on the provable security of the dragonfly protocol
play

On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 - PowerPoint PPT Presentation

Mar 04, 2024 •257 likes •915 views

PAKEs Dragonfly Results Conclusion On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1 Interdisciplinary Centre for Security, Reliability and Trust University of Luxembourg ISC 2015 1 / 18 PAKEs

  1. PAKEs Dragonfly Results Conclusion On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan Škrobot 1 1 Interdisciplinary Centre for Security, Reliability and Trust University of Luxembourg ISC 2015 1 / 18

  2. PAKEs Dragonfly Results Conclusion Outline 1. PAKEs 2. Dragonfly 3. Results 4. Conclusion 2 / 18

  3. PAKEs Dragonfly Results Conclusion Intro Password Authenticated Key Exchange PAKE Problem: 3 / 18

  4. PAKEs Dragonfly Results Conclusion Intro Password Authenticated Key Exchange PAKE Problem: ◮ Setup: Shared low-entropy secret (password) 3 / 18

  5. PAKEs Dragonfly Results Conclusion Intro Password Authenticated Key Exchange PAKE Problem: ◮ Setup: Shared low-entropy secret (password) ◮ Goal: High-entropy session key 3 / 18

  6. PAKEs Dragonfly Results Conclusion Intro Password Authenticated Key Exchange PAKE Problem: ◮ Setup: Shared low-entropy secret (password) ◮ Goal: High-entropy session key ◮ Without PKI 3 / 18

  7. PAKEs Dragonfly Results Conclusion Intro Password Authenticated Key Exchange PAKE Problem: ◮ Setup: Shared low-entropy secret (password) ◮ Goal: High-entropy session key ◮ Without PKI ◮ Only password for authentication 3 / 18

  8. PAKEs Dragonfly Results Conclusion Intro Password Authenticated Key Exchange PAKE Problem: ◮ Setup: Shared low-entropy secret (password) ◮ Goal: High-entropy session key ◮ Without PKI ◮ Only password for authentication ◮ Prevent offline-dictionary attacks 3 / 18

  9. PAKEs Dragonfly Results Conclusion Intro Password Authenticated Key Exchange PAKE Problem: ◮ Setup: Shared low-entropy secret (password) ◮ Goal: High-entropy session key ◮ Without PKI ◮ Only password for authentication ◮ Prevent offline-dictionary attacks ◮ Limit online-guessing attacks 3 / 18

  10. PAKEs Dragonfly Results Conclusion Intro Design Techniques Typical approaches for designing efficient PAKEs in (ROM): 4 / 18

  11. PAKEs Dragonfly Results Conclusion Intro Design Techniques Typical approaches for designing efficient PAKEs in (ROM): 1. "EKE-style" E pw ( g x ) − − − − − − − − − − → E pw ( g y ) ← − − − − − − − − − − 4 / 18

  12. PAKEs Dragonfly Results Conclusion Intro Design Techniques Typical approaches for designing efficient PAKEs in (ROM): 1. "EKE-style" E pw ( g x ) − − − − − − − − − − → E pw ( g y ) ← − − − − − − − − − − 2. "SPEKE-style" ( H ( pw )) x − − − − − − − − − − → ( H ( pw )) y ← − − − − − − − − − − 4 / 18

  13. PAKEs Dragonfly Results Conclusion Intro Design Techniques Typical approaches for designing efficient PAKEs in (ROM): 1. "EKE-style" E pw ( g x ) − − − − − − − − − − → E pw ( g y ) ← − − − − − − − − − − 2. "SPEKE-style" ( H ( pw )) x − − − − − − − − − − → ( H ( pw )) y ← − − − − − − − − − − 3. "J-PAKE-style" ( D 1 ) xpw , π 1 − − − − − − − − − − → ( D 2 ) ypw , π 2 ← − − − − − − − − − − 4 / 18

  14. PAKEs Dragonfly Results Conclusion Security Models Security Models for PAKE PAKE Security Models: 5 / 18

  15. PAKEs Dragonfly Results Conclusion Security Models Security Models for PAKE PAKE Security Models: 1. Indistinguishability-Based Model [BR93,95] ◮ Find-then-Guess [BPR00] ◮ Real-or-Random [AFP05] 5 / 18

