Verifier-Based Password-Authenticated Key Exchange

CIST/ETRI/ISIT/KDDI/Kyusyu Univ./NICT Joint Research Workshop on Ubiquitous Network Security 2005
Jeong Ok Kwon, December 17th, 2005 (PowerPoint presentation, 34 slides)


TRANSCRIPT

Page 1: Title

Verifier-Based Password-Authenticated Key Exchange

CIST/ETRI/ISIT/KDDI/Kyusyu Univ./NICT Joint Research Workshop on Ubiquitous Network Security 2005

Jeong Ok Kwon

December 17th, 2005

Page 2: Motivation

• A fundamental problem in cryptography is how to communicate securely over an insecure channel.

[Figure: two parties each holding the same session key sk, used for data privacy/integrity.]

Page 3: Motivation

How can we obtain a secret session key?

• Public-key encryption or signatures
  – the cost is too high for certain applications

• Password-Authenticated Key Exchange (PAKE)
  – PAKE shares a secret key between specified parties using just a human-memorable password.
  – convenience, mobility, and fewer hardware requirements
  – no security infrastructure needed

Page 4: Intrinsic Problem

• Low entropy of passwords
  – e.g., 4 to 8 characters, or a natural-language phrase, chosen so it is easy to memorize.

• So passwords are susceptible to dictionary attacks.
  – On-line dictionary attacks (the adversary tests guesses by running the protocol)
  – Off-line dictionary attacks (the adversary tests guesses against recorded flows, with no further interaction)

Even tiny amounts of redundancy in the flows of the protocol could be used by the adversary to mount dictionary attacks.

-> A PAKE protocol must be immune to off-line dictionary attacks.

Page 5: Classification for PAKE

• According to the number of parties sharing a session key
  – Two-party
  – Multi-party (group)

• According to the sameness of the pre-shared passwords
  – Parties with the same password
  – Parties with different passwords

• According to the need for a server
  – Model requiring the help of a server
  – Model not requiring the help of a server

• According to the password form stored by the server
  – Symmetric model
  – Asymmetric model (verifier-based model)

Page 6: Our work is about

• In the client/server model
  – Verifier-based PAKE
    • for two-party with the same password
    • for two-party with different passwords
    • for multi-party with different passwords

Pages 7-9: Our work is about (figures)

[Figure, page 7: two-party with the same password. U1 (holding pw1) and the server (holding information for pw1) end up with a shared session key sk.]

[Figure, page 8: two-party with different passwords. U1 (pw1) and U2 (pw2) each register information for their own password with the server; U1 and U2 end up with a shared session key sk.]

[Figure, page 9: multi-party with different passwords. U1, U2, U3, U4 (holding pw1, pw2, pw3, pw4) end up with a common group key sk.]

Page 10: Symmetric model vs. verifier-based model

• Symmetric model – the server stores a plaintext form of the password.
  [Figure: the server's password file holds pw1 for U1 and pw2 for U2; the user holds pw1.]

• Asymmetric model (or verifier-based) – the server stores a verifier for the password.
  [Figure: the server's password file holds f(pw1) for U1 and f(pw2) for U2; the user holds pw1.]

Pages 11-14: Symmetric model vs. verifier-based model (continued)

A verifier is information computed from a password. It is computable from the password, whereas the reverse (recovering the password from the verifier) is infeasible in polynomial time. For a low-entropy password this one-wayness still leaves the off-line dictionary attack described below, which is why the verifier only buys time.

• Asymmetric model (or verifier-based)
  – It is designed to protect against server compromise, so that an attacker who is able to steal the password file from a server cannot later masquerade as a legitimate user without performing a dictionary attack.
  – Even if the password file is compromised, the attacker still has to perform an additional off-line dictionary attack to find out the clients' passwords.
  – This gives the server's administrator time to react and to inform the clients, which reduces the damage of the compromise.

• Symmetric model – the server stores a plaintext form of the password, so a stolen password file gives the attacker every password directly.

Page 15: Comparison with the related verifier-based protocol

Columns: (a) EPA, 2-party with the same password; (b) our scheme, 2-party with the same password; (c) our scheme, 2-party with different passwords; (d) our scheme, multi-party with different passwords.

                        (a)         (b)         (c)         (d)
Rounds                  3           2           3           3
Communication, Ui       |p|+|l|     |p|+|l|     |p|+|l|     2|p|
Communication, S        |p|+|l|     2|p|+|l|    4|p|        3n|p|
Exponentiations, Ui     1           2           3           3
Exponentiations, S      2           1           4           2n
Security                forward secrecy in all four
Assumption              DDH, R.O.   DDH, std.   DDH, std.   DDH, std.

R.O. = random-oracle model; std. = standard model.

[EPA] Y. H. Hwang, D. H. Yum, and P. J. Lee, "EPA: An Efficient Password-Based Protocol for Authenticated Key Exchange," ACISP 2003.

|p| : length of the prime p of Zp*, |l| : length of the output of the hash/MAC function, n : number of members in the group.

Page 16: Comparison with the related verifier-based protocols (PAKE for 2-party with the same password)

                      B-SPEKE     SRP         AMP         PAK-Z       EPA         VB-EKE      Our protocol
Rounds                4           4           4           3           3           3           2
Communication, Ui     2|p|+|l|    |p|+|l|     |p|+|l|     |p|+|l|     |p|+|l|     3|p|+|l|    |p|+|l|
Communication, S      3|p|+2|l|   2|p|+2|l|   2|p|+|l|    2|p|+|l|    |p|+|l|     |p|+|l|     2|p|+|l|
Exponentiations, Ui   2           2           2           3           1           1           2
Exponentiations, S    2           3           3           3           2           4           1
Security              forward secrecy in all seven
Assumption            DDH, R.O.   DDH, R.O.   CDH, R.O.   DDH, R.O.   DDH, R.O.   CDH, R.O.   DDH, std.

R.O. = random-oracle model; std. = standard model.

[B-SPEKE] D. Jablon, "Extended password key exchange protocols immune to dictionary attack," WETICE'97 Workshop on Enterprise Security, 1997.
[SRP] T. Wu, "Secure remote password protocol," Proceedings of the ISOC NDSS Symposium, pages 99–111, 1998.
[AMP] T. Kwon, "Authentication and key agreement via memorable password," Proceedings of the ISOC NDSS Symposium, 2001.
[PAK-Z] P. MacKenzie, "The PAK suite: Protocols for Password-Authenticated Key Exchange," http://grouper.ieee.org/groups/1363/passwdPK/contributions.html#Mac02, April 2002.
[EPA] Y. H. Hwang, D. H. Yum, and P. J. Lee, "EPA: An Efficient Password-Based Protocol for Authenticated Key Exchange," ACISP 2003.
[VB-EKE] M. Abdalla, O. Chevassut, and D. Pointcheval, "One-time Verifier-based Encrypted Key Exchange," PKC 2005.

Page 17: Comparison with the related verifier-based protocols (continued)

(Same table and references as page 16.) B-SPEKE, SRP, AMP, and PAK-Z are password-based protocols submitted to IEEE P1363.2 (Password-based Techniques): http://grouper.ieee.org/groups/1363/passwdPK/purpose.html

Pages 18-19: Comparison with the related verifier-based protocol (continued)

(Same table as page 15; the page-19 copy lists the multi-party Ui communication as 2|p|+|l| rather than 2|p|.)

The focus of this work is on round-efficient verifier-based PAKE: to construct secure and round-efficient verifier-based PAKE protocols for the 2-party and multi-party settings with different passwords.

Page 20: Preliminaries for our protocols

• Public information
  – $G$: a finite cyclic group of order $q$
  – $p$: a safe prime such that $p = 2q + 1$ (so $G$ is the order-$q$ subgroup of $\mathbb{Z}_p^*$)
  – $g_1, g_2$: generators of $G$
  – $H$: a collision-resistant one-way hash function
  – $\mathrm{Mac} = (\mathrm{Key.gen}, \mathrm{Mac.gen}, \mathrm{Mac.ver})$: a secure message authentication code

• Initialization step
  – $U_i$ selects a password $pw_i$.
  – $U_i$ registers the verifiers of the password,
    $$v_{i,1} = g_1^{H(U_i \| S \| pw_i)} \bmod p, \qquad v_{i,2} = g_2^{H(U_i \| S \| pw_i)} \bmod p,$$
    with the server $S$ over a secure channel.
  – $S$ stores them in a password file with an entry for each user $U_i$.
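The initialization step above, together with the server-compromise argument of pages 12-14, as an added worked example. This is illustration code written for this page, not code from the slides or from the authors. Assumptions not in the slides: H is SHA-256 with its output reduced into $\mathbb{Z}_q^*$ and the concatenation $U_i \| S \| pw_i$ encoded with a NUL separator; the safe prime is a 64-bit one found at run time so the search is fast (a deployment would use a standardised group of 2048 bits or more); the users, passwords and guess list are constructed.

```python
"""Verifier registration (page 20) and the off-line dictionary attack an
attacker must still run after stealing the password file (pages 12-14)."""
import hashlib
import random


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; the RNG is seeded from n so the example is deterministic."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int, seed: int = 2005) -> tuple[int, int]:
    """Return (p, q) with p = 2q + 1 and both prime, as required on page 20.
    Assumption: a toy 64-bit size is used so the search runs in well under a second."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


def subgroup_generators(p: int, q: int) -> tuple[int, int]:
    """g1, g2: squares mod p, hence elements of order q in the safe-prime group."""
    gens = []
    h = 2
    while len(gens) < 2:
        g = pow(h, 2, p)
        if g != 1 and pow(g, q, p) == 1:
            gens.append(g)
        h += 1
    return gens[0], gens[1]


def hash_to_exponent(user: str, server: str, pw: str, q: int) -> int:
    """H(U || S || pw) mapped into Z_q^*.  Assumption: SHA-256 and a NUL separator."""
    data = "\0".join((user, server, pw)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1) + 1


def register(user, server, pw, p, q, g1, g2):
    """Client side of the initialization step: (v_{i,1}, v_{i,2}) sent to S over a secure channel."""
    e = hash_to_exponent(user, server, pw, q)
    return pow(g1, e, p), pow(g2, e, p)


def offline_dictionary_attack(user, server, stolen_v1, dictionary, p, q, g1):
    """What an attacker holding the stolen password file has to do: recompute
    v_{i,1} for every guess until one matches.  Returns (password or None, guesses)."""
    for n, guess in enumerate(dictionary, 1):
        if pow(g1, hash_to_exponent(user, server, guess, q), p) == stolen_v1:
            return guess, n
    return None, len(dictionary)


# Constructed sample data: two registered users and an attacker's guess list.
P, Q = safe_prime(64)
G1, G2 = subgroup_generators(P, Q)
PASSWORD_FILE = {u: register(u, "S", pw, P, Q, G1, G2)
                 for u, pw in (("U1", "rosebud"), ("U2", "tiger2005"))}
DICTIONARY = ["123456", "password", "qwerty", "tiger2005", "letmein", "rosebud"]


def demo():
    """Attack every entry of the stolen file; map user -> (recovered password, guesses)."""
    return {user: offline_dictionary_attack(user, "S", v1, DICTIONARY, P, Q, G1)
            for user, (v1, _) in PASSWORD_FILE.items()}


if __name__ == "__main__":
    for user, (pw, guesses) in demo().items():
        print(f"{user}: recovered {pw!r} after {guesses} guesses")
```

In the symmetric model the same stolen file yields both passwords with zero work. Here the attacker pays one hash and one exponentiation per guess per user, and because $U_i \| S$ is hashed in with the password, a guess evaluated for U1 cannot be reused against U2 (the identity acts as a per-user salt). That cost is proportional to the dictionary, not to the group size, which is exactly why the slides say the verifier only buys the administrator time rather than preventing recovery of a low-entropy password.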

Page 21: Verifier-based PAKE for 2-party with the same password (protocol diagram)

[Protocol diagram between $U_1$ (holding $pw_1$) and the server (holding $v_{1,1} = g_1^{H(U_1 \| S \| pw_1)}$ and $v_{1,2} = g_2^{H(U_1 \| S \| pw_1)}$). The equations did not survive extraction; the recoverable parts are: in R1, $U_1$ picks $x \in_R \mathbb{Z}_q^*$ and sends $X = g_1^{x} v_{1,2}$; in R2, the server picks $y, z \in_R \mathbb{Z}_q^*$, replies with values $Y, Z$ built from $g_1$, $g_2$, $v_{1,1}$, $v_{1,2}$, $y$ and $z$, and computes $k_{S,1} = (X / v_{1,2})^{y} = g_1^{xy}$; $U_1$ recovers the same $g_1^{xy}$ using $H(U_1 \| S \| pw_1)$, its $x$ and the server's values; both sides derive $sk = H(U_1 \| S \| g_1^{xy})$, and the flows carry $\mathrm{Mac.gen}$ tags over the identities and the exchanged values. Two rounds in total.]

Page 22: Verifier-based PAKE for 2-party with different passwords

• Motivation
  – In PAKE for 2-party with the same password, what happens if a user wants to communicate securely with many users?
    • The number of passwords the user needs to memorize grows linearly with the number of possible partners.

[Figure: two users sharing one password pw.]

Page 23: Verifier-based PAKE for 2-party with different passwords

• Motivation
  – In PAKE for 2-party with different passwords:
    • each user shares a password only with a trusted server.
    • the trusted server helps users holding different passwords agree on a common session key.

[Figure: U1 (pw1) and U2 (pw2); the server stores f(pw1) for U1 and f(pw2) for U2.]

Page 24: Verifier-based PAKE for 2-party with different passwords (protocol diagram)

[Protocol diagram among $U_1$ (holding $pw_1$), the server, and $U_2$ (holding $pw_2$); the server holds $(v_{i,1}, v_{i,2}) = (g_1^{H(U_i \| S \| pw_i)}, g_2^{H(U_i \| S \| pw_i)})$ for $i = 1, 2$. The equations did not survive extraction; the recoverable parts are: R1: each $U_i$ picks $x_i \in_R \mathbb{Z}_q^*$ and sends $X_i = g_1^{x_i} v_{i,2}$. R2: the server picks $y_1, y_2, s \in_R \mathbb{Z}_q^*$, computes $k_{S,i} = g_1^{x_i y_i}$, and sends each $U_i$ the value $X_{S,i} = g_1^{y_i} v_{i,2}$ with a tag $\mathrm{Mac.gen}_{k_{S,i}}(U_i \| S \| X_i \| X_{S,i})$; $U_i$ computes $k_{i,S} = g_1^{x_i y_i}$. R3: the server sends $Y_{S,1}$ and $Y_{S,2}$, derived from $g_1^{x_2 s}$ and $g_1^{x_1 s}$ respectively and masked with per-user values; each user unmasks with $H(U_i \| S \| pw_i)$ and its own $x_i$, and both compute $sk = g_1^{x_1 x_2 s} \bmod p$. Three rounds in total.]

Page 25: Verifier-based PAKE for multi-party with different passwords

• Motivation
  – In PAKE for multi-party with the same password, what happens if a user wants to communicate securely with many groups?
    • The number of passwords the user needs to memorize grows linearly with the number of possible groups.
    • The members have to share a new password whenever one of them wants to communicate securely with a new group.

[Figure: four members sharing one password pw, with a group key sk.]

Page 26: Verifier-based PAKE for multi-party with different passwords

• Motivation
  – In PAKE for multi-party with different passwords:
    • each user shares a password only with a trusted server.
    • the trusted server helps users holding different passwords agree on a group key.

[Figure: U1 (pw1), U2 (pw2), U3 (pw3), U4 (pw4) ending up with a group key sk.]

Pages 27-31: Verifier-based PAKE for multi-party with different passwords (protocol diagram, four users)

[Protocol diagram among $U_1, \ldots, U_4$ (holding $pw_1, \ldots, pw_4$) and the server, which holds $(v_{i,1}, v_{i,2}) = (g_1^{H(U_i \| S \| pw_i)}, g_2^{H(U_i \| S \| pw_i)})$ for $i = 1, \ldots, 4$. The equations did not survive extraction; the recoverable parts are:

R1 (pages 27-28): each $U_i$ picks $x_i \in_R \mathbb{Z}_q^*$ and sends $X_i = g_1^{x_i} v_{i,2}$. The server picks $y_i, z_i \in_R \mathbb{Z}_q^*$ for each user, computes $k_{S,i} = g_1^{x_i y_i}$, and replies to each $U_i$ with a pair $Y_i \| Z_i$ built from $g_1$, $g_2$, $v_{i,1}$, $v_{i,2}$, $y_i$ and $z_i$.

R2 (page 29): each $U_i$ recovers $k_{i,S} = g_1^{x_i y_i}$ using $H(U_i \| S \| pw_i)$ and $x_i$. The server runs $k_{mac} \leftarrow \mathrm{Key.gen}$, picks $s \in_R \mathbb{Z}_q^*$, and sends each $U_i$ a tuple $K_i$ containing its two neighbours' values $g_1^{x_{i-1} s}$ and $g_1^{x_{i+1} s}$ (indices mod 4) and $k_{mac}$, masked with $k_{S,i}$.

R3 (pages 30-31): each $U_i$ computes $g_1^{x_{i-1} x_i s}$ and $g_1^{x_i x_{i+1} s}$ and sends a value derived from them with a tag $\mathrm{Mac.gen}_{k_{mac}}(\cdot)$; combining the four contributions, every user computes
$$sk = g_1^{\,x_1 x_2 s + x_2 x_3 s + x_3 x_4 s + x_4 x_1 s} \bmod p .$$
Three rounds in total.]

Page 32: Security goals for verifier-based PAKE

• Security against dictionary attacks
  – passive eavesdropping does not help the adversary compute any information about the password.
  – only active interactions with protocol instances help the adversary compute information about the password.

• Key secrecy
  – no computationally bounded adversary (including the server) should learn anything about session keys shared between honest parties.

• Resistance to server-compromise attacks
  – even if an adversary steals the password file from the server, the adversary still cannot impersonate a user without performing a dictionary attack on the password file.

Page 33: Security goals for verifier-based PAKE (continued)

• Forward secrecy
  – exposure of a password does not compromise previously established session keys.

• Resistance to the Denning-Sacco attack
  1. even with the session key from an eavesdropped session, an adversary cannot gain the ability to impersonate the user directly.
  2. an outside attacker cannot use compromised session keys, established successfully between honest entities, to perform off-line dictionary attacks against the users' passwords.
  3. an insider who knows one user's password does not learn any information about other users' passwords from a session key successfully established with them.

Page 34: Q & A

Thank you!