Monday, May 5, 2014

Dual EC SRP (request for feedback)


I'm looking for feedback on a proposal for adapting Secure Remote Passwords (SRP) to Elliptic Curves.  


Update: Steve Thomas provided an attack on this proposal.  I've been trying to find a way to protect against it without introducing new flaws but I have not been able to do so.  I will post about these efforts soon and link to the new post here.

For readers already familiar with elliptic curves and SRP, the very short version is this: I propose a protocol based on SRP and Diffie-Hellman using a public point Q and a secret point P=xQ where x is the user's password hash. The exchange of public values A and B is modified slightly. The server will generate a value B' = bQ but will also generate a random number r and multiply both P and Q by r. the value rQ is sent to the client along with the value B = B' + rP. The client must calculate the value rP = xrQ and subtract rP from B to get B'. A wrong value of B' resulting from the client's lack of knowledge of x or the server's lack of knowledge of P (in the case of an impostor) will result in a wrong value of S where S=aB'=bA=baQ. After calculating S, the client sends a verifier M1=H(A,B,S) which the server authenticates and responds to with H(A,M1,S).

I look forward to your comments. The (very rough) version follows below.


Abstract
Secure Remote Passwords (SRP) is a password authentication protocol based on Diffie-Hellman Key Exchange (DHKE).  SRP resists both passive and active attacks and does not store a password-equivalent on the authenticating server.  There has  been interest in adapting SRP to work on elliptic curves, but elliptic curves provide only an additive group whereas SRP requires a field (with addition and multiplication of field elements).



Secure Remote Passwords

Secure Remote Passwords (SRP) is a password authentication and key exchange protocol based on Diffie-Hellman Key Exchange (DHKE).  All computations in SRP are done in a finite field n* where n is a large prime(Wu, 1998).  The verifier stored on the server is the value gx where g is a generator of n* and x is the SHA-1 hash of the user's password (Wu, 1998; Wu, 2000).  In addition to the verifier, the server stores a salt value s which is not secret and is used to compute the salted hash of the user's password.  The salt for each user should be unique.


The steps in the SRP protocol, illustrated in Table 1, are as follows:

  1. The client signals his intent to log in and transmits his username, I,  to the server.  The server looks up the user's verifier v=gx mod n and the salt value s.
  2. The server responds to the client with the salt value s.  The client uses the hash function H to hash the salt, username and password into the digest value x.
  3. The client generates a secret ephemeral value a, computes A=ga and sends A to the server.  The server computes B = 3v + gb = 3gx + gb.  Notice that this value of B is different than what we would expect in a Diffie-Hellman Key Exchange.  The addition of the value 3v serves two purposes.  First, the addition of v integrates the verifier into the protocol so that the server can prove knowledge of v and the client can prove knowledge of x.  Second, the multiplication by three introduces an asymmetry that prevents a novel (but not very serious) attack where an active attacker attempting to impersonate the server can make two guesses at the password (Wu, 2002).
  4. The server sends the value B to the client and both sides hash the public values A and B to compute u.  The value u is used to ensure that the following computations are specific to this choice of public values (and therefore the ephemeral keys a and b) in order to prevent attacks where the client knows the verifier and can construct A to cancel out v in the server’s calculation of S.
  5. Both sides compute the value S which will be hashed to create the key in step 8.
    1. The client computes S = (B - 3gx)a+ux = (3gx + gb - 3gx)a+ux = (gb)a+ux = gba+bux
    2. The server computes S = (Avu)b = (ga(gx)u)b = (ga+ux)b = gba+bux
  6. The client hashes the values A, B and S to create the verifier M1 and sends it to the server which verifies M1 using its own calculation for S.
  7. The server calculates M2 by hashing the values A and M1 along with its own calculated value for S and sends the result to the client.  The client verifies M2.
  8. The client and server both hash their previously calculated values of S (which should be equal) to create the session key K.



