Escolar Documentos
Profissional Documentos
Cultura Documentos
I Help Study
(Rohit Rajpoot)
Contents
1 Introduction 2
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
1.2 Problem Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
1.3.1 Password Protocols . . . . . . . . . . . . . . . . . . . . . .3
1.3.2 Merkle Tree Authentication Scheme . . . . . . . . . 4
1.3.3 An Ideal Password Authentication Scheme . . . .5
2 Proposed Scheme 7
2.1 Proposed Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2 Attacks and Remedies . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3 Conclusion
11
Chapter 1
Introduction
1.1 Motivation
Many people today have multiple accounts on the Internet. Most of these accounts
are protected by passwords. As more services move to the Internet, the number of
accounts a user needs to manage is expected only to grow. If one uses different and
unrelated passwords for each account, then remembering all these unique
passwords is
a daunting task. Because of this, the common practice is to use the same password
for
multiple accounts. But current password protocols are not suitable for this practice.
A Merkle Tree [1, 2] is a construction introduced by Ralph Merkle in 1979 to build
secure authentication and signature schemes from hash functions (e.g. SHA1). Due
to
the discovery of more efficient cryptographic primitives based on number theory
(e.g.
RSA, ECC), this classic technique has received little practical attention. However,
there are good reasons to further develop these cryptographic constructions. Today,
RSA and other number theoretic constructions serve our needs for encryption and
digital signatures well, and the improvements in technology and algorithms that
affect
the security of these primitives (e.g. factoring integers) have historically progressed
at a modest predictable rate, and it has been possible to adjust key sizes
accordingly.
Merkle Tree signatures [8] do not rely on the difficulty of factoring or of the discrete
log problem.
We propose a protocol that allows a client to securely use a single password across
multiple servers. In the proposed scheme, we are using the concept of Merkle Tree
authentication and thus we do not require any number theoretic assumptions. We
are
not revealing any information about password during message communication and
thus
preventing the password guessing attack. Thus, we are trying to design a hash
based
single password authentication protocol such that it should be simple, secure,
efficient
and user-friendly.
1.3 Survey
Many password protocols have been proposed, especially in the past decade. In this
section, we review these password protocols.
Web-specific Password Protocols
The HTTP digest authentication protocol [3] uses the challenge/response technique,
which basically works as follows. When client C registers with server S, S stores Cs
password P. When C wants to login on S, S generates a nonce n and sends it to C
as a challenge. Then C computes MD(n||P) and sends the result to S as a response
(MD is message digest function). Server S verifies the received response using the
stored password P and the generated nonce n. Because a server knows the
passwords
of its clients, the HTTP digest authentication protocol is vulnerable to malicious
server
attacks and password file compromise attacks.
Strong Password Protocols
Strong password protocols often have strong security properties, but they usually
require
computationally intensive operations such as modular exponentiations, asymmetric
encryptions/decryptions, etc. Many such protocols have been proposed, such as
Simple Password Exponential Key Exchange method (SPEKE) [4] and Diffie-Hellman
Encrypted Key Exchange (DHEKE) [4]. Most of these strong password protocols were
proposed before the wide deployment of SSL. They are mostly designed to achieve
the
following two goals: (1) to establish a session key between a client and a server
after the
server authenticates the client using passwords. This is not must-have functionality
for
a password protocol any more because a session key is established after the client
authenticates
the server using SSL. (2) To prevent dictionary attacks. This goal is always
expensive to achieve. That strong and consequently heavy weight, password
protocols
are not well suited for Internet authentication because of the heavy computational
cost.
A password protocol that is desirable for the Internet must be computationally
efficient
in the server side because a server on the Internet often has heavy service load and
consequently cannot afford significant computation for authenticating every client.
Most of the strong password protocols are based on some number theoretic
assumptions
such as integer factorization problem and discrete logarithm problem. Nowadays
computing the secure hash function once and comparing the result with the
previously
accepted one-time password. But to make one-time password protocols secure
against malicious server attacks, a client has to remember multiple seed
passwords
or multiple lists of one-time passwords for multiple accounts.
Merkle trees can be used for a variety of cryptographic purposes, including digital
signatures and user authentication. In this section, we discuss the Merkle tree user
authentication scheme [6].
Merkle Tree: Merkle Tree is a complete binary tree with a k- bit value associated to
each node such that the interior node value is a hash function of the node values of
its
children. That is,
P(nparent) = h(P(nleft)||P(nright))
Where P is the assignment function, which maps the set of nodes to the set of their
strings of length k; h() is a cryptographic hash function and || denotes string
concatenation.
The N values that need to be authenticated are placed at the N leaves of the
tree. We may choose the leaf value arbitrarily, but usually it is a cryptographic hash
function of the values that need to be authenticated. In this case these values are
called
leaf - preimages. A leaf can be verified with respect to a publicly known root value
and
Chapter 2
Proposed Scheme
2.1 Proposed Solution
In this section, we present our Password Protocol. In our protocol, we need only one
Merkle tree at the Clients side to login on all its Servers. The selection of height H
of
the tree depends upon security level of the protocol. The protocol is more secure
with
large value of H, but tree storage cost and authentication path size increases. The
notations used in the proposed solution are listed in Table 2.1.
