RE: Thoughts on shared-key authentication

The problem with Charles' proposal is that it does not protect passwords
against off-line attacks.  If I can obtain a challenge-response pair
(say, by cracking the 40-bit encryption used to encrypt it), and the
client's password is poorly chosen (or is nothing more than a 4- or
5-digit PIN), then I can simply do a dictionary attack on the
challenge-response pair, obtaining the original password by exhaustive
search.

Our shared-key authentication proposal is designed to thwart this
attack, by incorporating a long key derived from the master secret into
the authentication response.  Since the master secret is exchanged using
public-key cryptography, the derived key hashed into the authentication
response is not available to the attacker regardless of the strength of
symmetric encryption used.  Hence even a 4-digit PIN is effectively
invulnerable to off-line attacks (on-line attacks can of course be
restricted in number by a properly designed server).

				Daniel Simon
				Cryptographer, Microsoft Corp.
				(dansimon@microsoft.com)

>----------
>From: 	Charles Watt[SMTP:watt@sware.com]
>Sent: 	Friday, October 11, 1996 2:58 PM
>To: 	ericm@lne.com
>Cc: 	marcvh@aventail.com; tomw@netscape.com; ietf-tls@w3.org
>Subject: 	Thoughts on shared-key authentication
>
>-----BEGIN PRIVACY-ENHANCED MESSAGE-----
>Proc-Type: 4,MIC-CLEAR
>Content-Domain: RFC822
>Originator-Certificate:
> MIIBvzCCAWkCEFmOln6ip0w49CuyWr9vDVUwDQYJKoZIhvcNAQECBQAwWTELMAkG
> A1UEBhMCVVMxGDAWBgNVBAoTD1NlY3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2Vj
> dXJlV2FyZSBQQ0ExFzAVBgNVBAsTDkVuZ2luZWVyaW5nIENBMB4XDTk1MDUwODIw
> MjMzNVoXDTk3MDUwNzIwMjMzNVowcDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Nl
> Y3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2VjdXJlV2FyZSBQQ0ExFzAVBgNVBAsT
> DkVuZ2luZWVyaW5nIENBMRUwEwYDVQQDEwxDaGFybGVzIFdhdHQwWTAKBgRVCAEB
> AgICBANLADBIAkEM2ZSp7b6eqDqK5RbPFpd6DGSLjbpHOZU07pUcdgJXiduj9Ytf
> 1rsmf/adaplQr+X5FeoIdT/bVSv2MUi3gY0eFwIDAQABMA0GCSqGSIb3DQEBAgUA
> A0EApEjzeBjiSnGImJXgeY1K8HWSufpJ2DpLBF7DYqqIVAX9H7gmfOJhfeGEYVjK
> aTxjgASxqHhzkx7PkOnL4JrN+Q==
>MIC-Info: RSA-MD5,RSA,
> BwP+eZsNFRAvH/278pFEFxJYn4qugayrKLxU0mEYckY5DDWVTbDex6Dpjq8jAncW
> 1ydDgePOn0MDaLcb6Er+czg=
>
>There are many applications that have a much stronger requirement for
>data authenticity than for confidentiality.  As an example, retail
>banking over the Internet.  (Please hold any comments on the specific
>example.  If you do not like it, think for a while and you will be able 
>to find an example that your prefer that meets these criteria).  40-bit 
>keys for encryption are adequate for things like viewing your check 
>register -- there are MUCH easier ways for an attacker to gain access to 
>your transaction data than breaking a 40-bit key (e.g., if in the US the
>odds are pretty good that your bank supports telephone banking where all 
>I need is your account number from your check and your SSN, which I can 
>look up on the Web).  However, the authorization of bill payments requires 
>a full 128-bits of authenticity -- definitely not cool if an attacker can 
>pay your bills for you.
>
>When servicing a customer base of > 1 million account holders, it is:
>
>	1) an onerous administrative task
>	2) a horrendous performance hit on the server
>
>to use client-side certificates -- particularly in light of the fact 
>that most banks have already distributed via manual methods sufficient 
>information to authenticate customers (e.g., ATM cards and PINs) that 
>could be used in an automated fashion by an on-line bank server.
>
>It is quite possible to build into TLS a shared-secret authentication
>mechanism that is exportable and whose strength is independent of the
>strength of the encryption.  We run an example of such a mechanism in 
>our lab:
>
>	a) modify a public-domain implementation of MD5 or SHA to add
> 	   procedures for saving and restoring the internal state
>	   registers -- an easy task.
>
>	b) on the server, create a one-way hash of the customer password
>	   by running your modified hash function over the password.
>	   Save the internal state registers of the hash function and throw 
>	   away the password.
>
>	c) when the customer logs in, have the server send a one-time nonce
>	   to the browser.
>
>	d) have the client prompt the customer for the customer's password.
>	   The client calculates the one way hash of password + nonce.
>
>	e) send the resulting hash value to the server.  Note that a standard
>	   version of the hash function is all you need on the client.
>
>	f) server verifies customer password by restoring the hash function
>	   registers and performing the final hash cycle over just the
>	   nonce.
>
>Charles Watt
>Security First Network Bank
>www.sfnb.com
>
>P.S:
>Even though we built this in the lab with the intent of providing it for
>our international banks, we were never able to deploy it due to a security
>flaw in all SSL-capable Web servers that were available at the time -- no one
>provided an interface by which the application running on the server could 
>access the SSL session ID.  Without access to the session ID to link 
>successive connections into a login session, the 128-bit keyed hash provided 
>by SSL is worthless to the application.  Instead the app must fall back on 
>the cookie mechanism as a way to link a login session.  But cookies are
>protected using 40-bit encryption, reducing the assurance with which you can 
>link successive connections from 128 --> 40 bits.  
>
>In the end it was easier to find an off-shore solution to the crypto problem 
>than to get the big name server vendors to support secure applications.
>
>-----END PRIVACY-ENHANCED MESSAGE-----
>
>

Received on Monday, 14 October 1996 18:14:57 UTC