Verifier-Based Password-Authenticated Key Exchange

CIST/ETRI/ISIT/KDDI/Kyusyu Univ./NICT Joint Research Workshop on Ubiquitous ... A fundamental problem in cryptography is how to communicate securely over an ...

1
Verifier-Based Password-Authenticated Key Exchange
Jeong Ok Kwon, December 17th, 2005
2
Motivation
  • A fundamental problem in cryptography is how to
    communicate securely over an insecure channel.

3
Motivation
  • How can we obtain a secret session key?
  • Public-key encryption or signature
  • too high for certain applications
  • Password-Authenticated Key Exchange (PAKE)
  • PAKE is to share a secret key between specified
    parties using just a human-memorable password.
  • convenience, mobility, and less hardware
    requirement
  • no security infrastructure

4
Intrinsic Problem
  • Low entropy of passwords
  • i.e., 4 or 8 characters, such as a natural-language
    phrase that is easy to memorize.
  • So they are susceptible to dictionary attacks.
  • On-line dictionary attacks
  • Off-line dictionary attacks

Even tiny amounts of redundancy in the flows of
the protocol could be used by the adversary to
mount dictionary attacks.
-> A protocol for PAKE must be immune to off-line attacks.
5
Classification for PAKE
6
Our work is about
  • In the Client/Server model
  • Verifier-based PAKE
  • for two-party with same passwords
  • for two-party with different passwords
  • for multi-party with different passwords

7
Our work is about
  • In the Client/Server model
  • Verifier-based PAKE
  • for two-party with same passwords
  • for two-party with different passwords
  • for multi-party with different passwords

[Diagram: U1 (pw1), Server]
8
Our work is about
  • In the Client/Server model
  • Verifier-based PAKE
  • for two-party with same passwords
  • for two-party with different passwords
  • for multi-party with different passwords

[Diagram: U1 (pw1), U2 (pw2), Server]
9
Our work is about
  • In the Client/Server model
  • Verifier-based PAKE
  • for two-party with same passwords
  • for two-party with different passwords
  • for multi-party with different passwords

[Diagram: U1 (pw1), U2 (pw2), U3 (pw3), U4 (pw4)]
10
Symmetric model vs. Verifier-based model
  • Symmetric model
  • the server stores a plaintext-form of a password.
  • Asymmetric model (or verifier-based)
  • the server stores a verifier for a password.

11
Symmetric model vs. Verifier-based model
  • Asymmetric model (or verifier-based)
  • the server stores a verifier for a password.

A verifier is the information computed from a
password. It is computable from the password
whereas the reverse is infeasible in polynomial
time.
12
Symmetric model vs. Verifier-based model
  • Asymmetric model (or verifier-based)
  • it is designed to protect against server
    compromise so that an attacker that is able to
    steal a password file from a server cannot later
    masquerade as a legitimate user without
    performing dictionary attacks.

13
Symmetric model vs. Verifier-based model
  • Symmetric model
  • the server stores a plaintext-form of a password.

14
Symmetric model vs. Verifier-based model
  • Asymmetric model (or verifier-based)
  • even if the password file is compromised, the
    attacker has to perform additional off-line
    dictionary attacks to find out passwords of the
    clients.
  • It will give the server systems administrator
    time to react and to inform its clients, which
    would reduce the damage of the corruption.

15
Comparison with the related verifier-based
protocol
p: length of a prime of Z_p; l: length of an output of a hash/MAC
function; n: number of members in a group
  • EPA: Y. H. Hwang, D. H. Yum, and P. J. Lee,
    "EPA: An Efficient Password-Based Protocol for
    Authenticated Key Exchange", ACISP 2003.

16
Comparison with the related verifier-based
protocol
  • B-SPEKE: D. Jablon, "Extended password key
    exchange protocols immune to dictionary attack",
    in WETICE'97 Workshop on Enterprise Security,
    1997.
  • SRP: T. Wu, "Secure remote password
    protocol", Proceedings of the ISOC NDSS
    Symposium, pages 99-111, 1998.
  • AMP: T. Kwon, "Authentication and key
    agreement via memorable password", Proceedings of
    the ISOC NDSS Symposium, 2001.
  • PAK-Z: P. MacKenzie, "The PAK suite: Protocols
    for Password-Authenticated Key Exchange",
    http://grouper.ieee.org/groups/1363/passwdPK/contributions.html#Mac02,
    April 2002.
  • EPA: Y. H. Hwang, D. H. Yum, and P. J.
    Lee, "EPA: An Efficient Password-Based Protocol
    for Authenticated Key Exchange", ACISP 2003.
  • VB-EKE: M. Abdalla, O. Chevassut, and D.
    Pointcheval, "One-time Verifier-based Encrypted
    Key Exchange", PKC '05.

17
Comparison with the related verifier-based
protocol
  • B-SPEKE: D. Jablon, "Extended password key
    exchange protocols immune to dictionary attack",
    in WETICE'97 Workshop on Enterprise Security,
    1997.
  • SRP: T. Wu, "Secure remote password
    protocol", Proceedings of the ISOC NDSS
    Symposium, pages 99-111, 1998.
  • AMP: T. Kwon, "Authentication and key
    agreement via memorable password", Proceedings of
    the ISOC NDSS Symposium, 2001.
  • PAK-Z: P. MacKenzie, "The PAK suite: Protocols
    for Password-Authenticated Key Exchange",
    http://grouper.ieee.org/groups/1363/passwdPK/contributions.html#Mac02,
    April 2002.

18
Comparison with the related verifier-based
protocol
p: length of a prime of Z_p; l: length of an output of a hash/MAC
function; n: number of members in a group
The focus of this work is on the round-efficient
verifier-based PAKE protocol
  • EPA: Y. H. Hwang, D. H. Yum, and P. J. Lee,
    "EPA: An Efficient Password-Based Protocol for
    Authenticated Key Exchange", ACISP 2003.

19
Comparison with the related verifier-based
protocol
p: length of a prime of Z_p; l: length of an output of a hash/MAC
function; n: number of members in a group
The focus of this work is on round-efficient
verifier-based PAKE protocol
The focus of this work is to construct secure
and round-efficient verifier-based PAKE protocols
for 2-/multi-party with different passwords
20
Preliminary for our protocols
  • Public information
    • G: a finite cyclic group of order q
    • p: a safe prime such that p = 2q + 1
    • g_1, g_2: generators of G
    • H: a collision-resistant one-way hash function
    • Mac = (Key.gen, Mac.gen, Mac.ver): a secure message
      authentication code
  • Initialization step
    • U_i selects a password pw_i
    • U_i registers $v_{i,1} = g_1^{H(U_i \| S \| pw_i)} \bmod p$ and
      $v_{i,2} = g_2^{H(U_i \| S \| pw_i)} \bmod p$ (verifiers of the
      password) to the server S over a secure channel.
    • S stores them in a password file with an entry
      for each user U_i.
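
The initialization step above, as an added Python example that is not part of the presentation. The toy safe prime p = 2039, SHA-256 as H, the length-prefixed encoding of the concatenation, the mapping of the hash into [1, q-1], and all function names are assumptions made for illustration.

```python
import hashlib

# Toy parameters (constructed for this example, far too small for real use):
# p = 2q + 1 is a safe prime, and squares mod p generate the order-q group G.
Q = 1019
P = 2 * Q + 1          # 2039
G1, G2 = 4, 9          # 2^2 and 3^2, both of order q

def encode(user: str, server: str, password: str) -> bytes:
    """Unambiguous U_i || S || pw_i: each field is length-prefixed (assumption)."""
    out = b""
    for field in (user, server, password):
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out

def exponent(user: str, server: str, password: str) -> int:
    """H(U_i || S || pw_i) mapped into [1, q-1] so a verifier is never 1."""
    digest = hashlib.sha256(encode(user, server, password)).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def make_verifiers(user: str, server: str, password: str):
    """Client side of the initialization step: returns (v_i1, v_i2)."""
    x = exponent(user, server, password)
    return pow(G1, x, P), pow(G2, x, P)

def in_group(v: int) -> bool:
    """Server-side sanity check: v is a non-identity element of G."""
    return 1 < v < P and pow(v, Q, P) == 1

def register(password_file: dict, user: str, verifiers) -> None:
    """Server side: store the verifiers only; the password never arrives."""
    if user in password_file:
        raise ValueError("user already registered")
    if not all(in_group(v) for v in verifiers):
        raise ValueError("verifier outside the order-q group")
    password_file[user] = tuple(verifiers)

def demo() -> dict:
    password_file = {}
    for user, pw in (("U1", "pw-one"), ("U2", "pw-two")):  # constructed sample
        register(password_file, user, make_verifiers(user, "S", pw))
    return password_file

if __name__ == "__main__":
    print(demo())
```
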

21
Verifier-based PAKE for 2-party with same
passwords
U1

Server
22
Verifier-based PAKE for 2-party with different
passwords
  • Motivation
  • PAKE for 2-party with same passwords
  • What if a user wants to communicate securely with
    many users?
  • the number of passwords that the user needs to
    memorize may increase linearly with the
    number of possible partners.

23
Verifier-based PAKE for 2-party with different
passwords
  • Motivation
  • PAKE for 2-party with different passwords
  • each user only shares a password with a trusted
    server.
  • the trusted server helps the users with different
    passwords to agree on a common session key.

24
U1
Server
U2
25
Verifier-based PAKE for multi-party with
different passwords
  • Motivation
  • PAKE for multi-party with same passwords
  • What if a user wants to communicate securely with
    many groups?
  • the number of passwords that the user needs to
    memorize may increase linearly with the
    number of possible groups.
  • the members have to share a new password
    whenever one wants to communicate securely with
    a new group

[Diagram: group with sk; every member holds (pw)]
26
Verifier-based PAKE for multi-party with
different passwords
  • Motivation
  • PAKE for multi-party with different passwords
  • each user only shares a password with a trusted
    server.
  • the trusted server helps the users with different
    passwords to agree on a group key.

[Diagram: group with sk; members hold (pw1), (pw2), (pw3), (pw4)]
27
Verifier-based PAKE for multi-party with
different passwords
R1
Server
28
Verifier-based PAKE for multi-party with
different passwords
R1
Server
29
Verifier-based PAKE for multi-party with
different passwords
R2
Server
30
Verifier-based PAKE for multi-party with
different passwords
R3
31
Verifier-based PAKE for multi-party with
different passwords
R3
32
Security Goal: Verifier-based PAKE
  • Security against dictionary attacks
  • passive eavesdropping does not help the adversary
    in computing any information about the password.
  • only interactions with the instances help the
    adversary in computing information about the
    password.
  • Key secrecy
  • no computationally bounded adversary (including
    the server) should learn anything about session
    keys shared between honest parties.
  • Server-compromise attack
  • even if an adversary steals the password file from
    the server, the adversary still cannot
    impersonate a user without performing dictionary
    attacks on the password file.

33
Security Goal: Verifier-based PAKE
  • Forward secrecy
  • the exposure of a password does not compromise the
    previous session keys.
  • Denning-Sacco attack
  • even with the session key from an eavesdropped
    session an adversary cannot gain the ability to
    impersonate the user directly.
  • an outsider attacker cannot gain the ability to
    perform off-line dictionary attacks against
    the passwords of users by using compromised
    session keys that were successfully established
    between honest entities.
  • an insider attacker that knows one's password
    does not learn any information about other users'
    passwords from the successfully established
    session key with the other.

34
Q & A
  • Thank you !