Step
Client
Traffic
Server
1

I = username ---->
Lookup the salt s
and verifier v=gx
2
x=H(s, H( I:P))
<-----s

3
A=ga
A---->
B = 3v + gb
4
u = H(A,B)
<----B
u = H(A,B)
5
S = (B - 3gx)a+ux

S = (Avu)b
6
M1 = H(A,B,S)
M1---->
(verify M1)
7
(verify M2)
<----M2
M2 = H(A, M1, S)
8
K = H(S)

K= H(S)

Table 1: The SRP-6 Protocol (Wu, 2002).



A Critical Component of SRP

One of the most critical steps in SRP, and the one that makes it difficult to adapt SRP to elliptic curves is the calculation of B in step 3.  The server adds the user's verifier and the server's public key (gb)  to produce the value B; the client then subtracts out the verifier exponentiating by a+ux.  This critical piece allows the client to prove knowledge of x without giving away any knowledge of what he thinks x is.  Suppose instead that both sides simply calculated gabxAn attacker posing as the server would be able to assemble gab and mount a dictionary attack to discover x since he would be able to check his guesses against the client's value for gabx (using S).  The mechanism used by SRP does not allow this to happen.

The Elliptic Curve Discrete Logarithm Problem
The elliptic curve discrete logarithm problem (ECDLP) is similar to the ordinary discrete logarithm problem except that it involves point addition on elliptic curves instead of exponentiation.  It is also considered to be a hard problem.  Given a starting point P and an ending point T, the ECDLP challenges us to find the value x such that T = xP = P +...+ P (x times) (Paar and Pelzl, 2010, pg. 247). 

Dual_EC_DRBG
Dual_EC_DRBG is a random number generator that uses elliptic curve operations.  (See Figure 1).  In 2007, Shumow and Ferguson discovered that it was possible to backdoor Dual EC by selecting the points P and Q such that P = dQ for some value d.  Since it is relatively easy to reconstruct R*Q (or a handful of possibilities for R*Q) from T, an attacker who knows the value d can calculate R*P = d*(R*Q) which allows him to predict the next state value S.



 Figure 1

Dual EC SRP
The SRP protocol cannot be directly adopted for elliptic curves because elliptic curves provide only an additive group whereas SRP requires a field (with addition and multiplication of field elements).  This paper proposes an adaptation of SRP for elliptic curves using a mechanism inspired by the Dual EC DRBG backdoor to establish a shared parameter.  

Note: this isn't Dual EC DRBG.  I just came about the idea while studying elliptic curve cryptography and Dual EC DRBG.  The two points stored by the server in my scheme aren't necessarily any different than in a previous scheme proposed by Wang, but my proposal is simpler.  

In this protocol, the server stores two points on an elliptic curve, P and Q where P = xQ and where x is the hash of the user’s password (using a strong password hashing function).  The point Q is public.  The point P is the verifier which must be kept secret.  An attacker can use knowledge of P to impersonate the server or to mount a dictionary attack on x (by guessing values x’ and checking whether P = x’Q.
  
Step
Client
Traffic
Server
1
I = username
I ---->
Lookup the salt s
and verifier P = xQ . 
2
x=H(s, I, P)
<-----s

3
A=aQ
A----->

4

<----B, Tq
Generate random values r and b.  Calculate Tp = rP and Tq = rQ

B = Tp + bQ
B’ = bQ
5
Tp = xTq
S = a(B – Tp) = aB’

S = bA
6
M1 = H(A,B,S)
M1---->
(verify M1)
7
(verify M2)
<----M2
M2 = H(A, M1, S)
8
K = H(S)

