• 沒有找到結果。

一個可證明且伺服器端驅動的密碼認證金鑰交換機制

N/A
N/A
Protected

Academic year: 2021

Share "一個可證明且伺服器端驅動的密碼認證金鑰交換機制"

Copied!
50
0
0

加載中.... (立即查看全文)

全文

(1)

網路工程研究所

一個可證明且伺服器端驅動的密碼認證

金鑰交換制

A Provable Server-Triggering Password-based

Authenticated Key Exchange Protocol

研 究 生:蔡家宏

指導教授:曾文貴 教授

(2)

網路工程研究所

一個可證明且伺服器端驅動的密碼認證

金鑰交換制

A Provable Server-Triggering Password-based

Authenticated Key Exchange Protocol

研 究 生:蔡家宏

(3)

一個可證明且伺服器端驅動的密碼認證金鑰交換機制

A Provable Server-Triggering Password-based

Authenticated Key Exchange Protocol

研 究 生:蔡家宏 Student:Chya-Hung Tsai

指導教授:曾文貴 Advisor:Weng-Guey Tzeng

國 立 交 通 大 學

網 路 工 程 研 究 所

碩 士 論 文

A Thesis

Submitted to Institute of Network Engineering College of Computer Science

National Chiao Tung University in partial Fulfillment of the Requirements

for the Degree of Master

in

Computer Science

June 2009

Hsinchu, Taiwan, Republic of China

(4)

一個可證明且伺服器端驅動的認證金鑰交換機制

學生:蔡家宏

指導教授

曾文貴 博士

國立交通大學網路工程研究所碩士班

摘 要

基於密碼的認證金鑰交換機制僅需要使用者記憶一組安全

度低的密碼即可完成運作,其方便性及彈性被廣泛應用在客戶/

伺服器的架構上。其中在非對稱性的協定中,伺服器端儲存使用

者密碼的相對應轉換值,而非直接儲存明文的密碼,如此一來,

即使伺服器遭到入侵也不會立即洩漏出使用者的密碼。近年來,

許多基於密碼的金鑰交換協定被提出來,這些協定大部分都是由

客戶端先發出訊息傳送至伺服器端,在這篇論文中,我們提出由

伺服器端先發送訊息給客戶端的協定。在這樣的架構下,當同時

有許多客戶與伺服器連線時,伺服器端可以控制流量,避免計算

(5)

ii

資源被大量消耗。更進一步我們也正規的證明了我們所提出的協

定在 random oracle model 下是安全的,同時我們利用了 CDH 以

及 S-CDH 兩個困難的問題在我們的證明中。

(6)

A Provable Server-Triggering Password-based

Authenticated Key Exchange Protocol

Student: Chya-Hung Tsai Advisor: Dr. Wen-Guey Tzeng Institute of Network Engineering College of Computer Science

National Chiao Tung University Abstract

Since it is convenient for users to memorize a low-entropy password, the password-based authentication key exchange (PAKE) protocols have been an active research topic on the client/server-based communication. Especially, the asymmetric protocols which the server stores the password images are resistant to the leak of passwords when the server becomes compromised. Many elegant protocols are proposed in the past. However, most of them will first send the short-term information to the server from client.

In this paper, we propose a provable server-triggering password-based authenticated key exchange protocol (ST-PAKE). We focus on the framework that the server generates the short-term information first and then sends it to the client. This idea has some advantage for communication. For example, when there are a large number of clients connecting to the server, the server can select which client to communicate according to the order of preference. Also, we confront a kind of off-line dictionary attack. We call it active dictionary attack. This attack can be successfully mounted if the protocol

(7)

is not well-design. We modify our ST-PAKE protocol to the ST-PAKE-A, which is designed to resist to the active dictionary attack.

