
Attacks on Some Password Authenticated Key Exchange Protocols

Here we give the notation used throughout this chapter.

κ  The cryptographic security parameter.

G  A finite cyclic group of order q, where |q| = κ; g is a generator of G and is assumed to be included in the description of G.

C, S  The communicating parties, a client C and a server S.

$id_C$  C's identity, which must be unique because it indexes the verifier table stored in the server's database.

$id_S$  S's identity, which must be unique to identify the server.

pw  C's password, secretly shared with S.

⊕  The exclusive-or operator.

A → B : ⟨m⟩  The message m sent from A to B.

SK  The session key.

G(·), H(·)  Two secure one-way hash functions.

In the following we show that several password authenticated key exchange protocols are insecure; we give only the attacks and their analysis, not repairs.

The Tseng Scheme

We review the Tseng scheme [81] as follows. The scheme has a predetermined way to derive two integers $Q \in Z_q$ and $Q^{-1} \in Z_q$ from the password pw; both are secretly shared between C and S. This amounts to applying a hash function G that maps pw into $Z_q$, i.e. $Q = G(pw)$. The protocol consists of two phases, the key establishment phase and the key verification phase, as follows:

Key Establishment Phase

Step 1. C → S: $\langle id_C, X_1 \rangle$

C chooses $a \in_R Z_q$ and computes $X_1 = g^{aQ}$. Then C sends $id_C$ and $X_1$ to S.

Step 2. S → C: $\langle id_S, Y_1 \rangle$

After receiving C's message, S chooses $b \in_R Z_q$ and computes $Y_1 = g^{bQ}$. Then S sends $id_S$ and $Y_1$ to C.

Step 3. After receiving S's message, C computes $Y = Y_1^{Q^{-1}} = g^b$ and $SK_C = Y^a = g^{ab}$.

Step 4. After receiving C's message, S computes $X = X_1^{Q^{-1}} = g^a$ and $SK_S = X^b = g^{ab}$.

Key Verification Phase

Step 5. C → S: $\langle id_C, Y \rangle$

C sends $id_C$ and Y to S.

Step 6. S → C: $\langle id_S, X \rangle$

S sends $id_S$ and X to C.

Step 7. S checks whether $Y = g^b$ holds, and C checks whether $X = g^a$ holds.

If both checks hold, C and S are convinced that they share the common session key $SK = g^{ab}$.

Ku and Wang [49] have shown that the Tseng scheme is vulnerable to a backward replay attack and a forged authenticator attack, and they proposed an improved version of the Seo-Sweeny scheme [70]. However, we present another forged authenticator attack on the Tseng scheme, and this attack also breaks the Ku-Wang scheme and the related schemes [53, 70].

We further show that the Tseng scheme and the Ku-Wang scheme are vulnerable to an off-line dictionary attack.

FORGED AUTHENTICATOR ATTACK. An adversary A tries to fool C and S into accepting different session keys in the Tseng scheme. A first prepares a value $e \in Z_q$ and its inverse $e^{-1} \in Z_q$. In the key establishment phase, upon seeing $X_1$ sent by C in Step 1, A replaces it with $X_1' = X_1^e = g^{aQe}$. Then C performs Step 3 and S performs Steps 2 and 4, so C and S separately obtain the session keys $SK_C = Y^a = g^{ab}$ and $SK_S = X'^b = g^{abe}$, where $Y = Y_1^{Q^{-1}} = g^b$ and $X' = X_1'^{Q^{-1}} = g^{ae}$. Next they verify these keys. After receiving Y in Step 5, S finds that the check $Y = g^b$ holds in Step 7, so S believes that it and C have agreed on a common session key. Upon seeing $X'$ sent by S in Step 6, A replaces it with $X = X'^{e^{-1}} = g^a$. The check $X = g^a$ then holds in Step 7 on C's side, so C also believes that it and S have agreed on a common session key. However, $SK_C = g^{ab}$ is not equal to $SK_S = g^{abe}$.

OFF-LINE DICTIONARY ATTACK. A tries to recover the secret values Q and $Q^{-1}$ shared between C and S by mounting an off-line dictionary attack. A first intercepts $X_1 = g^{aQ}$ sent by C in Step 1 and, masquerading as S, sends $Y_1 = g^e$ in Step 2 for a value e of its own choice. C computes $Y = Y_1^{Q^{-1}} = g^{eQ^{-1}}$ and $SK_C = Y^a = g^{eQ^{-1}a}$, and in Step 5 sends Y to S. After intercepting Y, A can test a guessed password $pw'$ by computing $Q' = G(pw')$ and checking whether $Y^{Q'} = g^e$ holds, because for the correct guess $Y^{Q} = Y_1^{Q^{-1}Q} = g^e$. Every candidate in the dictionary can be tested this way without any further interaction with C or S.

The Ku-Wang Scheme

The forged authenticator attack presented above on the Tseng scheme also threatens the security of the Ku-Wang scheme, and the off-line dictionary attack succeeds against their scheme as well. The key establishment phase of the Ku-Wang scheme is the same as that of the Tseng scheme, so we only briefly review the key verification phase, which is where the two schemes differ.

Key Verification Phase

Step 5. C → S: $\langle id_C, K_C \rangle$

C computes $K_C = SK_C^{\,Q} = g^{abQ}$. Then C sends $id_C$ and $K_C$ to S.

Step 6. S → C: $\langle id_S, X \rangle$

When $K_C$ is received, S checks whether $K_C^{\,Q^{-1}} = SK_S$ holds. If it holds, S believes that it has obtained the correct $X_1$ and that C has obtained the correct $Y_1$. Then S sends $id_S$ and X to C.

Step 7. When X is received, C checks whether $X = g^a$ holds. If it holds, C believes that it has obtained the correct $Y_1$ and that S has obtained the correct $X_1$.

FORGED AUTHENTICATOR ATTACK. A performs the same steps in the key establishment phase as described above. In the key verification phase, upon seeing $K_C$ sent by C in Step 5, A replaces it with $K_C' = K_C^{\,e} = g^{abQe}$. Since $K_C'^{\,Q^{-1}} = g^{abe} = SK_S$, the check in Step 6 holds and S will believe that it has obtained the correct $X_1$ and that C has obtained the correct $Y_1$. Then S sends $X' = g^{ae}$ to C. A replaces it with $X = X'^{e^{-1}} = g^a$. The check $X = g^a$ in Step 7 holds, which makes C believe that it has obtained the correct $Y_1$ and that S has obtained the correct $X_1$. However, $SK_C = g^{ab}$ is not equal to $SK_S = g^{abe}$.

In fact, the forged authenticator attack can easily be mounted against the related password-based schemes [53, 70] as well. All of these schemes share the same weakness: an adversary can raise the value sent by C in the key establishment phase to some exponent e, and then use the inverse $e^{-1}$ in the key verification phase to turn the value returned by S back into the original one. Both sides' checks pass, yet C and S hold different session keys.

OFF-LINE DICTIONARY ATTACK. For the same reason, A performs the same steps in the key establishment phase of the Ku-Wang scheme, masquerading as S with $Y_1 = g^e$. In the key verification phase, C computes $K_C = SK_C^{\,Q} = (g^{eQ^{-1}a})^{Q} = g^{ae}$ and sends it to S in Step 5. After intercepting $K_C$, A can test a guessed password $pw'$ by computing $Q' = G(pw')$ and checking whether $K_C = (X_1^{\,Q'^{-1}})^e$ holds, because for the correct guess $(X_1^{\,Q^{-1}})^e = (g^a)^e = g^{ae}$.

In both schemes, if the password pw is poorly chosen, the adversary can determine Q or $Q^{-1}$ by using these equations to verify each guessed password. Moreover, in the Ku-Wang scheme, once the password is compromised an old session key can be recovered from a recorded $K_C$ by computing $K_C^{\,Q^{-1}} = SK_C = g^{ab}$. Therefore their scheme does not provide perfect forward secrecy.

We have presented a forged authenticator attack and an off-line dictionary attack that subvert the security of the Tseng scheme and the Ku-Wang scheme. As shown, the Ku-Wang scheme is weak against both attacks; moreover, the forged authenticator attack also breaks the related PAKE schemes [53, 70].
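The attacks above on the Tseng scheme and the Ku-Wang scheme, carried out in working code as an added example (this is not code from the thesis or from the cited papers). It assumes a DSA-style group, namely the order-q subgroup of $Z_p^*$ with $q = 2^{61} - 1$ and $p = kq + 1$ found by a short primality search at import time; $Q = G(pw)$ realised as SHA-256(pw) reduced into $Z_q^*$; and a small constructed dictionary. Each function returns what the attacker can observe, so the two outcomes can be checked directly: both verification checks pass while the session keys differ, and only the true password survives the off-line test.

```python
"""Forged authenticator and off-line dictionary attacks on the Tseng and
Ku-Wang key agreement schemes.  Added example; not code from the thesis.

Assumptions (not in the text): a DSA-style group, i.e. the order-q subgroup
of Z_p^* with q = 2^61 - 1 (a Mersenne prime) and p = k*q + 1 found by a
short search; Q = G(pw) realised as SHA-256(pw) reduced into Z_q^*; a
constructed 6-word dictionary for the off-line attack.
"""
import hashlib
import secrets


def is_prime(n):
    """Miller-Rabin with the first 12 prime bases (deterministic below ~3e23)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


q = 2**61 - 1                       # prime group order (assumption: Mersenne prime M61)
k = 2
while not is_prime(k * q + 1):      # p = k*q + 1 with k even, so that p is odd
    k += 2
p = k * q + 1
g = next(h for h in (pow(b, k, p) for b in range(2, 50)) if h != 1)  # element of order q

DICT = ["123456", "password", "letmein", "correct horse", "qwerty", "dragon"]  # constructed


def G_pw(pw):
    """Q = G(pw): a password-derived exponent in Z_q^* (never 0, so Q^-1 exists)."""
    return 1 + int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big") % (q - 1)


def rand_exp():
    return secrets.randbelow(q - 1) + 1


def tseng_forged_authenticator(pw, e):
    """A raises X1 to e in Step 1 and undoes it on X in Step 6.
    Returns (S's check passes, C's check passes, keys agree)."""
    Q, Qinv, einv = G_pw(pw), pow(G_pw(pw), -1, q), pow(e, -1, q)
    a, b = rand_exp(), rand_exp()
    X1 = pow(g, a * Q % q, p)                     # Step 1: C -> S, X1 = g^{aQ}
    X1f = pow(X1, e, p)                           # A: X1' = X1^e = g^{aQe}
    Y1 = pow(g, b * Q % q, p)                     # Step 2: S -> C, Y1 = g^{bQ}
    Y = pow(Y1, Qinv, p)                          # Step 3: Y = g^b
    SK_C = pow(Y, a, p)                           #         SK_C = g^{ab}
    Xf = pow(X1f, Qinv, p)                        # Step 4: X' = g^{ae}
    SK_S = pow(Xf, b, p)                          #         SK_S = g^{abe}
    s_ok = Y == pow(g, b, p)                      # Steps 5/7: S checks Y = g^b
    X = pow(Xf, einv, p)                          # A: X = X'^{e^-1} = g^a
    c_ok = X == pow(g, a, p)                      # Steps 6/7: C checks X = g^a
    return s_ok, c_ok, SK_C == SK_S


def tseng_offline(pw, dictionary, e):
    """A impersonates S with Y1 = g^e; C's Step-5 value Y = g^{e Q^-1} is tested
    against each guess pw' via Y^{G(pw')} == g^e.  Returns the surviving guesses."""
    Y = pow(pow(g, e, p), pow(G_pw(pw), -1, q), p)
    target = pow(g, e, p)
    return [cand for cand in dictionary if pow(Y, G_pw(cand), p) == target]


def kuwang_forged_authenticator(pw, e):
    """Same trick against Ku-Wang: K_C' = K_C^e satisfies S's check K_C'^{Q^-1} = SK_S."""
    Q, Qinv, einv = G_pw(pw), pow(G_pw(pw), -1, q), pow(e, -1, q)
    a, b = rand_exp(), rand_exp()
    X1f = pow(pow(g, a * Q % q, p), e, p)         # A's modified Step-1 value g^{aQe}
    Y = pow(pow(g, b * Q % q, p), Qinv, p)        # C recovers g^b
    SK_C = pow(Y, a, p)                           # g^{ab}
    Xf = pow(X1f, Qinv, p)                        # S: X' = g^{ae}
    SK_S = pow(Xf, b, p)                          # g^{abe}
    K_Cf = pow(pow(SK_C, Q, p), e, p)             # A: K_C' = (SK_C^Q)^e = g^{abQe}
    s_ok = pow(K_Cf, Qinv, p) == SK_S             # Step 6 check passes
    c_ok = pow(Xf, einv, p) == pow(g, a, p)       # Step 7 check passes after A's fix-up
    return s_ok, c_ok, SK_C == SK_S


def kuwang_offline(pw, dictionary, e):
    """With Y1 = g^e from A, C sends K_C = SK_C^Q = g^{ae}; A tests
    K_C == (X1^{G(pw')^-1})^e for each guess."""
    Q, a = G_pw(pw), rand_exp()
    X1 = pow(g, a * Q % q, p)
    SK_C = pow(pow(pow(g, e, p), pow(Q, -1, q), p), a, p)   # g^{e Q^-1 a}
    K_C = pow(SK_C, Q, p)                                    # g^{ae}
    return [c for c in dictionary
            if pow(pow(X1, pow(G_pw(c), -1, q), p), e, p) == K_C]
```

Both off-line functions need only the passive transcript plus one forged Step-2 message; no on-line guess is ever sent to the real server, which is what makes the attack undetectable by lockout counters.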

The Tseng-Jan-Chien Scheme

We first briefly review the Tseng-Jan-Chien protected password change protocol [82] and then show how the forged authenticator attack works against it. In the system, the server stores, for each client C with identity $id_C$ and password pw, the verifier $v\_idpw = H(id_C, pw)$ in its database.

The protected password change scheme works as follows:

Step 1. C → S: $\langle id_C, C\_idpw \rangle$

C chooses a random number $c \in_R Z_q$ and computes $r_c = g^c$. Then it computes $C\_idpw = H(id_C, pw) \oplus r_c$ and sends it along with $id_C$ to S.

Step 2. S → C: $\langle id_S, S\_idpw, S\_auth\_token \rangle$

S first recovers $r_c$ from $C\_idpw$ by computing $C\_idpw \oplus v\_idpw$. Then S chooses a random number $s \in_R Z_q$ and computes $r_s = g^s$ and $r_{cs} = r_c^{\,s} = g^{cs}$. Next, S computes $S\_idpw = v\_idpw \oplus r_s$ and $S\_auth\_token = H(v\_idpw, r_{cs}, r_c)$, and sends them together with $id_S$ to C.

Step 3. C → S: $\langle id_C, C\_auth\_token, C\_new\_idpw \rangle$

C first recovers $r_s$ from $S\_idpw$ by computing $S\_idpw \oplus H(id_C, pw)$. Then it computes $r_{cs} = r_s^{\,c} = g^{sc}$ and uses it together with its own $H(id_C, pw)$ and $r_c$ to compute $H(H(id_C, pw), r_{cs}, r_c)$, which it compares with the received $S\_auth\_token$. If they match, C computes $C\_auth\_token = H(H(id_C, pw), r_{cs}, r_s)$. Then C chooses a new password $new\_pw$ and computes

$C\_new\_idpw = H(id_C, new\_pw) \oplus H(H(id_C, pw), r_{cs})$.

Finally, C sends $\langle id_C, C\_auth\_token, C\_new\_idpw \rangle$ to S.

Step 4. S uses its own $v\_idpw$, $r_{cs}$ and $r_s$ to compute $H(v\_idpw, r_{cs}, r_s)$ and compares it with the received $C\_auth\_token$. If they match, S recovers $H(id_C, new\_pw)$ from $C\_new\_idpw$ by computing

$H(id_C, new\_pw) = C\_new\_idpw \oplus H(v\_idpw, r_{cs})$

and then stores $v\_idpw = H(id_C, new\_pw)$ in the database.

The difference between the protected password transmission scheme and the protected password change scheme is that in the latter C additionally sends $C\_new\_idpw$ to S in order to change its password. In the following we show that the Tseng-Jan-Chien protected password change scheme is vulnerable to the forged authenticator attack; that is, any adversary can intercept a password change request sent by a legitimate client and replace the new password with a wrong one.

FORGED AUTHENTICATOR ATTACK. Note that C sends $\langle id_C, C\_auth\_token, C\_new\_idpw \rangle$ to S in Step 3, and that $C\_auth\_token$ and $C\_new\_idpw$ serve, respectively, to let the server authenticate the client and to let it obtain $H(id_C, new\_pw)$. However, because the two fields are independent of each other, the adversary can replace $C\_new\_idpw$ with a random number $r_a$. After receiving $\langle id_C, C\_auth\_token, r_a \rangle$, S checks the validity of $C\_auth\_token$.

Since $C\_auth\_token$ was generated by the legitimate client, S accepts it. Then S computes $r_a \oplus H(v\_idpw, r_{cs})$ and stores $v\_idpw = r_a \oplus H(v\_idpw, r_{cs})$ in the database.

Unfortunately, the client is mistakenly convinced that it has successfully changed its old password pw to the new password $new\_pw$. When the client next tries to log in, the server's stored $v\_idpw$ no longer equals $H(id_C, new\_pw)$, so S recovers a wrong $r_c$ in Step 2 and the client cannot recover $r_s$ from $S\_idpw$ by computing $S\_idpw \oplus H(id_C, new\_pw)$; consequently it cannot compute $C\_auth\_token$ correctly. The server therefore concludes that the client is illegitimate, and the client cannot log in, nor change its password again, since doing so requires a successful authentication.
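The forged authenticator attack on the password change, together with the failed login that follows, as an added example that is not the authors' code. It assumes a toy safe prime $p = 1019$, $q = 509$ and $g = 4$ (a generator of the order-509 subgroup), H realised as SHA-256 over its arguments, and group elements XORed with digests as 32-byte big-endian integers. The `bind_new_pw` option is an illustration of my own rather than a fix proposed on this page: it makes $C\_auth\_token$ also cover $C\_new\_idpw$, which is exactly the binding whose absence the attack exploits.

```python
"""Tseng-Jan-Chien protected password change: honest run, the forged
authenticator attack, the failed login that follows, and an illustrative
hardened variant.  Added example; not code from the thesis or the paper.

Assumptions (not in the text): toy safe prime p = 1019 = 2*509 + 1 with
g = 4 generating the order-509 subgroup; H = SHA-256 over its '|'-separated
arguments; group elements are XORed with digests as 32-byte big-endian ints.
bind_new_pw is my own hardening for contrast, not a proposal on this page:
it makes C_auth_token also cover C_new_idpw.
"""
import hashlib
import secrets

p, q, g = 1019, 509, 4


def H(*parts):
    h = hashlib.sha256()
    for x in parts:
        h.update(x if isinstance(x, bytes) else str(x).encode())
        h.update(b"|")
    return h.digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def enc(n):
    """Group element -> 32-byte string so it can be XOR-masked with a digest."""
    return n.to_bytes(32, "big")


def dec(b):
    return int.from_bytes(b, "big")


def change_password(db, idC, pw, new_pw, tamper=None, bind_new_pw=False):
    """One run of the protected password change.  `tamper` is applied by the
    adversary to C_new_idpw in transit.  Returns (server_accepted, client_accepted)."""
    # Step 1: C -> S  <idC, C_idpw>
    c = secrets.randbelow(q - 1) + 1
    r_c = pow(g, c, p)
    C_idpw = xor(H(idC, pw), enc(r_c))
    # Step 2: S -> C  <idS, S_idpw, S_auth_token>
    v_idpw = db[idC]
    r_c_srv = dec(xor(C_idpw, v_idpw))           # equals r_c only if v_idpw == H(idC, pw)
    s = secrets.randbelow(q - 1) + 1
    r_s = pow(g, s, p)
    r_cs_srv = pow(r_c_srv, s, p)
    S_idpw = xor(v_idpw, enc(r_s))
    S_auth = H(v_idpw, r_cs_srv, r_c_srv)
    # Step 3: C -> S  <idC, C_auth_token, C_new_idpw>
    r_s_cli = dec(xor(S_idpw, H(idC, pw)))
    r_cs_cli = pow(r_s_cli, c, p)
    if H(H(idC, pw), r_cs_cli, r_c) != S_auth:
        return False, False                      # C rejects S; nothing more is sent
    C_new_idpw = xor(H(idC, new_pw), H(H(idC, pw), r_cs_cli))
    auth_in = (C_new_idpw,) if bind_new_pw else ()
    C_auth = H(H(idC, pw), r_cs_cli, r_s_cli, *auth_in)
    if tamper is not None:
        C_new_idpw = tamper(C_new_idpw)          # adversary swaps the unauthenticated field
    # Step 4: S verifies C_auth_token and updates the verifier
    srv_in = (C_new_idpw,) if bind_new_pw else ()
    if H(v_idpw, r_cs_srv, r_s, *srv_in) != C_auth:
        return False, True
    db[idC] = xor(C_new_idpw, H(v_idpw, r_cs_srv))
    return True, True


def verifier_ok(db, idC, pw):
    return db[idC] == H(idC, pw)


def demo():
    """Returns (honest, attacked, login_after_attack, hardened) outcome tuples."""
    garbage = lambda _field: secrets.token_bytes(32)      # the adversary's r_a
    db = {"alice": H("alice", "old-pw")}
    honest = change_password(db, "alice", "old-pw", "new-pw") + (verifier_ok(db, "alice", "new-pw"),)
    db = {"alice": H("alice", "old-pw")}
    attacked = change_password(db, "alice", "old-pw", "new-pw", tamper=garbage)
    # both sides accepted, but the stored verifier is r_a XOR H(v_idpw, r_cs) ...
    login_after = change_password(db, "alice", "new-pw", "new-pw")   # ... so the next run fails at Step 3
    db = {"alice": H("alice", "old-pw")}
    hardened = change_password(db, "alice", "old-pw", "new-pw", tamper=garbage, bind_new_pw=True)
    return honest, attacked, login_after, hardened


if __name__ == "__main__":
    print(demo())   # ((True, True, True), (True, True), (False, False), (False, True))
```

The login after the attack is modelled as a run of the same protocol with the change field set to the current password (the transmission scheme differs from the change scheme only by that field). It fails at the client's Step-3 check because the server's $S\_auth\_token$ is now computed over the garbage verifier, so the client never even reaches the server-side rejection described above.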

The Hwang-Yeh Scheme

The difference from the Tseng scheme and the Ku-Wang scheme is that the Hwang-Yeh scheme [43] employs a public key cryptosystem. However, the Hwang-Yeh password change scheme still has a security flaw.

Any adversary can intercept a password change request sent by a legitimate user and replace the new password with a wrong one. As a result, the user will not be able to log in to the server next time.

The main difference between the Hwang-Yeh password transmission scheme and the password change scheme is that in the latter the client sends a password change request to the server. In the system, the server stores $v\_pw = H(pw)$ instead of pw for each client in its database. Here we present only the password change scheme.

Step 1. C → S: $\langle id_C, C\_cipher \rangle$

C encrypts a random number $r_c$ together with pw under the server's public key $PK_S$, obtaining $C\_cipher = E_{PK_S}(r_c, pw)$, and sends it with $id_C$ as a login request to S.

Step 2. S → C: $\langle id_S, S\_auth\_token, S\_rs \rangle$

S decrypts $C\_cipher$ with its private key to obtain $r_c$ and pw. Then it computes the hash value $H(pw)$ and checks whether $H(pw) = v\_pw$ holds. If it holds, S chooses a random number $r_s$ and computes $S\_auth\_token = r_s \oplus r_c$ and $S\_rs = H(r_s)$. Then S sends $\langle id_S, S\_auth\_token, S\_rs \rangle$ to C.

Step 3. C → S: $\langle id_C, C\_auth\_token, C\_new\_pw \rangle$

C retrieves $r_s$ by computing $S\_auth\_token \oplus r_c$ and verifies that the retrieved $r_s$ is consistent with the received $S\_rs$, i.e. that $H(r_s) = S\_rs$. If so, C chooses a new password $new\_pw$ and computes $C\_auth\_token = H(r_c, r_s)$ and $C\_new\_pw = H(new\_pw) \oplus H(r_c + 1, r_s)$. Finally, C sends $\langle id_C, C\_auth\_token, C\_new\_pw \rangle$ to S.

Step 4. S → C: access granted or access denied

S computes the hash value $H(r_c, r_s)$ and checks whether $H(r_c, r_s) = C\_auth\_token$ holds. If it holds, S obtains $H(new\_pw)$ by computing $C\_new\_pw \oplus H(r_c + 1, r_s)$ and stores $v\_pw = H(new\_pw)$ in the database.

Clearly, by employing a public key cryptosystem on the server's side to protect the transmitted password, Hwang and Yeh have effectively avoided the guessing attack and the server spoofing attack that threatened the Peyravian-Zunic schemes. However, we show that the Hwang-Yeh scheme is still vulnerable to the forged authenticator attack, as follows.

FORGED AUTHENTICATOR ATTACK. Upon seeing $\langle id_C, C\_auth\_token, C\_new\_pw \rangle$ sent by C in Step 3, the adversary A replaces $C\_new\_pw$ with a random number $r_a$. After receiving $\langle id_C, C\_auth\_token, r_a \rangle$, S first computes the hash value $H(r_c, r_s)$ and checks whether $H(r_c, r_s) = C\_auth\_token$ holds. Since $C\_auth\_token$ was computed by C, and does not depend on $C\_new\_pw$, the server's check succeeds. Then S computes $r_a \oplus H(r_c + 1, r_s)$ and stores $v\_pw = r_a \oplus H(r_c + 1, r_s)$ in place of $H(pw)$ in the database.

However, C is under the impression that it has successfully changed its old password pw to the new password $new\_pw$. When the client next logs in to S, it sends $\langle id_C, C\_cipher = E_{PK_S}(r_c, new\_pw) \rangle$ in Step 1. In Step 2, S decrypts the message with its private key to obtain $r_c$ and $new\_pw$, computes the hash value $H(new\_pw)$ and checks whether $H(new\_pw) = v\_pw$ holds. But $H(new\_pw)$ is not equal to $v\_pw$, because $v\_pw = r_a \oplus H(r_c + 1, r_s)$, so the server rejects the client's login request.

Chapter 6

Simple Password Authenticated Key Exchange and Protected Password Change Protocols

6.1 Password Authenticated Key Exchange Protocol

In this chapter we present a simple password authenticated key exchange (PAKE) protocol obtained by modifying the Yeh-Sun scheme [85]. The scheme is proven secure when the symmetric-encryption primitive is instantiated as a mask generation function, namely the product of the message with a hash of the password. We also present a new protected password change (PPC) protocol which, unlike the previously proposed schemes [47, 49, 53, 70, 81, 85] in which the parties cannot arbitrarily change their own passwords, lets users change their passwords at will. The proposed PAKE protocol is formally proven secure in the Bellare-Pointcheval-Rogaway security model; the security proof proceeds by reduction. We use the following notation throughout this chapter.

G  A finite cyclic group of order q, where |q| = κ; g is a generator of G and is assumed to be included in the description of G.

C, S  The communicating parties, a client C and a server S.

$id_C$  C's identity, which must be unique because it indexes the verifier table stored in the server's database.

$id_S$  S's identity, which must be unique to identify the server.

pw  C's password, secretly shared with S.

A → B : ⟨m⟩  The message m sent from A to B.

SK  The session key.

$\mathcal{G}$  A full-domain hash from $\{0,1\}^*$ into G.

$H_i$  Two hash functions from $\{0,1\}^*$ to $\{0,1\}^{\kappa}$, for i = 0, 1.

The parties initially share a low-entropy password pw. The password authenticated key exchange protocol then runs as in Figure 6.1 and is described as follows.

Step 1. C → S: $\langle id_C, R_C^* \rangle$

C chooses a random number $c \in_R Z_q$, computes $R_C = g^c$ and $R_C^* = R_C \times PW$, where $PW = \mathcal{G}(pw)$. Then C sends $\langle id_C, R_C^* \rangle$ to S.

Step 2. S → C: $\langle id_S, R_S, Auth_S \rangle$

After receiving $\langle id_C, R_C^* \rangle$, S recovers $R_C$ by computing $R_C^*/PW$. Then S chooses a random number $s \in_R Z_q$, computes $R_S = g^s$, $K_S = R_C^{\,s} = g^{cs}$ and $Auth_S = H_1(K_S, R_C)$, and sends $\langle id_S, R_S, Auth_S \rangle$ to C.

Step 3. C → S: $\langle id_C, Auth_C \rangle$

After receiving $\langle id_S, R_S, Auth_S \rangle$, C computes $K_C = R_S^{\,c} = g^{sc}$ and verifies whether the received $Auth_S$ equals $H_1(K_C, R_C)$. If it does, C computes $Auth_C = H_1(K_C, R_S)$ and sends $\langle id_C, Auth_C \rangle$ to S.

Step 4. After receiving $Auth_C$, S verifies whether it equals $H_1(K_S, R_S)$. If it does, S and C agree on the common session key $SK = H_0(K_C) = H_0(K_S) = H_0(g^{cs})$.

Figure 6.1: An execution of the protocol PAKE (message flow between Client C and Server S)

6.2 Protected Password Change Protocol

Assume that C wants to change its old password pw to a new password newpw. C and S follow these steps, illustrated in Figure 6.2.

Step 1*. C → S: $\langle id_C, R_C^*, R_C^{**} \rangle$

C chooses a random number $c \in_R Z_q$, computes $R_C = g^c$, $R_C^* = R_C \times PW$ and $R_C^{**} = R_C \times NPW$, where $NPW = \mathcal{G}(newpw)$. Then C sends $\langle id_C, R_C^*, R_C^{**} \rangle$ to S.

Step 2*. S → C: $\langle id_S, R_S, Auth_S \rangle$

After receiving $\langle id_C, R_C^*, R_C^{**} \rangle$, S recovers $R_C = R_C^*/PW$ and $NPW = R_C^{**}/R_C$ (as specified in Figure 6.5). Then S chooses a random number $s \in_R Z_q$, computes $R_S = g^s$, $K_S = R_C^{\,s} = g^{cs}$ and $Auth_S = H_1(K_S, R_C, NPW)$, and sends $\langle id_S, R_S, Auth_S \rangle$ to C.

Step 3*. C → S: $\langle id_C, Auth_C \rangle$

After receiving $\langle id_S, R_S, Auth_S \rangle$, C computes $K_C = R_S^{\,c} = g^{sc}$ and verifies whether the received $Auth_S$ equals $H_1(K_C, R_C, NPW)$. If it holds, C computes $Auth_C = H_1(K_C, R_S)$ and sends it to S.

Step 4*. After receiving $\langle id_C, Auth_C \rangle$, S verifies whether it equals $H_1(K_S, R_S)$. If it does, C has successfully changed its old password pw to the new password newpw, and S replaces PW with NPW in its database. At the same time, S and C agree on the common session key $SK = H_0(K_S) = H_0(K_C)$.

Figure 6.2: An execution of the protocol PPC (message flow between Client C and Server S)
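Both protocols of this chapter in code, as an added example that is not the thesis's own implementation. It assumes toy parameters (the safe prime $p = 1019$, $q = 509$, $g = 4$ generating the order-q subgroup, chosen so the arithmetic is hand-checkable, not for security), $\mathcal{G}$ realised by hashing into $[2, p-2]$ and squaring so the result lands in the subgroup, and $H_i$ as SHA-256 with a one-byte domain separator. It runs PAKE, runs PPC and checks that the server's verifier becomes NPW, and shows that the forged-authenticator style edit of $R_C^*$ from the previous chapter (here, multiplying the masked value by g) is caught at the client's $Auth_S$ check instead of producing mismatched keys, because $Auth_S$ commits to the $R_C$ the server actually unmasked.

```python
"""The PAKE (Figure 6.1) and PPC (Figure 6.2) protocols of this chapter, as an
added example; not the thesis's implementation.

Assumptions (not in the text): toy safe prime p = 1019 = 2*509 + 1, q = 509,
g = 4 generating the order-q subgroup; the full-domain hash G is SHA-256
reduced into [2, p-2] and squared (so it lands in the subgroup); H_i is
SHA-256 with a one-byte domain separator i, truncated to 16 bytes.
"""
import hashlib
import secrets

p, q, g = 1019, 509, 4


def Gfd(x):
    """Full-domain hash {0,1}* -> order-q subgroup (squaring maps into QR_p)."""
    h = 2 + int.from_bytes(hashlib.sha256(x.encode()).digest(), "big") % (p - 3)
    return pow(h, 2, p)


def Hi(i, *parts):
    return hashlib.sha256(bytes([i]) + "|".join(str(x) for x in parts).encode()).digest()[:16]


def inv(x):
    return pow(x, -1, p)


class Server:
    def __init__(self, pw):
        self.PW = Gfd(pw)          # S stores PW = G(pw), never pw itself
        self.state = None

    def step2(self, alpha, beta=None):
        """Send2: unmask R_C (and NPW for a PPC run), pick s, answer with R_S, Auth_S."""
        RC = alpha * inv(self.PW) % p
        NPW = beta * inv(RC) % p if beta is not None else None
        s = secrets.randbelow(q - 1) + 1
        RS, KS = pow(g, s, p), pow(RC, s, p)
        AuthS = Hi(1, KS, RC) if NPW is None else Hi(1, KS, RC, NPW)
        self.state = (RS, KS, NPW)
        return RS, AuthS

    def step4(self, AuthC):
        """Send4: check Auth_C; on success install NPW (PPC) and output SK."""
        RS, KS, NPW = self.state
        if AuthC != Hi(1, KS, RS):
            return None
        if NPW is not None:
            self.PW = NPW
        return Hi(0, KS)


def client_run(server, pw, newpw=None, tamper=None):
    """Client side of PAKE (newpw None) or PPC.  `tamper` models an adversary
    rewriting R_C^* in transit.  Returns (SK at S, SK at C), or None if C aborts."""
    c = secrets.randbelow(q - 1) + 1
    RC = pow(g, c, p)
    alpha = RC * Gfd(pw) % p                       # R_C^*  = R_C x PW
    beta = RC * Gfd(newpw) % p if newpw else None  # R_C^** = R_C x NPW
    if tamper is not None:
        alpha = tamper(alpha)
    RS, AuthS = server.step2(alpha, beta)
    KC = pow(RS, c, p)
    expected = Hi(1, KC, RC) if newpw is None else Hi(1, KC, RC, Gfd(newpw))
    if AuthS != expected:
        return None                                # Auth_S binds R_C: tampering is caught here
    return server.step4(Hi(1, KC, RS)), Hi(0, KC)


def demo():
    """Returns (PAKE keys agree, PPC keys agree, verifier updated,
    login with new password works, result of the tampered run)."""
    srv = Server("hunter2")
    pake = client_run(srv, "hunter2")
    ppc = client_run(srv, "hunter2", newpw="tr0ub4dor")
    relogin = client_run(srv, "tr0ub4dor")
    srv2 = Server("hunter2")
    tampered = client_run(srv2, "hunter2", tamper=lambda a: a * g % p)   # edit R_C^* in transit
    return (pake[0] == pake[1], ppc[0] == ppc[1], srv.PW == Gfd("tr0ub4dor"),
            relogin is not None and relogin[0] == relogin[1], tampered)
```

Multiplying $R_C^*$ by g makes the server unmask $R_C \cdot g$ rather than $R_C$, so its $Auth_S$ is computed over a value the client never used; the client aborts before sending $Auth_C$, and the server never accepts, which is the property the mutual authentication proof relies on.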

6.3 Security Analysis

In this section we show that the scheme is provably secure in the random oracle model. We employ and simplify the security model of [10] to formally prove the security of PAKE and PPC in the random oracle model. The PAKE protocol distributes session keys that are semantically secure and provides mutual authentication. Figure 6.3 shows the initialization of both protocols.

Figures 6.4 and 6.5 show, respectively, how instances of the PAKE and PPC protocols behave in response to messages (that is, how they run the PAKE and PPC protocols).

Before the protocols are run, each oracle sets $ACC(U_i) \leftarrow TERM(U_i) \leftarrow$ false and $SK(U_i) \leftarrow SID(U_i) \leftarrow PID(U_i) \leftarrow$ null.

AKE Security. We denote the AKE advantage of A in attacking PAKE and PPC by $Adv^{AKE}_{PAKE,Dict}(A)$ and $Adv^{AKE}_{PPC,Dict}(A)$, respectively; the advantages are taken over all coin tosses. The advantage of A in distinguishing the session key is given by

$Adv^{AKE}_{PAKE,Dict}(A) = 2 \cdot \Pr[Succ] - 1$, $\quad Adv^{AKE}_{PPC,Dict}(A) = 2 \cdot \Pr[Succ] - 1$.

Protocols PAKE and PPC are AKE-secure if $Adv^{AKE}_{PAKE,Dict}(A)$ and $Adv^{AKE}_{PPC,Dict}(A)$, respectively, are negligible.

Initialize($1^{\kappa}$)

- Select a finite cyclic group G of prime order q with g as a generator, where |q| = κ.

- Hash functions: $H_i : \{0,1\}^* \to \{0,1\}^{\kappa}$ for i = 0, 1, and $\mathcal{G} : \{0,1\}^* \to G$.

- A client C holds a password pw, with pw ∈ Dict.

- A server S holds the hash value PW of pw: $PW \leftarrow \mathcal{G}(pw)$.

Figure 6.3: Specification of protocol initialization

Computational Diffie-Hellman Assumption. A $(t, \varepsilon)$-$CDH_{g,G}$ attacker, in a finite cyclic group G of prime order q with g as a generator, is a probabilistic machine Δ running in time t whose success probability $Succ^{CDH}_{g,G}(\Delta)$ of outputting $g^{xy}$, given random elements $g^x$ and $g^y$, is at least ε:

$Succ^{CDH}_{g,G}(\Delta) = \Pr[\Delta(g^x, g^y) = g^{xy}] \geq \varepsilon$.

We denote by $Succ^{CDH}_{g,G}(t)$ the maximal success probability over all adversaries running within time t. The computational Diffie-Hellman assumption states that $Succ^{CDH}_{g,G}(t) \leq \varepsilon$ for any t/ε that is not too large.

Theorem 9. Let A be an adversary against the AKE-security of the PAKE protocol within a time bound t, making at most $q_s$ Send queries and $q_h$ hash queries. Then

$Adv^{AKE}_{PAKE,Dict}(t, q_s, q_h) \leq D_{pw}(q_s) + q_s \cdot q_h \cdot Succ^{CDH}_{g,G}(t_1) + \dfrac{q_s}{2^{\kappa}}$,

where $t_1$ is the running time of the CDH attacker obtained from A.

Execute-queries Execute($C^i$, $S^j$)

1. Send1($C^i$, start)
   $c \in_R Z_q$, $R_C \leftarrow g^c$, $R_C^* \leftarrow R_C \times PW$, msg-out1 $\leftarrow \langle id_C, R_C^* \rangle$, internal-state$^i_C \leftarrow \langle c, R_C \rangle$
   return msg-out1

2. Send2($S^j$, $m_1$)
   $\langle ID_I, \alpha \rangle \leftarrow m_1$, $R_C \leftarrow \alpha / PW$, $s \in_R Z_q$, $R_S \leftarrow g^s$, $K_S \leftarrow R_C^{\,s}$, $Auth_S \leftarrow H_1(K_S, R_C)$, msg-out2 $\leftarrow \langle id_S, R_S, Auth_S \rangle$, internal-state$^j_S \leftarrow \langle R_S, K_S \rangle$
   return msg-out2

3. Send3($C^i$, $m_2$)
   $\langle ID_I, R_S, Auth_S \rangle \leftarrow m_2$, $\langle c, R_C \rangle \leftarrow$ internal-state$^i_C$, $K_C \leftarrow R_S^{\,c}$
   if $H_1(K_C, R_C) = Auth_S$ then
      $Auth_C \leftarrow H_1(K_C, R_S)$, msg-out3 $\leftarrow \langle id_C, Auth_C \rangle$,
      $SK(C^i) \leftarrow H_0(K_C)$, $SID(C^i) \leftarrow \langle$ msg-out1, $m_2$, msg-out3 $\rangle$, $PID(C^i) \leftarrow id_S$, $ACC(C^i) \leftarrow TERM(C^i) \leftarrow$ true
   else msg-out3 $\leftarrow *$
   return msg-out3

4. Send4($S^j$, $m_3$)
   $\langle ID_I, Auth_C \rangle \leftarrow m_3$, $\langle R_S, K_S \rangle \leftarrow$ internal-state$^j_S$
   if $H_1(K_S, R_S) = Auth_C$ then
      $SK(S^j) \leftarrow H_0(K_S)$, $SID(S^j) \leftarrow \langle m_1$, msg-out2 $\rangle$, $PID(S^j) \leftarrow id_C$, $ACC(S^j) \leftarrow TERM(S^j) \leftarrow$ true
   return null

Figure 6.4: Specification of protocol PAKE

Execute-queries Execute($C^i$, $S^j$)

1. Send1($C^i$, start)
   $c \in_R Z_q$, $R_C \leftarrow g^c$, $R_C^* \leftarrow R_C \times PW$, $NPW \leftarrow \mathcal{G}(newpw)$, $R_C^{**} \leftarrow R_C \times NPW$, msg-out1 $\leftarrow \langle id_C, R_C^*, R_C^{**} \rangle$, internal-state$^i_C \leftarrow \langle c, R_C, NPW \rangle$
   return msg-out1

2. Send2($S^j$, $m_1$)
   $\langle ID_I, \alpha, \beta \rangle \leftarrow m_1$, $R_C \leftarrow \alpha / PW$, $NPW \leftarrow \beta / R_C$, $s \in_R Z_q$, $R_S \leftarrow g^s$, $K_S \leftarrow R_C^{\,s}$, $Auth_S \leftarrow H_1(K_S, R_C, NPW)$, msg-out2 $\leftarrow \langle id_S, R_S, Auth_S \rangle$, internal-state$^j_S \leftarrow \langle R_S, K_S, NPW \rangle$
   return msg-out2

3. Send3($C^i$, $m_2$)
   $\langle ID_I, R_S, Auth_S \rangle \leftarrow m_2$, $\langle c, R_C, NPW \rangle \leftarrow$ internal-state$^i_C$, $K_C \leftarrow R_S^{\,c}$
   if $H_1(K_C, R_C, NPW) = Auth_S$ then
      $Auth_C \leftarrow H_1(K_C, R_S)$, msg-out3 $\leftarrow \langle id_C, Auth_C \rangle$,
      $SK(C^i) \leftarrow H_0(K_C)$, $SID(C^i) \leftarrow \langle$ msg-out1, $m_2$, msg-out3 $\rangle$, $PID(C^i) \leftarrow id_S$, $ACC(C^i) \leftarrow TERM(C^i) \leftarrow$ true
   else msg-out3 $\leftarrow *$
   return msg-out3

4. Send4($S^j$, $m_3$)
   $\langle ID_I, Auth_C \rangle \leftarrow m_3$, $\langle R_S, K_S, NPW \rangle \leftarrow$ internal-state$^j_S$
   if $H_1(K_S, R_S) = Auth_C$ then
      $PW \leftarrow NPW$,
      $SK(S^j) \leftarrow H_0(K_S)$, $SID(S^j) \leftarrow \langle m_1$, msg-out2 $\rangle$, $PID(S^j) \leftarrow id_C$, $ACC(S^j) \leftarrow TERM(S^j) \leftarrow$ true
   return null

Figure 6.5: Specification of protocol PPC

Proof. There are two ways in which A might successfully attack the AKE-security of the PAKE protocol. First, A might obtain the long-lived key and impersonate C or S by mounting a password guessing attack. Second, A might directly obtain the session key by solving the CDH problem.

In the following we analyze the probability of these two cases one by one; while analyzing one case, the other is assumed to occur with some known probability.

Dictionary Attacks: C and S choose $c \in_R Z_q$ and $s \in_R Z_q$ independently at random, which implies that $R_C$ and $R_S$ are uniformly random group elements. Hence, A observes
