A Modular Framework for Multi-Factor Authentication & Key Exchange

Similar documents
CSC Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity

Security Analysis of a Multi-Factor Authenticated Key Exchange Protocol

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

2-FACTOR AUTHENTICATION WITH OPENLDAP, OATH-HOTP AND YUBIKEY. Axel Hoffmann

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Multi-Factor Password-Authenticated Key Exchange

MANAGING OF AUTHENTICATING PASSWORD BY MEANS OF NUMEROUS SERVERS

PkBox Technical Overview. Ver

Two-Factor Authentication Basics for Linux. Pat Barron Western PA Linux Users Group

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

An Application of the Goldwasser-Micali Cryptosystem to Biometric Authentication

SECURITY IMPLICATIONS OF NFC IN AUTHENTICATION AND IDENTITY MANAGEMENT

Mobile OTPK Technology for Online Digital Signatures. Dec 15, 2015

Strong authentication of GUI sessions over Dedicated Links. ipmg Workshop on Connectivity 25 May 2012

Secure Remote Password (SRP) Authentication

A Generic Framework for Three-Factor Authentication

CASQUE SNR Presentation 16 th April 2015

Entrust IdentityGuard

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Internet Banking Two-Factor Authentication using Smartphones

Capture Resilient ElGamal Signature Protocols

NIST E-Authentication Guidance SP and Biometrics

Device-Centric Authentication and WebCrypto

Implementing two-factor authentication: Google s experiences. Cem Paya (cemp@google.com) Information Security Team Google Inc.

Managed Portable Security Devices

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

GoldKey Product Info. Do not leave your Information Assets at risk Read On... Detailed Product Catalogue for GoldKey

Authenticity of Public Keys

Key Agreement from Close Secrets over Unsecured Channels Winter 2010

SECURITY ANALYSIS OF PASSWORD BASED MUTUAL AUTHENTICATION METHOD FOR REMOTE USER

Evaluation and Implementation of SQRL and U2F as 2 nd Factor Authenticators for CERN Single Sign-On

A Method of Risk Assessment for Multi-Factor Authentication

Chapter 8 Security. IC322 Fall Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Introduction to Cryptography

Chapter 15 User Authentication

Biometrics, Tokens, & Public Key Certificates

Designing a Secure Client-Server System Master of Science Thesis in the Programme Software Engineering & Technology

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Multi Factor Authentication Security Beyond Usernames and Passwords. Brian Marshall Vanguard Integrity Professionals go2vanguard.

Alternative: Strong password Protocols

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Authentication Tokens

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

Multi-Factor Authentication of Online Transactions

TELE 301 Network Management. Lecture 18: Network Security

XYPRO Technology Brief: Stronger User Security with Device-centric Authentication

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems

INF3510 Information Security. Lecture 8: User Authentication. University of Oslo Spring 2015

Advanced Authentication

Multi Factor Authentication API

Secure Deduplication of Encrypted Data without Additional Independent Servers

Chapter 16: Authentication in Distributed System

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

ARCHIVED PUBLICATION

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Guidance on Multi-factor Authentication

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Research Article. Research of network payment system based on multi-factor authentication

Application-Specific Biometric Templates

Remote Access Securing Your Employees Out of the Office

CS 348: Computer Networks. - Security; 30 th - 31 st Oct Instructor: Sridhar Iyer IIT Bombay

Cryptography and Key Management Basics

Swivel Multi-factor Authentication

Practical Yet Universally Composable Two-Server Password-Authenticated Secret Sharing

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Authenticated encryption

Authentication. Computer Security. Authentication of People. High Quality Key. process of reliably verifying identity verification techniques

A Draft Framework for Designing Cryptographic Key Management Systems

2-FACTOR AUTHENTICATION FOR MOBILE APPLICATIONS: INTRODUCING DoubleSec

Two-Factor Solutions Choosing the Right One"

FIDO Trust Requirements

Design Notes for an Efficient Password-Authenticated Key Exchange Implementation Using Human-Memorable Passwords

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

SECURITY IN NETWORKS

CIS 5371 Cryptography. 8. Encryption --

Copyright FIDO Alliance All Rights Reserved.

NetIQ Advanced Authentication Framework

Software Defined Perimeter: Securing the Cloud to the Internet of Things

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

Improving Online Security with Strong, Personalized User Authentication

Transcription:

A Modular Framework for Multi-Factor Authentication & Key Exchange Nils Fleischhacker, Mark Manulis, Amir Azodi SSR 2014@RHUL December 17, 2014

Multi-Factor Authentication MFA (client) authentication by combination of 2+ authentication factors aims to guarantee security if one of the factors remains uncompromised something the user knows low-entropy passwords (static, one-time) KNOWLEDGE something the user is biometric features (fingerprints, face, iris behavior, etc..) PRESENCE IDENTITY POSSESSION high-entropy secrets (symmetric, asymmetric crypto) stored in software/hardware e.g. USB tokens, smartcards something the user has ENVIRONMENT existence of social links (plays an increasing role within social networks and co) someone the user knows

MFA standards and products MFA patents and standards PCI Data Security Standard, Ver. 2, 2010 (payment card industry) NIST Special Publication 800-63, 2011 HMAC-based One-Time Password (HOTP, RFC 4226) Time-based One-Time Password (TOTP, RFC 6238) FIDO Alliance Universal Authentication Framework (UAF), Oct 2014 MFA(KE) products 2FA websites: https://twofactorauth.org/ OATH HOTP/TOTP RSA SecureID Google Authenticator,...

