Andreas Gaupmann
2005-Nov-22 20:49 UTC
[PATCH] Introducing Zero-Knowledge user authentication
Hello! With this email we release an extension to OpenSSH that was initially developed as project for our studies at the Univerity of Applied Sciences in Hagenberg. First we would like to describe the purpose of using Zero-Knowledge (ZK) for user authentication. Traditional authentication methods like challenge-response with passwords or public keys leak information about the credentials of a user (prover) to the verifying or any other party that can access the exchanged messages. Thus, with every finished authentication process the adversary has a greater chance of successfully purporting to third parties to be the prover. ZK avoids this drawback. The theory is more than twenty years old and is accepted by the cryptographic community. We have chosen the ZK protocol of Ohta-Okamoto for implementation. This protocol is not encumbered by any patents. We have set up a website[1] that gives a short introduction on ZK and on how this new user authentication method can be enabled and used. Patches for the OpenBSD and portable versions can be downloaded from our website. They are not attached to this email because of their size. We have developed the ZK extension for the 4.0/4.0p1 releases of OpenSSH and can currently only offer patches for these releases. We are aware that this is not ideal. Depending on the feedback of the OpenSSH community, we would also release patches for the newest version and maintain the patch. Now some notes on the actual implementation. We have used the existing user authentications as templates for incorporating the ZK protocol into OpenSSH. Like pubkey authentication the user has a key pair. Subsequently, we have adjusted the ssh-keygen for generating keys of type OO-ZK that can be used in the usual way as identity files and in the authorized keys files. Currently, the keygen cannot be used for changing the passphrase or other metadata in the key file. Please have a look at our patch and comment on it. We are interested in your feedback. Regards Andreas Gaupmann Christian Schausberger Ulrich Zehl [1] http://zk-ssh.cms.ac/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20051122/e8792bd5/attachment.bin
Darren Tucker
2005-Nov-24 10:47 UTC
[PATCH] Introducing Zero-Knowledge user authentication
On Tue, Nov 22, 2005 at 09:49:40PM +0100, Andreas Gaupmann wrote:> First we would like to describe the purpose of using Zero-Knowledge (ZK) for > user authentication. Traditional authentication methods like > challenge-response with passwords or public keys leak information about the > credentials of a userI'm not qualified to comment on the crypto aspects nor on the prospects for inclusion. That said, I have some comments on the patch itself. Obviously password or C/R authentication leaks authentication information to the server, but how does public-key? (assuming the public-key algorithm has not been broken) Are you referring to a server collecting signatures with various sessionids?>From the patch, it looks like multiple rounds are required. What impactdoes that have on the authentication times, particularly on high-latency links? You use the string "oo-zk" in the SSH protocol to identify the publickey mechanism you implement. Unless this has been registered with IANA you should use a local method (ie "oo-zk at yourdomain.org") as specified in section 6 of the "SSH Protocol Architecture" document. The OpenBSD patch on your page includes all of the *.orig files, which makes it hard to read. Some of the files you add are under the GPL. This isn't a problem while you're publishing it as a patch, but it would prevent it from being incorporated. You also have some minor errors in the patch (use of C++/c99 "//" style comments, declarations after code eg in key_fingerprint_raw()). While some compilers will permit those, some won't. There's also some whitespace-only changes which are unnecessary. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.