Improved Server Authentication

Improved Server Authentication

Presented by Dmitri EpshteinSupervised by Prof. Hugo Krawczyk

January 2002

January 2002 Improved Server Authentication 2

Outline

Why public key verification ?

Human friendly public key verification

Authentication through image

SSH integration and demo


Client-Server security

Server: Kprv / Kpub,Random: y

Client: psswd, KpubRandom: x

g^y | signKprv(g^y,g^x) | Kpub

g^x

Encrypted channel (K)

K=(g^x)^y K=(g^y)^x

VerifyKpub(signKprv(g^y,g^x))

Verify psswd

login+psswd

Confirm Server Kpub


Man in the middle attack

Server: Kprv / KpubRandom: x

Client: psswdRandom: y

Man in middle: K'prv/K'pubRandom: y', x'

Encrypted channel

(K`)

Encrypted channel(K)

K’= (g^y)^x’=(g^x’)^yK= (g^y’)^x=(g^x)^y’


Public Key Verification

Local (stored in client machine) Not applicable everywhere (e.g. Internet-

Cafe)CA - Certification Authority

CA root key should be known It is not widely available on the Internet yet

User verifies hashed version of public key “public password” as described in [HK99]


Outline






Public Passwords

Not necessary to know all 1024 bits to verify the key

About 64 bits (2^64 different values) is secure for most applications

Use hash function MD5/SHA1(Public Key) to reduce key size It is infeasible to find a different public key that

corresponds to the same “public password”Public key is not secret information


SSH public password

SSH requires user to verify 128 bits - hash value of server public key.Public Key (1024 bits) Fingerprint (128 bits)

Example: DSA key fingerprint is: d7:7d:cf:16:07:3b:5e:17:dc:b7:52:f1:eb:49:37:b1

Too difficult to recognize or retype=> Blind Acceptance

MD5


Improved solution

Use more user friendly format for public key verification (with the same security)

Public key(1024) Hashed Public Key(64) String of English words:

“SCAN TOTE NOON DIE MAID COP” String Alpha-Numeric words:

“4786 8fsh hprb ” Picture


English Words format

RFC1760 (The S/KEY One-Time Password System) defines Table of 2048 English words 2-4 letters each one.

Public key(1024) Hashed Public Key(66) Each 11 bits represent one word from the table 6 words (66 bits) are secure enough 6 English Words are easy to recognizee.g. SCAN TOTE NOON DIE MAID COP


Verification interface

It is important that a user really checks for the validity of displayed value

The purpose of attacker is to find an alternative public key with similar “public password”

Our interface is designed to avoid tendency of users to answer every question by simply hitting Enter-key


Interface to user

4 different (but similar) options are displayed

User should choose the appropriate one.

(1) SCAN NOON DIE MAID TOTE COP(2) SCAN TOTE NOON DIE MAID COP(3) COP TOTE DIE SCAN MAID NOON(4) TOTE DIE SCAN COP MAID NOON

What is the appropriate phrase ?


Too mush diversity

(1) TUM TANK TIP CUBE LID HELM(2) SCAN TOTE NOON DIE MAID COP !(3) BANK HANS BIN GOAT JET BEAM(4) HIGH TUNE REID BARB BONY RAIN

User will remember only first word “SCAN” Attacker can find the other key that converted to the string started with “SCAN” e.g. “SCAN GOAT DIE JET TANK COP”

Security decreased from 2^66 to 2^11


Too much similarity

(1) SCAN BEAM NOON DIE MAID COP(2) SCAN TOTE NOON DIE MAID COP !(3) BANK TOTE NOON DIE MAID COP(4) SCAN TOTE NOON JET MAID COP

One-word distance from right string. In place of checking the correct answer user may derive the “right” option from the proposed list


Our suggestion

(1) SCAN NOON DIE MAID TOTE COP(2) SCAN TOTE NOON DIE MAID COP !(3) COP TOTE DIE SCAN MAID NOON(4) TOTE DIE SCAN COP MAID NOON

Each alternative created from previous one by permutation of two randomly chosen words.

Strings are randomly placed from 1 to 4.


Alpha-Numeric format

Based on 26 letters and 10 digits. Letters ‘l’ and ‘o’ excluded. Digits ‘1’ and ‘0’ excluded.Total 32 symbols are used.

Public key(1024) Hashed Public Key(60) Each 5 bits represent one Alpha-Numeric symbol 12 symbols (60 bits) are secure enough 12 symbols - 3 words are easy to recognize

e.g. “qu24 ih2q sswb”


Outline






Visual format

Maybe the most user friendly option.Huge number of different pictures.Easy to remember and recognize.


Image verification

What is the appropriate Image ?


Image properties

The images should meet the following requirements [PS99]:

Regularity Easy to recognize

Minimal complexity Avoid too simplified images

Collision resistance Hard to find two different keys represented by

the same or very similar image.


