Hash Based

Single Password Authentication Protocols

M. Tech. Project Report

Software Requirement Specification

(SRS)

I Help Study
(Rohit Rajpoot)

Contents
1 Introduction 2
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
1.2 Problem Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
1.3.1 Password Protocols . . . . . . . . . . . . . . . . . . . . . .3
1.3.2 Merkle Tree Authentication Scheme . . . . . . . . . 4
1.3.3 An Ideal Password Authentication Scheme . . . .5
2 Proposed Scheme 7
2.1 Proposed Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2 Attacks and Remedies . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3 Conclusion
11

Chapter 1

Introduction
1.1 Motivation

Many people today have multiple accounts on the Internet. Most of these accounts
are protected by passwords. As more services move to the Internet, the number of
accounts a user needs to manage is expected only to grow. If one uses different and
unrelated passwords for each account, then remembering all these unique
passwords is
a daunting task. Because of this, the common practice is to use the same password
for
multiple accounts. But current password protocols are not suitable for this practice.
A Merkle Tree [1, 2] is a construction introduced by Ralph Merkle in 1979 to build
secure authentication and signature schemes from hash functions (e.g. SHA1). Due
to
the discovery of more efficient cryptographic primitives based on number theory
(e.g.
RSA, ECC), this classic technique has received little practical attention. However,
there are good reasons to further develop these cryptographic constructions. Today,
RSA and other number theoretic constructions serve our needs for encryption and
digital signatures well, and the improvements in technology and algorithms that
affect
the security of these primitives (e.g. factoring integers) have historically progressed
at a modest predictable rate, and it has been possible to adjust key sizes
accordingly.
Merkle Tree signatures [8] do not rely on the difficulty of factoring or of the discrete
log problem.

1.2 Problem Definition

We propose a protocol that allows a client to securely use a single password across
multiple servers. In the proposed scheme, we are using the concept of Merkle Tree
authentication and thus we do not require any number theoretic assumptions. We
are
not revealing any information about password during message communication and
thus
preventing the password guessing attack. Thus, we are trying to design a hash
based
single password authentication protocol such that it should be simple, secure,
efficient
and user-friendly.

1.3 Survey

Authentication is the process of determining whether someone or something is, in

fact,
who or what it is declared to be. In private and public computer networks (including
the Internet), authentication is commonly done through the use of logon passwords.
Knowledge of the password is assumed to guarantee that the user is authentic.
Each

user registers initially (or is registered by someone else), using an assigned or

selfdeclared
password. On each subsequent use, the user must know and use the previously
declared password. The weakness in this system for transactions that are significant
(such as the exchange of money) is that passwords can often be stolen, accidentally
revealed, or forgotten. For this reason, Internet business and many other
transactions
require a more stringent password authentication protocol.

1.3.1 Password Protocols

Many password protocols have been proposed, especially in the past decade. In this
section, we review these password protocols.
Web-specific Password Protocols
The HTTP digest authentication protocol [3] uses the challenge/response technique,
which basically works as follows. When client C registers with server S, S stores Cs
password P. When C wants to login on S, S generates a nonce n and sends it to C
as a challenge. Then C computes MD(n||P) and sends the result to S as a response
(MD is message digest function). Server S verifies the received response using the
stored password P and the generated nonce n. Because a server knows the
passwords
of its clients, the HTTP digest authentication protocol is vulnerable to malicious
server
attacks and password file compromise attacks.
Strong Password Protocols
Strong password protocols often have strong security properties, but they usually
require
computationally intensive operations such as modular exponentiations, asymmetric
encryptions/decryptions, etc. Many such protocols have been proposed, such as
Simple Password Exponential Key Exchange method (SPEKE) [4] and Diffie-Hellman
Encrypted Key Exchange (DHEKE) [4]. Most of these strong password protocols were
proposed before the wide deployment of SSL. They are mostly designed to achieve
the
following two goals: (1) to establish a session key between a client and a server
after the
server authenticates the client using passwords. This is not must-have functionality
for
a password protocol any more because a session key is established after the client
authenticates
the server using SSL. (2) To prevent dictionary attacks. This goal is always
expensive to achieve. That strong and consequently heavy weight, password
protocols
are not well suited for Internet authentication because of the heavy computational
cost.
A password protocol that is desirable for the Internet must be computationally
efficient
in the server side because a server on the Internet often has heavy service load and
consequently cannot afford significant computation for authenticating every client.
Most of the strong password protocols are based on some number theoretic
assumptions
such as integer factorization problem and discrete logarithm problem. Nowadays

