
GESTS Int’l Trans. Computer Science and Engr., Vol.19, No.1 159

GESTS-Oct.2005

Compact and Efficient Leakage-Resilient Authenticated Key Exchange Protocol

SeongHan Shin, Kazukuni Kobara, and Hideki Imai

Institute of Industrial Science, The University of Tokyo, 4-6-1 Komaba, Meguro-ku, Tokyo 153-8505, Japan

[email protected]

Abstract. Let us consider the following situation: (1) a user remembers only one password and has some insecure devices with built-in memory while maintaining connections with many different servers; (2) the counterpart servers are not perfectly secure against possible attacks (e.g., a virus or a hacker); (3) neither PKI (Public Key Infrastructure) nor TRM (Tamper-Resistant Modules) is available at all. As a currently known solution to this situation, Shin et al. [1] have proposed a Leakage-Resilient Authenticated Key Exchange (LR-AKE for short) protocol whose authenticity is based on a user's password and his/her stored secrets. In this paper, we improve the LR-AKE protocol to be more compact and efficient in terms of both computation cost and memory size: the computation cost of the initialization phase drops to zero modular exponentiations (a 100% decrease) and the memory size is reduced by about 96%. In addition, we give a significant countermeasure for minimizing the damage caused by simultaneous leakage of stored secrets from the user's device and the server's database. We also discuss its security under the notion of LR-AKE security, which ensures enhancement of the overall security level and usability of passwords.

1 Introduction

Both of the fundamental security goals (authentication and privacy) can be achieved by establishing a secure channel between two parties (say, a client and a server) through an authenticated key exchange (AKE) protocol, at the end of which the two parties share a common session key. Since AKE protocols are one of the most crucial cryptographic primitives, they have been widely used in many applications wherever authentication is needed. For authentication, some protocols take full advantage of PKI (Public Key Infrastructure) and others are based on a human-memorable password that is chosen from a small dictionary (small compared to the space of cryptographically secure keys). In particular, password-based authentication can be preferable mainly because neither special hardware, such as TRM (Tamper-Resistant Modules) to carry secrets, nor a security infrastructure is required. However, two major attacks exist: on-line and off-line dictionary attacks. While on-line dictionary attacks apply equally to all password-based protocols, they can be prevented by letting a server take appropriate intervals between invalid trials. But we cannot avoid off-line dictionary attacks by such policies, mainly because those attacks are performed off-line and independently of the server. As a result, avoiding off-line dictionary attacks in password-based protocols has been one of the most interesting topics in this research field.

The first secure password-based protocols came out of two papers [2, 3] of Bellovin and Merritt, who brought forth the problem of off-line attacks. Many subsequent suggestions for secure protocols have been proposed since (see [4]). At Asiacrypt 2003, Shin et al. [1] proposed a new class of AKE protocol, titled "Leakage-Resilient Authenticated Key Establishment" (we call it LR-AKE for short). The authenticity of their LR-AKE protocol is based on a user's password and additional secrets stored on (insecure) devices, which guarantees immunity of the password to the leakage of stored secrets from a client and servers, respectively. In other words, the password is completely protected against off-line attacks even if an attacker can get some verification data from a client or servers. In addition, the LR-AKE protocol does not require TRM or PKI at all. Refer to [1] for a more detailed comparison with SSH, SSL/TLS and secure password-based protocols.

In the following section, we propose a compact and efficient LR-AKE protocol (hereafter simply the LR-AKE protocol), followed by an efficiency analysis in terms of computation costs, communication bandwidth and memory size in Section 3. In Section 4, we introduce the security model and definitions for LR-AKE security. Section 4.1 and the Appendix are devoted to the security of the LR-AKE protocol. We discuss some extensions in Section 5. Finally, we summarize this paper and give conclusions in Section 6.

2 A Compact and Efficient LR-AKE Protocol

First of all, we give the mathematical background and notation to be used. The protocol is defined over a finite cyclic group $G = \langle g \rangle$ of order $q$, with the assumption that $G$ is a prime-order subgroup of the multiplicative group of a finite field $\mathbb{F}_p$. That is, $G = \{ g^i \bmod p : 0 \le i < q \}$, where $p$ is a large prime, $q$ is a large prime divisor of $p - 1$, and $g$ is an integer such that $1 < g < p - 1$, $g^q \equiv 1$ and $g^i \ne 1$ for $0 < i < q$. Hereafter, all arithmetic is performed modulo $p$ unless otherwise stated. Let $g$ and $h$ be two generators of $G$ chosen so that the DLP (Discrete Logarithm Problem) between them, i.e., computing $a = \log_g h$, is hard.

Let $k$ be the security parameter for $p$ (say, 1024 bits) and let $N$ be the dictionary size (cardinality) of passwords (say, $|N| = 36$ bits for alphanumeric passwords of 6 characters). Let $\{0,1\}^*$ denote the set of finite binary strings and $\{0,1\}^{|N|}$ the set of binary strings of length $|N|$, where $|\cdot|$ indicates bit-length. Let "$\|$" denote the concatenation of bit strings in $\{0,1\}^*$. We define a secure one-way hash function $H : \{0,1\}^* \to \{0,1\}^{|N|}$ and a MAC generation function $\mathrm{MAC}_{km}(m)$ with key $km$ on message $m$, which can be chosen from a family of universal one-way hash functions. Let $C$ and $S$ be the identities of the client and the server, respectively, with each $ID \in \{0,1\}^*$ written as $ID_C$ and $ID_S$.


Client $C$ and server $S_i$ ($i \ge 1$); throughout, $Y = y_1 \| y_2$.

[Initialization]
  $C$: $p_{i1} = \alpha_{i1} \oplus H(pw, ID_C, ID_{S_i})$; $C$ stores $\alpha_{i1}$.
  $C \to S_i$ (secure channel): $p_{i1}$; $S_i$ stores $p_{i1}$.

[j-th Protocol Execution]
  $C$: $p_{ij} = \alpha_{ij} \oplus H(pw, ID_C, ID_{S_i})$; $r_1 \leftarrow_R (\mathbb{Z}/q\mathbb{Z})^*$; $y_1 = g^{r_1} \cdot h^{-p_{ij}}$.
  $C \to S_i$: $(C, y_1)$
  $S_i$: $r_2 \leftarrow_R (\mathbb{Z}/q\mathbb{Z})^*$; $y_2 = g^{r_2} \cdot h^{p_{ij}}$; $km_{S_i} = (y_1 \cdot h^{p_{ij}})^{r_2}$; $Ver_2 = \mathrm{MAC}_{km_{S_i}}(Tag_{S_i} \| Y)$.
  $S_i \to C$: $(S_i, y_2, Ver_2)$
  $C$: $km_C = (y_2 \cdot h^{-p_{ij}})^{r_1}$. If $Ver_2 = \mathrm{MAC}_{km_C}(Tag_{S_i} \| Y)$, then $Ver_1 = \mathrm{MAC}_{km_C}(Tag_C \| Y)$ and $sk_C = \mathrm{MAC}_{km_C}(Tag_{sk} \| Y)$.
  $C \to S_i$: $Ver_1$
  $S_i$: If $Ver_1 = \mathrm{MAC}_{km_{S_i}}(Tag_C \| Y)$, then $sk_{S_i} = \mathrm{MAC}_{km_{S_i}}(Tag_{sk} \| Y)$.

[j-th Stored-Secret Refreshment]
  $C$: $\beta_{ij} \leftarrow_R \{0,1\}^{|N|}$; $\alpha_{i(j+1)} = \alpha_{ij} \oplus \beta_{ij}$ (new stored secret).
  $C \to S_i$: $Enc_{sk}(\beta_{ij})$
  $S_i$: $p_{i(j+1)} = p_{ij} \oplus \beta_{ij}$ (new stored verification data).

Fig. 1. A compact and efficient LR-AKE protocol. The values marked "stores" are the stored secrets of client and server, respectively (boxed in the original figure), and $Y = y_1 \| y_2$. In the original figure, underlined values and equations mark the parts changed from or newly added to the SKI protocol [1].

2.1 Protocol Description

We consider the same scenario as [1], in which a client communicates with many different servers $S_i$. We present a more compact and efficient LR-AKE protocol than that of [1] (which we call SKI); it deploys Shamir's (2, 2)-threshold secret sharing scheme [5] and a one-way hash function $H : \{0,1\}^* \to \{0,1\}^{|N|}$. The rationale is that the client generates the $i$-th verification data, of size $|N|$, for server $S_i$^1 from his password and the pair of client's and server's IDs. The LR-AKE protocol is optimal in terms of the memory size needed for storing secrets on the client's and the servers' devices; a more detailed discussion follows. The whole protocol is illustrated in Fig. 1.

1 For simplicity, we number the servers with consecutive integers $i \ge 1$, so that $S_i$ is the $i$-th server.

[Initialization] A client $C$ wants to register verification data, generated from one password $pw$, with each of the different servers $S_i$ ($i \ge 1$). Every time it registers with a server, the client picks a distinct value $\alpha_{i1}$ uniformly at random from $\{0,1\}^{|N|}$ and securely registers the verification data $p_{i1}$ with the respective server $S_i$:

$p_{i1} = \alpha_{i1} \oplus \alpha_{i0}$, where $\alpha_{i0} = H(pw, ID_C, ID_{S_i})$ and $pw$ is the client's password.

Since $\alpha_{i0} = \alpha_{i1} \oplus p_{i1}$, each of $\alpha_{i1}$ and $p_{i1}$ is a share of a (2, 2)-threshold secret sharing scheme [5]. The client then stores only the secret value $\alpha_{i1}$ on devices that may happen to leak it, and keeps his password $pw$ in mind.

[j-th Protocol Execution] When client $C$ wants to share an authenticated session key with one of the servers $S_i$ ($i \ge 1$), he first recovers the verification data $p_{ij}$ by XORing the hashed value $H(pw, ID_C, ID_{S_i})$ with the $\alpha_{ij}$ stored on his devices. The client chooses a random number $r_1 \leftarrow_R (\mathbb{Z}/q\mathbb{Z})^*$, computes $y_1 = g^{r_1} \cdot h^{-p_{ij}}$ using the verification data $p_{ij}$ for that server, and sends $y_1$ to server $S_i$. The server $S_i$ likewise computes $y_2 = g^{r_2} \cdot h^{p_{ij}}$ with a random number $r_2 \leftarrow_R (\mathbb{Z}/q\mathbb{Z})^*$ and its verification data $p_{ij}$, and transmits $y_2$ to the client along with the authentication tag $Ver_2$. The client's (resp., the server's) keying material is $km_C$ (resp., $km_{S_i}$). Only if the client uses the right password $pw$ together with the corresponding secret value $\alpha_{ij}$ for server $S_i$, and the server uses the right verification data $p_{ij}$, do the two $h$ factors cancel so that both of them share the same keying material $km = g^{r_1 \cdot r_2}$. Otherwise, guessing the other party's keying material is hard because the discrete logarithm between $g$ and $h$ is unknown. Also, attackers cannot determine the client's password through off-line attacks, since they know neither the client's random number $r_1$ chosen for the session nor the secret $\alpha_{ij}$, both of which are required to narrow down the password $pw$. The rest is the same as in [1].^2

[j-th Stored-Secret Refreshment] In the stored-secret refreshment phase, the client can update the secret value $\alpha_{ij}$ as well as the verification data $p_{ij}$ to new ones without changing his password, in order to minimize the damage caused by simultaneous leakage. After establishing a secure channel, client $C$ picks another distinct value $\beta_{ij}$ uniformly at random from $\{0,1\}^{|N|}$ and transmits it securely to the respective server $S_i$ as $Enc_{sk}(\beta_{ij})$, where $Enc_{sk}(\cdot)$ is a symmetric encryption with $sk$ as its key. On decrypting $Enc_{sk}(\beta_{ij})$ with $sk$, server $S_i$ produces the refreshed verification data $p_{i(j+1)}$ for the $(j+1)$-th session by XORing $\beta_{ij}$ with the previous verification data $p_{ij}$. The client likewise updates and stores the secret value $\alpha_{i(j+1)} = \alpha_{ij} \oplus \beta_{ij}$ on his mobile devices and keeps the same password $pw$ in mind. Note that $\alpha_{i(j+1)} \oplus p_{i(j+1)} = \alpha_{ij} \oplus p_{ij} = \alpha_{i0}$, so the two fresh values are again shares of the same secret, which is why the refreshment needs neither the password nor any exponentiation.

2 Additional hash functions or key derivation functions may be used for the MAC key.
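The three phases described above, as an added example written for this page (Python; it is not the authors' implementation, and nothing in it beyond the protocol equations comes from the paper). It fixes instantiations the paper leaves open, all of which are assumptions: $H$ as SHA-256 truncated to $|N|$ bits, the MAC as HMAC-SHA-256, $Enc_{sk}$ as a $|N|$-bit one-time pad derived from $sk$, and a 64-bit safe-prime subgroup generated deterministically at import time (demonstration size only; the paper assumes $|p| = 1024$). The class and tag names and the ID strings are illustrative.

```python
# Added example (not the authors' code): the three phases of Fig. 1, end to end.
# Assumptions: H = SHA-256 truncated to |N| bits, MAC = HMAC-SHA-256, Enc_sk = an
# |N|-bit one-time pad derived from sk, and a 64-bit safe-prime subgroup found at
# import time (demonstration size only; the paper assumes |p| = 1024).
import hashlib, hmac, random, secrets

N_BITS = 36  # |N|: 36-bit dictionary (6-character alphanumeric passwords)

def is_probable_prime(n, rounds=16):  # Miller-Rabin, fine for demo-size parameters
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n < 2 or n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=64, seed=2005):
    """p = 2q + 1 with p, q prime, plus two independent generators g, h of the
    order-q subgroup, so that log_g h is unknown to every party."""
    rng = random.Random(seed)
    q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    g, h = (pow(rng.randrange(2, p - 1), 2, p) for _ in range(2))  # squares have order q
    return p, q, g, h

p, q, g, h = make_group()
LEN = (p.bit_length() + 7) // 8
TAG_C, TAG_S, TAG_SK = b"\x01", b"\x02", b"\x03"  # Tag_C, Tag_Si, Tag_sk
enc = lambda x: x.to_bytes(LEN, "big")           # fixed-width encoding of group elements and keys

def H(pw, id_c, id_s):
    """H : {0,1}* -> {0,1}^|N|, with length prefixes so the inputs cannot be re-split."""
    data = b"".join(len(x).to_bytes(2, "big") + x.encode() for x in (pw, id_c, id_s))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - N_BITS)

def MAC(km, tag, Y):
    return hmac.new(enc(km), tag + Y, hashlib.sha256).digest()

def pad(sk):  # |N|-bit keystream for Enc_sk(beta_ij), derived from the fresh session key
    return int.from_bytes(hashlib.sha256(b"refresh" + sk).digest(), "big") >> (256 - N_BITS)

class Server:
    def __init__(self, id_s):
        self.id, self.verifiers, self.sessions, self.sk = id_s, {}, {}, {}
    def respond(self, id_c, y1):                          # receives (C, y1)
        p_ij = self.verifiers[id_c]
        r2 = secrets.randbelow(q - 1) + 1                 # r2 in (Z/qZ)*
        y2 = pow(g, r2, p) * pow(h, p_ij, p) % p          # y2 = g^r2 * h^p_ij
        km = pow(y1 * pow(h, p_ij, p) % p, r2, p)         # km_Si = (y1 * h^p_ij)^r2
        Y = enc(y1) + enc(y2)
        self.sessions[id_c] = (km, Y)
        return y2, MAC(km, TAG_S, Y)                      # sends (Si, y2, Ver2)
    def finish(self, id_c, ver1):                         # receives Ver1
        km, Y = self.sessions.pop(id_c)
        if not hmac.compare_digest(ver1, MAC(km, TAG_C, Y)):
            return False
        self.sk[id_c] = MAC(km, TAG_SK, Y)                # sk_Si
        return True
    def refresh(self, id_c, ct):                          # receives Enc_sk(beta_ij)
        self.verifiers[id_c] ^= ct ^ pad(self.sk[id_c])   # p_i(j+1) = p_ij XOR beta_ij

class Client:
    def __init__(self, pw, id_c):
        self.pw, self.id, self.alpha = pw, id_c, {}       # alpha[server id]: the leak-tolerant secret
    def register(self, server):                           # [Initialization], over a secure channel
        alpha = secrets.randbits(N_BITS)                  # alpha_i1
        self.alpha[server.id] = alpha
        server.verifiers[self.id] = alpha ^ H(self.pw, self.id, server.id)  # p_i1 = alpha_i1 XOR alpha_i0
    def run(self, server):                                # [j-th Protocol Execution]; returns sk_C or None
        p_ij = self.alpha[server.id] ^ H(self.pw, self.id, server.id)
        r1 = secrets.randbelow(q - 1) + 1
        y1 = pow(g, r1, p) * pow(h, -p_ij, p) % p         # y1 = g^r1 * h^-p_ij
        y2, ver2 = server.respond(self.id, y1)
        Y = enc(y1) + enc(y2)
        km = pow(y2 * pow(h, -p_ij, p) % p, r1, p)        # km_C = (y2 * h^-p_ij)^r1 = g^(r1 r2) iff both p_ij agree
        if not hmac.compare_digest(ver2, MAC(km, TAG_S, Y)):
            return None                                   # server did not hold the matching p_ij
        return MAC(km, TAG_SK, Y) if server.finish(self.id, MAC(km, TAG_C, Y)) else None
    def refresh(self, server, sk):                        # [j-th Stored-Secret Refreshment]
        beta = secrets.randbits(N_BITS)                   # beta_ij
        server.refresh(self.id, beta ^ pad(sk))           # Enc_sk(beta_ij)
        self.alpha[server.id] ^= beta                     # alpha_i(j+1); alpha_i0 itself is unchanged
```

A client with the wrong password, or with a stale $\alpha_{ij}$, computes a different $p_{ij}$, so its $km$ differs from the server's and the $Ver_2$ check fails before any key is derived; the server learns nothing beyond one rejected attempt. After `refresh`, `alpha ^ verifier` still equals $H(pw, ID_C, ID_{S_i})$, which is the invariant that lets the shares be rotated without touching the password.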


Table 1. Comparison between the SKI protocol and the LR-AKE protocol as for memory size

Protocol   Client*1   Server*2   |p| = 1024, |N| = 36*3   |p| = 1024, |N| = 60*4   |p| = 2048, |N| = 36   |p| = 2048, |N| = 60
SKI [1]    n|p|       |p|
LR-AKE     n|N|       |N|        96.5% saving*5           94.1% saving*5           98.2% saving*5         97% saving*5

*1: Memory size needed for storing secrets on the client's devices
*2: Memory size needed for storing verification data on each server's devices
*3: |N| = 36 for alphanumeric passwords of 6 characters
*4: |N| = 60 for alphanumeric passwords of 10 characters
*5: Saving of LR-AKE relative to SKI, calculated as $\frac{|p| - |N|}{|p|} \times 100$.

Table 2. Comparison between the SKI protocol and the LR-AKE protocol as for computation costs*1

                  Initialization   Protocol execution*2
Protocol          phase            Client C     Per server S_i
SKI [1]           n + 1            2.34 (2)     2 (1)
LR-AKE            0                2.34 (2)     2.34 (2)

*1: The number of modular exponentiations, where the cost of one simultaneous exponentiation with two bases is counted as 1.17 following [7]. The figures in parentheses are the remaining costs after pre-computation of $g^{r_1}$ and $g^{r_2}$.
*2: The case in which client C establishes a session key with one of the servers S_i.

3 Efficiency

We analyze the efficiency of the LR-AKE protocol in terms of computation costs, communication bandwidth and the memory size needed on devices. The main parameters of the LR-AKE protocol (compared with the SKI one [1]) are: (1) the number of modular exponentiations in the initialization phase is 0; and (2) the memory size needed on the client's devices is $n|N|$, where $n$ is the number of servers and $N$ is the size of the dictionary from which passwords are chosen. Since $n$ is usually small (say, $n = O(1)$, and certainly $n \ll N$), these are good parameters considering the generality of the LR-AKE protocol. In particular, the parameters are essentially independent of the security parameter $k$. Tables 1 and 2 summarize how much memory size and computation cost are reduced in the LR-AKE protocol.

As shown in Table 1, in terms of memory size a client (resp., each server) in the LR-AKE protocol stores just $n$ secret values $\alpha_{ij}$, one for each server $S_i$ ($1 \le i \le n$), each of size $|N|$ (resp., one verification data $p_{ij}$ of size $|N|$), rather than $n$ secret values $h_i$ of size $|p|$ (resp., one verification data $h^{p(i) \cdot \lambda_i}$ of size $|p|$) in the SKI protocol. Thus $n|N|$ is the same size as $n$ passwords; recall, however, that the client remembers only one password in the LR-AKE protocol.


For the minimum security parameters recommended for current practice, $|p| = 1024$ and $|N| = 36$ (alphanumeric passwords of 6 characters), the reduction in memory size is about 96%. The longer the prime $p$, the larger the saving. Furthermore, the memory size in the LR-AKE protocol is optimal by (the first requirement of) Definition 1.

Theorem 1 The memory size in the LR-AKE protocol is optimal by Definition 1.

Proof. We prove this theorem using a well-known fact from the theory of secret sharing [5]. The first requirement of Definition 1 is that the password (precisely, $\alpha_{i0}$) must be information-theoretically secure against attacker $A_1$ or $A_2$ (specified in Section 4). To achieve information-theoretic security, each share must be at least as long as the secret itself. In the LR-AKE protocol, each of the stored secrets $\alpha_{ij}$ and $p_{ij}$ has exactly the size of the secret $\alpha_{i0}$ (equivalently, of a password chosen from a dictionary of size $N$). This gives the optimal memory size on both the client and the server side. □

When a user who remembers one password ($|N| = 36$) has access to 30 different servers ($n = 30$), the memory needed on his devices is only $30 \times 36 = 1{,}080$ bits, i.e. 135 bytes. On the other hand, if a server has one million subscribers, storing one million verification data takes $36 \times 10^6$ bits, i.e. 4.5 MB.

One of the important factors in evaluating the efficiency of a cryptographic protocol is the number of modular exponentiations, which is the most power-consuming and dominant operation. Table 2 shows that the LR-AKE protocol requires no modular exponentiation in the initialization phase (compared to $n + 1$ modular exponentiations in the SKI protocol) when registering $n$ verification data with the corresponding servers $S_i$ ($1 \le i \le n$); the initialization cost^3 vanishes entirely. In the protocol execution, the LR-AKE protocol needs 1.17 times as many modular exponentiations on each side as the Diffie-Hellman key exchange protocol [6] (which provides no authentication at all). If pre-computation of $g^{r_1}$ and $g^{r_2}$ is possible, client $C$ and server $S_i$ each need to compute only 2 modular exponentiations on-line.

The LR-AKE protocol has at most 3 rounds of communication, compared to 4 rounds in the SKI protocol. As for communication bandwidth, the overhead is $2(|p| + |MAC| + |ID|)$ bits in both protocols. With $|p| = 1024$, $|MAC| = 160$ and $|ID| = 48$, the bandwidth needed is 2,464 bits (308 bytes).

Consequently, the LR-AKE protocol is more efficient than the SKI one, especially when implemented on client devices with limited computing power and limited memory capacity. As shown in this section, the computation costs, communication bandwidth and memory size needed on mobile devices are small enough that the LR-AKE protocol is applicable in wireless environments.

3 The other computation costs for additional operations (e.g., modular multiplication/inversion, MAC and hash function) are negligible.


4 Security

To evaluate the security of the LR-AKE protocol, we first introduce the classes of attackers and the security definition. Before defining LR-AKE security, it is convenient to specify attackers according to the oracle(s) they are given (see [1] for the security model).

– $A_1$: An attacker given access to the Leak oracle, which accepts the client's ID, whose goal is to find the correct password.

– $A_2$: An attacker given access to the Leak oracle, which accepts server IDs, whose goal is to find the correct password. In this case the stored secrets of all the servers are given to the attacker.

– $A_3$: An attacker given access to all of the oracles of the security model, where the Leak oracle accepts the client's ID. The goal of the attacker is to break the semantic security of session keys.

– $A_4$: An attacker given access to all of the oracles, as $A_3$, where the Leak oracle accepts server IDs. The goal of the attacker is to impersonate its partner (the client) to the other servers. In this case we cannot prevent the attacker from impersonating the compromised server to the client, as in existing AKE protocols.

– $A_5$: An attacker given access to the Leak oracle, which accepts a pair of client and server IDs, whose goal is to find the correct password by attacks using time-memory trade-off techniques [8–10], not by off-line dictionary attacks.

Now we are ready to define LR-AKE security against the above attackers explicitly; this is necessary for stating meaningful results about the LR-AKE protocol of Section 2.

Definition 1 (LR-AKE Security) A provably secure LR-AKE protocol must satisfy the following requirements at the same time:

1. Security against attacker $A_1$ or $A_2$: the password remains information-theoretically secure against attacker $A_1$ or $A_2$.

2. Security against attacker $A_3$: the protocol is said to be secure if, when attacker $A_3$ asks $q_{se}$ queries to the Send oracle and passwords are chosen from a dictionary of size $N$, the attacker's advantage in attacking the protocol is bounded by

$$O(q_{se}/N) + \varepsilon(k), \quad (1)$$

for some negligible function $\varepsilon(\cdot)$. The first term represents the fact that the attacker can do no better than guess one password per query to the Send oracle.^4

3. Security against attacker $A_5$: the password is guaranteed secure against attacker $A_5$ until naive off-line (dictionary) attacks are mounted. That is, the password should not be deducible by attacks using time-memory trade-off techniques [8–10] more efficiently than by a naive off-line dictionary attack.

It is easy to see that security against attacker $A_2$ implies that attacker $A_4$ falls into the category of $A_3$ ($A_4$ is weaker than $A_3$).

4 It does not depend on the attacker's expenditure of computation.


4.1 Security Analysis

Recall that client $C$ stores the secret value $\alpha_{ij}$, with $\alpha_{ij} = p_{ij} \oplus H(pw, ID_C, ID_{S_i})$, on insecure devices and remembers his password $pw$, whereas the corresponding server $S_i$ holds its verification data $p_{ij}$.

Theorem 2 The password in the LR-AKE protocol of Fig. 1 remains information-theoretically secure against off-line attacks after the leakage of stored secrets from client $C$ or from the servers $S_i$ ($1 \le i \le n$), respectively, where $n$ is the number of servers. An attacker ($A_1$ or $A_2$) who obtains stored secrets by querying the Leak oracle cannot retrieve the client's password by off-line exhaustive search, which is the best attack available to her.

Proof. We start from the fact that XOR realizes a (2, 2)-threshold secret sharing scheme. First, we prove the security of the password against attacker $A_1$, who obtains the stored secret $\alpha_{ij}$ of client $C$ and tries to deduce $\alpha_{i0} = H(pw, ID_C, ID_{S_i})$ for the client's password $pw$. Only if $\alpha_{i0}$ (associated with the password) is obtained can the attacker narrow down the password by checking candidates one by one through off-line exhaustive search. Now

$$\alpha_{ij} = \alpha_{i1} \oplus \beta_{i1} \oplus \beta_{i2} \oplus \cdots \oplus \beta_{i(j-2)} \oplus \beta_{i(j-1)}. \quad (2)$$

Eq. (2) shows that the secret $\alpha_{ij}$ reveals no information on the password $pw$, simply because the secret values $\alpha_{i1}$ and $\beta_{il}$ ($1 \le l \le j-1$) are completely independent of $\alpha_{i0}$.

Second, we prove the security of the password against attacker $A_2$, who obtains the stored secrets $p_{ij}$ of all the servers $S_i$ ($1 \le i \le n$) and tries to deduce $\alpha_{i0}$ for the client's password $pw$. Here

$$p_{ij} = p_{i1} \oplus \beta_{i1} \oplus \beta_{i2} \oplus \cdots \oplus \beta_{i(j-2)} \oplus \beta_{i(j-1)}. \quad (3)$$

Although the attacker gathers all of the verification data $p_{ij}$ ($1 \le i \le n$), the password is information-theoretically secure since (1) each $p_{ij}$ is a share of the respective $\alpha_{i0}$; (2) the $\beta_{il}$ ($1 \le l \le j-1$) are completely independent of one another and of $\alpha_{i0}$; and (3) the number of shares of the (2, 2)-threshold secret sharing of $\alpha_{i0}$ contained in $p_{ij}$ is 1 (only $p_{i1}$). Since each $\alpha_{i1}$ was chosen independently at random, the verification data held by different servers are also independent of one another and cannot be combined. □

As a consequence, Theorem 2 assures that the password in the LR-AKE protocol is protected from off-line attacks even if the stored secrets of either side are leaked.

If a cryptographic protocol is provably secure, one must show that the success probability of an attacker (in breaking the protocol) can be reduced to that of solving a fundamental computationally hard problem. Theorem 3 indicates that the LR-AKE protocol of Fig. 1 is provably secure in the standard model (without random oracles)^5 under the Decisional Diffie-Hellman (DDH) assumption [13], by a reduction to the DDH problem in which the client's stored secret is given to the attacker.

5 As in [11, 12].


Theorem 3 Let $P$ be the LR-AKE protocol of Fig. 1, where passwords are chosen from a dictionary of size $N$. For any attacker $A_3$ running in polynomial time $t$, with fewer than $q_{se}$ active interactions with the entities (Send queries), $q_{ex}$ passive eavesdroppings (Execute queries) and $q_{re}$ queries to the Reveal oracle, the advantage of $A_3$ in attacking the protocol $P$ is upper bounded by

$$\mathrm{Adv}^{ake}_{P}(A_3) \le \frac{2(n \cdot q_{se} + 1)}{N} + \frac{2Q}{q} + \frac{n \cdot q_{se}^2}{2^{|N|+1}} + 2(Q+1) \cdot \varepsilon_{ddh}(k_1, t') + \varepsilon_{mac}(k_2, t', Q + q_{ex} + q_{re} + 2) \quad (4)$$

where $k_1$ and $k_2$ are security parameters, $Q = q_{se} + q_{ex}$, $n$ is the number of servers and $t' = t + n \cdot t_P$ ($t_P$ being the time required for one execution of $P$ by any pair of client and server).

Here we justify the main terms in the security result. Some ways for attacker $A_3$ to break the protocol are: (1) guess a password and mount an on-line dictionary attack against client $C$ and the server $S_i$ involved in the attack; hence the term $(n \cdot q_{se} + 1)/N$; (2) forge an authentication tag $Ver$; hence the term $\varepsilon_{mac}(\cdot, \cdot, Q + q_{ex} + q_{re} + 2)$; (3) use the authentication tag to check a password guess, which requires the ability to compute $h^{p_{ij}}$ or $h^{-p_{ij}}$; hence the term $(Q+1) \cdot \varepsilon_{ddh}(\cdot, \cdot)$; and (4) find collisions on $H$; by the birthday paradox, the term $(n \cdot q_{se}^2)/2^{|N|+1}$. The remaining negligible term, $2Q/q$, comes from a very unlikely collision. Recall that on-line dictionary attacks on the password are possible only if the client's stored secret is given to the attacker; in other words, the LR-AKE protocol avoids even on-line dictionary attacks as long as the client's secret value is not leaked.

Remark 1. The advantage of attacker $A_3$ should be carefully evaluated for one password in the multiple-server scenario (1-to-$n$ setting). Since client $C$ communicates with $n$ different servers $S_i$ ($1 \le i \le n$), the success probability of on-line attacks mounted by attacker $A_3$ increases by a factor of $n$ when $n$ instances run concurrently. Nevertheless, the advantage of $A_3$ still grows at the rate $O(q_{se}/N)$:

$$\mathrm{Adv}^{ake}_{P}(A_3) \le O\!\left(\frac{n \cdot q_{se}}{N}\right) + \varepsilon(k, t') \approx O\!\left(\frac{q_{se}}{N}\right) + \varepsilon(k, t') \quad (5)$$

since the number of servers is very small relative to $N$ ($n \ll N$). If a higher level of security (e.g., exactly $O(q_{se}/N)$, as in the 2-party setting) is desirable in the LR-AKE protocol, one solution is to add one character to the alphanumeric password. This suffices for up to 64 servers in the 1-to-$n$ setting, assuming that one alphanumeric character carries 6 bits.

Time-memory trade-off techniques [8–10] reduce the time of cryptanalysis by using pre-calculated data stored in memory. The techniques are mainly used to deduce a password from its hashed value. Among [8–10], Oechslin proposed an efficient scheme [10] with which an attack on hashed values of MS-Windows passwords ($2^{37}$ candidates) was implemented: using 1.4 GB of pre-computed data, 99.9% of the hashed values of all alphanumeric passwords were cracked in 13.6 seconds.

In the initialization phase of Section 2, the pair of client and server IDs $(ID_C, ID_{S_i})$ is included in $\alpha_{i0}$ of the (2, 2)-threshold secret sharing scheme. This approach does not add to the computation time needed by the time-memory trade-off techniques in [8–10], but it drastically increases the amount of memory they require, in proportion to the size of the ID pair. Section 4.2 shows why this approach becomes more meaningful in the LR-AKE protocol. The following theorem states the security of the password against attacker $A_5$.

Theorem 4 For an attacker $A_5$ who mounts attacks using such time-memory trade-off techniques, the password in the LR-AKE protocol of Section 2 cannot be retrieved more efficiently than by off-line dictionary attacks.

Proof. The proof is straightforward, since time-memory trade-off techniques depend on the size of the input of the function attacked (e.g., the input size of the hash function $H(\cdot)$). When generating verification data in the LR-AKE protocol, the pair of client and server IDs $(ID_C, ID_S)$ is included in the input of $H(\cdot)$ in addition to the password. The longer the input, the more memory the time-memory trade-off techniques [8–10] require, which makes such attacks less efficient than (naive) off-line dictionary attacks. □

In practical terms, the ID pair plays the role of a salt: a table precomputed for one $(ID_C, ID_{S_i})$ pair is of no use against any other pair, so the precomputation has to be repeated for every client-server pair.

4.2 The LR-AKE Security of Stored-Secret Refreshment

After stored-secret refreshment is completed at time $T = T_{refresh}$, the previous secrets (from time $T < T_{refresh}$) of client and server become useless to an attacker attacking the protocol. To simplify the discussion, we assume that the secret $\alpha_{ij}$ (resp., $p_{ij}$) of client $C$ (resp., server $S_i$) is refreshed to $\alpha_{i(j+1)}$ (resp., $p_{i(j+1)}$) at $T = T_{refresh}$.

The security of the password against attacker $A_1$ or $A_2$ is the same as in Theorem 2. If attacker $A_3$, who obtained the client's stored secret $\alpha_{ij}$ at time $T < T_{refresh}$, has been mounting on-line dictionary attacks one guess at a time while impersonating the client (or the server), she can continue only until $T = T_{refresh}$. To carry on with on-line attacks after that, attacker $A_3$ would have to obtain the refreshed secret $\alpha_{i(j+1)}$ from the client. As for the security of the password against attacker $A_5$, the password can eventually be found through off-line dictionary attacks. However, if those off-line attacks finish at a time $T > T_{refresh}$, attacker $A_5$ cannot impersonate the client to server $S_i$ (or to the other servers) without the refreshed secrets ($\alpha_{i(j+1)}$ or $p_{i(j+1)}$) of client and server. This is why the third requirement of Definition 1 is needed to strengthen the security of the LR-AKE protocol.

5 Some Applications

In this section we show password refreshment, which works in a similar way to stored-secret refreshment. In addition, we give a simple solution for providing anonymity, which cannot be provided by password-only AKE protocols.


Client C                                         Server Si (i ≥ 1)

[j-th Password Refreshment]

pij = αij ⊕ H(pw, IDC, IDSi)
γij ←R {0, 1}^|N|
[αi(j+1) = γij]
                 ---- Encsk(pij ⊕ γij ⊕ γi0) ---->
                                                 [pij]
                                                 pi(j+1) = pij ⊕ pij ⊕ γij ⊕ γi0 = γij ⊕ γi0

Fig. 2. The password refreshment phase of the LR-AKE protocol, where the values enclosed in rectangles (shown in brackets above) represent the stored secrets of client and server, respectively. γi0 = H(pwnew, IDC, IDSi).

5.1 Password Refreshment

We discussed security against simultaneous leakage in Sections 4.1 and 4.2. Under simultaneous leakage, an attacker cannot break the LR-AKE protocol if the stored-secret refreshment was already done before the attacker deduces the password through off-line attacks. In such a situation, the client is forced to refresh the exposed password to a new one. In the password refreshment, the client changes his exposed password pw to a new one pwnew while refreshing the secret value αij as well as the verification data pij (see Fig. 2).

The client first recovers pij = αij ⊕ H(pw, IDC, IDSi) and picks another distinct value γij randomly chosen from {0, 1}^|N|. The client computes γi0 = H(pwnew, IDC, IDSi), where pwnew is the client's new password, and, using a symmetric encryption Encsk(·), transmits Encsk(pij ⊕ γij ⊕ γi0) to the respective server Si. On decrypting Encsk(pij ⊕ γij ⊕ γi0) with sk, server Si produces the refreshed verification data pi(j+1) for the (j+1)-th session by XORing the previous verification data pij with the decrypted value. Then the client stores the secret value γij as αi(j+1) on the mobile device and memorizes the new password pwnew (whereas the password pw may be forgotten sooner or later).
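The j-th password refreshment described above, as an added example that is not code from the paper: both sides of the exchange in Python, with SHAKE-256 standing in for H(·), a constructed nonce-based keystream standing in for the unspecified Encsk(·), and |N| assumed to be 1024 bits. The function `consistent` checks the invariant pij = αij ⊕ H(pw, IDC, IDSi) before and after the refreshment, which is also what makes the old (αij, pw) pair useless against the refreshed pi(j+1).

```python
import hashlib
import os

# Added example (not the paper's code): the j-th password refreshment of Fig. 2.
# |N| = 1024 bits is an assumption of this example.
N_BYTES = 1024 // 8
NONCE_LEN = 16


def H(pw: str, id_c: str, id_s: str) -> bytes:
    """Stand-in for H(pw, ID_C, ID_Si): SHAKE-256 over length-prefixed inputs."""
    h = hashlib.shake_256()
    for part in (pw, id_c, id_s):
        data = part.encode()
        h.update(len(data).to_bytes(2, "big") + data)
    return h.digest(N_BYTES)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(sk: bytes, msg: bytes) -> bytes:
    """Constructed stand-in for Enc_sk(.): a fresh nonce plus a SHAKE-256
    keystream bound to the session key sk (the paper leaves the cipher abstract)."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor(hashlib.shake_256(sk + nonce).digest(len(msg)), msg)


def dec(sk: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    return xor(hashlib.shake_256(sk + nonce).digest(len(body)), body)


def consistent(alpha: bytes, p: bytes, pw: str, id_c: str, id_s: str) -> bool:
    """Invariant between the client's stored secret and the server's verification data."""
    return p == xor(alpha, H(pw, id_c, id_s))


def password_refresh(sk, alpha_ij, p_ij, pw, pw_new, id_c, id_s):
    """Run the j-th password refreshment; returns (alpha_i(j+1), p_i(j+1))."""
    # Client side: recover p_ij, pick gamma_ij, derive gamma_i0 from the new password.
    if not consistent(alpha_ij, p_ij, pw, id_c, id_s):
        raise ValueError("stored secret does not match verification data")
    gamma_ij = os.urandom(N_BYTES)                     # gamma_ij <-R {0,1}^|N|
    gamma_i0 = H(pw_new, id_c, id_s)                   # gamma_i0 = H(pw_new, ID_C, ID_Si)
    ct = enc(sk, xor(xor(p_ij, gamma_ij), gamma_i0))   # Enc_sk(p_ij ^ gamma_ij ^ gamma_i0)
    alpha_next = gamma_ij                              # client stores gamma_ij as alpha_i(j+1)
    # Server side: XOR the stored p_ij onto the decrypted value -> gamma_ij ^ gamma_i0.
    p_next = xor(p_ij, dec(sk, ct))
    return alpha_next, p_next
```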

5.2 The LR-AKE Security of Password Refreshment

Owing to the password refreshment, the previous password and secrets from client and server will be useless for an attacker in attacking the protocol. In order to simplify the discussion, we assume that the password pw and the secret αij (resp., pij) of client C (resp., server Si) are refreshed to pwnew and αi(j+1) (resp., pi(j+1)) at time T = T*refresh.

The security of the password against attacker A1 or A2 is the same as in Theorem 2. If attacker A3, who obtained the stored secret (αij) of the client at time T < T*refresh, has been mounting on-line dictionary attacks one by one while impersonating the client (or the server), she can only continue doing so until T = T*refresh. At time T ≥ T*refresh, the password refreshment prevents attacker A3 from continuing on-line attacks even if the refreshed stored secret αi(j+1) from the client is given: attacker A3 has to start from scratch. As for the security of the password against attacker A5, deriving the password itself through off-line dictionary attacks at time T ≥ T*refresh is meaningless for the attacker. For a new password pwnew, attacker A5 would have to obtain the refreshed secrets (αi(j+1) and pi(j+1)) of client and server again.

5.3 Anonymity

Anonymity, i.e., concealing who is communicating with whom, is another important topic in the real world. Especially in 2-party protocols, hiding a user's identity is critical to many implementations. Most AKE protocols based on PKI can easily accomplish anonymity by encrypting the ID along with the messages. However, exposure of stored secrets (e.g., decryption keys) subsequently reveals the identity. On the contrary, password-only AKE protocols cannot even start without sending an ID over open networks.

In the LR-AKE protocol, the alternative for anonymity is simply to change the ID every time the protocol is executed. For example, suppose a client is in the j-th protocol execution with server Si (see Fig. 1). After establishing a secure channel, the client chooses a one-time ID (IDij) from {0, 1}* and sends it securely as Encsk(IDij).

6 Conclusions

In this paper, we have proposed a more compact and efficient LR-AKE protocol than [1], especially considering mobile devices with restricted computation ability and memory capacity. After explicitly defining the notion of LR-AKE security, we have shown the security of the LR-AKE protocol against possible attacks. In the LR-AKE protocol, we gave a significant countermeasure for minimizing the damage caused by the simultaneous leakage of stored secrets. Finally, we showed how resistant the LR-AKE protocol can be to simultaneous leakage by coupling the solution to attacks (using time-memory trade-off techniques) with the stored-secret refreshment. As extensions of the LR-AKE protocol, we discussed the password refreshment, its LR-AKE security, and anonymity.

References

1. S. H. Shin, K. Kobara, and H. Imai, "Leakage-Resilient Authenticated Key Establishment Protocols", In Proc. of ASIACRYPT 2003, LNCS 2894, pages 155-172. Springer-Verlag, 2003.

2. S. M. Bellovin and M. Merritt, "Encrypted Key Exchange: Password-based Protocols Secure against Dictionary Attacks", In Proc. of IEEE Symposium on Security and Privacy, pages 72-84, 1992.


3. S. M. Bellovin and M. Merritt, "Augmented Encrypted Key Exchange: A Password-Based Protocol Secure against Dictionary Attacks and Password File Compromise", In Proc. of the 1st Annual Conference on Computer and Communications Security, ACM, 1993.

4. Phoenix Technologies Inc., "Research Papers on Strong Password Authentication", available at http://www.integritysciences.com/links.html

5. A. Shamir, "How to Share a Secret", Communications of the ACM, Vol. 22(11), pages 612-613, 1979.

6. W. Diffie and M. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, Vol. IT-22(6), pages 644-654, 1976.

7. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, "Simultaneous Multiple Exponentiation", In Handbook of Applied Cryptography, pages 617-619, CRC Press, 1997.

8. M. E. Hellman, "A Cryptanalytic Time-Memory Trade-Off", IEEE Transactions on Information Theory, IT-26, pages 401-406, 1980.

9. D. E. Denning, "Cryptography and Data Security", page 100. Addison-Wesley, 1982.

10. P. Oechslin, "Making a Faster Cryptanalytic Time-Memory Trade-Off", In Proc. of CRYPTO 2003, LNCS 2729, pages 617-630. Springer-Verlag, 2003.

11. J. Katz, R. Ostrovsky, and M. Yung, "Efficient Password-Authenticated Key Exchange using Human-Memorable Passwords", In Proc. of EUROCRYPT 2001, LNCS 2045, pages 475-494. Springer-Verlag, 2001.

12. K. Kobara and H. Imai, "Pretty-Simple Password-Authenticated Key-Exchange under Standard Assumptions", IACR ePrint Archive, 2003, http://eprint.iacr.org/2003/038

13. D. Boneh, "The Decision Diffie-Hellman Problem", In Proc. of the Third Algorithmic Number Theory Symposium, 1998.