new authentication protocol, possible SRP alternative
From: Steven Alexander (fbi66_at_hotmail.com)
Date: 08/01/04
- Next message: Phil Carmody: "Re: Algorithm ideas"
- Previous message: John A. Malley: "Re: Algorithm ideas"
- Next in thread: Thomas Wu: "Re: new authentication protocol, possible SRP alternative"
- Reply: Thomas Wu: "Re: new authentication protocol, possible SRP alternative"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 1 Aug 2004 00:04:20 -0700
I've been studying authentication protocols lately and am interested
in verifier-based protocols that provide perfect forward secrecy.
I've designed a protocol that appears to me to provide the same
security as Wu's Secure Remote Password Protocol while requiring one
less modular exponentiation on both the client and server sides.
Additional symmetric encryption and hash operations are required on
both sides but should require less computation time than modular
exponentiation.
Obviously, protocol design is complicated and I'm interested in
hearing any opinions or analyses that people might come up with. My
own analysis is included at the end. I would also be interested to
hear any mistakes in my own analysis. Responses indicating that the
design appears strong are always welcome as well :) I hope I haven't
missed anything obvious but am prepared to find out that I have.
Thanks in advance to everyone who takes the time to look at this.
-steven alexander
alexander dot s _at_ mccd dot edu
Please send any replies directly to me as well as to the list. Use
the address above, the hotmail address I registered with is a
throwaway.
Notation:
H(x) = Hash of x
K[x] = Encryption of x with key K
K^-1[x] = Decryption of x with key K
g^x = shorthand for g^x mod p
Alice = client
Bob = server
P = Password
M = key derived from P, H(P)
r = random number generated by client(Alice)
s = another random number generated by client(Alice)
challengeX = randomly generated challenge
Bob stores:
X = M[r,s]
Y1 = hash(r)
Y2 = hash(s)
Alice <------------------------------------------------------>Bob
1. "Alice" -------------------------->
2. <------------------------------------ g^b, X
Alice computes <r,s> = P^-1(X)
Alice computes Y1 = hash(r)
Alice computes Y2 = hash(s)
Alice computes (a * Y1 mod p) while Bob computes (b * Y1 mod p)
Both sides compute K = g^(a * b * Y1)
[using Y1 in the calculation of K ensures that Alice is talking with
someone who is Bob or has compromised Bob]
3. g^a, challengeA ------------------------------------------>
4. <---------------------------------------------- K[challengeA],
challengeB
[ use challengeA to prevent Man in the Middle attacks ]
Alice generates new r and s values (newR, newS) and calculates newX,
newY1, newY2
5. K[[Y2[r, newX,newY1,newY2], challengeB]
Bob stores newX, newY1 and newY2
Alice's knowledge of r ensures that Alice knows P and was able to
compute P^-1[X]. Bob computes H(r) to verify.
r can be used to calculate Y1 which could be used to exact a
dictionary attack if K were compromised so it is doubly encrypted with
Y2
[ K can be used to encrypt further data or a new DH exchange can be
performed with those message encrypted with K].
My analysis (with a little bit of redundancy):
I am considering combining message 1 and 3. As it stands, Alice can
verify that Bob has provided a good value of X before sending g^a and
a challenge but this is probably not necessary. Alice initiates the
authentication attempt so denial of service is not an issue.
The server stores a verifier (Y1) rather than a plaintext equivalent.
Therefore, this information cannot be used directly to impersonate
Alice. A dictionary attack could be executed to find a P such that K
= H(P), <r,s> = P^-1(X) and H(r) = Y1 and H(s) = Y2.
X is a reminder to Alice as to the value r which is used for
authentication and the values s which is used to produce a key that
can be used for encryption of the new reminder, verifier and s values.
A salt is not necessary since a new random r and s are generated to
complete each authentication. Both of r and s should be as large as
the output of the hash function.
The return of challengeA by Bob proves that Bob knows Y1. An
attacker, Trudy, should not be able to generate a new message X such
that <r,s> = P^-1[X] and H(r) = Y1 without knowledge of P.
Alice encrypts challengeB with K to prove she knows K and thus was
able to compute Y1 using r derived from X with her password.
An attacker who discovers K (through psychic ability perhaps) should
not be able to find Y1 without solving the discrete log problem.
r, newX, newY1 and newY2 are random. Thus, an attacker who discovers
K should not be able to perform a dictionary attack on X to produce a
candidate s value that will allow computation of Y2 and trial
decryptions of r, newX, newY1 or newY2 since they do not have a
recognizable format.
An attacker who has control of Bob throughout an authentication
process will know K, X, Y1 and Y2. He will thus be able to recover
newX, newY1 and newY2 (trivial) but will not know the newR and newS
used to produce these values.
An attacker who recovers K will not be able to recover the values
newX, newY1 and newY2.
An attacker will not be able to substitute his own values for newX,
newY1 and newY2 provided CBC-mode encryption is used. If he tries,
challengeB will not decrypt correctly.
The server has no awareness of password changes. Because of this, the
protocol extends well to smart card usage. A smart card can generate
and save a random value that will be used as part of the key material
for the next authentication, this value will be used at the end of
this authentication to compute newX.
Replay attacks should not be a factor since a new verifier is
generated with every authentication.
- Next message: Phil Carmody: "Re: Algorithm ideas"
- Previous message: John A. Malley: "Re: Algorithm ideas"
- Next in thread: Thomas Wu: "Re: new authentication protocol, possible SRP alternative"
- Reply: Thomas Wu: "Re: new authentication protocol, possible SRP alternative"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