Moreover, our scheme is provably forward secrecy and resilient to the server compromise. We provide a formal security proof of our scheme under the CDH assumption and the S-CDH assumption in the random oracle model. Keywords: key exchange, authenticated key exchange protocol, password-based authentication key exchange

(8)

首先感謝我的指導老師曾文貴教授,傳授我許多關於密碼理論的

知識,讓我對這個領域有更深一層的認識,並了解所謂的安全並非口

說無憑,而是需要提供一套完整的正規證明。另外,我要感謝口試委

員,中研院呂及人教授、交大謝續平教授與交大蔡錫鈞教授,在論文

上給我許多建議與指導,讓我的論文更加完善。除此之外,我也要感

謝實驗室的孝盈學姊、思維、毅睿、韶瑩和學弟們對我的幫忙。特別

感謝畢業學長成康以及助理天心的協助,還有新竹的成大幫陪我度過

第三個兩年。

最後,我要感謝我的家人還有愛犬 Maggy,不論在精神或物質上

都給我極大的支持,讓我在無後顧之憂的情況下可以順利完成學業。

在此,謹以此文獻給所有我想要感謝的人。

(9)

Contents

Abstract in Chinese i Abstract iii Acknowledgement v Table of Contents vi 1 Introduction 1 1.1 Related Works . . . 3 1.2 Our Contribution . . . 4 1.3 Organization . . . 6 2 Definition 7 2.1 Security Model . . . 7 2.2 Security Assumptions . . . 12 3 The Server-triggering Password-based Authenticated Key

(10)

4 Security Proof 17 5 Discussion 29 5.1 Other security issues . . . 29 5.2 Comparison . . . 32 6 Conclusion 34 Bibliography 35

(11)

List of Figures

3.1 The ST-PAKE protocol. . . 16

4.2 Simulation of the oracle queries. . . 20

4.3 Simulation of th game G5. . . 23

4.4 Simulation of the case 1 of the game G7.2. . . 26

4.5 Simulation of the case 2 of the game G7.2. . . 27

5.1 The ST-PAKE-A protocol. . . 31

(12)

Chapter 1

Introduction

How to establish a secure channel between two communicating parties is an important problem on the networks. Generally speaking, a public key exchange protocol (KE) allows two parties who share no secret information to compute a shared session key over a public channel [DH76]. Due to lack of identity authentication, it’s vulnerable to the man in the middle attack. The authenticated key exchange (AKE) protocols not only generate the session key between two parties, but also ensure authenticity of the involved parties. There are many efficient AKE protocols. Some of them require the users to hold devices, mainly for holding secret keys of a public key system. It is sometimes inconvenient. Therefore it is preferred to establish secure channels on a short memorable secret.

Password-based authenticated key exchange (PAKE) protocols are at-tractive, since each user needs to remember just one password. However, it is hard to design such protocols since low-entropy passwords are vulnerable to malicious dictionary attacks. A secure PAKE protocol should meet the

(13)

following requirements for the dictionary attacks.

• Resilient to on-line dictionary attacks: Even if the active adversary deviates from the protocol arbitrarily, he cannot eliminate a significant number of possible passwords.

• Resilient to off-line dictionary attacks: Any eavesdropper who records the transcripts of one or more sessions cannot eliminate a significant number of possible passwords by examining the recorded transcripts. The on-line dictionary attacks can be easily avoided by the server. The server can reject the connection from the client after a few failure tries of login. So we focus on resilience to the off-line dictionary attacks.

PAKE protocols are also useful under the client-server architecture. In this architecture, the server needs to store the identities of the clients and the corresponding verification values for passwords which are called verifiers. The server can check the validity of incoming messages from the clients via the verifiers. In addition to resilience to the dictionary attacks, the protocols should meet the following security requirements.

• Forward secrecy: The compromise of the long-term keys of a set of prin-cipals does not reveal the session keys established in previous protocol runs involving those principals.

• Resilient to the server compromise: The compromise of the secret in-formation of the server does not compromise the session key established

(14)

in the current session.

