1. Technical Field
The disclosed technology relates to the field of computer authentication technology.
2. Related Art
Two major security problems on the Internet are phishing and spyware. Phishing, or server impersonation, occurs when a malicious server convinces a user to reveal sensitive personal information, such as a username and password or other secrets, to a malicious server instead of the server to which the user intended to connect; the malicious server can then use the user's secrets to impersonate the user to the intended server. Additionally, many users' computers are compromised with spyware, which can record users' keystrokes (and thus passwords or other secrets) and again provide this information to a malicious party.
While widespread use of certificates obtained through a public key infrastructure (PKI) would obviate these problems, the public has not embraced PKI technology. Thus, it is difficult to create a secure channel between a user's client computer and a server system using PKI technology. Several techniques are currently used that are intended to address phishing attacks. For example, physical devices that generate one-time passwords can be used to secure corporate virtual private networks (VPNs) and online banking sessions; server-side multi-layer techniques using additional attributes, such as HTTP cookies, IP address, and browser user agent string, can also be used. These techniques can offer greater assurance as to the identity of the user but, even when deployed over today's web security protocol HTTPS/TLS, remain susceptible to sophisticated impersonation attacks, because the protocols underlying these techniques neither protect the authentication secrets nor provide strong client-to-server and server-to-client authentication. In addition, many server systems require a login ID that is difficult to guess, such as a fixed-length string of digits or a combination of alphanumeric characters. However, these login IDs are not easily human-memorable and are difficult to use.
Password-authenticated key exchange is a strong technique to defend against impersonation (phishing) attacks and provide server-to-client authentication, but current protocols depend solely on a long-term password, which can be risky when used on a spyware-infested computer, as the long-term password can be captured and misused by others.
Authentication secrets can be classified as belonging to an authentication factor. Commonly used authentication factors include: something that a user has, something that a user knows, and something that a user is or does. Multi-factor authentication requires that information from two or more of these authentication factors be used to authenticate the user and server system (that is, using several pieces of information that all fall under the same authentication factor is not multi-factor authentication). Multi-factor authentication adds a further degree of assurance to the authentication procedure. Long-term passwords are easily memorized, infrequently changed, and are used repeatedly. One-time responses are used once, change frequently and, though not easily memorized, can be provided by a small electronic token or a sheet of paper. These factors offer different but complementary resistance to different types of compromise. Together, they offer more assurance in authentication because stealing the long-term password alone (for example, by installing spyware) or losing the one-time password card alone is insufficient to compromise the authentication procedure.
FIG. 1 illustrates an existing security vulnerability 100 when current computer authentication technology is used. Here, a user of a client computer system 101 desires to make a connection to an intended host system 103. However, an adversary system 105 exists that can intercept and forward communication between the client computer system 101 and the intended host system 103 using a man-in-the-middle (MITM) attack. Thus, instead of the client computer system 101 and the intended host system 103 establishing an intended network connection 107, they have established a first adversary network connection 109 between the client computer system 101 and the adversary system 105, and a second adversary network connection 111 between the adversary system 105 and the intended host system 103. Once the adversary system 105 is in the communication path between the user's client computer system 101 and the intended host system 103, the adversary system 105 can capture and misuse the user's secrets.
This vulnerability results from the adversary system 105 being able to fool the user into thinking that the adversary system 105 is the intended host system 103 so that the user establishes the first adversary network connection 109 and makes it secure (thus mimicking the intended host system 103). Once the user has established the first adversary network connection 109 (thinking that he/she has established the intended network connection 107), the adversary system 105 then captures authentication secrets from the user and uses the captured authentication secrets to establish the second adversary network connection 111 and impersonate the user to the intended host system 103. Information sent by the user is captured by the adversary system 105 and forwarded to the intended host system 103, and responses from the intended host system 103 are likewise captured by the adversary system 105 and forwarded to the user. Thus, the user's authentication secrets and other private information are exposed to the adversary system 105. In addition, the adversary system 105 has gathered significant authentication data (account, long-term password, challenge/response information, etc.). Other vulnerabilities exist if the intended host system 103 maintains a readable, guessable, or otherwise cryptographically easy password database.
Password-authenticated key exchange was first introduced by Bellovin and Merritt in 1992 (Steven M. Bellovin and Michael Merritt. Encrypted key exchange: Password-based protocols secure against dictionary attacks, In Proceedings of the 1992 IEEE Computer Society Conference on Research in Security and Privacy, May 1992) in the form of encrypted key exchange (EKE), a protocol in which the client computer and server system shared the plaintext password and exchanged encrypted information to allow them to derive a shared session key.
Bellovin and Merritt subsequently introduced an augmented EKE (Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise, Technical report, AT&T Bell Laboratories, c. 1994). The augmented EKE removed the requirement that the server hold the plaintext password; instead, the server stores a one-way function of the password. The former is called a symmetric password-based protocol, because both the client computer and the server system share the same plaintext password, whereas the latter is called asymmetric.
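To make the symmetric (shared-password) EKE idea concrete, the following is an added toy example in Python; it is not the patent's protocol and not Bellovin and Merritt's code. It uses a SPEKE-style password-derived generator (Jablon's construction, an assumption not taken from this page) and a deliberately tiny safe prime so the arithmetic is readable. It shows that two parties holding the same password derive and confirm the same session key while the password itself never crosses the network, and that an adversary in the FIG. 1 position who must substitute its own values with a guessed password ends up with a key that does not match the client's.

```python
import hashlib
import hmac
import secrets

P = 1019          # toy safe prime ((P-1)//2 == 509 is prime); real groups are 2048-bit+
Q = (P - 1) // 2  # order of the quadratic-residue subgroup

def password_generator(password: str) -> int:
    """SPEKE idea: the DH generator is derived from the password itself.
    Squaring a hash lands in the order-Q subgroup; hashes mapping to 0 or 1
    are skipped by bumping a counter."""
    for ctr in range(256):
        h = hashlib.sha256(f"{ctr}:{password}".encode()).digest()
        g = pow(int.from_bytes(h, "big") % P, 2, P)
        if g not in (0, 1):
            return g
    raise ValueError("could not derive a generator")

class Party:
    """One side of the exchange; knows only the password-derived generator."""
    def __init__(self, password: str) -> None:
        self.g = password_generator(password)
        self.priv = secrets.randbelow(Q - 1) + 1   # ephemeral exponent, 1..Q-1
        self.pub = pow(self.g, self.priv, P)       # the only value sent on the wire

    def session_key(self, peer_pub: int) -> bytes:
        if peer_pub in (0, 1, P - 1):              # reject degenerate values
            raise ValueError("degenerate peer value")
        shared = pow(peer_pub, self.priv, P)
        return hashlib.sha256(shared.to_bytes(2, "big")).digest()

def confirm(key: bytes, label: bytes) -> bytes:
    """Key-confirmation tag: proves the sender holds key without revealing it."""
    return hmac.new(key, label, hashlib.sha256).digest()

def run_exchange(client_pw: str, server_pw: str) -> bool:
    """Exchange pubs, derive keys, verify both confirmation tags.
    True only when both sides hold the same password."""
    client, server = Party(client_pw), Party(server_pw)
    k_c, k_s = client.session_key(server.pub), server.session_key(client.pub)
    server_ok = hmac.compare_digest(confirm(k_s, b"S"), confirm(k_c, b"S"))  # client checks server
    client_ok = hmac.compare_digest(confirm(k_c, b"C"), confirm(k_s, b"C"))  # server checks client
    return server_ok and client_ok

def mitm_learns_key(client_pw: str, guess: str) -> bool:
    """Adversary in the FIG. 1 position substitutes values built from a guessed
    password; its key matches the client's only if the guess was right."""
    client, adversary = Party(client_pw), Party(guess)
    return hmac.compare_digest(client.session_key(adversary.pub),
                               adversary.session_key(client.pub))
```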
The lack of an easy-to-use secure authentication mechanism has been a long-standing problem, because users like to use passwords that they can remember and because current single-factor password authentication technology offers little protection when weak and easily-guessed passwords are used (such passwords are considered to be low-entropy passwords). For example, such passwords can be discovered when messages captured during a protocol run are used in a “dictionary attack.”
The following United States patents represent password-authenticated key exchange technology: U.S. Pat. No. 5,241,599; U.S. Pat. No. 5,440,635; U.S. Pat. No. 6,226,383; U.S. Pat. No. 6,539,479; and U.S. Pat. App. No. 20050157874. None of these teach or suggest the use of multiple authentication factors in a password-authenticated key exchange protocol where the authentication secrets are not exposed to either party or to the network. They do teach aspects of the technology assumed to be known to one skilled in the art, and so U.S. Pat. No. 5,241,599 is hereby incorporated by reference; U.S. Pat. No. 5,440,635 is hereby incorporated by reference; U.S. Pat. No. 6,226,383 is hereby incorporated by reference; U.S. Pat. No. 6,539,479 is hereby incorporated by reference; and U.S. Pat. App. No. 20050157874 is hereby incorporated by reference.
There exist two-factor authentication schemes that do not provide cryptographic protection for the two factors. In a multi-channel system, the short-term password (an authentication factor that the user now has) can be delivered over a separate second channel (for example, via an SMS text message on a mobile phone). Once received, the user can then input the short-term password into their web browser along with their long-term password (an authentication factor that the user knows). In a multi-layer system, the server system evaluates additional attributes such as an HTTP cookie, IP address, and browser user agent string to heuristically analyze whether the user is likely to be authentic.
Some multi-layer systems try to offer additional reassurance to the user of the server's identity by presenting the user with a customized image or string. While these multi-channel and multi-layer approaches can offer some increased assurance, they can be defeated by non-cryptographic means such as sophisticated MITM attacks and spyware, and have been shown to be easily ignored by users.
It would be advantageous to design a multi-factor protocol that can leverage multiple authentication secrets, and that enables each system to verify, within a multi-factor key exchange cryptographic protocol, that the other system has access to the authentication secrets, without exposing the authentication secrets to the network or to the other system.