  16. PAKEs Dragonfly Results Conclusion Security Models Security Models for PAKE PAKE Security Models: 1. Indistinguishability-Based Model [BR93,95] ◮ Find-then-Guess [BPR00] ◮ Real-or-Random [AFP05] 2. Simulation-Based Model [S99] ◮ Modified Shoup’s model [BMP00] ◮ Plain model PAKEs [GL01] 5 / 18

  17. PAKEs Dragonfly Results Conclusion Security Models Security Models for PAKE PAKE Security Models: 1. Indistinguishability-Based Model [BR93,95] ◮ Find-then-Guess [BPR00] ◮ Real-or-Random [AFP05] 2. Simulation-Based Model [S99] ◮ Modified Shoup’s model [BMP00] ◮ Plain model PAKEs [GL01] 3. Universal Composability Model [CK02] ◮ UC for PAKE [CHKLM05] 5 / 18

  18. PAKEs Dragonfly Results Conclusion Security Models Security Models for PAKE PAKE Security Models: 1. Indistinguishability-Based Model [BR93,95] ◮ Find-then-Guess [BPR00] ◮ Real-or-Random [AFP05] 2. Simulation-Based Model [S99] ◮ Modified Shoup’s model [BMP00] ◮ Plain model PAKEs [GL01] 3. Universal Composability Model [CK02] ◮ UC for PAKE [CHKLM05] 5 / 18

  19. PAKEs Dragonfly Results Conclusion Indistinguishability-Based Model for PAKEs Find-then-Guess BPR Model Queries available to PPT adversary A : Send( U i , M ) - message exchange ◮ Send ◮ Execute Execute( C i , S j ) - eavesdropping ◮ Reveal Reveal( U i ) - leakage of the session key ◮ Corrupt Corrupt( U ) - leakage of the long term secret* Test( U i ) - semantic security of the session key ◮ Test 6 / 18

  20. PAKEs Dragonfly Results Conclusion Indistinguishability-Based Model for PAKEs Find-then-Guess BPR Model Queries available to PPT adversary A : Send( U i , M ) - message exchange ◮ Send ◮ Execute Execute( C i , S j ) - eavesdropping ◮ Reveal Reveal( U i ) - leakage of the session key ◮ Corrupt Corrupt( U ) - leakage of the long term secret* Test( U i ) - semantic security of the session key ◮ Test What security means in BPR model? 6 / 18

  21. PAKEs Dragonfly Results Conclusion Indistinguishability-Based Model for PAKEs Find-then-Guess BPR Model Queries available to PPT adversary A : Send( U i , M ) - message exchange ◮ Send ◮ Execute Execute( C i , S j ) - eavesdropping ◮ Reveal Reveal( U i ) - leakage of the session key ◮ Corrupt Corrupt( U ) - leakage of the long term secret* Test( U i ) - semantic security of the session key ◮ Test What security means in BPR model? Definition Protocol P is forward secure PAKE if for all PPT adversaries A making at most n se online attempts, where N is the size of the dictionary and C is a constant ( A ) ≤ C · n se Adv ake Adv + ε . (1) P N 6 / 18

  22. PAKEs Dragonfly Results Conclusion The Dragonfly Protocol Motivation Why Dragonfly? 7 / 18

  23. PAKEs Dragonfly Results Conclusion The Dragonfly Protocol Motivation Why Dragonfly? ◮ Submitted for standard in IETF (patent free) ◮ Dragonfly PAKE ◮ PSK (PWD) for IKE - RFC 6617 (Experimental), 2012 ◮ EAP-PWD - RFC 5931 (Informational), 2010 ◮ TLS-PWD 7 / 18

  24. PAKEs Dragonfly Results Conclusion The Dragonfly Protocol Motivation Why Dragonfly? ◮ Submitted for standard in IETF (patent free) ◮ Dragonfly PAKE ◮ PSK (PWD) for IKE - RFC 6617 (Experimental), 2012 ◮ EAP-PWD - RFC 5931 (Informational), 2010 ◮ TLS-PWD ◮ Fully symmetric (no strict roles) 7 / 18

