Field of the Disclosure
The present disclosure generally relates to secret-key/public-key cryptography, and more specifically to a method and system for providing challenge-response mutual authentication, using encrypted Diffie-Hellman key exchange, based on a symmetric key or zero-knowledge proofs.
Description of the Related Art
The “background” description provided herein is for the purpose of generally presenting the context of the disclosure. Work of the presently named inventors, to the extent it is described in this background section, as well as aspects of the description which may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present invention.
The term authentication is defined herein as the process of verifying the identity of a person, program, device, or entity: the process of determining whether someone or something is, in fact, who or what it is declared to be. Consider two parties, Alice and Bob, sharing a secret S. Bob, who plays the trusted authenticator role, would like to authenticate Alice's identity over an insecure channel based on knowledge of S. An adversary Eve, without knowledge of S, should not be able to persuade Bob that she knows S. This type of authentication is known as traditional symmetric-key authentication. Authentication can be accomplished using any one or a combination of three factors: what the user is (e.g. fingerprints), what the user has (e.g. smartcards), and what the user knows (e.g. passwords).
The last factor, known as direct password authentication, is the most widely implemented single-factor authentication mechanism because of its low cost, minimal requirements, and easy replacement. However, users often choose weak passwords because they are easy to remember, such as a date of birth, a phone number, or dictionary words. Thus, authenticating users' identities to systems over an insecure network with just a user ID and password is prone to both active and passive attacks.
In an active attack, the adversary guesses a password from a list of dictionary words (a dictionary attack) and initiates an authentication attempt with an honest party. If the attempt succeeds, the attacker concludes that the guessed password is correct. This attack is easily thwarted by password lockout mechanisms that lock the user account after a certain number of invalid login attempts. A passive attack, by contrast, is difficult to detect: the adversary mounts a dictionary attack or a brute-force attack against the password offline, based only on observed messages. Brute-force attacks consume far more resources and time than dictionary attacks, which search through only potentially meaningful words.
To mitigate the risk of active and passive attacks against secret-based authentication systems, the authentication system can implement a challenge-response authentication mechanism. Challenge-response authentication is a mechanism in which one party presents a challenge and another party must provide a valid response to be authenticated.
Challenge-Handshake Authentication Protocol (CHAP), as the name indicates, is a challenge-based authentication mechanism which can authenticate either the client to the server or vice versa, or extend the authentication phase in both directions to provide mutual authentication. Authenticating a client's identity begins at the server, which generates a random challenge that must be different every time, assigns it a unique challenge identifier, and sends both the challenge and the identifier to the client. The server also includes its ID in the request so that the client knows to whom it is authenticating. The client concatenates the challenge identifier, the user password, and the random server challenge, and then calculates an MD5 hash (the output of a cryptographic hash function, expressed as a hexadecimal number) over the resulting string. This hash, along with the plaintext username, is sent to the server as the challenge response. The server calculates the same hash and compares the results to acknowledge successful authentication. CHAP protects against replay attacks through the use of an incrementally changing identifier and a variable challenge value. CHAP is an authentication scheme implemented in communication protocols such as the Point-to-Point Protocol (PPP) and Link Control Protocol (LCP).
CHAP provides security against replay attacks because the challenge changes and should be unique for every exchange. However, CHAP requires the authentication server to hold the password in clear text unless encryption is used, so compromising the CHAP authentication server compromises all user passwords. CHAP is also vulnerable to offline attacks when the authentication is performed over an unencrypted channel: if strong passwords are not enforced, an attacker who captures a single challenge/response exchange can mount a brute-force or dictionary attack to recover the password.
CRAM-MD5 stands for Challenge-Response Authentication Mechanism based on the keyed-hash message authentication code with MD5 (HMAC-MD5). A client accepts the server's offer of the mechanism by issuing an AUTH CRAM-MD5 command. The server returns a challenge consisting of random data. The client then responds with its username, a space, and a hash value, all base64 encoded. The digest is the output of HMAC with the MD5 hash function, using the shared secret and the server's challenge as inputs. When the server receives the client's response, it compares the presented hash value with the one it computes over the same data. If the two match, access is granted. CRAM-MD5 is widely implemented as an authentication method for the email mailbox-management protocols POP and IMAP, and is supported by the Simple Authentication and Security Layer (SASL).
CRAM-MD5 was designed to avoid having the password transit in clear text. However, it is vulnerable to an offline attack: an attacker who can eavesdrop on the communication channel can mount a dictionary attack to recover the password. CRAM-MD5 also does not support mutual authentication, since it authenticates only the client.
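The CHAP and CRAM-MD5 computations described above, as an added example that is not part of the original disclosure: each response is computed as the text specifies, each has a server-side check, and the last function shows why a single captured CHAP exchange is enough for the offline guessing both passages warn about. The secrets, challenges and candidate lists used with it are constructed values.

```python
import base64
import hashlib
import hmac

# Added example, not the patent's code: the CHAP and CRAM-MD5 response computations
# described above, each with its server-side check, and a function showing why one
# captured CHAP exchange is enough for the offline guessing the text warns about.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response: MD5 over the one-octet identifier, the secret and the challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute with the stored clear-text secret and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def cram_md5_response(username: str, secret: bytes, challenge_b64: str) -> str:
    """CRAM-MD5 response: base64 of 'username<space>hex(HMAC-MD5(secret, challenge))'."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def cram_md5_verify(secrets: dict, challenge_b64: str, response_b64: str) -> bool:
    """Server side: look up the user's secret and recompute the HMAC over the same challenge."""
    try:
        username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except ValueError:          # malformed base64, bad UTF-8, or no separating space
        return False
    secret = secrets.get(username)
    if secret is None:
        return False
    expected = hmac.new(secret, base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def offline_recover(identifier: int, challenge: bytes, response: bytes, candidates):
    """The weakness: with only the captured identifier, challenge and response, every
    candidate password is checkable locally, so login lockout never gets a chance to act."""
    for candidate in candidates:
        if chap_verify(identifier, candidate, challenge, response):
            return candidate
    return None
```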
The Salted Challenge Response Authentication Mechanism (SCRAM) is a password-based authentication mechanism. SCRAM offers significant improvements over the previous password-based mechanisms, including mutual authentication. The client sends the first message, which contains a header, the username, and a unique randomly generated nonce. The server replies with its first message, containing the user's iteration count, the user's salt, and its own nonce. The client then responds with the client-final-message, carrying the same nonce and a client proof computed using a symmetric hash function. The server verifies the client's proof; if it matches the server's own calculation, the server sends a final message to the client, who in turn verifies the server's proof. SCRAM is used in Simple Authentication and Security Layer (SASL) mechanism negotiation, in applications such as the Lightweight Directory Access Protocol (LDAP).
SCRAM itself does not provide a security layer, so SCRAM is implemented in conjunction with Transport Layer Security (TLS) to provide confidentiality for the authentication exchange. If the SCRAM authentication exchange is performed over an unprotected channel, an eavesdropper gains enough information to mount an offline dictionary or brute-force attack to recover the password.
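The proof arithmetic behind the SCRAM exchange described above, as an added example that is not part of the original disclosure: it follows the RFC 5802 message structure with SHA-256 and shows how the client proof and the server signature give mutual authentication. The nonces, salt and iteration count passed to it are constructed values, not parameters from any real server.

```python
import base64
import hashlib
import hmac

# Added example (not the patent's or any project's code): the SCRAM proof arithmetic
# that makes the exchange above mutual, following the RFC 5802 structure with SHA-256.
# All nonces, salts and iteration counts used with it are constructed values.

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def auth_message(username: str, c_nonce: str, s_nonce: str, salt: bytes, iterations: int) -> bytes:
    """client-first-bare , server-first , client-final-without-proof: the three messages
    in the exchange above. 'biws' is the base64 of 'n,,' meaning no channel binding."""
    client_first_bare = f"n={username},r={c_nonce}"
    server_first = f"r={c_nonce}{s_nonce},s={base64.b64encode(salt).decode()},i={iterations}"
    client_final_bare = f"c=biws,r={c_nonce}{s_nonce}"
    return f"{client_first_bare},{server_first},{client_final_bare}".encode()

def server_enroll(password: str, salt: bytes, iterations: int) -> dict:
    """What the server stores: StoredKey and ServerKey, not the password or SaltedPassword."""
    salted = salted_password(password, salt, iterations)
    return {"stored_key": _h(_hmac(salted, b"Client Key")),
            "server_key": _hmac(salted, b"Server Key")}

def client_proof(password: str, salt: bytes, iterations: int, auth_msg: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key = _hmac(salted_password(password, salt, iterations), b"Client Key")
    return _xor(client_key, _hmac(_h(client_key), auth_msg))

def server_verify(record: dict, auth_msg: bytes, proof: bytes):
    """Unmask ClientKey from the proof and check H(ClientKey) == StoredKey. On success
    return ServerSignature, which the client uses to authenticate the server."""
    client_key = _xor(proof, _hmac(record["stored_key"], auth_msg))
    if not hmac.compare_digest(_h(client_key), record["stored_key"]):
        return None
    return _hmac(record["server_key"], auth_msg)

def client_verify_server(password: str, salt: bytes, iterations: int, auth_msg: bytes, sig: bytes) -> bool:
    server_key = _hmac(salted_password(password, salt, iterations), b"Server Key")
    return hmac.compare_digest(_hmac(server_key, auth_msg), sig)
```

Because both nonces are bound into AuthMessage, a captured proof is useless against a fresh server nonce; an eavesdropper on an unprotected channel is left with exactly the offline guessing the text describes.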
Diffie-Hellman (DH) key exchange is a public-key cryptographic scheme: a method that allows two parties with no prior knowledge of each other to establish a shared secret key over an insecure communication channel. DH key exchange provides forward secrecy if correctly implemented, because no long-term private keying material exists to be disclosed. However, classical DH is an unauthenticated public-key exchange. The DH method does not authenticate the exchanged messages, so they are subject to an active eavesdropper able to intercept and alter the messages passing between the communicating parties. By establishing an independent DH exchange with each party (Alice and Bob), an eavesdropper can replace the DH public keys (g^x, g^y) with his own public values (g^x′, g^y′). The eavesdropper can thus successfully impersonate Alice to Bob and Bob to Alice, because Alice will think that the secret key is g^(xy′) while Bob will believe it is g^(x′y). This type of attack is known as Man-In-The-Middle (MITM).
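The unauthenticated exchange and its MITM failure as described above, as an added example that is not part of the original disclosure: it runs DH once honestly and once with Eve substituting her own public values, then shows one illustrative mitigation, tagging each public value under the pre-shared secret S, so a substituted value is detected. The group (p = 2^127 - 1, g = 2) is a toy parameter chosen for illustration, and the mitigation is a generic sketch, not the method this disclosure proposes.

```python
import hashlib
import hmac
import secrets

# Added example (not the patent's code): the unauthenticated DH exchange described above,
# run honestly and then with Eve substituting her own public values, plus a detection check.
# The group (p = 2^127 - 1, g = 2) is a toy parameter chosen for illustration only.
P = (1 << 127) - 1
G = 2

def keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def shared(peer_public: int, private: int) -> int:
    return pow(peer_public, private, P)

def honest_exchange():
    x, gx = keypair()
    y, gy = keypair()
    return shared(gy, x), shared(gx, y)        # both sides hold g^(xy)

def mitm_exchange() -> dict:
    """Eve sends g^x' to Bob in place of g^x and g^y' to Alice in place of g^y.
    Alice ends with g^(xy') and Bob with g^(x'y); Eve holds both keys."""
    x, gx = keypair()
    y, gy = keypair()
    x_p, gx_p = keypair()
    y_p, gy_p = keypair()
    return {
        "alice": shared(gy_p, x), "eve_as_bob": shared(gx, y_p),
        "bob": shared(gx_p, y),   "eve_as_alice": shared(gy, x_p),
    }

def bind(secret_s: bytes, public_value: int) -> bytes:
    """Mitigation sketch: tag the public value with the pre-shared secret S. Eve, who
    lacks S, cannot produce a valid tag for the value she substitutes."""
    return hmac.new(secret_s, public_value.to_bytes(16, "big"), hashlib.sha256).digest()

def accept_public(secret_s: bytes, public_value: int, tag: bytes) -> bool:
    """Receiver side: reject any public value whose tag does not verify under S."""
    return hmac.compare_digest(bind(secret_s, public_value), tag)
```

The tag check assumes S has high entropy: if S were a low-entropy password, the tagged transcript would itself be checkable offline, the same weakness the text describes for CHAP and CRAM-MD5.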