a very important role in cryptography plays the quantum computer. By comparison,

a quantum computer could solve these problems relatively easily. This ability would
allow a quantum computer to break many of the cryptographic systems in use
today,
in the sense that there would be a relatively fast (polynomial time in n) algorithm
for
solving the problem.
Single Sign-on Protocols
The basic idea of single sign-on protocols is to use one central server to
authenticate
clients for multiple servers, instead of each server authenticating clients by itself.
Although
single sign-on protocols provide clients the convenience of remembering only
one password, which is registered in the single sign-on server, such protocols have
the
following main disadvantages. First, single sign-on protocols introduces a single
point
of failure. If the single sign-on server fails working, then all the servers that depend
on
it fail authenticating their clients, which is extremely destructive. Compromising the
single sign-on server has high pay-offs for attackers and thereby makes attack
attempts
more likely. Second, single sign-on protocols have high cost of integration because
servers need to register with the single sign-on server in order to get the service,
and
consequently lacks universal adoption. For the servers that do not use single signon
protocols, a client has to register with them individually using passwords. If a client
registers with a malicious server using the same password that he uses for the
single
sign-on server, then the malicious server can impersonate the client to login on
multiple
servers.
One-time Password Protocols
One-Time Password (OTP) authentication protocol, such as Lamports one-time
password
protocol [5] can be used for authenticating a user by a server. There are two
entities in the operation of the one-time password protocol. The one time password
system generator passes the Clients secret password, along with a seed received
from
the server as part of the challenge, through multiple iterations of a secure hash
function
to produce a one-time password. After each successful authentication, the number
of
secure hash function iterations is reduced by one. Thus, a unique sequence of
passwords
is generated. The server verifies the one-time password received from the generator
by

computing the secure hash function once and comparing the result with the
previously
accepted one-time password. But to make one-time password protocols secure
against malicious server attacks, a client has to remember multiple seed
passwords
or multiple lists of one-time passwords for multiple accounts.

1.3.2 Merkle Tree Authentication Scheme

Merkle trees can be used for a variety of cryptographic purposes, including digital
signatures and user authentication. In this section, we discuss the Merkle tree user
authentication scheme [6].
Merkle Tree: Merkle Tree is a complete binary tree with a k- bit value associated to
each node such that the interior node value is a hash function of the node values of
its
children. That is,
P(nparent) = h(P(nleft)||P(nright))
Where P is the assignment function, which maps the set of nodes to the set of their
strings of length k; h() is a cryptographic hash function and || denotes string
concatenation.
The N values that need to be authenticated are placed at the N leaves of the
tree. We may choose the leaf value arbitrarily, but usually it is a cryptographic hash
function of the values that need to be authenticated. In this case these values are
called
leaf - preimages. A leaf can be verified with respect to a publicly known root value
and

Figure 1.1: Merkle tree on 4 leaves

showing the authentication path for leaf1.

its authentication path.

Authentication Path: Authentication path Authi of leafi is an ordered sequence

of node values, where these nodes are the siblings of the nodes on the path
connecting
the leafi to the root. Let Authj(i) be the value on the node that is the sibling to the
node at height j in the path from leafi to the root. Let H be the height of the tree.
The authentication path for leafi is then,
Authi = (h(leafi), Auth0(i), Auth1(i), ..., AuthH1(i))
User Authentication and Verification: In user authentication, a user wishes to
repeatedly authenticate herself with a server. This can be accomplished by
providing
the server with the value P(nroot) for the root of the Merkle tree. Each time the user
wishes to authenticate to the server, the user reveals the hash value of leafi along
with an authentication path so that the server can construct and verify P(nroot). The
authentication path can be verified by checking if the published root value, P(nroot),
is equal to
h(...h(h(leafi)||Auth0(i))...||AuthH1(i))
where the order of concatenation is done correctly based on the structure of the
tree.

