outline password based authenticated key exchange
play

Outline Password-based Authenticated Key Exchange Password-based - PowerPoint PPT Presentation

May 20, 2023 •805 likes •927 views

PAKE Game-based Security Universal Composability LAKE Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1 David Pointcheval Ecole Normale Sup erieure Game-based Security 2 Universal

  1. PAKE Game-based Security Universal Composability LAKE Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1 David Pointcheval Ecole Normale Sup´ erieure Game-based Security 2 Universal Composability 3 Language-based Authenticated Key Exchange 4 PKC 2012 Darmstadt, Germany May 22nd, 2012 ´ Ecole Normale Sup´ erieure David Pointcheval 2/40 PAKE Game-based Security Universal Composability LAKE PAKE Game-based Security Universal Composability LAKE Introduction Introduction Key Exchange Protocols Diffie-Hellman Key Exchange A fundamental problem in cryptography: The classical Diffie-Hellman protocol allows such a key exchange: Enable secure communication over insecure channels in a finite cyclic group G , of prime order p , with a generator g A common scenario: X $ $ ← Z p , X ← g x ← Z p , Y ← g y Users encrypt and authenticate their messages x − − − − − − − − − − − − − → y using a shared secret key Y K ← Y x = g xy K ← X y = g xy ← − − − − − − − − − − − − − m A m A No authentication provided − − − − − − → − − − − − − → Authenticated Key Exchange m B m B Semantic security / Implicit Authentication: ← − − − − − − ← − − − − − − the session key should be indistinguishable from a random string Alice Bob to all except the expected players How to obtain such a shared secret key? − → Key exchange protocols ´ ´ Ecole Normale Sup´ erieure David Pointcheval 3/40 Ecole Normale Sup´ erieure David Pointcheval 4/40

  2. PAKE Game-based Security Universal Composability LAKE PAKE Game-based Security Universal Composability LAKE Introduction A Case Study Authentication Techniques Electronic Passport Since 1998, some passports contain digital information on a chip. Asymmetric technique Standards are specified by ICAO Assume the existence of a public-key infrastructure (International Civil Aviation Organization) Each party holds a pair of secret and public keys In 2004, security introduced: 2-party and group settings encrypted communication between the chip and the reader access control: BAC (Basic Access Control) Symmetric technique The shared secret is on the MRZ Users share a random secret key (Machine Readable Zone) 2-party or server-based settings It has low entropy: at most 72 bits, Password-based technique but actually approx. 40 Users share a random low-entropy secret: password = ⇒ low-entropy shared secret: 2-party and group settings a password pw ´ ´ Ecole Normale Sup´ erieure David Pointcheval 5/40 Ecole Normale Sup´ erieure David Pointcheval 6/40 PAKE Game-based Security Universal Composability LAKE PAKE Game-based Security Universal Composability LAKE A Case Study Attacks BAC: Basic Access Control Off-line Dictionary Attacks The symmetric encryption and MAC keys are derived from pw As in the previous scenario, after having Passport Reader eavesdropped some (possibly many) transcripts r P $ $ ← { 0 , 1 } 64 ← { 0 , 1 } 64 − − − − − − − − − − − − − → r R , k R interacted (quite a few times) with players r P , k P C R ← Enc pw ( r R , r P , k R ) the adversary accumulates enough information C R , M R C P ← Enc pw ( r P , r R , k P ) ← − − − − − − − − − − − − − M R ← Mac pw ( C R ) to take the real password apart from the dictionary C P , M P efficient password-recovery after off-line exhaustive search M P ← Mac pw ( C P ) − − − − − − − − − − − − − → K ← k P ⊕ k R For the BAC: quite a few passive eavesdroppings are enough From a pair ( C R , M R ) , one can make an exhaustive search to recover the password! on the password pw to check the validity of the Mac M R How many active interactions could one enforce? After a few eavesdroppings only : password recovery What can we expect from a low-entropy secret? ´ ´ Ecole Normale Sup´ erieure David Pointcheval 7/40 Ecole Normale Sup´ erieure David Pointcheval 8/40

