On Strengthening Authentication Protocols to Foil Cryptanalysis

Cryptographic protocols have usually been designed at an abstract level without concern for the cryptographic algorithms used in implementation. In this paper it is shown that the abstract protocol definition can have an important effect on the ability of an attacker to mount a successful attack on an implementation. In particular, it is determined whether an adversary is able to generate corresponding pairs of plaintext and ciphertext to use as a lever in compromising secret keys. The ideas are illustrated by analysis of two well-known authentication systems which have been used in practice, namely Kerberos and KryptoKnight. It is shown that for the Kerberos protocol, an adversary can acquire at will an unlimited number of known plaintext-ciphertext pairs. Similarly, an adversary in the KryptoKnight system can acquire an unlimited number of data pairs which, by a less direct means, can be seen to be cryptanalytically equivalent to known plaintext-ciphertext pairs. We propose new protocols, using key derivation techniques, which achieve the same end goals as these others without this undesirable feature.
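The following is an added illustration of the design principle the abstract states, not code or a protocol from the paper. It assumes a constructed toy challenge-response exchange in two variants: one that encrypts an attacker-visible nonce directly under the long-term key K (so every run hands a passive observer a known plaintext-ciphertext pair under K), and one that first derives a per-run key from K and fresh nonces through a one-way function and uses only that derived key for the response. HMAC-SHA256 is used as a stand-in for the block cipher E_K(.) and for the key-derivation function; the names `run_direct`, `run_derived`, `derive_key` and `known_pairs_under` are hypothetical.

```python
"""Toy illustration of how a protocol's abstract definition decides whether a
passive observer obtains known plaintext-ciphertext pairs under the long-term key.

Constructed example; not the paper's protocols or code. A keyed PRF
(HMAC-SHA256, truncated) stands in for the block cipher E_K(.)."""
import hashlib
import hmac
import os

BLOCK = 8  # toy block size in bytes (assumption)


def E(key, block):
    """Stand-in for encrypting one block under `key` (assumption: a keyed PRF)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def derive_key(long_term, n_a, n_b):
    """Per-run key derived one-way from the long-term key and both nonces.
    K itself is never used as a direct encryption key in this variant."""
    return hmac.new(long_term, b"derive" + n_a + n_b, hashlib.sha256).digest()


def run_direct(long_term):
    """Variant 1: the responder encrypts the clear-text challenge under K.
    Returns exactly what a passive observer sees: (nonce, E_K(nonce))."""
    nonce = os.urandom(BLOCK)          # sent in the clear by the challenger
    response = E(long_term, nonce)     # responder proves knowledge of K
    return nonce, response


def run_derived(long_term):
    """Variant 2: same goal, but the response is computed under a per-run key.
    Returns the observer's view (n_a, n_b, response) plus the derived key,
    which the parties keep private; it is returned here only for inspection."""
    n_a = os.urandom(BLOCK)            # challenger's nonce, in the clear
    n_b = os.urandom(BLOCK)            # responder's nonce, in the clear
    k_run = derive_key(long_term, n_a, n_b)
    response = E(k_run, n_a)
    return n_a, n_b, response, k_run


def known_pairs_under(key, observations):
    """Observer-side bookkeeping: which observed (plaintext, ciphertext) tuples
    are valid encryptions under `key`? Used here to count what leaks about K."""
    return [(p, c) for p, c in observations if E(key, p) == c]


def compare(runs=5):
    """Run both variants `runs` times under one long-term key and report how
    many known pairs under K each variant exposes to a passive observer."""
    k = os.urandom(16)
    direct_obs = [run_direct(k) for _ in range(runs)]
    derived_obs = [run_derived(k) for _ in range(runs)]
    return {
        "runs": runs,
        # one usable pair under K per run
        "direct_pairs_under_K": len(known_pairs_under(k, direct_obs)),
        # the observed pairs are under per-run keys, not under K
        "derived_pairs_under_K": len(
            known_pairs_under(k, [(r[0], r[2]) for r in derived_obs])),
        # every run used a different derived key
        "distinct_derived_keys": len({r[3] for r in derived_obs}),
    }


if __name__ == "__main__":
    print(compare())
```

In the first variant the number of known pairs under K grows with every protocol run, which is the property the abstract identifies in Kerberos. In the second variant what the observer sees is a pair under a derived key that changes each run, and K is only ever an input to the one-way derivation; the design choice at the abstract level, not the choice of cipher, is what changes the cryptanalytic picture.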
