Delayed Password Disclosure 163
ET_Fleshy writes "Markus Jakobsson has an interesting article discussing a promising new security protocol called "Delayed Password Disclosure" that can validate a computers authenticity before exchanging passwords/keys. While nothing is ever truly secure, this seems to show promise in protecting users from a wide variety of stealth attacks (pdf) used today, specifically man in the middle (pdf) attacks."
And this is new how??? (Score:5, Insightful)
If you know the fingerprint of the host you are connecting to, you are more or less immune from man-in-the-middle attacks. If you have never communicated with the host before, nothing is going to stop a man-in-the-middle - especially if you have to magically share locations of "carbon paper" without the man-in-the-middle knowing about it.
Re:And this is new how??? (Score:1)
Re:And this is new how??? (Score:1)
It's different because it uses a carbon paper template. I suppose that to authenticate an e-mail, you'd put the thing on your computer screen. What if it's not the right size? Oops, that's not good either. False negative authentication makes it impossible to trust. That's not good either.
Maybe this is yet another invention just waiting to be patented, since only unoriginal inventions can get a patent these d
Re:And this is new how??? (Score:5, Informative)
It actually provides a technique of verifying th authenticity of a host with whom your computer has never communicated. The host, presumably, knows your password (or a salted-hash representation). The host either obtained this via connection with another computer at some time in the past, or by some information that you provided when signing up for whatever the service is (think bank). The host uses what it knows about your password to send you specially encoded information that, in combination with what *you* also know about your password can be used to verify that at the very least you aren't giving your password to a system that doesn't already have that information. You can also think of this method as a decent way to validate RSA fingerprints by a system that hasn't already been seeded with pre-shared keys.
Re:And this is new how??? (Score:1)
Re:And this is new how??? (Score:1)
Why include zombies in that? (Score:2)
#1. Zombies
#2. Man in the middle
#3. Traffic analysis
#4. "email-cluster-bomb attack"
#5. "incorrectly update routing tables"
And so forth. Of what possible use would authentication be with a bunch of zombies? If a zombie is an example of a "stealth" attack, then what would be an example of a non-stealth attack?
Anyway, if Alice and Bob (might as well use the common ID's) both have access to the password, why not s
Re:And this is new how??? (Score:2, Funny)
Strong Password Authentication (Score:3, Informative)
Re:And this is new how??? (Score:2, Interesting)
Re:And this is new how??? (Score:2)
SRP [stanford.edu] would do this (although normally with SRP you don't want the host to ever have your password, for an initial contact this could work - then you change your password securely to something else that the host doesn't know). With SRP, if the host can validate your password, that validates the host as well. Since the real host doesn't get any information about the password when you authenticate, neither does a hostile system that hijacks the authentication.
Bigger problem is... (Score:5, Interesting)
My bank (and probably many others) will block an account after three consecutive failed authentication, so any guesswork is going to be hard for the bad guys.
Lockout after failed auths is a DoS (Score:3, Insightful)
My bank (and probably many others) will block an account after three consecutive failed authentication
This is a big hole for denial of service. Try purposely logging into the bank CEO's account with a bad password, and see how quickly the policy is changed.
Re:Lockout after failed auths is a DoS (Score:3, Interesting)
p
Re:Lockout after failed auths is a DoS (Score:1)
Re:Lockout after failed auths is a DoS (Score:3, Interesting)
Re:Lockout after failed auths is a DoS (Score:2)
And now guess how programs like wwwhack work since about a decade...
Re:Lockout after failed auths is a DoS (Score:2, Interesting)
Personally, my bank usernames look like a chunk taken out of some top-secret military encoded spy message--pretty much like the password that goes with it... I think it's a good practice to obfuscate usernames as much as passwords. It's about as likely that stream of space born gamma rays would trigger my account as it is that an actual person or computer would.
Re:Lockout after failed auths is a DoS (Score:2)
Re:Lockout after failed auths is a DoS (Score:1)
I thought the parent was referring to the username being encrypted? Just like the password.
I mean, if his password looked like some huge chunk of encoded text... how on earth would anybody remember it?? I presume his bank does this client side, then transports it via https?
This way the bank users only have to remember stuff that is possible for joe blogs to remember... but a level of hightened security is still achieved.
Re:Lockout after failed auths is a DoS (Score:2, Funny)
It's hell trying to figure out what my balance is.