Table 2.1: Notations
C Client
S Server
P Password remembered by client
n Random number
R Root value of Merkle Tree
H Height of Merkle Tree
Authi Authentication path of leafi
h() Message digest (one-way hash) function
|| concatenation
Let P be the single password that a client C remembers. Initially C prepares a
Merkle hash tree and calculates its root value R. When C registers with a server S, C
generates a hash value h(P||S), then sends h(P||S) securely to S, and S stores them
in its password file.
The construction of Merkle tree is as follows. Let our Merkle tree contains Nleaf =
2H leaf nodes. We assigns value of leaf2i with i and leaf2i1 with pseudo random
numbers ri (where i=1,2,. . . ,2H1). The interior nodes are calculated using basic
properties of Merkle tree (that is, interior node value is a hash function of the node
values of its children, ie, nparent = h(nleft||nright)).
Later on, when C tries to login on S, S prompts C with a challenge n. Then C uses
the challenge n, the servers name S, and his password P to compute i = F(h(P||S),
n),
where F is one way function that finds least significant H bits of h(h(P||S)||n) and
replace LSB of result with zero. Client C computes authentication path Authi of leafi
as,
Figure 2.1: Merkle tree on 8 leaves showing leaf values and authentication path of
leaf4
(shaded nodes)
h(P||S) and n. The authentication path Authi can be verified by checking if the root
value, R, is equal to,
h(...h(h((i/2)||Auth0(i))||Auth1(i))...||AuthH1(i))
Note that Client C does not send his password P to S, even in the initial registration.
Knowing h(P||S) does not allow server S to gain any information about the password
P, and does not allow server S to impersonate client C to other servers. By including
challenge n, message replay attack is not possible. If an attacker replays an old
Authi
for server S, verification fails since he takes i by computing i = F(h(P||S), n).
that corresponds to the old challenge, but the server cannot verify Authi. Similarly,
replaying an old Authi to server is useless.
Malicious Server Attacks
In malicious server attack, an attacker first set up a malicious server and attracts
people to register with the server; second, tries to impersonate one of his clients to
login on another server. Our protocol is secure against this type of attack because of
two reasons: (a) A client never releases his password to a server, and a server is
never
able to compute a clients password based on the password verification information
Authi that the client gives to the server. (b) Replaying a used Authi to any server
cannot be successful. Although a client uses the same password on multiple
servers,
Authi is valid for one particular server and is valid for only one time.
Password File Compromise Attacks
In password file compromise attack, an attacker first steals a servers password file,
which stores the password verification information of every client; then the attacker
tries to discover either the password of a client using off-line dictionary attacks or
the
next password verification information that a client will use to login on the server.
Our
protocol is secure against off-line dictionary attacks; the attacker cannot discover
the
password of any client. Even if attacker got password file from the server, he can
not
login on another servers without knowing h(P||S) of others.
Eavesdropping Attacks
In eavesdropping attack, an attacker listens to all the communication between a
client
and a server, and tries to discover the clients Merkle tree. In our protocol, an
attacker
can gather a lot of info about the tree from Authi that is sent to the server from the
client in different sessions. However, we can meet this problem up to an extent as
follows,
Increase the height H of the tree. By a sufficient large H, we can generate 2H1
authentication paths. So, gathered information by an attacker is not sufficient to
login on any server.
The current industry standard for securing communication over the Internet is
Secure Sockets Layer (SSL). We assume that our protocol is used with SSL. Our
protocol runs on top of SSL and all the communication between a client and a
server is encrypted with a session key established by SSL, an eavesdropper cannot
discover password authentication information Authi.
Even if attacker got some information about clients Merkle tree, he can not
compute Authi corresponding to a challenge n without password P.
Ensure periodic update of Merkle tree which can be done offline.
Chapter 3
Conclusion
Our protocol is simple, secure, efficient and user-friendly. The protocol is simple
because
it only involves three messages. The protocol is also secure against most of the
attacks that have been discovered so far. These attacks include the ones that are
difficult
to defend, such as the malicious server attacks and password guessing attacks.
Our protocol is based on one-way hash function and the computation cost is lower
than
other password authentication schemes. Thus the protocol is efficient. In terms of
usability,
the protocol requires a user to remember only one password, and this password
can be used for all of his accounts.
Bibliography
[1] R. C. Merkle, A certified digital signature (subtitle: That antique paper from
1979),
In G. Brassard, ed., Advances in Cryptology Proc. CRYPTO 89, volume 435 of
LNCS, pp. 218238, Springer-Verlag, 1990.
[2] M. Jakobsson, T. Leighton, S. Micali, M. Szydlo, Fractal Merkle Tree Representation
and Traversal, In RSA Cryptographers Track, RSA Security Conference 2003.
[3] J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, L.
Stewart, Http authentication: Basic and digest access authentication, RFC 2617,
1999.
[4] D. Jablon, Strong password-only authenticated key exchange. Computer
Communication
Review, 26(5): 526, October 1996.
[5] L. Lamport, Password authentication with insecure communication,
Communications
of the ACM, vol. 24, pp. 770772, November 1981.
[6] Douglas Stebila, Slightly improved Merkle tree traversal for user authentication
using pseudorandomly-generated leaves, Online, 2006, Research Note.
[7] Chwei-Shyong Tsai1, Cheng-Chi Lee,Min-Shiang Hwang,Password Authentication
Schemes: Current Status and Key Issues, International Journal of Network Security,
vol.3, no.2, pp.101115, Sept. 2006.
[8] Recent Improvements in the Efficient Use of Merkle Trees: Additional Options for
the Long Term, http://www.rsa.com/rsalabs/node.asp?id=2003.
12