ITU-T X 1151-2007 Guideline on secure password-based authentication protocol with key exchange (Study Group 17)《带密钥交换基于安全密码验证协议的导则 研究组17》.pdf

《ITU-T X 1151-2007 Guideline on secure password-based authentication protocol with key exchange (Study Group 17)《带密钥交换基于安全密码验证协议的导则 研究组17》.pdf》由会员分享，可在线阅读，更多相关《ITU-T X 1151-2007 Guideline on secure password-based authentication protocol with key exchange (Study Group 17)《带密钥交换基于安全密码验证协议的导则 研究组17》.pdf（20页珍藏版）》请在麦多课文档分享上搜索。

1、 International Telecommunication Union ITU-T X.1151TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (11/2007) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Telecommunication security Guideline on secure password-based authentication protocol with key exchange ITU-T Recommendation X

2、.1151 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS Services and facilities X.1X.19 Interfaces X.20X.49 Transmission, signalling and switching X.50X.89 Network aspects X.90X.149 Maintenance X.150X.179 Administrative arrangements X.180X.199

3、 OPEN SYSTEMS INTERCONNECTION Model and notation X.200X.209 Service definitions X.210X.219 Connection-mode protocol specifications X.220X.229 Connectionless-mode protocol specifications X.230X.239 PICS proformas X.240X.259 Protocol Identification X.260X.269 Security Protocols X.270X.279 Layer Manage

4、d Objects X.280X.289 Conformance testing X.290X.299 INTERWORKING BETWEEN NETWORKS General X.300X.349 Satellite data transmission systems X.350X.369 IP-based networks X.370X.379 MESSAGE HANDLING SYSTEMS X.400X.499DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS Networking X.600X.629 Efficiency

5、X.630X.639 Quality of service X.640X.649 Naming, Addressing and Registration X.650X.679 Abstract Syntax Notation One (ASN.1) X.680X.699 OSI MANAGEMENT Systems Management framework and architecture X.700X.709 Management Communication Service and Protocol X.710X.719 Structure of Management Information

6、 X.720X.729 Management functions and ODMA functions X.730X.799 SECURITY X.800X.849 OSI APPLICATIONS Commitment, Concurrency and Recovery X.850X.859 Transaction processing X.860X.879 Remote operations X.880X.889 Generic applications of ASN.1 X.890X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 TELECOMMU

7、NICATION SECURITY X.1000 For further details, please refer to the list of ITU-T Recommendations. ITU-T Rec. X.1151 (11/2007) i ITU-T Recommendation X.1151 Guideline on secure password-based authentication protocol with key exchange Summary A secure password-based authentication protocol with key exc

8、hange is a kind of authentication protocol with authenticated key exchange using a human-memorable password. It is very simple and easy to implement as well as easy to use; no need for other infrastructure, e.g., PKI. A secure password-based authentication protocol with key exchange (SPAK) becomes v

9、ery important, since a variety of usage cases in many applications will emerge in the near future. In addition, SPAK provides both user authentication and strong key exchange with weak password, i.e., the subsequent communication session can be protected by a shared secret during the authentication

10、procedure. ITU-T Recommendation X.1151 is intended to identify a set of requirements for password-based authentication protocols and define the guideline for selecting the most suitable password authentication protocol by presenting the criteria for choosing an optimum SPAK protocol for applications

11、. SPAK can also be used in a wide variety of applications wherein pre-shared secrets based on the weak password exist. Source ITU-T Recommendation X.1151 was approved on 13 November 2007 by ITU-T Study Group 17 (2005-2008) under the ITU-T Recommendation A.8 procedure. ii ITU-T Rec. X.1151 (11/2007)

12、FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for stud

13、ying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study grou

14、ps which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with I

15、SO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisio

16、ns (to ensure e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such

17、words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position

18、concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected

19、by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2008 All rights reserved. No part of thi

20、s publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. ITU-T Rec. X.1151 (11/2007) iii CONTENTS Page 1 Scope 1 2 References. 1 3 Terms and definitions . 1 4 Abbreviations and acronyms 3 5 Conventions 3 6 Secure password-based authentication protocol wi

21、th key exchange (SPAK) 3 6.1 Problems of plaintext password-based authentication . 4 6.2 Operational procedure of SPAK. 4 6.3 Basic characteristics of SPAK 4 7 Requirements for SPAK . 4 7.1 Framework requirement . 4 7.2 Protocol requirement 5 8 Criteria for choosing a suitable SPAK 6 Annex A SPAK fr

22、amework requirements 8 Appendix I Comparison of existing SPAKs in terms of performance and underlying PKC 9 Appendix II Comparison of existing SPAK protocols in terms of several requirements. 10 Bibliography. 11 ITU-T Rec. X.1151 (11/2007) 1 ITU-T Recommendation X.1151 Guideline on secure password-b

23、ased authentication protocol with key exchange 1 Scope This Recommendation is intended to identify a set of requirements for secure password-based authentication protocols with key exchange (SPAK) and define the guidelines for selecting a most suitable SPAK among various secure password authenticati

24、on protocols by presenting the criteria for choosing an optimum SPAK protocol for applications. SPAK can also be used in a wide variety of applications wherein pre-shared secrets based on the weak password exist. 2 References The following ITU-T Recommendations and other references contain provision

25、s which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility

26、 of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendatio

27、n. ITU-T X.805 ITU-T Recommendation X.805 (2003), Security architecture for systems providing end-to-end communications. ITU-T X.1035 ITU-T Recommendation X.1035 (2007), Password-authenticated key exchange (PAK) protocol. ITU-T X.1111 ITU-T Recommendation X.1111 (2007), Framework of security technol

