1 / 15

P1363.2 submission: Password authentication using m ultiple servers

P1363.2 submission: Password authentication using m ultiple servers. David Jablon March 13, 2002. Password authentication using multiple servers [Jab2001]. Author: David Jablon Presented at April 2001 RSA conference Published paper (Springer LNCS) Extends work of Ford & Kaliski 2000.

marinel
Download Presentation

P1363.2 submission: Password authentication using m ultiple servers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. P1363.2 submission:Password authenticationusing multiple servers David Jablon March 13, 2002

  2. Password authentication using multiple servers [Jab2001] • Author: David Jablon • Presented at April 2001 RSA conference • Published paper (Springer LNCS) • Extends work of Ford & Kaliski 2000

  3. Multi-server systems • Ford & Kaliski, WETICE, June 2001 • Multiple servers share responsibility to defend against password database cracking • Ford & Kaliski, proceedings, Sep. 2001 • Prior server-authenticated channel not needed for password security

  4. A neat trick Alice “small” P Bob big y • QA = g2 RA  • K1 = QB2 RA • K2 = QBP • K = h( K1, K2 ) •  (P x) y • P x  • K = (P x y) (1/ x) • K = P y converts low-entropy secret P into big secret K uses prime order group (e.g. mod p)

  5. Do it twice [Ford & Kaliski 2000] Alice P Bob1y1 • P x  • K1 = P y1 • K2 = P y2 • Km = h(K1 || K2) •  (P x) y1 •  (P x) y2 Bob2y2

  6. Benefits of multiple servers • Alice uses Km as a master key to encrypt all kinds of stuff, with less fear of her stuff being cracked. • the password “database” is split. • all Bobs must collude to get a chance to crack it.

  7. Main points of [Jab2001] paper • Alice tests Km before using it in public • Alice signs Px to prove she’s real • no server pre-auth (as in [FK2001b]) • Alice can use P = g1  g2hash(Password) • to sleep better when o(x) << p • forgiveness protocol • better handling of errors in password entry

  8. Test Km before using Alice P Bobs y1 y2 • P x  • Km = h(P y1 || P y2) • if owf(Km) V,abort(don’t reveal f(Km)) •  (P x) y1 •  (P x) y2 • V= owf(Km)

  9. Sign {P x} Alice P Bobs y1 y2 • P x  • Km = h(P y1 || P y2) • verify Km == V • PrivAlice{ P x }  •  (P x) y1 •  (P x) y2 • V = owf(Km) • If no valid signature • in time, log failure

  10. Compound base (1) • use group G of order q  2160, p  21000 • g1 & g2 not related by known exponents try g1=hash(“1”), g2=hash(“2”) • P = g1  g2hash(Password) • x, y in range [0, q] • uses smaller group in case short exponents don’t work out so well for the group of order ~21000. (open question)

  11. Compound base (2) • Since x, y are uniformly chosen random values in [1, o(G)], each value Px, PY individually reveals zero information • Would be nice to have a proof that this construction doesn’t introduce other new problems

  12. Password-in-exponent problem revisited • (g1  g2hash(Password))x • (g1  g2hash(Password))y

  13. Forgiveness protocol Scene: Alice mistypes a few passwordsP1, P2, ..., Pn, but finally gets P right. • Alice signs & sends prior mistaken valuesPrivAlice { P1x1, P2x2, ..., Pnxn } to each Bobn. • Each Bobn forgives Alice for a few mistakes,if she proves P in time. • Mistakes not counted towards illegal login threshholds.

  14. Relevance to 1363.2 • Variation of public-key retrieval scheme • Composite P used in {DL,EC}REDP-2 • Appears potentially useful for PKA Schemes • Forgiveness protocol • Fodder for an annex?

More Related