Jan's Blog

Research Weekly, starting on October 16th, 2023

In a security system that allows people to choose their own passwords, people tend to choose passwords that can be easily guessed. This weakness exists in practically all widely used systems. Instead of forcing users to choose secrets that are likely to be difficult for them to remember, solutions that maintain user convenience and a high level of security at the same time are proposed. The basic idea is to ensure that data available to the attacker is sufficiently unpredictable to prevent an offline verification of whether a guess is successful or not. Common forms of guessing attacks are examined, examples of cryptographic protocols that are immune to such attacks are developed, and a systematic way to examine protocols to detect vulnerabilities to such attacks is suggested.

Classical cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. We introduce a novel combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allow two parties sharing a common password to exchange confidential and authenticated information over an insecure network. These protocols are secure against active attacks, and have the property that the password is protected against off-line “dictionary”attacks. There ar Device-Enhanced-Password-Protocols-with-Optimal-Online-Offline-Protection.md e a number of other useful applications as well,including secure public telephones.

ProVerif可以用来自动分析密码协议的Security性质，功能涵盖对称和非对称加密、数字签名、哈希函数、比特承诺、非交互式零知识证明。ProVerif可以证明可达性(reachability)，对应断言(correspondence assertion)，和可观察的等价性(observational equivalence)。这个能力使得它能对计算机安全领域中的机密性和认证性质进行分析，也可以考虑一些新兴的性质，如隐私性(privacy)、可追溯性(traceability)、可验证性(verifiability)。它还具有攻击重构的功能，如果某个性质不能被证明，ProVerif就会尝试构造一个反例trace。

2011 年 Wei 等学者首次提出了一个基于 RSA 的可证明安全的网关口令认证密钥交换协议，并声称在随机预言模型下基于大整数素因子分解的困难性证明了协议的安全性。利用该协议中服务器端提供的预言机服务，提出一 种分离攻击，攻击者只需发起几十次假冒会话便可恢复出用户的口令。攻击结果表明，该协议无法实现所声称的口令保护这一基本安全目标，突出显示了分离攻击是针对基于 RSA 的口令认证密钥交换协议的一种严重安全威胁。进一步指出了协议形式化安全证明中的失误，给出一个改进方案。分析结果表明，改进方案在提高安全性的同时保持了较高效率，更适于移动通信环境。

As the most prevailing two-factor authentication mechanism, smart-card-based password authentication has been a subject of intensive research in the past two decades, and hundreds of this type of schemes have wave upon wave been proposed. In most of these studies, there is no comprehensive and systematical metric available for schemes to be assessed objectively, and the authors present new schemes with assertions of the superior aspects over previous ones, while overlooking dimensions on which their schemes fare poorly. Unsurprisingly, most of them are far from satisfactory—either are found short of important security goals or lack of critical properties, especially being stuck with the security-usability tension. To overcome this issue, in this work we first explicitly define a security model that can accurately capture the practical capabilities of an adversary and then suggest a broad set of twelve properties framed as a systematic methodology for comparative evaluation, allowing schemes to be rated across a common spectrum. As our main contribution, a new scheme is advanced to resolve the various issues arising from user corruption and server compromise, and it is formally proved secure under the harshest adversary model so far. In particular, by integrating “honeywords”, traditionally the purview of system security, with a “fuzzy-verifier”, our scheme hits “two birds”: it not only eliminates the long-standing security-usability conflict that is considered intractable in the literature, but also achieves security guarantees beyond the conventional optimal security bound.

In this paper, we analyse the SPEKE protocol as specified in the ISO/IEC and IEEE standards. We identify that the protocol is vulnerable to two new attacks

• impersonation attack

  allows an attacker to impersonate a user without knowing the password by launching two parallel sessions with the victim

• key-malleability attack

  allows a man-in-the-middle (MITM) to manipulate the session key without being detected by the end users

We propose a patched SPEKE called P-SPEKE and present a formal analysis in the Applied Pi Calculus using ProVerif to show that the proposed patch prevents both attacks.

2023spring 密码协议课程笔记
授课老师：汪定