  25. PAKEs Dragonfly Results Conclusion The Dragonfly Protocol Motivation Why Dragonfly? ◮ Submitted for standard in IETF (patent free) ◮ Dragonfly PAKE ◮ PSK (PWD) for IKE - RFC 6617 (Experimental), 2012 ◮ EAP-PWD - RFC 5931 (Informational), 2010 ◮ TLS-PWD ◮ Fully symmetric (no strict roles) ◮ Follows SPEKE design approach 7 / 18

  26. PAKEs Dragonfly Results Conclusion The Dragonfly Protocol Motivation Why Dragonfly? ◮ Submitted for standard in IETF (patent free) ◮ Dragonfly PAKE ◮ PSK (PWD) for IKE - RFC 6617 (Experimental), 2012 ◮ EAP-PWD - RFC 5931 (Informational), 2010 ◮ TLS-PWD ◮ Fully symmetric (no strict roles) ◮ Follows SPEKE design approach ◮ Without security proof 7 / 18

  27. PAKEs Dragonfly Results Conclusion The Dragonfly Protocol Motivation Why Dragonfly? ◮ Submitted for standard in IETF (patent free) ◮ Dragonfly PAKE ◮ PSK (PWD) for IKE - RFC 6617 (Experimental), 2012 ◮ EAP-PWD - RFC 5931 (Informational), 2010 ◮ TLS-PWD ◮ Fully symmetric (no strict roles) ◮ Follows SPEKE design approach ◮ Without security proof ◮ Stirred some controversy 7 / 18

  28. PAKEs Dragonfly Results Conclusion The Dragonfly Protocol Dragonfly draft specifications Client Server Initialization Public: G , p , q ; H 0 , H 2 : { 0 , 1 } ∗ → { 0 , 1 } k ; H 1 : { 0 , 1 } ∗ → { 0 , 1 } 2 k ; π ∈ Passwords ; seed := H 0 ( C, S, π, c ) max,min ; PW := H & P ( seed, l 1 ). m 1 , r 1 ← Z q m 2 , r 2 ← Z q s 1 := r 1 + m 1 s 2 := r 2 + m 2 E 1 := PW − m 1 E 2 := PW − m 2 C, E 1 , s 1 S, E 2 , s 2 abort if ¬ Good( E 2 , s 2 ) abort if ¬ Good( E 1 , s 1 ) σ := ( PW s 2 × E 2 ) r 1 σ := ( PW s 1 × E 1 ) r 2 kck | sk C := H 1 ( σ, l 2 ) kck | sk S := H 1 ( σ, l 2 ) κ := H 2 ( kck, C, s 1 , s 2 , E 1 , E 2 ) τ := H 2 ( kck, S, s 2 , s 1 , E 2 , E 1 ) ˆ τ := H 2 ( kck, S, s 2 , s 1 , E 2 , E 1 ) ˆ κ := H 2 ( kck, C, s 1 , s 2 , E 1 , E 2 ) κ τ abort if τ � = ˆ τ abort if κ � = ˆ κ 8 / 18

Recommend

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal Koblitz, Palash Sarkar) EUROCRYPT 2012 1 Provable security Goal: To prove that a protocol P is secure with respect to a computational problem or

1.32k views • 91 slides
Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly,

Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly,

2/7/2012 Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly, Project 1 Provide overview of Dragonfly architecture Class diagrams Discuss details needed to fully implement Dragonfly classes

900 views • 42 slides
The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lets focus on what provable security is trying to do. Lets not get distracted by current

623 views • 9 slides
Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Bart Preneel September 2007 Cryptographic Algorithm Engineering and Provable Security Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher Basic concepts Foundations of Security Analysis and

958 views • 31 slides
Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de Chile Advanced Crypto School, Florian opolis October 17, 2013 1/77 Introduction to Cryptography Part I

1.15k views • 99 slides
Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David Pointcheval Ecole normale suprieure France Summary Summary The Methodology of Provable Security Complexity Assumptions

