Security Proof
5.1 Other security issues
The traditional off-line dictionary attacks are mounted by a passive adversary who eavesdrops on protocol messages and then goes off-line to perform the password search. In this section we consider another kind of off-line dictionary attack, which we call the active dictionary attack. This attack happens when the adversary impersonates the client (server) and communicates with the server (client). The adversary then obtains the messages from the server (client) and tries to mount an off-line dictionary attack using the received information.
We consider an adversary that impersonates the server and communicates with an honest client in our ST-PAKE protocol. The adversary can mount the active dictionary attack by the following steps.
1. The adversary guesses a password $\pi'$ and computes $\gamma' = g^{u'} = g^{h_0(C, \pi')}$.
2. In the first flow, the adversary chooses a random $y'$ and sends $Y' = g^{y'}$ to the client.
3. In the second flow, the client responds with $X^*$ and $V_C$ to the adversary.
4. The adversary computes $V_C' = H_0(C, S, X^*, Y', (X^*/\gamma')^{y'}, \gamma')$ and compares it with $V_C$.
5. The adversary repeats steps 1 to 4 until he finds a password $\pi'$ such that $V_C' = V_C$.
We can see that the adversary mounts an active attack and obtains password-dependent information from an honest client. He can then try all possible passwords and verify them in private using the received information. This is a successful off-line dictionary attack.
The active dictionary attacks can be partitioned into two cases: the adversary impersonates the client, or the adversary impersonates the server. Which case applies depends on whether the first authentication value is sent by the client or by the server. If the first authentication value is sent by the client, then the adversary can try to impersonate the server.
ST-PAKE falls into this case, because the first authentication value $V_C$ is sent by the client. The adversary can obtain this value and mount the dictionary attack.
We modify ST-PAKE into ST-PAKE-A, which resists the active dictionary attack. In the first flow, the server sends $Y^* = Y \oplus \gamma$ instead of $Y$, and the client computes $Y = Y^* \oplus \gamma$ after receiving $Y^*$. This modification ensures that the server must know $\gamma$; otherwise he cannot mount the active dictionary attack successfully. He can eliminate at most one candidate password from consideration per Send query. The complete ST-PAKE-A is shown in Figure 5.1.
Figure 5.1: The complete ST-PAKE-A protocol (message flows between Client(C) and Server(S); the figure itself is not reproduced in this extract).
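The following simulation is an added illustration and is not code from the thesis. It models the five steps above in a deliberately simplified way so the effect of the ST-PAKE-A masking can be observed: an honest client answers one session with an impersonating server, and the impersonator then runs the off-line check of step 4 over a small constructed dictionary. The toy group ($\mathbb{Z}_P^*$ with a 61-bit prime), the form $X^* = g^x \gamma$ of the client's masked ephemeral value, the key term $(X^*/\gamma')^{y'}$, and $\oplus$ taken as XOR on the integer encodings are all assumptions of this model, not definitions from the protocol figures. The adversary is modelled as knowing only its own exponent $y'$ and never solving discrete logarithms, which is exactly the capability the text assumes.

```python
import hashlib
import secrets

# Toy group parameters, constructed for illustration only (far too small
# and unstructured for real use): Z_P^* with generator candidate G.
P = 2**61 - 1
G = 3


def h0(c, pw):
    """u = h_0(C, pi): hashes the client name and password to an exponent."""
    digest = hashlib.sha256(f"{c}|{pw}".encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1)


def verifier(c, pw):
    """gamma = g^{h_0(C, pi)}, the value the server stores for client C."""
    return pow(G, h0(c, pw), P)


def H0(c, s, xstar, y, k, gamma):
    """H_0(C, S, X*, Y, K, gamma): the client's authentication value."""
    return hashlib.sha256(f"{c}|{s}|{xstar}|{y}|{k}|{gamma}".encode()).hexdigest()


def client_second_flow(c, s, pw, first_flow, masked):
    """Honest client, second flow, in the simplified model.

    masked=False: ST-PAKE, the server's value is Y itself.
    masked=True:  ST-PAKE-A, the server's value is Y* = Y xor gamma and the
                  client recovers Y = Y* xor gamma.
    X* = g^x * gamma is an assumed form of the client's masked ephemeral.
    """
    gamma = verifier(c, pw)
    Y = first_flow ^ gamma if masked else first_flow
    x = secrets.randbelow(P - 2) + 1
    xstar = (pow(G, x, P) * gamma) % P
    K = pow(Y, x, P)  # equals g^{xy} only when Y is the value the peer chose
    return xstar, H0(c, s, xstar, Y, K, gamma)


def impersonating_server_session(c, s, pw, dictionary, masked):
    """One session in which the adversary plays the server (steps 1-3),
    followed by the off-line check of steps 4-5 over the whole dictionary.

    Returns the dictionary entries the off-line check accepts. The adversary
    binds a single guess, dictionary[0], into the first flow; it knows only
    its own exponent y' and never solves discrete logarithms.
    """
    committed = dictionary[0]
    y_adv = secrets.randbelow(P - 2) + 1
    Y_adv = pow(G, y_adv, P)
    first_flow = Y_adv ^ verifier(c, committed) if masked else Y_adv
    xstar, v_c = client_second_flow(c, s, pw, first_flow, masked)

    accepted = []
    for cand in dictionary:
        gamma_c = verifier(c, cand)
        # The Y the client would have derived if cand were its password.
        y_seen = first_flow ^ gamma_c if masked else Y_adv
        # (X*/gamma')^{y'} is computable from y_adv alone ...
        k_c = pow(xstar * pow(gamma_c, -1, P) % P, y_adv, P)
        # ... but it matches the client's Y^x only when y_seen == Y_adv,
        # i.e. only for the guess that was committed into the first flow.
        if H0(c, s, xstar, y_seen, k_c, gamma_c) == v_c:
            accepted.append(cand)
    return accepted


if __name__ == "__main__":
    # Constructed dictionary; the true password is "correct horse".
    words = ["letmein", "hunter2", "correct horse", "qwerty"]
    print("ST-PAKE   off-line check accepts:",
          impersonating_server_session("alice", "srv", "correct horse", words, False))
    print("ST-PAKE-A off-line check accepts:",
          impersonating_server_session("alice", "srv", "correct horse", words, True))
```

With `masked=False` the single transcript lets the off-line loop single out the true password from the whole dictionary, which is the attack described in steps 1 to 5. With `masked=True` the loop accepts nothing unless the guess committed into the first flow was already correct, so each session tests exactly one candidate, matching the "at most one candidate password per Send query" bound stated for ST-PAKE-A.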
5.2 Comparison
The comparison with other protocols is given in Figure 5.2. Only the asymmetric protocols are compared. We consider three factors: the number of flows, the number of exponentiations executed by the client, and the number of exponentiations executed by the server.
The mentioned protocols are all completed in three or four rounds.
We can see that AMP [Wu98] is the most efficient protocol because it has the lowest computational overhead overall, but it does not have a formal security proof. TP-AMP [Kwo04] removes one round from the original four-round AMP and gives a formal security proof. Our protocol is slightly less efficient than TP-AMP and the same as SRP [Wu98]. PAK-Y [Mac02] uses the Schnorr signature for authentication, so it needs more exponentiations for the signature. SCWL07 [SCWL07] is a PAKE protocol without public information: all public information, such as the prime, the group and the generator, is chosen by the client and sent to the server in the first flow, so this protocol is less efficient than the other PAKE protocols.
The above protocols are all triggered by the client, whereas our protocol is triggered by the server. This is the feature that most distinguishes it from the others.
Protocol           Number of flows   Number of Exp. (client)   Number of Exp. (server)   Security proof   Triggering side
AMP [Wu98]         4                 2                         3                         No               client
SRP [Kwo01]        4                 3                         3                         No               client
PAK-Y [Mac02]      3                 5                         3                         No               client
TP-AMP [Kwo04]     3                 2                         3                         Yes              client
SCWL07 [SCWL07]    4                 4                         5                         Yes              client
ST-PAKE            3                 3                         3                         Yes              server
Figure 5.2: Comparison of PAKEs.
Chapter 6 Conclusion
In this paper, we propose a practical server-triggered password-based authenticated key exchange protocol. Unlike most previous protocols, in our scheme the server generates the short-term information first. This feature is useful in the client-server communication architecture. We also consider the active dictionary attack and give an improved version that resists it. Furthermore, we provide a formal security proof of our scheme under the CDH assumption and the S-CDH assumption in the random oracle model.
Bibliography
[AP05] Michel Abdalla and David Pointcheval. Simple password-based encrypted key exchange protocols. In Alfred Menezes, editor, CT-RSA, volume 3376 of Lecture Notes in Computer Science, pages 191–208. Springer, 2005.
[BCP03] Emmanuel Bresson, Olivier Chevassut, and David Pointcheval. Security proofs for an efficient password-based key exchange. In Sushil Jajodia, Vijayalakshmi Atluri, and Trent Jaeger, editors, ACM Conference on Computer and Communications Security, pages 241–250. ACM, 2003.
[BCP04] Emmanuel Bresson, Olivier Chevassut, and David Pointcheval. New security results on encrypted key exchange. In Feng Bao, Robert H. Deng, and Jianying Zhou, editors, Public Key Cryptography, volume 2947 of Lecture Notes in Computer Science, pages 145–158. Springer, 2004.
[BM92] Steven M. Bellovin and Michael Merritt. Encrypted key exchange: Password-based protocols secure against dictionary attacks. In IEEE Computer Society Symposium on Research in Security and Privacy, May 1992, Oakland, CA, pages 72–84, 1992.
[BM93] Steven M. Bellovin and Michael Merritt. Augmented encrypted key exchange: A password-based protocol secure against dictionary attacks and password file compromise. In ACM Conference on Computer and Communications Security, pages 244–250, 1993.
[BM03] Colin Boyd and Anish Mathuria. Protocols for Authentication and Key Establishment. Springer-Verlag Berlin Heidelberg New York, 2003.
[BMP00] Victor Boyko, Philip D. MacKenzie, and Sarvar Patel. Provably secure password-authenticated key exchange using Diffie-Hellman. In EUROCRYPT, pages 156–171, 2000.
[BPR00] Mihir Bellare, David Pointcheval, and Phillip Rogaway. Authenticated key exchange secure against dictionary attacks. In EUROCRYPT, pages 139–155, 2000.
[BR93] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In Douglas R. Stinson, editor, CRYPTO, volume 773 of Lecture Notes in Computer Science, pages 232–249. Springer, 1993.
[CK01] Ran Canetti and Hugo Krawczyk. Analysis of key-exchange protocols and their use for building secure channels. In Birgit Pfitzmann, editor, EUROCRYPT, volume 2045 of Lecture Notes in Computer Science, pages 453–474. Springer, 2001.
[DH76] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654, 1976.
[GLNS93] Li Gong, T. Mark A. Lomas, Roger M. Needham, and Jerome H. Saltzer. Protecting poorly chosen secrets from guessing attacks. IEEE Journal on Selected Areas in Communications, 11(5):648–656, 1993.
[Jab97] David P. Jablon. Extended password key exchange protocols immune to dictionary attacks. In WETICE, pages 248–255. IEEE Computer Society, 1997.
[Kwo01] Taekyoung Kwon. Authentication and key agreement via memorable passwords. In NDSS. The Internet Society, 2001.
[Kwo04] Taekyoung Kwon. Practical authenticated key agreement using passwords. In Kan Zhang and Yuliang Zheng, editors, ISC, volume 3225 of Lecture Notes in Computer Science, pages 1–12. Springer, 2004.
[LGSN89] T. Mark A. Lomas, Li Gong, Jerome H. Saltzer, and Roger M. Needham. Reducing risks from poorly chosen keys. In SOSP, pages 14–18, 1989.
[Mac01] Philip D. MacKenzie. More efficient password-authenticated key exchange. In David Naccache, editor, CT-RSA, volume 2020 of Lecture Notes in Computer Science, pages 361–377. Springer, 2001.
[Mac02] Philip MacKenzie. The PAK suite: Protocols for password-authenticated key exchange. In IEEE P1363.2, 2002.
[PNKW07] Sangjoon Park, Junghyun Nam, Seungjoo Kim, and Dongho Won. Efficient password-authenticated key exchange based on RSA. In Masayuki Abe, editor, CT-RSA, volume 4377 of Lecture Notes in Computer Science, pages 309–323. Springer, 2007.
[SCWL07] Jun Shao, Zhenfu Cao, Licheng Wang, and Rongxing Lu. Efficient password-based authenticated key exchange without public information. In Joachim Biskup and Javier Lopez, editors, ESORICS, volume 4734 of Lecture Notes in Computer Science, pages 299–310. Springer, 2007.
[Wu98] Thomas D. Wu. The secure remote password protocol. In NDSS. The Internet Society, 1998.
[WZ06] Shuhua Wu and Yuefei Zhu. Practical password-based authenticated key exchange protocol. In Yuping Wang, Yiu-ming Cheung, and Hailin Liu, editors, CIS, volume 4456 of Lecture Notes in Computer Science, pages 523–533. Springer, 2006.