Preventing Attackers From Using Verifiers: A-PAKE With PK-Id

Similar documents
Password. authentication through passwords

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

for Compound Authentication

Strong Password Protocols

Real-time protocol. Chapter 16: Real-Time Communication Security

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Authentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi

MTAT Applied Cryptography

Auth. Key Exchange. Dan Boneh

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

CS 494/594 Computer and Network Security

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Proceedings of the 10 th USENIX Security Symposium

1.264 Lecture 28. Cryptography: Asymmetric keys

Data Security and Privacy. Topic 14: Authentication and Key Establishment

CSC/ECE 774 Advanced Network Security

Password Authenticated Key Exchange by Juggling

Alice in Cyber world

Cryptographic Protocols 1

Key Agreement Schemes

Lecture 15 Public Key Distribution (certification)

Wireless LAN Security. Gabriel Clothier

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Public-Key Infrastructure NETS E2008

Lecture 6.2: Protocols - Authentication and Key Exchange II. CS 436/636/736 Spring Nitesh Saxena. Course Admin

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

Crypto meets Web Security: Certificates and SSL/TLS

CIS 6930/4930 Computer and Network Security. Topic 8.2 Internet Key Management

Encryption. INST 346, Section 0201 April 3, 2018

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

Transport Layer Security

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Securing Internet Communication: TLS

Information Security CS 526

Applied Cryptography and Computer Security CSE 664 Spring 2017

E-commerce security: SSL/TLS, SET and others. 4.1

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Public Key Algorithms

CSC/ECE 574 Computer and Network Security. Outline. Key Management. Key Management. Internet Key Management. Why do we need Internet key management

Key Encryption as per T10/06-103

Outline. Key Management. Security Principles. Security Principles (Cont d) Escrow Foilage Protection

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Outline. CSC/ECE 574 Computer and Network Security. Key Management. Security Principles. Security Principles (Cont d) Internet Key Management

Outline. Key Management. CSCI 454/554 Computer and Network Security. Key Management

Protecting TLS from Legacy Crypto

CSCI 454/554 Computer and Network Security. Topic 8.2 Internet Key Management

Public Key Algorithms

Using SRP for TLS Authentication

Authentication in Distributed Systems

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Proving who you are. Passwords and TLS

EE 418 Network Security and Cryptography Lecture #18

CIS 4360 Secure Computer Systems Applied Cryptography

Total points: 71. Total time: 75 minutes. 9 problems over 7 pages. No book, notes, or calculator

CPSC 467b: Cryptography and Computer Security

Network Security Chapter 8

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Chapter 4: Securing TCP connections

Key Management and Distribution

Security Handshake Pitfalls

Internet security and privacy

Summary on Crypto Primitives and Protocols

Configuring SSH with x509 authentication on IOS devices

Authenticating People and Machines over Insecure Networks

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Network Security (NetSec)

Spring 2010: CS419 Computer Security

CS 161 Computer Security

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

KEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington

Configuring OpenVPN on pfsense

FIPS Compliance of Industry Protocols in Edward Morris September 25, 2013

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Session key establishment protocols

Security Handshake Pitfalls

Digital Certificates Demystified

Session key establishment protocols

Integrated Key Exchange Protocol Capable of Revealing Spoofing and Resisting Dictionary Attacks

CSE484 Final Study Guide

Authentication Protocols. Outline. Who Is Authenticated?

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

ECE 646 Lecture 3. Key management

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Virtual Private Networks

Authentication Handshakes

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Configuration of an IPSec VPN Server on RV130 and RV130W

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Security Association Creation

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

(2½ hours) Total Marks: 75

HIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson

CSC 774 Network Security

Transcription:

Preventing Attackers From Using Verifiers: A-PAKE With PK-Id Sean Parkinson (sean.parkinson@rsa.com) RSA, The Security Division of EMC Session ID: ARCH R02 Session Classification: Advanced

Outline Introduction A-PAKE with PK-Id Alternatives and Trade-offs Conclusions

Introduction

Problem Domain

Authentication Server to User User to Server

Attacker: Man-in-the-Middle Steal password database Create a fake server certificate Create a fake client certificate

Server Authentication Authenticating a computer Certificate and Private Key

User Authentication Authenticating a person User Certificate and Private Key

User Authentication

Passwords in the Database Mechanism Form Security Clear password None Hash H(P) Depends on length of password Hash with Salt H(S, P) Depends on length of password Different sites, different value N*Hash with Salt H( H(S, P).)^ Longer to break Exponentiation g H(S,P) Brute force not practical ^ Password Based Key Derivation Function (PBKDF)

