Password-Based Protocols


7.1 Introduction

Cryptographic authentication relies on possession of a key by the party to be authenticated. Such a key is usually chosen randomly within its domain and can be of lengths from around 100 bits up to many thousands of bits, depending on the algorithm used and security level desired. Experience has shown [109, 333] that humans find it difficult to remember secrets in the form of passwords of even seven or eight characters. But if all upper and lower case letters are used together with the digits 0 to 9 then a random eight-character password represents less than 48 bits of randomness. Therefore we can conclude that even short random keys for cryptographic algorithms cannot be reliably remembered by humans. Another way to express this is that it can be assumed that a computer is able to search through all possible passwords in a short time.

Cryptographic keys are often stored in secure memory in computers or using special devices such as tamper-resistant cryptographic servers or in smart cards. However, there are situations where this is inconvenient or expensive. Not all devices are tamper resistant, and the memory required for public keys can be scarce. Therefore it is desirable to be able to set up secure communications relying only on a short secret that can be remembered by humans.

This chapter examines a number of key establishment protocols that have been designed to be secure in the situation that the principals share only a password of small entropy. At first thought it might seem impossible to achieve key establishment using only a short secret in such a way that brute force searching to find the secret is not possible. This intuition may account for why it was not until 1989 that the first password-based protocols appeared in the literature. These first protocols, due to Lomas et al. [210], used the additional assumption that the client (in a client-server application) has knowledge of the server's public key, in addition to sharing the password with the server. Later Bellovin and Merritt [38] introduced a class of protocols that does not require this assumption.

C. Boyd et al., Protocols for Authentication and Key Establishment © Springer-Verlag Berlin Heidelberg 2003

The idea of Bellovin and Merritt's Encrypted Key Exchange (EKE) protocols is that the protocol initiator will choose an ephemeral public key and use the shared password to encrypt this key. The responder can decrypt the public key and use it to send the session key securely back to the initiator. On the assumption (not always reasonable) that public keys are random strings, an adversary who tries a brute force search of passwords will not be able to distinguish which ephemeral public key was used; furthermore even when the correct public key has been found it cannot be used to discover the session key since it is not possible to obtain the private key from the public key. It is interesting to compare password-based protocols with protocols providing forward secrecy. Both seem to be possible onl
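The EKE idea just described, written out as an added toy example (this is not code from the book or from Bellovin and Merritt). It assumes a small Diffie-Hellman group as the ephemeral public-key scheme, a SHAKE-derived keystream standing in for "encryption with the password", and ElGamal-style wrapping of the session key under the initiator's ephemeral public key; the group parameters, labels and password strings are constructed for illustration. It also includes an audit check for the caveat in the paragraph above: because a valid public key here is a 127-bit value sent in 16 bytes, it is not a uniformly random string, and the check measures how often an offline password guess can be ruled out from the first message alone.

```python
"""Toy Encrypted Key Exchange (EKE) illustrating the idea described above.

Constructed example, not the book's protocol text: a small Diffie-Hellman
group is the ephemeral public-key scheme, a password-derived keystream is
the "encryption with the password", and the session key is wrapped under
the ephemeral public key ElGamal-style. Not for production use.
"""
import hashlib
import random

# Assumed toy parameters: a Mersenne prime keeps values readable; a real
# deployment would use a standard large group and a vetted cipher.
P = 2**127 - 1      # prime modulus of the toy group
G = 3               # base element
KEY_BYTES = 16      # 127-bit values fit in 16 bytes; session keys are 16 bytes


def _pad(password: str, label: bytes, n: int) -> bytes:
    """Password-derived keystream standing in for encryption under the password."""
    return hashlib.shake_256(password.encode() + b"|" + label).digest(n)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _kdf(shared: int) -> bytes:
    """Mask derived from the Diffie-Hellman shared value, used to wrap the session key."""
    return hashlib.sha256(shared.to_bytes(KEY_BYTES, "big")).digest()[:KEY_BYTES]


class Initiator:
    def __init__(self, password: str, rng: random.Random):
        self.password = password
        self.a = rng.randrange(2, P - 1)        # ephemeral private key
        self.public = pow(G, self.a, P)         # ephemeral public key

    def message_1(self) -> bytes:
        # E_pw(ephemeral public key): the only value the password protects.
        return _xor(self.public.to_bytes(KEY_BYTES, "big"),
                    _pad(self.password, b"msg1", KEY_BYTES))

    def finish(self, message_2: tuple) -> bytes:
        gb_bytes, wrapped_key = message_2
        shared = pow(int.from_bytes(gb_bytes, "big"), self.a, P)
        return _xor(wrapped_key, _kdf(shared))  # unwrap the session key


class Responder:
    def __init__(self, password: str, rng: random.Random):
        self.password = password
        self.rng = rng
        self.session_key = None

    def respond(self, message_1: bytes) -> tuple:
        public = int.from_bytes(
            _xor(message_1, _pad(self.password, b"msg1", KEY_BYTES)), "big")
        if not 1 < public < P:
            raise ValueError("decrypted value is not a group element")
        b = self.rng.randrange(2, P - 1)
        shared = pow(public, b, P)
        self.session_key = self.rng.getrandbits(8 * KEY_BYTES).to_bytes(KEY_BYTES, "big")
        # Session key wrapped under the initiator's ephemeral public key
        # (full EKE additionally encrypts this message under the password).
        return (pow(G, b, P).to_bytes(KEY_BYTES, "big"),
                _xor(self.session_key, _kdf(shared)))


def run_exchange(initiator_password: str, responder_password: str, seed: int = 0):
    """Run one exchange; returns (initiator_key, responder_key), or None if the
    responder rejects the decrypted value. The seed is for reproducibility only;
    real code would draw randomness from the `secrets` module."""
    rng = random.Random(seed)
    init = Initiator(initiator_password, rng)
    resp = Responder(responder_password, rng)
    try:
        message_2 = resp.respond(init.message_1())
    except ValueError:
        return None
    return init.finish(message_2), resp.session_key


def first_message(password: str, seed: int = 0) -> bytes:
    return Initiator(password, random.Random(seed)).message_1()


def guess_rejected(message_1: bytes, password_guess: str) -> bool:
    """Audit check: can an offline guess be ruled out from message 1 alone?
    A valid public key here always has its top bit clear (P < 2**127), so a
    wrong guess decrypts to an out-of-range value about half the time. That is
    the "public keys are random strings" assumption failing; a sound encoding
    makes every guess decrypt to a plausible public key."""
    value = int.from_bytes(
        _xor(message_1, _pad(password_guess, b"msg1", KEY_BYTES)), "big")
    return not 1 < value < P


def rejection_rate(message_1: bytes, guesses) -> float:
    guesses = list(guesses)
    return sum(guess_rejected(message_1, g) for g in guesses) / len(guesses)


if __name__ == "__main__":
    keys = run_exchange("correct horse", "correct horse", seed=7)
    print("keys agree:", keys[0] == keys[1])
    m1 = first_message("correct horse", seed=7)
    print("fraction of wrong guesses ruled out by message 1:",
          rejection_rate(m1, [f"guess-{i}" for i in range(400)]))
```

With matching passwords both sides derive the same session key; with a mismatch the responder either rejects the decrypted value or the two sides end up with different keys. The rejection rate near one half is the practical lesson: the encryption of the ephemeral public key only resists offline guessing if every candidate password decrypts to something that looks like a valid public key, which is why EKE variants take care over how public values are encoded.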