• No results found

Server-Assisted Generation of a Strong Secret from a Password

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Server-Assisted Generation of a Strong Secret from a Password"

Copied!
18
0
0

Loading.... (view fulltext now)

Download now ( 18 Page )

Full text

(1)

Server-Assisted Generation of a

Strong Secret from a Password

Warwick Ford, VeriSign, Inc.

(Joint research with Burt Kaliski, RSA Laboratories)

(2)

Requirement

! User who roams between client terminals

needs to

 obtain private key or data

 strongly authenticate to application servers

! No local stored state

! No smartcards

! Private data downloaded from online

(3)

Traditional Credentials Server Solution

! Surveyed in Perlman & Kaufman, NDSS ‘99

 Examples EKE, SPEKE

! Protocol exposes no information about private data

! Throttling/lockout:

 Limits password guessing

 Makes friendly passwords possible

 Based on failed password authentications

Credentials Server Credentials Repository User presents password Throttling/lockout function Private Data Delivery Protocol

(4)

Weakness in Traditional Design

! If server compromised, attacker can potentially:

 Attack credentials database, e.g., password verifiers by exhaustive attack (even if passwords not

determinable directly)

 Disable throttling/lockout and exhaustively attack with password guesses

! Vulnerable to password attack

! Password exposure means private data

exposure

(5)

Solution - Multiple Servers

! Objective: Compromise of one server exposes neither private data nor password

! Not as easy as it looks

 Ordinary secret-sharing not adequate if servers have to

verify passwords Credentials Server Credentials Repository User presents password Throttling/lockout function Private Data Delivery Protocol Credentials Server Credentials Repository Throttling/lockout function Private Data Delivery Protocol

(6)

Basic Approach

! Client generates strong master secret K via

interaction with two or more servers

! Client proves successful regeneration of K to all

servers

! K can unlock encrypted private data or facilitate

authentication to other servers

(7)

In More Detail…

! Pre-knowledge

User knows password P

Each server Si holds its own secret di for that user  Each Si also holds its own strong verifier Ki for K

! Client generates strong master secret K

For each Si, client computes strong secret Ri

via a password hardening transaction depending on P and di

◗ subject to throttling/lockout

Combines all the Ri to give K

! Client proves successful regeneration of K to servers

For each server Si generates strong verifier Ki from KDemonstrates knowledge of Ki to server Si

! K can unlock encrypted private data or facilitate

(8)

Secret-Strengthening Protocol

! Properties:

R1 is a strong secret

Observer cannot feasibly learn R1 ,d1 or PServer cannot feasibly learn R1 [or P ?]Same R1 always generated for same P

Server S1 User U Generate random k w = f(P) r = wk mod p U, r U, d1 s1 = rd1 mod p s1 R1 = s11/k mod p = wd1 mod p

Shared strong prime p = 2q + 1 Password P entered

(9)

Do It with Two Servers

! Properties:

K is a strong secret

Observer cannot feasibly learn K or PNeither server can feasibly learn K or PSame K always generated for same P

Both servers need to cooperate for K to be generated

Server S1 User U Server S2 U, r s2 U, d2 s2 = rd2 mod p R2 = s21/k mod p = wd2 mod p K = KDF (R1 , R2 ) Generate random k U, r U, d1 s1 = rd1 mod p s1 w = f(P) r = wk mod p Password P entered R1 = s11/k mod p = wd1 mod p

(10)

Now Prove It was Successful

! Properties:

Each server gets proof that client knows K

Server’s knowledge of Ki does not feasibly assist determining K (or password)

Server S1 User U Server S2 U, K1 Verify OWF (K1 ,n1) Generate n1 n1 U, K2 OWF (K1 ,n1) K1 = OWF(K, 1) n2 OWF (K2 ,n2) K2 = OWF(K, 2) Generate n2 Verify OWF (K2 ,n2) Pre-establish K1 = OWF(K, 1) K2 = OWF(K, 2)

(11)

Some Variants

! Other secret-strengthening protocols

 ECC variant is obvious  RSA-based also exists

! Other verification methods

K decrypts a private digital signature key; signed nonce proves regeneration to server holding

public key

! Use threshold functions in combining

hardened passwords

! Use other functions of master secret to

(12)