PAKE Password Authenticated Key Exchange Strong security from weak passwords Hash(Password)

A-PAKE Augmented Password Authenticated Key Exchange g H(S,I,P) Verifier

Vulnerability Change Password

A-PAKE with PK-Id: Aim New protocol that is standardized Easy identity management for User Secure storage of password on Server Without password Attacker cannot impersonate User or Server

A-PAKE with PK-Id

A-PAKE with PK-Id Verifier = g Hash(PK,S,I,P)

1 2 3 4 A-PAKE with PK-Id: General Identity Calculate Hash Shared Key Server Verified Anon Key Exchange Verification Messages Lookup Parameters User Parameters Shared Key Client Verified

1 A-PAKE with PK-Id: SRP-PK Identity Lookup Parameters Identity: Alice Anderson Salt = 0x123456 Verifier = 0xa73b24

2 A-PAKE with PK-Id: SRP-PK Calculate Hash s = Salt I = Identity P = password x = Hash(PK, Hash(s, Hash(I, :,P)) s, User Parameters Salt = 0x123456 PK = 0xf389da

A-PAKE with PK-Id: SRP-PK 3 Shared Key Anon Key Exchange Shared Key A = g a Verify(PK, sig, s, g, N, B) B = kv + g b sig = Sign(PrivK, s, g, N, B) v= Verifier a,b = random k = Hash(N,g)

A-PAKE Scheme: SRP-PK 3 Shared Key Anon Key Exchange Shared Key u= Hash(A,B) u= Hash(A,B) S = (B kg x ) a+ux S = (Av u ) b K = Hash(S) K = Hash(S) k = Hash(N,g)

A-PAKE with PK-Id: SRP-PK 4 Server Verified Verification Messages Client Verified M 1 = Hash(Hash(N) Hash(g),Hash(I),s,A,B,K) M 1 (verify M 2 ) (verify M 1 ) M 2 = Hash(A,M 1,K)

A-PAKE with PK-Id: Security Server signs with the private key Provides proof of ownership Salt is unique to each user and B is random Different signature generated in each handshake If Man-in-the-Middle replays previously signed B Private random, b, unknown b is required to complete the handshake If Man-in-the-Middle uses a fake certificate Public key used in verifier Different keys results in different verifiers

A-PAKE with PK-Id: Optional If A sent in clear No security issue Client encrypts A A is random Different message generated in each handshake Advantage Server knows Client is using the public key Client used the public key in verifier

TLS with SRP RFC 5054: Informational only Experimental Implementations Server certificate optional

TLS with SRP-PK 1 Client Hello Identity (TLS Ext): Alice Anderson

TLS with SRP-PK 2 From Server s Certificate x = Hash(s, Hash(PK, s, Hash(I, :,P)) Server Certificate Server Key Exchange Server s Cert Chain s=0x12,n=0xf9 g=0x02,b=0x91 Signed

TLS with SRP-PK 3 Client Key Exchange A = 0x8617E3

A-PAKE-PK with Stored PK Public Key Verifier No certificate No chain verification [Encrypt A]

Alternatives and Trade-offs

Alternative: Client Certificate Difficult to create/use/deploy Many non-technical users Only useable on a device with private key Separately issued device Difficult to verify Chain verification on server Hash lookup in LDAP CRLs and OCSP Hackers can create fake certificates

Architecture: User Auth in TLS Separation of Layers Which service or website needs authentication? Single authentication domain per server TLS Server requires access to Password store Certificate verification infrastructure

Trade-offs: Protocol Timing Protocol Client Server Round trips SRP 3DH 3DH 3 SRP PK 3DH+1RSA+Cert Chain 3DH+1RSA 3 TLS SRP 3DH(+1RSA+Cert 3DH(+1RSA) 2 Chain) TLS SRP PK 3DH+1RSA+Cert Chain 3DH+1RSA 2 Secure against Server Impersonation

