DanBoneh

IDprotocols

Overview

DanBoneh

TheSetup

Alg.G

UserP(prover)

ServerV(verifier)

sk vk

yes/nonokeyexchange

vk eitherpublicorsecret

DanBoneh

Applications:physicalworld– Physicallocks:(friend-or-foe)• Wirelesscarentrysystem• Openinganofficedoor

– LoginatabankATMoradesktopcomputer

DanBoneh

Applications:InternetLogintoaremotewebsiteafterakey-exchangewithone-sidedauthentication(e.g.HTTPS)

Prover Verifierone-sidedauth.keyexchangek k

sk vk

IDprotocol

Alice

bank.com ???

DanBoneh

Prover Verifier

IDProtocols:hownottouse• IDprotocol donotestablishasecuresession

betweenAliceandBob!!• Notevenwhencombinedwithanonymouskeyexch.• Vulnerabletomanintothemiddleattacks

anon.keyexchangek k

sk vk

IDprotocol

AliceInsecure!

??? ???

DanBoneh

Prover Verifier

IDProtocols:hownottouse• IDprotocoldonotsetupasecuresession

betweenAliceandBob!!• Notevenwhencombinedwithanonymouskeyexch.• Vulnerabletomanintothemiddleattack

keyexch.ka kb

sk vkkeyexch.

ka kb

proxyIDprotocol

Alice

??? ???

DanBoneh

IDProtocols:SecurityModels1. DirectAttacker:impersonatesproverwithnoadditional

information(otherthanvk)– Doorlock

2. Eavesdroppingattacker:impersonatesprover aftereavesdroppingonafewconversationsbetweenprover andverifier– Wirelesscarentrysystem

3.Activeattacker:interrogatesprover andthenattemptstoimpersonateprover– FakeATMinshoppingmall

DanBoneh

IDprotocols

Directattacks

DanBoneh

BasicPasswordProtocol(incorrectversion)• PWD:finitesetofpasswords

• AlgorithmG(KeyGen):• choosepw← PWD.outputsk =vk =pw.

UserP(prover)

ServerV(verifier)

sk

sk vkyesiff sk=vk

DanBoneh

BasicPasswordProtocol(incorrectversion)Problem:vk mustbekeptsecret• Compromiseofserverexposesallpasswords• Neverstorepasswordsintheclear!

Alice pwalice

Bob pwbob

… …

passwordfileonserver

DanBoneh

BasicPasswordProtocol:version1H:one-wayhashfunctionfromPWDtoX• “GivenH(x)itisdifficulttofindysuchthatH(y)=H(x)”

Alice H(pwA)

Bob H(pwB)

… …

passwordfileonserverUserP(prover)

ServerV(verifier)

sk

sk vk =H(sk)

yesiff H(sk)=vk

DanBoneh

Problem:WeakPasswordChoiceUsersfrequentlychooseweakpasswords:(adobelist,2013)

Acommonoccurrence• Example:theRockyoupasswordlist,2009(6mostcommonpwds)

123456,12345,Password,iloveyou,princess,abc123

Dictionaryof360,000,000wordscoversabout25%ofuserpasswords

Password: 123456 123456789 password adobe123 12345678 qwerty 1234567

Fractionofusers: 5% 1.1% 0.9% 0.5% 0.5% 0.5% 0.3%

Total:8.8%

DanBoneh

Onlinedictionaryattack:Supposeanattackerobtainsalistofusernames.Foreachusernametheattackertriestologinusingthepassword‘123456’.