The forward secrecy models the case that even the long-term keys are revealed some day, the session keys generated in the old sessions are still safe. This is necessary since we cannot ensure the safety of the long-term keys in a very long period of time. In a risky environment, it is possible that the server is compromised. The adversary may obtain all the information stored in the server. Even if all the information in the server is revealed, the adversary can’t get more information about the current session key.

The security proof for a protocol is essential. The protocols for security purposes should have some sort of security guarantee. We usually give a reduction proof for security of the given protocol. The security of the subject protocol S is reduced to a well-known hard problem P in the sense that if there is an efficient algorithm that can break S, then there is an efficient algorithm to solve P.

1.1

Related Works

Password-based authenticated key exchange (PAKE) has been extensively studied in the last few years. The first PAKE scheme is introduced in 1989 [LGSN89]. The seminal work in this area is the encrypted key exchange protocol (EKE) proposed by Bellovin and Merritt [BM92]. EKE proposes a novel method that using a long-term symmetry key to protect a short-term public key. This method can effectively resist to the off-line

(15)

dictio-nary attacks. The original EKE protocol requires that the server stores the plaintext password in order to decrypt the message sent from the client. Subsequently Bellovin and Merritt propose an augmented EKE protocol (A-EKE) [BM93], which requires the server to store the verifier of the password. Even the adversary compromises the server; he can’t extract the password from the verifier easily. It’s also called the asymmetric protocol. Due to its simplicity and convenience, many proposed protocols are based on A-EKE [Wu98, Kwo01, Mac02, Jab97]. However, the above schemes or improved schemes lack a formal security proof. The first security model for 2-party authenticated key exchange protocols is introduced by Bellare and Rogaway [BR93]. Since then, a number of provable secure protocols and improvements have been proposed [BCP03, Kwo04, WZ06, PNKW07, SCWL07].

The AMP (Authentication via Memorable Password) protocol of Kwon [Kwo01] is a variant of A-EKE. It is also a standard for IEEE P1363. Nev-ertheless, the AMP protocol does not have a formal security proof. Kwon later proposes TP-AMP [Kwo04] which reduced one-round from the original four-round AMP and gives a formal security proof.

1.2

Our Contribution

In this paper, we propose a practical server-triggering password-based au-thenticated key exchange protocol (ST-PAKE). Different from the most of previous protocols, our protocol is the scheme that the server generates the

(16)

short-term information first and is proved secure. In most network protocols, the client and the server run the handshaking protocol before executing the subsequent task. Our protocol is suitable for the following situation. When there are a large number of clients connecting with the server, the server can select which clients to communicate with and efficiently control the flows. It prevents the server from the exhaustion of the computational resources. In contrast, the traditional key exchange protocols are triggered by the client. It may be that a large number of clients triggering the protocol simultaneously. This cause heavy system load.

In addition to the passive dictionary attack, we confront a kind of off-line dictionary attack. We call it active dictionary attack. This attack can be successfully mounted in our PAKE protocols. We modify our ST-PAKE protocol to the ST-ST-PAKE-A, which is designed to resist to the active dictionary attack.

Our protocol is based on the A-EKE protocol. We use the verifier as the long-term secret key to protect the message from the client. The server can use the verifier to decrypt the message and compute the session key. Our scheme is provably secure with forward secrecy and resilience to the server compromise attack under the CDH assumption and the S-CDH assumption in the random oracle model.

(17)

1.3

Organization

The remainder of this thesis is organized as follows. The chapter 2 de-scribes the security model and two security assumptions for our security proof. Chapter 3 introduces our new ST-PAKE protocol for detail. Chapter 4 gives a formal security proof for our ST-PAKE protocol. Chapter 5 dis-cusses the active dictionary and gives the comparison of our ST-PAK protocol with other famous PAKE protocols. Finally, chapter 6 gives a conclusion for this paper.