1.3.3 An Ideal Password Authentication Scheme

To be called ideal, a password authentication scheme should be able to withstand all

of the attacks and achieve all of the following goals [7].
The passwords or verification tables are not stored in the system.
The passwords cannot be revealed by the administrator of the server.
The passwords are not transmitted in plain text over the insecure network.
The length of a password must be appropriate for memorization.
The scheme must be efficient and practical.
Any unauthorized login can be quickly detected when a user inputs a wrong
password.
A session key is established during the password authentication process to
provide
confidentiality of communication.
The passwords can be chosen and changed freely by the users.

Chapter 2

Proposed Scheme
2.1 Proposed Solution

In this section, we present our Password Protocol. In our protocol, we need only one
Merkle tree at the Clients side to login on all its Servers. The selection of height H
of
the tree depends upon security level of the protocol. The protocol is more secure
with
large value of H, but tree storage cost and authentication path size increases. The
notations used in the proposed solution are listed in Table 2.1.
Table 2.1: Notations
C Client
S Server
P Password remembered by client
n Random number
R Root value of Merkle Tree
H Height of Merkle Tree
Authi Authentication path of leafi
h() Message digest (one-way hash) function
|| concatenation
Let P be the single password that a client C remembers. Initially C prepares a
Merkle hash tree and calculates its root value R. When C registers with a server S, C
generates a hash value h(P||S), then sends h(P||S) securely to S, and S stores them
in its password file.
The construction of Merkle tree is as follows. Let our Merkle tree contains Nleaf =
2H leaf nodes. We assigns value of leaf2i with i and leaf2i1 with pseudo random
numbers ri (where i=1,2,. . . ,2H1). The interior nodes are calculated using basic
properties of Merkle tree (that is, interior node value is a hash function of the node
values of its children, ie, nparent = h(nleft||nright)).
Later on, when C tries to login on S, S prompts C with a challenge n. Then C uses
the challenge n, the servers name S, and his password P to compute i = F(h(P||S),
n),
where F is one way function that finds least significant H bits of h(h(P||S)||n) and
replace LSB of result with zero. Client C computes authentication path Authi of leafi
as,

Authi = (Auth0(i), Auth1(i), ..., AuthH1(i))

Figure 2.1: Merkle tree on 8 leaves showing leaf values and authentication path of
leaf4
(shaded nodes)
h(P||S) and n. The authentication path Authi can be verified by checking if the root
value, R, is equal to,
h(...h(h((i/2)||Auth0(i))||Auth1(i))...||AuthH1(i))
Note that Client C does not send his password P to S, even in the initial registration.
Knowing h(P||S) does not allow server S to gain any information about the password
P, and does not allow server S to impersonate client C to other servers. By including
challenge n, message replay attack is not possible. If an attacker replays an old
Authi
for server S, verification fails since he takes i by computing i = F(h(P||S), n).

2.2 Attacks and Remedies

In this section, we discuss the security of our protocol against some common
attacks.
We assume that our protocol is used with the Secure Sockets Layer (SSL), the
current
industry standard for securing communication over the Internet. Note that the
message
digest (one-way hash) function h() is assumed to have the property that a
polynomialbounded
adversary should not be able to gain any information about the input by
examining the output of such a function. We sort common attacks and remedies as
follows:
Password Guessing AttacksMost passwords have such low entropy that it is vulnerable to password guessing
attacks,
where an attacker intercepts authentication messages and stores them locally
and then attempts to use a guessed password to verify the correctness of his/her
guess
using theses authentication messages. Our protocol secure against this attack
because
we are not revealing any information about password during message
communication.
Message Replay AttacksIn message replay attack, an attacker first listens to all of the communication
between
a client and a server, then tries to login on the server by replaying some messages
that the attacker captured previously. Our protocol is secure against message replay
attacks. If an attacker replays an old challenge to the client, the client will create
Authi