Re:Lockout after failed auths is a DoS (Score:1)
Personally, my bank usernames look like a chunk taken out of some top-secret military encoded spy message--pretty much like the password that goes with it
So what happens when you want someone to send you money? I thought part of the definition of "username" was that it is the public token for others who want to interact with you to identify you.
Re:How do you deposit a check? (Score:2)
A related situation: I needed to deposit some money into my friend's companies account which is in a bank branch in a different city. I had done this before with no problems. However last time I tried, they couldn't do it because you need to swipe your bank card at the human teller wicket - and I am not a customer of that bank. They had no clue how to han
Re:Bigger problem is... (Score:3, Insightful)
Re:Your sig (Score:1)
Re:Your sig (Score:1, Offtopic)
Re:Your sig (Score:2)
Re:Your sig (Score:1)
An okay article, I guess.... (Score:5, Funny)
Re:An okay article, I guess.... (Score:1, Informative)
Re:An okay article, I guess.... (Score:2)
Re:An okay article, I guess.... (Score:5, Funny)
Re:An okay article, I guess.... (Score:1)
Well, using MS Word for html authoring might not be the best idea
Re:An okay article, I guess.... (Score:2)
Nothing new to see here. Move on. (Score:5, Interesting)
The one described here looks to be a simple shared secret method. In may situations, certificate based methods are used in order to avoid the need to securely distribute a shared secret ahead of time.
For a shared secret based mutual auth, why not do the normal thing and pass random numbers and their hashes back and forth, mixed in with the challenge-response sequences needed to establish an authenticated identity, a shared session secret and liveness? Read various EAP drafts or 802.11i or recent 802.16e drafts for real world examples of how to do this. The details necessarily change with the context.
These methods have the benefit of lots of analysis by the crypto community. This delayed password disclosure scheme doesn't seem to have the same benefit.
Sharing keys? (Score:5, Insightful)
Note that use of encryption software, such as SSH, does not address this problem, since the attacker simply can replace the public keys of the two parties with public keys for which it knows the secret keys. This results in the two parties sharing keys with the attacker, as opposed to with each other; as a consequence, the attacker will be able to read (and even modify) all traffic before re-encrypting it and forwarding it.
And this is why you always share public keys via some other secure means (USB drive, cd, floppy), at least in an ideal world. The article talks about this in regards to someone transmitting data to their bank, however if I am not mistaken SSL(not mentioned in the article) already takes care of this kind of attack. Somehow I doubt any joe user is using SSH to authenticate with their bank :-)
Re:Sharing keys? (Score:5, Interesting)
Re:Sharing keys? (Score:2)
Re:Sharing keys? (Score:1)
Re:Sharing keys? (Score:2)
Otherwise, unless you check that fingerprint every time you visit the bank you won't know if the page hasn't been replaced by another site that has a Verisign-signed SSL cert. In theory Verisign doesn't just had those out to anybody, but if you trusted them you wouldn't need to verify all those fingerprints in the first place...
HTML versions... (Score:5, Funny)
stealth attacks [google.com]
"new"? really? (Score:1)
I think I'll just withdraw my deposit in gold bricks and sleep on it.
This sounds pretty interesting. (Score:5, Funny)
Re:This sounds pretty interesting. (Score:1)
IMarv
Re:This sounds pretty interesting. (Score:2)
p
Re:This sounds pretty interesting. (Score:2)
And how is this better than existing tech? (Score:1)
Breakdown (Score:3, Interesting)
Interesting, but there are probably a million such things you can do to further tighten security.
I don't see how this could work... (Score:3, Insightful)
Re:I don't see how this could work... (Score:4, Informative)
I believe that, in this case, Alice could generate the contents of said envelope with her public key, then send both the envelope and the key to the remote host. That host would respond with its positions, encrypt those with Alice's public key as well, and return the whole bunch to Alice who then decrypts everything with her private key.
There's something missing in my speculation -- why does Alice need to send anything but her public key?
Re:I don't see how this could work... (Score:1)
yes this does sound similar to quantum encription, however it is possible with non quantum technology, "an envelope only Alice can open" is as the above said encripted with Alice's public key. However, no one is looking at how the carbon paper is in the computer world.
actually, if you think of say an array of as many longs as the pasword has bits, and for each pasword bit you know to look at the two Most
Re:I don't see how this could work... (Score:2)
I would at least request and review the actual implementation before making this judgement. It is quite possible the analogy -- not to mention my interpretation -- does not do his system justice.