Password: 123456 123456789 password adobe123 12345678 qwerty 1234567

Fractionofusers: 5% 1.1% 0.9% 0.5% 0.5% 0.5% 0.3%

Successafter20triesonaverage

DanBoneh

OfflineDictionaryAttacksSupposeattackerobtainsasingle vk =H(pw)fromserver• Offline attack: hashallwordsinDict untilawordwisfound

suchthatH(w)=vk• TimeO(|Dict|)perpassword

Offtheshelftools(e.g.Johntheripper):• Scanthroughall 7-letterpasswordsinafewminutes• Scanthrough360,000,000guessesinfewseconds

⇒ willrecover23%ofpasswords

DanBoneh

BatchOfflineDictionaryAttacksSupposeattackerstealsentire pwd fileF• Obtainshashedpwds forall users

• Example(2012):Linkedin (6M:SHA1(pwd))

Batchdict.attack:• Foreachw∈ Dict:testifH(w)appearsinF(usingfastlook-up)

Totaltime:O( |Dict|+|F|) [Linkedin:6days,90%ofpwds.recovered]

Muchbetterthanattackingeachpasswordindividually!

Alice H(pwA)

Bob H(pwB)

… …

DanBoneh

PreventingBatchDictionaryAttacksPublicsalt:

• Whensettingpassword,pickarandomn-bitsaltS

• WhenverifyingpwforA,testifH(pw,SA)=hA

Recommendedsaltlength,n=64bits• Attackermustre-hashdictionaryforeachuser

Batchattacktimeisnow:O(|Dict|× |F|)

Alice SA H(pwA ,SA)

Bob SB H(pwB ,SB)

… … …

hSid

DanBoneh

Howtohashapassword?Linked-in: SHA1 hashed(unsalted)passwords

⇒ 6days,90%ofpasswordsrecoveredbyexhaustivesearch

Theproblem:SHA1istoofast…attackercantryallwordsinalargedictionary

Tohashpasswords:

• Useakeyed hashfunction(e.g.,HMAC)wherekeystoredinHSM

• Inaddition:useaslow,space-hard function

DanBoneh

Howtohash?PBKDF2,bcrypt: slowhashfunctions• Slownessby“iterating”acryptohashfunctionlikeSHA256

Example:H(pw)=SHA256(SHA256(…SHA256(pw,SA)…))• Numberofiterations:setfor1000evals/sec• Unnoticeabletouser,butmakesofflinedictionaryattackharder

Problem:customhardware(ASIC)canevaluatehashfunction50,000xfasterthanacommodityCPU

⇒ attackercandodictionaryattackmuchfasterthan1000evals/sec.

DanBoneh

Howtohash:abetterapproachScrypt:aslowhashfunctionANDneedlotsofmemorytoevaluate

⇒ customhardwarenotmuchfasterthancommodityCPU

Problem:memoryaccesspatterndependsoninputpassword⇒ localattackercanlearnmemoryaccesspattern

foragivenpassword⇒ eliminatesneedformemoryinanofflinedictionaryattack

Isthereaspace-hardfunctionwheretimeisindependentofpwd?• Passwordhashingcompetition(2015):Argon2i (alsoBalloon)

DanBoneh

IDprotocols

Securityagainsteavesdroppingattacks

(one-timepasswordsystems)

DanBoneh

EavesdroppingSecurityModelAdversaryisgiven:• Server’svk,and• thetranscriptofseveralinteractionsbetween

honestprover andverifier.(example:remotecarunlock)

adv.goalistoimpersonateprover toverifier

Aprotocolis“secureagainsteavesdropping”ifnoefficientadversarycanwinthisgame

Thepasswordprotocolisclearlyinsecure!

DanBoneh

One-timepasswords(secretvk,stateful)Setup (algorithmG):• Chooserandomkeyk• Outputsk =(k,0);vk =(k,0)

Identification:

prover serverr0 ← F(k,0)sk =(k,0) vk =(k,0) Yesiff

r=F(k,0)r1 ← F(k,1)sk =(k,1) vk =(k,1)

often,time-basedupdates:r← F(k,time)[stateless]

6digits

DanBoneh

TheSecurID system(secretvk,stateful)“Thm”: ifFisasecurePRFthenprotocol

issecureagainsteavesdropping

RSASecurID usesAES-128:

Advancingstate:sk← (k,i+1)• Timebased:every60seconds• Useraction:everybuttonpressBothsystemsallowforskewinthecountervalue