MFA research highlights various MFA(KE) protocols e.g. [HAD06, A07, BSS+09, D09, FL09] mostly loose security definitions and partially missing analysis first MFAKE model by Pointcheval and Zimmer [PZ08] three factors (1 password, 1 private key, 1 biometric) liveness assumption (for biometrics) for the client optional pk-based server authentication impersonation attacks found by Hao and Clarke [HC12] provably secure MFAKE protocol by Stebila, Udupi, and Chang [SUC10] n factors as a mix of (one-time) passwords and symmetric keys pk-based server authentication

Example MFAKE protocol [PZ08] Three factors biometric template W C = (w 1,..., w n ), each w i is a bit private/public key (sk, pk = g sk ) password pw W C = (w 1,..., w n ) sk pw K = (g a u pw / u pw ) b = g ab g b v pw {g t ig r i} i, g a u pw {g r i, pk r i g w i} i pk = g sk pw K = (g b v pw / v pw ) a = g ab {K i = (g t ig r i) sk g w i} i {K i = pk t i pk r i g w i} i {H(K, pw, K i,...)} i C if at least τ hash values match: {H(K, pw, K i,...)} i

Example MFAKE protocol [PZ08] attack in [HC12] shows that knowledge of pw can be used to reveal W C this shows that it is dangerous to mix authentication factors W C = (w 1,..., w n ) sk pw K = (g a u pw / u pw ) b = g ab {K i = (g s i) sk g w i} i g b v pw {g s i} i, g a u pw {H(K, pw, K i,...)} i pk pw K = (g b v pw / v pw ) a = g ab {K 0,i = pk s i g 0 } i {K 1,i = pk s i g 1 } i find w i by comparing hashes with H(K, pw, K 0,i...)} or H(K, pw, K 1,i...)

Aiming at Modular MFA Framework Advantage through modularity cleaner design each factor is processed independently of any other factor helps to avoid problems with mixing factors more flexible backwards compatibility with single-factor solutions easier to replace factors, easier to add new factors flexibility in the adoption of multiple communication channels simpler simpler security analysis simpler development and maintenance of MFA standards Eventual drawbacks in general less efficient than customized solutions but optimisation potential (comms, comps) may gain efficiency by deployment (e.g. single vs. multiple channels)

Aiming at Generalised MFA (α,β,γ)-mfake framework support for arbitrary combinations of authentication factors initially three factor types: passwords, private/public keys, biometrics each type may occur multiple times or not occur at all α passwords pw C = [pw C,1,..., pw C,α ] with pw C [i] D pw β private keys sk C = [sk C,1,..., sk C,β ] (and corresp. pk C ) γ biometrics W C = [W C,1,..., W C,γ ] with W C [i] Dist C,i independent of channels/devices being used Examples (2,0,0)-MFAKE pw one-time pw (1,1,0)-MFAKE (one-time) pw sk (1,0,1)-MFAKE pw fingerprint (1,1,1)-MFAKE pw sk fingerprint

Generalised MFA through Modularity Build on existing single-factor protocols view existing single-factor solutions as instances of (α,β,γ)-mfa (1,0,0)-MFA = (one-time) password authentication (0,1,0)-MFA = public-key authentication (0,1,0)-MFA = biometric authentication construct General MFA as a product of single-factor authentication protocols (α,β,γ)-mfa = α (1,0,0)-MFA + β (0,1,0)-MFA + γ (0,0,1)-MFA with some extra work this would allow for backward compatibility and simple addition of new factors simply by increasing/decreasing α, β, γ adding new factor types, e.g. (0,0,0,1)-MFA for social authentication

First Attempt: Template for (α,β,γ)-mfa Use single-factor protocols offering at least unilateral authentication. possibly encrypted hashed W C sk C pw C pw C [i] α password authentication pw C [i] WC pk C pw C sk C [i] β public key authentication pk C [i] W C [i] γ biometric authentication W C [i] This construction is not secure!... but imagine its benefits If all factors ed then C

Massive Flexibility through Isolation arbitrary order multiple channels addition/removal of factors backward compatibility ±

Impersonation Attack on Isolated Factors MFA security model must allow active attacks for up to n 1 compromised factors. An active adversary has typically full control over the network. f 1,..., f n f n f 1 f 1 f n 1 f n 1 f n f n Server should not be allowed to based on completely isolated factors.