Re:I don't see how this could work... (Score:2)
As for mentioning quantum, I agree words like "quantum" and "relativity" are often used more for effect than substance, but if you read an intro on quantum cryptography, it reads almost exactly like this story- see for yourself:
here [dartmouth.edu]
An Opportunity to Rant. (Score:5, Interesting)
E.G. Credit card transactions over the internet. These are protected by SSL/TLS. This is somewhat removed from the credit card transaction itself, instead protecting the link rather than the transaction. So you log onto vendorX's web site and use certs with SSL/TLS to protect the link. You feel conforted by the little lock icon in the corner of your screen and proceed to hand VendorX all the details needed to drain arbitary amounts of money from your credit card.
Instead.. Protect the transaction directly, with something like a secure credit card transaction protocol. VendorX doesn't need your credit card details, he needs your money. The security protocols should run between you and the vendor to establish a transaction and the vendor's identity, between you and your credit card company to authorize a payment against the transaction to VendorX and between the credit card company and VendorX to transfer the payment.
VendorX gets the money, not a blank, signed cheque.
Repeat exercise for all activities you need to secure, applying appropriate measures for the situation. Leave SSL/TLS for securing the link, not the application.
Re:An Opportunity to Rant. (Score:4, Informative)
That was called SET. It failed because it was expensive and credit card fraud is already pretty low.
Re:An Opportunity to Rant. (Score:2)
Re:An Opportunity to Rant. (Score:3, Interesting)
SSL can easily serve all of these purposes. Of course, you would not send exactly the same message to both (this makes a known-plaintext attack p
Re:An Opportunity to Rant. (Score:1)
encrypt(Kbankfoo, sign(Kself, "Authorize $20 to [vendor] from account 000001 at bank foo"))
to the bank...
But how does the vendor knows that you didnt sent him:
encrypt(Kbankfoo, sign(Kself, "Authorize $2 to [vendor] from account 000001 at bank foo"))
?
And why would you not just send:
encrypt(Kvendor, sign(Kself, "Authorize $20 to [vendor] from account 000001 at bank foo"))
And let the vendor send
encrypt(Kbankfoo, sign(Kself, "Authorize $20 to [vendor] from accou
Re:An Opportunity to Rant. (Score:1)
Cryptographic cut-and-choose protocols.
Bascially, you send 100 sealed (encrypted), but unsigned, money orders to the vendor. The vendor picks 99 of them, and says "Open these". You do (you provide the decryption keys), he sees that they're all for $200, so he has a pretty good assurance that the 100th is also for $200. You sign the 100th.
You're sort of sign
Re:An Opportunity to Rant. (Score:2)
This is "authorization", not "payment". The vendor will still submit a normal credit card transaction with the amount, and if the authroization does not match the amount, then the normal exception handling processes involved in insufficient funds transpire. None of that has to be new technology, and there's no reason to throw out working code.
The point is that without users
Re:An Opportunity to Rant. (Score:2)
The reason to hide the information you're sending to the bank is that you might include other details in that request that the vendor should not see. If not, then it does not matter which path you choose.
I don't get it (Score:3, Interesting)
Also, it seems like you could come up with an algorithm to make password guesses based upon the numbers that were returned...trying different values that add up to zero. Or would this take too long?
Re:I don't get it (Score:3, Interesting)
It's a metaphor. As far as I can see, the bank would calculate a matrix of numbers and send that to Alice, who would use the bit-pattern from her password to find the correct numbers to use for the key.
However, as has been pointed out, if the bank knows her password, it can simply send her the session key encrypted with her password, which will be impossible for the man-in-the-middle to c
Re:I don't get it (Score:1)
Re:I don't get it (Score:2, Insightful)
X.509 Certificates? (Score:3, Insightful)
Huge text (Score:1, Redundant)
Challenge-response for mutual authentication (Score:2)
Cutesy Layperson Explanations instead of math (Score:3, Interesting)
So nobody technical can tell if they've really done anything new or interesting
Similar to interlock protocol (Score:5, Interesting)
BTW You are quite safe from MITM attacks when using SSH if you use ssh protocol 2 and public key authentication. The public key signature checks are bound to the results of the Diffie-Hellman key exchange that occurs at the start of the protocol. In the case of a MITM, these DH results will be different for the client->MITM and the MITM->server legs, so the real server will refuse to accept the signature that the client presented to the MITM and the authentication will fail.
