6.

857 Computer and Network Security Fall Term, 1996

Lecture 14 : October 24, 1996

Lecturer: Ron Rivest Scribe: V an2

Topics covered in this lecture:

 One-Time Passwords
 Secure Channels
 Zero-Knowledge Protocols

1 One-Time Passwords
Although passwords are useful for security purposes, they can be easily compromised
if the same password is used for long periods of time. Hence, it is always wise
to periodically change your password. An extreme take on this idea is to have a
\continuously" chaning password. In other words, passwords can never be used twice.
Once the password is used to gain access into a system, that password is no longer
valid and a new password must be used in order to gain access the next time. This
method is very robust against attacks (if passwords are chosen randomly). There are
a number of ways to implement one-time passwords. We enumerate a few here.

1.1 S-Key
This method makes use of the idea of hashing to implement one-time passwords.
h(X1 ) h(X2 ) h(X3 ) h(Xn )
X 0 X 1 X 2 X :::Xn
3 1 Xn

With this method, the user uses X :::Xn as passwords beginning with X . The
1 1
computer originally stores X . To gain access, the user inputs X . The computer
0 1
hashes this value. If the output of the hash matches X , the user is allowed access.
0
At this point, the computer updates its internal value to X . Hence, the next time, 1
the user must enter the value X in order to gain access, and so on and so forth. Note
2

1
2 1 ONE-TIME PASSWORDS
that only the user has a list of the passwords. The computer itself doesn't have the
list of passwords since it isn't a safe repository. The computer only has the means
of verifying the validity of the password. Also, the hashing function must be strong
enough that an adversary cannot engineer Xk given Xk . Note also that to generate
1
the list of passwords, the generator must begin with Xn and work backwards until
X. 0

1.2 Challenge-Response
This method is very similar to secret functions. Everytime a user wants access, the
user is prompted with a \challenge." If the user knows the secret function, the user
can calculate the value and \respond."

User R challenge
Host
00
=\

User F R response
! Host
00
( )=\

The host also has the means of calculating the correct value. If the challenge is
di erent everytime the user desires access, the result would be a one-time password
system. Of course, instead of a function, this system could also use, say, public-
private key encryption. The user is present with a message (challenge). The user
must encrypt it with the private key. The host veri es the user by decrypting the
message using the public key and seeing if it matches the original message. If it does,
the user is granted access. In general, however, it is not a good idea to sign arbitrary
messages as the \challenge" could be anything, like an encrypted message which says
that you are giving your home away.

1.3 Weaknesses
The problem with both protocols mentioned is that there is no way of binding the
authentication process with the communication line. In fact, both methods are vul-
nerable to \hijacking": when an active adversary disconnects the line between the
user and host and pretends to be the user and gain access after the user has au-
thenticated. Hence, this solves the problem of authentication, but the channel of
communication is not secure.
 3

2 Secure Channels
The idea behind secure channels is that once established, you can be sure that the
person you are talking to on the other side of the communication line is the person
you began the conversation with.

2.1 Basic Die-Hellman

Let p be a large prime publicly known and g a generator modulo p. Let's also assume
Alice wants to establish a secure channel with Bob.
1. Alice picks a random number mod p 1, which we will call x. This number is kept
secret from the adversary. She then sends Bob gx.

x
A g! B

2. Bob picks a random number mod p 1, which we will call y. This number is kept
secret form the adversary. He then sends Alice gy .

gy
A B

3. Now both Alice and Bob can use gxy as their session key, as Alice knows gy from
Bob and she knows x. Hence, she can calculate (gx)y = gxy . Symmetrically, Bob
knows gx from Alice and he knows y and therefore can calculate (gx)y = gxy .
Once this is established, it is very dicult for an adversary to ascertain gxy and
therefore it is very dicult for an adversary to pretend to be either Alice or Bob.
Note: This protocol relies on another problem in discrete math: the Die-Hellman
problem. Simply stated, it claims that given g x; gy (mod p), it is hard to nd gxy .
This problem is similar to the discrete logarithm problem, although at best this is
as hard, since knowing how to solve discrete logs solves the Die-Hellman problem,
but the inverse is not necessarily true: there may be some trick method to solve this
problem without computing the discrete log.
4 3 ZERO-KNOWLEDGE (LEAKAGE) PROTOCOLS
2.2 Die-Hellman \Die"culties
There are, however, major problems with the Die-Hellman method of establishing
a secure channel:

 Only works if the adversary is passive.

