Cryptanalysis of the improved authenticated key agreement protocol

Ting-Yi Chang a, Chou-Chan Yang b, Ya-Wen Yang c,*

a Department of Computer and Information Science, National Chiao Tung University, 1001 Ta Hsueh Road, Hsinchu, Taiwan, ROC
b Department of Information and Communication Engineering, Chaoyang University of Technology, 168 Gifeng E. Rd., Wufeng 413, Taichung County, Taiwan, ROC
c Graduate Institute of Networking and Communication Engineering, Chaoyang University of Technology, 168 Gifeng E. Rd., Wufeng 413, Taichung County, Taiwan, ROC

Abstract

Hsu et al. recently pointed out that the Ku–Wang scheme is vulnerable to the modification attack and further proposed an improvement on that scheme. However, this article shows that the improvement they claim to be secure is still vulnerable to an off-line password guessing attack.

© 2005 Published by Elsevier Inc.

Keywords: Cryptography; Information security; Key agreement; Key exchange

Applied Mathematics and Computation 171 (2005) 771–774
0096-3003/$ - see front matter © 2005 Published by Elsevier Inc. doi:10.1016/j.amc.2005.01.086
* Corresponding author. E-mail address: [email protected] (C.-C. Yang).

1. Introduction

In 1976, the key agreement protocol was introduced by Diffie and Hellman [1]. Two parties can establish a secret session key over an insecure channel, relying on the difficulty of computing discrete logarithms over a finite field. However, the Diffie–Hellman scheme has a serious security flaw: it is vulnerable to the man-in-the-middle attack, because the participants are not authenticated.

In order to prevent man-in-the-middle attacks, Seo and Sweeney [5] proposed a simple authenticated key agreement protocol, which additionally uses a pre-shared password to provide user authentication. In their scheme, the two parties share a secret password before the protocol begins. The session key is established with user authentication, and the two parties can verify the validity of the session key. Unfortunately, Sun [6], Tseng [7], and Lu et al. [4] separately showed that the Seo–Sweeney scheme is vulnerable to the replay attack and the dictionary attack. Indeed, an honest party can be fooled into believing a wrong session key by replaying a message sent by that honest party himself. At the same time, Tseng proposed an improved scheme to withstand the replay attack. On the other hand, Sun [6] and Lu et al. [4] pointed out that the Seo–Sweeney scheme is vulnerable to the off-line password guessing attack (dictionary attack). That is, an attacker can guess a password off-line until he/she gets the correct one.

Later, Ku and Wang [3] showed that Tseng's improved scheme is still vulnerable to the backward replay attack and the modification attack. In the backward replay attack, an honest party is fooled into believing a wrong session key by an adversary who masquerades as the other communicating party and replays the exchanged message. In the modification attack, an adversary who interposes in the line between the two communicating parties modifies the exchanged message and fools one party into believing a wrong session key. To repair these security flaws, they further proposed an improved scheme to enhance the security. In 2003, Hsu et al. [2] pointed out that the Ku–Wang scheme is still vulnerable to the modification attack. Moreover, they improved the key validation stage of Ku and Wang's protocol by using the identities of the two communicators and a one-way hash function. However, in this article, we point out that their improved scheme is vulnerable to the off-line password guessing attack.

The organization of this article is as follows. In the next section, we briefly review Hsu et al.'s scheme. In Section 3, we show that the off-line password guessing attack threatens the security of their scheme. Finally, we give a brief conclusion in Section 4.

2. Brief review of Hsu et al.’s scheme

As in the Diffie–Hellman scheme, the system publishes a one-way hash function $h(\cdot)$ and two values $n$ and $g$, where $n$ is a large prime and $g$ is a generator of order $n-1$ in $GF(n)$. In the system, Alice and Bob have the identities $id_A$ and $id_B$, respectively. They share a secret password $P$ and a predetermined way to generate the two integers $Q \bmod n$ and $Q^{-1} \bmod n$ from it before the protocol begins. The protocol is composed of two phases, the key establishment phase and the key validation phase, as follows.

2.1. Key establishment phase

(e.1) Alice randomly selects an integer $a$ and computes $X = g^{aQ} \bmod n$. Then she sends $X$ to Bob.

(e.2) Bob randomly selects an integer $b$ and computes $Y = g^{bQ} \bmod n$. Then he sends $Y$ to Alice.

After receiving $Y$ and $X$, Alice and Bob can separately compute the session keys $K_A = (Y^{Q^{-1}})^a = g^{ab} \bmod n$ and $K_B = (X^{Q^{-1}})^b = g^{ab} \bmod n$.

2.2. Key validation phase

(v.1) Alice computes the hash value $A = h(id_A, K_A)$ and sends it to Bob.

(v.2) Bob computes the hash value $B = h(id_B, K_B)$ and sends it to Alice.

After receiving $A$, Bob computes the hash $h(id_A, K_B)$ and checks that it equals the received $A$. If the check succeeds, Bob is convinced that $K_B$ is valid. After receiving $B$, Alice computes the hash $h(id_B, K_A)$ and checks that it equals the received $B$. If the check succeeds, Alice is convinced that $K_A$ is valid.

3. The off-line password guessing attack

In this section, we show that Hsu et al.'s protocol is vulnerable to an off-line password guessing attack. Assume that Eve is an adversary who interposes in the communication line between Alice and Bob.

In the key establishment phase, Eve intercepts $X = g^{aQ} \bmod n$ sent by Alice in Step (e.1) and records it. Upon intercepting the message $Y$ sent by Bob in Step (e.2), Eve impersonates Bob to exchange messages with Alice: she randomly selects an integer $e$ and computes $Y' = g^{e} \bmod n$ to replace $Y$. After receiving $Y'$, Alice computes $K_A = (Y'^{Q^{-1}})^a = g^{eQ^{-1}a} \bmod n$. In the key validation phase, upon intercepting the message $A = h(id_A, K_A) = h(id_A, g^{eQ^{-1}a} \bmod n)$ sent by Alice in Step (v.1), Eve can perform an off-line password guessing attack as follows. Eve first guesses a password $P$ and derives the corresponding $Q \bmod n$; she can then verify the correctness of the guessed password by checking whether $A = h(id_A, (X^{e})^{Q^{-2}} \bmod n)$ holds. If it holds, Eve has guessed the correct password $P$, because $A = h(id_A, (X^{e})^{Q^{-2}} \bmod n) = h(id_A, g^{aeQ^{-1}} \bmod n)$. Since Eve knows both $X$ and $e$, the only unknown in this check is $Q$, so every candidate password can be tested locally against the recorded pair $(X, A)$ without any further interaction with Alice.


For the same reason, Eve can also impersonate Alice to exchange messages with Bob. Upon intercepting the message $B$, Eve can verify the correctness of a guessed password in the same way.
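The following Python program is an added example, not code from the paper, that simulates both phases of Hsu et al.'s scheme (Section 2) and then Eve's man-in-the-middle session and off-line dictionary check (Section 3). Everything concrete in it is an assumption made for illustration: $h$ is instantiated as SHA-256 over the identity and key, $n$ is the toy prime $2^{31}-1$ with $g = 7$ (a primitive root, so $g$ has order $n-1$ as required), the "predetermined way" to derive $Q$ from $P$ is a hash reduced into the exponent range, and the wordlist is constructed. One caveat a practitioner should note: for $(g^{aQ})^{Q^{-1}} = g^a$ to hold, $Q^{-1}$ must be the inverse of $Q$ modulo $n-1$ (the order of $g$), not modulo $n$ as the paper's notation suggests, so the code computes it that way and keeps $Q$ coprime to $n-1$.

```python
import hashlib
from math import gcd
from typing import Optional

# Constructed toy parameters for this example (not from the paper). n is the Mersenne
# prime 2^31 - 1 and g = 7 is a primitive root modulo n, so g has order n - 1 in GF(n)
# as the protocol requires. A 31-bit n makes discrete logs trivial; it only serves to
# show the protocol flow and the password check, not a secure instantiation.
N = 2**31 - 1
G = 7
ORDER = N - 1  # order of g; exponents live in Z_{n-1}


def password_to_q(password: str) -> int:
    """Assumed 'predetermined way' to derive Q from P (the paper does not fix one).
    Hash P, reduce into [1, n-2], then step forward until gcd(Q, n-1) == 1 so that
    Q^{-1} exists as an exponent."""
    q = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % (N - 2) + 1
    while gcd(q, ORDER) != 1:
        q += 1
    return q


def q_inverse(q: int) -> int:
    """Q^{-1} taken modulo n-1 (the order of g), which is what makes
    (g^{aQ})^{Q^{-1}} = g^a; an inverse modulo n itself would not."""
    return pow(q, -1, ORDER)


def h(identity: str, key: int) -> bytes:
    """The protocol's one-way hash h(id, K); SHA-256 is an assumption here."""
    return hashlib.sha256(identity.encode() + b"|" + key.to_bytes(4, "big")).digest()


def honest_run(password: str, a: int, b: int) -> bool:
    """Alice and Bob run both phases without interference; returns True when both
    derive g^{ab} and both validation checks of Section 2.2 pass."""
    q = password_to_q(password)
    qi = q_inverse(q)
    x = pow(G, a * q, N)                 # (e.1) Alice -> Bob: X = g^{aQ}
    y = pow(G, b * q, N)                 # (e.2) Bob -> Alice: Y = g^{bQ}
    k_a = pow(pow(y, qi, N), a, N)       # K_A = (Y^{Q^{-1}})^a
    k_b = pow(pow(x, qi, N), b, N)       # K_B = (X^{Q^{-1}})^b
    msg_a = h("Alice", k_a)              # (v.1) Alice -> Bob: A = h(id_A, K_A)
    msg_b = h("Bob", k_b)                # (v.2) Bob -> Alice: B = h(id_B, K_B)
    bob_accepts = h("Alice", k_b) == msg_a
    alice_accepts = h("Bob", k_a) == msg_b
    return k_a == k_b == pow(G, a * b, N) and bob_accepts and alice_accepts


def eve_offline_guess(x: int, msg_a: bytes, e: int, dictionary) -> Optional[str]:
    """Eve's off-line check from Section 3. She holds Alice's X, her own exponent e
    (she sent Y' = g^e in Bob's place) and Alice's validation value A = h(id_A, K_A)
    with K_A = g^{e Q^{-1} a}. For each guess she derives Q and tests
    A == h(id_A, (X^e)^{Q^{-2}} mod n); no further traffic with Alice is needed."""
    for guess in dictionary:
        q = password_to_q(guess)
        q_inv2 = pow(q_inverse(q), 2, ORDER)          # Q^{-2} mod (n-1)
        candidate = pow(pow(x, e, N), q_inv2, N)      # (X^e)^{Q^{-2}} = g^{a e Q^{-1}}
        if h("Alice", candidate) == msg_a:
            return guess
    return None


def mitm_session(password: str, dictionary, a: int = 123456789, e: int = 987654321) -> Optional[str]:
    """One attacked session: Eve records X, answers Alice with Y' = g^e instead of
    Bob's Y, intercepts A in step (v.1), and then runs the dictionary off-line."""
    q = password_to_q(password)
    x = pow(G, a * q, N)                              # Alice's (e.1) message, recorded by Eve
    y_forged = pow(G, e, N)                           # Eve's replacement for Y
    k_a = pow(pow(y_forged, q_inverse(q), N), a, N)   # Alice computes (Y'^{Q^{-1}})^a
    msg_a = h("Alice", k_a)                           # Alice's (v.1) message, intercepted
    return eve_offline_guess(x, msg_a, e, dictionary)


if __name__ == "__main__":
    # Constructed sample data: the shared password and a small wordlist containing it.
    shared = "correct horse"
    wordlist = ["letmein", "password", "hunter2", "correct horse", "qwerty"]
    print("honest session validates:", honest_run(shared, 31337, 4242))
    print("Eve recovers password:", mitm_session(shared, wordlist))
```

The attack on Bob's side is symmetric: Eve sends $X' = g^{e}$ in Alice's place, records Bob's $Y$ and his value $B$, and tests each guess with $h(id_B, (Y^{e})^{Q^{-2}} \bmod n)$. Note that Alice's own validation check in step (v.2) still fails in the attacked session, so the protocol run aborts, but by then Eve already holds everything she needs.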

4. Conclusion

People find long random strings difficult to use as passwords; rather, they prefer natural-language phrases that they can recognize easily. Nevertheless, natural-language phrases used as passwords are drawn from a rather limited set of possibilities. In this article, we have presented an off-line password guessing attack that subverts the security of Hsu et al.'s scheme. The adversary can guess a password off-line until he/she gets the correct one.

Acknowledgement

This research was partially supported by the National Science Council, Taiwan, ROC, under contract no. NSC90-2213-E-324-004.

References

[1] W. Diffie, M.E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory IT-22 (6) (1976) 644–654.

[2] Chien-Lung Hsu, Tzong-Sun Wu, Tzong-Chen Wu, Chris Mitchell, Cryptanalysis of enhancement for simple authenticated key agreement algorithm, Applied Mathematics and Computation 142 (2–3) (2003) 305–308.

[3] Wei-Chi Ku, Sheng-De Wang, Cryptanalysis of modified authenticated key agreement protocol, IEE Electronics Letters 36 (21) (2000) 1770–1771.

[4] Eric Jui-Lin Lu, Cheng-Chi Lee, Min-Shiang Hwang, Cryptanalysis of some authenticated key agreement protocols, International Journal of Computational and Numerical Analysis and Applications, in press.

[5] D. Seo, P. Sweeney, Simple authenticated key agreement algorithm, IEE Electronics Letters 35 (13) (1999) 1073–1074.

[6] H. Sun, On the security of simple authenticated key agreement algorithm, in: Proceedings of the Management Theory Workshop 2000, 2000.

[7] Yuh-Min Tseng, Weakness in simple authenticated key agreement protocol, IEE Electronics Letters 36 (1) (2000) 48–49.
