Is this authentication protocol secure against both eavesdropping and server database disclosure?

rationalbeing

8/4/23, 6:42 AM

Consider the following protocol from the book "Network Security: Private Communication in a Public World" by Kaufman et al.

Alice knows a password. Bob, a server that will authenticate Alice, stores a hash of Alice’s password. Alice types her password (say fiddlesticks) to her workstation. The following exchange takes place:

This protocol appears to be secure against both eavesdropping (exchanging hash values of random number and password-hash) and server database disclosure (stores only hash value of password). But, my professor says that password based authentication can only be resilient to either one of these but not both. Therefore, can someone point out why this protocol is not secure against both?

492

0 + 0

hash

authentication

passwords

password-hashing

Score:6

Crypto

poncho

8/4/23, 9:31 AM

Therefore, can someone point out why this protocol is not secure against both?

With this protocol, the 'password' is effectively the value 'hash("fiddlesticks")'. Hence, if you break into the server database (and learn hash("fiddlesticks")), it is straight-forward to create a modified workstation program that uses the value 'hash("fiddlesticks") to authenticate.

That said, I'm not certain that your professor is right when he said "password based authentication can only be resilient to either one of these but not both."; Opaque, for example, is secure against server database disclosure (database disclosure will allow the attacker to test guesses of the password, but that doesn't appear to be what your professor means), and is secure against eavesdropping (assuming that the DLog problem is hard).

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Is this authentication protocol secure against both eavesdropping and server database disclosure?

TH: โปรโตคอลการตรวจสอบสิทธิ์นี้มีความปลอดภัยจากการดักฟังและการเปิดเผยฐานข้อมูลเซิร์ฟเวอร์หรือไม่

RO: Este acest protocol de autentificare sigur atât împotriva interceptării cu urechea cât și a dezvăluirii bazei de date pe server?

RU: Защищен ли этот протокол аутентификации как от прослушивания, так и от раскрытия базы данных сервера?

VI: Giao thức xác thực này có an toàn chống nghe trộm và tiết lộ cơ sở dữ liệu máy chủ không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.