ID protocols
Post on 08-Dec-2016
Dan Boneh

ID protocols
Overview
The Setup
Diagram: algorithm G outputs sk to the user P (prover) and vk to the server V (verifier); P and V interact and V outputs yes/no. No key exchange takes place.
vk is either public or secret.
Applications: physical world
– Physical locks (friend-or-foe):
  • Wireless car entry system
  • Opening an office door
– Login at a bank ATM or a desktop computer
Applications: Internet
Login to a remote web site after a key-exchange with one-sided authentication (e.g. HTTPS)
Diagram: Alice (prover, holds sk) and bank.com (verifier, holds vk) first run a one-sided authenticated key exchange, after which both share a key k; the ID protocol then runs inside that channel. Alice knows she is talking to bank.com, but until the ID protocol completes bank.com does not know who it is talking to (???).
ID Protocols: how not to use
• ID protocols do not establish a secure session between Alice and Bob!!
• Not even when combined with anonymous key exchange
• Vulnerable to man in the middle attacks
Diagram: Prover and Verifier first run an anonymous key exchange (both obtain k) and then the ID protocol. The verifier learns that "Alice" authenticated, but neither side knows who holds the other end of the key (??? ???). Insecure!
ID Protocols: how not to use
• ID protocols do not set up a secure session between Alice and Bob!!
• Not even when combined with anonymous key exchange
• Vulnerable to man in the middle attack
Diagram: a proxy sits between Prover and Verifier. The prover runs a key exchange with the proxy (key ka), the proxy runs its own key exchange with the verifier (key kb) and relays the ID protocol messages, so the verifier accepts "Alice" on the proxy's session (??? ???).
ID Protocols: Security Models
1. Direct attacker: impersonates prover with no additional information (other than vk)
   – Door lock
2. Eavesdropping attacker: impersonates prover after eavesdropping on a few conversations between prover and verifier
   – Wireless car entry system
3. Active attacker: interrogates prover and then attempts to impersonate prover
   – Fake ATM in shopping mall
ID protocols
Direct attacks
Basic Password Protocol (incorrect version)
• PWD: finite set of passwords
• Algorithm G (KeyGen): choose pw ← PWD. Output sk = vk = pw.
Diagram: User P (prover) holds sk; Server V (verifier) holds vk. P sends sk to V; V outputs yes iff sk = vk.
Basic Password Protocol (incorrect version)
Problem: vk must be kept secret
• Compromise of server exposes all passwords
• Never store passwords in the clear!
Password file on server:
  Alice  pw_alice
  Bob    pw_bob
  …      …
Basic Password Protocol: version 1
H: one-way hash function from PWD to X
• "Given H(x) it is difficult to find y such that H(y) = H(x)"
Password file on server:
  Alice  H(pwA)
  Bob    H(pwB)
  …      …
Diagram: User P (prover) holds sk; Server V (verifier) holds vk = H(sk). P sends sk to V; V outputs yes iff H(sk) = vk.
Problem: Weak Password Choice
Users frequently choose weak passwords (Adobe list, 2013):
  Password:           123456   123456789   password   adobe123   12345678   qwerty   1234567
  Fraction of users:  5%       1.1%        0.9%       0.5%       0.5%       0.5%     0.3%
  Total: 8.8%
A common occurrence
• Example: the RockYou password list, 2009 (6 most common pwds):
  123456, 12345, Password, iloveyou, princess, abc123
Dictionary of 360,000,000 words covers about 25% of user passwords
Online dictionary attack: Suppose an attacker obtains a list of usernames. For each username the attacker tries to log in using the password '123456'.
(Using the Adobe password frequencies above.)
Success after 20 tries on average
Offline Dictionary Attacks
Suppose attacker obtains a single vk = H(pw) from server
• Offline attack: hash all words in Dict until a word w is found such that H(w) = vk
• Time O(|Dict|) per password
Off the shelf tools (e.g. John the Ripper):
• Scan through all 7-letter passwords in a few minutes
• Scan through 360,000,000 guesses in few seconds
⇒ will recover 23% of passwords
Batch Offline Dictionary Attacks
Suppose attacker steals entire pwd file F
• Obtains hashed pwds for all users
• Example (2012): LinkedIn (6M: SHA1(pwd))
Batch dict. attack:
• For each w ∈ Dict: test if H(w) appears in F (using fast look-up)
Total time: O(|Dict| + |F|)   [LinkedIn: 6 days, 90% of pwds. recovered]
Much better than attacking each password individually!
Password file F:
  Alice  H(pwA)
  Bob    H(pwB)
  …      …
Preventing Batch Dictionary Attacks
Public salt:
• When setting password, pick a random n-bit salt S
• When verifying pw for A, test if H(pw, SA) = hA
Recommended salt length, n = 64 bits
• Attacker must re-hash dictionary for each user
Batch attack time is now: O(|Dict| × |F|)
Password file on server (id, S, h):
  Alice  SA  H(pwA, SA)
  Bob    SB  H(pwB, SB)
  …      …   …
How to hash a password?
LinkedIn: SHA1 hashed (unsalted) passwords
⇒ 6 days, 90% of passwords recovered by exhaustive search
The problem: SHA1 is too fast… attacker can try all words in a large dictionary
To hash passwords:
• Use a keyed hash function (e.g., HMAC) where key stored in HSM
• In addition: use a slow, space-hard function
How to hash?
PBKDF2, bcrypt: slow hash functions
• Slowness by "iterating" a crypto hash function like SHA256
  Example: H(pw) = SHA256(SHA256(…SHA256(pw, SA)…))
• Number of iterations: set for 1000 evals/sec
• Unnoticeable to user, but makes offline dictionary attack harder
Problem: custom hardware (ASIC) can evaluate hash function 50,000x faster than a commodity CPU
⇒ attacker can do dictionary attack much faster than 1000 evals/sec.
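Added example (not from the slides): a server-side password store that combines the two slides above, a random 64-bit public salt per user and an iterated slow hash (PBKDF2-HMAC-SHA256 from the Python standard library). The iteration count is an assumed tuning value; the slides' rule is to set it for about 1000 evaluations per second.

```python
# Added example, not from the slides: salted, iterated password hashing.
import hashlib
import hmac
import os

SALT_BYTES = 8          # 64-bit salt, the length recommended on the slide
ITERATIONS = 600_000    # assumed tuning value; set so one evaluation costs ~1 ms


def hash_password(pw: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """h = H(pw, S): PBKDF2, i.e. HMAC-SHA256 iterated `iterations` times."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations, dklen=32)


def set_password(pw: str) -> dict:
    """Create the record (S, h, iterations) stored in the server's password file."""
    salt = os.urandom(SALT_BYTES)            # fresh random salt S for this user
    return {"salt": salt, "hash": hash_password(pw, salt), "iters": ITERATIONS}


def verify_password(record: dict, pw: str) -> bool:
    """Server check: yes iff H(pw, S_A) == h_A, compared in constant time."""
    candidate = hash_password(pw, record["salt"], record["iters"])
    return hmac.compare_digest(candidate, record["hash"])


def salts_defeat_batch_lookup(pw: str) -> bool:
    """Two users with the same password get different records, so one hash of a
    dictionary word cannot be looked up against the whole file (O(|Dict| x |F|))."""
    a, b = set_password(pw), set_password(pw)
    return a["salt"] != b["salt"] and a["hash"] != b["hash"]


if __name__ == "__main__":
    # constructed sample password file with two users
    pw_file = {"alice": set_password("correct horse"), "bob": set_password("123456")}
    print(verify_password(pw_file["alice"], "correct horse"))   # True
    print(verify_password(pw_file["bob"], "password"))          # False
    print(salts_defeat_batch_lookup("123456"))                  # True
```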
How to hash: a better approach
Scrypt: a slow hash function AND needs lots of memory to evaluate
⇒ custom hardware not much faster than commodity CPU
Problem: memory access pattern depends on input password
⇒ local attacker can learn memory access pattern for a given password
⇒ eliminates need for memory in an offline dictionary attack
Is there a space-hard function where time is independent of pwd?
• Password hashing competition (2015): Argon2i (also Balloon)
ID protocols
Security against eavesdropping attacks
(one-time password systems)
Eavesdropping Security Model
Adversary is given:
• Server's vk, and
• the transcript of several interactions between honest prover and verifier (example: remote car unlock)
Adv. goal is to impersonate prover to verifier
A protocol is "secure against eavesdropping" if no efficient adversary can win this game
The password protocol is clearly insecure!
One-time passwords (secret vk, stateful)
Setup (algorithm G):
• Choose random key k
• Output sk = (k, 0); vk = (k, 0)
Identification:
Diagram: the prover with sk = (k, 0) sends r0 ← F(k, 0) to the server with vk = (k, 0), which outputs yes iff r = F(k, 0). Both sides then advance to sk = (k, 1), vk = (k, 1), and the next login sends r1 ← F(k, 1). Each r is a 6 digit value.
Often, time-based updates: r ← F(k, time)   [stateless]
The SecurID system (secret vk, stateful)
"Thm": if F is a secure PRF then protocol is secure against eavesdropping
RSA SecurID uses AES-128: F takes a 128 bit key and a 32 bit counter and produces a 6 digit output
Advancing state: sk ← (k, i+1)
• Time based: every 60 seconds
• User action: every button press
Both systems allow for skew in the counter value
Google authenticator
• 6-digit timed one-time passwords (TOTP) based on [RFC 6238]
• Wide web-site adoption:
  – Evernote, Dropbox, WordPress, outlook.com, …
To enable TOTP for a user: website presents QR code with embedded data:
  otpauth://totp/Example:alice@dropbox.com?secret=JBSWY3DPEHPK3PXP&issuer=Example
(Subsequent user logins require user to present TOTP)
Danger: password reset upon user lockout
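Added example (not from the slides): the 6-digit TOTP computation that the otpauth:// secret above feeds, i.e. r ← F(k, time) with F = HOTP (RFC 4226, HMAC-SHA1 with dynamic truncation) and the counter = floor(time / 30) of RFC 6238, plus the server-side check that allows one step of clock skew. The only page value used is the base32 secret; the verification window width is an assumption.

```python
# Added example, not from the slides: TOTP as used by Google Authenticator.
import base64
import hashlib
import hmac
import struct
import time

SLIDE_SECRET_B32 = "JBSWY3DPEHPK3PXP"   # base32 secret from the otpauth URI on the slide
STEP = 30                               # RFC 6238 default time step in seconds
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with counter = floor(time / step); this is r <- F(k, time)."""
    key = base64.b32decode(secret_b32.upper())
    return hotp(key, unix_time // step)


def verify_totp(secret_b32: str, code: str, unix_time: int, skew: int = 1) -> bool:
    """Server side: accept the code for the current step or up to `skew` steps either
    side (the counter-skew allowance the slides mention), using constant-time compare."""
    ok = False
    for d in range(-skew, skew + 1):
        expected = totp(secret_b32, unix_time + d * STEP)
        ok |= hmac.compare_digest(expected, code)
    return ok


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SLIDE_SECRET_B32, now)
    print(code, verify_totp(SLIDE_SECRET_B32, code, now))        # <6 digits> True
    print(verify_totp(SLIDE_SECRET_B32, code, now + 10 * STEP))  # False: stale code
```

The test below checks the block against the published RFC 6238 SHA-1 test vectors (key "12345678901234567890" in base32).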
Server compromise exposes secrets
March 2011:
• RSA announced servers attacked, secret keys stolen
⇒ enabled SecurID user impersonation
Is there an ID protocol where server key vk is public?
The S/Key system (public vk, stateful)
Notation: H^(n)(x) = H(H(…H(x)…))   (n times)
Algorithm G (setup):
• Choose random key k ← K
• Output sk = (k, n); vk = H^(n+1)(k)
Identification:
Diagram: the hash chain k → H(k) → … → H^(n-2)(k) → H^(n-1)(k) → H^(n)(k) → H^(n+1)(k). The last value H^(n+1)(k) is vk; H^(n)(k) is pwd #1, H^(n-1)(k) is pwd #2, H^(n-2)(k) is pwd #3, and so on down the chain (pwd #4, …).
The S/Key system (public vk, stateful)
Identification (in detail):
• Prover (sk = (k, i)): send t ← H^(i)(k); set sk ← (k, i-1)
• Verifier (vk = H^(i+1)(k)): if H(t) = vk then vk ← t, output "yes"
Notes: vk can be made public; but need to generate new sk after n logins (n ≈ 10^6)
"Thm": S/Key_n is secure against eavesdropping (public vk) provided H is one-way on n-iterates
SecurID vs. S/Key
S/Key:
• public vk, limited number of authentications
• Long authenticator t (e.g., 80 bits)
SecurID:
• secret vk, unlimited number of authentications
• Short authenticator (6 digits)
ID protocols
Security against active attacks
(challenge-response protocols)
Online Cryptography Course   Dan Boneh
Active Attacks
• Offline fake ATM: interacts with user; later tries to impersonate user to real ATM
• Offline phishing: phishing site interacts with user; later authenticates to real site
All protocols so far are vulnerable
Diagram: the attacker, knowing vk, sends probe #1 … probe #q to the user P (prover, holding sk) and then uses what it learned to impersonate P to the server V (verifier, holding vk).
MAC-based Challenge Response (secret vk)
"Thm": protocol is secure against active attacks (secret vk), provided (S_MAC, V_MAC) is a secure MAC
Diagram: k ← K; sk = k, vk = k. User P (prover) holds sk, Server V (verifier) holds vk. V picks random m ← M and sends it to P; P replies with t ← S_MAC(k, m); V accepts iff V_MAC(k, m, t) passes.
MAC-based Challenge Response
Problems:
• vk must be kept secret on server
• dictionary attack when k is a human pwd: given [m, S_MAC(pw, m)] eavesdropper can try all pw ∈ Dict to recover pw
Main benefit:
• Both m and t can be short
• CryptoCard: 8 chars each
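Added example (not from the slides): both sides of the MAC-based challenge-response above, with HMAC-SHA256 standing in for (S_MAC, V_MAC), a fresh random challenge per login, and a check that a response captured during one run is useless against a later challenge. The challenge and tag lengths are assumptions.

```python
# Added example, not from the slides: MAC-based challenge-response with a shared key.
import hashlib
import hmac
import os


def keygen() -> bytes:
    return os.urandom(32)                     # k <- K; sk = vk = k (vk stays secret)


def server_challenge() -> bytes:
    return os.urandom(16)                     # random m <- M, fresh for every login


def prover_respond(sk: bytes, m: bytes) -> bytes:
    return hmac.new(sk, m, hashlib.sha256).digest()   # t <- S_MAC(k, m)


def server_verify(vk: bytes, m: bytes, t: bytes) -> bool:
    expected = hmac.new(vk, m, hashlib.sha256).digest()
    return hmac.compare_digest(expected, t)   # V_MAC(k, m, t), constant time


def login(sk: bytes, vk: bytes) -> tuple:
    """One protocol run: server challenges, prover answers, server decides.
    Returns (m, t, accepted)."""
    m = server_challenge()
    t = prover_respond(sk, m)
    return m, t, server_verify(vk, m, t)


def replay_fails(k: bytes) -> bool:
    """A transcript (m, t) collected by probing the prover does not help against
    the real server, which issues a new challenge m' != m on the next login."""
    m, t, _ = login(k, k)
    m_next = server_challenge()
    return m_next != m and not server_verify(k, m_next, t)


if __name__ == "__main__":
    k = keygen()
    print(login(k, k)[2])     # True
    print(replay_fails(k))    # True
```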
Sig-based Challenge Response (public vk)
"Thm": Protocol is secure against active attacks (public vk), provided (G_SIG, Sign, Verify) is a secure digital sig.
Replace MAC with a digital signature:
Diagram: (sk, vk) ← G_SIG; User P (prover) holds sk, Server V (verifier) holds vk. V picks random m ← M and sends it to P; P replies with t ← Sign(sk, m); V accepts iff Verify(vk, m, t) passes.
but t is long (≥ 20 bytes)
Summary
ID protocols: useful in settings where adversary cannot interact with prover during impersonation attempt
Three security models:
• Direct: passwords (properly salted and hashed)
• Eavesdropping attacks: One time passwords
  – SecurID: secret vk, unbounded logins
  – S/Key: public vk, bounded logins
• Active attacks: challenge-response
THE END