28、ogies for home network. ITU-T X.1121 ITU-T Recommendation X.1121 (2004), Framework of security technologies for mobile end-to-end data communications. 3 Terms and definitions This Recommendation defines the following terms: 3.1 active attack: This attack involves the modification or injection of inf

29、ormation listening. 3.2 dictionary attack: This is an attack wherein an attacker collects a database of commonly used words and passwords that can be encrypted using all possible salts and compares its database of encrypted terms against the encrypted passwords found in a password file on the system

30、. If a match is found, the actual password is known, and access is gained. The dictionary attack can be grouped into two categories: online dictionary attack and offline dictionary attack. In the online dictionary attack, the attacker repeatedly attempts authentication with the server using guessed

31、passwords until he or she succeeds. The online dictionary attack can be detected or prevented by counting the number of access failures. On the other hand, the offline dictionary attack is normally performed by someone posing as a legitimate user to gather information or one eavesdropping on message

32、s between two parties during a successful protocol run. The attacker uses the captured packets to guess the password. 3.3 identity theft: Identity theft and identity fraud are the terms used to refer to all types of crime wherein a person wrongfully obtains and uses another persons personal data in

33、a fraudulent or deceptive manner and usually for economic gain. 2 ITU-T Rec. X.1151 (11/2007) 3.4 man-in-the-middle attack: This is an attack wherein an attacker intercepts the public or cryptographic keys being exchanged by two entities and substitutes his/her own public key to impersonate the reci

34、pient. This successful attack results in the compromise of the cryptosystem or SPAK. 3.5 mutual authentication: This means that a client is able to authenticate a server, which is also able to authenticate a client. In other words, one of two parties proves to the other that it knows the password. 3

35、.6 passive attack: This is an attack that involves listening, i.e., eavesdropping, without modification or injection of information. 3.7 perfect forward secrecy: In cryptography particularly in a key-establishment protocol, the condition wherein the compromise of a session key or a long-term private

36、 key after a given session does not cause the compromise of any of the earlier sessions. In the context of SPAK, this means that the disclosure of the password does not result in revealing the previously recoded encrypted conversation by deriving such session key. 3.8 pharming: Whereas phishing invo

37、lves redirecting the websites traffic to another forged website, pharming attacks by compromising the domain name system (DNS) server. Specifically, pharming modifies into another addresses the correct IP addresses that corresponds to a domain name in the DNS server; thus redirecting the user to a h

38、ackers forged website when he/she is asked to enter the companys Web address. 3.9 phishing: This refers to the act of sending an email to a user, falsely claiming to be an established legitimate enterprise in an attempt to con the user into surrendering private information that will be used for iden

39、tity theft. The email directs the user to a website where he/she is asked to update personal information such as passwords and credit card, social security, and bank account numbers, information that the legitimate organization already has. Note, however, that the website is bogus, set up only to st

40、eal the users information. 3.10 plaintext-equivalent SPAK: This is a type of SPAK wherein the server stores the plaintext of the users password or password-equivalent information. This SPAK is called symmetric SPAK. 3.11 secure password-based authentication protocol with key exchange: In this simple

41、 authentication protocol, using a memorable password between a client and the server results in mutual authentication and shared secret that can be used as session key for the next session. 3.12 server-compromised attack: This is an attack wherein an attacker obtains verifier information from the se

42、rver and launches a dictionary attack on the password file. 3.13 server-compromised dictionary attack: In the case of a server-compromised attack, the password may be obtained by performing a dictionary attack on the compromised verifier. If the server uses a tamper-free token such as smart card to

43、store additional information or other cryptographic methods to prevent a server-compromised attack, a password can still not be derived even if a dictionary attack is launched on the verifier. 3.14 verifier: The verifier is the information computed from the password. Whereas computing the verifier f

44、rom the password is easy, the reverse is infeasible in polynomial time. The verifier is used in the server to prove that a client knows the password. It is similar to a public key in public-key cryptography. On the other hand, the password looks like a private key but has limited entropy and relies

45、on the memory of the user. The verifier must be kept confidential by the server. 3.15 verifier-based SPAK: This is a type of SPAK wherein the server stores only the verifier of a password. The password is different from the verifier of a password. This SPAK is called asymmetric SPAK. ITU-T Rec. X.11

46、51 (11/2007) 3 4 Abbreviations and acronyms This Recommendation uses the following abbreviations: DH Diffie-Hellman DNS Domain Name System PIN Personal Identification Number PKC Public-Key Cryptography PKI Public-Key Infrastructure SPAK Secure Password-based Authentication protocol with Key exchange

47、 SSL Secure Socket Layer 5 Conventions None. 6 Secure password-based authentication protocol with key exchange (SPAK) The techniques for user authentication are based on one or more of the following categories: 1) What you know; 2) What you are; or 3) What you have. Passwords or personal identificat

48、ion number (PIN)s are examples of the first category. The biometric technique falls into the second category. Identification tokens such as smart cards fit in the third category. Two entities sharing a password and communicating over an insecure network want to authenticate each other and agree on a

49、 large session key to be used for protecting their subsequent communication. This is called a password-authenticated key exchange protocol. If one of the entities is a client, and the other, a server, then this can be regarded as a problem in the area of remote user access. A secure password-based authentication protocol with key exchange is defined as a simple authentication protocol wherein using memorizable password between a client and the server results in mutual authentication and shared secret that can be used as session keys