A Secure One-use Dynamic Backdoor Password System Based on Public Key Cryptography YU Haitao A Thesis Submitted in Partial Fulfillment of The Requirements For the Degree of Master of Philosophy in Information Engineering • The Chinese University of Hong Kong Jan 2002 The Chinese University of Hong Kong holds the copyright of this thesis. Any person(s) intending to use a part or whole of the materials in the thesis in a proposed publication must seek copyright release from the Dean of the Graduate School. fen 8 IfH 13 jij ^^SUBRARY SYSWy Acknowledgment Here I want to show appreciation to my academic supervisor, Prof. Victor Keh-Wei, for his patient guidance on my research. I just came to Information Integrity Lab only for more than one year. But just in this year, He showed me an attractive research field of cryptography. With his supervision, I find this field interests me much. Also the lab provides me enough equipment for the research work, which enables my free work on my research topic. My thanks will extend to all of my lab members. All the members in the Information Integrity Lab co-operate very well, providing well research environment for me. This has much effect on my thesis research. Finally, I want to thank my family, who give me all hearts support. They make me able to keep all my time and energy on my research work. i Abstract With the development of information technology, people move their lives and business into digital world. Widely adopted digital systems make information security playing an important role in people's daily activities. From the information security point of view, the current authentication methods implemented in information systems are not safe enough even with special administrations. Backdoor password is a common method to solve the problem of lost or forgotten administrative password of an information system. For its function of convenience, this method weakens the system security against hostile activities. The existence of backdoor account also makes a system vulnerable to attacks. Consequently, the information stored in or delivered by the system will face unexpected danger. In this thesis, a new method based on public key cryptography is proposed to replace the traditional backdoor password authentication. Because the system designed in this thesis starts from a totally different point, it overcomes the security problems that are with traditional backdoor password authentication method. Compare to the current backdoor authentication method, our system is more secure, dynamically process the request and all keys are only used once. Additionally to the principle of our newly method to fulfill the backdoor password authentication, this thesis also provide a rough practical multi-user mode system together with the system analysis. Also a concept of partial account is suggested in the system for real case study. ii 摘要 隨著信息技術的發展人們的生活與工作日益走向數碼時代。廣 泛使用的數碼系統將信息安全技術推向舞台的前沿，在人們的曰常 生活何工作中舉足輕重。但是從信息安全的角度出發，即使有專門 的管理，時下的信息系統的身分認證方式仍然不夠十分安全。 在許多信息系統中，解決遺失或忘記管理員口令的方法通常是 使用系統中的後門口令。爲了功能性的實現和使用方便，後門口令 常常削弱系統抵抗敵意行爲的安全性能。同時後門用戶的存在，也 爲黑客攻擊留下方便之門。結果使得信息系統中存儲或傳送的信息 面臨不可預知的危險。 本論文提出了一種基於公鑰密碼學的驗證方法，用於替代現有 後門口令驗證系統解決遺失口令的問題。由於系統基於全新的觀點 設計，因此可以克服現有傳統後門口令驗證系統的安全隱患。與之 相比，本論文提出的系統具有更好的安全性，動態處理過程和所有 關鍵密鑰均爲一次性使用等良好的特性。 本篇論文不僅提出了解決管理員口令遺失問題的全新解決方 法，而且設計出一個基本接近實用的多用戶系統，並作了系統的安 全性分析。本論文還提出了在該系統的具體實現中使用”半用戶” 的槪念。 iii Contents Chapter 1. Introduction 1 1.1 Introduction 1 1.2 Thesis organization 6 Chapter 2. Conventional password authentication and backdoor password schemes ...7 2.1 Password and password authentication 7 2.1.1 Introduction to password and its security problems 7 2.1.2 Front-door passwords vs. backdoor passwords 8 2.1.3 Dynamic passwords vs. static passwords 9 2.2 Forgotten-password problem 10 Chapter 3. Introduction to Cryptography 12 3.1 Introduction to information security 12 3.2 Conventional cryptography 16 3.3 Public-key cryptography 21 3.4 RSA cryptosystem 24 3.5 One-way function 27 3.6 Digital signature 30 3.7 Secret sharing 34 3.8 Zero-knowledge proof. 34 3.9 Key management 36 3.9.1 Key distribution in conventional cryptography 36 3.9.2 Distribution of public keys ..."39 Chapter 4. A secure one-use dynamic backdoor password system based on Public Key Cryptography 42 4.1 System objectives 42 4.2 Simple system and analysis 45 4.2.1 System diagram 45 4.2.2 System protocol 46 4.2.3 Applied technologies 50 4.2.4 System security analysis 52 4.3 Multi-user system and analysis 55 iv 4.3.1 Modification to the system diagram 56 4.3.2 Modification to the system protocol 57 4.3.3 System analysis for multi-user system 64 4.4 Applicable modes and analysis 66 4.5 Conclusion 68 Chapter 5. Conclusion 69 Bibliography 71 Appendix 72 A. Algorithm of MD5 72 B. Algorithm of DSA 76 C. Algorithm ofRSA 79 V Chapter 1. Introduction 1.1 Introduction As time goes by, people's life changes much with the development of information technologies. Almost