A Special Case Variant

! Client interacts with password hardening server

S1 to obtain R1

! Client uses T1 derived from R1 to authenticate to

a second server S2

! S2 confidentially delivers to client: secret K

encrypted under T2 derived from R1

! Client decrypts K

(13)

Special Case Variant - Protocol

Server S1 User U Server S2 Generate random k U, r U, d1 s1 = rd1 mod p s1 w = f(P) r = wk mod p Password P entered R1 = s11/k mod p U, T1, ET2 (K) T1 = OWF(R1, 1) T2 = OWF(R1, 2) K = DT2 (ET2(K))

Then prove knowledge of K to S1

T1

ET2 (K)

Secure channel

! Properties:

Attractive when S2 already exists (e.g., SSL or SPEKE server)  Adding one password hardening server S1 provides the requisite

(14)

The Fundamental Characteristics

! Must recover a master secret using more

than one independent server

 all of which contribute to recovering the secret  all of which employ throttling/lockout

! At least one secret-contributing server must

use secret-strengthening

! Must prove successful regeneration of a

strong secret to at least two verification servers

(15)

Non-Repudiation Ramifications

! Single server design is weak wrt

non-repudiation

 user can plausibly claim that insider/penetrator at the server recovered the private key and signed

! The multi-server design significantly improves

non-repudiation

 it is much harder to mount a plausible argument that independently controlled servers colluded

! But, claims of non-repudiability still rest on

confidence that the client terminal is secure

(16)

Summary of the Technology

! Traditional credentials server architecture is

vulnerable to server compromise and

exhaustive password guessing against stored password-derived values

 Server vulnerability raises security concerns and kills non-repudiation

! Need multiple independent servers

contributing to secret regeneration

 Each must independently throttle/lockout

! Need password hardening as a basis of

(17)

Deployment Status

!

Current-shipping VeriSign enterprise

PKI offering includes the option:

 Two-server secret-strengthening

technology to support protection of private key plus arbitrary user data

 Servers may be operated by Enterprise

and/or VeriSign

!

Alternative packagings (e.g., for SSO,

(18)

For More Information

! See Ford/Kaliski WETICE 2000 paper at:

http://www.verisign.com/repository/pubs/roaming.pdf

! Contact details:

Warwick Ford, VeriSign, Inc. E-mail: [email protected] Tel: (781) 245 6996 x225

References

Download now ( PDF - 18 Page - 80.08 KB )

Related documents

Training nurses in a competency framework to support adults with epilepsy and intellectual disability: the EpAID cluster RCT

The Epilepsy And Intellectual Disability (EpAID) clinical trial was a two-arm cluster randomised controlled trial (RCT) of a competency framework designed to provide guidelines

Keeping your VPN protected

The VPN appliance gathers the user’s ID, static password and OTP and submits these credentials to the ESET Secure Authentication RADIUS server 3.. The server marshals the credentials

Buying Property in Portugal

Certidão de Teor (Land Registry Document)- This document shows who owns of the property, who has rights to the property and if there are any charges,

Event Notification Module TM

Database Maintenance Credentials: Enter the Windows administrator login credentials associated with the machine that ENM is being installed.. The username and password credentials

Arbitrary view action recognition via transfer dictionary learning on synthetic training data

x We propose a new transfer dictionary learning framework that utilizes synthetic 2D and 3D training videos to learn a dictionary that can project a real world 2D

Ericsson Important Optimization Parameters

usedFreqThresh2dRscp: Threshold for event 2d (the estimated quality of the currently used WCDMA RAN frequency is below a certain threshold) based on RSCP

Does Adoption of Quncho Tef Increases Farmers’ Crops Income? Evidence from Small Holder Farmers in Wayu Tuqa District, Oromia Regional State, Ethiopia

Form the methods of matching, according to (Gashaw, Getnet and Gian 2014), the kernel matching method is used to allow matching of treatment (adopter) with the

Use Enterprise SSO as the Credential Server for Protected Sites

Webthority can be configured to use Enterprise SSO as a Credentials Server, enabling user credentials such as username and password to be obtained from Enterprise SSO and used to