K= H(S)
Table 2: Dual EC SRP

The steps for the proposed Dual EC SRP protocol are as follows:
  1. The client signals his intent to log in and transmits his username, I, to the server.  The server looks up the user’s verifier P=xQ and the salt value s.
  2. The server responds with the salt value.  The client uses the hash function H to hash the salt, username and password into the digest value x.
  3. The client generates a secret ephemeral value a, computes A = aQ and sends A to the server. 
  4. The server generates random values r and b and computes B’ = bQ, Tp = rP and Tq = rQ.  The server sends Tq and B to the client.  Tp is never transmitted.
  5. The client uses his password hash to compute Tp = xTq then calculates B’ = B – Tp.  Finally, S = aB’.
  6. The client calculates and sends M1 = H(A, B, S).
  7. The server calculates and responds with M2 = H(A, M1, S).
  8. Both sides compute K = H(S).

Notes and Analysis
The structure of this protocol is very close to SRP, but the calculation of B and S is different and the value u=H(A,B) is missing entirely.  The value u is not used because the verifier P is not used directly in the calculation of S.  Rather, P is used to generate Tp which is calculated indirectly by the client as xTq.  An attacker with knowledge of the verifier  cannot determine Tp from Tq and cannot trick the server into cancelling it out.

The server does not directly use either T value in the calculation of S.  Instead, the client must be able to determine Tp in order to subtract it from B to learn B’.  The server always knows B and B’.

Notice that the server does not directly use either the verifier or Tp in order to calculate the key.  If an attacker poses as the server without knowing P or x, the attacker will be able to generate the “correct” key: bA = baQ.  The client, however, does use the value Tp in order to determine B’ and will arrive at a different result.  The attacker cannot use the client’s calculation of S to mount a dictionary attack either since the client’s calculations require both Tp and a.  Put differently: the client and server must agree on the value of Tp or the client will end up with the wrong value for B’.

For a passive eavesdropper, the security of Dual EC SRP reduces to Elliptic Curve Diffie-Hellman Problem and the reduction is simpler than in SRP.   The Elliptic Curve Diffie-Hellman Problem asks us to determine the value S=baQ from the values A=aQ and B = bQ.  The best known method for doing so is to compute the discrete logarithm of A or B, but it has not been proven whether the Diffie-Hellman and discrete logarithm problems are actually equivalent.

Here, the only complication is the addition of the value Tp to the server’s transmitted value of B.  The client subtracts out Tp from B and computes aB’.   Assume that the passive observer is able to recover  x or Tp and can calculate B’.   The eavesdropper then has the values A = aQ and B’ = bQ. 

The transmitted values s and Tq do not carry any information about the values a or b.  As with SRP, the verifiers M1 and M2 must be computed using a secure cryptographic hash function in order to prevent pre-image attacks which might reveal information about the computed value S.

Questions
What have I overlooked?

Can an active attacker gather enough information to mount a dictionary attack on the user’s password?

Update: There isn't much in the literature about adopting SRP to elliptic curves, but there have been prior proposals.  The only one I have a copy of, by Yongge Wang, was proposed in 2001.  I believe that my scheme is simpler, easier to analyze and has a more straightforward reduction to the EC Diffie-Hellman Problem.  

References

Hoffstein, J., Pipher, J., & Silverman, J.  (2008).  An Introduction to Mathematical        Cryptography.  New York, NY: Springer.

Paar, C., Pelzl, J.  (2010).  Understanding Cryptography: A Textbook for Students and
            Practitioners.  New York, NY: Springer.

Wu, T.  (1998).  The Secure Remote Password Protocol.  In Proceedings of the1998 Internet
Society Network and Distributed System Security Symposium, San Diego, CA Retrieved from http://srp.stanford.edu/doc.html

Wu, T.  (2000).  The SRP Authentication and Key Exchange System.  In Network Working
Group, Request for Comments: 2945.    Retrieved from http://tools.ietf.org/rfc/rfc2945.txt

Wu, T.  (2002).  SRP-6: Improvements and Refinements to the Secure Remote Password
            Protocol.   Retrieved from http://srp.stanford.edu/srp6.ps

No comments:

Post a Comment