Hideki Imai (Chuo University), SeongHan Shin (AIST), and Kazukuni Kobara (AIST)
Background
Authenticated Key Exchange (AKE)
Password-Authenticated Key Exchange (PAKE)
Leakage-Resilient AKE (LR-AKE)
RSA-Based LR-AKE Secure against Replacement Attacks
Progressive Developments of LR-AKE
Concluding Remark
2011/11/18 SPANISH CRYPTOGRAPHY DAYS (SCD2011)
Let us think of an open network (e.g., Internet) where an attacker can eavesdrop on the communications (called a passive attack), or modify/replay messages, impersonate parties or perform man-in-the-middle attacks (called active attacks)
Main goal is to provide privacy and integrity of data. It plays a key role in information/network security
It can be classified into
Public-Key Cryptography: Public-Key Encryption (RSA, ElGamal, Rabin, …), Digital Signature (RSA-FDH, DSS, …), Public-Key Infrastructure (PKI)
Symmetric-Key Cryptography: Symmetric-Key Encryption, Message Authentication Code (MAC), Hash Function
Cryptographic Protocols, …
Public-key encryption
Definition. A public-key encryption scheme is a tuple of probabilistic polynomial-time algorithms (G_PKE, E, D) such that:
The key generation algorithm G_PKE takes as input the security parameter 1^k and outputs a pair of keys (PubK, PriK), where the former is the public key and the latter is the private key
The encryption algorithm E takes as input a public key PubK and a message M from some plaintext space. It outputs a ciphertext C = E_PubK(M)
The decryption algorithm D takes as input a private key PriK and a ciphertext C, and outputs a message M = D_PriK(C) or a special symbol ⊥ indicating failure
It is required that D_PriK(E_PubK(M)) = M except with negligible probability over (PubK, PriK) output by G_PKE(1^k) and any randomness used by E
Diffie-Hellman key exchange
Let G be a cyclic group of order q. Let g be a generator of G such that G = {g^0, g^1, …, g^(q-1)}. Public parameter (G, q, g)
RSA
Let Z_N^* be a group of order ϕ(N) = (p-1)(q-1) where N is the product of two same-length primes p and q. Let e > 0 be an integer with gcd(e, ϕ(N)) = 1 and d be an integer satisfying ed = 1 mod ϕ(N)
RSA public-key encryption
Public key PubK = (N, e) and private key PriK = (N, d)
Encryption: For a message M ∈ Z_N^*, anyone who knows PubK can compute the ciphertext C = M^e mod N
Decryption: For a ciphertext C ∈ Z_N^*, only one who knows PriK can compute the message M = C^d = M^(ed mod ϕ(N)) = M mod N
Symmetric-key encryption
Definition. A symmetric-key encryption scheme is a tuple of probabilistic polynomial-time algorithms (G_SKE, SKE, SKD) such that:
The key generation algorithm G_SKE takes as input the security parameter 1^k and outputs a symmetric key symK
The encryption algorithm SKE takes as input a symmetric key symK and a message M ∈ {0,1}*, and outputs a ciphertext C = SKE_symK(M)
The decryption algorithm SKD takes as input a symmetric key symK and a ciphertext C, and outputs a message M = SKD_symK(C)
It is required that SKD_symK(SKE_symK(M)) = M for every symmetric key symK output by G_SKE(1^k) and every M ∈ {0,1}*
Collision-resistant (one-way) hash function
Definition. A collision-resistant (one-way) hash function is a pair of probabilistic polynomial-time algorithms (G_H, H) such that:
The key generation algorithm G_H takes as input the security parameter 1^k and outputs a key I (for index)
The hash algorithm H takes as input a key I and a message M ∈ {0,1}*, and outputs a hash H_I(M)
A hash function (G_H, H) is collision-resistant if the probability of finding M and M' satisfying H_I(M) = H_I(M') is negligible over I output by G_H(1^k)
Let us think of two parties (Alice and Bob) who want to exchange messages securely
Using public-key encryption for short messages
Using hybrid encryption for arbitrary-length messages
Hybrid encryption is a combination of public-key and symmetric-key encryption
Alice sends (E_PubK_B(symK), SKE_symK(M)) to Bob where PubK_B is Bob's public key
Suitable for secure e-mail (non-interactive)
However, the receiver has to decrypt the ciphertexts encrypted with his/her public key every time.
Public-key operations (encryption and decryption) are slower than symmetric-key operations
Not suitable for interactive situations where the communicating parties exchange several messages during some period of time
One of the indispensable cryptographic primitives
Authentication (assurance of the identity of the communicating party) + key exchange
It allows a pair (or a group) of parties not only to authenticate each other over an insecure network, but also to share session keys securely
The authenticated session keys are used to establish secure channels
Widely used in practice
Internet shopping/banking, web mail, remote network access, ftp, and so on
[Figure: Secure Channel]
Diffie-Hellman key exchange does not provide authentication at all!
It is insecure against active attacks (e.g., man-in-the-middle attack)
Authenticated key exchange requires (already established) keys/secrets
"It is not possible to establish an authenticated session key without existing secure channels already being available", C. Boyd (1993)
Parties already share a key/secret
Off-line server is used (e.g., public key certificates)
On-line server is used where each party shares a key/secret with a trusted server
AKE can be classified into
PKI-Based
ISO/IEC IS 9798-3: Both parties run Diffie-Hellman key exchange through an authenticated channel (by using digital signatures)
MTI and (H)MQV: "Implicitly-authenticated" protocols where session keys are derived from DH public values and public/private keys
SSL/TLS
…
Complex management of public keys
Validity of public keys should be checked via CRL (Certificate Revocation List), OCSP (Online Certificate Status Protocol) or SCVP (Simple Certificate Validation Protocol)
CRL: List (maintained by the certificate authority) of revoked certificates
OCSP/SCVP: Internet protocols for checking the revocation status of X.509 certificates
Skipping this process opens the door to an attacker (e.g., phishing attack)
Shared-key Based
ISO/IEC 11770-2: Using symmetric-key encryption, one party sends encrypted session keys to the other party who shares the same key
…
Distribution of shared keys
On-line Server Based
Kerberos and 3PKD: Both parties share session keys with the help of an on-line server who shares a key with each party
…
Distribution of shared keys
Our Main Talks
Password-Authenticated Key Exchange (PAKE)
Password-only authentication + key exchange: Both parties share authenticated session keys only by relying on a weak secret (e.g., alphanumerical passwords with 6 characters)
Very usable to users
Leakage-Resilient AKE (LR-AKE)
Two-factor authentication + key exchange: Both parties share authenticated session keys where
A client remembers only one password and stores secrets on his/her device, while a server stores verification data on its database
It guarantees a higher level of security against active attacks and leakage of stored secrets
Password is chosen from a small set (a dictionary)
It is convenient to users because they just remember their passwords (without carrying any devices)
E.g., 4-digit PIN code, alphanumerical passwords with 6 characters
Password authentication is widely deployed in practice
However, two exhaustive search attacks are possible
On-line dictionary attacks: An attacker should communicate with (at least) one party in order to verify a guessed password
Off-line dictionary attacks: An attacker can verify more than one password in sophisticated manners
CHAP [IETF RFC1994] where client C and server S share the same password pw
1. First, server S chooses a challenge C and sends it to client C.
2. After receiving C, client C computes a response R from the challenge and his/her password, and sends R to server S
3. Finally, server S authenticates client C by checking if the received R is the same as a hashed value of C and pw
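The three CHAP steps above, written out as an added example (not code from the slides or RFC 1994). It assumes SHA-256 as the hash H, whereas RFC 1994 specifies MD5; the final function shows the property the following slides build on: the server's verification step needs only the transcript (C, R) and a candidate password, so it can be run by anyone who recorded the exchange.

```python
import hashlib
import hmac
import os

# Assumption for this example: H is SHA-256 (RFC 1994 itself uses MD5).
def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def server_challenge() -> bytes:
    """Step 1: server S picks a fresh random challenge C."""
    return os.urandom(16)

def client_response(challenge: bytes, pw: bytes) -> bytes:
    """Step 2: client C answers with R = H(C || pw)."""
    return H(challenge + pw)

def server_verify(challenge: bytes, response: bytes, pw: bytes) -> bool:
    """Step 3: server S recomputes H(C || pw) from its own copy of pw and compares."""
    return hmac.compare_digest(response, H(challenge + pw))

def run_chap(pw_client: bytes, pw_server: bytes) -> bool:
    """One full exchange; True iff both sides hold the same password."""
    challenge = server_challenge()
    response = client_response(challenge, pw_client)
    return server_verify(challenge, response, pw_server)

def candidates_consistent_with(challenge: bytes, response: bytes, candidates) -> list:
    """The weakness the slides discuss next: the server-side check depends only on
    (C, R, pw'), so a recorded transcript is a password-test oracle that needs no
    further interaction with S. A sound protocol must make this test impossible."""
    return [pw for pw in candidates if server_verify(challenge, response, pw)]
```

The `candidates` list in the test is a constructed three-entry dictionary; the point is that exactly one entry is confirmed by the transcript alone.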
On-line dictionary attacks
Attacker A impersonates client C and tests a guessed password pw' while communicating with server S
Off-line dictionary attacks
Let us think of attacker A who can just eavesdrop on the communications between client C and server S
From the obtained challenge C and response R, the attacker finds out the password pw by testing R ?= H(C||pw') for all possible password candidates pw'
We can say that CHAP is insecure against off-line dictionary attacks
In fact, the attacker verified all possible password candidates without interaction with honest parties
On the other hand, on-line dictionary attacks are inevitable in any password-based authentication
But, they are controllable (see next slide)
What kind of security can be achieved in password-based authentication?
Security against off-line dictionary attacks
Dictionary tests rule out common words and commonly-used passwords
Composition rules include lower/upper case letters and non-alphabetic symbols (e.g., :;!"#$%&'=~)
With one minute lock-out for 3 failed password trials, it would take about 90 years to carry out 2^25.5 trials
That's the reason why we use passwords of length 6-8
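The two controls on this slide, dictionary tests and composition rules, together with the lock-out arithmetic, as an added example (not the authors' code). The dictionary is a constructed five-entry list, the symbol set is the one printed on the slide, and the time estimate assumes an effective rate of one guess per minute, which is the rate that reproduces the slide's figure of about 90 years for 2^25.5 trials.

```python
# Constructed mini-dictionary; a real deployment would load a large word list.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "123456", "welcome"}
# Non-alphabetic symbols listed on the slide.
SYMBOLS = set(':;!"#$%&\'=~')

def passes_dictionary_test(pw: str) -> bool:
    """Dictionary test: reject common words and commonly-used passwords."""
    return pw.lower() not in COMMON_PASSWORDS

def passes_composition_rules(pw: str) -> bool:
    """Composition rules: 6-8 characters, both lower and upper case letters,
    and at least one non-alphabetic symbol."""
    if not 6 <= len(pw) <= 8:
        return False
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_symbol = any(c in SYMBOLS for c in pw)
    return has_lower and has_upper and has_symbol

def acceptable(pw: str) -> bool:
    return passes_dictionary_test(pw) and passes_composition_rules(pw)

def years_to_exhaust(log2_trials: float, trials_per_minute: float = 1.0) -> float:
    """Wall-clock time an on-line attacker needs for 2**log2_trials guesses when
    the server throttles failed logins to the given rate. Assumption: the
    slide's 90-year figure corresponds to one trial per minute (the default)."""
    minutes = (2.0 ** log2_trials) / trials_per_minute
    return minutes / (60 * 24 * 365)
```

The throttle is what makes the on-line attack "controllable": the same 2^25.5 candidate space that an off-line attacker exhausts in seconds takes decades when every guess costs a round trip to a rate-limited server.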
Password-only authentication + key exchange
It does not rely on PKI
Clients do not need to carry any devices
Very convenient
However, it is not trivial at all to design a secure PAKE protocol since
We have to bootstrap a weak secret (i.e., password) to a strong one (i.e., cryptographically-secure session key)
There is no clear guideline to avoid off-line dictionary attacks
…
See bad examples
Diffie-Hellman key exchange, encrypted with password in SKE
1. Client C computes a public value g^x and sends SKE_pw(g^x) to server S where pw is used as a symmetric key
2. After decrypting SKE_pw(g^x) with pw, server S computes a public value g^y and sends SKE_pw(g^x, g^y) to client C
3. After decrypting SKE_pw(g^x, g^y) with pw, client C authenticates server S by checking the decrypted first element g^x. Client C returns SKE_pw(g^y) back to server S
4. Server S authenticates client C by checking the decrypted element g^y. Then, they generate a session key SK = H(g^xy)
Off-line dictionary attacks
Let us think of attacker A who just eavesdrops on the communications between client C and server S
Let C1 = SKE_pw(g^x), C2 = SKE_pw(g^x, g^y), C3 = SKE_pw(g^y). From the obtained C1, C2 and C3, the attacker finds out the password pw by checking that the first (resp., second) element of SKD_pw'(C2) is the same as SKD_pw'(C1) (resp., SKD_pw'(C3)) for all possible password candidates pw'
What we have learned
Redundancy in symmetric-key encryption is used for off-line dictionary attacks
RSA public-key encryption, masked with password
1. Server S generates a one-time RSA public/private key pair (PubK, PriK) and sends PubK to client C
2. After receiving PubK, client C computes a masked RSA encryption Z = t^e · FDH(pw) and sends it to server S where FDH is a full-domain hash
3. After de-masking and decrypting Z with pw and PriK, server S sends H1(t) to client C
4. Client C authenticates server S by checking the received H1(t), and then returns H2(t) back to server S
5. Server S authenticates client C by checking the received H2(t). Then, they generate a session key SK = H3(t)
Special kind of off-line dictionary attacks (called e-residue attacks)
Let us think of attacker A who impersonates server S and generates an RSA public key PubK = (N, e) such that gcd(e, ϕ(N)) ≠ 1
Off-line dictionary attacks
From the received Z, the attacker checks whether Z/FDH(pw') is an e-residue or not by the Jacobi symbol for all possible password candidates pw'
Only a proper subset of password candidates remain valid
What we have learned
Client C has to check the validity of the RSA public key PubK generated by server S
RSA public-key encryption with such a PubK maps to only a strict fraction of the range
A combination of symmetric and public-key cryptographic techniques can provide insufficient information for an attacker [BM92]
Remove redundancy in symmetric-key encryption
Use challenge/response methods in order to check the validity of the RSA public key, or restrict RSA key generation (e.g., e > N)
Secure PAKE can be constructed from other cryptographic primitives
CCA-secure public-key encryption
Oblivious transfer
…
In the PAKE setting,
Client C remembers his/her password, and server S holds the password or its verification data that is used to verify the client's knowledge of the password
Some PAKE protocols have been standardized in IEEE P1363.2 [IEEE], ISO/IEC JTC1/SC27 11770-4 [ISO/IEC], IETF RFC2945 [IETF RFC2945] and ITU-T [ITU-T]
Inherent limitations of PAKE
On-line dictionary attacks are always possible
Server compromise always leads to password compromise
Of course, server compromise allows attacker A to impersonate server S to client C
The previous AKE protocols are secure against active attacks
PKI-Based AKE
Shared-key Based AKE
On-line Server Based AKE
PAKE
...
Based on the assumption that the stored secrets (e.g., cryptographic keys or password verification data) are secure
What happens if the stored secrets are leaked out?
Most of the previous AKE protocols become insecure [SKI03]
Leakage of stored secrets/data (including personal information) is a common and practical threat in the real world
Laptop/mobile device (e.g., smart phones, USB) theft or loss: According to [CSI10], 33.5% of respondents experienced this type of attack
Phishing attack: According to [CSI10], 38.9% of respondents experienced this type of attack
Insider abuse of Net access or e-mail: According to [CSI10], 24.8% of respondents experienced this type of attack
Unauthorized access or virus (e.g., keylogging malware)
Server administrator's misconduct or misconfiguration
No perfect TRM (Tamper Resistant Module)
Side channel attacks (partial leakage of cryptographic keys): E.g., power analysis on Mifare DESFire [OP11]
"Sony Admitted PSN's 70 Million Users Information Leakage" [TRACEHOTNEWS]
Sony PSN platform has been hacked and led to users' information (including PSN account passwords) leakage. Ranked fifth in the history of user information leaks
"Citigroup Cites $2.7M in Customer Losses From Hack" [FOXBUSINESS]
According to Citigroup Inc., 3,400 of the customers whose credit-card information was hacked have suffered about $2.7 million in losses
[Figure: Japan's annual transition of number of incidents and number of victims (in million) due to insider abuse, by year [JNSA11]]
"DoD Admits to Being Severely Hacked" [IEEESpectruma]
The June 2007 network hack into U.S. Department of Defense computers stole an amazing amount of information
The U.S. DoD gets some 70,000 intrusion attempts per day
"DigiNotar Certificate Authority Breach Crashes e-Government in the Netherlands" [IEEESpectrumb]
DigiNotar, the Dutch certificate authority (CA) company, had been breached, which resulted in the fraudulent issuance of 531 public key certificates for a number of domains (including *.google.com). The fraudulent google certificate had not been detected for over a week. The attacker(s) had acquired domain administrator rights and compromised CAs maintained by DigiNotar [Fox-IT11]
Let us think of client C who has access to many different kinds of servers (e.g., web mail, remote login, internet shopping mall, internet banking, SNS) with password authentication in daily life
In order to realize secure password authentication, the client should use a distinct password for each server
However, the client does not remember many passwords
A majority of users re-use passwords across multiple websites [PCWorld]
A third of users are using the same password for every website [Sophos]
Empirical study (2007): The average user has 6.5 (actively-used) passwords, and the average password is shared across 5.67 different sites [FH07]
If the client registers the same (or very similar) password to all servers and uses the previous password authentication (e.g., password-based client authentication in PKI-based AKE or PAKE), leakage of stored secrets (the password itself or password verification data) from one server leads to the total breakdown of security in the other servers. Also, one malicious server can easily impersonate client C to the remaining servers
To design a secure password authentication against active attacks as well as leakage of stored secrets
To design a secure password authentication where client C remembers only one password even in the multiple-server scenario
A suite of LR-AKE protocols [LR-AKE] are designed to provide the maximum level of security against active attacks as well as leakage of stored secrets from the client and/or server side
In the LR-AKE protocols, client C remembers only one password and stores secrets on his/her devices, while server S stores verification data on its database
Without relying on PKI and physical security (i.e., TRM)
Efficient constructions
Provable security
Comparison of AKE protocols (columns: security against eavesdropping; security against parallel on-line attacks; security of the password against leakage from the client, from the server, and from both with different time-slots; security against phishing attacks; number of passwords the client must remember)

AKE Protocols                                   | Eavesdropping | Parallel on-line attacks | Leakage: Client | Leakage: Server | Leakage: Both (different time-slots) | Phishing attacks | No. of PW
CHAP etc.                                       | Insecure      | Insecure                 | Secure          | Insecure        | Insecure                             | Secure           | Multiple
PAKE                                            | Secure        | Insecure                 | Secure          | Insecure        | Insecure                             | Secure           | Multiple
PKI (server PK auth. + client PW auth.)         | Secure        | Insecure                 | Secure          | Insecure        | Insecure                             | Insecure         | Multiple
PKI (server PK auth. + client PW & token auth.) | Secure        | Secure                   | Secure          | Insecure        | Insecure                             | Insecure         | Multiple
PKI (mutual PK auth.)                           | Secure        | Secure                   | Insecure        | Secure          | Insecure                             | Insecure         | Only one
LR-AKE                                          | Secure        | Secure                   | Secure          | Secure          | Secure                               | Secure           | Only one
Serial on-line dictionary attacks are not possible if there is no leakage of stored secrets from the client side
Attacker A who obtains the client's stored secrets can perform serial on-line dictionary attacks
Automatic revocation of leaked secrets
Though on-line dictionary attacks are possible with leaked secrets from the client side, these attacks cannot be continued if client C runs LR-AKE with server S successfully, since the already-leaked secrets are revoked automatically
Strong forward secrecy
Even if the underlying problems (e.g., DL/CDH/RSA) are broken with efficient algorithms in the future, the previous communications still remain hidden as long as there is no leakage of stored secrets from either side
[Figure: Situation 1 / Situation 2]
RSA-Based LR-AKE Secure against Replacement Attacks [SKI10a]
In [SKI07], we proposed an RSA-based LR-AKE (called RSA-AKE) protocol that is the most efficient among the previous RSA-based ones
In the RSA-AKE protocol, client C remembers only one password for distinct servers and stores another secret and the server's RSA public key, whereas the corresponding server S stores verification data and the RSA private key
A distinguished feature of RSA-AKE is that it provides security against leakage of stored secrets and high efficiency at the same time
In particular, client C needs to compute only one modular multiplication (if pre-computation is allowed)
More powerful threat in the real world
A hacker can break into a computer system to change some information stored in pre-determined locations
E.g., public keys of PGP are stored in the "Keyrings" folder
A practical attack to insert a self-signed CA public key into the list of a computer's root public keys [AM05]
What happens if attacker A can completely control stored secrets?
Due to e-residue attacks, RSA-AKE is no longer secure
Attacker A replaces the server's RSA modulus N with N' such that gcd(e, ϕ(N')) ≠ 1
We call it "replacement" attacks
We propose a strengthened RSA-based LR-AKE (RSA-AKE2) protocol that is secure against active attacks as well as replacement attacks
Based on number theory, we prove that replacement attacks are infeasible in the RSA-AKE2 protocol
Provably secure under the RSA problem in the random oracle model
For the formal proof, we introduce an extended security model that covers both active attacks and replacement attacks
In terms of efficiency, RSA-AKE2 is comparable to [SKI07]
Several extensions of RSA-AKE2
In order to thwart replacement attacks, we fix the RSA public key exponent e to be an 80-bit prime
Attacker A should guess a correct witness in RSA public-key encryption
In the RSA-AKE2 protocol, e is public to everyone
It is not a strong assumption since anyone can easily check that e is a prime (e.g., by using the Miller-Rabin primality testing algorithm) and that its length is at least 80 bits
Only one password for different servers
[Figure: InitClient / InitServer / Stored secrets]
Initialization through secure channels
InitClient: At first, client C chooses a secret value s_i1 randomly and generates verification data v_i1 = s_i1 ⊕ H0(C||S_i||pw) where pw is the client's password. Client C sends v_i1 to server S_i. Then, client C stores counter 1, the secret value s_i1 and the RSA modulus N (received from server S_i)
InitServer: Since e is an 80-bit prime, server S_i generates an RSA private key (d, N) as follows: N = pq and d = e^(-1) mod ϕ(N) such that gcd(e, ϕ(N)) = 1. Server S_i sends the RSA modulus N to client C. Then, server S_i stores counter 1, the RSA private key (d, N) and the verification data v_i1 (received from client C). Note that e can be shared among many servers, but N is not shared
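The initialization above together with the public check on e from the previous slide, as an added example that is not the authors' implementation. Assumptions made here: H0 is SHAKE-256 with domain separation, s_i1 is 256 bits, e is chosen as the smallest 80-bit prime (the protocol only requires some fixed 80-bit prime), and the server's demo modulus is built from the Mersenne primes 2^61-1 and 2^89-1 rather than two same-length primes of the RSA security parameter l. The Miller-Rabin bases used are a proven deterministic test for every number below 3.3·10^24, so the check on an 80-bit e is exact, not probabilistic.

```python
import hashlib
import os
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 prime bases: deterministic for n < 3.3e24 (> 2^80)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def valid_exponent(e: int) -> bool:
    """The check anyone can run on the public e: a prime of at least 80 bits."""
    return e.bit_length() >= 80 and is_prime(e)

def fixed_exponent() -> int:
    """Assumption: e is the smallest 80-bit prime; it is fixed once and shared by all servers."""
    e = (1 << 79) | 1
    while not is_prime(e):
        e += 2
    return e

E = fixed_exponent()
SECRET_BYTES = 32
# Demo-size server primes (assumption: Mersenne primes, not same-length as the protocol asks).
DEMO_P = (1 << 61) - 1
DEMO_Q = (1 << 89) - 1

def H0(client_id: bytes, server_id: bytes, pw: bytes) -> int:
    """H0(C||S_i||pw) as a SECRET_BYTES-byte integer (assumption: SHAKE-256)."""
    msg = b"H0|" + client_id + b"|" + server_id + b"|" + pw
    return int.from_bytes(hashlib.shake_256(msg).digest(SECRET_BYTES), "big")

def init_client(client_id: bytes, server_id: bytes, pw: bytes):
    """InitClient: pick s_i1 at random, send v_i1 = s_i1 xor H0(C||S_i||pw), keep (counter, s_i1)."""
    s = int.from_bytes(os.urandom(SECRET_BYTES), "big")
    v = s ^ H0(client_id, server_id, pw)
    client_store = {"counter": 1, "s": s, "N": None}   # N is filled in once the server sends it
    return client_store, v

def init_server(v: int, p: int, q: int) -> dict:
    """InitServer: derive (d, N) for the fixed e with gcd(e, phi(N)) = 1, keep v_i1, send N."""
    N, phi = p * q, (p - 1) * (q - 1)
    if gcd(E, phi) != 1:
        raise ValueError("e must be coprime to phi(N); choose other primes")
    d = pow(E, -1, phi)
    return {"counter": 1, "d": d, "N": N, "v": v}

def candidate_secret(v: int, client_id: bytes, server_id: bytes, pw_guess: bytes) -> int:
    """Why v_i1 alone says nothing about pw: for every guess there is a consistent
    s (the random s acts as a one-time pad on H0), so the server's stored value
    gives no way to test a password without the client's s_i1."""
    return v ^ H0(client_id, server_id, pw_guess)
```

Rejecting a composite or short e is the client's whole defence against a replaced modulus here; the following slides show why, once e is a prime that cannot be changed, an invalid N gives the attacker only a 1/e chance.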
j-th (j≥1) protocol execution through insecure channels
[Figure: Step 1 to Step 4 of the j-th execution]
Security against replacement attacks, where attacker A replaces the RSA modulus (stored on the client's device) with a new one N, generated deliberately satisfying gcd(e, ϕ(N)) ≠ 1. Let Pr[InvalidKey] be the success probability that attacker A can correctly find out the committed value x2 from y2 = x2^e mod N, computed with an invalid RSA modulus N
Theorem: Let N be an odd integer with N = p1^r_1 · p2^r_2 · … · pm^r_m as its prime-power factorization. Let e be an 80-bit prime. If there exists a prime power pj^r_j in the factorization of N such that e | ϕ(pj^r_j), then Pr[InvalidKey] is upper-bounded by 1/e (i.e., negligible in the parameter e)
Security against replacement attacks
Proof: Let n_j = pj^r_j be a prime power of the factorization of N such that e | ϕ(pj^r_j). Note that there is at least one such prime power because e is an 80-bit prime and gcd(e, ϕ(N)) ≠ 1.
Now, we prove that attacker A can correctly find out x2 from y2 with probability as small as 1/e. Since N is odd, each n_j has a primitive root. Let g be a primitive root of n_j. According to Fact 2, y2 is an e-th power residue of n_j iff x2^e = y2 mod n_j has a solution, which is equivalent to
e · ind_g x2 = ind_g y2 mod ϕ(n_j)
Because gcd(e, ϕ(n_j)) = e, the above congruence is solvable iff e | ind_g y2. Let ϕ(n_j) = ed. By Euler's theorem,
e | ind_g y2 ⇔ ed | d · ind_g y2 ⇔ d · ind_g y2 = 0 mod ϕ(n_j) ⇔ y2^(ϕ(n_j)/e) = 1 mod n_j ⇔ x2^ϕ(n_j) = 1 mod n_j
Note that gcd(x2, n_j) = 1. Therefore, there are exactly e solutions.
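A brute-force check on toy moduli of the two facts this section relies on, added here as an example rather than taken from the slides: the e-residue lesson from the PAKE bad example (with gcd(e, ϕ(N)) ≠ 1, the map x ↦ x^e covers only a strict fraction of Z_N^*, whereas a valid key gives a bijection), and the theorem just proved (when e | ϕ(n_j), every e-th residue mod n_j has exactly e preimages, so the committed x2 is hidden up to probability 1/e). The moduli 77 = 7·11, 29 and 29^2 and the exponents 3, 5, 7 are constructed small values standing in for the protocol's 80-bit e.

```python
from math import gcd

def units(n: int) -> list:
    """Z_n^*: the residues coprime to n."""
    return [x for x in range(1, n) if gcd(x, n) == 1]

def eth_residues(n: int, e: int) -> set:
    """Image of x -> x^e mod n on Z_n^*."""
    return {pow(x, e, n) for x in units(n)}

def image_fraction(n: int, e: int) -> float:
    """1.0 for a valid RSA exponent (gcd(e, phi(n)) = 1); a strict fraction otherwise,
    which is what lets an e-residue test rule out password candidates."""
    return len(eth_residues(n, e)) / len(units(n))

def preimage_counts(n: int, e: int) -> set:
    """Set of |{x in Z_n^* : x^e = y mod n}| taken over all e-th residues y."""
    counts = {}
    for x in units(n):
        y = pow(x, e, n)
        counts[y] = counts.get(y, 0) + 1
    return set(counts.values())

def phi_prime_power(p: int, r: int) -> int:
    """Euler's phi of n_j = p^r."""
    return p ** (r - 1) * (p - 1)

def invalid_key_success_bound(p: int, r: int, e: int) -> float:
    """The theorem for n_j = p^r with e | phi(n_j): every e-th residue has exactly e
    preimages, so an attacker holding y2 picks the right x2 with probability 1/e."""
    if phi_prime_power(p, r) % e != 0:
        raise ValueError("theorem needs e | phi(p^r)")
    counts = preimage_counts(p ** r, e)
    if counts != {e}:
        raise AssertionError(f"expected every residue to have {e} preimages, got {counts}")
    return 1.0 / e
```

With e of 80 bits the same counting argument gives the 1/e bound in the theorem; the toy exponent 7 only makes the e-fold ambiguity visible by enumeration.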
Underlying assumption
The RSA problem
Security of RSA-AKE2
The RSA-AKE2 protocol provides the AKE security under the RSA problem in the random oracle model
Adv(A) ≤ O(q_send/D) + negl(k)
In this case, attacker A can invoke the Replace(C_i, r)-query
RSA-AKE2 is secure against off-line dictionary attacks even if the stored secrets of the client are totally controlled by attacker A
Full proof can be found in [SKI10a]
RSA-AKE2 provides semantic security of session keys in the case that attacker A obtains/replaces the RSA private key of server S
Attacker A cannot perform on-line dictionary attacks since the authentication relies on the strong secret v_ij
Security of password
Attacker A cannot get any information about the password from either s_ij (stored on the client's device) or v_ij (stored on the server's database)
Computation costs on client side
If pre-computation is allowed, client C needs to compute only one modular multiplication (not a modular exponentiation)

RSA-based LR-AKE | Modular exponentiations on client (with pre-computation) | Modular exponentiations on client (without pre-computation) | Communication costs (identity and counter omitted) | No. of message flows
RSA-AKE [SKI07]  | 0 | 1 (when e ≥ 3)                | l+2k  | 3
RSA-AKE2         | 0 | 2 (when e is an 80-bit prime) | 2l+2k | 3

Communication costs
RSA-AKE2 needs to send one more group element than RSA-AKE, where l and k are the security parameters for RSA and hash functions, respectively
Some trade-off between security and efficiency
If pre-computation is not possible, client C in RSA-AKE2 has to compute two modular exponentiations with an 80-bit prime e
For such a situation, we recommend using the 80-bit primes with the least Hamming weight (HW) in order to boost computational efficiency
Three 80-bit primes with HW(e) = 3
e = 2^79+2^27+1, e = 2^79+2^34+1, …
In this case, the overall computation cost of client C is 163 modular multiplications
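Where the figure of 163 modular multiplications comes from, as an added example (not the authors' code): a left-to-right square-and-multiply exponentiation costs one squaring per bit after the leading one plus one multiplication per further set bit, so an 80-bit exponent of Hamming weight 3 costs 79 + 2 = 81 modular multiplications. The cost model assumed here is the one that reproduces the slide's number: two such exponentiations plus the single modular multiplication the client always performs. The exponents are the two the slide lists; their primality is not checked by this code.

```python
def hamming_weight(e: int) -> int:
    return bin(e).count("1")

def square_and_multiply(base: int, e: int, n: int) -> tuple:
    """Left-to-right binary exponentiation. Returns (base^e mod n, squarings, multiplications)."""
    if e == 0:
        return 1 % n, 0, 0
    bits = bin(e)[2:]
    result = base % n
    squarings = multiplications = 0
    for bit in bits[1:]:                 # leading bit is absorbed by the initial result
        result = (result * result) % n
        squarings += 1
        if bit == "1":
            result = (result * base) % n
            multiplications += 1
    return result, squarings, multiplications

def exponentiation_cost(e: int) -> int:
    """Modular multiplications for one exponentiation: (bitlen - 1) squarings + (HW - 1) multiplies."""
    return (e.bit_length() - 1) + (hamming_weight(e) - 1)

def client_cost_without_precomputation(e: int) -> int:
    """Assumed cost model: two exponentiations plus one extra modular multiplication."""
    return 2 * exponentiation_cost(e) + 1

# The low-weight 80-bit exponents listed on the slide.
E1 = (1 << 79) + (1 << 27) + 1
E2 = (1 << 79) + (1 << 34) + 1
```

A random 80-bit prime has Hamming weight near 40 and would cost roughly 79 + 39 multiplications per exponentiation, which is why a weight-3 e roughly halves the client's work when no pre-computation is available.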
Progressive Developments of LR-AKE
Detection of on-line dictionary attacks
Distinguish a user's password mis-type from on-line dictionary attacks using the leaked secrets
For a reasonable security policy
Intrusion detection
A user can figure out which accounts are penetrated by an attacker
By login information (e.g., last access date, IP address)
Data encryption is not a complete solution to data leakage
Improper key management is problematic
An encryption key (derived from a password) is insecure against off-line dictionary attacks
Stored encryption keys can be leaked
LR-AKE can be easily extended to data security [ISK09]
Single mode for two parties
Data key is distributed between client C and server S
Proactive security of data key
Proactive security: combination of secret sharing and refreshment of shares
Data key is recovered only on the client side
Cluster mode for three parties
Data key is distributed among the client and primary/secondary servers
Proactive security of data key
Data key is recovered only on the client side
Any two parties can recover the data key (i.e., availability of data key)
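A minimal model of the two modes above, added as an example and not the [ISK09] construction itself: single mode as 2-of-2 XOR sharing of the data key between client and server, cluster mode as 2-of-3 Shamir sharing over a prime field among client, primary and secondary server. Each mode has a proactive refresh that re-randomises the shares without changing the data key, so a share leaked before a refresh is useless afterwards, and recovery is a client-side operation. The 128-bit key size and the field prime 2^255-19 are assumptions of this example.

```python
import os

P = 2 ** 255 - 19     # prime field for the Shamir shares (assumption: Curve25519's field prime)
KEY_BITS = 128        # assumption: 128-bit data key

def rand_field_element() -> int:
    return int.from_bytes(os.urandom(32), "big") % P

# ---- single mode: client and server each hold one XOR share ----
def single_split(key: int) -> tuple:
    client_share = int.from_bytes(os.urandom(KEY_BITS // 8), "big")
    return client_share, key ^ client_share

def single_refresh(client_share: int, server_share: int) -> tuple:
    """Both parties XOR the same fresh r (agreed over the LR-AKE channel);
    the old pair is now useless to anyone who leaked one half of it."""
    r = int.from_bytes(os.urandom(KEY_BITS // 8), "big")
    return client_share ^ r, server_share ^ r

def single_recover(client_share: int, server_share: int) -> int:
    """Run on the client only, after the server's share arrives over the secure channel."""
    return client_share ^ server_share

# ---- cluster mode: shares at x = 1 (client), 2 (primary), 3 (secondary) ----
PARTIES = (1, 2, 3)

def cluster_split(key: int) -> dict:
    """f(x) = key + a1*x; any two points determine f(0) = key."""
    a1 = rand_field_element()
    return {x: (key + a1 * x) % P for x in PARTIES}

def cluster_refresh(shares: dict) -> dict:
    """Proactive refresh: add g(x) = b1*x, a random polynomial with g(0) = 0,
    so the secret is unchanged but old and new shares no longer combine."""
    b1 = rand_field_element()
    return {x: (y + b1 * x) % P for x, y in shares.items()}

def cluster_recover(two_shares: dict) -> int:
    """Lagrange interpolation at x = 0 from any two shares (client side)."""
    (x1, y1), (x2, y2) = two_shares.items()
    l1 = x2 * pow((x2 - x1) % P, -1, P) % P
    l2 = x1 * pow((x1 - x2) % P, -1, P) % P
    return (y1 * l1 + y2 * l2) % P
```

The availability property of cluster mode is the last three assertions in the test: the client with either server, or the two servers' shares delivered to the client, all rebuild the same key, while a pre-refresh share combined with a post-refresh one does not.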
(Figure: Single mode / Cluster mode)
LR-AKE can be applied to any service where authentication is necessary
As a basic authentication service
E.g., SSH, SSL/TLS, IPsec, FTP
Login to remote server/intranet/hotspot
VPN, thin client
Web mail/shopping, internet banking
Identity management, SSO
Cloud storage system, NAS, credential retrieval system, data center access
…
Security architecture for Mobile IPv6 [FSK+05]
In order to ensure continuous connectivity, a fast and secure Mobile IPv6 handover is proposed
LR-AKE based AAA for Network Mobility (NEMO) [FSK+06]
New handover procedures between mobile routers and visiting mobile nodes are proposed for authentication, authorization and accounting (AAA) in the NEMO environment
Security architecture for personal networks [SFK+08]
Based on new LR-AKE, a security architecture for PN-wide communication and for communication between the P-PANs of two different users is proposed
In wireless ad-hoc networks
LR-AKE initialization can be set up [ISK09] by using a short secret imprinted between devices through proximity-authenticated channels
In a hybrid cloud storage system where the authentication servers are maintained by a third party (not the cloud service provider)
The cluster mode [ISK09] can be directly used
In a public cloud storage system where the cloud service provider completely controls the authentication servers as well as the storage
The cluster mode is modified so that only the client can store/retrieve data keys [SKI11]
LR-AKE has become the fountainhead of BURSEC Inc.
BURSEC Inc.
The company was founded in April 2010
Location: Tokyo, Japan
Webpage: http://www.bursec.com/
Authorized as an AIST venture company in July 2010
Products & services
LR-AKE server setup/maintenance
Development toolkit for the core module
Application tools (LR-Passwords, LR-LoginChecker, LR-Desktop)
Authentication service, SSO, …
Password manager for applications
Passwords used in various applications (e.g., Twitter, Dropbox, Firefox, Truecrypt, MS-Word, PDF) are stored and retrieved in single/cluster mode
These passwords can be chosen randomly because the client does not need to remember them
Demo
Password manager for IE (Anti-Phishing)
Passwords needed for login to different web sites (e.g., web mail, internet shopping mall, internet banking) are stored and retrieved in single/cluster mode
If the authentication is successful, the id and password are automatically put in the pre-determined field. Of course, these passwords can be chosen randomly because the client does not need to remember them
Demo
File encryption/decryption tool
Encryption/decryption keys used to encrypt/decrypt files are stored and retrieved in single/cluster mode
These keys are securely managed by LR-AKE: only if the authentication is successful are the encryption/decryption keys recovered on the client side
Demo
LR-AKE over VPN
Through the tunnel established between the VPN client and the VPN server, one-time password authentication (with the password generated by LR-AKE) is performed
Easily applicable to existing authentication frameworks
Demo
Operational test in AIST
Remote access to intranet and mail server
LR-CiscoVPN
International standard activity
A draft of AugPAKE was submitted to the IETF
The up-to-date version is draft-shin-augmented-pake-08 [SK11]
The draft describes how to integrate AugPAKE into IKEv2
Currently, LR-AKE is being deployed in several systems
An LR-AKE client library, SDK and API are available for your own applications
Contact: [email protected]
In this talk, we introduced two very useful AKE protocols
PAKE
The client does not need to carry any devices
However, there are inherent limitations on server compromise and on the number of passwords (the client should remember distinct passwords for many servers)
LR-AKE
The client remembers only one password for many servers
It guarantees a maximum level of security against active attacks and leakage of stored secrets
Specific example
RSA-Based LR-AKE Secure against Replacement Attacks
Progressive developments
Extension to data security
Applications to wireless networks and cloud storage systems
LR-AKE tools & demonstrations
The LR-AKE project aims to solve realistic problems in a novel way
[AM05] A. Alsaid and C. J. Mitchell, “Installing Fake Root Keys in a PC”, EuroPKI 2005
[BM92] S. M. Bellovin and M. Merritt, “Encrypted Key Exchange: Password-based Protocols Secure against Dictionary Attacks”, IEEE Symposium on Security and Privacy, 1992
[CSI10] CSI (Computer Security Institute), “2010/2011 Computer Crime and Security Survey”, http://gatton.uky.edu/FACULTY/PAYNE/ACC324/CSISurvey2010.pdf
[FH07] D. Florencio and C. Herley, “A Large-Scale Study of Web Password Habits”, WWW 2007
[FOXBUSINESS] http://www.foxbusiness.com/industries/2011/06/24/citigroup-cites-27m-in-customer-losses-from-hack/
[Fox-IT11] Fox-IT, “DigiNotar Certificate Authority breach: Operation Black Tulip”, Interim Report, 2011, http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1/rapport-fox-it-operation-black-tulip-v1-0.pdf
[FSK+05] H. Fathi, S. H. Shin, K. Kobara, S. Chakraborty, H. Imai, and R. Prasad, “Leakage-Resilient Security Architecture for Mobile IPv6 in Wireless Overlay Networks”, IEEE Journal on Selected Areas in Communications, Vol. 23, No. 11, pp. 2182-2193, 2005
[FSK+06] H. Fathi, S. H. Shin, K. Kobara, S. Chakraborty, H. Imai, and R. Prasad, “LR-AKE-Based AAA for Network Mobility (NEMO) Over Wireless Links”, IEEE Journal on Selected Areas in Communications, Vol. 24, No. 9, pp. 1725-1737, 2006
[IEEESpectruma] http://spectrum.ieee.org/riskfactor/computing/it/dod_admits_to_being_severely_hh
[IEEESpectrumb] http://spectrum.ieee.org/riskfactor/telecom/security/diginotar-certificate-authority-breach-crashes-egovernment-in-the-netherlands/?utm_source=techalert&utm_medium=email&utm_campaign=091511
[IEEE P1363.2] IEEE P1363.2, “Standard Specifications for Password-Based Public-Key Cryptographic Techniques”, http://grouper.ieee.org/groups/1363/passwdPK/index.html
[IETF RFC1994] IETF RFC 1994, “PPP Challenge Handshake Authentication Protocol (CHAP)”, 1996
[IETF RFC2945] IETF RFC 2945, “The SRP Authentication and Key Exchange System”, 2000
[ISK09] H. Imai, S. H. Shin, and K. Kobara, “New Security Layer for OverLay Networks (Invited Paper)”, Journal of Communications and Networks, Vol. 11, No. 3, pp. 211-228, 2009
[ISO/IEC] ISO/IEC JTC1/SC27 11770-4, “Information Technology – Security Techniques – Key Management – Part 4: Mechanisms based on Weak Secrets”, 2006
[ITU-T] ITU-T Recommendation X.1035, “Password-Authenticated Key Exchange (PAK) Protocol”, Series X: Data Networks, Open System Communications and Security, 2007
[JNSA11] JNSA (Japan Network Security Association), “2010 Survey Report on Information Security Incidents – Personal Information Leakage – (in Japanese)”, 2011, http://www.jnsa.org/result/incident/data/2010incident_survey_PIL_v1.4.pdf
[LR-AKE] LR-AKE Webpage, http://www.rcis.aist.go.jp/project/LR-AKE/
[NIST SP 800-63] NIST Special Publication 800-63, “Information Security (Electronic Authentication Guideline)”, 2006, http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
[OP11] D. Oswald and C. Paar, “Breaking Mifare DESFire MF3ICD40: Power Analysis and Templates in the Real World”, CHES 2011
[PCWorld] http://www.pcworld.com/article/188763/too_many_people_reuse_logins_study_finds.html
[Sophos] http://nakedsecurity.sophos.com/2009/03/10/password-website/
[SFK+08] S. H. Shin, H. Fathi, K. Kobara, N. R. Prasad, and H. Imai, “A New Security Architecture for Personal Networks and Its Performance Evaluation”, IEICE Transactions on Communications, Vol. E91-B, No. 7, pp. 2255-2264, 2008
[SK11] S. H. Shin and K. Kobara, “Most Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2”, IETF Internet-Draft 08, https://datatracker.ietf.org/doc/draft-shin-augmented-pake/
[SKI03] S. H. Shin, K. Kobara, and H. Imai, “Leakage-Resilient Authenticated Key Establishment Protocols”, ASIACRYPT 2003
[SKI07] S. H. Shin, K. Kobara, and H. Imai, “An Efficient and Leakage-Resilient RSA-Based Authenticated Key Exchange Protocol with Tight Security Reduction”, IEICE Transactions on Fundamentals, Vol. E90-A, No. 2, pp. 474-490, 2007
[SKI10a] S. H. Shin, K. Kobara, and H. Imai, “An RSA-Based Leakage-Resilient Authenticated Key Exchange Protocol Secure against Replacement Attacks, and Its Extensions”, IEICE Transactions on Fundamentals, Vol. E93-A, No. 6, pp. 1086-1101, 2010
[SKI11] S. H. Shin, K. Kobara, and H. Imai, “A Secure Public Cloud Storage System”, International Workshop on Cloud Applications and Security (CSA2011)
[TRACEHOTNEWS] http://tracehotnews.com/sony-admitted-psns-70-million-users-information-leakage/