(18)

Chapter 2

Definition

2.1

Security Model

In this section, we recall the security model of Bellare et al. [BPR00] and Bresson et al. [BCP03] for password-based key exchange protocols.

Participants: We define a set PARTY of users, and partition them into two finite sets CLIENT and SERVER. Each participant in the password-based key exchange protocol is either a client C ∈ CLIENT or a server S ∈ SERVER.

Long-Term keys: Each client C ∈ CLIENT has a secret password πc and

each server S ∈ SERVER has a table which stores the verifiers V (πc) for

passwords . The verifier can be used to verify the client’s password.

Protocol Execution: The capabilities of an adversary A are modeled in the form of oracle queries. For all U ∈ {C, S}, let Ui denote the instance i

(19)

to invoke a party in the protocol, he must create an instance of a party via oracle queries. The query types available to the adversary are as follow:

- Send(M, Ui): This query models the active attack in which the

adver-sary may modify or inject the message on the public channel. The output of this query is a message that the oracle Ui would generate

upon receipt of message M .

- Execute(Ci, Sj): This query models the passive attack in which the

ad-versary eavesdrops on honest execution between a client instance Ci

and a server instance Sj. The output of this query consists of the mes-sages that were exchanged during the honest execution of the protocol. - Reveal(Ui): This query models the compromise of session keys by the adversary. The output of this query is the session key held by the in-stance Ui.

- Corrupt(U ): This query models the compromise of the password (client) or the transformed-password (server) by the adversary, in order to deal with forward secrecy. The output of this query is the password or its verifier.

- Test(Ui): This query models the semantic security of session keys. It

(20)

key. Otherwise, a random value is returned.

Partnering: Two instance Ci and Sj are said to be partners if all of the following condition hold:

(1) Both of Ci and Sj accept.

(2) Ci and Sj share the same session.

(3) The partner identification for Ci is Sj, and vice versa.

(4) No instances other than Ci and Sj accept a partner identification that is equal to Ci and Sj.

Freshness: The notion of freshness is defined to avoid the trivial attacks mounted by the adversary. The adversary can test a fresh session only. We now define two freshness notions fresh and semi-fresh. Note that the fresh is defined only for the case that the server is not compromised and the semi-fresh is defined in order to consider the resistance to server compromise. Furthermore, we add the requirement of the forward secrecy into the above two cases. So we describe all the four combinations respectively.

-An instance Ui is nfs-fresh (fresh with no requirement for forward secrecy)

(21)

(1) a Reveal(Ui) query occurs

(2) a Reveal(Uj) query occurs where Uj is the partner of Ui

(3) a Corrupt(U ) query occurs

-An instance Ui is fs-fresh (fresh with forward secrecy) unless all of the

fol-lowing events do not occur: (1) a Reveal(Ui) query occurs

(2) a Reveal(Uj) query occurs where Uj is the partner of Ui

(3) a Corrupt(U ) query occurs before the Test query and the Send(Ui, M )

query

-An instance Ui is semi-nfs-fresh (semi-fresh with no requirement for forward secrecy) unless all of the following events do not occur:

(1) a Reveal(Ui) query occurs

(2) a Reveal(Uj) query occurs where Uj is the partner of Ui (3) a Corrupt(C) query occurs

(22)

-An instance Ui is semi-fs-fresh (semi-fresh with forward secrecy) unless all

of the following events do not occur: (1) a Reveal(Ui) query occurs

(2) a Reveal(Uj) query occurs where Uj is the partner of Ui

(3) a Corrupt(C) query occurs before the Test query and the Send(Ui, M )

query

(4) a U ∈ CLIENT and Corrupt(S) query occurs before the Test query and the Send(Ui, M ) query

Semantic Security: Consider an execution of the key exchange protocol P by the adversary A, who can given access to the Reveal, Execute, Send oracles and ask a single Test query to a nfs-fresh instance. Then, outputs a guess bit b0. If b0 = b, we say that A wins the game. The advantage of the adversary A in the security game of the AKE protocol is defined as by Advnfs−akeP (A) def= |2 Pr[b = b0] − 1|. Similarly, we also define Advfs−akeP (A), Advs.nfs−akeP (A) and Advs.fs−akeP (A) for the different secure proposes.

