A Modular Framework for Multi-Factor Authentication & Key Exchange

Transcription

1 A Modular Framework for Multi-Factor Authentication & Key Exchange Nils Fleischhacker, Mark Manulis, Amir Azodi SSR December 17, 2014

2 Multi-Factor Authentication MFA (client) authentication by combination of 2+ authentication factors aims to guarantee security if one of the factors remains uncompromised something the user knows low-entropy passwords (static, one-time) KNOWLEDGE something the user is biometric features (fingerprints, face, iris behavior, etc..) PRESENCE IDENTITY POSSESSION high-entropy secrets (symmetric, asymmetric crypto) stored in software/hardware e.g. USB tokens, smartcards something the user has ENVIRONMENT existence of social links (plays an increasing role within social networks and co) someone the user knows

3 MFA standards and products MFA patents and standards PCI Data Security Standard, Ver. 2, 2010 (payment card industry) NIST Special Publication , 2011 HMAC-based One-Time Password (HOTP, RFC 4226) Time-based One-Time Password (TOTP, RFC 6238) FIDO Alliance Universal Authentication Framework (UAF), Oct 2014 MFA(KE) products 2FA websites: OATH HOTP/TOTP RSA SecureID Google Authenticator,...

4 MFA research highlights various MFA(KE) protocols e.g. [HAD06, A07, BSS+09, D09, FL09] mostly loose security definitions and partially missing analysis first MFAKE model by Pointcheval and Zimmer [PZ08] three factors (1 password, 1 private key, 1 biometric) liveness assumption (for biometrics) for the client optional pk-based server authentication impersonation attacks found by Hao and Clarke [HC12] provably secure MFAKE protocol by Stebila, Udupi, and Chang [SUC10] n factors as a mix of (one-time) passwords and symmetric keys pk-based server authentication

5 Example MFAKE protocol [PZ08] Three factors biometric template W C = (w 1,..., w n ), each w i is a bit private/public key (sk, pk = g sk ) password pw W C = (w 1,..., w n ) sk pw K = (g a u pw / u pw ) b = g ab g b v pw {g t ig r i} i, g a u pw {g r i, pk r i g w i} i pk = g sk pw K = (g b v pw / v pw ) a = g ab {K i = (g t ig r i) sk g w i} i {K i = pk t i pk r i g w i} i {H(K, pw, K i,...)} i C if at least τ hash values match: {H(K, pw, K i,...)} i

6 Example MFAKE protocol [PZ08] attack in [HC12] shows that knowledge of pw can be used to reveal W C this shows that it is dangerous to mix authentication factors W C = (w 1,..., w n ) sk pw K = (g a u pw / u pw ) b = g ab {K i = (g s i) sk g w i} i g b v pw {g s i} i, g a u pw {H(K, pw, K i,...)} i pk pw K = (g b v pw / v pw ) a = g ab {K 0,i = pk s i g 0 } i {K 1,i = pk s i g 1 } i find w i by comparing hashes with H(K, pw, K 0,i...)} or H(K, pw, K 1,i...)

7 Aiming at Modular MFA Framework Advantage through modularity cleaner design each factor is processed independently of any other factor helps to avoid problems with mixing factors more flexible backwards compatibility with single-factor solutions easier to replace factors, easier to add new factors flexibility in the adoption of multiple communication channels simpler simpler security analysis simpler development and maintenance of MFA standards Eventual drawbacks in general less efficient than customized solutions but optimisation potential (comms, comps) may gain efficiency by deployment (e.g. single vs. multiple channels)

8 Aiming at Generalised MFA (α,β,γ)-mfake framework support for arbitrary combinations of authentication factors initially three factor types: passwords, private/public keys, biometrics each type may occur multiple times or not occur at all α passwords pw C = [pw C,1,..., pw C,α ] with pw C [i] D pw β private keys sk C = [sk C,1,..., sk C,β ] (and corresp. pk C ) γ biometrics W C = [W C,1,..., W C,γ ] with W C [i] Dist C,i independent of channels/devices being used Examples (2,0,0)-MFAKE pw one-time pw (1,1,0)-MFAKE (one-time) pw sk (1,0,1)-MFAKE pw fingerprint (1,1,1)-MFAKE pw sk fingerprint

9 Generalised MFA through Modularity Build on existing single-factor protocols view existing single-factor solutions as instances of (α,β,γ)-mfa (1,0,0)-MFA = (one-time) password authentication (0,1,0)-MFA = public-key authentication (0,1,0)-MFA = biometric authentication construct General MFA as a product of single-factor authentication protocols (α,β,γ)-mfa = α (1,0,0)-MFA + β (0,1,0)-MFA + γ (0,0,1)-MFA with some extra work this would allow for backward compatibility and simple addition of new factors simply by increasing/decreasing α, β, γ adding new factor types, e.g. (0,0,0,1)-MFA for social authentication

10 First Attempt: Template for (α,β,γ)-mfa Use single-factor protocols offering at least unilateral authentication. possibly encrypted hashed W C sk C pw C pw C [i] α password authentication pw C [i] WC pk C pw C sk C [i] β public key authentication pk C [i] W C [i] γ biometric authentication W C [i] This construction is not secure!... but imagine its benefits If all factors ed then C

11 Massive Flexibility through Isolation arbitrary order multiple channels addition/removal of factors backward compatibility ±

12 Impersonation Attack on Isolated Factors MFA security model must allow active attacks for up to n 1 compromised factors. An active adversary has typically full control over the network. f 1,..., f n f n f 1 f 1 f n 1 f n 1 f n f n Server should not be allowed to based on completely isolated factors.