Designing secure (α,β,γ)-mfa: Step 1 If S s there must exist an instance of C with the same view as S. Same view is typically defined through matching protocol transcripts. α pw C [i] pw C [i] password authentication tran[i], tran[i] β sk C [i] pk C [i] tran[i] public key authentication, tran[i] W C [i] tran[i] γ biometric authentication W C [i], tran[i] tran C authenticated matching of tran C = tran S This needs to be realized without additional factors. tran S If all factors ed and tran C = tran S then C

Designing secure (α,β,γ)-mfa: Step 2 Tag-based Authentication authentication protocols that also ensures matching of input tags pw, tag pw, tag sk, tag pk, tag W, tag W, tag password authentication Unauthenticated Key Exchange public key authentication biometric authentication (forward-)secure key exchange in presence of passive adversary adversary sees (tran, key) pairs and should not be able to tell if key is real or random e.g. standard Diffie-Hellman KE protocol with ephemeral private keys tran, K UKE tran, K

Final (α,β,γ)-mfa Framework tran, key tag C = H1(C, S, tran, key) tag C, pw C [i] tran[i] tag C, sk C [i] tran[i] tag C, W C [i] tran[i] μ C = H2(C, S, tran C, key) UKE α password authentication β public key authentication γ biometric authentication μ C tran, key tag S = H1(C, S, tran, key) tag S, pw C [i], tran[i] tag S, pk C [i], tran[i] tag S, W C [i], tran[i] μ S = H2(C, S, tran S, key) If all factors ed and μ C = μ S then C

Final (α,β,γ)-mfa Framework with KE tran, key tag C = H1(C, S, tran, key) tag C, pw C [i] tran[i] tag C, sk C [i] tran[i] tag C, W C [i] tran[i] μ C = H2(C, S, tran C, key) K = H3(C, S, tran C, key) UKE α password authentication β public key authentication γ biometric authentication μ C tran, key tag S = H1(C, S, tran, key) tag S, pw C [i], tran[i] tag S, pk C [i], tran[i] tag S, W C [i], tran[i] μ S = H2(C, S, tran S, key) If all factors ed and μ C = μ S then compute K = H3(C, S, tran C, key)

(α,β,γ)-mfa(ke) with Server Authentication pk S tran, key tag C = H1(C, S, tran, key) tag C, pk S, tran μ C = H2(C, S, tran C, key) ν C = H2(S, C, tran S, key) If and ν S = ν C then compute K = H3(C, S, tran C, key) UKE password authentication public key authentication biometric authentication public key authentication μ C ν S tran, key tag S = H1(C, S, tran, key) tag S, sk S tran sk S μ S = H2(C, S, tran S, key) ν S = H2(S, C, tran S, key) If all factors ed and μ C = μ S then compute K = H3(C, S, tran C, key)

Client MFA(KE) Security Goals Client Multi-Factor Authentication A is given access to Invoke, Send, BioComp, RevealSK, and CorruptC oracles A wins if S s without an existing instance of C with a matching transcript Pr[S s] q α D pw γ false pos i i = 1 + negl AKE security A has further access to Test b oracle in real-or-random model [AFP05] A wins if it outputs b* = b such that Pr[b* = b] q α D pw γ false pos i i = 1 + negl 1 2

Tag-based Single-Factor Authentication with passwords PAKE protocols in the model from [BPR00] with client confirm applicable to Ω-method from [GMR06] non-invasive pw* password authentication pw* = H(tag, pw) password authentication with client confirmation pw* with public keys introduced in [JKSS10] challenge-response protocols: signaturebased and 3-move ZK invasive sk public key authentication challenge-response public key authentication random c use c* = H(tag, c) to compute and check response pk

Tag-based Single-Factor Authentication with biometric templates e.g. using robust fuzzy extractors (Ext, Rec) from [BDK+05] (K, pub) Ext(W c ) stored on server side after registration K = K if δ(w C, W C ) τ (e.g. matching based on Hamming distance) invasive on client side measure W C K Rec(W c, pub) K = H(C, S, K, tag, pub) K biometric authentication pub challenge-response private key authentication K, pub K = H(C, S, K, tag, pub) K

Summary and Relations General MFA(KE) framework single UKE session plus (parallelizable) single-factor authentication sessions α password authentication sessions β public key authentication sessions γ biometric authentication sessions optional server authentication without security risks (in contrast to [PZ08]) has a lot of flexibiity and optimization potential Proven relations symmetric PAKE model in [BPR00] is equivalent to (1,0,0)-MFAKE public-key AKE model in [BJM97] is equivalent to (0,1,0)-MFAKE (α,0,0)-mfake implies multi-password setting in [SUC10] Thank you!

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information