(23)

2.2

Security Assumptions

The security proof of our protocol is based on the CDH and S-CDH assump-tions.

Computational Diffie-Hellman Assumption: The CDH assumption states that given gu and gv, where u and v are drawn from Z

p randomly, it is hard

to compute guv.

The CDH assumption is defined formally by considering an Experiment ExpCDHG (A), in which we select two values u and v in Zp, compute U = gu,

and V = gv, and then give U and V to the adversary A. Let Z be the output of A. Then, the Experiment ExpCDHG (A) outputs 1 if Z = guv and 0

other-wise. Then, we define the advantage of A in violating the CDH assumption as AdvCDH

G (A) = Pr[Exp CDH

G (A) = 1] and the advantage function Adv CDH

G (t),

as the maximum value of AdvCDHG (A) over all A with time-complexity at most t.

Strong-CDH Assumption: The strong-CDH assumption (S-CDH) states that given gu and gv, where u and v are drawn randomly from Z

p, it is hard

to compute the pair (Q, T ) with Q = (gTuv)u ,and T is an arbitrary value.

The S-CDH assumption is defined formally by considering an Experiment ExpxxxG (A), in which we select two values u and v in Zp, compute U = gu,

(24)

output of A. Then, the Experiment ExpS-CDH

G (A) outputs 1 if Q = ( T guv)u

and 0 otherwise. Then, we define the advantage of A in violating the S-CDH assumption as AdvS-CDHG (A) = Pr[ExpS-CDHG (A) = 1] and the advantage function AdvS-CDHG (t), as the maximum value of AdvS-CDHG (A) over all A with time-complexity at most t.

(25)

Chapter 3

The Server-triggering

Password-based Authenticated

Key Exchange Protocol

Our protocol uses a cyclic group G = hgi of order a k-bit prime number q and four hash functions, h0 : {0, 1}∗ → {0, 1}k and Hi : {0, 1}∗ → {0, 1}k

0

, i ∈ {0, 1, 2}, where k and k0 are security parameters.

As shown in Figure 3.1, the protocol runs between a client C and a server S. The client C holds the password π and the server S holds the correspond-ing verifier γ. We assume that the password is a low-entropy strcorrespond-ing that is chosen uniformly from the password space Λ with size |Λ| = N . The public information, such as the group G, the generator g and the hash functions are known to all participants. Note that all computations are in G except for stating otherwise.

(26)

The protocol consists of three flows and is initiated by the server.

1. The server S chooses a random value y, sets Y = gy, and then sends

(Y, C) to the client C.

2. After receiving (Y, C) from S, C chooses a random value x and sets X∗ = (Y X)u with X = gx. To obtain the DH value, C computes α = Yu·x and sets V

C = H0(C, S, X∗, Y α, γ) as the authenticator. We can

see that X∗ depends on the previous flow from S. Finally, ((X∗, VC), S)

is sent to S.

3. On receiving ((X∗, VC), S), S computes the DH value β = (X∗/γy)y

and checks whether VC ?

= H0(C, S, X∗, Y, β, γ). If they are not equal,

S aborts the session. Otherwise, S computes VS = H1(C, S, X∗, Y, β, γ)

as its authenticator. Finally, (VS, C) is sent to C. After this step, S

computes the session key SKS = H2(C, S, X∗, Y, β, γ).

4. On receiving the S’s authenticator, C checks whether VS = H1(C, S, X∗, Y, α, γ).

If they are not equal, C aborts the session. Otherwise, C computes the session key SKS = H2(C, S, X∗, Y, α, γ).

