
Cryptanalysis of an Enhanced Authentication Key Exchange Protocol


Academic year: 2021


Int. Computer Symposium, Dec. 15-17, 2004, Taipei, Taiwan.

Fuw-Yi Yang, Department of Applied Mathematics, National Chung Hsing University. E-mail: [email protected]
Jinn-Ke Jan, Department of Computer Science, National Chung Hsing University. E-mail: [email protected]

Abstract. An enhanced authentication key exchange protocol was proposed to exchange multiple session keys between two participants at a time. This paper shows that the enhanced protocol is insecure under the known session key attack, the known long-term private key attack, and the signature forgery attack.

Keywords: Authentication, Diffie-Hellman key exchange, forward secrecy.

1. Introduction

In order to achieve secret communication over an insecure channel, messages must be transmitted in cipher. Therefore, two participants must agree on a shared session key before they start to transmit or receive messages; the shared session key is used to encrypt plaintext and to decrypt ciphertext. The well-known Diffie-Hellman key exchange protocol [1] is often used to establish a shared session key for every protocol execution. However, this protocol does not authenticate the participants engaged in exchanging their session keys, which gives an adversary the chance to impersonate one of the participants. Thus, the protocol is vulnerable to middleman attacks. An enhanced protocol is proposed in [2], henceforth called the H-protocol. To resist the middleman attack, the H-protocol has been furnished with the capability of authenticating participants. In addition, the participants can exchange multiple session keys in one execution of the H-protocol, so its users have an efficient way to share a set of session keys. However, the H-protocol lacks a rigorous treatment of security. Section 3 presents three attacks on the H-protocol: the known session key attack, the known long-term private key attack, and the signature forgery attack. The first two attacks concern information leakage when session keys or a long-term private key are lost. The third attack considers forging signatures without knowledge of the user's signing key. The paper shows that the H-protocol cannot withstand any of these attacks.

2. Review of H-protocol

The system authority chooses a large prime $p$ to initialize the system. Let $g$ be a generator of the finite field $GF(p)$. Assume the participants Alice and Bob have registered with the system. Therefore, Alice has a long-term private key $x_a$, a long-term public key $y_a = g^{x_a} \bmod p$, and a certificate $cert(y_a)$. The certificate $cert(y_a)$ is a signature of a trusted third party (TTP) on the public key $y_a$. Similarly, Bob has a long-term private key $x_b$, a long-term public key $y_b = g^{x_b} \bmod p$, and a certificate $cert(y_b)$. After registering with the system, these two participants can exchange a set of authenticated Diffie-Hellman keys by executing the H-protocol. The following steps describe the details of the H-protocol.

Step 1. Alice randomly selects two elements, $k_{a1}$ and $k_{a2}$, from the finite field $GF(p)$. The quantities $r_{a1} = g^{k_{a1}} \bmod p$, $r_{a2} = g^{k_{a2}} \bmod p$, and $s_a = x_a (r_{a1} \oplus r_{a2}) + k_{a1} r_{a2} \bmod (p-1)$ are computed, respectively. Then the initiator Alice sends the message $m_{a1} = \{r_{a1}, r_{a2}, s_a, cert(y_a)\}$ to the recipient Bob.

Step 2. Upon receiving the message $m_{a1}$, Bob first verifies the certificate $cert(y_a)$. Then he verifies the validity of $m_{a1}$ by checking $g^{s_a} = y_a^{r_{a1} \oplus r_{a2}} \, r_{a1}^{r_{a2}} \bmod p$. A valid verification leads Bob to construct a response message $m_{b1}$; otherwise, Bob stops this instance of the H-protocol. To form the response message, Bob picks two random elements, $k_{b1}$ and $k_{b2}$, from the finite field $GF(p)$. The quantities $r_{b1} = g^{k_{b1}} \bmod p$, $r_{b2} = g^{k_{b2}} \bmod p$, and $s_b = x_b (r_{b1} \oplus r_{b2}) + k_{b1} r_{b2} \bmod (p-1)$ are computed, respectively. Then Bob sends the response message $m_{b1} = \{r_{b1}, r_{b2}, s_b, cert(y_b)\}$ to Alice. While constructing the response message, Bob also computes a set of Diffie-Hellman keys, i.e., the shared session keys $K_1 = r_{a1}^{k_{b1}} \bmod p$, $K_2 = r_{a1}^{k_{b2}} \bmod p$, $K_3 = r_{a2}^{k_{b1}} \bmod p$, and $K_4 = r_{a2}^{k_{b2}} \bmod p$.

Step 3. Alice verifies the certificate $cert(y_b)$ when receiving the message $m_{b1}$. In order to certify that $m_{b1}$ was sent by Bob, Alice must check whether $g^{s_b} = y_b^{r_{b1} \oplus r_{b2}} \, r_{b1}^{r_{b2}} \bmod p$ holds. Alice stops the execution if the check fails; otherwise, Alice also computes the set of shared session keys $K_1 = r_{b1}^{k_{a1}} \bmod p$, $K_2 = r_{b2}^{k_{a1}} \bmod p$, $K_3 = r_{b1}^{k_{a2}} \bmod p$, and $K_4 = r_{b2}^{k_{a2}} \bmod p$.

Therefore, Bob and Alice have agreed on a set of four session keys after executing the protocol cooperatively. If both participants choose $n$ random elements from the finite field $GF(p)$ while executing the protocol, then they agree on a set of $n^2$ session keys. In order to achieve perfect forward secrecy, only $n^2 - 1$ session keys are made available to the participants.

3. Cryptanalysis

In order to investigate the security of the H-protocol, three well-known attacks are mounted against it. The details are given in the following subsections.

3.1 Known session key attack

The known session key attack considers the side effects of some previous session keys being disclosed. No secret information of the participants or of the system must be revealed by the disclosure of previous session keys. In the following, we show how to compute the long-term Diffie-Hellman key $y_{ab} = g^{x_a x_b} \bmod p$ if the session key $K_1$ is compromised. Express $s_a$ and $s_b$ as in (1) and (2):

$$s_a = x_a (r_{a1} \oplus r_{a2}) + k_{a1} r_{a2} \bmod (p-1) \qquad (1)$$

$$s_b = x_b (r_{b1} \oplus r_{b2}) + k_{b1} r_{b2} \bmod (p-1) \qquad (2)$$

$$x_a x_b (r_{a1} \oplus r_{a2})(r_{b1} \oplus r_{b2}) = (s_a s_b - k_{a1} r_{a2} s_b - k_{b1} r_{b2} s_a + k_{a1} r_{a2} k_{b1} r_{b2}) \bmod (p-1) \qquad (3)$$

$$y_{ab}^{(r_{a1} \oplus r_{a2})(r_{b1} \oplus r_{b2})} = g^{s_a s_b} \, r_{a1}^{-r_{a2} s_b} \, r_{b1}^{-r_{b2} s_a} \, K_1^{r_{a2} r_{b2}} \bmod p \qquad (4)$$

$$y_{ab} = \left( g^{s_a s_b} \, r_{a1}^{-r_{a2} s_b} \, r_{b1}^{-r_{b2} s_a} \, K_1^{r_{a2} r_{b2}} \right)^{u} \bmod p \qquad (5)$$

$$u = 1 / \left( (r_{a1} \oplus r_{a2})(r_{b1} \oplus r_{b2}) \right) \bmod (p-1) \qquad (6)$$

Equation (3) is obtained by multiplying (1) by (2). Raising the generator $g$ to both sides of (3) yields (4). As can be seen from (5) and (6), given the session key $K_1$, the long-term Diffie-Hellman key $y_{ab}$ is derived, where the quantities $s_a$, $s_b$, $r_{a1}$, $r_{a2}$, $r_{b1}$, and $r_{b2}$ are obtained by listening on the public channel.

3.2 Perfect forward secrecy (known long-term secret key attack)

A very desirable security property of a key exchange protocol is perfect forward secrecy. Communications usually travel over insecure channels, which have many unacceptable properties: for example, adversaries can eavesdrop on, intercept, and modify data on the channel. Therefore, the shared session keys are used to encrypt confidential messages before they are placed on an insecure transmission channel. Suppose that a secure encryption function is used. Then the adversaries cannot learn any information about the confidential messages, since they do not know the session keys used. Assume, however, that an adversary has recorded some ciphertext from an insecure channel, and that the later exposure of a participant's long-term secret key leads to the session keys being revealed. Then the adversary is able to decrypt the intercepted ciphertext and thereby read the confidential messages sent in past sessions. This result would be undesirable. Hence, a stronger security property is required: perfect forward secrecy. It requires that the session keys remain concealed even if the participant's long-term secret key is disclosed.

From (4), anyone can compute the session key $K_1$ if $y_{ab}$ is available. Rearranging (4) gives (7); thus an adversary listening on the public channel can compute $K_1$ whenever $y_{ab}$ is available:

$$K_1 = \left( y_{ab}^{(r_{a1} \oplus r_{a2})(r_{b1} \oplus r_{b2})} \, g^{-s_a s_b} \, r_{a1}^{r_{a2} s_b} \, r_{b1}^{r_{b2} s_a} \right)^{v} \bmod p, \qquad v = 1 / (r_{a2} r_{b2}) \bmod (p-1) \qquad (7)$$

From (1), the adversary can compute the quantity $k_{a1}$ if Alice's private key $x_a$ is available; thus the session keys $K_1$ and $K_3$ are computed. Similarly, from (2), the adversary can compute the quantity $k_{b1}$, and hence the session keys $K_1$ and $K_2$, if Bob's private key $x_b$ is available. Therefore the H-protocol does not satisfy the requirement of perfect forward secrecy, since the disclosure of either Alice's or Bob's long-term private key, $x_a$ or $x_b$, enables an adversary to compute the shared session keys $K_1$, $K_2$, or $K_3$.

3.3 Signature forgery attack

Bob verifies the received message $m_{a1} = \{r_{a1}, r_{a2}, s_a, cert(y_a)\}$ by checking $g^{s_a} = y_a^{r_{a1} \oplus r_{a2}} \, r_{a1}^{r_{a2}} \bmod p$. Similarly, Alice certifies the received message $m_{b1} = \{r_{b1}, r_{b2}, s_b, cert(y_b)\}$ by the verification equation $g^{s_b} = y_b^{r_{b1} \oplus r_{b2}} \, r_{b1}^{r_{b2}} \bmod p$. Essentially, $\{r_{a1}, r_{a2}, s_a\}$ and $\{r_{b1}, r_{b2}, s_b\}$ are variants of ElGamal signatures [3]. The following steps show how to counterfeit signatures so as to pass the verification equation. Assume that an adversary wants to construct a message $m_{a1} = \{r_{a1}, r_{a2}, s_a, cert(y_a)\}$.

Step 1. The certificate $cert(y_a)$ is obtained from a previously intercepted message.

Step 2. Let $r_{a1} = g^{v} y_a^{u} \bmod p$, where $v$ is chosen randomly from $Z_{p-1}$ and $-u = 2 \bmod (p-1)$.

Step 3. Substituting $r_{a1} = g^{v} y_a^{u} \bmod p$ into the verification equation (8) gives (9). Equations (10) and (11) are obtained by combining the terms with the same base in (9).

$$g^{s_a} = y_a^{r_{a1} \oplus r_{a2}} \, r_{a1}^{r_{a2}} \bmod p \qquad (8)$$

$$g^{s_a} = y_a^{r_{a1} \oplus r_{a2}} \, g^{v r_{a2}} \, y_a^{u r_{a2}} \bmod p \qquad (9)$$

$$r_{a1} \oplus r_{a2} = -u \, r_{a2} = 2 r_{a2} \bmod (p-1) \qquad (10)$$

$$s_a = v \, r_{a2} \bmod (p-1) \qquad (11)$$

Step 4. Assume that the most significant bit of $r_{a2}$ is 0, so that the quantity $2 r_{a2}$ is obtained merely by shifting all bits of $r_{a2}$ one position to the left (the least significant bit of the result is filled with 0). Note that this assumption holds with high probability. Then $r_{a2}$ can be solved from (10) by the following equations. Let $r_{a2}[1]$ and $r_{a2}[|p|]$ denote the least significant bit and the most significant bit of $r_{a2}$:

$r_{a2}[1] = r_{a1}[1]$, $r_{a2}[2] = r_{a1}[2] \oplus r_{a2}[1]$, ..., $r_{a2}[j] = r_{a1}[j] \oplus r_{a2}[j-1]$, ..., $r_{a2}[|p|] = r_{a1}[|p|] \oplus r_{a2}[|p|-1]$.

If $r_{a2}[|p|] \neq 0$, redo Step 2.

Therefore, without knowing Alice's long-term private key, the adversary has constructed a message $m_{a1} = \{r_{a1}, r_{a2}, s_a, cert(y_a)\}$ that passes the verification equation $g^{s_a} = y_a^{r_{a1} \oplus r_{a2}} \, r_{a1}^{r_{a2}} \bmod p$. Although the adversary cannot compute the shared session keys, this undesired result may still cause problems if the shared session keys are used to encrypt random messages and no further key confirmation protocol is used.

4. Conclusion

It has been shown that the H-protocol is vulnerable to the known session key attack, the known long-term secret key attack, and the signature forgery attack.

References

1. W. Diffie and M. E. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, Vol. 22, pp. 644-654, 1976.
2. M. S. Hwang, T. Y. Chang, S. C. Lin, and C. S. Tsai, "On the security of an enhanced authentication key exchange protocol," in Proceedings of the 18th International Conference on Advanced Information Networking and Application (AINA'04), IEEE, Vol. 2, pp. 160-163, 2004.
3. T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms," IEEE Trans. Inform. Theory, Vol. IT-31, No. 4, pp. 469-472, 1985.
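Worked example for Section 2 and Sections 3.1 and 3.2. This is an added example, not code from the paper or from the authors of [2]: it models one honest H-protocol execution with a constructed 10-bit toy prime ($p = 1019$, generator $g = 2$, both assumptions chosen so every value can be checked by hand; a real deployment would use a prime of thousands of bits), models $cert(y)$ as the peer already trusting the public key it holds, and then reproduces the derivations of (5)-(6) and of $k_{a1}$ from (1). One caveat the paper leaves implicit is made explicit in code: the exponent inverses $u$ in (6) and $1/r_{a2}$ needed to solve (1) exist only when the corresponding quantities are coprime to $p - 1$, so the demo simply retries the execution when they are not.

```python
# Added example (not from the paper): toy model of the H-protocol of Section 2
# plus the known-session-key (3.1) and known-long-term-key (3.2) derivations.
import random
from math import gcd

P = 1019                        # constructed toy prime (assumption); P - 1 = 2 * 509
P_MINUS_1_FACTORS = (2, 509)    # prime factors of P - 1, used to test generators
G = 2                           # generator of Z_1019^* (checked by is_generator)


def is_generator(g, p=P, factors=P_MINUS_1_FACTORS):
    """g generates Z_p^* iff g^((p-1)/q) != 1 (mod p) for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in factors)


def sign(x, k1, k2, p=P, g=G):
    """Step 1 / Step 2: (r1, r2, s) with r_i = g^k_i and s = x(r1 xor r2) + k1 r2 mod p-1."""
    r1, r2 = pow(g, k1, p), pow(g, k2, p)
    s = (x * (r1 ^ r2) + k1 * r2) % (p - 1)
    return r1, r2, s


def verify(y, r1, r2, s, p=P, g=G):
    """Verification equation (8): g^s == y^(r1 xor r2) * r1^r2 (mod p)."""
    return pow(g, s, p) == (pow(y, r1 ^ r2, p) * pow(r1, r2, p)) % p


def keys_initiator(ka1, ka2, rb1, rb2, p=P):
    """Alice's K1..K4 (Step 3): rb1^ka1, rb2^ka1, rb1^ka2, rb2^ka2."""
    return (pow(rb1, ka1, p), pow(rb2, ka1, p), pow(rb1, ka2, p), pow(rb2, ka2, p))


def keys_responder(kb1, kb2, ra1, ra2, p=P):
    """Bob's K1..K4 (Step 2): ra1^kb1, ra1^kb2, ra2^kb1, ra2^kb2 (same values as Alice's)."""
    return (pow(ra1, kb1, p), pow(ra1, kb2, p), pow(ra2, kb1, p), pow(ra2, kb2, p))


def run_protocol(rng, xa, xb, p=P, g=G):
    """One honest execution; returns the public transcript and both parties' key sets."""
    ya, yb = pow(g, xa, p), pow(g, xb, p)
    ka1, ka2 = rng.randrange(1, p - 1), rng.randrange(1, p - 1)
    ra1, ra2, sa = sign(xa, ka1, ka2)                 # Step 1: m_a1 = {ra1, ra2, sa, cert(ya)}
    if not verify(ya, ra1, ra2, sa):                  # Step 2: Bob checks m_a1
        raise ValueError("Bob rejects m_a1")
    kb1, kb2 = rng.randrange(1, p - 1), rng.randrange(1, p - 1)
    rb1, rb2, sb = sign(xb, kb1, kb2)                 # m_b1 = {rb1, rb2, sb, cert(yb)}
    bob_keys = keys_responder(kb1, kb2, ra1, ra2)
    if not verify(yb, rb1, rb2, sb):                  # Step 3: Alice checks m_b1
        raise ValueError("Alice rejects m_b1")
    alice_keys = keys_initiator(ka1, ka2, rb1, rb2)
    return {"transcript": (ra1, ra2, sa, rb1, rb2, sb),
            "alice": alice_keys, "bob": bob_keys, "ka1": ka1}


def recover_yab_from_k1(ra1, ra2, sa, rb1, rb2, sb, k1, p=P, g=G):
    """Section 3.1, (5)-(6): y_ab from a leaked K1 plus the public transcript.
    Returns None when the exponent in (6) has no inverse mod p-1."""
    e = ((ra1 ^ ra2) * (rb1 ^ rb2)) % (p - 1)
    if gcd(e, p - 1) != 1:
        return None
    u = pow(e, -1, p - 1)
    base = (pow(g, sa * sb, p) * pow(ra1, -ra2 * sb, p)
            * pow(rb1, -rb2 * sa, p) * pow(k1, ra2 * rb2, p)) % p
    return pow(base, u, p)


def recover_ka1_from_xa(xa, ra1, ra2, sa, p=P):
    """Section 3.2, from (1): ka1 = (sa - xa (ra1 xor ra2)) / ra2 mod p-1, if ra2 is invertible."""
    if gcd(ra2, p - 1) != 1:
        return None
    return ((sa - xa * (ra1 ^ ra2)) * pow(ra2, -1, p - 1)) % (p - 1)


def demo(seed=7, p=P, g=G):
    """Run the protocol until both derivations apply, then report what they recover."""
    rng = random.Random(seed)
    xa, xb = rng.randrange(1, p - 1), rng.randrange(1, p - 1)
    yab = pow(g, xa * xb, p)                          # the long-term Diffie-Hellman key
    while True:
        run = run_protocol(rng, xa, xb)
        ra1, ra2, sa, rb1, rb2, sb = run["transcript"]
        yab_rec = recover_yab_from_k1(ra1, ra2, sa, rb1, rb2, sb, run["alice"][0])
        ka1_rec = recover_ka1_from_xa(xa, ra1, ra2, sa)
        if yab_rec is None or ka1_rec is None:
            continue                                  # retry: an inverse did not exist
        return {
            "keys_agree": run["alice"] == run["bob"],
            "yab_recovered": yab_rec == yab,
            "ka1_recovered": ka1_rec == run["ka1"],
            # with ka1 in hand, every key built from ka1 (rb1^ka1 and rb2^ka1) follows
            "keys_from_ka1": (pow(rb1, ka1_rec, p), pow(rb2, ka1_rec, p)) == run["alice"][:2],
        }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns a dictionary whose four entries are all `True`: the two parties agree on the same four keys, a single leaked $K_1$ together with the public transcript reproduces $y_{ab} = g^{x_a x_b}$, and a leaked $x_a$ reproduces $k_{a1}$ and with it every session key that depends on $k_{a1}$. Both derivations use nothing but modular exponentiation over values that travel on the wire, which is what makes the attacks cheap; retrying on non-invertible exponents is only a toy-parameter convenience, since for a large $p$ the failing cases are still a constant fraction of executions.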
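Worked example for Section 3.3. This is an added example, not code from the paper: it runs Steps 2 to 4 of the forgery against the same constructed toy parameters as above ($p = 1019$, $g = 2$, assumptions), with Step 4's bit recurrence written out and Step 2 redone whenever the most significant bit of $r_{a2}$ comes out non-zero. The point to take from it is structural: nothing in check (8) stops an adversary from hiding a power of $y_a$ inside $r_{a1}$ and then choosing $r_{a2}$ so that the two $y_a$ terms in (9) cancel, so the check accepts a message that was never signed with $x_a$; as the paper notes, only a subsequent key confirmation step would expose the mismatch.

```python
# Added example (not from the paper): reproduces the signature-forgery
# derivation of Section 3.3 on constructed toy parameters.
import random

P = 1019                  # constructed toy prime (assumption); |p| = 10 bits
G = 2                     # generator of Z_1019^*
BITS = P.bit_length()     # |p| in the paper's notation


def verify(y, r1, r2, s, p=P, g=G):
    """Verification equation (8): g^s == y^(r1 xor r2) * r1^r2 (mod p)."""
    return pow(g, s, p) == (pow(y, r1 ^ r2, p) * pow(r1, r2, p)) % p


def solve_ra2(ra1, bits=BITS):
    """Step 4: solve ra1 xor ra2 == 2*ra2 bit by bit, least significant bit first:
    ra2[1] = ra1[1], ra2[j] = ra1[j] xor ra2[j-1].  The caller must still check that
    the most significant bit ra2[|p|] is 0, otherwise 2*ra2 does not fit in |p| bits."""
    ra2, prev = 0, 0
    for j in range(bits):
        bit = ((ra1 >> j) & 1) ^ prev
        ra2 |= bit << j
        prev = bit
    return ra2


def forge_message(ya, rng, p=P, g=G, max_tries=1000):
    """Steps 2-4: (ra1, ra2, sa) for public key ya, redoing Step 2 whenever
    Step 4's condition fails.  Returns None if max_tries is exhausted."""
    u = (-2) % (p - 1)                            # -u = 2 mod (p-1)
    for _ in range(max_tries):
        v = rng.randrange(0, p - 1)               # v random in Z_{p-1}
        ra1 = (pow(g, v, p) * pow(ya, u, p)) % p  # Step 2: ra1 = g^v * ya^u
        ra2 = solve_ra2(ra1)                      # Step 4
        if ra2 >> (BITS - 1):                     # ra2[|p|] != 0: redo Step 2
            continue
        sa = (v * ra2) % (p - 1)                  # equation (11)
        return ra1, ra2, sa
    return None


def check_forgery(seed=3, p=P, g=G):
    """Build a message for a freshly generated public key and report the checks:
    (10) holds as an integer identity and (8) accepts the message."""
    rng = random.Random(seed)
    xa = rng.randrange(1, p - 1)                  # Alice's key; only ya is used below
    ya = pow(g, xa, p)
    ra1, ra2, sa = forge_message(ya, rng)
    return {
        "xor_is_double": (ra1 ^ ra2) == 2 * ra2,  # equation (10) as integers
        "passes_check": verify(ya, ra1, ra2, sa), # equation (8)
        "ra2_in_range": 0 < ra2 < p,
    }


if __name__ == "__main__":
    print(check_forgery())
```

`check_forgery()` returns all three flags `True`. The recurrence in `solve_ra2` is the paper's Step 4 verbatim; the retry on a set top bit is what keeps $r_{a2} < 2^{|p|-1} \le p$, so the constructed $r_{a2}$ is always a valid field element and the congruence in (10) holds as an exact integer equality rather than only modulo $p - 1$.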