13 Designing secure (α,β,γ)-mfa: Step 1 If S s there must exist an instance of C with the same view as S. Same view is typically defined through matching protocol transcripts. α pw C [i] pw C [i] password authentication tran[i], tran[i] β sk C [i] pk C [i] tran[i] public key authentication, tran[i] W C [i] tran[i] γ biometric authentication W C [i], tran[i] tran C authenticated matching of tran C = tran S This needs to be realized without additional factors. tran S If all factors ed and tran C = tran S then C

14 Designing secure (α,β,γ)-mfa: Step 2 Tag-based Authentication authentication protocols that also ensures matching of input tags pw, tag pw, tag sk, tag pk, tag W, tag W, tag password authentication Unauthenticated Key Exchange public key authentication biometric authentication (forward-)secure key exchange in presence of passive adversary adversary sees (tran, key) pairs and should not be able to tell if key is real or random e.g. standard Diffie-Hellman KE protocol with ephemeral private keys tran, K UKE tran, K

15 Final (α,β,γ)-mfa Framework tran, key tag C = H1(C, S, tran, key) tag C, pw C [i] tran[i] tag C, sk C [i] tran[i] tag C, W C [i] tran[i] μ C = H2(C, S, tran C, key) UKE α password authentication β public key authentication γ biometric authentication μ C tran, key tag S = H1(C, S, tran, key) tag S, pw C [i], tran[i] tag S, pk C [i], tran[i] tag S, W C [i], tran[i] μ S = H2(C, S, tran S, key) If all factors ed and μ C = μ S then C

16 Final (α,β,γ)-mfa Framework with KE tran, key tag C = H1(C, S, tran, key) tag C, pw C [i] tran[i] tag C, sk C [i] tran[i] tag C, W C [i] tran[i] μ C = H2(C, S, tran C, key) K = H3(C, S, tran C, key) UKE α password authentication β public key authentication γ biometric authentication μ C tran, key tag S = H1(C, S, tran, key) tag S, pw C [i], tran[i] tag S, pk C [i], tran[i] tag S, W C [i], tran[i] μ S = H2(C, S, tran S, key) If all factors ed and μ C = μ S then compute K = H3(C, S, tran C, key)

17 (α,β,γ)-mfa(ke) with Server Authentication pk S tran, key tag C = H1(C, S, tran, key) tag C, pk S, tran μ C = H2(C, S, tran C, key) ν C = H2(S, C, tran S, key) If and ν S = ν C then compute K = H3(C, S, tran C, key) UKE password authentication public key authentication biometric authentication public key authentication μ C ν S tran, key tag S = H1(C, S, tran, key) tag S, sk S tran sk S μ S = H2(C, S, tran S, key) ν S = H2(S, C, tran S, key) If all factors ed and μ C = μ S then compute K = H3(C, S, tran C, key)

18 Client MFA(KE) Security Goals Client Multi-Factor Authentication A is given access to Invoke, Send, BioComp, RevealSK, and CorruptC oracles A wins if S s without an existing instance of C with a matching transcript Pr[S s] q α D pw γ false pos i i = 1 + negl AKE security A has further access to Test b oracle in real-or-random model [AFP05] A wins if it outputs b* = b such that Pr[b* = b] q α D pw γ false pos i i = 1 + negl 1 2

19 Tag-based Single-Factor Authentication with passwords PAKE protocols in the model from [BPR00] with client confirm applicable to Ω-method from [GMR06] non-invasive pw* password authentication pw* = H(tag, pw) password authentication with client confirmation pw* with public keys introduced in [JKSS10] challenge-response protocols: signaturebased and 3-move ZK invasive sk public key authentication challenge-response public key authentication random c use c* = H(tag, c) to compute and check response pk

20 Tag-based Single-Factor Authentication with biometric templates e.g. using robust fuzzy extractors (Ext, Rec) from [BDK+05] (K, pub) Ext(W c ) stored on server side after registration K = K if δ(w C, W C ) τ (e.g. matching based on Hamming distance) invasive on client side measure W C K Rec(W c, pub) K = H(C, S, K, tag, pub) K biometric authentication pub challenge-response private key authentication K, pub K = H(C, S, K, tag, pub) K

21 Summary and Relations General MFA(KE) framework single UKE session plus (parallelizable) single-factor authentication sessions α password authentication sessions β public key authentication sessions γ biometric authentication sessions optional server authentication without security risks (in contrast to [PZ08]) has a lot of flexibiity and optimization potential Proven relations symmetric PAKE model in [BPR00] is equivalent to (1,0,0)-MFAKE public-key AKE model in [BJM97] is equivalent to (0,1,0)-MFAKE (α,0,0)-mfake implies multi-password setting in [SUC10] Thank you!