(27)

Client(C) Server(S) π γ,where γ = gu = gh0(C,π) y ∈RZ∗q Y = gy Y,C ←−− x ∈RZ∗q X = gx u = h0(C, π), γ = gu X∗ = (Y X)u α = Yu·x VC = H0(C, S, X∗, Y, α, γ) (X∗,VC),S −−−−−−→ β = (X∗/γy)y VC0 = H0(C, S, X∗, Y, β, γ) verify VC = VC0? VS = H1(C, S, X∗, Y, β, γ) VS,C ←−−− VS0 = H1(C, S, X∗, Y, α, γ) verify VS ? = VS0 SKC = H2(C, S, X∗, Y, α, γ) SKS = H2(C, S, X∗, Y, β, γ)

(28)

Chapter 4

Security Proof

In this section, we prove that our protocol is secure in the random oracle model by using the CDH assumption and the S-CDH assumption. We use the security model mentioned before and accomplish our proof with the semantic security goal.

Theorem 1. Let P be the ST-PAKE protocol in Figure 3.1. with a uni-formly distributed dictionary of size |Λ| = N . A is the adversary who makes qsend queries to Send oracle, qexe queries to Execute oracle, and qhash queries

to Hash oracles. Denote t0 the running time of the CDH-solver and t” the running time of the S-CDH-solver. Then the advantage of the adversary A is bounded by:

AdvakeP (A) ≤ 2qro(qsend+ qexe) · (AdvCDHGq (t0, qro) + AdvS-CDHGq (t”, qro))

+ 2qsend N + (qsend+ qexe)2 q − 1 + (qro+ qsend)2 2k0

(29)

Proof. We incrementally define a sequence of games starting at the real at-tack game G0 and ending up at game G7. In the final stage, we give a bound

for AdvakeP (A) by using the triangle inequality to sum up the probability in each pair of neighboring games.

Game G0: This game represents the real attack game in the random oracle

model. The oracles are defined previously that including four hash oracles (h0, H0, H1, H2) and all instances Ci and Sj can be available to adversary.

We define the success event in the game Gn:

-Succn: This event occurs if b = b0, where b is the bit involved in the

Test query, and b0 is the output of the adversary after the Test game. In other word, this event means that the adversary wins the semantic game. By definition,

AdvakeP (A)def= 2 Pr[Succ0] − 1.

Game G1: In this game, we simulate all the hash oracles for each query. We

maintain three hash lists Lh, LH and LAin order to the reason of consistency.

The former two lists are used for random queries to hash oracles and the latter is used for hash queries asked by the adversary. Another list LP is used to

record the sending message between the instance Ci and Sj. We also simulate all the queries to any instance, including Send, Execute, Reveal, Corrupt and

(30)

Test queries. The rules for the simulation are described in Figure 4.2. Note that we omit descriptions of recording for oracle answers in the figure.

From this simulation, we can easily see that the transcript distribution of the game is identical to that of the real attack game in the random oracle model. Thus we have:

Pr[Succ1] = Pr[Succ0].

Game G2: This is the game to avoid the collision occurring in Y or X∗ and

in the hash queries asked by the adversary. In other words, if Y or X∗ is randomly generated by honest parties and appeared in the old session of the protocol, the execution is aborted. Since either Y or X∗ was simulated by choosing them randomly, according to the birthday paradox, the probability of collisions is bounded by (qsend+qexe)2

2(q−1) . Also we modify the simulation of the

hash oracle queries so that if hi, ∗, ri ∈ LA for a random value r ∈ {0, 1}k

0

, then we abort the game with probability bounded by qro2

2k0+1.

The two games G2 and G1 are identical except for the above-mentioned

collisions case. Thus the distance between G2 and G1 is:

| Pr[Succ2] − Pr[Succ1]| ≤

(qsend+ qexe)2

2(q − 1) + qro2

2k0+1.