Trade-offs: Protocol Timing Protocol Client Server Round trips SRP 3DH 3DH 3 SRP PK 3DH+1RSA+Cert Chain 3DH+1RSA 3 TLS SRP 3DH(+1RSA+Cert 3DH(+1RSA) 2 Chain) TLS SRP PK 3DH+1RSA+Cert Chain 3DH+1RSA 2 TLS Client Auth 2RSA+Cert Chain 2RSA+Cert Chain 2 (RSA) TLS Client Auth (DHE RSA) 2DH+2RSA+Cert Chain 2DH+2RSA+Cert Chain 2 3 Diffie-Hellman + 1 RSA Sign 1 RSA Vfy & Dec + Cert Chain 2 DH + 1 RSA Sign & Vfy + Cert Chain

Trade-offs: Protocol Timing 3xDH for 1xRSA Public + Chain Vfy Protocol Client Server Round trips SRP 3DH 3DH 3 SRP PK 3DH+1RSA+Cert Chain 3DH+1RSA 3 TLS SRP 3DH(+1RSA+Cert 3DH(+1RSA) 2 Chain) TLS SRP PK 3DH+1RSA+Cert Chain 3DH+1RSA 2 TLS Client Auth 2RSA+Cert Chain 2RSA+Cert Chain 2 (RSA) TLS Client Auth (DHE RSA) 2DH+2RSA+Cert Chain 2DH+2RSA+Cert Chain 2 1xDH for 1xRSA Public + Chain Vfy

Trade-offs: Password/Certificate Issue Password Client Certificate Cert on Token Sensitive Data Safety Attacks Social engineering Computer compromise Certificate Expiration Reused Unique Physically secure Reset password (overlap period) User gets new certificate issued Steal token (and passcode) Update token or get new token

Conclusions

User Authentication Options Mechanism Attack Speed Management Hashed Password Pre generated values Fastest Simplest Salted Hashed Password Salted Multi Hashed Password Brute force Faster Simpler Brute force (Slower) Fast Simpler Verifier Server impersonation Slow Simple Verifier PK Id Secure Slower Simple Client Certificate Secure (Fake certs) Slowest Difficult

TLS Protocol Comparison Protocol Client Server Security TLS A PAKE PK 3DH+1RSA +Cert Chain 3DH+1RSA Protocol secure from Attacker. User must protect password. TLS Client Auth (RSA) 2RSA +Cert Chain 2RSA +Cert Chain Only as secure as the Certificate. Lifetime of certificate. TLS Client Auth (DHE RSA) 2DH+1RSA +Cert Chain 2DH+1RSA +Cert Chain Only as secure as the Certificate.

A-PAKE-PK Verifier = g H(PK,S,I,P)

Standards TLS IPsec SSH

Thank you! Sean Parkinson RSA, The Security Division of EMC sean.parkinson@rsa.com https://blogs.rsa.com

TLS with AugPAKE IETF Draft - draft-shin-tls-augpake-01 Augmented Password-Authenticated Key Exchange for Transport Layer Security (TLS) Expires: March 08, 2014 No Server Certificate message Verifier W = g w mod p where w is password or W = g w mod p where w = H (0x00 U S w)

TLS with AugPAKE-PK Add Server Certificate message Verifier W = g w mod p where w = H (0x00 U S PK w) Alternatively replace server identity with public key Server Key Exchange Message Y is signed

A-EKE-PK Server sends public key with identity and cryptographic algorithm proposal Client hashes password + public key and calculates verifier Client calculates C based on verifier Server sends E B and signature of E B Client verifies E B Client sends encrypted E A and EP A Server decrypts E A and EP A with private key

B-SPEKE-PK Server sends public key and signature of (g, p, Q B, U) Client verifies signature Client hashes password + salt and public key Client sends encrypted Q A Server decrypts Q A with private key

SSH with SRP IETF Draft draft-nisse-secsh-srp-01 Expired in September 2001 Adds SRP to Transport Layer Protocol Defines new Key Exchange messages Verifier v = g x where x = Hash(s, Hash(I : P))

SSH and SRP-PK Server sends RSA Public key Verifier v = g x where x = Hash(Pub, s, Hash(I : P))

IPsec with A-PAKE Internet Key Exchange Protocol Version 2 (IKEv2) RFC 5996 Key exchange protocol performs mutual authentication Server sends certificate that client uses to verify authentication fields Extensible Authentication Protocol (EAP) Framework for implementing authentication mechanisms A-EKE (RFC 6124) and SRP (expired draft)

IPsec EAP-EKE-PK Server must supply a certificate during authentication Server has proven ownership of private key Verifier P = prf(0+, password salt pub)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback