Improved Server Authentication
Presented by Dmitri Epshtein
Supervised by Prof. Hugo Krawczyk
January 2002
January 2002 Improved Server Authentication 2
Outline
Why public key verification?
Human friendly public key verification
Authentication through image
SSH integration and demo
Client-Server security
Server: Kprv / Kpub, Random: y
Client: psswd, Kpub, Random: x
Client -> Server: g^x
Server -> Client: g^y | signKprv(g^y,g^x) | Kpub
Client: Confirm Server Kpub
Client: VerifyKpub(signKprv(g^y,g^x))
Server: K=(g^x)^y, Client: K=(g^y)^x
Encrypted channel (K)
Client -> Server: login+psswd
Server: Verify psswd
Man in the middle attack
Server: Kprv / Kpub, Random: x
Client: psswd, Random: y
Man in middle: K'prv/K'pub, Random: y', x'
Client <-> Man in middle: Encrypted channel (K')
Man in middle <-> Server: Encrypted channel (K)
K' = (g^y)^x' = (g^x')^y
K = (g^y')^x = (g^x)^y'
Public Key Verification
Local (stored in client machine)
  Not applicable everywhere (e.g. Internet-Cafe)
CA - Certification Authority
  CA root key should be known
  It is not widely available on the Internet yet
User verifies hashed version of public key
  “public password” as described in [HK99]
Outline
Why public key verification?
Human friendly public key verification
Authentication through image
SSH integration and demo
Public Passwords
Not necessary to know all 1024 bits to verify the key
About 64 bits (2^64 different values) is secure for most applications
Use hash function MD5/SHA1(Public Key) to reduce key size
  It is infeasible to find a different public key that corresponds to the same “public password”
Public key is not secret information
SSH public password
SSH requires user to verify 128 bits - hash value of server public key.
Public Key (1024 bits) -> MD5 -> Fingerprint (128 bits)
Example: DSA key fingerprint is: d7:7d:cf:16:07:3b:5e:17:dc:b7:52:f1:eb:49:37:b1
Too difficult to recognize or retype => Blind Acceptance
Improved solution
Use more user friendly format for public key verification (with the same security)
Public key (1024) -> Hashed Public Key (64) ->
  String of English words: “SCAN TOTE NOON DIE MAID COP”
  String Alpha-Numeric words: “4786 8fsh hprb”
  Picture
English Words format
RFC1760 (The S/KEY One-Time Password System) defines a table of 2048 English words, each 2-4 letters long.
Public key (1024) -> Hashed Public Key (66)
Each 11 bits represent one word from the table
6 words (66 bits) are secure enough
6 English words are easy to recognize
e.g. SCAN TOTE NOON DIE MAID COP
Verification interface
It is important that the user really checks the validity of the displayed value
The attacker's goal is to find an alternative public key with a similar “public password”
Our interface is designed to counter the tendency of users to answer every question by simply hitting the Enter key
Interface to user
4 different (but similar) options are displayed
User should choose the appropriate one.
(1) SCAN NOON DIE MAID TOTE COP
(2) SCAN TOTE NOON DIE MAID COP
(3) COP TOTE DIE SCAN MAID NOON
(4) TOTE DIE SCAN COP MAID NOON
What is the appropriate phrase?
Too much diversity
(1) TUM TANK TIP CUBE LID HELM
(2) SCAN TOTE NOON DIE MAID COP !
(3) BANK HANS BIN GOAT JET BEAM
(4) HIGH TUNE REID BARB BONY RAIN
User will remember only the first word “SCAN”
Attacker can find another key that converts to a string starting with “SCAN”, e.g. “SCAN GOAT DIE JET TANK COP”
Security decreased from 2^66 to 2^11
Too much similarity
(1) SCAN BEAM NOON DIE MAID COP
(2) SCAN TOTE NOON DIE MAID COP !
(3) BANK TOTE NOON DIE MAID COP
(4) SCAN TOTE NOON JET MAID COP
Each alternative is one word away from the right string.
Instead of checking the correct answer, the user may derive the “right” option from the proposed list
Our suggestion
(1) SCAN NOON DIE MAID TOTE COP
(2) SCAN TOTE NOON DIE MAID COP !
(3) COP TOTE DIE SCAN MAID NOON
(4) TOTE DIE SCAN COP MAID NOON
Each alternative is created from the previous one by a permutation of two randomly chosen words.
Strings are randomly placed from 1 to 4.
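The decoy construction from this slide, as an added Python example (not the presenters' code). It assumes that "permutation of two randomly chosen words" means exchanging two positions; `build_challenge` and `check_answer` are hypothetical names.

```python
import random

def swap_two(words, rng):
    """Return a copy of `words` with two randomly chosen positions exchanged."""
    i, j = rng.sample(range(len(words)), 2)
    out = list(words)
    out[i], out[j] = out[j], out[i]
    return out

def build_challenge(phrase, n_options=4, rng=None, max_tries=1000):
    """Return (options, correct_number) for the selection prompt.

    Every decoy holds exactly the words of the real phrase, so no single
    word gives the answer away; the user has to read the whole order.
    """
    rng = rng or random.SystemRandom()
    correct = phrase.split()
    if len(correct) < 2:
        raise ValueError("phrase needs at least two words")
    chain = [correct]
    tries = 0
    while len(chain) < n_options:
        tries += 1
        if tries > max_tries:
            raise ValueError("not enough distinct orderings for this phrase")
        candidate = swap_two(chain[-1], rng)   # derived from the previous one
        if candidate not in chain:             # a swap may undo an earlier one
            chain.append(candidate)
    rng.shuffle(chain)                         # random placement 1..n_options
    return [" ".join(w) for w in chain], chain.index(correct) + 1

def check_answer(answer, correct_number):
    """Accept only an explicit, correct choice; a bare Enter never confirms."""
    answer = answer.strip()
    return answer.isdigit() and int(answer) == correct_number

if __name__ == "__main__":
    options, number = build_challenge("SCAN TOTE NOON DIE MAID COP")
    for n, text in enumerate(options, 1):
        print("(%d) %s" % (n, text))
```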
Alpha-Numeric format
Based on 26 letters and 10 digits.
  Letters ‘l’ and ‘o’ excluded.
  Digits ‘1’ and ‘0’ excluded.
  Total 32 symbols are used.
Public key (1024) -> Hashed Public Key (60)
Each 5 bits represent one Alpha-Numeric symbol
12 symbols (60 bits) are secure enough
12 symbols - 3 words are easy to recognize
e.g. “qu24 ih2q sswb”
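An added Python example (not from the presentation or its SSH changes) that derives both string formats, the six 11-bit word indices of the English Words slide and the twelve 5-bit symbols of this slide. The symbol order, the use of the leading SHA-1 bits and all function names are assumptions; the RFC 1760 table is passed in rather than embedded.

```python
import hashlib

# Assumed symbol order: digits 2-9, then a-z without 'l' and 'o' (32 symbols).
ALPHABET = "23456789abcdefghijkmnpqrstuvwxyz"

def leading_bits(public_key: bytes, nbits: int) -> int:
    """Hash the key with SHA-1 and keep the leading nbits (assumed choice)."""
    digest = hashlib.sha1(public_key).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - nbits)

def split_bits(value: int, nbits: int, width: int) -> list:
    """Cut an nbits-wide integer into groups of `width` bits, high bits first."""
    mask = (1 << width) - 1
    return [(value >> s) & mask for s in range(nbits - width, -1, -width)]

def alphanumeric_password(public_key: bytes) -> str:
    """60 bits -> 12 symbols, shown as 3 words of 4 symbols."""
    idx = split_bits(leading_bits(public_key, 60), 60, 5)
    symbols = "".join(ALPHABET[i] for i in idx)
    return " ".join(symbols[i:i + 4] for i in range(0, 12, 4))

def word_indices(public_key: bytes) -> list:
    """66 bits -> six 11-bit indices into the 2048-entry word table."""
    return split_bits(leading_bits(public_key, 66), 66, 11)

def english_words_password(public_key: bytes, table) -> str:
    if len(table) != 2048:
        raise ValueError("expected the 2048-word table")
    return " ".join(table[i] for i in word_indices(public_key))

def retyped_matches(public_key: bytes, typed: str) -> bool:
    """Compare a retyped value with the computed one, ignoring case and spacing."""
    def normalise(s):
        return "".join(s.lower().split())
    return normalise(typed) == normalise(alphanumeric_password(public_key))

if __name__ == "__main__":
    sample_key = b"constructed sample key bytes"   # constructed input
    print(alphanumeric_password(sample_key))
    print(word_indices(sample_key))
```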
Outline
Why public key verification?
Human friendly public key verification
Authentication through image
SSH integration and demo
Visual format
Maybe the most user friendly option.
Huge number of different pictures.
Easy to remember and recognize.
Image verification
What is the appropriate image?
Image properties
The images should meet the following requirements [PS99]:
Regularity
  Easy to recognize
Minimal complexity
  Avoid too simplified images
Collision resistance
  Hard to find two different keys represented by the same or very similar image.
Minimal complexity
Compression (zlib) is used to check regularity and minimal complexity of the image.
Too high compression ratio == Very simplified image == Easy to falsify
e.g. Compression ratio 6%
Regularity
Too low compression ratio == Not regular image == Difficult to recognize
e.g. Compression ratio 82%
Compression ratio thresholds that guarantee Regularity and Minimal Complexity of the image: 35 - 70 %
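The zlib check from the Minimal complexity and Regularity slides, as an added Python example (not the presenters' code). It takes the ratio as compressed size over raw size in percent, which matches the 6% and 82% examples; compressing packed r, g, b bytes and the three constructed sample images are assumptions.

```python
import random
import struct
import zlib

LOW, HIGH = 35.0, 70.0   # acceptance window from the slides, in percent

def pixels_to_bytes(pixels):
    """Pack 0x00bbggrr words as r, g, b bytes. Dropping the unused top byte
    is an assumption; the slides do not say which bytes were compressed."""
    return b"".join(struct.pack("<I", p)[:3] for p in pixels)

def compression_ratio(pixels) -> float:
    """Compressed size as a percentage of the raw size."""
    raw = pixels_to_bytes(pixels)
    return 100.0 * len(zlib.compress(raw, 9)) / len(raw)

def classify(pixels) -> str:
    ratio = compression_ratio(pixels)
    if ratio < LOW:
        return "too simple"      # compresses too well: easy to falsify
    if ratio > HIGH:
        return "not regular"     # barely compresses: hard to recognize
    return "acceptable"

# Constructed 64x64 sample images, not output of the real generator.
W = H = 64
_rng = random.Random(2002)
FLAT = [0x000000FF] * (W * H)                          # a single red colour
NOISE = [_rng.getrandbits(24) for _ in range(W * H)]   # independent random pixels
MIXED = NOISE[: W * H // 2] + FLAT[W * H // 2:]        # half noise, half flat

if __name__ == "__main__":
    for name, image in (("flat", FLAT), ("noise", NOISE), ("mixed", MIXED)):
        print(name, round(compression_ratio(image), 1), classify(image))
```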
Collision Resistance
Very small probability to find two different keys represented by the same (or very similar) image.
To calculate differences between two pictures, the “normal correlation” formula is used:
diff[%] = 100 * [formula garbled in the transcript: an expression built from sums over i = 1 .. h*w of squared r, g, b terms of the two pictures]
w – width of picture in pixels, h – height of picture in pixels
ri, gi, bi – red, green and blue components of the colour for pixel “i” in the picture.
Image creation method
Based on idea of “randomArt” [Bau98].
N*M image created from the 64 bits key.
Picture format is array of long words (32 bits) of size of “width*height” (N*M)
Each long word represents an RGB colour of a pixel in the picture (0x00bbggrr).
  0x000000FF – red, 0x00FF0000 – blue, 0x0000FF00 – green
Image creation method (1)
[Diagram]
64 bits Hashed key: F1 F2 ..... F16
Pixel coordinates (x, y) -> (x,y) -> (r, g, b) -> Input Color (r, g, b)
Input Color (r, g, b) -> F1, S(1) -> F2, S(2) -> ..... -> F16, S(16) -> Output Color (r', g', b')
Image creation method (2)
The algorithm is based on a set of 16 mathematical functions that convert an input colour {r, g, b} to an output colour {r’, g’, b’}.
Each 4 bits of the key define one of the functions from the set.
The initial value of the colour for each pixel depends on the coordinates {x, y} of the pixel
S(1) .. S(16) shift the colour according to the function's position.
Image creation method (3)
Each one of the 16 functions:
  Continuous, r ∈ [-1; 1], r’ ∈ [-1; 1]
  r’=log10(4.1 + 4*r); r’=sin(5*r); r’=0.8*atan(-3*r)
Statistical results
Quality of image (Regularity and Minimal Complexity)
1000 randomly chosen keys
[Histogram: Number of Images (y axis, 0 to 140) against Compression Rate [%] (x axis, 0 to 100)]
About 700 of the 1000 images are “good” images (compression rate in the range 35-70 %)
Statistical results (1)
Collision resistance of the image
  One “good” reference image is chosen
  1000 other “good” images are compared with the reference image according to the formula above.
Results:
  Most of the images have ~25-40% difference from the reference image.
  No image has a difference of less than 15% from the reference image.
Outline
Why public key verification?
Human friendly public key verification
Authentication through image
SSH integration and demo
SSH Overview
SSH is a protocol for secure network services (telnet, rlogin) over an insecure network.
It consists of three major components:
  Transport layer protocol provides Server Authentication, Confidentiality and Integrity.
  User authentication protocol authenticates the Client side to the Server.
  Connection protocol multiplexes encrypted tunnels into several logical channels.
SSH integration
No changes in SSH server (sshd)
Key Generator (ssh-keygen) is changed
SSH Client (ssh) is changed
Full Backward compatibility
SSH Framework
Key Generation
  Generate and display all possible formats
  Only a key that can be converted into a “good” image will be accepted
Diffie-Hellman Key Exchange and Server Authentication
  Server has Kprv/Kpub - private/public key pair
  Client creates e=(g^x mod p) and sends it to Server
  Server creates f=(g^y mod p)
SSH Framework (1)
Server receives “e” from Client
Server computes K=(e^y mod p)
Server computes H=hash( Kpub | e | f | K )
Server computes s = sign(H) with Kprv
Server sends ( Kpub | f | s ) to Client
Client verifies Kpub received from Server !!!
Client computes K=(f^x mod p)
Client computes H=hash( Kpub | e | f | K )
Client verifies the signature “s” on H
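The exchange above run end to end, as an added Python example (not SSH code and not the presenters' implementation), showing why the "Client verifies Kpub" step matters: a peer that signs with its own key pair still produces a valid signature. The small DH group, the unpadded textbook RSA, the key values and every function name are constructed for illustration.

```python
import hashlib
import secrets

P, G = 2**127 - 1, 3    # toy DH group (Mersenne prime), far too small for real use

def toy_keypair(p, q, e=65537):
    """Textbook RSA without padding, for illustration only."""
    n = p * q
    return {"pub": (n, e), "d": pow(e, -1, (p - 1) * (q - 1))}

def exchange_hash(kpub, e, f, k):
    """H = hash(Kpub | e | f | K), reduced so the toy RSA can sign it."""
    data = "|".join(str(v) for v in (*kpub, e, f, k)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % kpub[0]

def hashed_key(kpub):
    """64-bit hashed public key, the value behind the 'public password'."""
    return hashlib.sha1(repr(kpub).encode()).hexdigest()[:16]

def server_reply(key, e):
    """Server side: pick y, compute f, K, H and s, send (Kpub | f | s)."""
    y = secrets.randbelow(P - 3) + 2
    f = pow(G, y, P)
    k = pow(e, y, P)
    s = pow(exchange_hash(key["pub"], e, f, k), key["d"], key["pub"][0])
    return key["pub"], f, s

def client_connect(peer, known_hashed_key):
    """Client side. Returns (key_confirmed, signature_valid)."""
    x = secrets.randbelow(P - 3) + 2
    e = pow(G, x, P)
    kpub, f, s = peer(e)
    key_confirmed = hashed_key(kpub) == known_hashed_key    # the "!!!" step
    k = pow(f, x, P)
    signature_valid = pow(s, kpub[1], kpub[0]) == exchange_hash(kpub, e, f, k)
    return key_confirmed, signature_valid

SERVER = toy_keypair(2**61 - 1, 2**89 - 1)      # constructed toy keys
IMPOSTOR = toy_keypair(2**89 - 1, 2**107 - 1)   # plays K'prv/K'pub of the MITM slide

def demo():
    known = hashed_key(SERVER["pub"])           # value the user knows out of band
    honest = client_connect(lambda e: server_reply(SERVER, e), known)
    attacked = client_connect(lambda e: server_reply(IMPOSTOR, e), known)
    return honest, attacked

if __name__ == "__main__":
    print(demo())
```

In the second run the signature check alone passes; only the comparison against the known hashed key fails, which is the case the public-password prompt is meant to catch.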
Supported formats
Client chooses key representation format:
  (1) Fingerprint
  (2) EnglishWords
  (3) AlphaNumeric
  (4) Visual
Verification actions
Client chooses key verification action:
  (1) Confirm
  (2) Retype
  (3) Abort
Start Updated SSH demonstration !!!
Summary
“Public passwords” are a more user friendly method for Server authentication
New method for key visualization and authentication
Integrate all of the above into SSH and improve its overall security
Future work
Other user friendly string formats
Other mechanism to create alternative strings
Improve picture quality (Regularity)
Improve picture compare algorithm and analyze collision resistance
Grayscale images
References
[HK99] Shai Halevi, Hugo Krawczyk. Public-key cryptography and password protocols. 1999
[PS99] Adrian Perrig, Dawn Song. Hash Visualization: a New Technique to improve Real-World Security. 1999
[DP00] Rachna Dhamija, Adrian Perrig. Using Images for Authentication. 2000
[Bau98] Andrej Bauer. Gallery of random art. 1998