Systems, methods and software for remote password authentication ...

US 20020067832A1

(19) United States
(12) Patent Application Publication
(10) Pub. No.: US 2002/0067832 A1
(43) Pub. Date: Jun. 6, 2002

Jablon

(54) SYSTEMS, METHODS AND SOFTWARE FOR REMOTE PASSWORD AUTHENTICATION USING MULTIPLE SERVERS

(76) Inventor: David P. Jablon, Westboro, MA (US)

Correspondence Address: IRELL & MANELLA LLP, 840 NEWPORT CENTER DRIVE, SUITE 400, NEWPORT BEACH, CA 92660 (US)

(21) Appl. No.: 09/872,659

(22) Filed: May 31, 2001

Related U.S. Application Data

(63) Non-provisional of provisional application No. 60/209,258, filed on Jun. 5, 2000. Non-provisional of provisional application No. 60/215,835, filed on Jul. 3, 2000.

Publication Classification

(51) Int. Cl.7: H04L 9/32; H04L 12/22
(52) U.S. Cl.: 380/277; 713/202; 713/182

(57) ABSTRACT

Systems, methods and software employ zero-knowledge password (ZKP) protocols to provide strong authentication using low-grade passwords that people can easily memorize. We describe protocols that enable multiple servers to verify a password, without providing any single server, client, or network attacker with the ability to validate guesses for the password off-line. Further improvements include removing dependency on a prior secure channel and client-stored keys or certificates, increasing performance without introducing new cryptographic assumptions, and better management of mistakes in password entry. To enroll, a user chooses a password and constructs a master key K composed of multiple shares. The master key may be used for a variety of purposes, such as encrypting the user's private keys and other sensitive data. A set of random values {y1, y2, . . . yN} is selected, and each share is computed as Ki=P^yi in a suitable finite group. Each yi value is distributed to the ith one of N servers. To authenticate, the client chooses a random secret X, and with each server, sends P^X, retrieves mi=(P^X)^yi, and computes Ki=mi^(1/X). The client reconstructs K, performs a validation test on K, and uses K to decrypt a private digital signature key U. When the validation test succeeds, the client signs a message with U that contains P^X and optionally other values sent by the client based on incorrect passwords mistakenly entered by the same user in attempting to authenticate. Each server verifies the signed message to authenticate the user, and to forgive the user for some reasonable number of mistakes. With knowledge of valid messages, mistakes and all, the server fine-tunes the accounting of bad access attempts. No single server knows K, P, or any of the Ki shares, and no server receives sufficient information to mount a dictionary attack on K or P. Password security is maintained in a very simple model, requiring no previously secured or server-authenticated channel between the client and any servers. This model further prevents risks inherent in systems where people must authenticate servers, but don't. Data protected by a small password, and no other keys, remains secret even against an enemy that compromises any, but not all, of two or more cooperating authentication servers.

[FIG. 1 (Sheet 1 of 4): block diagram of the exemplary system 100: CLIENT (ALICE) 101, network 102, SERVER (B1) 103, SERVER (B2) 104.]

[FIG. 2: flow diagram of client operations 200: ENTER PASSWORD 201; DERIVE GROUP ELEMENT (P) FROM PASSWORD 202; SEND BLINDED PASSWORD VALUE (P^X) TO SERVERS 203; RETRIEVE BLINDED KEY SHARES (P^(Xy)) FROM SERVERS 204; UNBLIND AND COMBINE SHARES TO CREATE MASTER KEY KM 205; DECRYPT ENCRYPTED PRIVATE DATA USING MASTER KEY KM; IS MASTER KEY KM VALID? 208; SEND PROOF OF KM AND EACH P^X VALUE TO SERVERS 207; USE DECRYPTED PRIVATE DATA 209.]

[Sheet 4 of 4: figure text not recoverable from the extraction.]
[. . .]cation that is secure even with total active compromise of [. . .] require stored keys or certificates on a client machine. It is also an objective of the present invention to use multiple servers for fault-tolerance. It is also an objective of the [. . .]

[0083] At key retrieval time, in order for Alice to reconstitute her master key and retrieve her private key, Alice sends a randomly blinded form of the password Q to each server. Each server in turn responds with a blinded reply Ri consisting of the blinded password raised to the power of the secret exponent value (Ri:=Q^yi), which represents a blinded share of the user's master key. At least one of the servers also sends Alice her encrypted private signature key UK and proofPKm.

Client: {request, Q} -> Bi; Server Bi: {reply, Q^yi, UK, proofPKm} -> Client

[0084] Interestingly, the channel through which Alice retrieves UK and proofPKm does not have to guarantee the integrity of these values. This is discussed further in Section 4.4.

[0085] Alice unblinds each reply to obtain each key share and combines the shares to rebuild her master key Km. She then verifies that the master key is correct using the proof value proofPKm and her password P. If the proof is incorrect, this implies that at least one of the key shares is incorrect, and she must abort the protocol without revealing any further information about Km or P to the network. Otherwise, a key derived from Km is used to decrypt her encrypted private key (and any other data), and then she completes the protocol by proving her identity to each server. For each blinded password Q recently sent to each server, she sends a signed copy of the blinded password.

[0086] Each server matches the signed Q^X values from Alice against its list of recently received blinded passwords, and removes any matching entries that are accompanied by valid signatures. The remaining entries, if not confirmed within a reasonable amount of time, are considered to be suspected illegal access attempts, which are labeled bad. Counting bad access attempts may be used to limit or delay further blinded share replies for the user's account if the counts rise above certain thresholds.

[0087] Alice must verify her master key. As mentioned above, Alice can perform the authentication over insecure channels. She retrieves (typically from a credentials server) her verifier proofPKm, and then confirms the validity of the reconstructed master key by comparing a keyed hash of her password with it to proofPKm. If the values don't match, Alice aborts the protocol.

[0088] Another enhancement of our method relates to how Alice proves knowledge of the master key to each server, and how each server reconciles this information with its own record of access attempts.

[0089] Each server detects illegal access attempts by looking for a message from Alice that contains a proof of her knowledge of the master key, and by implication, proof that she knows her password. If a valid proof is not associated with the blinded password value, the server must trigger a bad access event for Alice's account. The present method is different from prior art in the construction of Alice's proof and how each server uses the proof to forgive Alice's mistakes in password entry.

[0090] When not using a secure channel, simply sending proof to Bi could expose the method to a replay attack. To prevent this, the proof incorporates the blinded request value that is sent by Alice. Furthermore, it is recognized that Alice occasionally mis-types her password, and she is not penalized by incrementing her illegal access count, which might cause premature account lockout. It is desired that each server forgive her mistakes, when she can subsequently prove to the server that she ultimately was able to enter the correct password.

[0091] Using the forgiveness protocol, a user's honest mistakes are forgiven. Alice sends evidence of her recent prior invalid access attempts in a request for forgiveness after each successful authentication. Upon receiving and validating this evidence, each server erases the mistake from the record, or records the event as a corrected forgivable mistake. By fine-tuning a server's event log in this manner, a system administrator gets a more detailed view of when the system is truly at risk, as opposed to when valid users are merely being frustrated.

[0092] A forgiving system seems to require at least one signature generation step on the client and one signature verification step for each of the servers. To minimize computation (which may be important when a public-key signature method is used, due to the computational cost), the signature steps provide the combined functions of authenticating the user, and proving that the request came from that user. In constructing a valid authentication message for a user, the client includes the set of all recent challenge messages issued by that user, digitally signs the result with the appropriate user's key, and sends it to all servers. Each server verifies the signature to authenticate the user, and at the same time validates evidence of her recent forgivable mistakes. (These signatures may be created using a client's private key in a public-key digital signature system and verified using the client's public key, or alternately, using a keyed-MAC keyed by distinct symmetric keys that are bilaterally shared between the client and each server.) Each server, upon receiving Alice's confirm message, attempts to reconcile the proof of her access attempts against his recorded list of recent attempts. He does this by verifying Alice's signature on each Q value. Upon successful verification, he knows that the Q value was indeed sent by someone who ultimately knew the password, regardless of whether that request message was specifically used to recreate her master key.

[0093] In a preferred embodiment of the present invention, vulnerability of the password verifier is spread among the servers so that no one server is able to crack the verifier. It provides for a system that scales to N servers, where no attack on any number of up to N-1 servers reveals a user's password, or any password-protected data. It provides strong assurance even in the face of total active compromise of up to all but one of the authentication servers, and in the face of prior insecure communication channels. It is to be understood that the password is the only factor in implementing the system.

[0094] It is to be understood that the password is the only authentication factor required in implementing the present invention. Password-only authentication is a dominant method in use today. In the present invention, the password factor is made as strong as possible, and is not dependent on other factors.

[0095] It is also to be understood that other additional keys or certificates may be used. It is envisioned that the present invention may be used in multi-factor systems. Clearly in non-roaming applications, where there is the ability to store local keys, one may do so to provide additional layers of strength. For example, the use of a secure socket layer (SSL) channel is not required for the security of passwords in the present system, but the additional use of SSL can provide other benefits, such as an increased level of privacy for a user's name when performing these transactions. By removing the dependency on such other factors for password security, the strength of the overall system is greatly increased. In particular, the present system stops an entire class of web-server spoofing attacks that are possible against a simplistic password-through-SSL system of web-browser authentication that is in widespread use today.
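The bad-attempt accounting and forgiveness protocol of [0086] and [0090]-[0092] can be carried through in code. The Python below is an added example written for this page; it is not code from the patent or from its inventor. It uses the page's keyed-MAC alternative (HMAC-SHA256 under a key shared between Alice and one server) in place of a public-key signature, and the class and function names, the confirmation timeout, the lockout threshold, the shared key and the small integers standing in for blinded P^X values are all constructed for the example.

```python
# Added example for this page (not the patent's code): one server's accounting of
# bad access attempts with the forgiveness protocol of [0086] and [0090]-[0092].
# Assumptions: the page's keyed-MAC alternative (HMAC-SHA256 under a key shared
# between Alice and this server) instead of a public-key signature; timeout,
# lockout threshold and the blinded values below are constructed stand-ins.
import hashlib
import hmac


def confirm_tag(mac_key: bytes, Qs) -> bytes:
    """Alice's proof: a MAC over the set of her recent blinded requests, i.e. the
    successful one plus any mistaken ones kept in short-term memory ([0114]).
    Binding the tag to the Q values is what defeats replay ([0090])."""
    msg = b"".join(Q.to_bytes(32, "big") for Q in sorted(Qs))
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


class ForgivingServer:
    """Server Bi's view of one user account."""

    def __init__(self, mac_key: bytes, confirm_timeout: float = 30.0, lockout_threshold: int = 5):
        self.mac_key = mac_key
        self.timeout = confirm_timeout
        self.threshold = lockout_threshold
        self.pending = {}      # blinded request value Q -> time it was received
        self.bad = 0           # unconfirmed attempts, labeled bad after the timeout
        self.forgiven = 0      # attempts later proven to be the legitimate user's typos

    def sweep(self, now: float) -> None:
        """Requests not confirmed within a reasonable time become bad attempts ([0086])."""
        for Q, received in list(self.pending.items()):
            if now - received > self.timeout:
                del self.pending[Q]
                self.bad += 1

    def on_request(self, Q: int, now: float) -> bool:
        """Record a blinded-password request; once the bad count reaches the threshold,
        refuse to send further blinded share replies for this account ([0086])."""
        self.sweep(now)
        if self.bad >= self.threshold:
            return False
        self.pending[Q] = now
        return True

    def on_confirm(self, Qs, tag: bytes, now: float) -> int:
        """Verify the MAC, then remove every pending entry the message covers ([0092]).
        Returns the number of entries cleared; an invalid tag changes nothing."""
        if not hmac.compare_digest(tag, confirm_tag(self.mac_key, Qs)):
            return 0
        cleared = 0
        for Q in Qs:
            if Q in self.pending:          # a matching entry with a valid signature
                del self.pending[Q]
                cleared += 1
        self.forgiven += max(cleared - 1, 0)   # one run succeeded; the rest were mistakes
        self.sweep(now)
        return cleared


# Constructed scenario: Alice mistypes twice, succeeds on the third try, then a
# request from someone who never confirms ages into a bad attempt.
KEY = hashlib.sha256(b"constructed key shared by Alice and B1").digest()


def scenario_forgiveness():
    server = ForgivingServer(KEY)
    typo1, typo2, good, stranger = 0x11, 0x22, 0x33, 0x44   # stand-ins for P^X values
    for Q in (typo1, typo2, good):
        server.on_request(Q, now=0.0)
    cleared = server.on_confirm([typo1, typo2, good], confirm_tag(KEY, [typo1, typo2, good]), now=1.0)
    server.on_request(stranger, now=2.0)
    server.sweep(now=100.0)
    return cleared, server.bad, server.forgiven, len(server.pending)


def scenario_replay():
    """A captured confirm message is useless later: its MAC covers only old Q values."""
    server = ForgivingServer(KEY)
    server.on_request(0x11, now=0.0)
    old_tag = confirm_tag(KEY, [0x11])
    server.on_confirm([0x11], old_tag, now=1.0)
    server.on_request(0x55, now=2.0)                         # a fresh run, fresh P^X
    replayed = server.on_confirm([0x11], old_tag, now=3.0)   # valid MAC, nothing pending
    forged = server.on_confirm([0x55], old_tag, now=3.0)     # MAC does not cover 0x55
    return replayed, forged, 0x55 in server.pending


if __name__ == "__main__":
    print(scenario_forgiveness())   # (3, 1, 2, 0)
    print(scenario_replay())        # (0, 0, True)
```

The two scenario functions show the two properties the text relies on: a valid confirm message clears exactly the entries it names, so the administrator's log distinguishes a frustrated user (forgiven count) from an unconfirmed attempt (bad count), and a confirm message captured from the network cannot be replayed to clear a later request because the MAC is bound to the specific blinded values.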

BRIEF DESCRIPTION OF THE DRAWINGS

[0096] The various features and advantages of the present invention may be more readily understood with reference to the following detailed description taken in conjunction with the accompanying drawing figures, wherein like reference numerals designate like structural elements, and in which:

[0097] FIG. 1 is a block diagram illustrating client and server components of an exemplary system in accordance with the principles of the present invention;

[0098] FIG. 2 is a flow diagram illustrating an exemplary method of client operations in accordance with the principles of the present invention;

[0099] FIG. 3 is a flow diagram illustrating an exemplary method of server operations in accordance with the principles of the present invention;

[0100] FIG. 4 is a flow diagram illustrating an exemplary method in accordance with the principles of the present invention showing operation of a client with two servers; and

[0101] FIG. 5 is a flow diagram illustrating an exemplary method in accordance with the principles of the present invention showing operation of a client communicating with only one of two servers.

DETAILED DESCRIPTION

[0102] Referring to the drawing figures, FIG. 1 is a block diagram illustrating an exemplary multiple-server system 100 in accordance with the principles of the present invention. The exemplary system 100 is shown as comprising a client 101 or client computer 101 (Alice) and a plurality of authentication servers 103,104, in this instance two servers B1 103 and B2 104 coupled together by way of a network 102.

[0103] The present systems 100 and methods employ the Modified SPEKE method for a client 101 to retrieve shares of a master key from two or more servers 103,104. (The number n is used to designate the number of servers 103,104 used in a specific embodiment.) The model used in implementing the present invention permits authentication messages to be sent over an unprotected channel or network 102, and no secure channel (e.g. SSL) is required. To prevent the possibility that an enemy in control of the channel can trick Alice into using an improper master key, Alice confirms that the master key is correct before using it to create any data that might be revealed to the enemy. Furthermore, the authentication step uses a signed message to authenticate valid logins, as well as prior legitimate-but-mistaken logins, to accommodate the forgiveness protocol. Distinctive functions are provided to create the password-derived base element for the exponential exchange, and we describe forms that permit more flexible configurations of clients 101 and servers 103,104. Alternative methods are provided in a weaker security model that may be valuable for specialized situations.

[0104] In the preferred embodiments, Alice's potentially small password and all her password-protected data remain secure even with total active compromise of up to n-1 servers 103,104. Encryption of Alice's sensitive data under a key derived from Km ensures that her data will be available only to parties that use the correct password with this authentication process.

[0105] At time of enrollment, Alice selects a password and a series of shares {y1, y2, . . . yn} that are used to create master key Km. In this example, the master key derivation function is Km=hash(K1 || K2 || . . . || Kn), with each share computed as Ki=P^yi, although other alternative key derivation functions are described below. Alice precomputes Km, and stores with each Bi the corresponding key share yi and verification data for Km. Verification data is generally a digitally signed message, using either a public-key digital signature or alternately a symmetric keyed-MAC function.

[0106] Each server Bi provides Alice with a share Ki using the Modified SPEKE protocol, based on his knowledge of yi. Each run of the protocol retrieves one of her blinded key shares, which in this example is the value mi=P^(X yi). Alice combines and hashes these shares to derive the master key, in this example using:

[0108] Due to the random yi values, these key shares are independent.

[0109] Referring to FIG. 2, Alice retrieves the master key from the servers 103,104 at a later time. The client 101 prompts the user to enter a password 201, and derives a group element from the password 202, in accordance with the Modified SPEKE method. (An example of such a function is P=hash(password)^2 mod p, when using the large prime order subgroup of Zp* with (p-1)/2 prime.) Using the Modified SPEKE method, Alice sends the blinded password value P^X to each server Bi 203. Each server Bi raises the blinded password value to the appropriate power as in mi=(P^X)^yi, and returns the result to Alice. Alice retrieves the corresponding blinded value of each key share mi 204, and unblinds each result and combines them to create her master key 205, in this example with the function Km=hash(m1^(1/X) || m2^(1/X) || . . . || mn^(1/X)).

[0110] The general method for Alice to retrieve a key share Ki from any server, which is generally labeled Bi, is shown here:

[0111] The secret value y1 that B1 knows is completely independent from the value y2 that B2 knows, and so on. Thus, no one server has sufficient information to mount a dictionary attack on either Km or P. With this protocol, each Bi prestores yi, and also stores verification data V that is a one-way function of the master key Km.

[0112] Alice can use Km to decrypt personal private data 208 that has been stored in an encrypted container using a key derived from Km. This container might be stored on any of the servers 103,104, or anywhere else that is convenient, and can be retrieved over insecure channels. However, before Alice reveals any data derived from her knowledge of Km to any other party, she must first determine that Km is valid 208. Specific validation techniques are discussed below.

[0113] If Km is not valid, then depending on local password retry policy, the user may be asked to try again with re-entering the password 201. If a retry is performed, the client 101 saves the P^X value used in the failed exchange in secure short-term memory.

[0114] If Km is valid, then Alice constructs a proof of knowledge of Km, of P^X, and of a list of any recent prior P^X values generated by the same user that were stored in short-term memory, and sends 207 this proof to each of the servers 103,104. Alice can also now freely use data derived from Km, such as signing public documents with a private key that was stored in the encrypted container 209.

[0115] Alice can prove knowledge of Km to any Bi using any appropriate zero-knowledge protocol, which does not have to be a zero-knowledge password protocol because Km has large entropy. Each server Bi has verification data information V that corresponds to Km and that allows him to verify Alice's zero knowledge proof of Km.

[0116] For example, in one embodiment, Km is used by Alice to retrieve the user's private key U for a public key digital signature scheme, where V is the user's public signing key that corresponds to U. Alice can prove knowledge of Km to Bi in many ways, such as signing a message using the private key, where Bi verifies the signature and which proves Alice's knowledge of Km.

[0117] The derivation of U from Km can also be done in many ways. In one embodiment, the values of U and V can be derived directly from Km using no other data.

[0118] In a preferred embodiment of the present invention, the value of U is kept sealed in a container encrypted with a symmetric key derived from Km. In this case, Alice uses Km to derive the symmetric encryption key and then unseals her private key U.

[0119] Alice then signs a message that is known by Bi, that proves her knowledge of Km, and she sends the signed message to Bi. In one embodiment of the present invention, the message is a value RBi sent from Bob to Alice.

[0121] A third approach is where V=g^Km, essentially a Diffie-Hellman public key for Km. In this case Alice might authenticate as follows:

[0122] Alice may then send BKm(QA) to prove herself.

[0123] In any case, when Alice proves knowledge of Km, she is also proving knowledge of the password P.

[0124] There is good reason for not wanting server Bi to know a single share Ki, since combined knowledge of Ki and yi gives that server the ability to crack P. In the single server case, it seems inevitable that the server must store some data that can be used to crack the password. But in the ideal multi-server case, it is not desirable for the server to know either P, Km, or Ki, or anything else that can lead to cracking P.

[0125] In summary, each Bi does not know P or K. Bi uses yi to run Modified SPEKE and authenticate Alice's knowledge of Km. Each Bi only knows yi and V, verification data for Km, which also serves as verification data for Ki, or more broadly as verification data for Alice's knowledge of P.

[0126] Enrollment

[0127] At enrollment time, Alice chooses her password, and a public/private key pair {V,U} suitable for performing public key digital signatures.

[0128] Alice performs the following steps offline:

    Construct a group element P based on the password, as in:
        P = hash(password)^2 mod p
    For i = 1 to n servers 103,104 {
        Choose yi as an independent large random number
        Compute Ki := P^yi mod p
    }
    Compose K from all the Ki shares, as in for example
        K... = hash
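The enrollment steps of [0128] together with the retrieval and validation of FIG. 2 and [0109]-[0112], carried through in working code. The Python below is an added example written for this page, not the patent's or the inventor's code. It assumes SHA-256 as hash(), HMAC-SHA256 keyed by Km over the password as the keyed-hash verifier proofPKm of [0087], byte concatenation as the separator in Km=hash(K1 || . . . || Kn), and a toy-sized safe prime p = 2q+1 found by a deterministic search at import time (far too small for real use; a deployment would fix a large p in advance). All function and variable names are the example's own.

```python
# Added example for this page (not the patent's code): Modified SPEKE retrieval of
# master-key shares from n servers, with the client-side validation test.
# Assumptions (not fixed by the page): SHA-256 as hash(), HMAC-SHA256(Km, password)
# as proofPKm, "||" = byte concatenation, and a toy-sized safe prime p = 2q+1.
import hashlib
import hmac
import secrets


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 prime bases (deterministic below 3.3e24)."""
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int):
    """Smallest q >= 2**(bits-1) with q and p = 2q+1 both prime (deterministic search).
    Toy size: a real deployment uses a p of 1024 bits or more."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P_MOD, Q_ORDER = safe_prime(48)   # the squares mod p form the subgroup of prime order q


def password_element(password: str) -> int:
    """P = hash(password)^2 mod p, the password-derived base element of [0109]."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    P = pow(h, 2, P_MOD)
    if P in (0, 1):                     # not a generator of the order-q subgroup
        raise ValueError("degenerate password element")
    return P


def master_key(shares) -> bytes:
    """Km = hash(K1 || K2 || ... || Kn), [0105]."""
    width = (P_MOD.bit_length() + 7) // 8
    return hashlib.sha256(b"".join(k.to_bytes(width, "big") for k in shares)).digest()


def proof_pkm(Km: bytes, password: str) -> bytes:
    """Keyed hash of the password under Km: the verifier compared in [0087]."""
    return hmac.new(Km, password.encode(), hashlib.sha256).digest()


def enroll(password: str, n: int):
    """Alice's offline enrollment, [0128]. Each server Bi receives only its
    exponent yi and proofPKm; it never sees P, Ki or Km ([0111], [0125])."""
    P = password_element(password)
    ys = [secrets.randbelow(Q_ORDER - 1) + 1 for _ in range(n)]
    Km = master_key([pow(P, y, P_MOD) for y in ys])
    proof = proof_pkm(Km, password)
    return Km, [{"y": y, "proofPKm": proof} for y in ys]


def server_reply(server: dict, Q: int) -> int:
    """Bi's only computation: mi = Q^yi = (P^X)^yi, [0109]."""
    return pow(Q, server["y"], P_MOD)


def retrieve(password: str, servers):
    """Client side of FIG. 2: blind (203), query (204), unblind and combine (205),
    then the validation test of [0087]/[0112]. Returns Km, or None when the test
    fails, in which case the client aborts without using or revealing anything."""
    P = password_element(password)
    X = secrets.randbelow(Q_ORDER - 1) + 1
    X_inv = pow(X, -1, Q_ORDER)           # 1/X as an exponent, mod the subgroup order q
    Q = pow(P, X, P_MOD)                  # blinded password P^X, sent to every server
    shares = [pow(server_reply(s, Q), X_inv, P_MOD) for s in servers]   # Ki = mi^(1/X)
    Km = master_key(shares)
    if not hmac.compare_digest(proof_pkm(Km, password), servers[0]["proofPKm"]):
        return None
    return Km


if __name__ == "__main__":
    Km, servers = enroll("correct horse battery", 3)
    print("retrieved == enrolled:", retrieve("correct horse battery", servers) == Km)
    print("wrong password:", retrieve("wrong horse", servers))
```

Two details matter for a correct implementation. The unblinding exponent is the inverse of X modulo q, the order of the subgroup P lives in, not modulo p-1; and the validation test must be applied before Km is used for anything, since a server (or someone on the channel) returning a wrong share produces a Km that is simply different, and only the comparison against proofPKm tells the client so. A wrong password or a tampered share both yield None here, and the client learns nothing about which.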