Game G3: In this game, we exclude the case that the adversary has been

(31)

corre--Hi(q) with i ∈ {0, 1, 2} -Execute(Ci, Sj)

Ifhi, q, ri /∈ Lh (Y, Ci) ←Send(Start, Sj)

r← {0, 1}R k0 ((X, V

C), Sj) ←Send(Y, Ci)

Add hi, q, ri to Lh (VS, Ci) ← Send((X∗, VC), Sj)

If the query was asked by A Send(VS, Ci)

Add hi, q, ri to LA Return((Y, Ci), ((X∗, VC), Sj), (VS, Ci))

Return r -Send(Start, Sj) -Send((X∗, VC), Sj) y← ZR q∗ β ← (X∗/γy)y Y ← gy V0 C ← H1(C, S, X∗, β, γ) Return(Y, Ci) If VC = VC0 VS = H2(C, S, X∗, Y, β, γ) Return(VS, Ci) SKS ← H3(C, S, X∗, Y, β, γ) Terminate -Send(Y, Ci) -Send(V S, Ci) x← ZR q∗ VS0 = H2(C, S, X∗, Y, α, γ) X ← gx If V S = VS0 u ← H0(C, π) SKC ← H2(C, S, X∗, Y, α, γ) X∗ ← (Y X)u Terminate α ← Yu·x VC ← H1(C, S, X∗, Y, α, γ) Return((X∗, VC), Sj) -Test(Ui) -Corrupt(U ) SKU ←Reveal(U ) If U = C b← {0, 1}R Return π SKU R ← {0, 1}k0 Else if U = S Return SKU u ← H0(C, π) γ ← gu Return γ -Reveal(Ui) Return SKU

(32)

sponding random oracles. For this reason, we slightly modify the rule of the Send queries.

When invoking the Send((X∗, VC), Sj) query, the server first checks whether

h1, C, S, X∗, Y, β, γ, V

Ci ∈ LA or h(Y, C), ((X∗, VC), S), ∗i ∈ LP. If both tests

fail, the server terminates without accepting.

Similarly, when invoking the Send((VS, Ci) query, the client first checks

whether if h1, C, S, X∗, Y, α, γ, VSi ∈ LA or h(Y, C), ((X∗, VC), S), (VS, C)i ∈

LP. If both tests fail, the client terminates without accepting. This

modifi-cation ensures that the authenticator VC and VS must be generated by the

simulator via correct random oracle queries.

Games G3 and G2 are identical unless the server (client) aborts without

accepting the authenticator VC(VS). This event happens only if the adversary

has been lucky in guessing the correct value VC(VS) without querying the

corresponding random oracle. So the distance between G3and G2is bounded

by:

| Pr[Succ3] − Pr[Succ2]| ≤

qsend

2k0 .

Game G4: In this game, we exclude the case that the adversary has been

lucky in guessing the verifier u without querying the corresponding random oracle. We slightly modify the process of the hash oracle by adding an extra test before returning the random value.

(33)

When the Hi(C, S, X∗, Y, ∗, γ)(i ∈ {0, 1, 2}) query is asked by the

adver-sary and h0, C, π, ui ∈ Lh, it must be checked whether h0, C, π, ui /∈ LA. In

this case, the game will abort. This game ensures that the value u must be derived from π by the random oracle. Games G4 and G3 are identical unless

the adversary has correctly guessed the value u without asking the oracle. So we have:

| Pr[Succ4] − Pr[Succ3]| ≤

qro

2k0.

Game G5: This game simulates the case that a correct password guess is

made by the adversary without using a Corrupt query and he furthermore asks Execute queries, then he succeeds in solving the session key by asking the hash query. We use a reduction from the CDH assumption to prove that the probability of this case is negligible.

Given a random CDH input (A, B) with A ← ga and B ← gb, the CDH-solver uses A as a subroutine to solve the CDH problem and outputs CDH(A, B) = gab. We archive this goal by modifying the oracle answers, as shown in Figure 4.3. Note that the list LCDH is used to record the candidates

of the CDH output.

