ID protocols
Dan Boneh

Slide 1: ID protocols: Overview

Slide 2: The Setup
A key generation algorithm G outputs a secret key sk, given to the user P (the prover), and a verification key vk, given to the server V (the verifier). The prover and verifier then run the identification protocol, at the end of which the verifier outputs yes or no. This is not a key exchange: no session key is produced. Depending on the protocol, vk is either public or secret.

Slide 3: Applications: physical world
– Physical locks (friend-or-foe):
  • Wireless car entry system
  • Opening an office door
– Login at a bank ATM or a desktop computer

Slide 4: Applications: Internet
Login to a remote web site after a key exchange with one-sided authentication (e.g. HTTPS).
Diagram: Alice (prover, holding sk) and bank.com (verifier, holding vk) first run a one-sided authenticated key exchange, giving both a shared key k. Only the server is authenticated at this point, so bank.com does not yet know who it is talking to ("???"). The ID protocol is then run inside that session to identify Alice.

Slide 5: ID Protocols: how not to use
• ID protocols do not establish a secure session between Alice and Bob!!
• Not even when combined with anonymous key exchange
• Vulnerable to man in the middle attacks
Diagram: Alice (prover, sk) and the verifier (vk) run an anonymous key exchange, both obtaining k, and then run the ID protocol. Neither side learns who holds the other end of the session ("???" on both sides). Insecure!

Slide 6: ID Protocols: how not to use (the attack)
• ID protocols do not set up a secure session between Alice and Bob!!
• Not even when combined with anonymous key exchange
• Vulnerable to man in the middle attack
Diagram: a proxy sits between Alice and the verifier. It runs one key exchange with Alice (key k_a) and a separate one with the server (key k_b), then relays the ID protocol messages between the two. Alice authenticates successfully, but the session the server actually holds is with the proxy ("???" on both ends).

Slide 7: ID Protocols: Security Models
1. Direct attacker: impersonates prover with no additional information (other than vk)
   – Door lock
2. Eavesdropping attacker: impersonates prover after eavesdropping on a few conversations between prover and verifier
   – Wireless car entry system
3. Active attacker: interrogates prover and then attempts to impersonate prover
   – Fake ATM in shopping mall

Slide 8: ID protocols: Direct attacks

Slide 9: Basic Password Protocol (incorrect version)
• PWD: finite set of passwords
• Algorithm G (KeyGen): choose pw ← PWD. Output sk = vk = pw.
Protocol: the user P (prover) sends sk to the server V (verifier); the verifier outputs yes iff sk = vk.

Slide 10: Basic Password Protocol (incorrect version)
Problem: vk must be kept secret
• Compromise of server exposes all passwords
• Never store passwords in the clear!
Password file on server:
  Alice  pw_alice
  Bob    pw_bob
  …      …

Slide 11: Basic Password Protocol: version 1
H: one-way hash function from PWD to X
• "Given H(x) it is difficult to find y such that H(y) = H(x)"
Password file on server:
  Alice  H(pw_A)
  Bob    H(pw_B)
  …      …
Protocol: the user P (prover) holds sk and sends it; the server V (verifier) stores vk = H(sk) and outputs yes iff H(sk) = vk.

Slide 12: Problem: Weak Password Choice
Users frequently choose weak passwords (Adobe list, 2013):
  Password    Fraction of users
  123456      5%
  123456789   1.1%
  password    0.9%
  adobe123    0.5%
  12345678    0.5%
  qwerty      0.5%
  1234567     0.3%
  Total:      8.8%
A common occurrence
• Example: the RockYou password list, 2009 (6 most common pwds): 123456, 12345, Password, iloveyou, princess, abc123
• A dictionary of 360,000,000 words covers about 25% of user passwords

Slide 13: Online dictionary attack
Suppose an attacker obtains a list of usernames. For each username the attacker tries to log in using the password '123456'. (Same Adobe 2013 table as on slide 12: 5% of users chose 123456.)
Success after 20 tries on average

Slide 14: Offline Dictionary Attacks
Suppose attacker obtains a single vk = H(pw) from server
• Offline attack: hash all words in Dict until a word w is found such that H(w) = vk
• Time O(|Dict|) per password
Off the shelf tools (e.g. John the Ripper):
• Scan through all 7-letter passwords in a few minutes
• Scan through 360,000,000 guesses in a few seconds
⇒ will recover 23% of passwords

Slide 15: Batch Offline Dictionary Attacks
Suppose attacker steals the entire pwd file F
• Obtains hashed pwds for all users
• Example (2012): LinkedIn (6M: SHA1(pwd))
Batch dict. attack:
• For each w ∈ Dict: test if H(w) appears in F (using fast look-up)
Total time: O(|Dict| + |F|)   [LinkedIn: 6 days, 90% of pwds. recovered]
Much better than attacking each password individually!
(Password file F: Alice H(pw_A), Bob H(pw_B), …)

Slide 16: Preventing Batch Dictionary Attacks
Public salt:
• When setting password, pick a random n-bit salt S
• When verifying pw for A, test if H(pw, S_A) = h_A
Recommended salt length, n = 64 bits
• Attacker must re-hash dictionary for each user
Batch attack time is now: O(|Dict| × |F|)
Password file on server (id, S, h):
  Alice  S_A  H(pw_A, S_A)
  Bob    S_B  H(pw_B, S_B)
  …      …    …
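Why the public salt of slide 16 defeats the batch attack of slide 15, as an added example that is not part of the lecture: the toy password file, dictionary and H (SHA-256 standing in for the lecture's H) are all constructed here, and the two cost functions simply count H evaluations, returning |Dict| for the unsalted file and |Dict| × |F| for the salted one.

```python
import hashlib
import os

# Constructed toy data (not real leaked passwords): a dictionary Dict and a user table.
DICT = ["123456", "password", "qwerty", "letmein", "princess", "abc123"]
USERS = {"alice": "qwerty", "bob": "123456", "carol": "correct-horse", "dave": "abc123"}

def H(pw: str, salt: bytes = b"") -> bytes:
    """One evaluation of H(pw, S); SHA-256 stands in for the lecture's hash H."""
    return hashlib.sha256(salt + pw.encode()).digest()

def make_file(salted: bool, n_bits: int = 64) -> dict:
    """Server password file F as {user: (S, h)}. Unsalted rows use S = b"" so h = H(pw);
    salted rows draw a fresh random n-bit salt S_A and store h_A = H(pw_A, S_A)."""
    rows = {}
    for user, pw in USERS.items():
        salt = os.urandom(n_bits // 8) if salted else b""
        rows[user] = (salt, H(pw, salt))
    return rows

def verify(rows: dict, user: str, pw: str) -> bool:
    """Login check from slide 16: yes iff H(pw, S_A) = h_A."""
    salt, h = rows[user]
    return H(pw, salt) == h

def batch_cost_unsalted(rows: dict, dictionary: list):
    """Slide 15 cost model: hash every word once and look it up in a set built from F.
    Returns (users whose stored hash appeared, number of H evaluations = |Dict|)."""
    lookup = {h: user for user, (_, h) in rows.items()}   # O(|F|) to build, no hashing
    found, evals = {}, 0
    for w in dictionary:
        evals += 1
        hit = lookup.get(H(w))
        if hit is not None:
            found[hit] = w
    return found, evals

def batch_cost_salted(rows: dict, dictionary: list):
    """Slide 16 cost model: each user's own salt forces a separate pass over Dict.
    Returns (users whose stored hash matched, number of H evaluations = |Dict| × |F|)."""
    found, evals = {}, 0
    for user, (salt, h) in rows.items():
        for w in dictionary:
            evals += 1          # no early exit: the worst case the slide's O(|Dict| × |F|) describes
            if H(w, salt) == h:
                found[user] = w
    return found, evals
```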

Slide 17: How to hash a password?
LinkedIn: SHA1 hashed (unsalted) passwords
⇒ 6 days, 90% of passwords recovered by exhaustive search
The problem: SHA1 is too fast… attacker can try all words in a large dictionary
To hash passwords:
• Use a keyed hash function (e.g., HMAC) where key stored in HSM
• In addition: use a slow, space-hard function

Slide 18: How to hash? PBKDF2, bcrypt: slow hash functions
• Slowness by "iterating" a crypto hash function like SHA256
Example: H(pw) = SHA256(SHA256(… SHA256(pw, S_A) …))
• Number of iterations: set for 1000 evals/sec
• Unnoticeable to user, but makes offline dictionary attack harder
Problem: custom hardware (ASIC) can evaluate hash function 50,000x faster than a commodity CPU
⇒ attacker can do dictionary attack much faster than 1000 evals/sec.

Slide 19: How to hash: a better approach
Scrypt: a slow hash function AND needs lots of memory to evaluate
⇒ custom hardware not much faster than commodity CPU
Problem: memory access pattern depends on input password
⇒ local attacker can learn memory access pattern for a given password
⇒ eliminates need for memory in an offline dictionary attack
Is there a space-hard function where time is independent of pwd?
• Password hashing competition (2015): Argon2i (also Balloon)

Slide 20: ID protocols: Security against eavesdropping attacks (one-time password systems)

Slide 21: Eavesdropping Security Model
Adversary is given:
• Server's vk, and
• the transcript of several interactions between honest prover and verifier (example: remote car unlock)
Adv. goal is to impersonate prover to verifier
A protocol is "secure against eavesdropping" if no efficient adversary can win this game
The password protocol is clearly insecure!

Slide 22: One-time passwords (secret vk, stateful)
Setup (algorithm G):
• Choose random key k
• Output sk = (k, 0); vk = (k, 0)
Identification:
• Prover with sk = (k, 0) sends r_0 ← F(k, 0); server with vk = (k, 0) outputs yes iff r = F(k, 0). Both then advance their state to (k, 1).
• Next login: prover with sk = (k, 1) sends r_1 ← F(k, 1); server with vk = (k, 1) checks it in the same way, and so on.
Often, time-based updates: r ← F(k, time)   [stateless]
The value r sent by the prover is 6 digits.

Slide 23: The SecurID system (secret vk, stateful)
"Thm": if F is a secure PRF then protocol is secure against eavesdropping
RSA SecurID uses AES-128: F takes a 128-bit key and a 32-bit counter and produces a 6-digit output.
Advancing state: sk ← (k, i+1)
• Time based: every 60 seconds
• User action: every button press
Both systems allow for skew in the counter value

Slide 24: Google authenticator
• 6-digit timed one-time passwords (TOTP) based on [RFC 6238]
• Wide web-site adoption:
  – Evernote, Dropbox, WordPress, outlook.com, …
To enable TOTP for a user: web site presents QR code with embedded data:
  otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example
(Subsequent user logins require user to present TOTP)
Danger: password reset upon user lockout
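The TOTP scheme of slide 24 worked through as an added example (not Google's or the lecture's code): HOTP/TOTP per RFC 4226 and RFC 6238 with HMAC-SHA1 and 6 digits, the secret pulled out of the otpauth URI shown above, and a server-side check that tolerates the counter skew mentioned on slide 23. The ±1-step skew window and the 30-second step are assumptions (the RFC default for the step).

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: F(k, counter) with HMAC-SHA1 as the PRF, truncated to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the stateless r <- F(k, time) of slide 22 with counter = floor(t / step)."""
    return hotp(key, t // step, digits)

def secret_from_otpauth(uri: str) -> bytes:
    """Extract and base32-decode the shared secret carried in the otpauth:// URI from the QR code."""
    params = parse_qs(urlparse(uri).query)
    return base64.b32decode(params["secret"][0])

def verify_totp(key: bytes, code: str, t: int, skew: int = 1, step: int = 30) -> bool:
    """Server check allowing clock skew (slide 23): accept any counter in T-skew .. T+skew."""
    counter = t // step
    return any(hmac.compare_digest(hotp(key, c), code) for c in range(counter - skew, counter + skew + 1))

# The enrolment URI printed on slide 24 (user part reproduced as shown there).
URI = "otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example"

if __name__ == "__main__":
    k = secret_from_otpauth(URI)
    now = int(time.time())
    print("current TOTP:", totp(k, now), "accepted:", verify_totp(k, totp(k, now), now))
```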

Slide 25: Server compromise exposes secrets
March 2011:
• RSA announced servers attacked, secret keys stolen
⇒ enabled SecurID user impersonation
Is there an ID protocol where server key vk is public?

Slide 26: The S/Key system (public vk, stateful)
Notation: H^(n)(x) = H(H(… H(x) …))   (n times)
Algorithm G (setup):
• Choose random key k ← K
• Output sk = (k, n); vk = H^(n+1)(k)
Identification: the hash chain k → H(k) → … → H^(n-2)(k) → H^(n-1)(k) → H^(n)(k) → H^(n+1)(k) is consumed from the top: vk = H^(n+1)(k), pwd #1 = H^(n)(k), pwd #2 = H^(n-1)(k), pwd #3 = H^(n-2)(k), pwd #4 …

Slide 27: The S/Key system (public vk, stateful)
Identification (in detail):
• Prover (sk = (k, i)): send t ← H^(i)(k); set sk ← (k, i-1)
• Verifier (vk = H^(i+1)(k)): if H(t) = vk then vk ← t, output "yes"
Notes: vk can be made public; but need to generate new sk after n logins (n ≈ 10^6)
"Thm": S/Key_n is secure against eavesdropping (public vk) provided H is one-way on n-iterates
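The S/Key chain of slides 26 and 27, as an added example (not the original S/Key implementation): SHA-256 truncated to 80 bits plays the role of H (the authenticator length quoted on slide 28), sk = (k, n) and vk = H^(n+1)(k), and run_logins shows that a password captured from a transcript is rejected once the verifier has moved vk down the chain. The 128-bit k and the 80-bit truncation are assumptions.

```python
import hashlib
import os

def H(x: bytes) -> bytes:
    """The one-way function H; SHA-256 truncated to 80 bits (the slide-28 authenticator length)."""
    return hashlib.sha256(x).digest()[:10]

def H_iter(x: bytes, n: int) -> bytes:
    """H^(n)(x) = H(H(... H(x) ...)), n times; H^(0)(x) = x."""
    for _ in range(n):
        x = H(x)
    return x

def skey_setup(n: int):
    """Algorithm G: k <- K (128 random bits here); sk = (k, n), vk = H^(n+1)(k). vk may be published."""
    k = os.urandom(16)
    return (k, n), H_iter(k, n + 1)

def prover_next(sk):
    """Prover with sk = (k, i): send t = H^(i)(k) and set sk <- (k, i-1).
    Returns (None, sk) once the n one-time passwords are used up and a new sk is needed."""
    k, i = sk
    if i < 1:
        return None, sk
    return H_iter(k, i), (k, i - 1)

def verifier_check(vk: bytes, t: bytes):
    """Verifier with vk = H^(i+1)(k): if H(t) = vk output yes and set vk <- t. Returns (accepted, new vk)."""
    if H(t) == vk:
        return True, t
    return False, vk

def run_logins(n: int, attempts: int):
    """Run up to `attempts` logins on an n-password chain. Returns (logins accepted,
    whether replaying the first captured password t is rejected afterwards)."""
    sk, vk = skey_setup(n)
    first_t, accepted = None, 0
    for _ in range(attempts):
        t, sk = prover_next(sk)
        if t is None:
            break                                  # chain exhausted: generate a new sk
        first_t = first_t if first_t is not None else t
        ok, vk = verifier_check(vk, t)
        accepted += ok
    replayed, _ = verifier_check(vk, first_t)      # eavesdropper resends pwd #1
    return accepted, not replayed
```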

Slide 28: SecurID vs. S/Key
S/Key:
• public vk, limited number of authentications
• Long authenticator t (e.g., 80 bits)
SecurID:
• secret vk, unlimited number of authentications
• Short authenticator (6 digits)

Slide 29: ID protocols: Security against active attacks (challenge-response protocols)
Online Cryptography Course   Dan Boneh

Slide 30: Active Attacks
• Offline fake ATM: interacts with user; later tries to impersonate user to real ATM
• Offline phishing: phishing site interacts with user; later authenticates to real site
All protocols so far are vulnerable
Diagram: the attacker (knowing vk) first sends probes #1 … #q to the user P (prover, sk) and collects the responses; afterwards it uses what it learned to impersonate the user to the server V (verifier, vk).

Slide 31: MAC-based Challenge Response (secret vk)
"Thm": protocol is secure against active attacks (secret vk), provided (S_MAC, V_MAC) is a secure MAC
Setup: k ← K; sk = k, vk = k
Protocol:
• Server V (verifier) picks random m ← M and sends it to the user P (prover)
• Prover replies with t ← S_MAC(k, m)
• Verifier accepts iff V_MAC(k, m, t) = yes
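The exchange on slide 31 with both sides' messages, as an added example (not the lecture's or CryptoCard's code): HMAC-SHA256 stands in for (S_MAC, V_MAC), and the verifier keeps each challenge m outstanding only until it is answered, so a replayed (m, t) pair taken from an eavesdropped transcript is refused. The 16-byte challenge space and 32-byte k are assumptions.

```python
import hashlib
import hmac
import os

def S_MAC(k: bytes, m: bytes) -> bytes:
    """MAC signing algorithm; HMAC-SHA256 stands in for the slide's S_MAC."""
    return hmac.new(k, m, hashlib.sha256).digest()

def V_MAC(k: bytes, m: bytes, t: bytes) -> bool:
    """MAC verification in constant time (does not leak where t first differs)."""
    return hmac.compare_digest(S_MAC(k, m), t)

def keygen() -> bytes:
    """k <- K; in the MAC-based protocol sk = vk = k, so vk must stay secret on the server."""
    return os.urandom(32)

class Prover:
    """User P holding sk = k; answers a challenge with t <- S_MAC(k, m)."""
    def __init__(self, sk: bytes):
        self.sk = sk
    def respond(self, m: bytes) -> bytes:
        return S_MAC(self.sk, m)

class Verifier:
    """Server V holding vk = k. Every challenge is random and is accepted at most once."""
    def __init__(self, vk: bytes):
        self.vk = vk
        self.outstanding = set()
    def challenge(self) -> bytes:
        m = os.urandom(16)                 # random m <- M (16-byte M is an assumption)
        self.outstanding.add(m)
        return m
    def check(self, m: bytes, t: bytes) -> bool:
        if m not in self.outstanding:      # never issued, or already answered: reject
            return False
        self.outstanding.discard(m)
        return V_MAC(self.vk, m, t)

def honest_login(p: Prover, v: Verifier) -> bool:
    """One run of the protocol: V sends m, P returns t, V checks it."""
    m = v.challenge()
    return v.check(m, p.respond(m))

def replay_transcript(p: Prover, v: Verifier):
    """An eavesdropper records one honest (m, t) and sends it again later.
    Returns (first run accepted, replay accepted)."""
    m = v.challenge()
    t = p.respond(m)
    return v.check(m, t), v.check(m, t)
```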

Slide 32: MAC-based Challenge Response
Problems:
• vk must be kept secret on server
• dictionary attack when k is a human pwd: given [m, S_MAC(pw, m)] eavesdropper can try all pw ∈ Dict to recover pw
Main benefit:
• Both m and t can be short
• CryptoCard: 8 chars each

Slide 33: Sig-based Challenge Response (public vk)
Replace MAC with a digital signature:
• Setup: (sk, vk) ← G_SIG; the user P (prover) holds sk, the server V (verifier) holds vk
• Verifier sends random m ← M
• Prover replies with t ← Sign(sk, m)
• Verifier accepts iff Verify(vk, m, t) = yes
"Thm": Protocol is secure against active attacks (public vk), provided (G_SIG, Sign, Verify) is a secure digital sig. But t is long (≥ 20 bytes).

Slide 34: Summary
ID protocols: useful in settings where adversary cannot interact with prover during impersonation attempt
Three security models:
• Direct: passwords (properly salted and hashed)
• Eavesdropping attacks: one-time passwords
  – SecurID: secret vk, unbounded logins
  – S/Key: public vk, bounded logins
• Active attacks: challenge-response

Slide 35: THE END