CS387 Unit 5

CS387 Unit 5 is ...

Encrypted Key Exchange (EKE)

Bellovin & Merritt, 1992

EKE adds authentication to Diffie-Hellman key exchange, thus eliminating the Man-in-the-Middle attack.

EKE assumes we have a password P known to both sides - Client and Server.

Instead of sending (g^xA mod q) as in D-H, we encrypt this value with the password P and add the Client name:

< Alice, Ep(g^xA mod q) >

The server answers, instead of (g^xB mod q), with

Ep(g^xB mod q)

Quiz: Which of these are drawbacks of using EKE?

  • It is vulnerable to offline dictionary attacks
  • It requires servers to store password in cleartext
  • It is vulnerable to in-the-middle attacks

Answer: Only the second. Even if the attacker tries a dictionary attack, they have no means to recognize, when they use the correct password, that the resulting (g^xA mod q) is the correct message.

To add authentication to the protocol, the server sends a random challenge r, encrypted with the key k = g^xAxB mod q. The server message is:

< Ep(g^xB mod q), Ek(r) >

Alice decrypts the D-H message, (g^xB mod q), and calculates the key k = g^xAxB mod q.

Next she decrypts Ek(r) and so authenticates the Server.

Now, to authenticate herself to the server, she proves she decrypted r. She can't send Ek(r) back, because this is what she received, so she concatenates a nonce rA to r and sends back:

< Ek(r || rA) >
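
The three messages above, run end to end as an added Python example (not part of the original course notes). The modulus Q, base G, the toy ciphers ep and ek, and all function names are assumptions made for illustration and are not secure choices.

```python
import hashlib, secrets

Q = 2**127 - 1  # toy prime modulus (assumption; far too small for real use)
G = 3           # toy base (assumption)

def h_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def ep(password: str, m: int, decrypt: bool = False) -> int:
    """Toy E_P (assumed cipher): multiply by a password-derived mask in 1..Q-1."""
    mask = 1 + h_int(password.encode()) % (Q - 1)
    if decrypt:
        mask = pow(mask, Q - 2, Q)  # modular inverse, valid because Q is prime
    return (m * mask) % Q

def ek(k: int, data: bytes) -> bytes:
    """Toy E_k: XOR keystream bound to len(data), so Ek(r) is not a prefix of Ek(r || rA)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        seed = k.to_bytes(16, "big") + bytes([len(data), counter])
        stream += hashlib.sha256(seed).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))  # same call decrypts

def run_eke(client_pw: str, server_pw: str) -> dict:
    # Message 1, Alice -> Server: < Alice, Ep(g^xA mod q) >
    xa = secrets.randbelow(Q - 2) + 1
    msg1 = ("Alice", ep(client_pw, pow(G, xa, Q)))
    # Message 2, Server -> Alice: < Ep(g^xB mod q), Ek(r) >
    xb = secrets.randbelow(Q - 2) + 1
    k_server = pow(ep(server_pw, msg1[1], decrypt=True), xb, Q)
    r = secrets.token_bytes(16)
    msg2 = (ep(server_pw, pow(G, xb, Q)), ek(k_server, r))
    # Message 3, Alice -> Server: derive k, recover r, send < Ek(r || rA) >
    k_client = pow(ep(client_pw, msg2[0], decrypt=True), xa, Q)
    r_seen = ek(k_client, msg2[1])
    msg3 = ek(k_client, r_seen + secrets.token_bytes(16))
    # Server accepts only if the decrypted reply starts with its own r
    accepted = ek(k_server, msg3)[:16] == r
    return {"msg1": msg1, "keys_match": k_client == k_server, "accepted": accepted}

def dictionary_candidates(ciphertext: int, guesses: list) -> dict:
    # Every guess decrypts to a value in 1..Q-1, so range alone does not reveal the right one
    return {pw: ep(pw, ciphertext, decrypt=True) for pw in guesses}
```

Calling run_eke with two different passwords shows the server rejecting message 3, and dictionary_candidates applied to a captured message 1 illustrates the quiz answer: each guess yields a plausible value.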

SSH

TLS