everyday, people start to turn on their radio or TV to get the latest news when they open their eyes in the morning. And even when planning to go to bed, people would like to check if they get new email till that moment. When people go to work, they manage their normal work according to the information they got, make decisions by exchanging the information and minds their colleagues provided and handle the urgent issues from newly coming messages; when people go out for recreation, they enjoy the movies or music for the relaxing information they are experiencing from them, feel entertained for sharing the information when joining the activities with other people and are enriched by the books they are reading. Maybe they will choose to die if they cannot gain anything through all the means they can. Modem people live with, on and for the information. Fortunately, technologies help people to get and exchange information fast and easily. In the last ten years, the Internet and the applications based on networks go beyond our imaginations. More and more people become familiar with this Internet and its applications and feel it is a really fast and easy way to exchange information. Now, the Internet has grown strong enough to carry the same amount of information as many traditional medias like newspaper and TV, or even more. More and more business, educations, social services find their wide contacts with their intentions with this advanced technology. The Internet and its applications, now called the information technologies, help people live more efficiently in the convenience of obtaining information. If the computers and their wide adoptions in many fields were new industrial revolution, the information technologies would be another peak of this revolution waves. Now come the questions: who provide all kinds of the information covering as many fields as possible and what make the numerous information available to people 1 allover the world? If you are familiar with the information technologies, you maybe tell us the answers are ICPs and networks. What is ICP? It is short for Internet Content Provider, who provides lots of information to the public, all kinds of，in his powerful computer servers. As to network, maybe a pizza boy can explain this term in very simple way and is able to be understood even by my grandma. All the technical guys know that network has nodes and links. Links are the physical paths connecting to all nodes mutually, including the coaxial cables, twisted cables, optical fibers and wireless channels. The nodes are the major function parts, mostly are computers and special networking equipment. ICPs，servers provide the Internet contents. And the special networking equipment is responsible for making the global network a unity using the broadcasting, switching, routing technologies. In another words, the server nodes provide the information while the special networking nodes direct the information to the destinations according to the requests. Till now, we know where our information comes from and how it reaches us. As it is said that some people would choose to die if they cannot exchange the information with others, we begin to worry about the security of these nodes essential to us. Maybe those guys are too exaggerating to do so if lacking of information, but in nowadays, information equals to wealth. You may think of what it will be if "Yahoo!" or "Google™" is out of services for two days. People will feel disturbed a lot - they cannot get what they want from the Internet as usual for they are relying on these Internet searching portal sites to gather information. Or even worse, if the “Hotmail” is down for a whole day, there will be millions of people affected by the failure of this biggest worldwide public mail system. Maybe many businesses will be delayed because the managers cannot confirm the information from the Internet or check and reply the emails as scheduled, and the loss may be in billion dollars. But in most cases, our worry about the stability of the services for both server and networking nodes is not necessary. Those servers and equipment are all produced by worldwide famous manufacturers such as Sun, IBM, HP for the servers, and Cisco, Lucent, Nortel for the networking equipment. The qualities of the nodes can be reliable enough for the manufacturers' sound reputation. And then these nodes, both servers and networking equipment are placed in special rooms with proper temperature, humidity, cleanness and even electronic- magnetism. These rooms are kept very carefully to avoid physical damages like fire and loss of power. And even more, some are guarded by armed soldiers. Finally, all those nodes have 2 administrators whose responsibility is to make everything all right when the nodes go wrong. If some nodes are of high importance, private administrators will be assigned to ensure the reliabilities and function recoveries.