
In this chapter, we have proposed an efficient ElGamal-Extension encryption scheme and showed that it is secure in the IND-CCA2 sense in the random oracle model. Not only does the proposed scheme provide a higher security level, but the encryption and decryption in the proposed scheme are also computationally more efficient than those in the ElGamal encryption scheme and Fujisaki-Okamoto's scheme when the plaintext is large enough.

Furthermore, we design a new IND-CPA-PAIR goal to demonstrate the security of the ElGamal-Extension encryption scheme when using only two random numbers. There is a question as to whether IND-CPA-PAIR accurately demonstrates this security; there may be a more suitable pair goal and adversary model for doing so. It is conjectured that involving the decryption oracle, which provides the adversary with plaintext-ciphertext cryptanalysis training as in IND-CCA and IND-CCA2 (say, IND-CCA-PAIR and IND-CCA2-PAIR), does not give the adversary any undue advantage.

If we give the decryption oracle a different position in IND-CCA-PAIR and IND-CCA2-PAIR, the results and the advantage given to the adversary may differ. For example, what are the effects if the decryption oracle is placed after the adversary obtains the plaintext-ciphertext pair and before she sends x0, x1? Future work will undertake to answer these and other questions.

Chapter 5

Password Authenticated Key Exchange Protocols

5.1 Introduction

The rapid growth of networks in both number and size encourages more and more computers to link together for sharing various kinds of data and exchanging huge amounts of information. Two parties need to encrypt and authenticate their messages in order to protect the privacy and authenticity of these messages. One way of doing so is to use public key encryption and signatures, but these need the support of a Public Key Infrastructure (PKI). The cost associated with these primitives may be too high for certain applications. Furthermore, Law et al. [51] proposed the MQV protocol, which is still protected under the PKI. Smart [75] and Yi [86] further proposed identity-based authenticated key exchange protocols based on the Weil pairing to obtain lower communication overhead and less computational complexity. However, these approaches still involve certificate management, cryptographic computation, and the additional communication overhead caused by the digital signature.

Another way of addressing this problem is for users to first establish a common secret key via a key exchange protocol such as the Diffie-Hellman key exchange protocol and then use this key to derive keys for symmetric encryption and message authentication schemes. However, the secret key established from the key exchange protocol must be authenticated first; otherwise, the channel between the users is not safe. For example, the Diffie-Hellman key exchange protocol suffers from the man-in-the-middle attack.
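As an added illustration of the two points above (deriving a symmetric key from a Diffie-Hellman exchange, and why the unauthenticated exchange is exposed to a man-in-the-middle), the following Python code is not from the thesis and is not one of the protocols it discusses. It assumes a toy safe-prime group (p = 1019, chosen for readability, not security), uses SHA-256 as a stand-in for a key derivation function, and adds a password-keyed HMAC over the transcript as the authentication step so that a substituted public value is detected by the honest parties.

```python
"""Diffie-Hellman key agreement, the effect of an active man-in-the-middle,
and a password-keyed transcript check that lets the parties detect it.
Illustrative example only; not one of the protocols discussed in the text."""
import hashlib
import hmac
import secrets

# Toy safe-prime group, an assumption for readability: p = 2q + 1 with q = 509,
# and g = 4 generates the order-q subgroup. A real deployment uses a standardized
# large group; with p this small, discrete logarithms are trivial.
P, Q, G = 1019, 509, 4


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """Derive a 32-byte symmetric key from the DH secret (hash as KDF stand-in)."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(8, "big")).digest()


def honest_exchange():
    """Both parties see each other's true public values and derive one key."""
    a, pub_a = dh_keypair()
    b, pub_b = dh_keypair()
    return dh_shared(a, pub_b), dh_shared(b, pub_a)


def relayed_exchange():
    """An active relay substitutes its own public value in both directions.
    Alice and Bob each finish with a key, but each key is shared with the relay,
    not with each other. Returns (alice_key, bob_key, relay_key_a, relay_key_b)."""
    a, pub_a = dh_keypair()
    b, pub_b = dh_keypair()
    m, pub_m = dh_keypair()
    alice_key = dh_shared(a, pub_m)   # Alice received pub_m in place of pub_b
    bob_key = dh_shared(b, pub_m)     # Bob received pub_m in place of pub_a
    return alice_key, bob_key, dh_shared(m, pub_a), dh_shared(m, pub_b)


def confirm_tag(password, pub_a, pub_b, key):
    """Key-confirmation tag: HMAC keyed with the shared password over the
    transcript (Alice's value, Bob's value) and the derived key."""
    transcript = b"%d|%d" % (pub_a, pub_b)
    return hmac.new(password.encode(), transcript + key, hashlib.sha256).digest()


def authenticated_exchange(password, tamper=False):
    """Run the exchange, then have Bob send a confirmation tag that Alice checks
    against her own view of the transcript. Returns True if Alice accepts.
    With tamper=True the public values are substituted in transit, so the two
    views of the transcript differ and the tag check fails."""
    a, pub_a = dh_keypair()
    b, pub_b = dh_keypair()
    if tamper:
        _, pub_m = dh_keypair()
        pub_a_seen_by_bob, pub_b_seen_by_alice = pub_m, pub_m
    else:
        pub_a_seen_by_bob, pub_b_seen_by_alice = pub_a, pub_b
    alice_key = dh_shared(a, pub_b_seen_by_alice)
    bob_key = dh_shared(b, pub_a_seen_by_bob)
    bob_tag = confirm_tag(password, pub_a_seen_by_bob, pub_b, bob_key)
    alice_expected = confirm_tag(password, pub_a, pub_b_seen_by_alice, alice_key)
    return hmac.compare_digest(bob_tag, alice_expected)


if __name__ == "__main__":
    k1, k2 = honest_exchange()
    print("honest run, keys agree:", k1 == k2)
    print("tampered run detected:", not authenticated_exchange("s3cret", tamper=True))
```

The confirmation tag is keyed directly with the password, so anyone who records the transcript can test candidate passwords against the tag off-line; this naive fix therefore trades the man-in-the-middle problem for exactly the off-line dictionary attack that the password-based protocols in the following sections are designed to rule out.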

There are many types of key exchange protocols currently in use. They all have their own strengths and weaknesses. One of the most popular protocols is the 3-party Kerberos authentication system [77]. The Internet Key Exchange (IKE) protocol uses the 2-party SIGMA protocol [48] as a standard for signature-based modes. Password-based protocols are another type of key exchange system that has received attention recently.

PASSWORD-BASED AUTHENTICATED KEY EXCHANGE. Password-based authenticated key exchange (PAKE) protocols are the most widely used methods. They assume a more realistic scenario in which the common secret shared by two parties is not uniformly distributed over a large space, but rather chosen from a small set of possible values (a four-digit PIN, for example). This is more convenient since human-memorable passwords are simpler to use and require no additional cryptographic devices. In practice, people hardly find long random strings easy to use and remember as passwords. It would be much more user-friendly if the password were a meaningful string that people can recognize easily, such as a natural language phrase. However, human-memorable passwords narrow down the possibilities and make it easier for an adversary to succeed in guessing the password with non-negligible probability, the so-called dictionary (password guessing) attack. Dictionary attacks are attacks in which an adversary tries to break the security of a scheme by brute force, trying all possible passwords in a given small set of values (i.e., the dictionary). Dictionary attacks are usually divided into two categories: off-line and on-line dictionary attacks.

The goal of password-based key exchange protocols is to restrict the adversary's success to on-line dictionary attacks only. In these attacks, the adversary must be present and interact with the system in order to verify whether its guess is correct. The system can detect on-line guessing by counting the failed trials. If a certain number of failed attempts has occurred, the use of the password is invalidated or blocked.
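The failed-trial counting described above, as an added Python example that is not part of the thesis: a small password store that keeps a salted PBKDF2 hash, counts consecutive wrong guesses, and blocks the password once the threshold is reached, so an on-line guesser can check only a bounded number of dictionary entries. The threshold of three failures, the PBKDF2 work factor and the record layout are assumptions chosen for this example.

```python
"""Counting failed password trials to bound on-line guessing. Illustrative
example; the threshold and KDF parameters are assumptions, not from the text."""
import hashlib
import hmac
import os


class PasswordStore:
    MAX_FAILURES = 3          # assumed lockout threshold
    KDF_ITERATIONS = 50_000   # assumed PBKDF2 work factor
    SALT_LEN = 16

    def __init__(self):
        self._records = {}    # user -> {salt, hash, failures, locked}

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.KDF_ITERATIONS)

    def register(self, user, password):
        """Store a salted PBKDF2 hash, never the password itself."""
        salt = os.urandom(self.SALT_LEN)
        self._records[user] = {"salt": salt, "hash": self._derive(password, salt),
                               "failures": 0, "locked": False}

    def verify(self, user, password):
        """Return "ok", "bad_password" or "locked".

        Every wrong guess is counted; once MAX_FAILURES consecutive failures have
        occurred the password is blocked, so an on-line guesser gets at most
        MAX_FAILURES trials per lockout rather than the whole dictionary.
        A correct login resets the counter."""
        rec = self._records.get(user)
        if rec is None:
            # Unknown user: run the KDF anyway so timing does not reveal which
            # usernames exist, then fail like any other wrong guess.
            self._derive(password, b"\x00" * self.SALT_LEN)
            return "bad_password"
        if rec["locked"]:
            return "locked"
        candidate = self._derive(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= self.MAX_FAILURES:
            rec["locked"] = True
        return "bad_password"

    def failures(self, user):
        """Current consecutive-failure count for a registered user."""
        return self._records[user]["failures"]

    def reset(self, user):
        """Out-of-band reset (e.g. by an administrator or a password change)."""
        rec = self._records[user]
        rec["failures"], rec["locked"] = 0, False


def trials_before_lockout(store, user, candidates):
    """Count how many candidate passwords an on-line guesser can actually have
    checked against `user` before the store stops answering (the bound that the
    failure counter enforces)."""
    checked = 0
    for word in candidates:
        result = store.verify(user, word)
        if result == "locked":
            break
        checked += 1
        if result == "ok":
            break
    return checked


if __name__ == "__main__":
    store = PasswordStore()
    store.register("alice", "correct horse battery staple")
    print("guesses checked before lockout:",
          trials_before_lockout(store, "alice", ["w%d" % i for i in range(10)]))
```

Two practical caveats: a hard lockout of this kind lets anyone who knows a username deny service to its owner, which is why deployed systems usually combine the counter with delays or per-source throttling rather than a permanent block; and the counter does nothing against off-line guessing, so the key exchange protocol itself must leak nothing that can be tested against a dictionary without interacting with the system.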

PASSWORD-BASED AUTHENTICATED KEY EXCHANGE IN THE 3-PARTY SETTING. In large-scale communication environments, similar to the disadvantage of symmetric cryptosystems in Section 2.1, password management can be a tough task. Assume that a communication network has n users, and any two of them exchange a key via the 2-party key exchange protocol. Then there will be n(n − 1)/2 passwords to be shared, and all those passwords have to be stored securely. Many works [37, 38, 50, 78] have extended the 2-party key exchange protocol into 3-party applications, in which a trusted server S exists to mediate between the two communicating parties A and B to allow their mutual authentication. In this way, any user only needs to share a password with the server. This is particularly well suited to large-scale communication environments.

A natural generic construction of a 3-party PAKE protocol from any 2-party PAKE protocol was presented by Abdalla, Fouque, and Pointcheval [4]. In this thesis, we focus on the 2-party PAKE and present a protected password change (PPC) protocol. If the use of a password has had a certain number of failed attempts, the users can arbitrarily change their passwords via the PPC protocol.

5.2 Related Work

Password-based authenticated key exchange (PAKE) has been extensively studied in the last few years. The seminal work in this area is the encrypted key exchange protocol proposed by Bellovin and Merritt [16], which is an encrypted version of the Diffie-Hellman key exchange protocol. In their protocol, each flow is encrypted using the password shared between the two users as the symmetric key.

On the other hand, by using a pre-shared password technique along with the Diffie-Hellman scheme, Seo and Sweeney [70] proposed a PAKE protocol without any symmetric or asymmetric cryptosystems. Two online parties (a client C and a server S) can use the pre-shared password technique to authenticate each other and apply the Diffie-Hellman scheme to establish a session key. Sun [80], Tseng [81] and Lu, Lee, and Hwang [54] separately showed that the Seo-Sweeney PAKE protocol is insecure under the threat of the replay attack and the off-line dictionary attack. At the same time, Lin, Chang, and Hwang [53] and Tseng [81] separately proposed improvements on the Seo-Sweeney PAKE protocol to withstand these attacks. However, Hsieh, Sun, and Hwang [42] have pointed out that the Lin-Chang-Hwang scheme is still vulnerable to the off-line dictionary attack.

On the other hand, Ku and Wang [49] have also shown that Tseng's scheme is vulnerable to the backward replay attack [36] and the forged authenticator attack, and they gave an improvement on Tseng's scheme at the same time.

Unfortunately, the above schemes and their improvements lack a proper security model. The first security model for 2-party authenticated key exchange protocols was introduced by Bellare and Rogaway [11]. Later, Bellare et al. [10] and Boyko et al. [20] separately extended the security model to the password-based setting, with security analyses of the above 2-party password-based key exchange under idealized assumptions, such as the random oracle and the ideal cipher models. Furthermore, some 2-party PAKE protocols [32, 34, 46] are provably secure in the standard model. For the 3-party setting, the first work in this area is the protocol of Needham and Schroeder [60], which inspired the Kerberos distributed system. Later, Bellare and Rogaway [14] introduced a formal security model in this scenario along with a construction of the first provably secure symmetric-key-based key distribution scheme. Recently, the first provably secure 3-party PAKE protocol was proposed by Abdalla, Fouque, and Pointcheval [4], which defines a new notion called key privacy. That is, even though the server's help is required to establish a session key between two users in the system, the server should not be able to gain any information on the value of that session key. In [4], they called their new and stronger model the Real-Or-Random (ROR) model and Bellare et al.'s model the Find-Then-Guess (FTG) model. It is worth pointing out that, as proven in [4], any scheme that is proven secure in the ROR model is also secure in the FTG model. The converse, however, is not necessarily true due to the non-tightness of the security reduction.

In Section 5.4, we examine some PAKE-related schemes [49, 53, 70, 81] and mount a forged authenticator attack on those schemes to successfully cheat the two parties into believing in a wrong session key. Table 5.1 below summarizes the security of all those schemes. Recently, Yeh and Sun [85], and Kobara and Imai [47], have also combined the pre-shared password technique and the Diffie-Hellman scheme to achieve the same purpose that the PAKE protocol intends. Both schemes can withstand the attacks shown in Table 5.1 and provide perfect forward secrecy [45]. Lee et al. [52] further proposed a parallel version of the Yeh-Sun scheme, in which the two parties compute their messages simultaneously during the protocol. In fact, the scheme still needs one of the two parties to send out the request message first before the other knows to prepare the reply message. Hence, the protocol is not truly parallel.

On the other hand, some schemes additionally provide protected password change (PPC) protocols, which allow a client to change its password freely. However, we point out that the Tseng-Jan-Chien [82] and the Hwang-Yeh [43] schemes are vulnerable to the forged authenticator attack; that is, any adversary can intercept the request for changing passwords sent by a legal client and modify it with a wrong password along with a forged authenticator.

In Chapter 6, we shall present a simpler authenticated key exchange protocol by modifying the Yeh-Sun scheme [85]. This scheme is proven secure when the symmetric-encryption primitive is instantiated via a mask generation function that is the product of the message with a hash of the password.

Table 5.1: Summary of related schemes in PAKE

                                        Seo-Sweeney [70]    Tseng [81]                Lin et al. [53]     Ku-Wang [49]
Withstand Man-in-Middle Attack          Yes                 Yes                       Yes                 Yes
Withstand Dictionary Attack             *No [54, 80]        *No [Section 5.4]         *No [42]            *No [Section 5.4]
Withstand Replay Attack                 *No [81]            Yes                       Yes                 Yes
Withstand Backward Replay Attack        *No [49]            *No [49]                  Yes                 Yes
Withstand Forged Authenticator Attack   *No [Section 5.4]   *No [49], [Section 5.4]   *No [Section 5.4]   *No [Section 5.4]
Provide Perfect Forward Secrecy         *No [80]            Yes                       Yes                 *No [Section 5.4]

*No [reference]: [reference] points out that the scheme cannot withstand the attack / achieve perfect forward secrecy.

At the same time, we shall also present a new protected password change protocol which, unlike the previously proposed schemes [47, 49, 53, 70, 81, 85] where the parties cannot arbitrarily change their own passwords, offers users the freedom of changing passwords at will. The proposed PAKE and PPC schemes are formally proven using Bellare, Pointcheval and Rogaway's security model [10].
