Key Exchange Using Passwords and Long Keys
Vladimir Kolesnikov
Charles Rackoff
Comp. Sci. University of Toronto

Communication Setting
[Figure labels: Insecure network; Full Control]

Secure Communication from Shared Random Key
[Figure labels: Trusted Party; $k \in_R D_K$; $k_2 \in_R D_K$]
• Simple
• Very efficient

Key Exchange (KE)
• A protocol between two parties
  • Both output (the same) randomly chosen $k \in D_K$
• Security
  • Adv does not know anything about k even if it sees all other exchanged keys
  • Adv cannot mismatch players
    • If Alice instance "thinks" she exchanged a key with Bob, then at most one instance of "Bob talking to Alice" may have the same key
• Players must have secret credentials

Defining KE
• Large amount of prior work
• An intuitive notion, but hard to define
• We want our definition to:
  • Be intuitive and easy to use
  • Reject "bad" protocols (allow powerful adversaries)
  • Accept "good" protocols (avoid unnecessary restrictions)

Simulation Style KE Definition
• Powerful
• But complicated
[Figure: Real $\approx$ Ideal; $\forall$, $\exists$]

Game Style KE Definition
• Seems to be almost as powerful
• Self-contained
• Simpler
Plays the game:
• challenge a completed honest player
Challenge:
• Present either a key or a random string
• Adversary guesses which
• Should not do too well

Our Setting
• Asymmetric – Server (e.g. Bank) and Clients
• Large secure storage of credentials
• Key on storage card
  • can be lost or stolen
• Memorized password
  • low entropy
  • guessing attack possible
• If card not stolen
  • have full security. Password guessing not possible
• If card is stolen, still have password security

Some Related Work
• Hybrid model (C has a pwd and pk of S)
  • Halevi Krawczyk 99, Boyarsky 99
• Simulation- vs game-style KE
  • Simulation-style KE
    • Shoup 99, Boyko MacKenzie Patel 00
    • Universally Composable (UC): Canetti Halevi Katz Lindell MacKenzie 05
  • Game-style KE
    • Bellare Pointcheval Rogaway 00

Denial of Access (DoA) Attack
• In Password-Authenticated KE, it is necessary to stop service if "too many" password failures $P\bot$
  • Adv can deny access for good guys
• We can protect against such attacks
  • Require that Adv cannot cause $P\bot$, unless he stole key card
• Don't know of previous formalizations of DoA
• Complements Denial of Service notion

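An added sketch of the accounting rule on this slide (not the protocol from the talk, and not the authors' code): the server counts a password failure only after the long-key check passes, so messages forged, altered or replayed without the key card are rejected without being counted. The HMAC message layout, `MAX_FAILURES`, `Server` and `client_response` are assumptions made for illustration; this is not a key exchange and does not model the stolen-card case.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # constructed lockout threshold (assumption)


def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def client_response(long_key: bytes, password: str, nonce: bytes):
    """Return (pwd_tag, card_tag); card_tag also covers pwd_tag."""
    pwd_tag = mac(mac(long_key, b"pwd-key", password.encode()), nonce)
    return pwd_tag, mac(long_key, b"card", nonce, pwd_tag)


class Server:
    def __init__(self, long_key: bytes, password: str):
        self.long_key, self.password = long_key, password
        self.failures = 0         # counted password failures only
        self.open_nonces = set()  # challenges issued and not yet used

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.open_nonces.add(nonce)
        return nonce

    def login(self, nonce: bytes, pwd_tag: bytes, card_tag: bytes) -> str:
        if self.failures >= MAX_FAILURES:
            return "locked"
        if nonce not in self.open_nonces:
            return "reject"  # replayed or stale challenge: not counted
        self.open_nonces.discard(nonce)
        expected_card = mac(self.long_key, b"card", nonce, pwd_tag)
        if not hmac.compare_digest(card_tag, expected_card):
            return "reject"  # forged or altered without the card: not counted
        expected_pwd, _ = client_response(self.long_key, self.password, nonce)
        if not hmac.compare_digest(pwd_tag, expected_pwd):
            self.failures += 1  # long key correct, password wrong
            return "password-failure"
        self.failures = 0
        return "ok"
```
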
Our Protocol
Note: No Mutual Authentication

Password updates
• Usually handled externally to the definition
• If C updates his pwd, then DoA attack is possible (Adv can replay old msgs)
  • Problem: have users with related credentials
• Solutions
  • Update long key as well
  • Have a challenge-response protocol
  • Keep password update counters
  • In the last two cases also need to update definition

Can a definition allow for mistyping passwords?
• We don't model this
• What if we allowed Adv to create instances with mistyped passwords?
  • Adv specifies the password
    • Is this how people mistype?
    • can behave badly on pwd' = pwd+1
  • Adv specifies a mistyping function
    • Only f that has 0, 1, |D|-1 or |D| fixed points is allowed
• UC-based definitions can handle this [CHKLM05]

Definitional Choices: Counting password attacks
• Adv can guess passwords
• Quantify advantage; "password attack"
• Previously
  • Act of Adv interfering with traffic (Insignificant change? Successful guess?)
• In our definition
  • Count failed password attacks – player outputs $P\bot$

Summary
• Define Key Exchange (KE) in a new model
  • Generalization of the hybrid model of Halevi-Krawczyk (HK)
  • (Some of) our discussion applies to other models (password-only and hybrid model of HK)
• Give a new efficient KE protocol
• Discuss a potential flaw in the HK protocols
  • Some members of the family of the HK protocols are vulnerable to password guessing attacks

Other
• Extended version is on Eprint. Contains:
  • Proofs
  • Discussion on storing passwords on the server
  • Discussion on password updates
• http://eprint.iacr.org/2006/057