A Secure Login System with Portable Devices - PowerPoint PPT Presentation

Provided by: non8115
1
A Secure Login System with Portable Devices

2
Outline
  • Introduction
  • Security Requirements and Models
  • PAKE-SPD
  • Security Analysis
  • Conclusion

3
Introduction
  • Password Authentication
  • The user logs in to the system with identity id and
    password pw.

4
Introduction
  • Dictionary Attack
  • Users tend to use simple passwords.
  • pw is chosen from a small set (dictionary).
  • Any information sufficient to verify a password guess
    is critical.
  • Example: h(pw).

5
Introduction
  • Offline dictionary attack
  • Passive attack
  • Active attack
  • Partition attack
  • Online dictionary attack
  • Number of trials

6
Introduction
  • Mobile Devices
  • Storage and communication
  • SmartPhone, PDA
  • Combine password authentication and mobile
    devices
  • Store password for user.
  • Perform authentication automatically.

7
Introduction
  • Motivation

[Figure: Password Authentication with a mobile device. Labels: User (id, pw; Press), Mobile Device (Secret data), Semi-trusted Computer, Server (Verification Data), Key Exchange.]

8
Introduction
  • Users can perform password authentication in the
    original way

[Figure: Password Authentication and key exchange. Labels: User (id, pw), Trusted Computer (id, pw), Server (Verification Data).]

9
Security Requirements
  • Semantic Security
  • Unilateral Authentication
  • Forward Security
  • Password Protection

10
Security Model
  • The random oracle model.
  • Each party may have many instances in which to
    execute the protocol
  • Instances: PCi, Sj, Dk

11
Security Model
[Figure: Secure Portable Device (D), Public Computer (PC), Server (S), Adversary (Eavesdrop).]

12
Security Model
  • Execute(PCi, Sj, Dk): the transcript between (PC,S) and (PC,D).
  • Send(Ui, M): the response of PCi or Sj on input M, including
    the transcript between (PC,D).
  • Reveal(Ui): the session key of Ui.

13
Security Model
  • Semantic Security
  • Add an oracle Test and a random bit b.
  • The target instance Ui should be fresh

  • Test(Ui): outputs a random key if b = 0, or the session key of
    Ui if b = 1.

14
Security Model
  • Unilateral Authentication
  • The adversary breaks unilateral authentication if a
    server instance Sj terminates but no partner instance
    for Sj exists.

15
Security Model
  • Forward Security
  • An adversary cannot interact with the parties
    involved in past communication.
  • We can model forward security by providing pw
    and disabling the Send oracle.

16
Security Model
  • Password Protection
  • We assume the computer is semi-trusted
  • We model this ability by an oracle
  • Allow an adversary to choose the randomness.
  • Restrict an adversary to follow the protocol.

17
Security Model
  • Semi-Execute(M)
  • M = start, or the randomness used by PC.
  • Outputs the three-party transcript and the secret value
    used by PC.

[Figure: Semi-Execute oracle. Labels: start, transcript, randomness, transcript.]

18
PAKE-SPD
  • Password Setting, G(p,g,q)

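[Figure: password setting. The owf f maps pw to $sk = x$, $vk = g^x$; masking by $t$ in $\mathbb{Z}_q$ gives $sk' = xt$, $vk' = g^{xt}$. Parties: User (id, pw), Secure Portable Device, Server. Key labels: vk, vk, vk, sk.]
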
19
PAKE-SPD (with device)
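  • Device holds $H_0, H_1, H_2$, $vk'$, $sk'$; Public Computer holds
    $H_0, H_1, H_2$; Server S holds $H_0, H_1, H_2$, $vk'$.
  • Device: $\mathit{accept} \leftarrow \mathit{false}$;
    $a \leftarrow_R \mathbb{Z}_q$, $A \leftarrow g^a$;
    $\mathit{PW} \leftarrow H_0(id,S,A,B,vk')$;
    $K \leftarrow (C/\mathit{PW})^{1/a}$;
    $M \leftarrow H_1(id,S,A,B,C,K,vk')$;
    $d \leftarrow H_2(id,S,A,B,C,K,vk')$;
    $\mathit{Auth} \leftarrow \mathrm{Sign}(M,sk')$;
    $\mathit{accept} \leftarrow \mathit{true}$
  • Public Computer: $b \leftarrow_R \mathbb{Z}_q$, $B \leftarrow g^b$;
    $\mathit{SK} \leftarrow (g^d)^b$
  • Server S: $\mathit{accept} \leftarrow \mathit{false}$;
    $\mathit{terminate} \leftarrow \mathit{false}$;
    $c \leftarrow_R \mathbb{Z}_q$;
    $\mathit{PW} \leftarrow H_0(id,S,A,B,vk')$;
    $C \leftarrow \mathit{PW} \cdot A^c$; $K \leftarrow g^c$;
    $d \leftarrow H_2(id,S,A,B,C,K,vk')$;
    $M \leftarrow H_1(id,S,A,B,C,K,vk')$;
    check $\mathrm{Verify}(M,\mathit{Auth},vk')$;
    $\mathit{SK} \leftarrow B^d$;
    $\mathit{accept} \leftarrow \mathit{true}$;
    $\mathit{terminate} \leftarrow \mathit{true}$
  • Messages, in order:
    Device → Public Computer: $id, A$;
    Public Computer → Server: $id, A, B$;
    Server → Public Computer: $C, S$;
    Public Computer → Device: $B, C, S$;
    Device → Public Computer: $\mathit{Auth}, g^d$;
    Public Computer → Server: $\mathit{Auth}$
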
20
PAKE-SPD (without device)
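  • User holds id, pw; Computer holds $H_0, H_1, H_2$; Server S holds
    $H_0, H_1, H_2$, $vk$, $vk'$.
  • Computer: $\mathit{accept} \leftarrow \mathit{false}$;
    $f(pw) = (sk = x,\ vk = g^x)$;
    $a \leftarrow_R \mathbb{Z}_q$, $A \leftarrow g^a$;
    $b \leftarrow_R \mathbb{Z}_q$, $B \leftarrow g^b$;
    $\mathit{PW} \leftarrow H_0(id,S,A,B,vk)$;
    $K \leftarrow (C/\mathit{PW})^{1/a}$;
    $M \leftarrow H_1(id,S,A,B,C,K,vk)$;
    $d \leftarrow H_2(id,S,A,B,C,K,vk)$;
    $\mathit{Auth} \leftarrow \mathrm{Sign}(M,sk)$;
    $\mathit{accept} \leftarrow \mathit{true}$;
    $\mathit{SK} \leftarrow (g^d)^b$
  • Server S: $\mathit{accept} \leftarrow \mathit{false}$;
    $\mathit{terminate} \leftarrow \mathit{false}$;
    $c \leftarrow_R \mathbb{Z}_q$;
    $\mathit{PW} \leftarrow H_0(id,S,A,B,vk)$;
    $C \leftarrow \mathit{PW} \cdot A^c$; $K \leftarrow g^c$;
    $d \leftarrow H_2(id,S,A,B,C,K,vk)$;
    $M \leftarrow H_1(id,S,A,B,C,K,vk)$;
    check $\mathrm{Verify}(M,\mathit{Auth},vk)$;
    $\mathit{SK} \leftarrow B^d$;
    $\mathit{accept} \leftarrow \mathit{true}$;
    $\mathit{terminate} \leftarrow \mathit{true}$
  • Messages, in order:
    User → Computer: $id, pw$;
    Computer → Server: $id, A, B$;
    Server → Computer: $C, S$;
    Computer → Server: $\mathit{Auth}$
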
21
Security Analysis
  • Theorem 1 (Semantic Security / Unilateral
    Authentication)
  • PAKE-SPD provides unilateral authentication,
    and the agreed session keys are semantically
    secure.
  • Assume the DDH assumption holds in G.

22
Security Analysis
  • Proof idea
  • Game reductions, from a real game to a perfect
    game.
  • The protocol does not rely on the password.
  • The probability that an adversary can break the
    perfect game is small.
  • Then we prove that the difference between consecutive
    games is small.

23
Perfect Game
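  • Device holds $H_0, H_1, H_2$, $vk'$, $sk'$; Public Computer holds
    $H_0, H_1, H_2$; Server S holds $H_0, H_1, H_2$, $vk'$.
  • Device: $\mathit{accept} \leftarrow \mathit{false}$;
    $a \leftarrow_R \mathbb{Z}_q$, $A \leftarrow g^a$;
    $\mathit{Auth} \leftarrow H_1(id,S,A,B,C)$;
    $d \leftarrow H_2(id,S,A,B,C)$;
    $\mathit{accept} \leftarrow \mathit{true}$
  • Public Computer: $b \leftarrow_R \mathbb{Z}_q$, $B \leftarrow g^b$;
    $\mathit{SK} \leftarrow (g^d)^b$
  • Server S: $\mathit{accept} \leftarrow \mathit{false}$;
    $\mathit{terminate} \leftarrow \mathit{false}$;
    $c \leftarrow_R \mathbb{Z}_q$; $C \leftarrow A^c$;
    $\mathit{Auth}' \leftarrow H_1(id,S,A,B,C)$;
    $d \leftarrow H_2(id,S,A,B,C)$;
    check $\mathit{Auth} = \mathit{Auth}'$;
    $\mathit{SK} \leftarrow B^d$;
    $\mathit{accept} \leftarrow \mathit{true}$;
    $\mathit{terminate} \leftarrow \mathit{true}$
  • Messages, in order:
    Device → Public Computer: $id, A$;
    Public Computer → Server: $id, A, B$;
    Server → Public Computer: $C, S$;
    Public Computer → Device: $B, C, S$;
    Device → Public Computer: $\mathit{Auth}, g^d$;
    Public Computer → Server: $\mathit{Auth}$
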
24
Security Analysis
  • In the perfect game
  • d is computed from H2(id,S,A,B,C)
  • Auth is computed from H1(id,S,A,B,C)
  • H1 and H2 are secret to the adversary.
  • Distinguishing the session key from a random one
    is exactly the DDH problem.
  • Auth is totally random to the adversary.

25
Security Analysis
  • If an adversary can distinguish the real game
    from the perfect game
  • he must query $H(id,S,A=g^a,B,C,(C/\mathit{PW})^{-a},vk')$, for
    some transcript $(id,A,B),(C,S),(\mathit{Auth},g^d)$
  • Introduce a random challenge, given
    to compute

26
Security Analysis
  • Consider the passive attack
  • Choose a random instance Di, set A
  • Set PW (PWH0(id,S,A,B,vk))
  • Then, is in the hash record.

27
Security Analysis
  • Consider the active attack
  • The adversary can query exactly
    $H(id,S,A=g^a,B,C,(C/\mathit{PW})^{-a},vk')$ in each active
    attack for some pw.
  • Restricted to at most one pw.
  • The protocol does not rely on the password.
  • We can choose pw after the adversary outputs his
    guess.

28
Security Analysis
  • Case 1: the adversary controls S
  • The device is simulated.
  • Case 2: the adversary controls PC and D
  • The adversary tries to impersonate id to S
  • Each authenticator can be related to at most one
    password.

29
Security Analysis
  • Exclude the cases
  • A collision occurs in the partial transcript
  • A collision occurs when computing PW

30
Security Analysis
  • Forward Security
  • Only consider passive attack
  • Password Protection
  • A similar reasoning
  • For any partial transcript (A,B,C), A is always
    simulated.

31
Conclusion
  • We propose a password-based authenticated key
    exchange protocol with a secure portable device.
  • Another choice: do not mask the password
  • Simple setup
  • The user has to change his password if the device is
    lost.