F128bitkey32bitctr

6digitoutput

DanBoneh

Googleauthenticator• 6-digittimedone-timepasswords(TOTP)basedon[RFC6238]• Wideweb-siteadoption:– Evernote,Dropbox,WordPress,outlook.com,…

ToenableTOTPforauser:websitepresentsQRcodewithembeddeddata: otpauth://totp/Example:alice@dropbox.com?

secret=JBSWY3DPEHPK3PXP&issuer=Example

(SubsequentuserloginsrequireusertopresentTOTP)

Danger:passwordresetuponuserlockout

DanBoneh

ServercompromiseexposessecretsMarch2011:• RSAannouncedserversattacked,secretkeysstolen

⇒ enabledSecurID userimpersonation

IsthereanIDprotocolwhereserverkeyvk ispublic?

DanBoneh

TheS/Keysystem(publicvk,stateful)Notation:H(n)(x)=H(H(…H(x)…))

AlgorithmG: (setup)• Chooserandomkeyk← K• Outputsk =(k,n);vk =H(n+1)(k)

Identification:

ntimes

H(n+1)(k)H(n)(k)H(n-1)(k)H(n-2)(k)k H(k)

vkpwd #1pwd #2pwd #3pwd #4

DanBoneh

TheS/Keysystem(publicvk,stateful)Identification(indetail):

• Prover (sk=(k,i)):sendt← H(i) (k);setsk← (k,i-1)

• Verifier(vk=H(i+1)(k)): ifH(t)=vk thenvk←t,output“yes”

Notes: vk canbemadepublic;butneedtogeneratenewsk afternlogins(n≈106)

“Thm”: S/Keyn issecureagainsteavesdropping(publicvk)providedHisone-wayonn-iterates

DanBoneh

SecurID vs.S/KeyS/Key:

• public vk,limited numberofauthentications

• Longauthenticatort(e.g.,80bits)

SecurID:

• secret vk,unlimited numberofauthentications

• Shortauthenticator(6digits)

DanBoneh

IDprotocols

Securityagainstactiveattacks

(challenge-responseprotocols)

Online Cryptography Course Dan Boneh

DanBoneh

ActiveAttacks

• OfflinefakeATM: interactswithuser;latertriestoimpersonateusertorealATM

• Offlinephishing: phishingsiteinteractswithuser;laterauthenticatestorealsite

Allprotocolssofararevulnerable

vkUserP(prover)

sk

probe#1

probe#q

ServerV(verifier)

vkimpersonate

DanBoneh

MAC-basedChallengeResponse(secretvk)

“Thm”:protocolissecureagainstactiveattacks(secretvk),provided(SMAC,VMAC)isasecureMAC

UserP(prover)

sk

ServerV(verifier)

vk

k← Ksk =k vk =k

randomm←M

t← SMAC(k,m)

VMAC(k,m,t)

DanBoneh

MAC-basedChallengeResponseProblems:• vk mustbekeptsecretonserver• dictionaryattackwhenkisahumanpwd:

Given[m,SMAC(pw,m)]eavesdroppercantryallpw∈ Dict torecoverpw

Mainbenefit:• Bothmandtcanbeshort• CryptoCard:8charseach

DanBoneh

Sig-basedChallengeResponse(publicvk)

“Thm”: Protocolissecureagainstactiveattacks(publicvk),provided(GSIG,Sign,Verify)isasecuredigitalsig.

buttislong(≥20bytes)

UserP(prover)

sk

ServerV(verifier)

vk

(sk,vk)← GSIGsk vk

random m←M

t← Sign(k,m)

ReplaceMACwithadigitalsignature:

Verify(k,m,t)

DanBoneh

SummaryIDprotocols:usefulinsettingswhereadversarycannotinteract

withprover duringimpersonationattempt

Threesecuritymodels:

• Direct:passwords(properlysaltedandhashed)

• Eavesdroppingattacks:Onetimepasswords– SecurID:secretvk,unboundedlogins– S/Key:publicvk,boundedlogins

• Activeattacks:challenge-response

DanBoneh

THEEND