
Augmented Encrypted Key Exchange: a Password-Based Protocol Secure Against Dictionary Attacks and Password File Compromise

Steven M. Bellovin [email protected]
Michael Merritt [email protected]
AT&T Bell Laboratories

Abstract

The encrypted key exchange (EKE) protocol is augmented so that hosts do not store cleartext passwords. Consequently, adversaries who obtain the one-way encrypted password file may (i) successfully mimic (spoof) the host to the user, and (ii) mount dictionary attacks against the encrypted passwords, but cannot mimic the user to the host. Moreover, the important security properties of EKE are preserved—an active network attacker obtains insufficient information to mount dictionary attacks. Two ways to accomplish this are shown, one using digital signatures and one that relies on a family of commutative one-way functions.

1 Introduction

Bellovin and Merritt [1] presented a protocol that allowed two parties sharing a password to communicate without exposing that password. That protocol, encrypted key exchange, or EKE, required that both parties have cleartext versions of the shared password, a constraint that cannot (or ought not) always be met. In particular, consider the problem of a user logging in to a computer that does not rely on a secure key server for authentication. As shown in [13, 4], it is inadvisable for most hosts to store passwords in either clear form or in a reversibly-encrypted form. Rather, some one-way hash function $H(P)$ is stored for each user password $P$. Password validation is performed by calculating $H(P')$ on the typed password $P'$, and seeing if it matches the stored value.

We show how to extend the EKE protocol to handle this situation. The new protocol, augmented encrypted key exchange (A-EKE), works by choosing particular functions $H(P)$ for host storage of passwords. Both sides use $H(P)$, which should be secret, as the shared password in the EKE exchange. However, since we assume that under some comparatively-rare circumstances $H(P)$ might be compromised, the user must send an additional message containing a different one-way function of the password; this value, together with $H(P)$ and the session key, is used by the host to validate the login sequence.

We start by reviewing EKE, in Section 2. Section 3 presents the modified protocol and two different ways to implement it, one using public-key cryptography, and the other using commutative one-way hash functions. Section 4 analyzes the security of the new protocol.

1.1 Assumptions and Constraints

Most of the fundamental assumptions of EKE apply here as well. Specifically, we assume that the user's sole means of authentication—and sole long-term storage—is a simple password, rather than a bulky private key. Furthermore, we assume that the password must be protected from dictionary attacks; historically, such attacks are quite successful. See, for example, [13, 9, 10, 12], among others.

1.2 Summary of Notation

Our notation is shown in Table 1. To avoid confusion, we use the word "symmetric" to denote a conventional cryptosystem; it uses secret keys. A public-key, or asymmetric, cryptosystem has public encryption keys and private decryption keys.

Table 1: Notation

  $A$, $B$                  System principals (Alice and Bob).
  $P$                       The password: a shared secret, often used as a key.
  $R$                       A random secret key (for symmetric cryptosystems).
  $R_A$, $R_B$              Random exponents.
  $\{info\}_K$              Symmetric (secret-key) encryption of "info" with key $K$.
  $\{info\}_K^{-1}$         Symmetric (secret-key) decryption of "info" with key $K$.
  $S_K(M)$                  Digital signature of $M$ with (private) key $K$.
  $V_K(\cdot)$              Verification of a signature of message $M$ with (public) key $K$.
  $\mathit{challenge}_A$    A random challenge generated by $A$.
  $\mathit{challenge}_B$    A random challenge generated by $B$.
  $H$, $H'$                 One-way hash functions.
  $H_1$, $H_2$              Commutative, one-way hash functions.
  $\alpha$, $\beta$         Base and modulus for discrete exponentiation.

2 A Review of EKE

Assume that two parties, $A$ and $B$ (Alice and Bob), wish to establish a secret, authenticated session key. Initially, the only secret they share is $P$, a password that may be subject to dictionary attacks.

1. $A$ picks a random number $R_A$ and calculates $\alpha^{R_A} \bmod \beta$. $A$ sends

   $A, \{\alpha^{R_A} \bmod \beta\}_P$   (EKE.1)

   to $B$; note that her name is sent in the clear.

2. $B$ picks a random number $R_B$ and calculates $\alpha^{R_B} \bmod \beta$. $B$ also uses the shared password $P$ to decrypt $\{\alpha^{R_A} \bmod \beta\}_P$, and calculates $\alpha^{R_A R_B} \bmod \beta$. The session key $R$ is derived from this value, perhaps by selecting certain bits. Finally, a random challenge $\mathit{challenge}_B$ is generated. $B$ transmits

   $\{\alpha^{R_B} \bmod \beta\}_P, \{\mathit{challenge}_B\}_R$   (EKE.2)

3. $A$ uses $P$ to decrypt $\{\alpha^{R_B} \bmod \beta\}_P$. From this, $R$ is calculated; it in turn is used to decrypt $\{\mathit{challenge}_B\}_R$. $A$ then generates her own random challenge $\mathit{challenge}_A$. $A$ sends

   $\{\mathit{challenge}_A, \mathit{challenge}_B\}_R$   (EKE.3)

4. $B$ decrypts $\{\mathit{challenge}_A, \mathit{challenge}_B\}_R$, and verifies that $\mathit{challenge}_B$ was echoed correctly. $B$ sends

   $\{\mathit{challenge}_A\}_R$   (EKE.4)

5. $A$ decrypts $\{\mathit{challenge}_A\}_R$ to obtain $\mathit{challenge}_A$, and verifies that it matches the original.

Since the quantities encrypted with $P$ are random numbers, an attacker cannot validate any guesses as to the password. The fact that $R$ depends on inputs from both $A$ and $B$ defeats man-in-the-middle attacks. Furthermore, neither party can control the choice of $R$; to do so is equivalent to solving the discrete log problem.

There is another major variant of EKE, which uses asymmetric cryptosystems rather than exponential key exchange. In general, that version is not suitable for use with A-EKE; this is discussed further in Section 4.

3 EKE with Hashed Passwords

The modified protocol requires some new definitions. First, there is $H(P)$, the password-hashing function. Naturally, this must be a one-way function; there must be no feasible way to recover $P$ from $H(P)$. By our assumptions, hosts should try to keep $H(P)$ secret, but this cannot be guaranteed. The goal is to prevent an intruder who has captured $H(P)$ from succeeding in learning $P$ or in mimicking Alice. Moreover, attackers who have not obtained $H(P)$ must remain unable to mount dictionary attacks against $P$, as in the original protocol. (Note that any intruder with $H(P)$ can already mount a dictionary attack, so we need not guard further against that possibility.)

The second function, $H'(P, R)$, is a one-way function that depends on both the password and the previously-negotiated session key. The user calculates this quantity, encrypts it with $R$, and sends $\{H'(P, R)\}_R$ to the host. Finally, define a predicate, $S(H(P), H'(P, R), R)$; this evaluates to true if and only if the genuine password $P$ was used to create both $H(P)$ and $H'(P, R)$. (That is, $S(X, Y, R)$ is true if and only if $X = H(P')$ and $Y = H'(P', R)$, for some $P'$.)

The basic idea is to first run EKE with $H(P)$ in place of the cleartext password, $P$. The result is a session key, $R$, that should be known only by $A$ and $B$, and can in practice only be known by someone who knows $H(P)$. Most attackers will not get this far, but one who has captured $H(P)$ will be able to impersonate either the host, the user, or both. Consequently, the user must supply $H'(P, R)$ to persuade $B$ of her identity. Simply sending $P$, either in the clear or as $\{P\}_R$, would be unsafe against an enemy who was mimicking the genuine $B$. Below is the protocol in full—the first five steps are simply EKE with $H(P)$ used in place of $P$:

1. $A$ picks a random number $R_A$ and sends

   $A, \{\alpha^{R_A} \bmod \beta\}_{H(P)}$   (A-EKE.1)

   to $B$. Note that $A$ has $P$, and hence can easily calculate $H(P)$.

2. $B$ picks a random number $R_B$, and uses the shared, encrypted password $H(P)$ to decrypt $\{\alpha^{R_A} \bmod \beta\}_{H(P)}$, calculates $\alpha^{R_A R_B} \bmod \beta$, and derives $R$ from this value. Finally, $\mathit{challenge}_B$ is generated. $B$ transmits

   $\{\alpha^{R_B} \bmod \beta\}_{H(P)}, \{\mathit{challenge}_B\}_R$   (A-EKE.2)

3.

5. $A$ decrypts $\{\mathit{challenge}_A\}_R$ to obtain $\mathit{challenge}_A$, and verifies that it matches the original.

6. This ends the execution of EKE using $H(P)$ in place of the cleartext $P$. We are concerned that an adversary that obtained $H(P)$ still not be able to spoof the host as $A$. The protocol is extended by a single message: $A$ sends

   $\{H'(P, R)\}_R$   (A-EKE.5)

7. Upon receipt, $B$ decrypts $\{H'(P, R)\}_R$ to obtain $H'(P, R)$, and concludes the protocol successfully only if the predicate $S(H(P), H'(P, R), R)$ evaluates to true.

Note that an attacker who obtains $H(P)$ from the host could successfully mimic the host to $A$. But without knowledge of $P$, the attacker still cannot mimic $A$ to the host.

The scheme can be strengthened against dictionary attacks by letting Bob pick a per-user random value $s$, and store the pair $\langle s, H_s(P) \rangle$ instead of simply $H(P)$. Then Bob would send $s$ (in the clear) to Alice as an added initial step of the EKE protocol, and $H_s(P)$ would be used in place of $H(P)$. This provides us with two of the three advantages of the "salt" used by Morris and Thompson [13]: it is impossible to tell if two hashed passwords use the same plaintext, and it is impossible to build a dictionary of pre-hashed password guesses. However, this change allows an attacker an additional degree of freedom over the protocol, which must be considered carefully in designing a secure implementation.

There may be several different secure choices for $H()$, $H'()$, and $S()$ that will satisfy the protocol requirements. We present two here: digital signatures and commutative one-way functions. Other possibilities include functions based on Gifford's primitives [8].

3.1 Digital Signatures

Conceptually, the most straightforward way to augment EKE is to define $H(P)$ as the public key in a digital signature scheme. In turn, to compute $H'(P, R)$, Alice signs $R$ with her private key. At user registration time, the host (Bob)
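The A-EKE exchange of Section 3, instantiated with the digital-signature choice of Section 3.1, as an added runnable example; this is constructed for illustration and is not code from the paper or its authors. It assumes a toy group (the Mersenne prime $\beta = 2^{61}-1$ with base 3), a toy stream cipher for $\{\cdot\}_K$, and Schnorr signatures in the roles of $H(P)$ (the public key the host stores), $H'(P,R)$ (Alice's signature on $R$ with the private key derived from $P$) and $S$ (verification under $H(P)$); the sample password, the helper names and the "guess" key the impostor signs with are all made up here. Three runs are shown: the genuine user, a wrong password, and an attacker who holds only a stolen $H(P)$, who passes the EKE steps (and so could spoof the host) but fails the step 7 check.

```python
"""Toy A-EKE run (digital-signature variant).  Added example, not the paper's code.
Constructed, insecure instantiation:
  - group: prime BETA = 2**61 - 1, base ALPHA = 3, exponents reduced mod BETA - 1;
  - {info}_K: XOR with an HMAC-SHA256 keystream derived from K (toy stream cipher);
  - H(P): Schnorr public key ALPHA**x mod BETA, private key x = SHA-256(P) mod (BETA - 1);
  - H'(P, R): Schnorr signature on R under x;  S(H(P), H'(P, R), R): verification under H(P).
"""
import hashlib
import hmac
import secrets

BETA = 2**61 - 1   # toy modulus; a real deployment needs a properly sized group
ALPHA = 3
N = BETA - 1       # exponent arithmetic modulo the group order (Fermat: g**N == 1)
WIDTH = 8          # bytes per group element / exponent / challenge on the wire


def i2b(x: int) -> bytes:
    return x.to_bytes(WIDTH, "big")


def b2i(b: bytes) -> int:
    return int.from_bytes(b, "big")


def sym(key: int, data: bytes) -> bytes:
    """{data}_key: XOR with HMAC(key, counter) keystream; encryption equals decryption."""
    k = hashlib.sha256(key.to_bytes(32, "big")).digest()
    stream = b"".join(hmac.new(k, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def private_key(P: str) -> int:
    """Alice's signing key; only someone holding the cleartext password can derive it."""
    return b2i(hashlib.sha256(P.encode()).digest()[:WIDTH]) % N or 1


def H(P: str) -> int:
    """H(P): the public key the host stores in place of P."""
    return pow(ALPHA, private_key(P), BETA)


def sign(x: int, m: bytes) -> tuple:
    """H'(P, R) as a Schnorr signature (e, s) on m under private key x."""
    k = secrets.randbelow(N - 1) + 1
    e = b2i(hashlib.sha256(i2b(pow(ALPHA, k, BETA)) + m).digest()) % N
    return e, (k - x * e) % N


def verify(y: int, m: bytes, sig: tuple) -> bool:
    """S(H(P), H'(P, R), R): ALPHA**s * y**e recovers ALPHA**k only if y == ALPHA**x."""
    e, s = sig
    r = pow(ALPHA, s, BETA) * pow(y, e, BETA) % BETA
    return b2i(hashlib.sha256(i2b(r) + m).digest()) % N == e


def run_aeke(alice_hp: int, alice_x, bob_hp: int) -> dict:
    """One A-EKE run.  alice_hp: the value Alice uses as the EKE password (H(P), or a stolen
    copy); alice_x: her signing key, or None if she holds only H(P).  bob_hp: stored H(P).
    Returns which of Bob's checks passed."""
    result = {"eke_ok": False, "aeke_ok": False}
    # A-EKE.1  Alice -> Bob: A, {ALPHA**R_A mod BETA}_{H(P)}.  Toy caveat: this fixed-width
    # encoding leaves three top bits always zero, which a dictionary attacker could test;
    # real EKE must encode group elements so the ciphertext looks random under any key.
    R_A = secrets.randbelow(N - 1) + 1
    msg1 = sym(alice_hp, i2b(pow(ALPHA, R_A, BETA)))
    # A-EKE.2  Bob decrypts with stored H(P), derives R, sends {ALPHA**R_B}_{H(P)}, {challenge_B}_R
    R_B = secrets.randbelow(N - 1) + 1
    R_bob = pow(b2i(sym(bob_hp, msg1)), R_B, BETA)
    challenge_B = secrets.randbits(64)
    msg2 = sym(bob_hp, i2b(pow(ALPHA, R_B, BETA))), sym(R_bob, i2b(challenge_B))
    # A-EKE.3  Alice derives R, reads challenge_B, sends {challenge_A, challenge_B}_R
    R_alice = pow(b2i(sym(alice_hp, msg2[0])), R_A, BETA)
    challenge_A = secrets.randbits(64)
    msg3 = sym(R_alice, i2b(challenge_A) + sym(R_alice, msg2[1]))
    # A-EKE.4  Bob checks the challenge_B echo, sends {challenge_A}_R
    plain3 = sym(R_bob, msg3)
    if b2i(plain3[WIDTH:]) != challenge_B:
        return result
    msg4 = sym(R_bob, plain3[:WIDTH])
    # Step 5  Alice checks the challenge_A echo; EKE proper ends here
    if b2i(sym(R_alice, msg4)) != challenge_A:
        return result
    result["eke_ok"] = True
    # A-EKE.5  Alice -> Bob: {H'(P, R)}_R.  Lacking P, an impostor can only sign under a guess.
    x = alice_x if alice_x is not None else private_key("guess")   # constructed guess
    e, s = sign(x, i2b(R_alice))
    msg5 = sym(R_alice, i2b(e) + i2b(s))
    # Step 7  Bob decrypts and accepts only if S(H(P), H'(P, R), R) holds
    plain5 = sym(R_bob, msg5)
    result["aeke_ok"] = verify(bob_hp, i2b(R_bob), (b2i(plain5[:WIDTH]), b2i(plain5[WIDTH:])))
    return result


def demo() -> dict:
    P = "correct horse"   # constructed sample password
    hp = H(P)             # the only thing the host's password file holds
    return {
        "genuine user (knows P)": run_aeke(H(P), private_key(P), hp),
        "wrong password": run_aeke(H("wrong guess"), private_key("wrong guess"), hp),
        "attacker holding stolen H(P) only": run_aeke(hp, None, hp),
    }


if __name__ == "__main__":
    for who, r in demo().items():
        print(f"{who:36s} EKE accepted={r['eke_ok']}  A-EKE accepted={r['aeke_ok']}")
```

The third run is the property the paper is after: with the password file in hand the attacker completes steps 1 through 5, exactly as the paper notes such an attacker can mimic the host, yet cannot produce a signature that verifies under $H(P)$ without $P$. The comment at A-EKE.1 marks the one place where this toy departs from a usable implementation: whatever is encrypted under $H(P)$ must be indistinguishable from random under every candidate key, or the password-file attacker's dictionary attack becomes an online one for everybody.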