
Password Mistyping in Two-Factor-Authenticated Key Exchange

Vladimir Kolesnikov¹ and Charles Rackoff²

¹ Bell Labs, Murray Hill, NJ 07974, USA, kolesnikov@research.bell-labs.com
² Dept. Computer Science, University of Toronto, Canada, rackoff@cs.utoronto.ca

Abstract. We study the problem of Key Exchange (KE), where authentication is two-factor and based on both electronically stored long keys and human-supplied credentials (passwords or biometrics). The latter credential has low entropy and may be adversarially mistyped. Our main contribution is the first formal treatment of mistyping in this setting.

Ensuring security in presence of mistyping is subtle. We show mistyping-related limitations of previous KE definitions and constructions (of Boyen et al. [7, 6, 10] and Kolesnikov and Rackoff [16]).

We concentrate on the practical two-factor authenticated KE setting where servers exchange keys with clients, who use short passwords (memorized) and long cryptographic keys (stored on a card). Our work is thus a natural generalization of Halevi-Krawczyk [15] and Kolesnikov-Rackoff [16]. We discuss the challenges that arise due to mistyping. We propose the first KE definitions in this setting, and formally discuss their guarantees. We present efficient KE protocols and prove their security.

1 Introduction

The problem of securing communication over an insecure network is generally solved using key exchange (KE). KE provides partners with matching randomly chosen keys, which are used for securing their conversation. Of course, no adversary Adv should be able to mismatch players. Therefore, players must possess secrets with which they can authenticate themselves. The kind of secrets that are available to players determines the setting of KE. In the simplest KE setting players have a long shared random string. KE is more complicated if parties establish key pairs with the public keys securely published. Using weak and/or fuzzy credentials, such as passwords or biometrics, further complicates the design of KE. Finally, using a combination of credentials may make certain aspects of KE easier (such as incorporating password authentication), but increases the overall complexity of the solution, as discussed in [16].

Our setting. Two-factor authentication is critical and is used extensively in secure applications such as banking, VPN, etc. Stored long keys protect against online adversaries, but are vulnerable to theft. The extra layer of security is achieved with additional use of a theft-resistant credential, e.g. a short password or a biometric. Unfortunately, neither password nor biometric can be expected to be read reliably into the computer.

We give foundation to this setting by generalizing the work of Halevi-Krawczyk (HK) [15] and Kolesnikov-Rackoff (KR) [16]. Recall, they address the client-server setting where both a long key and a short password are used for KE. The servers are incorruptible, but the client's card or password can be compromised.

Motivated by real scenarios, we study the effects of password mistyping. Mistyping need not be random, but may be skewed by the adversary, e.g. by technical means or social engineering manipulation. We thus consider security against adversaries who can arbitrarily affect user’s mistyping. This consideration is especially relevant in case biometric credentials are used for authentication, since, due to technology limitations, biometric readings are expected to be misread.

Mistyping opens subtle vulnerabilities and raises complex definitional issues.

In the sequel, we use terms “password” and “mistype”, although our work applies to passwords, biometrics, and other short noisy credentials, as noted in Sect. 5.

1.1 Our contributions and outline of work

Our main contribution is the first formal treatment of mistyping of passwords in KE that uses a combination of credentials.

We discuss recent definitions that consider mistyping-related settings and issues – robust fuzzy extractors of [7, 6, 10]. We point out a limitation of the definitions of [7, 6, 10] with respect to robust handling of biometric misreading/mistyping and discuss possible remedies. We demonstrate and correct a vulnerability of the definition and protocol of [16], which can only be exploited when users mistype. These observations further emphasize the subtleties of mistyping and the need for its formal treatment and deeper understanding.

In Sect. 3, we introduce our setting and the framework of [16] which we build upon. Then, with simple protocols we illustrate mistyping-related issues, discuss natural definitional approaches to handling mistyping and their shortcomings.

Most of the mistyping-related subtleties we uncover arise due to the simultaneous use of both long keys and passwords. In Sect. 4, we formalize our discussion in a definition, and formally argue that it prevents attacks that exploit mistyping.

In Sect. 5 we discuss applications of our work in biometric authentication.

In Sect. 6 we give efficient protocols; we prove their security in the full version.

1.2 Related work

The problem of key exchange has deservedly received a vast amount of attention.

Password KE was first considered by Bellovin and Merritt [4]. Foundations – formal definitions and protocols – were laid in [3, 8, 13, 9], and other works.





The use of combined keys in authentication, where the client has a password and the public key of the server, was introduced by Gong et al. [14] and first formalized by Halevi and Krawczyk [15]. Kolesnikov and Rackoff [16] extended this setting by allowing the client to also share a long key with the server, and gave first definitions of KE in their (and thus in the Gong et al. and HK) setting.

Password mistyping in KE. Despite the large research effort, the definitional issues of KE password mistyping are formally approached only in the UC definition of Canetti et al. [9]. In their password-only setting, mistyping is modelled by Environment Z providing players' inputs. Additional use of long key makes our setting significantly different (and more subtle with respect to mistyping) from that of [9]. Mistyping was also considered in different settings: related-key attacks on blockciphers [2] and signing authority delegation [17].

Biometric authentication and fuzzy extractors. A growing body of work, e.g. [12, 5, 10, 11], addresses the use of biometrics in cryptography. Boyen et al. [7, 6, 10] consider its application to KE. They introduce the notion of robust fuzzy extractor (RFE), and give generic constructions of biometric-based KE from RFE. While their setting is similar to ours, the problems solved by [7, 6, 10] are different. They give KE protocols that accept “close enough” secrets, thus enabling security and privacy of biometric authentication. They do not aim to give a formal KE definition that handles biometric/password misreading. Moreover, as shown in Sect. 2, their notion of RFE is insufficiently strong to guarantee security of their generic KE protocol in many practical settings.

(However, instantiating their KE protocol with their RFE construction is secure, since the latter satisfies stronger requirements than required by the definition.)

2 Mistyping-related limitations in previous work

On robust fuzzy extractor (RFE) definition and KE protocol [7, 6, 10]. We first clarify underlying biometric technology limitations and assumptions.

Biometrics are “fuzzy”, i.e. each scan is likely to be different from, but “close” to the “true” scan. Error-correction [12] is then used to extract non-fuzzy keys usable in cryptography. However, error-correction cannot correct many misreading errors (up to 10%), since this would imply a high false acceptance rate³. Thus misreading beyond the error-correction ball occurs often, and must be considered.

We note a limitation of the RFE definition [7, 6, 10], prohibiting its use with the generic KE construction (Sect. 3.3 of [7]) in many scenarios. Roughly, the definition's domains of correctness and security guarantees coincide. That is, extracted randomness is only guaranteed to be good if the scan is within the error-correction distance t from the original. There are no guarantees on the randomness if this condition does not hold. This is, perhaps, due to the papers' implicit assumption that “natural” misreadings are almost always “close” and are corrected (i.e. FRR is negligible). However, as discussed above, this assumption often does not hold.

Strengthening the randomness guarantees of RFE would increase its usability.

More specifically, an RFE (Gen, Rep) may exhibit the following vulnerability. Given the public helper string P, if the biometric w′ is misread in a special way w outside the error-correction ball, the extracted randomness Rep(w, P) is predictable. Even more subtly, Rep(w, P) and Rep(w′, P) could be related, but unequal. Clearly, KE protocols, including the one of Sect. 3.3 of [7, 6], constructed from such an RFE would not be secure. One solution is to require, for w outside the error-correction ball, that either Rep(w, P) = ⊥ (a property of the RFE construction of [7, 6]) or that Rep(w, P) is either equal to or independent from Rep(w′, P).

Finally, although [7, 6, 10] consider adversarial substitution of P with a modified P′, they guarantee Rep(w, P′) = ⊥ only for w in the error-correction ball. This vulnerability can also be resolved by separating the error-correction and security domains. We defer detailed definition, analysis and constructions as future work.

³ In balanced optimized real-life systems, which compare scans directly, the False Reject Rate (FRR) is usually 1..10%. Notably, NIST reports FRR of fingerprints 0.1..2%, iris 0.2..1% and face 10%. See [1] for a comprehensive overview and references.
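To make the "related but unequal" case concrete, here is an added toy example (not from this paper, nor the construction of [7, 6, 10]): a code-offset sketch over a 5-fold repetition code. A reading within t = 2 flips per block reproduces the true string, while a reading with one flip more silently decodes to a string that differs from the true one by a pattern fixed by the code, so a Rep that outputs the recovered string directly yields a related key. Deriving the key through a hash (one form of the "equal or independent" remedy, treated here as a random oracle) removes that relation. The code, block size and sample scan are constructed assumptions.

```python
import hashlib
import secrets

N_REP = 5                 # repetition code: each secret bit is stored 5 times
T = (N_REP - 1) // 2      # error-correction radius: up to 2 flips per block

def encode(msg):
    return [b for b in msg for _ in range(N_REP)]

def decode(code):
    # Majority vote per block. It never reports failure, so a block with more
    # than T flips decodes to the wrong bit without anyone noticing.
    return [1 if sum(code[i:i + N_REP]) > N_REP // 2 else 0
            for i in range(0, len(code), N_REP)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def derive(w_rec, P):
    # Hash-based key derivation (assumption: modelled as a random oracle), so
    # two different recovered strings give keys with no usable relation.
    return hashlib.sha256(bytes(w_rec) + bytes(P)).hexdigest()

def gen(w):
    """Code-offset sketch: helper P = w xor c for a random codeword c.
    Returns P, the naive key (w itself) and the hashed key."""
    m = [secrets.randbits(1) for _ in range(len(w) // N_REP)]
    P = xor(w, encode(m))
    return P, list(w), derive(w, P)

def recover(w_read, P):
    # w_read xor P = c xor e; correct e, then re-apply the offset to get w back.
    return xor(encode(decode(xor(w_read, P))), P)

def rep_naive(w_read, P):
    # Naive Rep: outputs the recovered string itself as the key.
    return recover(w_read, P)

def rep_hashed(w_read, P):
    # Remedied Rep: key is equal to the true key (inside the ball) or unrelated
    # to it (outside the ball), never "related but unequal".
    return derive(recover(w_read, P), P)

def flip(w, positions):
    out = list(w)
    for i in positions:
        out[i] ^= 1
    return out

def demo():
    w = [secrets.randbits(1) for _ in range(4 * N_REP)]   # constructed 20-bit scan
    P, key, hkey = gen(w)
    close = flip(w, range(T))          # T flips in block 0: inside the ball
    far = flip(w, range(T + 1))        # T+1 flips in block 0: outside the ball
    return {
        "close_naive_ok": rep_naive(close, P) == key,
        # Naive Rep on the far reading: the output is the true key with block 0
        # inverted, a known pattern independent of w and of the codeword.
        "far_naive_relation": xor(rep_naive(far, P), key),
        "close_hashed_ok": rep_hashed(close, P) == hkey,
        "far_hashed_ok": rep_hashed(far, P) == hkey,
    }
```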

On the definition and construction of [16]. We present the following practical outside-of-the-model mistyping attack on the protocol (and thus also on the definition) of Kolesnikov and Rackoff [16]. Specifically, resistance to Denial of Access (DoA) attacks of the protocol of [16] is compromised if the honest client ever mistypes. Indeed, since their protocol is not challenge-response, client C’s message can be replayed. This is not a problem if C always types the correct password (session keys of C and server S will be independent). However, if the password was mistyped, both the original and replayed message will cause S to register password failure, violating the intent of the DoA resistance. We stress that the KR protocol is otherwise secure against mistyping (and we prove it in Sect. 6). Our definitions and protocols address and correct the above insecurity.
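As an added illustration of the replay issue just described (a constructed toy, not the KR protocol, whose message format is not reproduced here): a server counts password failures and locks the account after a threshold. When the client's message carries no server challenge, every redelivery of one mistyped message registers a fresh failure; binding the message to a one-time server challenge makes redeliveries drop out as stale before the password is even checked. The HMAC-based password check, message layout and lock-out threshold are assumptions.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3   # DoA policy (assumption): lock the account after 3 password failures

def tag(long_key, *parts):
    h = hmac.new(long_key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)   # length-prefix each field
    return h.digest()

class ReplayableServer:
    """Accepts (nonce, tag) with no server challenge, so a message can be redelivered."""
    def __init__(self, long_key, pwd):
        self.long_key, self.pwd, self.failures = long_key, pwd, 0

    def receive(self, msg):
        nonce, t = msg
        if hmac.compare_digest(t, tag(self.long_key, nonce, self.pwd)):
            return "ok"
        self.failures += 1            # every redelivery of a mistyped message counts
        return "pwd_failure"

def replayable_client_msg(long_key, typed_pwd):
    nonce = secrets.token_bytes(16)
    return nonce, tag(long_key, nonce, typed_pwd)

class ChallengeServer:
    """Issues a one-time challenge; a message must bind to an outstanding challenge."""
    def __init__(self, long_key, pwd):
        self.long_key, self.pwd, self.failures = long_key, pwd, 0
        self.outstanding = set()

    def challenge(self):
        c = secrets.token_bytes(16)
        self.outstanding.add(c)
        return c

    def receive(self, msg):
        chal, nonce, t = msg
        if chal not in self.outstanding:
            return "stale"            # redelivery: dropped, not a password failure
        self.outstanding.discard(chal)   # each challenge is answered at most once
        if hmac.compare_digest(t, tag(self.long_key, chal, nonce, self.pwd)):
            return "ok"
        self.failures += 1            # only a fresh, genuinely wrong password counts
        return "pwd_failure"

def challenge_client_msg(long_key, chal, typed_pwd):
    nonce = secrets.token_bytes(16)
    return chal, nonce, tag(long_key, chal, nonce, typed_pwd)

def demo(replays=5):
    key, pwd, typo = b"constructed-long-key", b"correct horse", b"corect horse"
    s1 = ReplayableServer(key, pwd)
    m1 = replayable_client_msg(key, typo)            # honest client mistypes once
    for _ in range(replays + 1):                     # first delivery plus redeliveries
        s1.receive(m1)
    s2 = ChallengeServer(key, pwd)
    m2 = challenge_client_msg(key, s2.challenge(), typo)
    results = [s2.receive(m2) for _ in range(replays + 1)]
    return {"replayable_failures": s1.failures,
            "replayable_locked": s1.failures >= MAX_FAILURES,
            "challenge_failures": s2.failures,
            "challenge_locked": s2.failures >= MAX_FAILURES,
            "challenge_results": results}
```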

The above limitations show the subtleties of mistyping and the need to address them.

3 Pre-definition discussion

Our main contribution is a formal treatment of mistyping in the combined keys KE setting of Kolesnikov and Rackoff [16]. The KR setting is a generalization of the Halevi-Krawczyk setting [15], in which clients have a password and the public key of S. In KR setting, clients carry stealable cards capable of storing cryptographic keys – public key of S and long key shared by C and S. Addition of the cards allows better functionality and security than that of HK. KR definitions and protocol guarantee and achieve strong security when C's card is secure, and weaker, password-grade, security, when the card is compromised.

We stress that the definition of KR does not handle mistyping. That is, it is possible to construct KR-secure protocols that “break” if the client ever mistypes his password. Sect. 3.3 of [16] provides an example and a short informal discussion on mistyping, and leaves the problem open. In Sect. 3.2, we expand this discussion, present more subtle mistyping threats, and discuss approaches to handling them. This leads to the presentation of our definitions in Sect. 4.

Notation. We concentrate on the two-factor authentication setting, where a client (denoted C) exchanges keys with a server (S). Both long and short keys are used for KE. Let P be a player. We denote by P_i the i-th instance of P. We write P_i^Q to emphasize that P_i intends to do KE with (some instance of) player Q. Denote the adversary by Adv. Sometimes we distinguish the game and real-life adversary, and denote the latter Adv_Real. Denote C's password by pwd and long key by. S's public/private keys are pk_S and sk_S. Password failure and the associated control symbol output by S is denoted by ⊥_P.

On the Style of Definition. We chose the game (Bellare-Pointcheval-Rogaway [3]) style, since this allowed using the intuitive definition of KR (the only existing two-factor-authentication KE definition). Extending KR allowed reduction of security claims of our definition/setting to those of KR. Further, the stronger and arguably more intuitive UC model unfortunately is sometimes too strict, ruling out some efficient protocols which appear to be good enough in practice.

Proposing a simulation-based (especially, UC) definition, and exploring the relationship between it and our definition would add confidence in both our and the UC treatment of the problem. We thus leave as an important next step the design, detailed analysis and comparison of a corresponding UC definition. We expect that our discussions of ideas and obstacles would aid in this future work.

3.1 Review of the framework of [16]

Our definition is an extension of the KE definition of KR (Def. 2 of [16]).

Recall, KR (and thus our) definition follows the common game-based paradigm.

The real world and real adversary AdvReal are abstracted as a game, played by the game adversary Adv. Game includes clients and servers – Interactive Turing Machines (ITM) running the KE protocol Π, communicating via channels controlled by Adv. Game rules mimic reality, and are designed so that Adv’s wins correspond to real-life breaks. Π is defined secure if no polytime Adv is able to win above certain “allowed” probability. Definition is thus reduced to the design of the game. KR break down the real world into five intuitive games (KE1, KE2, KE3, DOA and SID), which mimic possible real-life attack scenarios.