Re:Similar to interlock protocol (Score:2)
This method is flawed (Score:1, Interesting)
My second Rant of the Day (Score:4, Interesting)
However this is the situation after you have performed the mutual authentication, not before. In all protocols I have seen, this takes place in some order. In order for Alice to authenticate Bob's identity and the other way around, with both exchanges bound together (so differentiating from bilateral authentication), Either Alice or Bob has to first reveal their identity so it can be authenticated. This includes the proposed scheme.
This asks the question "Who goes first". Usually the protocol forces this issue and leaves one side or the other in the disavantageous position of identifying themselves first. This is analagous to the gatekeeper shouting "Halt! Who goes there?" to someone trying to enter. The person trying to enter is forced to go first and reveal themselves.
I may not want to reveal my identity to anyone, especially when it comes to say, wandering around in public with a wireless device. All sorts of tracking mechanisms become possible.
What we want is a "Who goes first protocol" so I can enforce my own policy on revealing my identity. If someone wants to sell to me, they had better go first. If I'm trying to get through a door, the building owner can reasonably expect me to go first. There are plenty of situations where a network may want to only reveal its identity to people who are allowed to know its identity, and noone else.
We already have the algorithms, but the protocols are stuck in the mud and prevent us from moving forward with security that offers more than what SSL gives us.
Re:My second Rant of the Day (Score:2)
I identify myself by passing through said door.
Wireless trasponders on buildings, etc. should identify themselves before I decide to respond or not.
An SSL handshake should begin with the server proving who it is before asking me to prove who I am, etc.
I... can't keep. Reading. (Score:5, Funny)
Damnit, Bones I, can't figure out how to, place commas in, my, sentences I know they, should go somewhere I'm. Just not sure where.
Secure Remote Password (Score:5, Informative)
Stick with something that has been rigorously reviewed, and proven over a period of time. And something that can be explained simply, in terms of the actual technology, rather than resorting to pathetic analogies that do not explain anything!
SRP [stanford.edu]
Re:Secure Remote Password (Score:2)
Re:Secure Remote Password (Score:2)
This approach works in theory but... (Score:3, Interesting)
Alice could log in to the fake bank, and not realize that instead of doing the magic password trick, she's sending her password in plain text. Why? Because at the moment, the password encryption is (putting SSL aside) implemented by javascript!
To be safe, a key encryption algorithm would need an established software running it (in this case, the web browser).
This means:
a) having a W3-approved algorithm to be implemented in browsers, or
b) Having downloaded specific software by the bank (i.e. bankOnline browser(TM) or something).
Actually Pretty Vulnerable (Score:5, Informative)
http://www.eurekalert.org/pub_releases/2005-02/
Hmm. It's basically Kerberos, except totally broken.
So we don't actually know how this protocol works, but the description at the above link is vastly more coherent. (Anything with "magic envelope" and "this is a metaphor" really shouldn't be taken as a protocol specification.)
===
CUSTOMER: Bank, I will send you some information that is encrypted. You can only decrypt it if you know my password. If you don't know the password, you could of course try all possible passwords (although that is a lot of work!), but you would never know from my message if you picked the right one. Once you have decrypted the message, I want you to send it to me. If it is correctly decrypted, I will know that you know my password already. Once I know that you know my password, I will send it to you so that you can verify that I also know it. Of course, if I am lying about my identity and don't know the password in the first place, then I will not learn anything about the password from your message, so it is safe in both directions.
===
It's also wildly exploitable. Here's how:
First of all, password brute forcing? Alot of work? Only if there's no way to execute an offline attack, i.e. you can run attempts as fast as your own computer can calculate them. What we need is an offline attack -- something that lets us try to try as many attempts as possible. The most important thing is verifiability -- we need to know when we guessed the actual password.
Can we possibly verify our guess? Well, Alice sends the bank some random data, which is dutifully returned to Eve. Eve sniffs this traffic, and now has a very simple task:
Guess all possible passwords the bank could have used to decrypt the password. When the content from Alice, decrypted with the guess, equals what came back from the Bank, Eve has found the password.
But then there's Eve's friend Mallory, who thinks Eve isn't ambitious enough and wants to steal anyone's password at the bank, not just Alice's. Suppose Bob has angered her somehow. Mallory can't sniff Bob's traffic, but then, she doesn't actually need to. Mallory can simply blindly provide some arbitrary data to the bank. It's garbage going out, but even garbage will decrypt into something. Unless the bank specifically has users provide some known plaintext in the outgoing data, it's going to "decrypt" that noise, using the password, into more noise.
