An efficient password authenticated key exchange protocol for imbalanced wireless
Authors: Ya-Fen Chang, Chin-Chen Chang and Jen-Ho Yang
Source: Computer Standards & Interfaces, Vol. 27, pp. 313–322, 2005
Reporter: Jung-wen Lo (駱榮問)
Date: 2005/07/07
Introduction
  Bellovin-Merritt (1992): Encrypted key exchange
  Ding and Horster (1995): password guessing attacks
    - Detectable on-line password guessing attack
    - Undetectable on-line password guessing attack
    - Off-line password guessing attack
  Zhu et al. (2002): imbalanced wireless network
    - Under two dictionary attacks, by Bao (2003) and by Yeh et al. (2003)
  Yeh et al. (2003): vulnerable to off-line dictionary attack
Zhu et al.’s Protocol (2002)
Server A (n, e, d, pw)                                  Client B (pw)

A: rA ∈R {0,1}^l
A → B: (n, e), rA
B: {mi ∈R Zn}, 1≤i≤N
B → A: {mi^e mod n}, 1≤i≤N
A: m'i = (mi^e)^d mod n
A → B: {H1(m'i)}, 1≤i≤N
B: check H1(m'i) ?= H1(mi)   (B verifies that A can invert the RSA encryption under (n, e))
B: picks rB, sB; α = H2(pw, IDA, IDB, rA, rB); z = sB^e + α (mod n)
B → A: z, rB
A: α = H2(pw, IDA, IDB, rA, rB); sB = (z − α)^d mod n; K = H3(sB); cA ∈R {0,1}^l
A → B: EK(cA, IDB)
B: K = H3(sB); DK(EK(cA, IDB)) ⇒ c'A, ID'B; check ID'B ?= IDB; cB = H4(sB); σ' = H5(c'A, cB, IDA, IDB)
B → A: H6(σ')
A: cB = H4(sB); σ = H5(cA, cB, IDA, IDB); check H6(σ') ?= H6(σ)
Undetectable On-line Password Guessing Attack
Server A (n, e, d, pw)                 Attacker E (guess pw'), impersonating Client B (pw)

A: rA ∈R {0,1}^l
A → E: (n, e), rA
E → A: {mi^e mod n}, 1≤i≤N
A: m'i = (mi^e)^d mod n
A → E: {H1(m'i)}, 1≤i≤N
E: check H1(m'i) ?= H1(mi)
E: picks rE, sE; α' = H2(pw', IDA, IDB, rA, rE); z' = sE^e + α' (mod n)
E → A: z', rE
A: α'' = H2(pw, IDA, IDB, rA, rE); s'E = (z' − α'')^d mod n; K = H3(s'E); cA ∈R {0,1}^l
A → E: EK(cA, IDB)
E: K' = H3(sE); DK'(EK(cA, IDB)) ⇒ c'A, ID'B
E: if ID'B = IDB then pw' = pw
Yeh et al.’s Protocol (2003)
Server A (n, e, d, pw)                                  Client B (pw)

A: rA ∈R {0,1}^l
A → B: (n, e), rA
B: {mi ∈R Zn}, 1≤i≤N
B → A: {mi^e mod n}, 1≤i≤N
A: m'i = (mi^e)^d mod n
A → B: {H1(m'i)}, 1≤i≤N
B: check H1(m'i) ?= H1(mi)
B: sB ∈R Zn; α = Epw(IDA, IDB, rA, sB); z = α^e mod n
B → A: z
A: (IDA, IDB, rA, sB) = Dpw(z^d mod n); cB = H3(sB); σ = H4(rA, cB, IDA, IDB)
A → B: Eσ(IDB)
B: cB = H3(sB); σ' = H4(rA, cB, IDA, IDB); check Dσ'(Eσ(IDB)) ?= IDB
B → A: H6(σ')
A: check H6(σ') ?= H6(σ)
Cryptanalysis of Yeh et al.’s protocol: Off-line dictionary attack
Attacker E (n', e', d'), impersonating Server A (n, e, d, pw)        Client B (pw)

E: rE ∈R {0,1}^l
E → B: (n', e'), rE
B: {mi ∈R Zn'}, 1≤i≤N
B → E: {mi^e' mod n'}, 1≤i≤N
E → B: {H1(m'i)}, 1≤i≤N   (E holds d', so B’s check passes)
B: sB; α = Epw(IDA, IDB, rE, sB); z = α^e' mod n'
B → E: z
E: α = z^d' mod n'; for each candidate pw': Dpw'(α) ?= (IDA, IDB, rE, sB)
Proposed scheme
Server A (p, q, pw)                                     Client B (pw)
※ n = p·q, p ≡ 3 (mod 4), q ≡ 3 (mod 4)

A: rA ∈R {0,1}^l
A → B: Epw(rA)
B: rA = Dpw(Epw(rA)); sB ∈R Zn; σ = F1(IDA, IDB, rA, sB); α = F2(rA, sB, σ); z = sB^2 mod n
B → A: z, α
A: c1 = z^((p+1)/4) mod p
   c2 = (p − z^((p+1)/4)) mod p
   c3 = z^((q+1)/4) mod q
   c4 = (q − z^((q+1)/4)) mod q
   x = q·(q^(−1) mod p)
   y = p·(p^(−1) mod q)
   β1 = (x·c1 + y·c3) mod n
   β2 = (x·c1 + y·c4) mod n
   β3 = (x·c2 + y·c3) mod n
   β4 = (x·c2 + y·c4) mod n
   for s'B = βi, i = 1, 2, 3, 4: σ' = F1(IDA, IDB, rA, s'B); α' = F2(rA, s'B, σ'); check α' ?= α (abort if no βi matches)
A → B: F3(σ')
B: check F3(σ') ?= F3(σ)
Proposed scheme (sample)
Server A (p, q, pw)                                     Client B (pw)
※ n = p·q = 77, p ≡ 3 (mod 4): p = 7, q ≡ 3 (mod 4): q = 11

A: rA ∈R {0,1}^l, rA = 6
A → B: Epw(rA)
B: rA = Dpw(Epw(rA)); sB ∈R Zn, sB = 3; σ = F1(IDA, IDB, rA, sB); α = F2(rA, sB, σ); z = sB^2 mod n = 9
B → A: z, α
A: c1 = z^((p+1)/4) mod p = 81 mod 7 = 4
   c2 = (p − z^((p+1)/4)) mod p = 7 − 81 mod 7 = 3
   c3 = z^((q+1)/4) mod q = 729 mod 11 = 5
   c4 = (q − z^((q+1)/4)) mod q = 11 − 729 mod 11 = 8
   x = q·(q^(−1) mod p) = 11 × 2 = 22
   y = p·(p^(−1) mod q) = 7 × 8 = 56
   β1 = (x·c1 + y·c3) mod n = (22×4 + 56×5) mod 77 = 60
   β2 = (x·c1 + y·c4) mod n = (22×4 + 56×8) mod 77 = 74
   β3 = (x·c2 + y·c3) mod n = (22×3 + 56×5) mod 77 = 38
   β4 = (x·c2 + y·c4) mod n = (22×3 + 56×8) mod 77 = 52
   for s'B = βi, i = 1, 2, 3, 4: σ' = F1(IDA, IDB, rA, s'B); α' = F2(rA, s'B, σ'); check α' ?= α (abort if no βi matches)
A → B: F3(σ')
B: check F3(σ') ?= F3(σ)
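The server-side root extraction and candidate check of the proposed scheme and its sample above (the same Rabin decryption the closing slides describe), as an added Python example that is not part of the original slides or the paper. F1, F2 and F3 are abstract hash functions in the paper; instantiating them as SHA-256 over a '|'-joined encoding, and the identities "A" and "B", are constructed assumptions of this example.

```python
import hashlib

# Added example, not from the paper: server side of the proposed scheme.
# F1/F2/F3 are abstract hash functions in the paper; instantiating them as
# SHA-256 over a '|'-joined encoding is an assumption of this example.
def _F(tag, *parts):
    data = "|".join([tag] + [str(x) for x in parts]).encode()
    return hashlib.sha256(data).hexdigest()

def F1(id_a, id_b, r_a, s_b): return _F("F1", id_a, id_b, r_a, s_b)
def F2(r_a, s_b, sigma):      return _F("F2", r_a, s_b, sigma)
def F3(sigma):                return _F("F3", sigma)

def rabin_roots(z, p, q):
    """Four square roots of z mod n = p*q for p, q = 3 (mod 4): roots mod p
    and mod q via the (p+1)/4 exponent, combined with the CRT weights x, y."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    c1 = pow(z, (p + 1) // 4, p); c2 = (p - c1) % p     # +/- root mod p
    c3 = pow(z, (q + 1) // 4, q); c4 = (q - c3) % q     # +/- root mod q
    x = q * pow(q, -1, p)     # x = 1 (mod p), x = 0 (mod q)
    y = p * pow(p, -1, q)     # y = 0 (mod p), y = 1 (mod q)
    return sorted({(x*c1 + y*c3) % n, (x*c1 + y*c4) % n,
                   (x*c2 + y*c3) % n, (x*c2 + y*c4) % n})

def client_message(id_a, id_b, r_a, s_b, n):
    """B's single message (z, alpha) plus the session key sigma it keeps."""
    sigma = F1(id_a, id_b, r_a, s_b)
    return pow(s_b, 2, n), F2(r_a, s_b, sigma), sigma

def server_verify(id_a, id_b, r_a, z, alpha, p, q):
    """A tries each root as s'B; the one reproducing alpha is accepted and
    F3(sigma') is returned for B. None means no root matched (abort)."""
    for s_cand in rabin_roots(z, p, q):
        sigma_c = F1(id_a, id_b, r_a, s_cand)
        if F2(r_a, s_cand, sigma_c) == alpha:
            return s_cand, F3(sigma_c)
    return None

def run_sample():
    """The slide's sample values: p = 7, q = 11, n = 77, rA = 6, sB = 3."""
    p, q, r_a, s_b = 7, 11, 6, 3
    z, alpha, sigma = client_message("A", "B", r_a, s_b, p * q)   # z = 9
    accepted = server_verify("A", "B", r_a, z, alpha, p, q)
    # B's final check: the F3(sigma') received from A must equal F3(sigma)
    return z, rabin_roots(z, p, q), accepted, accepted[1] == F3(sigma)

if __name__ == "__main__":
    print(run_sample())
```

With the sample values the roots of z = 9 mod 77 come out as 3, 25, 52 and 74 (729 mod 11 is 3, so c3 = 3, β1 = 25 and β3 = 3), and A accepts the candidate 3 because only that one reproduces α.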
Security Analysis
On-line password-guessing attacks: a malicious user E impersonates B ⇒ E cannot derive rA.
Off-line password-guessing attacks: E eavesdrops and records the transmitted data Epw(rA), α, z and h(σ); E impersonates A to get the essential information ⇒ E cannot derive sB.
E wants to get the session key σ ⇒ protected by the hash function.
E guesses B’s password by impersonating A ⇒ B will not keep on sending the request all the time ⇒ when the server terminates the protocol several times in a short time, B will detect it.
Replay attack ⇒ easily detected, because rA is different every time.
Performance Analyses (1/2): The numbers of operations for different computation types

Protocol                  Computation type             A        B
Zhu et al.’s protocol     Exponential computation      N+1      N+1
                          Symmetric en(de)cryption     1        1
                          Hash                         N+5      N+5
Yeh et al.’s protocol     Exponential computation      N+1      N+1
                          Symmetric en(de)cryption     2        2
                          Hash                         N+3      N+3
Our proposed protocol     Exponential computation      2        0
                          Symmetric en(de)cryption     1        1
                          Hash                         8/4/2    3
Performance Analyses (2/2): The numbers of transmissions of the participants

Protocol                  A    B
Zhu et al.’s protocol     3    3
Yeh et al.’s protocol     3    3
Our proposed protocol     2    1
Conclusion
Mutual authentication: A and B authenticate each other
Explicit key authentication: A is assured that B has computed the exchanged key
Computation efficiency: the computation load of the wireless device is light
Power saving: the power consumption of the wireless device in our protocol is low
Confirmation and completeness
Withstands password-guessing attacks
Comments
E impersonates B: detectable on-line guessing attack (author: A will discover it)
E eavesdrops and records the transmitted data Epw(rA), α, z and h(σ): z → sB; with pw' → r'A → σ' → α'; if α' = α then pw' = pw
Performance analysis unfair: interactive protocol
Hash count error in Server A: 2×(F1+F2)+F3
Rabin Public Key Cryptosystem (1979) - excerpted from the lecture notes of Prof. 詹進科
Probabilistic encryption systems: Rabin’s idea is that one ciphertext corresponds to four plaintexts. Therefore some meaningful and easily recognisable information must be embedded in the plaintext at encryption time, so that decryption can unambiguously recover the original plaintext.
Method overview: choose n = p·q, where p and q are large primes. Let the plaintext be M and the ciphertext C; the public encryption key is (b, n) and the secret decryption key is (p, q).
[Encryption]: C = M·(M + b) mod n, where b is a random number.
[Decryption]: from the above, M^2 + M·b − C ≡ 0 (mod n). Hence the plaintext is one of the following four values:
  M = −b/2 ± ((b/2)^2 + C)^(1/2) mod p,   M = −b/2 ± ((b/2)^2 + C)^(1/2) mod q
Rabin Public Key Cryptosystem: Key generation
Choose n = p·q, where p and q are large primes with p ≡ q ≡ 3 (mod 4). Let the plaintext be M and the ciphertext C; A’s public encryption key is n and the secret decryption key is (p, q).
[Encryption]: B → A: C = M^2 mod n
[Decryption]: find a, b with ap + bq = 1 by the Euclidean algorithm; r = C^((p+1)/4) mod p; s = C^((q+1)/4) mod q; x = (aps + bqr) mod n; y = (aps − bqr) mod n
Hence the plaintext is one of the following four values: m1 = x, m2 = −x mod n, m3 = y, m4 = −y mod n