On the Limits of Anonymous Password Authentication

Transcription

1 On the Limits of Anonymous Password Authentication Yan-Jiang Yang a Jian Weng b Feng Bao a a Institute for Infocomm Research, Singapore, {yyang,baofeng}@i2r.a-star.edu.sg. b School of Computer Science, Jinan University, Guangzhou, P.R.China, cryptjweng@gmail.com. Abstract: Password authentication is the most commonly accepted means for entity authentication. To meet the increasing need of preserving individual privacy, anonymous password authentication has been proposed recently, to augment password authentication with the protection of user privacy. In this paper, we analyze the weaknesses inherent to anonymous password authentication, which make it questionable for the practicality of anonymous password authentication in real applications. We also show that all the existing anonymous password authentication schemes may subject to undetectable on-line dictionary attacks. Keywords: password authentication, unlinkability, undetectable on-line dictionary attacks AMS Subject classification: 65N30 1. Introduction Using password for entity authentication has been the common practice since the advent of computers, and is still the case today. Every day, there are probably billions of instances of password usage in cyberspace. The wide acceptance of password authentication is due to the fact that password authentication requires no dedicated devices, and a user only needs to memorize his passwords for authentication. However, the weak aspect of password authentication is that passwords are normally drawn from a relatively small space, and short to be memorizable; thus they are subject to brute-force dictionary/guessing attacks. Dictionary attacks can be on-line or off-line. In an on-line dictionary attack, the attacker tries to login to the server in the name of

2 2 the victim user by trying a different password each time until finds the correct one. In an off-line dictionary attack, the attacker does not need to interact with the server; rather, it collects the protocol transcript of a login session between a user and the server, and then checks all possible passwords against the login transcript to determine the actual one. On-line dictionary attacks are inevitable in password authentication, but can be easily addressed at the system level by locking a user s account once the number of repetitive unsuccessful login attempts towards that account passes a threshold. In contrast, off-line dictionary attacks are notoriously harder to address, and they must be addressed at the protocol level. Nowadays, users are becoming increasingly concerned about individual privacy, and they prefer to concealing identification information when accessing online services. However, we know that in its original form, password authentication does not protect user privacy. To see this, the setting of password authentication is as follows: each user needs to register his/her password to the server in advance, so that the server maintains a password file containing all users passwords. Then, to login to the server, a user needs to provide his ID to the server, who then uses the corresponding password to engage in the authentication protocol with the user who also uses the password. To achieve the objective of privacy protection, recently anonymous password authentication [11 13] has been proposed to augment password authentication with the protection of user privacy. In particular, anonymous password authentication offers unlinkability, i.e., the server should not be able to link different login transactions from the same user. Anonymous password authentication seems to be a promising privacy-preserving primitive, considering the wide use of password authentication in practice. However, in this paper we refute the practicality of anonymous password authentication in real world applications, by pointing out several weaknesses of anonymous password authentication. Note that these weaknesses are inherent to anonymous password authentication as a whole, not specific to certain anonymous password authentication schemes. We also show that all the existing anonymous password authentication schemes [1,11 13] may subject to undetectable on-line dictionary attacks [6], where the server does not realize the happening of on-line dictionary attacks. To make our analysis concrete,

