An Offline Dictionary Attack against zkPAKE Protocol

Password Authenticated Key Exchange (PAKE) allows a user to establish a secure cryptographic key with a server, using only knowledge of a pre-shared password. One of the basic security requirements of PAKE is to prevent offline dictionary attacks. In this paper, we revisit zkPAKE, an augmented PAKE that was recently proposed by Mochetti, Resende, and Aranha (SBSeg 2015). Our work shows that the zkPAKE protocol is prone to an offline password-guessing attack, even against an adversary that has only eavesdropping capabilities. Therefore, zkPAKE is insecure and should not be used as a password-authenticated key exchange mechanism.


INTRODUCTION
Password Authenticated Key Exchange (PAKE) is a primitive that allows two or more users who start only from a low-entropy shared secret, which is a typical user authentication setting today, to agree on a cryptographically strong session key. Since the introduction of PAKE in 1992, a plethora of protocols trying to achieve secure PAKE has been proposed. However, due to patent issues, only recently have PAKEs begun to be considered for wide-scale use: SRP [9] has been used in the password manager 1Password [1], J-PAKE of Hao and Ryan [5] was used in Firefox Sync [3], while the Elliptic Curve (EC) version of the same protocol (EC-J-PAKE [2]) has been used to enable authentication and authorization for network access for Internet-of-Things (IoT) devices under the Thread network protocol [4].

WiSec '18, Stockholm, Sweden. © 2018 Copyright held by the owner/author(s). Publication rights licensed to ACM. ISBN 978-1-4503-5731-9/18/06. DOI: 10.1145/3212480.3226110
From a deployment perspective, the most significant advantage of using PAKE compared to a typical key exchange protocol is that it avoids dependence on a functional Public Key Infrastructure (PKI). On the downside, the use of a low-entropy secret as the primary means of authentication comes at a price: PAKEs are inherently vulnerable to online dictionary attacks. To mount this attack, all an adversary needs to do is repeatedly send candidate passwords to the verifying server to test for their validity. In practice, this type of attack can be relatively easily avoided in a two-party setting by limiting the number of guesses (i.e., wrong login attempts) that can be made in a given time frame.
At the same time, a well-designed PAKE must be resistant against offline dictionary attacks. In such an attack scenario, the adversary typically operates in two phases: in the first (usually online) phase, the adversary, either by eavesdropping or by impersonating a user, tries to collect a function of the targeted password that will serve him as the password verifier. Later, in the second (offline) phase, the adversary correlates the verifier collected in the first step with offline password guesses to determine the correct password.

Our contribution
Recently, Mochetti, Resende and Aranha [6] proposed a simple augmented PAKE called zkPAKE, which they claim is suitable for banking applications, requiring the server to store only the image of a password under a one-way function.
Their main idea was to use a zero-knowledge proof of knowledge (of the password) to design an efficient PAKE. However, here we present an offline dictionary attack against the zkPAKE protocol. In addition, we show that the same attack works on a slight variant of zkPAKE that was proposed later in [7]. Our dictionary attack can be carried out in two ways: passively, by eavesdropping on the zkPAKE protocol execution, or actively, by impersonating the server and having the client attempt to log in.

Previous works
Since in this paper we exclusively deal with an offline dictionary attack on zkPAKE, we keep the discussion here short and refer readers to Pointcheval's survey [8] for a more detailed overview of the PAKE research field. zkPAKE, as described in [6] and [7], is a two-party augmented PAKE protocol meant to provide authenticated key exchange between a server S and a client C.

Protocol description
Once the enrollment phase is executed and the public parameters are established, the zkPAKE protocol runs in three communication rounds as follows: (1) First, the server S chooses a random value $n$ from $\mathbb{Z}_q$, computes N = n, which is supposed to act both as a nonce and as a Diffie-Hellman value, and sends it to the client C.

OFFLINE DICTIONARY ATTACK ON ZKPAKE
Let the enrollment phase be established and let an attacker A be allowed only to eavesdrop on the communication between two honest parties. The attack on the version of the zkPAKE protocol presented in Section 2 proceeds as follows:
Step 1. The execution of the protocol starts and S sends his first message, $N$. The attacker A sees the message and stores it in his memory.
Step 2. C does all the computations demanded by the protocol and sends $u$ and $H_1(c)$ in the second transmission to S. A observes the second message and obtains $u$ and $H_1(c)$.
Step 3. The adversary, who now holds $N$, $u$ and $H_1(c)$ from the first two message rounds, may go offline to perform a dictionary attack. His goal is to compute a candidate $c_i$ and then use the stored $H_1(c)$ as a verifier. The adversary computes $c_i$ by hashing H 1 ( , r i , t i , N ). Two intermediate inputs to the hash function are obtained by first choosing a candidate password $\pi_i$ and then computing the corresponding $r_i$ and $t_i$. Note that the adversary can easily compute t i = N i , since i := u + H 1 (c)r i . Finally, the adversary checks whether his guess $H_1(c_i)$ echoes $H_1(c)$.
Step 4. The adversary repeats Step 3 until he guesses the correct password.
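The following Python simulation is an added example, not code from the paper or from the zkPAKE authors. It exists to make concrete why the recorded values $(N, u, H_1(c))$ act as a password verifier: every input the client feeds into $H_1$ is either public or fixed by the low-entropy value $r$. Because the extracted text above lost several symbols, the simulation fills them with labelled assumptions: the server's first message is $N = g^n$, the client commits to $t = N^v$ with a random $v$, the response is $u = v - H_1(c)\,r \bmod q$, and the first (lost) input of $H_1(\cdot, r, t, N)$ is taken to be a server identity string (any public value plays the same role, since the adversary recomputes it in Step 3 anyway). The group is a toy 11-bit safe-prime group chosen only so the arithmetic is readable; the hash-to-scalar and encoding details are this example's own choices.

```python
"""Simulation of the passive zkPAKE dictionary attack (Steps 1-4 above).

Added educational example; not the paper's code and not the zkPAKE authors' code.
Assumptions (the extracted paper lost these symbols):
  * server sends N = g^n for random n in Z_q;
  * client derives r = H_0(pi) from the password, picks random v,
    commits t = N^v, hashes c = H_1(server_id, r, t, N) and answers
    u = v - H_1(c) * r (mod q) together with H_1(c);
  * the first input of H_1 is a server identity string (assumed);
  * toy group p = 2q + 1 = 2039, q = 1019, g = 4 (far too small for real use).
"""
import hashlib
import secrets

P = 2039                     # toy safe prime, p = 2q + 1
Q = 1019                     # prime order of the subgroup generated by G
G = 4                        # 4 = 2^2 is a quadratic residue, so it has order Q
SERVER_ID = b"server.example"  # constructed placeholder for the lost first hash input


def h0(password: str) -> int:
    """r = H_0(pi): low entropy because pi is (only as many values as passwords)."""
    return int.from_bytes(hashlib.sha256(b"H0|" + password.encode()).digest(), "big") % Q


def h1(*parts) -> bytes:
    """H_1 over a length-prefixed encoding of its inputs (encoding is this example's choice)."""
    h = hashlib.sha256(b"H1|")
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()


def as_scalar(digest: bytes) -> int:
    """Interpret a digest as an element of Z_q when it is used in arithmetic."""
    return int.from_bytes(digest, "big") % Q


def server_round1():
    """Round 1: N = g^n is sent in the clear (the eavesdropper records it)."""
    n = secrets.randbelow(Q - 1) + 1
    return n, pow(G, n, P)


def client_round2(password: str, N: int):
    """Round 2: the client's (u, H_1(c)), also sent in the clear."""
    r = h0(password)
    v = secrets.randbelow(Q - 1) + 1      # high-entropy mask, as in Schnorr
    t = pow(N, v, P)
    c = h1(SERVER_ID, r, t, N)
    e = h1(c)                              # H_1(c)
    u = (v - as_scalar(e) * r) % Q         # v is masked only by the low-entropy r
    return u, e


def recover_password(N: int, u: int, e: bytes, dictionary):
    """Steps 3-4: replay the client's computation for each candidate password.

    Returns the first candidate whose recomputed H_1(c_i) equals the observed
    H_1(c), or None when no candidate in the dictionary matches."""
    e_scalar = as_scalar(e)
    for candidate in dictionary:
        r_i = h0(candidate)
        v_i = (u + e_scalar * r_i) % Q     # undo the mask: v_i = u + H_1(c) r_i
        t_i = pow(N, v_i, P)               # t_i = N^{v_i}; n is never needed
        c_i = h1(SERVER_ID, r_i, t_i, N)
        if h1(c_i) == e:                   # the transcript itself is the verifier
            return candidate
    return None


def eavesdrop_and_guess(password: str, dictionary):
    """One honest run observed passively, followed by the offline search."""
    _n, N = server_round1()
    u, e = client_round2(password, N)
    return recover_password(N, u, e, dictionary)


# Constructed sample dictionary for the demonstration.
DICTIONARY = ["123456", "password", "letmein", "qwerty", "correct horse", "hunter2"]

if __name__ == "__main__":
    print(eavesdrop_and_guess("letmein", DICTIONARY))
    # A secret that is not password-derived is not in any dictionary, so the
    # same transcript gives the eavesdropper nothing:
    print(eavesdrop_and_guess(secrets.token_hex(16), DICTIONARY))
```

The comparison in `recover_password` is the generic sanity check a protocol designer can apply to any transcript: if every hash input can be rebuilt from public values plus a candidate password, the transcript is a password verifier and the protocol fails against a passive adversary regardless of how strong the group or hash is. The second print shows the contrast drawn in the Conclusion: with a high-entropy secret in the masking role, the same search has nothing to enumerate.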

CONCLUSION
In this paper, we showed that the zkPAKE protocol [6,7] is vulnerable to offline dictionary attacks. To make matters worse, the adversary in the case of zkPAKE needs only eavesdropping capabilities to mount the attack.
Taking a wider view of zkPAKE, the problem with its design lies in the fact that the variable $r$, which is of low entropy, is used as a mask for the secret value. In contrast, in a typical zero-knowledge proof of knowledge, which served as the inspiration for the zkPAKE design, such a value is of high entropy. By showing this vulnerability, we hope that in the future protocol designers will be more careful in claiming the security of proposed protocols, especially when a proof of security does not back those claims.