Once again, outgoing data + bank password = incoming data. Mallory gets to do offline attacks too -- but against any user she wants.
Of course, the bank *could* put some sort of verifier in the message that Alice sends to it. But then Eve has an even easier time guessing passwords, since she just tries random passwords until the verifier is unveiled. No need to sniff the traffic back from the Bank (which is actually significant -- it means Mallory could firewall off the bank and still successfully participate in the auth protocol, with no way for the bank to find out.)
Anyway, long story short, broken. Really, really broken.
--Dan
Re:Actually Pretty Vulnerable (Score:2)
My thoughts exactly - I was hoping to see more details on how it is different in a better way from Kerberos, but there's nothing (well, except "patent pending" which is hardly an improvement)
(Anything with "magic envelope" and "this is a metaphor" really shouldn't be taken as a protocol specification.)
Indeed. Maybe it was taken from the patent application? (can't tell, as there's nothing on uspto.gov so far)
Re:Actually Pretty Vulnerable (Score:2)
Which do you think is more likely, that some security researchers at IU are not at least as smart as you are, or that the description you got from that website, written by a probably clueless reporter, is just plain inaccurate?
Jeremy
Re:Actually Pretty Vulnerable (Score:3, Interesting)
Now, you're right. I could have taken that metaphor seriously. I could have gone ahead and pointed out, gee, they're basically describing a protocol in which the server XOR's arbit
easier to prevent man in the middle for ssh? (Score:1)
I RTFA and I'm not impressed (Score:3, Insightful)
First of all, we already have protection in protocols such as SSH and SSL against man-in-the-middle attacks. Thus, the paper's whole reason for existence disappears.
Secondly, the security of this "masking" technique depends upon the randomness of the numbers chosen by the server (and, by implication, any man-in-the-middle). I could send a packet containing all zeroes and it would guarantee to sum to zero after applying any mask at all. How does the receiver judge whether the numbers passed are sufficiently random?
Re:I RTFA and I'm not impressed (Score:2)
Then if you had another masking packet, you can check all your first words against the second masking packet and eliminate 99% of the incorrect words.
Basically these mas
Emails from the dead (Score:2)
Shout it from the rooftops! (Score:2)
How often does it happen? (Score:3)
Has anyone here at slashdot actually been the victim of a hack as sophisticated as man-in-the-middle on an otherwise encrypted link? I'm curious.
-matthew
Re:How often does it happen? (Score:2)
Re:How often does it happen? (Score:2)
For example many phishers set up a web-site which will ask for your account-nr and pin. And then when you provide it, they store them and *also* forward you to the real banksite.
So, you'll really be logged in at your real bank. And quite likely you'll never notice that someone was sitting inbetween and storing a copy of your pin.
Re:How often does it happen? (Score:2)
-matthew
Obvious Flaw: Attacker can send constructed resps. (Score:1)
Alice seems pretty gullible.
ps. I developed a little encryption scheme to be used between a hardware firewall and client a little while back (the hardware firebox is called a 'WazerBox'). It has since been altered but this paper [wazer.net] describes the basics.
Host Authentication. (Score:2)
Of course, you could always use S/Key or OPIE and have what is essentially a one-time password system.
Geez, take a writing class! (Score:2)
He is about Anonymity, not just security (Score:2)
Re:Quick Question (Score:5, Funny)
Isn't it better if it were called Woman-in-the-middle? It would atleast not make us geeks seem so gay.
Well, feminist do-gooders, in an effort to de-genderify the term whilst keeping the acronym MITM beat you to it, by redefining MITM as "Meet-In-The-Middle".
It was a quite popular term in academia, until it was discovered that "Meat-In-The-Middle" in the context of a three-party situation sounds a lot more gay even.
Re:Quick Question (Score:2)
It was a quite popular term in academia, until it was discovered that "Meat-In-The-Middle" in the context of a three-party situation sounds a lot more gay even.
There's another rendering of MITM that gets thrown around occasionally: "Monkey in the Middle".
It doesn't sound gay.. but it does sound a bit, um, different.
Re:I have met the man in the middle. (Score:2, Interesting)
You take it in both ends then AC? I respect your i/o capabilities
Re:redundant and over-simplified (Score:1)