Minimal complexity

Compression (zlib) used to check regularity and minimal complexity of the image.

Too high compression ratio == Very simplified image ==Easy to falsify

e.g. Compression ratio 6%


Regularity

Too low compression ratio ==

Not regular image ==

Difficult to recognize

e.g. Compression ratio 82%

Compression ratio thresholds that guarantees Regularity and Minimal Complexity of the image

35 - 70 %


Collision Resistance

h*w

1i

2i

2i

2i

h*w

1i

2i

2i

2i

h*w

1i

2ii

2ii

2ii

))b()g()r(())b()g()r((

))bb()gg()rr((*100[%]diff

Very small probability to find two different keys represented by the same (or very similar) image.

To calculate differences between two pictures “normal corelation” formula used:

w – width of picture in pixels, h – height of picture in pixelsri, gi, bi – red, green and blue components of the colour for

pixel “i” in the picture.


Image creation method

Based on idea of “randomArt ” [Bau98].

N*M image created from the 64 bits key. Picture format is array of long words (32

bits) of size of “width*height” (N*M)Each long word represents an RGB colour

of a pixel in the picture (0x00bbggrr). 0x000000FF – red, 0x00FF0000 – blue, 0x0000FF00 – green


Image creation method (1)

F1 F2 F16

64 bits Hashed key

.....

InputColor(r, g, b)

Output Color(r', g', b')

(x,y) ->(r, g, b)

Pixelcoordinates

(x, y)

S(1) S(2) S(16)



The algorithm based on set of 16 mathematical functions that convert input colour {r, g, b} to output colour {r’, g’, b’}.

Each 4 bits of the key define one of the functions from the set.

The initial value of the colour for each pixel depends on coordinates {x, y} of the pixel

S(1) .. S(16) - shifts color accordingly with function location.



Each one of the 16 functions: Continuous, r [-1; 1], r’ [-1; 1],

r’=log10(4.1 + 4*r) r’=sin(5*r); r’=0.8*atan(-3*r)


Statistical results

Quality of image (Regularity and Minimal Complexity)

1000 randomly chosen keys

0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95 1000

20

40

60

80

100

120

140

Num

ber

of Im

ages

Compression Rate [%]

About 700 from 1000 images are Good images. Compression rate in range 35-70 %


Statistical results (1)

Collision resistance of the image One “good” reference image is chosen 1000 other “good” images compared with the

reference image accordingly to the formula above.

Results: Most of images have ~25-40% difference from

the reference image. No image has difference less than 15% from

the reference image.


Outline






SSH Overview

SSH is a protocol for secure network services (telnet, rlogin) over insecure network.

It consists of three major components: Transport layer protocol provides Server

Authentication, Confidentiality and Integrity. User authentication protocol authenticates the

Client side to the Server. Connection protocol multiplexes encrypted

tunnels into several logical channels.


SSH integration

No changes in SSH server (sshd)Key Generator (ssh-keygen) is

changedSSH Client (ssh) is changedFull Backward compatibility


SSH Framework

Key Generation Generate and display all possible formats Only key that can be converted in “good” image

will be accepted

Diffie-Hellman Key Exchange and Server Authentication Server has Kprv/Kpub - private/public keys pair Client creates e=(g^x mod p) and sends to

Server Server creates f=(g^y mod p)


SSH Framework (1)

Server receives “e” from Client Server computes K=(e^y mod p) Server computes H=hash( Kpub | e | f | K ) Server computes s = sign(H) with Kprv Server sends ( Kpub | f | s ) to Client Client verifies Kpub received from

Server !!! Client computes K=(f^x mod p) Client computes H=hash( Kpub | e | f | K ) Client verifies the signature “s” on H


Supported formats

Client choose key representation format: (1) Fingerprint (2) EnglishWords (3) AlphaNumeric (4) Visual


Verification actions

Client choose key verification action: (1) Confirm (2) Retype (3) Abort

Start Updated SSH demonstration !!!


Summary

“Public passwords” are more user friendly method for Server authentication

New method for key visualization and authentication

Integrate all above into SSH and improve the its overall security


Future work

Other user friendly string formatsOther mechanism to create

alternative stringsImprove picture quality (Regularity)Improve picture compare algorithm

and analyze collision resistanceGrayscale images


References

[SH99] Shai Halevi, Hugo Krawczyk. Public cryptography and password protocols. 1999

[PS99] Adrian Perrig, Dawn Song. Hash Visualization: a New Technique to improve Real-World Security. 1999

[DP00] Rachna Dhamija, Adrian Perrig. Using Images for Authentication. 2000

[Bau98] Andrej Bauer. Gallery of random art. 1998

Improved Server Authentication

Documents

Transcript of Improved Server Authentication