Cryptanalysis of a Communication-Efficient Three-Party Password Authenticated Key Exchange Protocol
Source: Information Sciences in review
Presenter: Tsuei-Hung Sun (孫翠鴻)
Date: 2010/10/29
Outline
• Introduction
• Motivation
• Demonstrate
• Scheme
• Security analysis
• Advantage vs. weakness
• Comment
Introduction
• Password-based Authenticated Key Exchange (PAKE) protocol
• 3PAKE (three-party model)
Chang et al.'s Protocol
(T-Y. Chang, M-S. Hwang, W-P. Yang, A Communication-Efficient Three-Party Password Authenticated Key Exchange Protocol, Information Sciences (2010), doi: 10.1016/j.ins.2010.08.032.)
Notation: $p$ is a large prime, $q$ a prime with $q \mid p-1$, $g$ a generator of the order-$q$ subgroup $G$ of $Z_p^*$, $h$ a one-way hash function, $pw_A$ and $pw_B$ the passwords A and B share with S, and $\oplus$ bitwise XOR.
Step 1. A → S: $id_A, id_B$.
Step 2. S: $e_{S1}, e_{S2} \in_R Z_q$; $R_{S1} = g^{e_{S1}} \bmod p$; $R_{S2} = g^{e_{S2}} \bmod p$. S → A: $R_{S1} \oplus pw_A$, $R_{S2} \oplus pw_B$.
Step 3. A: $R_{S1} = (R_{S1} \oplus pw_A) \oplus pw_A$; $e_A \in_R Z_q$; $R_A = g^{e_A} \bmod p$; $R_{AS1} = R_{S1}^{e_A} \bmod p$. A → B: $id_A$, $R_A$, $h(R_{AS1}, R_A, id_A, id_B)$, $R_{S2} \oplus pw_B$.
Step 4. B: $R_{S2} = (R_{S2} \oplus pw_B) \oplus pw_B$; $e_B \in_R Z_q$; $R_B = g^{e_B} \bmod p$; $R_{BS2} = R_{S2}^{e_B} \bmod p$; $K_{AB} = R_A^{e_B} \bmod p$. B → S: $h(K_{AB}, R_A)$, $R_A$, $h(R_{AS1}, R_A, id_A, id_B)$, $R_B$, $h(R_{BS2}, R_B, id_A, id_B)$.
Step 5. S: $R_{AS1} = R_A^{e_{S1}} \bmod p$; check $h(R_{AS1}, R_A, id_A, id_B) \stackrel{?}{=} h(R_{AS1}, R_A, id_A, id_B)$; $R_{BS2} = R_B^{e_{S2}} \bmod p$; check $h(R_{BS2}, R_B, id_A, id_B) \stackrel{?}{=} h(R_{BS2}, R_B, id_A, id_B)$. S → A: $R_B$, $h(K_{AB}, R_A)$, $h(R_{AS1}, R_B)$, $h(R_{BS2}, R_A)$.
Step 6. A: $K_{BA} = R_B^{e_A} \bmod p$; check $h(R_{AS1}, R_B) \stackrel{?}{=} h(R_{AS1}, R_B)$; check $h(K_{AB}, R_A) \stackrel{?}{=} h(K_{BA}, R_A)$. A → B: $h(R_{BS2}, R_A)$, $h(K_{BA}, R_B)$. B: check $h(R_{BS2}, R_A) \stackrel{?}{=} h(R_{BS2}, R_A)$; check $h(K_{BA}, R_B) \stackrel{?}{=} h(K_{AB}, R_B)$.
Session key: $SK = h(K_{AB}) = h(K_{BA}) = h(g^{e_A e_B} \bmod p, id_A, id_B)$.
Motivation
• Chang et al. use the XOR operation to achieve security, but it is vulnerable to a partition attack.
• To find a way to achieve security based on 3PAKE without the server's public key or symmetric encryption.
• This paper will prove that Chang et al.'s scheme is completely insecure and propose an improved scheme.
Demonstrate
Step 1. Wiretap a valid session and get $R_{S1} \oplus pw_A$.
Step 2. Off-line guess the password: (1) assume a password $pw_A^*$ is A's real password; (2) use $R_{S1}^* = (R_{S1} \oplus pw_A) \oplus pw_A^*$ to distinguish whether $R_{S1}^*$ is in $G$ or not. If $R_{S1}^* \in Z_p$ and $(R_{S1}^*)^q \equiv 1 \pmod p$, then $pw_A^*$ is a feasible password, with probability $q/(p+c)$; otherwise it is an infeasible password, with probability $1 - q/(p+c)$ (here $p = 2q + 1$).
Step 3. Repeat Step 2 until the range of passwords has narrowed down to a single password.
$c$: the number of possible values not in $Z_p$.
Demonstrate
• Example
$G = \{2^0 = 1, 2^1 = 2, 2^2 = 4, 2^3 = 8, 2^4 = 16, 2^5 = 9, 2^6 = 18, 2^7 = 13, 2^8 = 3, 2^9 = 6, 2^{10} = 12\}$; CD = D; D = {pw1, pw2, pw3, pw4} = {1, 2, 4, 8}
p = 23; $Z_p$ = {0, 1, …, 21, 22}; generator g = 2
Assume A's password is pw4.
True ($e_{S1} = 9$): $(g^{e_{S1}} \bmod p)_b \oplus (pw_4)_b = (00110)_b \oplus (01000)_b = (01110)_b = 14$
First partition:
$pw_1^*$: $(01110)_b \oplus (00001)_b = (01111)_b = 15 \notin G$
$pw_2^*$: $(01110)_b \oplus (00010)_b = (01100)_b = 12 \in G$
$pw_3^*$: $(01110)_b \oplus (00100)_b = (01010)_b = 10 \notin G$
$pw_4^*$: $(01110)_b \oplus (01000)_b = (00110)_b = 6 \in G$
FD = {pw2, pw4}; $\overline{FD}$ = {pw1, pw3}
Second partition ($e_{S1} = 2$; CD = FD = {pw2, pw4}):
True: $(g^{e_{S1}} \bmod p)_b \oplus (pw_4)_b = (00100)_b \oplus (01000)_b = (01100)_b = 12$
$pw_2^*$: $(01100)_b \oplus (00010)_b = (01110)_b = 14 \notin G$
$pw_4^*$: $(01100)_b \oplus (01000)_b = (00100)_b = 4 \in G$
CD = FD = {pw4}
CD: set of candidate passwords. D: space of passwords. FD: feasible passwords. $\overline{FD}$: infeasible passwords. $(m)_b$: binary representation of message m.
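The partition of the two slides above, run on the slides' own toy parameters (p = 23, q = 11, g = 2, D = {1, 2, 4, 8}) as an added Python example; this is not code from the paper under review or from Chang et al. The variant at the end is an assumption for illustration: it masks R_S1 by multiplying with the group element g^pw instead of XOR-ing with pw, standing in for the paper's elliptic-curve additive mask, to show why a mask applied inside the group leaves every candidate password feasible and gives the wiretapper nothing to partition on.

```python
from fractions import Fraction

# Toy parameters from the slides: p = 2q + 1, g generates the order-q subgroup G of Z_p^*.
P, Q, G_GEN = 23, 11, 2
NBITS = P.bit_length()          # R_S1 xor pw is handled as a 5-bit string
C = 2 ** NBITS - P              # c = 9 five-bit values fall outside Z_p
D = [1, 2, 4, 8]                # password space {pw1, pw2, pw3, pw4} from the slides


def subgroup():
    """G = {g^i mod p : 0 <= i < q}; for p = 2q+1 this is exactly {x : x^q = 1 mod p}."""
    return {pow(G_GEN, i, P) for i in range(Q)}


def in_group(x):
    """Membership test a passive observer can apply to any 5-bit candidate value."""
    return x < P and pow(x, Q, P) == 1


def feasible_fraction():
    """Fraction of 5-bit strings that lie in G, i.e. q / (p + c) from the slide."""
    return Fraction(Q, P + C)


def server_mask(e_s1, pw):
    """Value S sends to A in Step 2 of Chang et al.: R_S1 xor pw_A with R_S1 = g^{e_S1} mod p."""
    return pow(G_GEN, e_s1, P) ^ pw


def partition(masked, candidates):
    """Step 2 of the demonstration: split candidates into FD (unmask lands in G) and not-FD."""
    feasible = {pw for pw in candidates if in_group(masked ^ pw)}
    return feasible, set(candidates) - feasible


def narrow(observations, candidates=D):
    """Step 3: repeat the partition over several wiretapped sessions, keeping CD = FD."""
    cd = set(candidates)
    for masked in observations:
        cd, _ = partition(masked, cd)
    return cd


# Assumed hardened variant: mask inside the group (multiply by g^pw) instead of XOR.
def server_mask_mult(e_s1, pw):
    return pow(G_GEN, e_s1, P) * pow(G_GEN, pw, P) % P


def partition_mult(masked, candidates):
    """Same test as partition(), but unmasking is a group operation, so every candidate lands in G."""
    feasible = {pw for pw in candidates
                if in_group(masked * pow(pow(G_GEN, pw, P), -1, P) % P)}
    return feasible, set(candidates) - feasible


if __name__ == "__main__":
    # Reproduce the slides: e_S1 = 9 then e_S1 = 2, A's password pw4 = 8.
    first = server_mask(9, 8)          # 6 xor 8 = 14
    second = server_mask(2, 8)         # 4 xor 8 = 12
    print("feasible fraction q/(p+c) =", feasible_fraction())
    print("first partition :", partition(first, D))
    print("after 2 sessions:", narrow([first, second]))
    print("group-op mask   :", partition_mult(server_mask_mult(9, 8), D))
```

narrow([14, 12]) reproduces the slides: the first wiretapped value 14 leaves {2, 8} (pw2, pw4) and the second value 12 leaves {8} (pw4). With the group-operation mask, partition_mult reports all four candidates as feasible, so a wiretapped session gives the observer no partition of D.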
Scheme
Notation: $P$ is a base point of order $q$ on the elliptic curve, $PW_A$ and $PW_B$ are the password points of A and B, $H$ is a hash function, and “0”, “1”, “2” are fixed tags.
Step 1. A → S: A, B.
Step 2. S: $y_A, y_B \in_R Z_q$; $Y_A = y_A P + PW_A$; $Y_B = y_B P + PW_B$. S → A: $Y_A$, $Y_B$.
Step 3. A: $x_A \in_R Z_q$; $X_A = x_A P$; $K_{AS} = x_A (Y_A - PW_A)$; $\alpha_{AS} = H(A, S, B, X_A, Y_A, PW_A, K_{AS})$. A → B: A, $X_A$, $Y_B$, $\alpha_{AS}$.
Step 4. B: $x_B \in_R Z_q$; $X_B = x_B P$; $K_{BA} = x_B X_A$; $K_{BS} = x_B (Y_B - PW_B)$; $\alpha_{BS} = H(B, S, A, X_B, Y_B, PW_B, K_{BS})$. B → S: A, B, $X_A$, $X_B$, $\alpha_{AS}$, $\alpha_{BS}$.
Step 5. S: $K_{SA} = y_A X_A$; check $\alpha_{AS} \stackrel{?}{=} H(A, S, B, X_A, Y_A, PW_A, K_{SA})$; $K_{SB} = y_B X_B$; check $\alpha_{BS} \stackrel{?}{=} H(B, S, A, X_B, Y_B, PW_B, K_{SB})$; $\alpha_{SA} = H(A, S, B, X_A, Y_A, PW_A, K_{SA}, X_B)$; $\alpha_{SB} = H(B, S, A, X_B, Y_B, PW_B, K_{SB}, X_A)$. S → A: $X_B$, $\alpha_{SA}$, $\alpha_{SB}$.
Step 6. A: $K_{AB} = x_A X_B$; check $\alpha_{SA} \stackrel{?}{=} H(A, S, B, X_A, Y_A, PW_A, K_{AS}, X_B)$; $H_A = H(“0”, A, S, B, X_A, X_B, K_{AB})$. A → B: $\alpha_{SB}$, $H_A$. B: check $\alpha_{SB} \stackrel{?}{=} H(B, S, A, X_B, Y_B, PW_B, K_{BS}, X_A)$; check $H_A \stackrel{?}{=} H(“0”, A, S, B, X_A, X_B, K_{BA})$; $H_B = H(“1”, A, S, B, X_A, X_B, K_{BA})$. B → A: $H_B$. A: check $H_B \stackrel{?}{=} H(“1”, A, S, B, X_A, X_B, K_{AB})$.
Session key: $SK = H(“2”, A, S, B, X_A, X_B, K_{AB}) = H(“2”, A, S, B, X_A, X_B, K_{BA})$.
Security analysis
• Undetectable on-line guessing attack
• Off-line guessing attack
• Forward security of session key
Advantage vs. weakness
• Advantage
– Using the elliptic curve cryptography (ECC) additive operation to replace the XOR operator, so that an attacker cannot distinguish feasible from infeasible passwords.
– ECC can achieve the same level of security with a smaller key size.
– It is applicable in low-resource environments, like smart cards or mobile units.
– Easily notated authenticators ($\alpha_{AS}, \alpha_{BS}, \alpha_{SA}, \alpha_{SB}, H_A, H_B$)
• Weakness
– Computing time and computational complexity are greater than with XOR.
Comment
• This paper uses elliptic curves to replace Chang et al.'s XOR. Is the performance of this paper better than Chang et al.'s scheme?
• The partition attack mentioned in Demonstrate is something like a brute-force attack, which is not an efficient attack.
• The related work about Chang et al.'s scheme, from notation to step statements, is the same as in Chang et al.'s paper.