Security Analysis of a Multi-Factor Authenticated Key Exchange Protocol. Feng Hao, Dylan Clarke Newcastle University, UK ACNS 12, Singapore

Transcription

1 Security Analysis of a Multi-Factor Authenticated Key Exchange Protocol Feng Hao, Dylan Clarke Newcastle University, UK ACNS 12, Singapore

2 Authentication factors Password Token Biometrics

3 Authenticated Key Exchange AKE = Key exchange + Authentication Built upon the breakthrough by Diffieand Hellman in 1976 The original Diffie-Hellman key exchange protocol is unauthenticated, hence vulnerable to man-in-the-middle attack. However, adding authentication proves nontrivial: 35 years research, still active

4 Overview of AKE Authenticated Key Exchange 1. Password-based AKE (password factor) 2. PKI-based AKE (token factor) 3. Biometrics-based AKE (biometrics factor) All based on single-factor authentication.

5 Multi-factor AKE (MK-AKE) A new primitive to combine multiple authentication factors in one protocol. Many multi-factor AKE proposed in recent years; most of them have been broken. We will review one specific protocol.

6 Pointchevel-Zimmer protocol (ACNS 08) First AKE protocol that combines all three factors: password, token and biometrics. It has a formal model and formal proofs. The three-party extension of the protocol is published in Inscrypt However, the original model is found deficient and the protocol not secure.

7 Overview of the protocol Client side: - Password - Private key in a tamper-res token - Live iris sample A common session key at the end of the protocol Server side: - Password - User s public key - Encrypted iris template

8 Overview of attacks Attacker stole password (assumption) Password Step 1: steal biometrics Iris biometrics Step 2: steal private key Private key

9 Step 1: stealing biometrics Underlying assumption: Server honestly follows the protocol and doesn t know the exponent of g Si

10 Intuition of the attack A dishonest server selects random values for the exponents. The deviation is undetectable to the client. The clients sends back its response. Based on the response, an attacker is able to guess each iris code bit correctly with p= Hence, he is able to guess all iris bits correct with p 1024 =99.994%.

11 Step 2: steal the private key Based on the success of the previous attack, the attacker can further compromise a third factor: private key. The private key is normally stored in a tamper resistant token, but the physical tamper resistance is irrelevant here.

12 Intuition (I) Client accepts the input data without any validation

13 Intuition (II) A dishonest server sends to the client small * subgroup elements in Z p Let ban element with a small prime order s. By exploiting correlation between iris codes bits, the attacker can obtain xmod swith high success probability (x is the private key) An attacker may recover the full private key based on the Chinese remainder theorem(see the paper for details).

14 The importance of public key validation A prudent engineering principle. But in reality, this is often disputed. For example, debates between MQV vshmqv HMQV (2005) had formal security proofs to prove that public key validation should be discarded. But Menezes et al (2006) presented attacks to argue that the HMQV formal model was flawed. Our attack confirms the importance of public key validation, but the debate will likely go on.

15 Countermeasures Attack 1: stealing biometrics A basic defect in the protocol design. No easy countermeasures (without making major changes to the protocol) Attack 2: stealing the private key Adding public key validation But at the expense of decreased efficiency.

16 Analysis of the formal model Our attacks don t counter the proofs. But they highlight deficiencies in the model. Two assumptions are challengeable. 1. The server is assumed to be trusted. 2. Biometrics are assumed fully public.

17 A broader view on formal model Modern cryptography Formal security definition Formal adversarial model Formal security proofs If a protocol is formally proven secure, that is great, but there are reasons to be careful.

18 How to tell if a model is right? A very tricky question with no obvious answer. A right model should correctly cover all of the attacker s capabilities. Easier said than done -it often takes year to discover deficiencies in a formal model. This is not to dispute the usefulness of a formal model, but it shows the need for more caution.

19 Conclusion Compromising one password factor breaks the Pointcheval-Zimmer three-factor AKE scheme. This shows the three factor scheme is no more secure than a single factor protection. The attacks reflect the deficiencies in the original formal model. They highlight the importance of making right assumptions in a formal model.