  3. PAKE Game-based Security Universal Composability LAKE PAKE Game-based Security Universal Composability LAKE Attacks Examples On-line Dictionary Attacks The Most Famous Examples On-line Dictionary Attacks In a finite group G , of prime order p , with key derivation function K The adversary interacts with a player, trying a password EKE: Encrypted Key Exchange [Bellovin–Merritt, 1992] In case of success: it has guessed the password $ $ ← Z p , X ← g x ← Z p , Y ← g y x y DH Key Exchange In case of failure: it tries again with another password X X ′ X ′ ← E pw ( X ) X ← D pw ( X ′ ) − − − − − − − − − − − − → with flows Y Y ′ If the dictionary has a size N , the adversary wins after N / 2 attempts Y ′ ← E pw ( Y ) Y ← D pw ( Y ′ ) ← − − − − − − − − − − − − encrypted under pw k ← Y x = g xy k ← X y = g xy K ← K ( A , B , X , Y , k ) K ← K ( A , B , X ′ , Y ′ , k ) In Practice This attack is unavoidable SPEKE: Simple Password Exponential Key Exchange [Jablon, 1996] If the failures for a target user can be detected: the impact can be limited by various techniques g ← G ( A , B , pw ) DH Key Exchange X $ $ ← Z p , X ← g x ← Z p , Y ← g y (limited number of failures, delays between attempts, . . . ) x − − − − − − − − − − − − → y with a basis Y k ← Y x = g xy k ← X y = g xy derived from pw ← − − − − − − − − − − − − If the failures cannot be detected (anonymity, no check, . . . ) the impact can be dramatic K ← K ( A , B , X , Y , k ) K ← K ( A , B , g , X , Y , k ) ´ ´ Ecole Normale Sup´ erieure David Pointcheval 9/40 Ecole Normale Sup´ erieure David Pointcheval 10/40 PAKE Game-based Security Universal Composability LAKE PAKE Game-based Security Universal Composability LAKE Examples Examples PACE: Password Authenticated Security Models Connection Establishment Game-based Security [Bellare–P.–Rogaway, 2000] Find-then-Guess The recent alternative to BAC is PACE: Real-or-Random [Abdalla–Fouque–P., 2005] Password Authenticated Connection Establishment Simulation-based Security [Boyko–MacKenzie–Patel, 2000] In the spirit of SPEKE: a generator derived from the password Universal Composability [Canetti–Halevi–Katz–Lindell–MacKenzie, 2005] With security analyses: Where PACE v1 [Bender–Fischlin–Kuegler, 2009] The adversary controls all the communications: PACE v2 It can create, modify, transfer, alter, delete messages [Coron–Gouget–Icart–Paillier, 2011] Users can participate in concurrent executions of the protocol Instances of the players are denoted A i and B j What does security really mean? On-line dictionary attack should be the best attack = ⇒ No adversary should win with probability greater than q S / N where q S = # Active Sessions and N = # Dictionary ´ ´ Ecole Normale Sup´ erieure David Pointcheval 11/40 Ecole Normale Sup´ erieure David Pointcheval 12/40

Recommend

IPAKE IPAKE Summary Summary Isomorphisms for Password-based Isomorphisms for Password-based

IPAKE IPAKE Summary Summary Isomorphisms for Password-based Isomorphisms for Password-based

IPAKE IPAKE Summary Summary Isomorphisms for Password-based Isomorphisms for Password-based Authenticated Key Exchange Authenticated Key Exchange Dario Catalano David Pointcheval Password-based CNRS-ENS France Authenticated Key

291 views • 5 slides
Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale sup erieure/PSL & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA David

319 views • 14 slides
A Scalable Password-based Group Key Exchange Protocol in the Standard Model David Pointcheval

A Scalable Password-based Group Key Exchange Protocol in the Standard Model David Pointcheval

A Scalable Password-based Group Key Exchange Protocol in the Standard Model David Pointcheval cole normale suprieure & CNRS Joint work with: Michel Abdalla Authenticated Key Exchange (AKE) Goal: Secure channel Allows two parties

283 views • 12 slides
Password Authenticated Key Agreement for Contactless Smart Cards Dennis Kgler 1 , Heike Neumann

Password Authenticated Key Agreement for Contactless Smart Cards Dennis Kgler 1 , Heike Neumann

Password Authenticated Key Agreement for Contactless Smart Cards Dennis Kgler 1 , Heike Neumann 2 , Sebastian Stappert 2 , Markus Ullmann 1 , Matthias Vgeler 2 1 Bundesamt fr Sicherheit in der Informationstechnik 2 NXP Semiconductors Outline

174 views • 16 slides
Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai

Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai

Learning with Errors Classic Key Exchange Lattice-based Key Exchange Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai Ding Michael Snook zgr Dagdelen DIMACS Workshop on the Mathematics of

339 views • 33 slides
Real-World Authenticated Key Exchange Tibor Jager Paderborn University Summer School on

Real-World Authenticated Key Exchange Tibor Jager Paderborn University Summer School on

Real-World Authenticated Key Exchange Tibor Jager Paderborn University Summer School on Real-World Crypto and Privacy ibenik, Croatia June 17 th , 2019 Outline Security of the Diffie-Hellman Key Exchange Man-in-the-Middle attacks

1.09k views • 85 slides
AKE via 2-key KEM Haiyang Xue, Xianhui Lu, Bao Li, Bei Liang Jingnan He Outline Authenticated

AKE via 2-key KEM Haiyang Xue, Xianhui Lu, Bao Li, Bei Liang Jingnan He Outline Authenticated

Understanding and Constructing AKE via 2-key KEM Haiyang Xue, Xianhui Lu, Bao Li, Bei Liang Jingnan He Outline Authenticated key exchange Motivations & our contributions AKE 2-key KEM AKE in a post quantum world

