Score:1

Is this authentication protocol secure against both eavesdropping and server database disclosure?


Consider the following protocol from the book "Network Security: Private Communication in a Public World" by Kaufman et al.

Alice knows a password. Bob, a server that will authenticate Alice, stores a hash of Alice's password. Alice types her password (say fiddlesticks) to her workstation. The following exchange takes place: [image: protocol exchange diagram, not available in this copy]

This protocol appears to be secure against both eavesdropping (exchanging hash values of random number and password-hash) and server database disclosure (stores only hash value of password). But, my professor says that password based authentication can only be resilient to either one of these but not both. Therefore, can someone point out why this protocol is not secure against both?

Score:6

Therefore, can someone point out why this protocol is not secure against both?

With this protocol, the 'password' is effectively the value 'hash("fiddlesticks")'. Hence, if you break into the server database (and learn hash("fiddlesticks")), it is straightforward to create a modified workstation program that uses the value 'hash("fiddlesticks")' to authenticate.

That said, I'm not certain that your professor is right when he said "password based authentication can only be resilient to either one of these but not both"; OPAQUE, for example, is secure against server database disclosure (database disclosure will allow the attacker to test guesses of the password, but that doesn't appear to be what your professor means), and is secure against eavesdropping (assuming that the DLog problem is hard).
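The answer's point, that the stored hash is password-equivalent in a hash-based challenge-response scheme, can be checked with a small simulation. This is an added example, not code from the question, the answer, or the Kaufman et al. book. Because the protocol diagram is missing from this copy, the exchange is assumed to be: Bob sends a random challenge R, Alice replies with hash(R || hash(password)), and Bob verifies using the hash(password) he stores. The function names, the use of SHA-256 and the sample password are constructed for the example.

```python
import hashlib
import hmac
import secrets


def h(data: bytes) -> bytes:
    """Plain SHA-256; the book's protocol just says 'hash', so this is an assumption."""
    return hashlib.sha256(data).digest()


def enroll(password: str) -> bytes:
    """Server-side enrolment: Bob stores only hash(password), exactly as the question states."""
    return h(password.encode())


def server_challenge() -> bytes:
    """Bob picks a fresh random nonce R for each login attempt."""
    return secrets.token_bytes(16)


def client_response(password: str, challenge: bytes) -> bytes:
    """Honest workstation: recompute hash(password) from what Alice typed,
    then answer the challenge with hash(R || hash(password))."""
    return h(challenge + h(password.encode()))


def server_verify(stored_hash: bytes, challenge: bytes, response: bytes) -> bool:
    """Bob recomputes hash(R || stored_hash) and compares in constant time."""
    expected = h(challenge + stored_hash)
    return hmac.compare_digest(expected, response)


def response_from_stored_hash(stored_hash: bytes, challenge: bytes) -> bool:
    """Models the answer's observation: a client that holds the leaked database
    value never needs the password, because the protocol only ever consumes
    hash(password). This is why the scheme is eavesdropping-resistant but not
    resistant to server database disclosure."""
    return h(challenge + stored_hash)


def demo() -> tuple:
    """Run the four cases a reviewer would want to see and return the outcomes:
    (honest login, wrong password, replay of an old transcript, login from leaked hash)."""
    stored = enroll("fiddlesticks")          # constructed sample password from the question

    # 1. Honest Alice with the right password succeeds.
    r1 = server_challenge()
    honest_ok = server_verify(stored, r1, client_response("fiddlesticks", r1))

    # 2. A wrong password fails.
    wrong_pw_ok = server_verify(stored, r1, client_response("fiddlestick", r1))

    # 3. Eavesdropping resistance: a captured (R1, response) pair is useless against a
    #    fresh challenge R2, since the response is bound to R1.
    r2 = server_challenge()
    replay_ok = server_verify(stored, r2, client_response("fiddlesticks", r1))

    # 4. Database disclosure: the stored hash alone produces a valid response to R2.
    leaked_ok = server_verify(stored, r2, response_from_stored_hash(stored, r2))

    return honest_ok, wrong_pw_ok, replay_ok, leaked_ok


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False, True)
```

Running it gives (True, False, False, True): the random challenge defeats replay, but anyone holding Bob's database entry authenticates as Alice, which is the trade-off the answer describes. Mitigating the fourth case requires a design where the stored verifier is not itself usable as a client credential, which is the property augmented PAKEs such as OPAQUE (mentioned above) are built to provide.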