351 views • 24 slides
Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2 Yassine Lakhnech 3 Santiago Zanella Beguelin 1 1 IMDEA Software, Madrid, Spain 2 INRIA Sophia Antipolis - Mditerrane, France 2 VERIMAG, CNRS

675 views • 14 slides
Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada CANS 2013 Nov 20, 2013 1 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM Galois/Counter Mode (GCM)

957 views • 56 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonblood : Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security 1999: Wired Equivalent Privacy (WEP) RC4 with 40 (!) or 104 bits key Broken in 2001 [FMS01] Deprecated 2004 2

1.58k views • 105 slides
Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David Pointcheval Dpartement dInformatique ENS - CNRS David.Pointcheval@ens.fr http://www.di.ens.fr/~pointche Overview Overview Provable

365 views • 21 slides
Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Summary Summary Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security Asymmetric Encryption Rennes January 2004 New Schemes Joint work with Duong Hieu Phan David Pointcheval David Pointcheval

638 views • 8 slides
AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

1. Why we created AEZ AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated Encryption 5. Components FF0 and EME4 by Enciphering 6. AEZ Extensions Viet Tung Hoang Ted Krovetz

721 views • 31 slides
Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Outline Introduction Preliminaries Impossible differential Conclusion Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis Jian Guo Nanyang Technological University, Singapore

796 views • 51 slides
Transport Layer Security The TLS Protocol Transport Layer Security (TLS) Security goals:

Transport Layer Security The TLS Protocol Transport Layer Security (TLS) Security goals:

IN3210 Network Security Transport Layer Security The TLS Protocol Transport Layer Security (TLS) Security goals: Authentication Integrity Confidentiality Transparent security protocol between TCP and application

1k views • 66 slides
Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Provable Security Meets the Real World Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH Binary Packet Protocol IPsec MAC-then-Encrypt Lessons learned? 2 Outline RSA encryption in PKCS#1

948 views • 61 slides
Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval

Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval

Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Introduction Asymmetric Cryptography Computational Assumptions Security

498 views • 31 slides
Threads and DragonFly BSD Improving Thread Performance on DragonFly BSD Conduits for program

Threads and DragonFly BSD Improving Thread Performance on DragonFly BSD Conduits for program

Threads and DragonFly BSD Improving Thread Performance on DragonFly BSD Conduits for program execution Concurrency A property that allows several vessels of execution to be run without a predefined order. Parallelism A property that

625 views • 23 slides
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University FSE 2012 March 19, 2012 Introduction CRADIC Linear Hull SPN and Two Strategies Highly

757 views • 47 slides
Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier Chevassut Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Key Agreement and

299 views • 19 slides
The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net DIWALL Seminar March 20, 2008 Contents Part I Introduction Part II Signature Schemes Part III Encryption Schemes Part IV Conclusion Part I

463 views • 24 slides
On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key

On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key

Introduction Related-Key Attacks Chosen-Key Attacks Conclusion On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key Attacks Benot Cogliati 1 and Yannick Seurin 2 1 Versailles University, France 2

1.23k views • 94 slides
Provable security of Internet cryptography protocols Douglas Stebila Based on joint works with

Provable security of Internet cryptography protocols Douglas Stebila Based on joint works with

Provable security of Internet cryptography protocols Douglas Stebila Based on joint works with Florian Bergsma, Katriel Cohn-Gordon, Cas Cremers, Ben Dowling, Marc Fischlin, Felix Gnther, Luke Garratt, Florian Kohlar, Jrg Schwenk Funding

899 views • 72 slides
How Secure and Quick is QUIC? Provable Security and Performance Analyses Robert Lychev * , Samuel

How Secure and Quick is QUIC? Provable Security and Performance Analyses Robert Lychev * , Samuel

How Secure and Quick is QUIC? Provable Security and Performance Analyses Robert Lychev * , Samuel Jero + , Alexandra Boldyreva * , and Cristina Nita-Rotaru ++ * Georgia Institute ++ Northeastern + Purdue of T echnology University University 1

536 views • 31 slides

More recommend