Embed Doc
Copy Link
Readcast
Collections

CommentGo Back

CRITICAL ANALYSIS ON LAMPORT’SAUTHENTICATION ALGORITHM

Ganesh Kumar MuthiahMiddlesex University, London, UK.GM489@mdx.ac.uk 30

June 2008

ABSTRACT:

Authentication is the main issue incommunication between the usersin internet. There are many waysto initiate a secure communicationand many algorithms to provideauthentication one such techniqueto authenticate user is by password, but there is also manyflaws and drawback inauthentication using password. Dr.Leslie Lamport gave a solution for some of the drawback in Michaelo. Rabin’s paper named“Digitalized signatures and publickeyfunctions as intractable asfactorization” [2], in his paper called “password authenticationwith insecure communication” [1]Dr.Lamport implied a techniquesuch as ‘one way hashing’[1]. Inthis paper I would like to criticizeand bring out the possible flawswith Lamport’s technique in password authentication and give possible solution to make it morereliable algorithm for makingsecure authentication.

Key words:

Authentication, hashing, eaves dropping, small ‘n’ attack,mutual SSL, salt, picture password, one way authentication

INTRODUCTION:

The major issue in onlinecommunication is passwordauthentication. When ever the user needs to sign in to a network or communicate with the end user heis need to be authenticated. Thereare many ways to authenticate theend side, one such way is been toldin Dr.Lamport’s paper, [1] heintroduced a new method to over come the problem of password filestealing and eavesdropping. Thetechnique he used to eliminate the password theft from the databaseand eaves dropping by one wayhashing function. Let us see howthis method works and will see anydrawbacks and improvements thatcould be made.

THEORY:

OVERVIEW OFLAMPORT’STECHNIQUES:

According to Dr.Lamport’s solution for avoidingthe password theft which is storedin the system is to store the password in encrypted format i.e.in general when a user need to startthe communication with endsystem he has to send a passwordor a value to the server then theserver checks the value in itsdatabase which is in plain text, if the value is equal then the server establish the service but the Dr.Lamport suggested, the server tosave the user’s password asencrypted value in the database,even if an intruder compromise thesystem or server he will not beable to get the plain text passwordstored in the system. But if theattacker is listening to the victim’s packet he can easily sniff the password and claims the server asan original user. To avoid this problem of eaves dropping theuser’s packet, he suggested another method by using sequence of password hashing or chain hashing[1].In this technique when theuser needs to communicate withthe end system he gives hisusername and password in the browser and the browser send thisdata to the server, now the server sends the username to the end user.End user will reply back with the‘n’ value, this ‘n’ value is been preagreed by the both user and thisvalue will be stored in the databaseof both users and server.

Now theinitiator will compute the hash n-1(password) and reply back to the server which answers the value of ‘n’. “The server calculates hash(hash n-1 (password)) = hash n(password). If this value matchesthe one on file, then the login is successful. The server replaceshash n (password) with hash n-1(password) and decrements ‘n’.”[3].

FLAWS &IMPROVEMENT ONLAMPORT’STECHNIQUES:

There are several flaws in thistechnique let us see the first flawnow. The value of ‘n’ should not be higher value if so it will bedifficult to re hash the function andalso the value should not be lesser,if its lesser they have to be resetvery often. To make this techniquesafer from dictionary attack we canadd a value called salt along withthe ‘n’. Salt is a unique number that is chosen by the user duringthe password installation on theserver, now even if the value of ‘n’=1 the user doesn’t need to resetthe password he/she just need tochange the salt value [3].The next flaw is there is nomutual authentication. The user

will think that he iscommunicating with the server butactually an intruder would have been in the middle of the channel.I.e. man in the middle attack [4].To avoid this attack we shouldhave a strong mutualauthentication between the users.This can be done by implementingmutual SSL [5]. Mutual SSL isdone by mutual authentication process which is similar to SSLwith more authentication and alsonon repudiation. We can alsoincrease the mutual authentication by digital signature or by gettingtheir key from key distributioncentre (KDC). [6]The other flaw is small ‘n’attack. Small ‘n’ attack is similar to man in the middle attack [4].When the user A sends the password and username to server,the server will send the usernameto the user B, now the user B willsend the ‘n’ to the server back, butin this attack the intruder willreceive the value ‘n’ and replacethe value with ‘m’ which is hisown value and forwards it to theuser A. User A will hash thefunction {hash(m-1)(password)}and sends back to theintruder and he will be able tocalculate the { hash m (password)}only if value of ‘m’ is lesser than‘n’[3]. This attack can be over come by the user by justremembering the value of the ‘n’and salt that the user have used before for authentication, but tomake it more secure from theattackers I suggest to implementIPSec based VPN or SSL basedVPN between the users to avoidsmall ’n’ attack or man in themiddle attack.

FUTURE DEVELOPMENT

If the password is going to betext or number it is easy to sniff and we need all these encryptiontechnique to safe guard the password, so what I suggest here isto use picture password where it isvery difficult to crack the password and it is very easy for theuser to remember the passwordthan the text.[8] The future cyber world will be avoiding usingtextual and numeric password. Byusing this picture password we canavoid dictionary attack and manymore. If this picture password is been implemented in internet or online communication then therewill not be much problem withauthentication and all theseauthentication protocols will goworthless.

CONCLUTION:

In this paper I criticallyreviewed about the Dr. Lamport’sauthentication method and I pin pointed the flaws in those methodand I gave the various solutionssuch as using mutual SSL, KDCfor mutual authentication and for

of 00

Lamport Hash Review

hashing,

2,243 Reads

Info and Rating

Category:	School Work
Rating:	(1 Rating)
Upload Date:	02/06/2009
Copyright:	Attribution Non-commercial
Tags:	Reports cryptography hashing lamport Reports cryptography hashing lamport (fewer)