821 views • 36 slides
ALIKE: Authenticated Lightweight Key Exchange Sandrine Agagliate, GEMALTO Security Labs Outline:

ALIKE: Authenticated Lightweight Key Exchange Sandrine Agagliate, GEMALTO Security Labs Outline:

ALIKE: Authenticated Lightweight Key Exchange Sandrine Agagliate, GEMALTO Security Labs Outline: Context Description of ALIKE Generic description Full specification Security properties Chip Unforgeability and Channel Secrecy Underlying

400 views • 21 slides
Cryptanalysis of RLWE-Based One-Pass Authenticated Key Exchange Boru Gong, Yunlei Zhao Fudan

Cryptanalysis of RLWE-Based One-Pass Authenticated Key Exchange Boru Gong, Yunlei Zhao Fudan

Cryptanalysis of RLWE-Based One-Pass Authenticated Key Exchange Boru Gong, Yunlei Zhao Fudan University, China June 28, 2017 Boru Gong, Yunlei Zhao (Fudan) Cryptanalysis of RLWE-Based One-Pass AKE June 28, 2017 1 / 39 Outline 1 Introduction

601 views • 39 slides
CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva Authenticated key exchange 1

CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva Authenticated key exchange 1

Diffie-Hellman key exchange Secure against passive eavesdropping but insecure against a man-in-the-middle attack CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva Authenticated key exchange 1 2 Adding key

492 views • 5 slides
Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk,

Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk,

Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk, Sebastian Lauer Ruhr-University Bochum Classical Key Exchange Setting m1 Bob Alice m2 skA skB pkB pkA mq-1 mq derive K derive K 2

185 views • 18 slides
Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben Hamouda Olivier Blazy Cline Chevalier David Pointcheval Damien Vergnaud Horst Grtz Institute for IT Security / Ruhr-University Bochum ENS /

914 views • 45 slides
Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

ELmD Authenticated Encryption Scheme EME based Authenticated Encryption Schemes Comparative Study of ELmD with other EME based AEs Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul Nandi Indian

364 views • 20 slides
Is it too late for PAKE? John Engler (UC Berkeley) Chris Karlof Elaine Shi Dawn Song (Usable

Is it too late for PAKE? John Engler (UC Berkeley) Chris Karlof Elaine Shi Dawn Song (Usable

Is it too late for PAKE? John Engler (UC Berkeley) Chris Karlof Elaine Shi Dawn Song (Usable Security (PARC) (UC Berkeley) Systems) What is PAKE? Password Authenticated Key Exchange 1 Enter Password 2 Crypto

206 views • 9 slides
Password-Based Cryptography: Strong Security from Weak Secrets Anja Lehmann IBM Research

Password-Based Cryptography: Strong Security from Weak Secrets Anja Lehmann IBM Research

Password-Based Cryptography: Strong Security from Weak Secrets Anja Lehmann IBM Research Zurich based on joint work with Jan Camenisch, Anna Lysyanskaya & Gregory Neven ROADMAP Password-Based Authentication How to make password

1.43k views • 43 slides
Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier Chevassut Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Key Agreement and

299 views • 19 slides
FPAKE: Fuzzy Password- Authen6cated Key Exchange Sophia

FPAKE: Fuzzy Password- Authen6cated Key Exchange Sophia

FPAKE: Fuzzy Password- Authen6cated Key Exchange Sophia Yakoubov joint work with Pierre-Alain Dupont, Julia Hesse, David Pointcheval, Leonid Reyzin 1

843 views • 43 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen

Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen

Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen 1 Tibor Jager 2 NTNU - Norwegian University of Science and Technology, Trondheim, Norway, kristian.gjosteen@ntnu.no Paderborn University, Paderborn,

360 views • 34 slides
Strongly Secure One-Round Group Authenticated Key Exchange in the Standard Model Yong Li, Zheng

Strongly Secure One-Round Group Authenticated Key Exchange in the Standard Model Yong Li, Zheng

Strongly Secure One-Round GAKE Strongly Secure One-Round Group Authenticated Key Exchange in the Standard Model Yong Li, Zheng Yang Ruhr-University Bochum CANS 2013 1 / 40 Introduction, Motivation and Contributions GAKE Security Model

515 views • 50 slides
Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC Workshop @ CRYPTO, Santa Barbara, 17 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate

1.04k views • 69 slides
1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

Authentication Protocols Guevara Noubir College of Computer and Information Science Northeastern University noubir@ccs.neu.edu Outline Overview of Authentication Systems [Chapter 9] Authentication of People [Chapter 10]

396 views • 17 slides
AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

1. Why we created AEZ AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated Encryption 5. Components FF0 and EME4 by Enciphering 6. AEZ Extensions Viet Tung Hoang Ted Krovetz

721 views • 31 slides

More recommend