Overview and evolution of password-based authentication schemes
Ignat Korchagin
Passwords in Roman Empire
Ave, Caesar!
http://ancienthistory.about.com/library/bl/bl_text_polybius6.htm
• every night the watchword was changed
• used a “roundtrip” delivery mechanism with confirmation to distribute the password
Passwords in modern world
create password?
“hunter2”
hehe, no one will ever guess
HTTP basic authentication
alice:example.com:hunter2
• simple
• password is sent in clear text
• HTTPS is needed to protect from eavesdroppers
• server DB leak compromises all the passwords
HTTP digest authentication
• server stores Hash(alice:example.com:hunter2)
client → server: GET secret info
server → client: nonce
client → server: cnonce, Hash(Hash(alice:example.com:hunter2),nonce,cnonce)
HTTP digest authentication
• passwords are not sent in clear text
• protected from replay attacks
• servers may store hashes of passwords instead of passwords themselves
• server DB leak compromises passwords for specific realm only
BUT…
HTTP digest authentication
• still vulnerable to MiTM
• still vulnerable to spoofed websites
• requires HTTPS
• vulnerable to dictionary attacks
From RFC 7616:
HTTP Digest Authentication, when used with human-memorable passwords, is vulnerable to dictionary attacks. Such attacks are much easier than cryptographic attacks on any widely used algorithm, including those that are no longer considered secure. In other words, algorithm agility does not make this usage any more secure.
As a result, Digest Authentication SHOULD be used only with passwords that have a reasonable amount of entropy, e.g., 128-bit or more. Such passwords typically cannot be memorized by humans but can be used for automated web services.
If Digest Authentication is being used, it SHOULD be over a secure channel like HTTPS.
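A worked example of the digest exchange sketched above, added here and not part of the talk: a minimal server that stores only Hash(user:realm:password), hands out nonces, and checks the client's response. It follows the slide's simplified scheme rather than the full RFC 7616 message format, and assumes SHA-256 as the Hash and single-use server nonces as the replay protection.

```python
"""Simplified HTTP digest exchange from the slides (example; not full RFC 7616).

Assumptions of this example: Hash is SHA-256 over colon-joined fields, and a
server nonce is valid for exactly one response (replay protection).
"""
import hashlib
import secrets


def h(*parts):
    """The slides' Hash(...): SHA-256 of 'a:b:c'."""
    return hashlib.sha256(":".join(parts).encode()).hexdigest()


class DigestServer:
    def __init__(self, realm):
        self.realm = realm
        self.ha1 = {}           # user -> Hash(user:realm:password); no plaintext kept
        self.issued = set()     # nonces handed out and not yet consumed

    def register(self, user, password):
        # the stored value is bound to this realm, so a DB leak exposes
        # (dictionary-attackable) hashes for this realm only
        self.ha1[user] = h(user, self.realm, password)

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, user, nonce, cnonce, response):
        """True iff the response was built from this user's HA1 and a fresh nonce."""
        if nonce not in self.issued:
            return False        # unknown or already used nonce: replay rejected
        self.issued.discard(nonce)
        ha1 = self.ha1.get(user)
        if ha1 is None:
            return False
        return secrets.compare_digest(h(ha1, nonce, cnonce), response)


def client_response(user, realm, password, nonce):
    """Client side: cnonce plus Hash(Hash(user:realm:password), nonce, cnonce)."""
    cnonce = secrets.token_hex(8)
    return cnonce, h(h(user, realm, password), nonce, cnonce)


def demo():
    """Returns (good login, replay of the same response, wrong password)."""
    srv = DigestServer("example.com")
    srv.register("alice", "hunter2")
    nonce = srv.challenge()
    cnonce, resp = client_response("alice", "example.com", "hunter2", nonce)
    ok = srv.verify("alice", nonce, cnonce, resp)
    replayed = srv.verify("alice", nonce, cnonce, resp)
    nonce2 = srv.challenge()
    cnonce2, bad = client_response("alice", "example.com", "letmein", nonce2)
    wrong = srv.verify("alice", nonce2, cnonce2, bad)
    return ok, replayed, wrong
```

Note that the stored HA1 is still only a hash of a human-chosen password, which is exactly the dictionary-attack weakness the RFC text above warns about.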
HTTP OAuth
(diagram: client obtains an auth token, then sends GET with the auth token)
• allows delegation
• does not need to use real credentials
• needs other methods to authenticate on the authorization server
• HTTPS is needed to protect from eavesdroppers
HTTPS is hard
• problems with mixed content
  • may be fixed by implementing a proper content security policy
• spoofed websites
  • similar domain names, same look and feel
• spoofed certificates
  • https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-ssl-certificates-from-comodo-via-dangling-markup-injection/index.html
• compromised keys and certificates
  • certificate revocation is hard
Can we do better?
Socialist millionaires
• Socialist millionaire problem is a way for two millionaires to check whether their wealth is equal
Socialist millionaires
• EC curve: G - base point, n - order of G
• Alice and Bob have x and y respectively. Both want to know whether x==y.
Alice                          Bob
Generate a2, a3, s             Generate b2, b3, r
G2a = a2*G                     G2b = b2*G
G3a = a3*G                     G3b = b3*G
            <-- exchange G2a, G3a, G2b, G3b -->
G2 = a2*G2b                    G2 = b2*G2a
G3 = a3*G3b                    G3 = b3*G3a
Pa = s*G3                      Pb = r*G3
Qa = s*G + x*G2                Qb = r*G + y*G2
            <-- exchange Pa, Qa, Pb, Qb -->
Ra = a3*(Qa-Qb)                Rb = b3*(Qa-Qb)
            <-- exchange Ra, Rb -->
check a3*Rb == Pa-Pb           check b3*Ra == Pa-Pb
a3 * Rb = b3 * Ra = (Pa - Pb) + (a3 * b3 * (x - y)) * G2
Socialist millionaires
• Socialist millionaire problem is a way for two millionaires to check whether their wealth is equal
• can be used to verify whether two parties possess the same secret
• a passive attacker learns nothing about the protocol and its outcome
• MiTM can do no better than a passive attacker, except disrupting the communication channel
• even if one of the parties is dishonest, he learns nothing more than the protocol outcome
• unlike most other zero-knowledge proofs, requires O(1) protocol iterations
• is adopted in practice and has a good history
OTR SMP
• Uses 1536-bit group calculations
• BUT: LogJam!
  • 512-bit broken
  • 1024-bit probably broken
  • 1536-bit is very close!
Themis SMP vs OTR SMP
• Improving SMP
  • moved all cryptographic operations into the ECC domain
  • modern (boring) cryptography (ed25519)
  • protection against timing attacks
  • fast and performant
  • reduced memory footprint
  • support for many high-level languages
  • simple API
• GitHub: https://github.com/cossacklabs/themis
SPAKE2
• EC curve: G - base point, n - order of G, M,N - known fixed points on the curve
• Alice and Bob know w.
Alice                          Bob
Generate x                     Generate y
X = x*G                        Y = y*G
T = w*M + X                    S = w*N + Y
            <-- exchange T, S -->
K = x*(S - w*N)                K = y*(T - w*M)
SPAKE2
• PAKE - password-authenticated key agreement
• basic SPAKE2 requires only 1 roundtrip
• simple, requires a small number of asymmetric cryptographic operations
• easy to implement
• provides a negotiated secret key as a protocol outcome
• Example: SPAKE2 (https://tools.ietf.org/html/draft-irtf-cfrg-spake2-03)
Key confirmation?
SMP vs SPAKE2
SMP                                   SPAKE2
• provides mutual authentication      • provides mutual authentication
• protected from MiTM                 • protected from MiTM
• requires 3 roundtrips               • requires 2 roundtrips
• slower                              • faster
  • ~30 times slower in pure C          • ~30 times faster in pure C
  • ~3 times slower in Python           • ~3 times faster in Python
• negotiates 2 shared secrets         • negotiates 1 shared secret
• provides zero-knowledge guarantee   • has some implementation caveats
SPAKE2
To successfully complete the protocol:
• the peer may not even know w (the real secret information)
• but only w*M and w*N (its public derivatives)
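Both protocols from the slides, SMP and SPAKE2, as one runnable toy, added here and not code from the talk, Themis or BoringSSL. It assumes a tiny textbook curve (y^2 = x^3 + 2x + 2 over F_17, G = (5, 1), 19 points) so the algebra can be followed by hand, and constructs the SPAKE2 fixed points M and N as small multiples of G, which is insecure and done only to keep the example short; Bob's SPAKE2 side takes only w*M and w*N, which is the caveat just stated.

```python
"""Toy run of the slides' SMP and SPAKE2 over a tiny curve (example, not Themis code).

Curve: y^2 = x^3 + 2x + 2 over F_17, base point G = (5, 1), 19 points, so all
scalars live in Z_19. Insecure by construction: real implementations use
ed25519/curve25519, constant-time arithmetic and M, N of unknown discrete log.
"""
import secrets

P, A = 17, 2            # field prime and curve coefficient a (b = 2 is implicit)
G = (5, 1)              # base point
INF = None              # point at infinity


def ec_add(p1, p2):
    """Affine point addition; also covers doubling and the point at infinity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_sub(p1, p2):
    return p1 if p2 is INF else ec_add(p1, (p2[0], -p2[1] % P))


def ec_mul(k, p):
    """Double-and-add scalar multiplication (not constant time: toy only)."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = ec_add(acc, p)
        p, k = ec_add(p, p), k >> 1
    return acc


def point_order(p):
    n, q = 1, p
    while q is not INF:
        q, n = ec_add(q, p), n + 1
    return n


N = point_order(G)      # order of G (19 on this curve)


def rand_scalar():
    return secrets.randbelow(N - 1) + 1     # uniform in [1, N-1]


def smp(x, y, a=None, b=None):
    """Socialist millionaire protocol as on the slides: Alice holds x, Bob holds y.
    a = (a2, a3, s) and b = (b2, b3, r) can be fixed for reproducible runs.
    Returns (alice_accepts, bob_accepts); both are True iff x == y (mod N)."""
    a2, a3, s = a or (rand_scalar(), rand_scalar(), rand_scalar())
    b2, b3, r = b or (rand_scalar(), rand_scalar(), rand_scalar())
    # roundtrip 1: exchange G2a, G3a, G2b, G3b
    G2a, G3a = ec_mul(a2, G), ec_mul(a3, G)
    G2b, G3b = ec_mul(b2, G), ec_mul(b3, G)
    G2, G3 = ec_mul(a2, G2b), ec_mul(a3, G3b)               # Alice's G2, G3
    assert (G2, G3) == (ec_mul(b2, G2a), ec_mul(b3, G3a))   # match Bob's
    # roundtrip 2: exchange Pa, Qa, Pb, Qb
    Pa, Qa = ec_mul(s, G3), ec_add(ec_mul(s, G), ec_mul(x, G2))
    Pb, Qb = ec_mul(r, G3), ec_add(ec_mul(r, G), ec_mul(y, G2))
    # roundtrip 3: exchange Ra, Rb
    Ra, Rb = ec_mul(a3, ec_sub(Qa, Qb)), ec_mul(b3, ec_sub(Qa, Qb))
    # a3*Rb = b3*Ra = (Pa - Pb) + a3*b3*(x - y)*G2, so the check holds iff x == y
    return ec_mul(a3, Rb) == ec_sub(Pa, Pb), ec_mul(b3, Ra) == ec_sub(Pa, Pb)


# Fixed points for SPAKE2. TOY ONLY: here their discrete logs are known, which
# breaks the security argument; real code uses nothing-up-my-sleeve points.
M, N_PT = ec_mul(2, G), ec_mul(3, G)


def spake2(w_alice, bob_wM, bob_wN, x=None, y=None):
    """One-roundtrip SPAKE2 as on the slides. Alice knows the password scalar w;
    Bob is given only the public derivatives w*M and w*N (the slides' caveat:
    that is all he needs). Returns (K_alice, K_bob): equal when both derive from
    the same w, and different otherwise except with probability about 1/N."""
    x, y = x or rand_scalar(), y or rand_scalar()
    T = ec_add(ec_mul(w_alice, M), ec_mul(x, G))             # Alice -> Bob
    S = ec_add(bob_wN, ec_mul(y, G))                          # Bob -> Alice
    K_alice = ec_mul(x, ec_sub(S, ec_mul(w_alice, N_PT)))     # = x*y*G if w matches
    K_bob = ec_mul(y, ec_sub(T, bob_wM))                      # = x*y*G if w matches
    return K_alice, K_bob
```

Because the group has only 19 elements, a mismatched password still yields equal SPAKE2 keys about one time in 19, which is why SPAKE2 deployments add explicit key confirmation on top of the bare exchange.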
Possible use-cases
• Automatic key rotation for long-lived encrypted connections
(diagram labels: SMP (or SPAKE2 with confirm); Encrypted communication (K1); Encrypted communication (K2); save negotiated key)
Conclusions
• Zero-knowledge protocols are useful building blocks for enhanced-security and privacy-preserving protocols
• They are useful in scenarios where one of the protocol participants may be malicious
• You may use SPAKE2 for many real-world tasks, but you have to be aware of its caveats
• The socialist millionaire protocol provides more security guarantees, although with some performance penalty
Links
• Paper: https://www.cossacklabs.com/files/secure-comparator-paper-rev12.pdf
• SMP code: https://github.com/cossacklabs/themis
• SPAKE2 code: https://boringssl.googlesource.com/boringssl/+/master/crypto/curve25519/spake25519.c
• sctest.c: https://gist.github.com/secumod/d3a064ee93e3eda74aebd379e60ede66
• spake2test.c: https://gist.github.com/secumod/5c35c067a4e25fbe038f09a2706b236b
Thank you!
Questions?

More Related Content

Similar to Overview and evolution of password-based authentication schemes

Cache on Delivery
Cache on DeliveryCache on Delivery
Cache on Delivery
SensePost
 
Happy Go Programming
Happy Go ProgrammingHappy Go Programming
Happy Go Programming
Lin Yo-An
 
Git Magic: Versioning Files like a Boss
Git Magic: Versioning Files like a BossGit Magic: Versioning Files like a Boss
Git Magic: Versioning Files like a Boss
tmacwilliam
 
Django cryptography
Django cryptographyDjango cryptography
Django cryptography
Erik LaBianca
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
OWASP Delhi
 
Ethereum 101
Ethereum 101Ethereum 101
Ethereum 101
Chang-Wu Chen
 
What is the cost of a secret
What is the cost of a secretWhat is the cost of a secret
What is the cost of a secret
LibbySchulze
 
ELK stack at weibo.com
ELK stack at weibo.comELK stack at weibo.com
ELK stack at weibo.com
琛琳 饶
 
Public Key Cryptography
Public Key CryptographyPublic Key Cryptography
Public Key Cryptography
Gopal Sakarkar
 
Inside Of Mbga Open Platform
Inside Of Mbga Open PlatformInside Of Mbga Open Platform
Inside Of Mbga Open Platform
Hideo Kimura
 
Get Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAMGet Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAM
Jonathan Katz
 
Onsg10 Intro Termtter
Onsg10 Intro TermtterOnsg10 Intro Termtter
Onsg10 Intro Termtter
Shota Fukumori
 
London devops logging
London devops loggingLondon devops logging
London devops logging
Tomas Doran
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
DefconRussia
 
iCloud keychain
iCloud keychainiCloud keychain
iCloud keychain
Alexey Troshichev
 
Class3
Class3Class3
HifnCrypto101
HifnCrypto101HifnCrypto101
HifnCrypto101
Jim Faith
 
goaを使った開発TIPS@六本木一丁目
goaを使った開発TIPS@六本木一丁目goaを使った開発TIPS@六本木一丁目
goaを使った開発TIPS@六本木一丁目
jumpei chikamori
 
The slower the stronger a story of password hash migration
The slower the stronger  a story of password hash migrationThe slower the stronger  a story of password hash migration
The slower the stronger a story of password hash migration
OWASP
 
Safely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAMSafely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAM
Jonathan Katz
 

Similar to Overview and evolution of password-based authentication schemes (20)

Cache on Delivery
Cache on DeliveryCache on Delivery
Cache on Delivery
 
Happy Go Programming
Happy Go ProgrammingHappy Go Programming
Happy Go Programming
 
Git Magic: Versioning Files like a Boss
Git Magic: Versioning Files like a BossGit Magic: Versioning Files like a Boss
Git Magic: Versioning Files like a Boss
 
Django cryptography
Django cryptographyDjango cryptography
Django cryptography
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
 
Ethereum 101
Ethereum 101Ethereum 101
Ethereum 101
 
What is the cost of a secret
What is the cost of a secretWhat is the cost of a secret
What is the cost of a secret
 
ELK stack at weibo.com
ELK stack at weibo.comELK stack at weibo.com
ELK stack at weibo.com
 
Public Key Cryptography
Public Key CryptographyPublic Key Cryptography
Public Key Cryptography
 
Inside Of Mbga Open Platform
Inside Of Mbga Open PlatformInside Of Mbga Open Platform
Inside Of Mbga Open Platform
 
Get Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAMGet Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAM
 
Onsg10 Intro Termtter
Onsg10 Intro TermtterOnsg10 Intro Termtter
Onsg10 Intro Termtter
 
London devops logging
London devops loggingLondon devops logging
London devops logging
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
 
iCloud keychain
iCloud keychainiCloud keychain
iCloud keychain
 
Class3
Class3Class3
Class3
 
HifnCrypto101
HifnCrypto101HifnCrypto101
HifnCrypto101
 
goaを使った開発TIPS@六本木一丁目
goaを使った開発TIPS@六本木一丁目goaを使った開発TIPS@六本木一丁目
goaを使った開発TIPS@六本木一丁目
 
The slower the stronger a story of password hash migration
The slower the stronger  a story of password hash migrationThe slower the stronger  a story of password hash migration
The slower the stronger a story of password hash migration
 
Safely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAMSafely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAM
 

Recently uploaded

manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
wolfsoftcompanyco
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
davidjhones387
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
ysasp1
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
Laura Szabó
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
uehowe
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
bseovas
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
uehowe
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
hackersuli
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
fovkoyb
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
Toptal Tech
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
Design Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptxDesign Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptx
saathvikreddy2003
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
uehowe
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 

Recently uploaded (19)

manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
Design Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptxDesign Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptx
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
 

Overview and evolution of password-based authentication schemes

  • 1. Overview and evolution of password- based authentication schemes Ignat Korchagin
  • 2. Passwords in Roman Empire Ave, Caesar! http://ancienthistory.about.com/library/bl/bl_text_polybius6.htm • every night the watchword was changed • used a “roundtrip” delivery mechanism with confirmation to distribute the password
  • 3. Passwords in modern world create password? “hunter2” hehe, no one will ever guess
  • 5. HTTP basic authentication alice:example.com:hunter2 • simple • password is sent in clear text • HTTPS is needed to protect from eavesdroppers • server DB leak compromises all the passwords
  • 6. HTTP digest authentication • server stores Hash(alice:example.com:hunter2)
  • 7. HTTP digest authentication • server stores Hash(alice:example.com:hunter2) GET secret info
  • 8. HTTP digest authentication • server stores Hash(alice:example.com:hunter2) GET secret info nonce
  • 9. HTTP digest authentication • server stores Hash(alice:example.com:hunter2) GET secret info nonce cnonce, Hash(Hash(alice:example.com:hunter2),nonce,cnonce)
  • 10. HTTP digest authentication • passwords are not sent in clear text • protected from replay attacks • servers may store hashes of passwords instead of passwords themselves • server DB leak compromises passwords for specific realm only
  • 11. HTTP digest authentication • passwords are not sent in clear text • protected from replay attacks • servers may store hashes of passwords instead of passwords themselves • server DB leak compromises passwords for specific realm only BUT…
  • 12. HTTP digest authentication • still vulnerable to MiTM • still vulnerable to spoofed websites • requires HTTPS • vulnerable to dictionary attacks
  • 13. HTTP digest authentication • still vulnerable to MiTM • still vulnerable to spoofed websites • requires HTTPS • vulnerable to dictionary attacks From RFC 7616: HTTP Digest Authentication, when used with human-memorable passwords, is vulnerable to dictionary attacks. Such attacks are much easier than cryptographic attacks on any widely used algorithm, including those that are no longer considered secure. In other words, algorithm agility does not make this usage any more secure. As a result, Digest Authentication SHOULD be used only with passwords that have a reasonable amount of entropy, e.g., 128-bit or more. Such passwords typically cannot be memorized by humans but can be used for automated web services. If Digest Authentication is being used, it SHOULD be over a secure channel like HTTPS.
  • 15. HTTP OAuth auth token GET auth token • allows delegations • does not need to use real credentials • needs other methods to authenticate on authorization server • HTTPS is needed to protect from eavesdroppers
  • 17. HTTPS is hard • problems with mixed content • maybe fixed with implementing proper content security policy
  • 18. HTTPS is hard • problems with mixed content • maybe fixed with implementing proper content security policy • spoofed websites • similar domain names, same look and feel
  • 19. HTTPS is hard • problems with mixed content • maybe fixed with implementing proper content security policy • spoofed websites • similar domain names, same look and feel • spoofed certificates • https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-ssl- certificates-from-comodo-via-dangling-markup-injection/index.html
  • 20. HTTPS is hard • problems with mixed content • maybe fixed with implementing proper content security policy • spoofed websites • similar domain names, same look and feel • spoofed certificates • https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-ssl- certificates-from-comodo-via-dangling-markup-injection/index.html • compromised keys and certificates • certificate revocation is hard
  • 21. Can we do better?
  • 22. Socialist millionaires • Socialist millionaire problem is a way for two millionaires to check whether their wealth is equal
  • 23. Socialist millionaires • EC curve: G - base point, n - order of G • Alice and Bob have x and y respectively. Both want to know whether x==y.
• 24–29. Socialist millionaires • EC curve: G - base point, n - order of G • Alice and Bob have x and y respectively. Both want to know whether x==y.
  Alice: generate a2, a3, s; G2a = a2*G; G3a = a3*G
  Bob: generate b2, b3, r; G2b = b2*G; G3b = b3*G
  Exchange: G2a, G3a, G2b, G3b
  Alice: G2 = a2*G2b; G3 = a3*G3b; Pa = s*G3; Qa = s*G + x*G2
  Bob: G2 = b2*G2a; G3 = b3*G3a; Pb = r*G3; Qb = r*G + y*G2
  Exchange: Pa, Qa, Pb, Qb
  Alice: Ra = a3*(Qa-Qb)
  Bob: Rb = b3*(Qa-Qb)
  Exchange: Ra, Rb
  Alice checks: a3*Rb == Pa-Pb
  Bob checks: b3*Ra == Pa-Pb
  Why the check works: a3 * Rb = b3 * Ra = (Pa - Pb) + (a3 * b3 * (x - y)) * G2
  • 30. Socialist millionaires • Socialist millionaire problem is a way for two millionaires to check whether their wealth is equal • can be used to verify whether two parties possess the same secret • a passive attacker learns nothing about the protocol and its outcome • MiTM can do no better than a passive attacker, except for disrupting the communication channel • even if one of the parties is dishonest, they learn nothing more than the protocol outcome • unlike most other zero-knowledge proofs, requires O(1) protocol iterations • is adopted in practice and has a good history
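A runnable walk-through of the protocol on slides 24–28, added here as an example; it is not code from the talk or from Themis. It keeps the slide's variable names (a2, a3, s, G2a, Pa, Qa, Ra, ...) but, to run without any library, swaps the elliptic curve for a prime-order subgroup of Z_p^* (the kind of group OTR's SMP uses) with constructed toy parameters; rand_scalar, secret_to_scalar and smp are names of this example only.

```python
# Socialist Millionaire Protocol exactly as drawn on slides 24-28, added here as an
# example (not the talk's or Themis' code). The slide uses additive EC notation
# (k*P, P + Q); to stay dependency-free this demo runs the same steps in a
# prime-order subgroup of Z_p^*, so k*P becomes pow(P, k, p), P + Q becomes
# P*Q mod p and P - Q becomes P*Q^-1 mod p.
# All group parameters are constructed toy values and provide no real security.
import hashlib
import secrets

P = 2039        # constructed safe prime, P = 2*ORDER + 1
ORDER = 1019    # n on the slide: the order of G
G = 4           # 4 = 2^2 is a square mod P, so it generates the order-1019 subgroup

def mul(k, point): return pow(point, k % ORDER, P)       # "k*P" on the slide
def add(p1, p2): return (p1 * p2) % P                    # "P + Q"
def sub(p1, p2): return (p1 * pow(p2, -1, P)) % P        # "P - Q"

def rand_scalar():
    return secrets.randbelow(ORDER - 1) + 1              # uniform in [1, n-1]

def secret_to_scalar(secret):
    """Map a shared secret such as a password into Z_n; both sides must agree on this mapping."""
    return int.from_bytes(hashlib.sha256(secret.encode()).digest(), "big") % ORDER

def smp(x, y):
    """Run SMP between Alice (secret x) and Bob (secret y). Returns (Alice's verdict, Bob's verdict)."""
    # Roundtrip 1: exchange G2a, G3a, G2b, G3b
    a2, a3, s = rand_scalar(), rand_scalar(), rand_scalar()
    b2, b3, r = rand_scalar(), rand_scalar(), rand_scalar()
    G2a, G3a = mul(a2, G), mul(a3, G)
    G2b, G3b = mul(b2, G), mul(b3, G)
    # both sides now derive G2 = a2*b2*G and G3 = a3*b3*G without learning the other's exponents
    G2_a, G3_a = mul(a2, G2b), mul(a3, G3b)
    G2_b, G3_b = mul(b2, G2a), mul(b3, G3a)
    # Roundtrip 2: blinded commitments to x and y; exchange Pa, Qa, Pb, Qb
    Pa, Qa = mul(s, G3_a), add(mul(s, G), mul(x, G2_a))
    Pb, Qb = mul(r, G3_b), add(mul(r, G), mul(y, G2_b))
    # Roundtrip 3: Ra = a3*(Qa - Qb), Rb = b3*(Qa - Qb); exchange Ra, Rb
    Ra = mul(a3, sub(Qa, Qb))
    Rb = mul(b3, sub(Qa, Qb))
    # a3*Rb = b3*Ra = (Pa - Pb) + a3*b3*(x - y)*G2, so the checks pass iff x == y (mod n);
    # an eavesdropper sees only blinded points and learns neither x, y nor the outcome
    alice_ok = mul(a3, Rb) == sub(Pa, Pb)
    bob_ok = mul(b3, Ra) == sub(Pa, Pb)
    return alice_ok, bob_ok

if __name__ == "__main__":
    print(smp(secret_to_scalar("hunter2"), secret_to_scalar("hunter2")))   # (True, True)
    print(smp(5, 6))                                                       # (False, False)
```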
  • 31. OTR SMP • Uses 1536-bit group calculations
  • 32. OTR SMP • Uses 1536-bit group calculations • BUT: LogJam!
  • 33. OTR SMP • Uses 1536-bit group calculations • BUT: LogJam! • 512-bit broken • 1024-bit probably broken • 1536-bit is very close!
  • 34. Themis SMP vs OTR SMP • Improving SMP • moved all cryptographic operations into the ECC domain • modern (boring) cryptography (ed25519) • timing attack protection • fast and performant • reduced memory footprint • support for many high-level languages • simple API • GitHub: https://github.com/cossacklabs/themis
  • 35. SPAKE2 • EC curve: G - base point, n - order of G, M,N - known fixed points on the curve • Alice and Bob know w.
• 36–38. SPAKE2 • EC curve: G - base point, n - order of G, M, N - known fixed points on the curve • Alice and Bob know w.
  Alice: generate x; X = x*G; T = w*M + X
  Bob: generate y; Y = y*G; S = w*N + Y
  Exchange: T, S
  Alice: K = x*(S - w*N)
  Bob: K = y*(T - w*M)
  • 39. SPAKE2 • PAKE - password-authenticated key agreement • basic SPAKE2 requires only 1 roundtrip • simple, requires small number of asymmetric cryptographic operations • easy to implement • provides a negotiated secret key as a protocol outcome
  • 40. SPAKE2 • PAKE - password-authenticated key agreement • basic SPAKE2 requires only 1 roundtrip • simple, requires small number of asymmetric cryptographic operations • easy to implement • provides a negotiated secret key as a protocol outcome • Example: SPAKE2 (https://tools.ietf.org/html/draft-irtf-cfrg-spake2-03)
  • 41–43. SMP vs SPAKE2 • SMP: provides mutual authentication; protected from MiTM; requires 3 roundtrips • SPAKE2: provides mutual authentication; protected from MiTM; requires 2 roundtrips
  • 44. Socialist millionaires • (the SMP protocol diagram of slides 24–29 shown again)
  • 45–46. SPAKE2 • EC curve: G - base point, n - order of G, M, N - known fixed points on the curve • Alice and Bob know w. • (the SPAKE2 protocol diagram of slides 36–38 shown again) • Key confirmation?
  • 47–50. SMP vs SPAKE2 • SMP: provides mutual authentication; protected from MiTM; requires 3 roundtrips; slower (~30 times slower in pure C, ~3 times slower in Python); negotiates 2 shared secrets • SPAKE2: provides mutual authentication; protected from MiTM; requires 2 roundtrips; faster (~30 times faster in pure C, ~3 times faster in Python); negotiates 1 shared secret
  • 51–52. Socialist millionaires • (the SMP protocol diagram of slides 24–29 shown again)
  • 53. SMP vs SPAKE2 • SMP: provides mutual authentication; protected from MiTM; requires 3 roundtrips; slower (~30 times slower in pure C, ~3 times slower in Python); negotiates 2 shared secrets; provides zero-knowledge guarantee • SPAKE2: provides mutual authentication; protected from MiTM; requires 2 roundtrips; faster (~30 times faster in pure C, ~3 times faster in Python); negotiates 1 shared secret; has some implementation caveats
  • 54–56. SPAKE2 • EC curve: G - base point, n - order of G, M, N - known fixed points on the curve • Alice and Bob know w. • (the SPAKE2 protocol diagram of slides 36–38 shown again) • To successfully complete the protocol, the peer does not even need to know w (the real secret information): • w*M and w*N (its public derivatives) are enough
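The SPAKE2 exchange of slides 36–38 together with the caveat of slide 56, added here as an example; it is not code from the talk or from BoringSSL. To run without any library it swaps the curve for a prime-order subgroup of Z_p^* with constructed toy parameters; derivs, initiator_msg, responder_msg, initiator_key, responder_key, confirm_tag and run are names of this example only, the functions deliberately take the public derivatives (w*M, w*N) instead of w, and the HMAC-based key confirmation is an assumed construction the talk does not specify.

```python
# SPAKE2 as drawn on the slides, added as an example (not the talk's or BoringSSL's
# code). The slide's additive EC notation is carried out in a prime-order subgroup
# of Z_p^* so the demo needs no library: k*P -> pow(P, k, p), P + Q -> P*Q mod p,
# P - Q -> P*Q^-1 mod p. All parameters are constructed toy values, not secure.
import hashlib
import hmac
import secrets

P, ORDER, G = 2039, 1019, 4        # constructed safe prime, order n of G, base point G
M, N = pow(G, 3, P), pow(G, 5, P)  # fixed points; real SPAKE2 needs M, N with unknown
                                   # discrete logs, here they are deliberately 3 and 5

def mul(k, point): return pow(point, k % ORDER, P)   # k*P
def add(p1, p2): return (p1 * p2) % P                # P + Q
def sub(p1, p2): return (p1 * pow(p2, -1, P)) % P    # P - Q

def derivs(w):
    """Public derivatives (w*M, w*N) of the password scalar w; all a party needs below."""
    return mul(w, M), mul(w, N)

def initiator_msg(wM, x=None):
    """Alice: generate x, X = x*G, send T = w*M + X (x may be fixed for deterministic tests)."""
    x = secrets.randbelow(ORDER - 1) + 1 if x is None else x
    return x, add(wM, mul(x, G))

def responder_msg(wN, y=None):
    """Bob: generate y, Y = y*G, send S = w*N + Y."""
    y = secrets.randbelow(ORDER - 1) + 1 if y is None else y
    return y, add(wN, mul(y, G))

def initiator_key(x, S, wN):
    return mul(x, sub(S, wN))                        # K = x*(S - w*N)

def responder_key(y, T, wM):
    return mul(y, sub(T, wM))                        # K = y*(T - w*M)

def confirm_tag(K, T, S):
    """Key confirmation as a MAC over the transcript under K (assumed construction)."""
    return hmac.new(K.to_bytes(2, "big"), f"{T}|{S}".encode(), hashlib.sha256).hexdigest()

def run(alice, bob, x=None, y=None):
    """alice, bob = each side's (w*M, w*N). Returns (K_alice, K_bob, confirmation passed)."""
    x, T = initiator_msg(alice[0], x)
    y, S = responder_msg(bob[1], y)
    Ka, Kb = initiator_key(x, S, alice[1]), responder_key(y, T, bob[0])
    return Ka, Kb, confirm_tag(Ka, T, S) == confirm_tag(Kb, T, S)

if __name__ == "__main__":
    print(run(derivs(7), derivs(7)))   # equal keys, confirmation passes
    print(run(derivs(7), derivs(8)))   # different passwords: keys differ, confirmation fails
    # Slide 56's caveat: a peer holding only derivs(w), never w itself, runs this very
    # code path, so it completes the exchange and passes key confirmation as well.
```

Because such a peer derives the same K, a confirmation tag computed from K cannot tell it apart from one who knows w, which is why the stored derivatives deserve the same protection as the password.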
  • 59–62. Possible use-cases • Automatic key rotation for long-lived encrypted connections: SMP (or SPAKE2 with confirm) → Encrypted communication (K1) → save negotiated key → Encrypted communication (K2)
  • 63. Conclusions • Zero-knowledge protocols are useful building blocks for enhanced security and privacy-preserving protocols • They can be useful in a scenario where one of the protocol participants may be malicious • You may use SPAKE2 for many real-world tasks, but you have to be aware of the caveats • Socialist millionaire protocol provides more security guarantees, although with some performance penalty
  • 64. Links • Paper: https://www.cossacklabs.com/files/secure-comparator-paper-rev12.pdf • SMP code: https://github.com/cossacklabs/themis • SPAKE2 code: https://boringssl.googlesource.com/boringssl/+/master/crypto/curve25519/spake25519.c • sctest.c: https://gist.github.com/secumod/d3a064ee93e3eda74aebd379e60ede66 • spake2test.c: https://gist.github.com/secumod/5c35c067a4e25fbe038f09a2706b236b