Hash.Based.doc

  • 8/18/2019 Hash.Based.doc

    Hash Based Single Password Authentication Protocols

    M. Tech. Project Report

    Software Requirement Specification (SRS)

    I Help Study

    (Rohit Rajpoot)

    Contents

    1 Introduction
      1.1 Motivation
      1.2 Problem Definition
      1.3 Survey
        1.3.1 Password Protocols
        1.3.2 Merkle Tree Authentication Scheme
        1.3.3 An Ideal Password Authentication Scheme
    2 Proposed Scheme
      2.1 Proposed Solution
      2.2 Attacks and Remedies
    3 Conclusion

    Chapter 1

    Introduction

    1.1 Motivation

    Many people today have multiple accounts on the Internet. Most of these accounts are protected by passwords. As more services move to the Internet, the number of accounts a user needs to manage is expected only to grow. If one uses different and unrelated passwords for each account, then remembering all these unique passwords is a daunting task. Because of this, the common practice is to use the same password for multiple accounts. But current password protocols are not suitable for this practice.

    A Merkle Tree [1, 2] is a construction introduced by Ralph Merkle in 1979 to build secure authentication and signature schemes from hash functions (e.g. SHA1). Due to the discovery of more efficient cryptographic primitives based on number theory (e.g. RSA, ECC), this classic technique has received little practical attention. However, there are good reasons to further develop these cryptographic constructions. Today, RSA and other number theoretic constructions serve our needs for encryption and digital signatures well, and the improvements in technology and algorithms that affect the security of these primitives (e.g. factoring integers) have historically progressed at a modest, predictable rate, and it has been possible to adjust key sizes accordingly. Merkle Tree signatures [8] do not rely on the difficulty of factoring or of the discrete log problem.

    1.2 Problem Definition

    We propose a protocol that allows a client to securely use a single password across multiple servers. The proposed scheme uses the concept of Merkle Tree authentication and thus does not require any number theoretic assumptions. We do not reveal any information about the password during message communication, which prevents the password guessing attack. Thus, we are trying to design a hash based single password authentication protocol that is simple, secure, efficient and user-friendly.

    1.3 Survey

    Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. In private and public computer networks (including the Internet), authentication is commonly done through the use of logon passwords.

    user registers initially (or is registered by someone else), using an assigned or self-declared password. On each subsequent use, the user must know and use the previously declared password. The weakness in this system for transactions that are significant (such as the exchange of money) is that passwords can often be stolen, accidentally revealed, or forgotten. For this reason, Internet business and many other transactions require a more stringent password authentication protocol.

    1.3.1 Password Protocols

    Many password protocols have been proposed, especially in the past decade. In this section, we review these password protocols.

    Web-specific Password Protocols

    The HTTP digest authentication protocol [3] uses the challenge/response technique, which basically works as follows. When client C registers with server S, S stores C's password P. When C wants to login on S, S generates a nonce n and sends it to C as a challenge. Then C computes MD(n P) and sends the result to S as a response (MD is the message digest function). Server S verifies the received response using the stored password P and the generated nonce n. Because a server knows the passwords of its clients, the HTTP digest authentication protocol is vulnerable to malicious server attacks and password file compromise attacks.

    Strong Password Protocols

    Strong password protocols often have strong security properties, but they usually require computationally intensive operations such as modular exponentiations, asymmetric encryptions/decryptions, etc. Many such protocols have been proposed, such as Simple Password Exponential

    a very important role in cryptography plays the quantum computer. By comparison, a quantum computer could solve these problems relatively easily. This ability would allow a quantum computer to break many of the cryptographic systems in use today, in the sense that there would be a relatively fast (polynomial time in n) algorithm for solving the problem.

    Single Sign-on Protocols

    The basic idea of single sign-on protocols is to use one central server to authenticate clients for multiple servers, instead of each server authenticating clients by itself. Although single sign-on protocols provide clients the convenience of remembering only one password, which is registered in the single sign-on server, such protocols have the following main disadvantages. First, single sign-on protocols introduce a single point of failure. If the single sign-on server stops working, then all the servers that depend on it fail to authenticate their clients, which is extremely destructive. Compromising the single sign-on server has high pay-offs for attackers and thereby makes attack attempts more likely. Second, single sign-on protocols have a high cost of integration because servers need to register with the single sign-on server in order to get the service, and consequently lack universal adoption. For the servers that do not use single sign-on protocols, a client has to register with them individually using passwords. If a client registers with a malicious server using the same password that he uses for the single sign-on server, then the malicious server can impersonate the client to login on multiple servers.

    One-time Password Protocols

    A One-Time Password (OTP) authentication protocol, such as Lamport's one-time password protocol [5], can be used for authenticating a user by a server. There are two entities in the operation of the one-time password protocol. The one-time password system generator passes the Client's secret password, along with a seed received from the server as part of the challenge, through multiple iterations of a secure hash function to produce a one-time password. After each successful authentication, the number of secure hash function iterations is reduced by one. Thus, a unique sequence of passwords is generated. The server verifies the one-time password received from the generator by computing the secure hash function once and comparing the result with the previously accepted one-time password. But to make one-time password protocols secure against malicious server attacks, a client has to remember multiple "seed" passwords or multiple lists of one-time passwords for multiple accounts.
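The one-time password check described above, as an added example that is not part of the original report. SHA-256, the seed-then-secret input order and the names `chain` and `OtpServer` are assumptions of the example; the server stops accepting logins at one remaining iteration, because the next answer would be the unhashed input itself.

```python
import hashlib
import hmac


def chain(secret, seed, count):
    """Generator side: hash seed + secret `count` times (assumed input order)."""
    value = seed + secret
    for _ in range(count):
        value = hashlib.sha256(value).digest()
    return value


class OtpServer:
    """Stores only the last accepted one-time password and the iteration count."""

    def __init__(self, seed, count, initial):
        self.seed, self.count, self.last = seed, count, initial

    def challenge(self):
        # The client must answer with the value hashed one time fewer.
        return self.seed, self.count - 1

    def login(self, otp):
        if self.count <= 1:
            return False  # chain exhausted, the client has to re-register
        # Hash the received value once and compare with the stored one.
        if not hmac.compare_digest(hashlib.sha256(otp).digest(), self.last):
            return False
        self.last, self.count = otp, self.count - 1
        return True
```

Registering with `OtpServer(seed, 5, chain(secret, seed, 5))` gives four usable logins; a captured one-time password is rejected on replay because the stored value has already moved one step down the chain.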

    1.3.2 Merkle Tree Authentication Scheme

    Merkle trees can be used for a variety of cryptographic purposes, including digital signatures and user authentication. In this section, we discuss the Merkle tree user authentication scheme [6].

    Merkle Tree: A Merkle Tree is a complete binary tree with a k-bit value associated to each node such that the interior node value is a hash function of the node values of its children. That is,

    P(n_parent) = h(P(n_left) P(n_right))

    where P is the assignment function, which maps the set of nodes to the set of their strings of length k, h() is a cryptographic hash function and denotes string concatenation. The N values that need to be authenticated are placed at the N leaves of the tree. We may choose the leaf value arbitrarily, but usually it is a cryptographic hash function of the values that need to be authenticated. In this case these values are called leaf-preimages. A leaf can be verified with respect to a publicly known root value and its authentication path.

    Figure 1.1: Merkle tree on 4 leaves showing the authentication path for leaf 1.

    Authentication Path: The authentication path Auth_i of leaf i is an ordered sequence of node values, where these nodes are the siblings of the nodes on the path connecting the leaf i to the root. Let Auth_j(i) be the value on the node that is the sibling to the node at height j in the path from leaf i to the root. Let H be the height of the tree. The authentication path for leaf i is then,

    Auth_i = (h(leaf_i), Auth_0(i), Auth_1(i), ..., Auth_{H-1}(i))

    User Authentication and Verification: In user authentication, a user wishes to repeatedly authenticate herself with a server. This can be accomplished by providing the server with the value P(n_root) for the root of the Merkle tree. Each time the user wishes to authenticate to the server, the user reveals the hash value of leaf i along with an authentication path so that the server can construct and verify P(n_root). The authentication path can be verified by checking if the published root value, P(n_root), is equal to

    h(...h(h(leaf_i) Auth_0(i))...Auth_{H-1}(i))

    where the order of concatenation is done correctly based on the structure of the tree.

    1.3.3 An Ideal Password Authentication Scheme

    To be called ideal, a password authentication scheme should be able to withstand all of the attacks and achieve all of the following goals [7].

    - The passwords or verification tables are not stored in the system.
    - The passwords cannot be revealed by the administrator of the server.
    - The passwords are not transmitted in plain text over the insecure network.
    - The length of a password must be appropriate for memorization.
    - The scheme must be efficient and practical.
    - Any unauthorized login can be quickly detected when a user inputs a wrong password.
    - A session key is established during the password authentication process to provide confidentiality of communication.
    - The passwords can be chosen and changed freely by the users.

    Chapter 2

    Proposed Scheme

    2.1 Proposed Solution

    In this section, we present our Password Protocol. In our protocol, we need only one Merkle tree at the Client's side to login on all its Servers. The selection of the height H of the tree depends upon the security level of the protocol. The protocol is more secure with a large value of H, but the tree storage cost and authentication path size increase. The notations used in the proposed solution are listed in Table 2.1.

    Table 2.1: Notations

    C         Client
    S         Server
    P         Password remembered by client
    n         Random number
    R         Root value of Merkle Tree
    H         Height of Merkle Tree
    Auth_i    Authentication path of leaf i
    h()       Message digest (one-way hash) function
              concatenation

    Let P be the single password that a client C remembers. Initially C prepares a Merkle hash tree and calculates its root value R. When C registers with a server S, C generates a hash value h(P S), then sends h(P S) securely to S, and S stores them in its password file.

    The construction of the Merkle tree is as follows. Let our Merkle tree contain N_leaf = 2^H leaf nodes. We assign leaf 2i the value i and leaf 2i-1 a pseudo-random number r_i (where i = 1, 2, ..., 2^{H-1}). The interior nodes are calculated using the basic property of the Merkle tree, that is, an interior node value is a hash function of the node values of its children, i.e., n_parent = h(n_left n_right).

    Later on, when C tries to login on S, S prompts C with a challenge n. Then C uses the challenge n, the server's name S, and his password P to compute i = F(h(P S), n), where F is a one-way function that takes the least significant H bits of h(h(P S) n) and replaces the LSB of the result with zero. Client C computes the authentication path Auth_i of leaf i as,

    Auth_i = (Auth_0(i), Auth_1(i), ..., Auth_{H-1}(i))

    Figure 2.1: Merkle tree on 8 leaves showing leaf values and authentication path of leaf 4 (shaded nodes)

    h(P S) and n. The authentication path Auth_i can be verified by checking if the root value, R, is equal to,

    h(...h(h(h(i/2) Auth_0(i)) Auth_1(i))...Auth_{H-1}(i))

    Note that Client C does not send his password P to S, even in the initial registration.
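The registration, challenge and verification steps of section 2.1 (which reuse the authentication-path check of section 1.3.2) as a runnable sketch; this is an added example, not code from the report. Assumptions: SHA-256 as h(), concatenation modelled as length-prefixed byte strings, r_i derived by HMAC from a client-side seed, 4-byte big-endian integers, leaves numbered from 1, and an index of 0 mapped to leaf 2^H.

```python
import hashlib
import hmac

H = 4  # tree height; constructed small value, 2**H = 16 leaves

def h(*parts):
    """h(): SHA-256 over length-prefixed parts (assumed concatenation encoding)."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def build_tree(seed, height=H):
    """Client: levels[0] holds leaves 1..2**height, levels[-1] == [R]."""
    leaves = []
    for leaf in range(1, 2 ** height + 1):
        if leaf % 2 == 0:   # leaf 2i carries the value i
            pre = (leaf // 2).to_bytes(4, "big")
        else:               # leaf 2i-1 carries r_i (assumed: HMAC of a secret seed)
            pre = hmac.new(seed, leaf.to_bytes(4, "big"), "sha256").digest()
        leaves.append(h(pre))
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([h(cur[k], cur[k + 1]) for k in range(0, len(cur), 2)])
    return levels

def leaf_index(hps, n, height=H):
    """F: least significant `height` bits of h(h(P S) n), LSB replaced with zero."""
    i = int.from_bytes(h(hps, n), "big") & ((1 << height) - 1) & ~1
    return i or 2 ** height  # assumption: 0 is not a leaf, use the last even leaf

def auth_path(levels, i):
    """Client: sibling values Auth_0(i) .. Auth_{H-1}(i) of 1-based leaf i."""
    pos, path = i - 1, []
    for level in levels[:-1]:
        path.append(level[pos ^ 1])
        pos //= 2
    return path

def verify(root, hps, n, path, height=H):
    """Server: derive i from its stored h(P S) and its own n, then fold the path."""
    i = leaf_index(hps, n, height)
    if len(path) != height:
        return False
    node, pos = h((i // 2).to_bytes(4, "big")), i - 1
    for sibling in path:
        node = h(node, sibling) if pos % 2 == 0 else h(sibling, node)
        pos //= 2
    return hmac.compare_digest(node, root)

if __name__ == "__main__":
    tree = build_tree(b"constructed client seed")
    hps, n = h(b"constructed password", b"server.example"), b"constructed nonce"
    print(verify(tree[-1][0], hps, n, auth_path(tree, leaf_index(hps, n))))
```

With H = 4 only eight even leaves exist, so two challenges select the same leaf often; the report's advice to increase H is what keeps a captured path from matching a later challenge.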

    2.2 Attacks and Remedies

    In this section, we discuss the security of our protocol against some common attacks. We assume that our protocol is used with the Secure Sockets Layer (SSL), the current industry standard for securing communication over the Internet. Note that the message digest (one-way hash) function h() is assumed to have the property that a polynomial bounded adversary should not be able to gain any information about the input by examining the output of such a function. We sort common attacks and remedies as follows:

    Password Guessing Attacks

    Most passwords have such low entropy that they are vulnerable to password guessing attacks, where an attacker intercepts authentication messages and stores them locally and then attempts to use a guessed password to verify the correctness of his/her guess using these authentication messages. Our protocol is secure against this attack because we are not revealing any information about the password during message communication.

    Message Replay Attacks

    In a message replay attack, an attacker first listens to all of the communication between a client and a server, then tries to login on the server by replaying some messages that the attacker captured previously. Our protocol is secure against message replay attacks. If an attacker replays an old challenge to the client, the client will create an Auth_i that corresponds to the old challenge, but the server cannot verify Auth_i. Similarly, replaying an old Auth_i to the server is useless.

    Malicious Server Attacks

    In a malicious server attack, an attacker first sets up a malicious server and attracts people to register with the server; second, tries to impersonate one of his clients to login on another server. Our protocol is secure against this type of attack because of two reasons:

    (a) A client never releases his password to a server, and a server is never able to compute a client's password based on the password verification information Auth_i that the client gives to the server.
    (b) Replaying a used Auth_i to any server cannot be successful. Although a client uses the same password on multiple servers, Auth_i is valid for one particular server and is valid for only one time.

    Password File Compromise Attacks

    In a password file compromise attack, an attacker first steals a server's password file, which stores the password verification information of every client; then the attacker tries to discover either the password of a client using off-line dictionary attacks or the next password verification information that a client will use to login on the server. Our protocol is secure against off-line dictionary attacks; the attacker cannot discover the password of any client. Even if the attacker got the password file from the server, he cannot login on other servers without knowing the h(P S) of the others.

    Eavesdropping Attacks

    In an eavesdropping attack, an attacker listens to all the communication between a client and a server, and tries to discover the client's Merkle tree. In our protocol, an attacker can gather a lot of information about the tree from the Auth_i that is sent to the server from the client in different sessions. However, we can meet this problem up to an extent as follows:

    - Increase the height H of the tree. With a sufficiently large H, we can generate 2^{H-1} authentication paths. So, the information gathered by an attacker is not sufficient to login on any server.
    - The current industry standard for securing communication over the Internet is Secure Sockets Layer (SSL). We assume that our protocol is used with SSL. Our protocol runs on top of SSL and all the communication between a client and a server is encrypted with a session key established by SSL, so an eavesdropper cannot discover the password authentication information Auth_i.
    - Even if the attacker got some information about the client's Merkle tree, he cannot compute the Auth_i corresponding to a challenge n without the password P.
    - Ensure periodic update of the Merkle tree, which can be done offline.

    Chapter 3

    Conclusion

    Our protocol is simple, secure, efficient and user-friendly. The protocol is simple because it only involves three messages. The protocol is also secure against most of the attacks that have been discovered so far. These attacks include the ones that are difficult to defend against, such as the malicious server attacks and password guessing attacks. Our protocol is based on a one-way hash function and the computation cost is lower than other password authentication schemes. Thus the protocol is efficient. In terms of usability, the protocol requires a user to remember only one password, and this password can be used for all of his accounts.

    Bibliography

    [1] R. C. Merkle, A certified digital signature (subtitle: That antique paper from 1979), In G. Brassard, ed., Advances in Cryptology Proc. CRYPTO '89, volume 435 of LNCS, pp. 218-238, Springer-Verlag, 1990.
    [2] M. Jakobsson, T. Leighton, S. Micali, M. Szydlo, Fractal Merkle Tree Representation and Traversal, In RSA Cryptographers Track, RSA Security Conference 2003.
    [3] J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, L. Stewart, Http authentication: Basic and digest access authentication, RFC 2617, 1999.
    [4] D. Jablon, Strong password-only authenticated key exchange. Computer Communication Review, 26(5): 5-26, October 1996.
    [5] L. Lamport, Password authentication with insecure communication, Communications of the ACM, vol. 24, pp. 770-772, November 1981.
    [6] Douglas Stebila, Slightly improved Merkle tree traversal for user authentication using pseudorandomly-generated leaves, Online, 2006, Research Note.
    [7] Chwei-Shyong Tsai, Cheng-Chi Lee, Min-Shiang Hwang, Password Authentication Schemes: Current Status and