3 3 we will take the latest anonymous password authentication scheme [13] (referred to as the YZ scheme hereafter) as an example. Organization. The rest of the paper is organized as follows. In Section 2, we review the related work. In Section 3, we review the YZ scheme, based on which we then show that all the existing anonymous password authentication schemes may be vulnerable to undetectable online dictionary attacks. We analyze the limits of anonymous password authentication in Section 4, and Section 5 concludes the paper. 2. Related work Password authentication can be categorized into two approaches, depending on whether or not public key primitives (e.g., public key encryption and digital signature) are involved: public-key-assisted approach, and password-only approach. In the public-key-assisted approach, the server has a public/private key pair for encryption/signature at its disposal, while the users use passwords. Examples of public-keyassisted password authentication schemes include [5,7,8]. The use of a public key primitive by the server can simplify protocol design, but requires the deployment of PKI (Public Key Infrastructure) for certification. In contrast, the password-only approach does not involve any public key primitive, thereby eliminating the dependence on PKI. The password-only approach, or password authenticated key exchange (PAKE), has been extensively studied in the literature, e.g., [2 4,9,10]. It is well known that password authentication does not protect user privacy, because the server needs to know the logining user s ID and then uses the corresponding password in the password file to authenticate the user. To achieve the protection of user privacy, anonymous password authentication was proposed. The first anonymous password authentication scheme was due to [12], which combines a password-only protocol with a PIR (Private Information Retrieval) protocol. The passwordonly protocol is used to generate a shared key between the user and the server, and the PIR protocol is used to achieve user privacy protection. Subsequently, new anonymous password authentication schemes were given in [11]. These new schemes also rely on PIR to preserve user privacy, but the PIR protocol they use is the trivial construction, i.e., the server passes a whole database to the user. [1] considered threeparty (i.e., user-gateway-server) anonymous password authentication,

4 4 and the proposed protocol also uses PIR to attain user privacy. The latest anonymous password authentication scheme is [13], which uses the trivial PIR solution as well. This scheme is the most efficient compared to other schemes, as part of the computation by the server can be done off-line. We notice that all the above anonymous password authentication schemes belong to the password-only approach. 3. Undetectable on-line dictionary attacks 3.1 Review of the YZ scheme. To make our analysis in the rest of the paper concrete, we take the latest YZ scheme in [13], as an example. While there are minor differences, other anonymous password authentication schemes [1,11,12] can be viewed as variants of the YZ scheme. Figure 1 shows a version of the YZ scheme, where a single user Figure 1. The YZ scheme

5 5 logins to the server. We refrain from further elaborating on the scheme, as the description in Figure 1 is already clear and self-contained. 3.2 Undetectable on-line dictionary attacks. Note that in the YZ scheme in Figure 1, there is no explicit authentication of the user by the server. To be fair, this is not an issue from the key establishment point of view, because of the fact that the user is not able to establish the correct shared key sk unless he uses a valid password. However, this may cause undetectable on-line dictionary attacks, where the server is not aware of the presence of on-line dictionary attacks. To see this, there are two cases to be considered, depending on the usage of the shared session key sk in the subsequent communication between the user and the server. (1) In some applications (e.g., FTP services), the server simply needs to push data to the user, and thus the session key is only needed to protect the channel from the server to the user. In this case, undetectable on-line dictionary attacks clearly apply, since the server does not know whether or not the user has established the correct key. (2) In many other applications, the shared key will be used by the user to interact with the server. In this case, undetectable on-line dictionary attacks are avoided, because the server will learn in retrospection that whether the key used by the user is correct or not. We notice that other anonymous password authentication schemes [1,11,12] have the same problem, lacking explicit authentication of the user by the server. Thus, they may also suffer from the undetectable on-line dictionary attacks. 4. Limits of anonymous password authentication We now analyze the limitations of anonymous password authentication. These limits are inherent to anonymous password authentication as a whole, not specific to certain schemes. Based on these limits, we have reasons to suspect whether anonymous password authentication is indeed practically useful. Limitation 1. Server computation O(n): It is clear that the computation overhead upon the server is O(n), linear with n, the total number of users. The reason is that the server s computation has to involve all user passwords in order to achieve unlinkability; otherwise, those un-touched passwords by the server must not be the requesting user s. To be specific, let us now turn to the YZ scheme in Figure 1:

6 6 for a login request, the server has to compute {A j } 1 j n. The server s computation is thus O(n). In practice, O(n) of server computation will cause the scalability problem in large systems with a large number of users, making the server the bottleneck of the systems. This means that in principle, anonymous password authentication can only be feasible in small systems. Limitation 2. On-line dictionary attacks: As we mentioned earlier, on-line dictionary attacks are easy to address in password authentication, by mandating the number of repetitive failed login attempts made by a user, such that his/her account is locked as long as the failed login attempts pass a threshold. However, in anonymous password authentication, addressing on-line dictionary attacks is not that easy. The reason is that the server cannot discern users in anonymous password authentication. Thus even if the server realizes that there are on-line dictionary attacks, it does not know the victim user. As such, there seems no better way than locking all users accounts. It is clearly not acceptable practice in real applications to affect innocent users. Note that asking users to frequently update their passwords cannot solve the problem, since on-line dictionary attacks can happen at any time. Limitation 3. Passive server: In anonymous password authentication, the server should be assumed passive; otherwise, unlinkability cannot be achieved (note that a passive entity is honest, but tries to find out more useful information from the data it is supposed to get; in contrast, a malicious entity can behave arbitrarily in order to achieve its objective). To see this, recall that the server needs to touch every password in order to respond to a user s login request: if the server is malicious, it can always use a different data on different passwords (to compute the shared session key), and then determines the password the user uses from the associated data. To be specific, let us again turn to the YZ scheme in Figure 1. Instead of using the same r s, the server can use a distinct r sj to compute different A j, 1 j n. Subsequently, the server can determine which password the user uses from the session key established between them. Here, we assume that measures are in place to prevent undetectable online dictionary attacks (e.g., the server explicitly authenticates the user), so that the server can know which r sj is used to compute the shared key. Passive server is a quite strong assumption, and it may not easy to find

7 7 a server of this nature in practice. 5. Conclusion In this paper, we first showed that all the existing anonymous password authentication schemes are subject to undetectable on-line dictionary attacks, in the applications where the established session key is only needed to protect the channel from the server to the user. We then analyzed several weaknesses, inherent to anonymous password authentication. These weaknesses make us to suspect the practicality of anonymous password authentication in real world applications. References [1] M. Abdalla, M. Izabachene, and D. Pointcheval. Anonymous and transparent gateway-based password-authenticated key exchange. Proc. International Conference on Cryptology and Network Security, CANS 08(2008), pp [2] E. Bresson, O. Chevassut, and D. Pointcheval. Security proofs for an efficient password-based key exchange. Proc. ACM. Computer and Communication Security(2003), pp [3] S. Bellovin and M. Merritt. Encrypted key exchange: password-based protocols secure against dictionary attacks. Proc. IEEE Symposium on Research in Security and Privacy(1992), pp [4] S. Bellovin and M. Merritt. Augmented encrypted key exchange: a passwordbased protocol secure against dictionary attacks and password file compromise. Proc. ACM. Computer and Communication Security(1993), pp [5] M.K. Boyarsky. Public-key cryptography and password protocols: the multiuser case. Proc. ACM Conference on Computer and Communication Security(1999), pp [6] Y. Ding and P. Horster. Undetectable on-line password guessing attacks. ACM SIGOPS Operating Systems Review, Vol. 29(4)(1995), pp [7] L. Gong, M. Lomas, R. Needham, and J. Saltzer. Protecting poorly chosen secrets from guessing attacks. IEEE Journal on Seclected Areas in Communications, 11(5)(1993), pp [8] S. Halevi, and H. Krawczyk. Public-key cryptography and password protocols. Proc. ACM. Computer and Communication Security, CCS 98(1998), pp [9] J. Katz, R. Ostrovsky, and M. Yung. Efficient password-authenticated key exchange using human-memorable passwords. Proc. Advances in Cryptology, Eurocrypt 01, LNCS 2045(2001), pp [10] M.H.Nguyen, and S.P. Vadhan. Simpler session-key generation from short random passwords. Proc. Theory of Cryptography, TCC 04(2004), pp

8 8 [11] S. Shin, K. Kobara, and H. Imai. A secure construction for threshold anonymous password-authenticated key exchange. IEICE Transactions on Fundamentals, Vol. E91-A, No. 11(2008), pp [12] D. Q. Viet, A. Yamamura, and T. Hidema. Anonymous password-based authenticated key exchange. Proc. Indocrypt 2005, LNCS 3797(2005), pp [13] J. Yang and Z. Zhang. A new anonymous password-based authenticated key exchange protocol. Proc. Indocrypt 2008, pp