Hideki Imai (Chuo University), SeongHan Shin (AIST), and Kazukuni Kobara (AIST)


Outline
- Background
- Authenticated Key Exchange (AKE)
- Password-Authenticated Key Exchange (PAKE)
- Leakage-Resilient AKE (LR-AKE)
- RSA-Based LR-AKE Secure against Replacement Attacks
- Progressive Developments of LR-AKE
- Concluding Remark

2011/11/18, SPANISH CRYPTOGRAPHY DAYS (SCD2011)


Let us think of an open network (e.g., the Internet) where an attacker can eavesdrop on the communications (called a passive attack), and can modify/replay messages, impersonate parties or perform man-in-the-middle attacks (called active attacks).


Cryptography: its main goal is to provide privacy and integrity of data, and it plays a key role in information/network security. It can be classified into:
- Public-Key Cryptography
  - Public-Key Encryption: RSA, ElGamal, Rabin, …
  - Digital Signature: RSA-FDH, DSS, …
  - Public-Key Infrastructure (PKI)
- Symmetric-Key Cryptography
  - Symmetric-Key Encryption
  - Message Authentication Code (MAC)
  - Hash Function
- Cryptographic Protocols, …


Public-key encryption
Definition. A public-key encryption scheme is a tuple of probabilistic polynomial-time algorithms (G_PKE, E, D) such that:
- The key generation algorithm G_PKE takes as input the security parameter 1^k and outputs a pair of keys (PubK, PriK), where the former is the public key and the latter is the private key
- The encryption algorithm E takes as input a public key PubK and a message M from some plaintext space. It outputs a ciphertext C = E_PubK(M)
- The decryption algorithm D takes as input a private key PriK and a ciphertext C, and outputs a message M = D_PriK(C) or a special symbol ⊥ indicating failure
It is required that D_PriK(E_PubK(M)) = M except with negligible probability over (PubK, PriK) output by G_PKE(1^k) and any randomness used by E.


Diffie-Hellman key exchange
Let G be a cyclic group of order q. Let g be a generator of G such that G = {g^0, g^1, …, g^(q-1)}. Public parameter: (G, q, g).

RSA
Let Z_N^* be a group of order ϕ(N) = (p-1)(q-1), where N is the product of two same-length primes p and q. Let e > 0 be an integer with gcd(e, ϕ(N)) = 1 and let d be an integer satisfying ed = 1 mod ϕ(N).

RSA public-key encryption
- Public key PubK = (N, e) and private key PriK = (N, d)
- Encryption: For a message M ∈ Z_N^*, anyone who knows PubK can compute the ciphertext C = M^e mod N
- Decryption: For a ciphertext C ∈ Z_N^*, only one who knows PriK can compute the message M = C^d = M^(ed mod ϕ(N)) = M mod N


Symmetric-key encryption
Definition. A symmetric-key encryption scheme is a tuple of probabilistic polynomial-time algorithms (G_SKE, SKE, SKD) such that:
- The key generation algorithm G_SKE takes as input the security parameter 1^k and outputs a symmetric key symK
- The encryption algorithm SKE takes as input a symmetric key symK and a message M ∈ {0,1}^*, and outputs a ciphertext C = SKE_symK(M)
- The decryption algorithm SKD takes as input a symmetric key symK and a ciphertext C, and outputs a message M = SKD_symK(C)
It is required that SKD_symK(SKE_symK(M)) = M for every symmetric key symK output by G_SKE(1^k) and every M ∈ {0,1}^*.


Collision-resistant (one-way) hash function
Definition. A collision-resistant (one-way) hash function is a pair of probabilistic polynomial-time algorithms (G_H, H) such that:
- The key generation algorithm G_H takes as input the security parameter 1^k and outputs a key I (for index)
- The hash algorithm H takes as input a key I and a message M ∈ {0,1}^*, and outputs a hash H_I(M)
A hash function (G_H, H) is collision-resistant if the probability of finding M and M' (M ≠ M') satisfying H_I(M) = H_I(M') is negligible over I output by G_H(1^k).


Let us think of two parties (Alice and Bob) who want to exchange messages securely.
- Using public-key encryption for short messages
- Using hybrid encryption for arbitrary-length messages
  - Hybrid encryption is a combination of public-key and symmetric-key encryption
  - Alice sends (E_PubK_B(symK), SKE_symK(M)) to Bob, where PubK_B is Bob's public key
  - Suitable for secure e-mail (non-interactive)
However, the receiver has to decrypt, with his/her private key, the ciphertexts encrypted under his/her public key every time.
- Public-key operations (encryption and decryption) are slower than symmetric-key operations
- Not suitable for interactive situations where the communicating parties exchange several messages during some period of time


One of the indispensable cryptographic primitives: authentication (assurance of the identity of the communicating party) + key exchange.
- It allows a pair (or a group) of parties not only to authenticate each other over an insecure network, but also to share session keys securely
- The authenticated session keys are used to establish secure channels
- Widely used in practice: Internet shopping/banking, web mail, remote network access, ftp, and so on
(Figure: secure channel established from the authenticated session key)


Diffie-Hellman key exchange does not provide authentication at all!
- It is insecure against active attacks (e.g., man-in-the-middle attack)
Authentication requires (already established) keys/secrets:
- "It is not possible to establish an authenticated session key without existing secure channels already being available", C. Boyd (1993)
- Parties already share a key/secret
- An off-line server is used (e.g., public key certificates)
- An on-line server is used, where each party shares a key/secret with a trusted server


AKE can be classified into:

PKI-Based
- ISO/IEC IS 9798-3: Both parties run Diffie-Hellman key exchange through an authenticated channel (by using digital signatures)
- MTI and (H)MQV: "Implicitly-authenticated" protocols where session keys are derived from DH public values and public/private keys
- SSL/TLS
- …
Complex management of public keys:
- Validity of public keys should be checked via CRL (Certificate Revocation List), OCSP (Online Certificate Status Protocol) or SCVP (Simple Certificate Validation Protocol)
  - CRL: List (maintained by a certificate authority) of revoked certificates
  - OCSP/SCVP: Internet protocols for checking the revocation status of X.509 certificates
- Skipping this process opens the door to an attacker (e.g., phishing attack)


Shared-key Based
- ISO/IEC 11770-2: Using symmetric-key encryption, one party sends encrypted session keys to the other party, who shares the same key
- …
- Drawback: distribution of shared keys

On-line Server Based
- Kerberos and 3PKD: Both parties share session keys with the help of an on-line server who shares a key with each party
- …
- Drawback: distribution of shared keys


Our main talks:

Password-Authenticated Key Exchange (PAKE)
- Password-only authentication + key exchange: Both parties share authenticated session keys only by relying on a weak secret (e.g., alphanumerical passwords with 6 characters)
- Very usable for users

Leakage-Resilient AKE (LR-AKE)
- Two-factor authentication + key exchange: Both parties share authenticated session keys, where a client remembers only one password and stores secrets on his/her device, while a server stores verification data in its database
- It guarantees a higher level of security against active attacks and leakage of stored secrets


A password is chosen from a small set (a dictionary).
- It is convenient for users because they just remember their passwords (without carrying any devices)
- E.g., 4-digit PIN code, alphanumerical passwords with 6 characters
- Password authentication is widely deployed in practice
However, two exhaustive search attacks are possible:
- On-line dictionary attacks: An attacker has to communicate with (at least) one party in order to verify a guessed password
- Off-line dictionary attacks: An attacker can verify more than one password in sophisticated manners


CHAP [IETF RFC1994], where client C and server S share the same password pw:
1. First, server S chooses a challenge C (not to be confused with client C) and sends it to client C.
2. After receiving C, client C computes a response R from the challenge and his/her password, and sends R to server S.
3. Finally, server S authenticates client C by checking whether the received R is the same as the hashed value of C and pw.


On-line dictionary attacks: Attacker A impersonates client C and tests a guessed password pw' while communicating with server S.

Off-line dictionary attacks: Let us think of attacker A who can just eavesdrop on the communications between client C and server S. From the obtained challenge C and response R, the attacker finds out the password pw by testing R ?= H(C||pw') for all possible password candidates pw'.


We can say that CHAP is insecure against off-line dictionary attacks: in fact, the attacker verified all possible password candidates without any interaction with the honest parties.

On the other hand, on-line dictionary attacks are inevitable in any password-based authentication. But they are controllable (see next slide).

What kind of security can be achieved in password-based authentication? Security against off-line dictionary attacks.


- Dictionary tests rule out common words and commonly-used passwords
- Composition rules include lower/upper case letters and non-alphabetic symbols (e.g., :;!"#$%&'=~)
- With a one-minute lock-out for 3 failed password trials, it would take about 90 years to carry out 2^25.5 trials
- That's the reason why we use passwords of length 6-8

Password-only authentication + key exchange
- It does not rely on PKI
- Clients do not need to carry any devices
- Very convenient
However, it is not trivial at all to design a secure PAKE protocol, since
- We have to bootstrap a weak secret (i.e., a password) to a strong one (i.e., a cryptographically-secure session key)
- There is no clear guideline to avoid off-line dictionary attacks… See the bad examples


Diffie-Hellman key exchange, encrypted with the password in SKE
1. Client C computes a public value g^x and sends SKE_pw(g^x) to server S, where pw is used as the symmetric key
2. After decrypting SKE_pw(g^x) with pw, server S computes a public value g^y and sends SKE_pw(g^x, g^y) to client C
3. After decrypting SKE_pw(g^x, g^y) with pw, client C authenticates server S by checking the decrypted first element g^x. Client C returns SKE_pw(g^y) back to server S
4. Server S authenticates client C by checking the decrypted element g^y. Then, they generate a session key SK = H(g^xy)


Off-line dictionary attacks: Let us think of attacker A who just eavesdrops on the communications between client C and server S. Let C1 = SKE_pw(g^x), C2 = SKE_pw(g^x, g^y), C3 = SKE_pw(g^y). From the obtained C1, C2 and C3, the attacker finds out the password pw by checking that the first (resp., second) element of SKD_pw'(C2) is the same as SKD_pw'(C1) (resp., SKD_pw'(C3)) for all possible password candidates pw'.

What we have learned: Redundancy in symmetric-key encryption is used for off-line dictionary attacks.


RSA public-key encryption, masked with the password
1. Server S generates a one-time RSA public/private key pair (PubK, PriK) and sends PubK to client C
2. After receiving PubK, client C computes a masked RSA encryption Z = t^e ⋅ FDH(pw) and sends it to server S, where FDH is a full-domain hash
3. After de-masking and decrypting Z with pw and PriK, server S sends H1(t) to client C
4. Client C authenticates server S by checking the received H1(t), and then returns H2(t) back to server S
5. Server S authenticates client C by checking the received H2(t). Then, they generate a session key SK = H3(t)


Special kind of off-line dictionary attacks (called e-residue attacks): Let us think of attacker A who impersonates server S and generates an RSA public key PubK = (N, e) such that gcd(e, ϕ(N)) ≠ 1.

Off-line dictionary attacks: From the received Z, the attacker checks whether Z/FDH(pw') is an e-residue or not by the Jacobi symbol, for all possible password candidates pw'. Only a proper subset of the password candidates remain valid.

What we have learned: Client C has to check the validity of the RSA public key PubK generated by server S. RSA public-key encryption with such a PubK maps to only a strict fraction of the range.


A combination of symmetric and public-key cryptographic techniques can provide insufficient information for an attacker [BM92]:
- Remove redundancy in symmetric-key encryption
- Use challenge/response methods in order to check the validity of the RSA public key, or restrict RSA key generation (e.g., e > N)
Secure PAKE can be constructed from other cryptographic primitives:
- CCA-secure public-key encryption
- Oblivious transfer
- …


In the PAKE setting, client C remembers his/her password, and server S holds the password or its verification data, which is used to verify the client's knowledge of the password.

Some PAKE protocols have been standardized in IEEE P1363.2 [IEEE], ISO/IEC JTC1/SC27 11770-4 [ISO/IEC], IETF RFC2945 [IETF RFC2945] and ITU-T [ITU-T].

Inherent limitations of PAKE:
- On-line dictionary attacks are always possible
- Server compromise always leads to password compromise
  - Of course, server compromise also allows attacker A to impersonate server S to client C


The previous AKE protocols are secure against active attacks:
- PKI-Based AKE
- Shared-key Based AKE
- On-line Server Based AKE
- PAKE
- ...
They are based on the assumption that the stored secrets (e.g., cryptographic keys or password verification data) are secure.

What happens if the stored secrets are leaked out? Most of the previous AKE protocols become insecure [SKI03].


Leakage of stored secrets/data (including personal information) is a common and practical threat in the real world:
- Laptop/mobile device (e.g., smart phones, USB) theft or loss: according to [CSI10], 33.5% of respondents experienced this type of attack
- Phishing attack: according to [CSI10], 38.9% of respondents experienced this type of attack
- Insider abuse of Net access or e-mail: according to [CSI10], 24.8% of respondents experienced this type of attack
- Unauthorized access or virus (e.g., keylogging malware)
- Server administrator's misconduct or misconfiguration
- No perfect TRM (Tamper Resistant Module)
- Side-channel attacks (partial leakage of cryptographic keys), e.g., power analysis on Mifare DESFire [OP11]


Number of incidents
- "Sony Admitted PSN's 70 Million Users Information Leakage" [TRACEHOTNEWS]: the Sony PSN platform was hacked, which led to the leakage of users' information (including PSN account passwords). Ranked fifth in the history of user information leaks.
- "Citigroup Cites $2.7M in Customer Losses From Hack" [FOXBUSINESS]: according to Citigroup Inc., 3,400 of the customers whose credit-card information was hacked have suffered about $2.7 million in losses.
(Chart: Japan's annual transition of the number of incidents and the number of victims (in millions) due to insider abuse, by year [JNSA11])

- "DoD Admits to Being Severely Hacked" [IEEESpectruma]: the June 2007 network hack into U.S. Department of Defense computers stole an amazing amount of information. The U.S. DoD gets some 70,000 intrusion attempts per day.
- "DigiNotar Certificate Authority Breach Crashes e-Government in the Netherlands" [IEEESpectrumb]: DigiNotar, the Dutch certificate authority (CA) company, was breached, which resulted in the fraudulent issuance of 531 public key certificates for a number of domains (including *.google.com). The fraudulent google certificate was not detected for over a week. The attacker(s) had acquired domain administrator rights and compromised CAs maintained by DigiNotar [Fox-IT11].


Let us think of client C who has access to many different kinds of servers (e.g., web mail, remote login, internet shopping mall, internet banking, SNS) with password authentication in daily life.

In order to realize secure password authentication, the client should use a distinct password for each server. However, the client does not remember many passwords:
- A majority of users re-use passwords across multiple websites [PCWorld]
- A third of users use the same password for every website [Sophos]
- Empirical study (2007): the average user has 6.5 (actively-used) passwords, and the average password is shared across 5.67 different sites [FH07]

If the client registers the same (or a very similar) password with all servers and uses the previous password authentication (e.g., password-based client authentication in PKI-based AKE or PAKE), leakage of stored secrets (the password itself or password verification data) from one server leads to the total breakdown of security at the other servers. Also, one malicious server can easily impersonate client C to the remaining servers.


- To design a secure password authentication against active attacks as well as leakage of stored secrets
- To design a secure password authentication where client C remembers only one password, even in the multiple-server scenario


A suite of LR-AKE protocols [LR-AKE] is designed to provide the maximum level of security against active attacks as well as leakage of stored secrets from the client and/or server side.

In the LR-AKE protocols, client C remembers only one password and stores secrets on his/her devices, while server S stores verification data in its database.
- Without relying on PKI and physical security (i.e., TRM)
- Efficient constructions
- Provable security


Comparison of AKE protocols (the three "leakage" columns give the security of the password against leakage of stored secrets from the client, from the server, and from both with different time-slots):

AKE Protocols | Eavesdropping | Parallel on-line attacks | Leakage: client | Leakage: server | Leakage: both (different time-slots) | Phishing attacks | No. of PW
CHAP etc. | Insecure | Insecure | Secure | Insecure | Insecure | Secure | Multiple
PAKE | Secure | Insecure | Secure | Insecure | Insecure | Secure | Multiple
PKI (server PK auth. + client PW auth.) | Secure | Insecure | Secure | Insecure | Insecure | Insecure | Multiple
PKI (server PK auth. + client PW & token auth.) | Secure | Secure | Secure | Insecure | Insecure | Insecure | Multiple
PKI (mutual PK auth.) | Secure | Secure | Insecure | Secure | Insecure | Insecure | Only one
LR-AKE | Secure | Secure | Secure | Secure | Secure | Secure | Only one

Serial on-line dictionary attacks are not possible if there is no leakage of stored secrets from the client side
- Attacker A who obtains the client's stored secrets can perform serial on-line dictionary attacks
Automatic revocation of leaked secrets
- Though on-line dictionary attacks are possible with secrets leaked from the client side, these attacks cannot be continued once client C runs LR-AKE with server S successfully, since the already-leaked secrets are revoked automatically
Strong forward secrecy
- Even if the underlying problems (e.g., DL/CDH/RSA) are broken with efficient algorithms in the future, the previous communications still remain hidden as long as there is no leakage of stored secrets from either side


(Figures: Situation 1, Situation 2)


RSA-Based LR-AKE Secure against Replacement Attacks [SKI10a]


In [SKI07], we proposed an RSA-based LR-AKE (called RSA-AKE) protocol that is the most efficient among the previous RSA-based ones.

In the RSA-AKE protocol, client C remembers only one password for distinct servers and stores another secret and the server's RSA public key, whereas the corresponding server S stores verification data and the RSA private key.

A distinguishing feature of RSA-AKE is that it provides security against leakage of stored secrets and high efficiency at the same time. In particular, client C needs to compute only one modular multiplication (if pre-computation is allowed).


A more powerful threat in the real world: a hacker can break into a computer system to change some information stored in pre-determined locations.
- E.g., PGP public keys are stored in the "Keyrings" folder
- A practical attack inserts a self-signed CA public key into the list of a computer's root public keys [AM05]

What happens if attacker A can completely control the stored secrets?
- Due to e-residue attacks, RSA-AKE is no longer secure: attacker A replaces the server's RSA modulus N with N' such that gcd(e, ϕ(N')) ≠ 1
- We call these "replacement" attacks


We propose a strengthened RSA-based LR-AKE (RSA-AKE2) protocol that is secure against active attacks as well as replacement attacks.
- Based on number theory, we prove that replacement attacks are infeasible in the RSA-AKE2 protocol
- Provably secure under the RSA problem in the random oracle model
- For the formal proof, we introduce an extended security model that covers both active attacks and replacement attacks
- In terms of efficiency, RSA-AKE2 is comparable to [SKI07]
- Several extensions of RSA-AKE2


In order to thwart replacement attacks, we fix the RSA public-key exponent e to be an 80-bit prime.
- Attacker A would have to guess a correct witness in RSA public-key encryption
- In the RSA-AKE2 protocol, e is public to everyone
- This is not a strong assumption, since anyone can easily check that e is a prime (e.g., by using the Miller-Rabin primality testing algorithm) and that its length is at least 80 bits


Only one password for different servers

(Figure: InitClient / InitServer and the stored secrets)

Initialization through secure channels
- InitClient: At first, client C chooses a secret value s_i1 randomly and generates the verification data v_i1 = s_i1 ⊕ H0(C||S_i||pw), where pw is the client's password. Client C sends v_i1 to server S_i. Then, client C stores the counter 1, the secret value s_i1 and the RSA modulus N (received from server S_i)
- InitServer: Since e is an 80-bit prime, server S_i generates an RSA private key (d, N) as follows: N = pq and d = e^-1 mod ϕ(N), with gcd(e, ϕ(N)) = 1. Server S_i sends the RSA modulus N to client C. Then, server S_i stores the counter 1, the RSA private key (d, N) and the verification data v_i1 (received from client C). Note that e can be shared among many servers, but N is not shared
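The initialization phase above, together with the client-side check on e from the previous slide, as an added example in Python (not the authors' code). It assumes toy 128-bit RSA primes, a 32-byte secret s_i1, and SHA-256 in counter mode as the instantiation of H0; the exponent e is found by searching for the first prime at or above 2^79.

```python
import hashlib
import random
from math import gcd

E_BITS = 80           # the protocol fixes e as an 80-bit prime
SECRET_BYTES = 32     # assumed toy size of the client's secret s_i1
RSA_PRIME_BITS = 128  # assumed toy RSA prime size (real deployments use far larger primes)


def is_probable_prime(n, rng=None, rounds=32):
    """Miller-Rabin primality test: the check anyone can run on a public e."""
    if rng is None:
        rng = random.SystemRandom()
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness of compositeness
    return True


def client_accepts_exponent(e, rng=None):
    """Client-side validation of e: it must be prime and at least 80 bits long."""
    return e.bit_length() >= E_BITS and is_probable_prime(e, rng)


def choose_exponent(rng):
    """Smallest prime at or above 2^79, i.e. an 80-bit prime shared by all servers."""
    e = (1 << (E_BITS - 1)) + 1
    while not is_probable_prime(e, rng):
        e += 2
    return e


def random_prime(bits, rng):
    """Random odd prime with the top bit set (toy key generation)."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rng):
            return p


def H0(client_id, server_id, pw, nbytes=SECRET_BYTES):
    """Assumed instantiation of H0(C || S_i || pw): SHA-256 in counter mode,
    stretched to the byte length of the secret it masks."""
    out, ctr = b"", 0
    while len(out) < nbytes:
        block = client_id + b"|" + server_id + b"|" + pw + ctr.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        ctr += 1
    return int.from_bytes(out[:nbytes], "big")


def init_server(e, rng):
    """InitServer: N = p*q with gcd(e, phi(N)) = 1 and d = e^-1 mod phi(N)."""
    while True:
        p, q = random_prime(RSA_PRIME_BITS, rng), random_prime(RSA_PRIME_BITS, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    return {"counter": 1, "d": pow(e, -1, phi), "N": p * q}


def init_client(client_id, server_id, pw, N, rng):
    """InitClient: pick s_i1 at random and form v_i1 = s_i1 XOR H0(C||S_i||pw).
    Returns the client's stored secrets and the value sent over the secure channel."""
    s = rng.getrandbits(8 * SECRET_BYTES)
    v = s ^ H0(client_id, server_id, pw)
    return {"counter": 1, "s": s, "N": N}, v


def run_init(client_id, server_id, pw, seed=2011):
    """Whole initialization over a secure channel; seeded so the run is reproducible."""
    rng = random.Random(seed)
    e = choose_exponent(rng)
    server = init_server(e, rng)             # server publishes N and keeps (d, N)
    if not client_accepts_exponent(e, rng):  # client refuses a bad e before storing N
        raise ValueError("e is not an 80-bit prime")
    client, v = init_client(client_id, server_id, pw, server["N"], rng)
    server["v"] = v                          # server stores the verification data
    return e, client, server
```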


(Figure: Steps 1 to 4 of the j-th (j ≥ 1) protocol execution through insecure channels)


Security against replacement attacks, where attacker A replaces the RSA modulus (stored on the client's devices) with a new one N, generated deliberately to satisfy gcd(e, ϕ(N)) ≠ 1. Let Pr[InvalidKey] be the success probability that attacker A correctly finds out the committed value x2 from y2 = x2^e mod N, computed with the invalid RSA modulus N.

Theorem: Let N be an odd integer with prime-power factorization N = p1^r_1 p2^r_2 … pm^r_m. Let e be an 80-bit prime. If there exists a prime power pj^r_j of the factorization of N such that e | ϕ(pj^r_j), then Pr[InvalidKey] is upper-bounded by 1/e (i.e., negligible in the parameter e).


Security against replacement attacks

Proof: Let nj = pj^r_j be a prime power of the factorization of N such that e | ϕ(pj^r_j). Note that there is at least one such prime power, because e is an 80-bit prime and gcd(e, ϕ(N)) ≠ 1. Now, we prove that attacker A can correctly find out x2 from y2 with probability as small as 1/e. Since N is odd, each nj has a primitive root. Let g be a primitive root of nj. According to Fact 2, y2 is an e-th power residue of nj iff x2^e = y2 mod nj has a solution, which is equivalent to

  e ⋅ ind_g x2 = ind_g y2 mod ϕ(nj)

Because gcd(e, ϕ(nj)) = e, the above congruence is solvable iff e | ind_g y2. Let ϕ(nj) = ed. By Euler's theorem,

  e | ind_g y2 ⇔ ed | d ⋅ ind_g y2 ⇔ d ⋅ ind_g y2 = 0 mod ϕ(nj) ⇔ y2^(ϕ(nj)/e) = 1 mod nj ⇔ x2^ϕ(nj) = 1 mod nj

Note that gcd(x2, nj) = 1. Therefore, there are exactly e solutions.
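A numerical check of the counting argument in this proof, as an added example that is not part of the talk. It uses the small prime e = 5 in place of the 80-bit prime and constructed toy moduli: because x ↦ x^e is a group homomorphism on Z_N^*, every e-th power residue has the same number of roots, and that number is e whenever e | ϕ(p_j^r_j) for some prime power of N, so the attacker's chance of picking the committed x2 among them is at most 1/e (and smaller still when more than one prime power qualifies).

```python
from math import gcd
from collections import Counter


def euler_phi(n):
    """Euler's totient by trial division (adequate for the toy moduli used here)."""
    result, m, p = n, n, 2
    while p * p <= m:
        if m % p == 0:
            while m % p == 0:
                m //= p
            result -= result // p
        p += 1
    if m > 1:
        result -= result // m
    return result


def modulus_is_invalid(N, e):
    """The replacement attacker's modulus satisfies gcd(e, phi(N)) != 1."""
    return gcd(e, euler_phi(N)) != 1


def eth_power_preimages(N, e):
    """For every y = x^e mod N with x in Z_N^*, count the x that map onto it."""
    return Counter(pow(x, e, N) for x in range(1, N) if gcd(x, N) == 1)


def invalid_key_guess_probability(N, e):
    """Best probability of recovering a uniformly chosen x2 from y2 = x2^e mod N:
    one over the number of e-th roots each residue has (Pr[InvalidKey] in the talk)."""
    counts = eth_power_preimages(N, e)
    roots_per_residue = set(counts.values())
    # a homomorphism's fibres all have the size of its kernel
    assert len(roots_per_residue) == 1
    return 1 / roots_per_residue.pop()


# Constructed toy values (e = 5 stands in for the 80-bit prime):
E = 5
N_INVALID = 11 * 13   # phi(N) = 10 * 12 = 120 and 5 | phi(11), so gcd(5, 120) = 5
N_VALID = 7 * 13      # phi(N) = 6 * 12 = 72 and gcd(5, 72) = 1: x -> x^5 is a bijection
N_TWO_BAD = 11 * 31   # 5 divides both phi(11) and phi(31): 25 roots per residue
```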


Underlying assumption: the RSA problem

Security of RSA-AKE2: The RSA-AKE2 protocol provides AKE security under the RSA problem in the random oracle model:

  Adv(A) ≤ O(q_send/D) + negl(k)

In this case, attacker A can invoke the Replace(Ci, r)-query. RSA-AKE2 is secure against off-line dictionary attacks even if the stored secrets of the client are totally controlled by attacker A.

The full proof can be found in [SKI10a].


RSA-AKE2 provides semantic security of session keys in the case that attacker A obtains/replaces the RSA private key of server S.

Attacker A cannot perform on-line dictionary attacks, since the authentication relies on the strong secret v_ij.

Security of the password: Attacker A cannot get any information about the password from either s_ij (stored on the client's device) or v_ij (stored in the server's database).


Computation costs on the client side: if pre-computation is allowed, client C needs to compute only one modular multiplication (not a modular exponentiation).

RSA-based LR-AKE | Modular exponentiations on client (with pre-computation) | Modular exponentiations on client (without pre-computation) | Communication costs (identity and counter omitted) | No. of message flows
RSA-AKE [SKI07] | 0 | 1 when e ≥ 3 | l + 2k | 3
RSA-AKE2 | 0 | 2 when e is an 80-bit prime | 2l + 2k | 3

Communication costs: RSA-AKE2 needs to send one more group element than RSA-AKE, where l and k are the security parameters for RSA and the hash functions, respectively.


Some trade-off between security and efficiency: if pre-computation is not possible, client C in RSA-AKE2 has to compute two modular exponentiations with an 80-bit prime e. For such a situation, we recommend using the 80-bit primes with the least Hamming weight (HW) in order to boost computational efficiency.

Three 80-bit primes with HW(e) = 3: e = 2^79 + 2^27 + 1, e = 2^79 + 2^34 + 1, e = 2^79 + 2^27 + 1. In this case, the overall computation cost of client C is 163 modular multiplications.


Progressive Developments of LR-AKE


Detection of on-line dictionary attacks
- Distinguish a user's password mis-type from on-line dictionary attacks using the leaked secrets
- For a reasonable security policy

Intrusion detection
- A user can figure out which accounts have been penetrated by an attacker, from login information (e.g., last access date, IP address)


Data encryption is not a complete solution to data leakage
Improper key management is problematic
An encryption key derived from a password is insecure against off-line dictionary attacks
Stored encryption keys can be leaked

LR-AKE can be easily extended to data security [ISK09]
Single mode for two parties
The data key is distributed between client C and server S
Proactive security of the data key
Proactive security: a combination of secret sharing and refreshment of shares
The data key is recovered only on the client side
Cluster mode for three parties
The data key is distributed among the client and primary/secondary servers
Proactive security of the data key
The data key is recovered only on the client side
Any two parties can recover the data key (i.e., availability of the data key)
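The two ideas the slide combines under "proactive security", secret sharing of the data key and refreshment of the shares, are shown in the following added Python illustration (not the LR-AKE project's code): an additive 2-of-2 sharing between client and server for the single mode, and a Shamir 2-of-3 sharing among client, primary server and secondary server for the cluster mode, each with a share refresh that leaves the key unchanged. The field prime, party identifiers and key values are constructed sample parameters; how the servers deliver their shares to the authenticated client is left to the AKE protocol and is not modelled.

```python
"""Proactive secret sharing of a data key: single mode and cluster mode.

Added illustration, not the LR-AKE project's code.  Recovery is written
as a client-side operation: after authentication the client combines its
own share with the share(s) it receives from the server(s).
"""
import secrets

P = 2**127 - 1  # constructed prime field; data keys are integers in [0, P)


def _nonzero_random():
    return secrets.randbelow(P - 1) + 1


# ---- single mode: additive 2-of-2 sharing between client C and server S ----

def split_single(key):
    """Return (client_share, server_share) with key = c + s (mod P)."""
    c = secrets.randbelow(P)
    s = (key - c) % P
    return c, s


def recover_single(client_share, server_share):
    """Run on the client; neither share alone reveals anything about the key."""
    return (client_share + server_share) % P


def refresh_single(client_share, server_share):
    """Re-randomise both shares without changing the key.

    One party picks the shift and the other applies the opposite shift, so
    an old share leaked before the refresh is useless with a new share.
    """
    delta = _nonzero_random()
    return (client_share + delta) % P, (server_share - delta) % P


# ---- cluster mode: Shamir 2-of-3 sharing among client, primary and secondary ----

PARTY_IDS = {"client": 1, "primary": 2, "secondary": 3}  # constructed x-coordinates


def split_cluster(key):
    """Shares of f(x) = key + a*x at x = 1, 2, 3; any two points recover f(0)."""
    a = secrets.randbelow(P)
    return {name: (key + a * x) % P for name, x in PARTY_IDS.items()}


def _lagrange_at_zero(points):
    """Evaluate at 0 the polynomial through the given {x: y} points."""
    total = 0
    for xi, yi in points.items():
        num, den = 1, 1
        for xj in points:
            if xj != xi:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def recover_cluster(shares):
    """Recover the key on the client from the shares of any two parties."""
    if len(shares) < 2:
        raise ValueError("need shares from at least two parties")
    points = {PARTY_IDS[name]: share for name, share in shares.items()}
    return _lagrange_at_zero(points)


def refresh_cluster(shares):
    """Add to every share a share of a random polynomial g(x) = b*x with g(0) = 0.

    The key is unchanged, every share changes, and shares from different
    refresh epochs no longer interpolate to the key.  For brevity a single
    random b is drawn here; in a real proactive scheme each party contributes
    its own zero-constant polynomial so that no single party knows g.
    """
    b = _nonzero_random()
    return {name: (share + b * PARTY_IDS[name]) % P for name, share in shares.items()}


if __name__ == "__main__":
    key = secrets.randbelow(P)          # constructed sample data key
    c, s = split_single(key)
    c2, s2 = refresh_single(c, s)
    print("single mode recovers:", recover_single(c2, s2) == key)
    old = split_cluster(key)
    new = refresh_cluster(old)
    print("cluster (client+secondary):", recover_cluster({"client": new["client"], "secondary": new["secondary"]}) == key)
    print("mixed epochs recover key:", recover_cluster({"client": old["client"], "primary": new["primary"]}) == key)
```

The last line of the stand-alone run prints False: an old client share combined with a refreshed server share interpolates to a value other than the key, which is the property that limits what an attacker gains from a share leaked before a refresh.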


[Figure: Single mode / Cluster mode]


LR-AKE can be applied to any service where authentication is necessary
As a basic authentication service
E.g., SSH, SSL/TLS, IPsec, FTP
Login to remote server/intranet/hotspot
VPN, thin client
Web mail/shopping, internet banking
Identity management, SSO
Cloud storage system, NAS, credential retrieval system, data center access
…


Security architecture for Mobile IPv6 [FSK+05]
In order to ensure continuous connectivity, a fast and secure Mobile IPv6 handover is proposed

LR-AKE based AAA for Network Mobility (NEMO) [FSK+06]
New handover procedures between mobile routers and visiting mobile nodes are proposed for authentication, authorization and accounting (AAA) in the NEMO environment

Security architecture for personal networks [SFK+08]
Based on a new LR-AKE, a security architecture for PN-wide communication and for communication between the P-PANs of two different users is proposed

In wireless ad-hoc networks
LR-AKE initialization can be set up [ISK09] by using a short secret, imprinted between devices through proximity-authenticated channels


In a hybrid cloud storage system where the authentication servers are maintained by a third party (not the cloud service provider)
The cluster mode [ISK09] can be directly used


In a public cloud storage system where the cloud service provider completely controls the authentication servers as well as the storage
The cluster mode is modified so that only the client can store/retrieve data keys [SKI11]


LR-AKE has become the fountainhead of BURSEC Inc.

BURSEC Inc.
The company was founded in April 2010
Location: Tokyo, Japan
Webpage: http://www.bursec.com/
Authorized as an AIST venture company in July 2010
Products & services
LR-AKE server setup/maintenance
Development toolkit for the core module
Application tools (LR-Passwords, LR-LoginChecker, LR-Desktop)
Authentication service, SSO, …


Password manager for applications
Passwords used in various applications (e.g., Twitter, Dropbox, Firefox, Truecrypt, MS-Word, PDF) are stored and retrieved in single/cluster mode
These passwords can be chosen randomly because the client does not need to remember them
Demo


Password manager for IE (Anti-Phishing)
Passwords needed for login to different web sites (e.g., web mail, internet shopping mall, internet banking) are stored and retrieved in single/cluster mode
If the authentication is successful, the id and password are automatically put in the pre-determined field. Of course, these passwords can be chosen randomly because the client does not need to remember them
Demo


File encryption/decryption tool
Encryption/decryption keys used to encrypt/decrypt files are stored and retrieved in single/cluster mode
These keys are securely managed by LR-AKE: only if the authentication is successful are the encryption/decryption keys recovered on the client side
Demo


LR-AKE over VPN
Through the tunnel established between the VPN client and the VPN server, one-time password (generated by LR-AKE) authentication is performed
Easily applicable to existing authentication frameworks
Demo


Operational test in AIST
Remote access to intranet and mail server
LR-CiscoVPN

International standard activity
A draft of AugPAKE was submitted to the IETF
The up-to-date version is draft-shin-augmented-pake-08 [SK11]
The draft describes how to integrate AugPAKE into IKEv2

Currently, LR-AKE is being deployed in several systems
LR-AKE client library, SDK and API are available for your own applications
Contact to [email protected]


In this talk, we introduced two very useful AKE protocols
PAKE
The client does not need to carry any devices
However, there are inherent limitations on server compromise and the number of passwords (the client should remember distinct passwords for many servers)
LR-AKE
The client remembers only one password for many servers
It guarantees a maximum level of security against active attacks and leakage of stored secrets
Specific example
RSA-Based LR-AKE Secure against Replacement Attacks
Progressive developments
Extension to data security
Applications to wireless networks and cloud storage systems
LR-AKE tools & demonstrations


The LR-AKE project is to solve realistic problems in a novel way


[AM05] A. Alsaid and C. J. Mitchell, “Installing Fake Root Keys in a PC”, EuroPKI 2005
[BM92] S. M. Bellovin and M. Merritt, “Encrypted Key Exchange: Password-based Protocols Secure against Dictionary Attacks”, IEEE Symposium on Security and Privacy, 1992
[CSI10] CSI (Computer Security Institute), “2010/2011 Computer Crime and Security Survey”, http://gatton.uky.edu/FACULTY/PAYNE/ACC324/CSISurvey2010.pdf
[FH07] D. Florencio and C. Herley, “A Large-Scale Study of Web Password Habits”, WWW 2007
[FOXBUSINESS] http://www.foxbusiness.com/industries/2011/06/24/citigroup-cites-27m-in-customer-losses-from-hack/
[Fox-IT11] Fox-IT, “DigiNotar Certificate Authority breach: Operation Black Tulip”, Interim Report, 2011, http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1/rapport-fox-it-operation-black-tulip-v1-0.pdf
[FSK+05] H. Fathi, S. H. Shin, K. Kobara, S. Chakraborty, H. Imai, and R. Prasad, “Leakage-Resilient Security Architecture for Mobile IPv6 in Wireless Overlay Networks”, IEEE Journal on Selected Areas in Communications, Vol. 23, No. 11, pp. 2182-2193, 2005
[FSK+06] H. Fathi, S. H. Shin, K. Kobara, S. Chakraborty, H. Imai, and R. Prasad, “LR-AKE-Based AAA for Network Mobility (NEMO) Over Wireless Links”, IEEE Journal on Selected Areas in Communications, Vol. 24, No. 9, pp. 1725-1737, 2006
[IEEESpectruma] http://spectrum.ieee.org/riskfactor/computing/it/dod_admits_to_being_severely_hh
[IEEESpectrumb] http://spectrum.ieee.org/riskfactor/telecom/security/diginotar-certificate-authority-breach-crashes-egovernment-in-the-netherlands/?utm_source=techalert&utm_medium=email&utm_campaign=091511
[IEEE P1363.2] IEEE P1363.2, “Standard Specifications for Password-Based Public-Key Cryptographic Techniques”, http://grouper.ieee.org/groups/1363/passwdPK/index.html
[IETF RFC1994] IETF RFC 1994, “PPP Challenge Handshake Authentication Protocol (CHAP)”, 1996
[IETF RFC2945] IETF RFC 2945, “The SRP Authentication and Key Exchange System”, 2000
[ISK09] H. Imai, S. H. Shin, and K. Kobara, “New Security Layer for OverLay Networks (Invited Paper)”, Journal of Communications and Networks, Vol. 11, No. 3, pp. 211-228, 2009
[ISO/IEC] ISO/IEC JTC1/SC27 11770-4, “Information Technology – Security Techniques – Key Management – Part 4: Mechanisms based on Weak Secrets”, 2006
[ITU-T] ITU-T Recommendation X.1035, “Password-Authenticated Key Exchange (PAK) Protocol”, Series X: Data Networks, Open System Communications and Security, 2007
[JNSA11] JNSA (Japan Network Security Association), “2010 Survey Report on Information Security Incidents – Personal Information Leakage – (in Japanese)”, 2011, http://www.jnsa.org/result/incident/data/2010incident_survey_PIL_v1.4.pdf
[LR-AKE] LR-AKE Webpage, http://www.rcis.aist.go.jp/project/LR-AKE/
[NIST SP 800-63] NIST Special Publication 800-63, “Information Security (Electronic Authentication Guideline)”, 2006, http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
[OP11] D. Oswald and C. Paar, “Breaking Mifare DESFire MF3ICD40: Power Analysis and Templates in the Real World”, CHES 2011
[PCWorld] http://www.pcworld.com/article/188763/too_many_people_reuse_logins_study_finds.html
[Sophos] http://nakedsecurity.sophos.com/2009/03/10/password-website/
[SFK+08] S. H. Shin, H. Fathi, K. Kobara, N. R. Prasad, and H. Imai, “A New Security Architecture for Personal Networks and Its Performance Evaluation”, IEICE Transactions on Communications, Vol. E91-B, No. 7, pp. 2255-2264, 2008
[SK11] S. H. Shin and K. Kobara, “Most Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2”, IETF Internet-Draft 08, https://datatracker.ietf.org/doc/draft-shin-augmented-pake/
[SKI03] S. H. Shin, K. Kobara, and H. Imai, “Leakage-Resilient Authenticated Key Establishment Protocols”, ASIACRYPT 2003
[SKI07] S. H. Shin, K. Kobara, and H. Imai, “An Efficient and Leakage-Resilient RSA-Based Authenticated Key Exchange Protocol with Tight Security Reduction”, IEICE Transactions on Fundamentals, Vol. E90-A, No. 2, pp. 474-490, 2007
[SKI10a] S. H. Shin, K. Kobara, and H. Imai, “An RSA-Based Leakage-Resilient Authenticated Key Exchange Protocol Secure against Replacement Attacks, and Its Extensions”, IEICE Transactions on Fundamentals, Vol. E93-A, No. 6, pp. 1086-1101, 2010
[SKI11] S. H. Shin, K. Kobara, and H. Imai, “A Secure Public Cloud Storage System”, Internal Workshop on Cloud Applications and Security (CSA2011)
[TRACEHOTNEWS] http://tracehotnews.com/sony-admitted-psns-70-million-users-information-leakage/