 There is forward secrecy but no authentication.
This makes Die-Hellman vulnerable to "man in the middle" attack (a type of active
attack where the intruder controls the ow of messages, and pretends to be the person
the participants are trying to talk to).
x x0
Alice g! Eve g! Bob

gy 0
gy
Alice Eve Bob

1. Eve, for example, can pretend that she is Bob to get gx from Alice during the
initial transmission. She can then send Alice some gy which Alice would think is
0

from Bob.
2. She can then send Bob some gx which Bob would think is from Alice. Bob, under
0

the protocol, would return gy which would be intercepted by Eve.

3. Now Eve has gx; y0; gx ; y, which she can get gxy to talk to Alice with, and gx y
0 0 0

to talk to Bob with. Neither Alice nor Bob realize that Eve is decrypting all their
communications, reading it, and then passing them on encrypted with the other key.
This problem can be xed if authentication is also used as part of the process, such
as using public keys. More about this will be discussed later.

3 Zero-Knowledge (Leakage) Protocols

The idea behind zero-knowledge protocols is that you prove a fact (knowledge of a
password, solutions to a hard problem), without giving away any information (the
password, the solution, etc.)This means the person you are talking with will at the end
 5

strongly believe that you know the secret, but have no way of knowing what the secret
is. You don't \leak" any information. This method prevents potential adversaries
from learning your password when you type it in, as in conventional password based
systems.
For example let (n; e) be an RSA public{key. Assume that Alice wants to prove that
she knows some m where c = me mod n is her public.
She could do the following:
1. Alice sends Bob y = re where r is a random number mod n.
2. Bob sends Alice either b = 0 or b = 1
3. Alice sends Bob z = r  mb that is either r or rm.
4. Bob then checks the result, that is if he sent b = 0 he checks that ze = y, if he
sent b = 1 he checks that ze = yc.
This basic protocol should be repeated many times (say 20.)
Why does this protocol work? In particular what does it achieve?
We have to prove the following things:

1. The correct Alice who knows m should always pass the protocol. This property
is usually called completeness. This is clearly true in our case.
2. If a bad Eve tries to impersonate Alice without knowing m she should fail with
high probability. This property is usually called soundness. Notice that since
Alice is prepared to answer both questions b = 0 or b = 1, then she must know
m. For Eve instead the only possibility would be to guess what Bob is going
to ask. She chooses r at random. If she thinks Bob is going to ask b = 0 then
she behaves like Alice in the rst message sending y = re. If she thinks Bob is
going to ask b = 1 then she sends y = re=c. Her answer in the rst message
will always be the only e{root she knows, i.e. r. However if the protocol is
repeated 20 times and Bob's choices are always randomly and independently
chosen Eve will have a probability of convincing him equal to 2 . Notice that
20

by increasing the number of repetitions one can bring this probability as low as
desired.
3. Finally we want that Bob learns nothing from his interaction with Alice. This
is why this kind of protocols is called zero{knowledge. We have to argue
6 3 ZERO-KNOWLEDGE (LEAKAGE) PROTOCOLS
that the transcript of the conversation with Alice reveals nothing to Bob. A
way to argue this is to prove that Bob can construct such transcript on his
own without interacting with Alice. Indeed Bob could (behaving like Eve)
generate a transcript with the same identical probability distribution of the
true conversations.

NOTE: One could argue that Challenge-Response is also a zero-knowledge protocol;

however, this isn't the case. The host cannot generate the transcript of a conversation
with the same probability distribution as that of a true conversation.