that corresponds to the old challenge, but the server cannot verify Authi. Similarly,
replaying an old Authi to server is useless.
Malicious Server Attacks
In malicious server attack, an attacker first set up a malicious server and attracts
people to register with the server; second, tries to impersonate one of his clients to
login on another server. Our protocol is secure against this type of attack because of
two reasons: (a) A client never releases his password to a server, and a server is
never
able to compute a clients password based on the password verification information
Authi that the client gives to the server. (b) Replaying a used Authi to any server
cannot be successful. Although a client uses the same password on multiple
servers,
Authi is valid for one particular server and is valid for only one time.
Password File Compromise Attacks
In password file compromise attack, an attacker first steals a servers password file,
which stores the password verification information of every client; then the attacker
tries to discover either the password of a client using off-line dictionary attacks or
the
next password verification information that a client will use to login on the server.
Our
protocol is secure against off-line dictionary attacks; the attacker cannot discover
the
password of any client. Even if attacker got password file from the server, he can
not
login on another servers without knowing h(P||S) of others.
Eavesdropping Attacks
In eavesdropping attack, an attacker listens to all the communication between a
client
and a server, and tries to discover the clients Merkle tree. In our protocol, an
attacker
can gather a lot of info about the tree from Authi that is sent to the server from the
client in different sessions. However, we can meet this problem up to an extent as
follows,
Increase the height H of the tree. By a sufficient large H, we can generate 2H1
authentication paths. So, gathered information by an attacker is not sufficient to
login on any server.
The current industry standard for securing communication over the Internet is
Secure Sockets Layer (SSL). We assume that our protocol is used with SSL. Our
protocol runs on top of SSL and all the communication between a client and a
server is encrypted with a session key established by SSL, an eavesdropper cannot
discover password authentication information Authi.
Even if attacker got some information about clients Merkle tree, he can not
compute Authi corresponding to a challenge n without password P.
Ensure periodic update of Merkle tree which can be done offline.

Chapter 3

Conclusion
Our protocol is simple, secure, efficient and user-friendly. The protocol is simple
because
it only involves three messages. The protocol is also secure against most of the
attacks that have been discovered so far. These attacks include the ones that are
difficult
to defend, such as the malicious server attacks and password guessing attacks.
Our protocol is based on one-way hash function and the computation cost is lower
than
other password authentication schemes. Thus the protocol is efficient. In terms of
usability,
the protocol requires a user to remember only one password, and this password
can be used for all of his accounts.

Bibliography
[1] R. C. Merkle, A certified digital signature (subtitle: That antique paper from
1979),
In G. Brassard, ed., Advances in Cryptology Proc. CRYPTO 89, volume 435 of
LNCS, pp. 218238, Springer-Verlag, 1990.
[2] M. Jakobsson, T. Leighton, S. Micali, M. Szydlo, Fractal Merkle Tree Representation
and Traversal, In RSA Cryptographers Track, RSA Security Conference 2003.
[3] J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, L.
Stewart, Http authentication: Basic and digest access authentication, RFC 2617,
1999.
[4] D. Jablon, Strong password-only authenticated key exchange. Computer
Communication
Review, 26(5): 526, October 1996.
[5] L. Lamport, Password authentication with insecure communication,
Communications
of the ACM, vol. 24, pp. 770772, November 1981.
[6] Douglas Stebila, Slightly improved Merkle tree traversal for user authentication
using pseudorandomly-generated leaves, Online, 2006, Research Note.
[7] Chwei-Shyong Tsai1, Cheng-Chi Lee,Min-Shiang Hwang,Password Authentication
Schemes: Current Status and Key Issues, International Journal of Network Security,
vol.3, no.2, pp.101115, Sept. 2006.
[8] Recent Improvements in the Efficient Use of Merkle Trees: Additional Options for
the Long Term, http://www.rsa.com/rsalabs/node.asp?id=2003.
12