Under the random oracle model, the adversary must query the hash oracle to win the game. We except that the element of the hash oracle input Ω is

(34)

-Execute(Ci, Sj) H

i(C, S, X∗, Y, Ω, γ) with i ∈ {0, 1, 2}

Y ← A If h (Y, C), ((X∗, VC), S), (VS, C)i ∈ LP

and

ϕ← ZR q∗ h0, C, π, ui ∈ LA without asking

Cor-rupt(C)

X∗ ← (AB)ϕ Adding Z = Ω−1ϕ to the L

CDH

VC, VS R

← {0, 1}k0

Else

Return h (Y, C), ((X∗, VC), S), (VS, C)i The game aborts

Figure 4.3: Simulation of th game G5.

equal to CDH(A, B)ϕ. The correct CDH output Z is picked up from the list

LCDH with the probability at least q1

ro. We denote t

0 the running time of the

CDH-solver. Games G5 and G4 are indistinguishable unless the game aborts.

So we have:

| Pr[Succ5] − Pr[Succ4]| ≤ qro· AdvCDHGq (t0, qro).

Game G6: In this game, we exclude the case that if the adversary has

been lucky in guessing the password π without using a Corrupt query and he furthermore asks the Send queries. Since the password is the only secret information in the PAKE protocol, we disallow this case to happen. For this reason, we slightly modify the process of the Send query by adding an extra test.

(35)

h1, C, S, X∗, Y, β, γ, V

Ci ∈ LA or h(Y, C), ((X∗, VC), S), ∗i ∈ LP. If both tests

fail, the server terminates without accepting. Otherwise, check if h0, C, π, ui ∈ LA and the Corrupt query has not been asked. If this is the case, we abort

the game.

Similarly, when invoking the Send((VS, Ci) query, the client first checks

that if h1, C, S, X∗, Y, α, γ, VSi ∈ LA or h(Y, C), ((X∗, VC), S), (VS, C)i ∈ LP.

If both tests fail, the client terminates without accepting. Otherwise, check if h0, C, π, ui ∈ LA and the Corrupt query has not been asked. If this is the

case, we abort the game. This modification ensures that the correct password must be obtained via Corrupt query. The two games G6 and G5 are perfectly

indistinguishable unless the adversary has correctly guessed the password without asking a Corrupt query and made the Send query. Hence,

| Pr[Succ6] − Pr[Succ5]| ≤

qsend

N .

Now we partition the game G7 into two independent sub-games foe the

two secure requirements, forward secrecy and server compromise.

Game G7.1(forward secrecy): In this game, we consider the forward secrecy.

We need to ensure that old session keys still security after the LL-key is compromised. By the definition of freshness, the Corrupt(C) query was made

(36)

by an adversary after the Test query but in the old game. We modify the current game to another corrupted game in a way to reply with old transcripts when an Execute query is asked. This situation is similar to G5. The only

different thing is that how does the adversary obtain the password. In this game, the adversary obtains the password by means of making a Corrupt(C) query, instead of lucky guessing in G5. Since the simulator needs to consider

the overhead of choosing the transcripts from the old sessions, the success probability of the adversary is bounded by (qsend+ qexe)qro· AdvCDHGq (t

0, q ro).

So we have:

| Pr[Succ7.1] − Pr[Succ6]| ≤ (qsend+ qexe)qro· AdvCDHGq (t0, qro).

Game G7.2 (server compromise): In this game, we consider the case that

server is compromised. In order to resist to server compromise, we allow the adversary to make a Corrupt(S) query before the Test query (Test(Sj) only)

in our proof by the definition of semi-freshness. We modify the current game to another semi-corrupted game in the following ways. We discuss two cases that the adversary invokes the Execute queries or the Send queries. Note that the adversary obtains the value γ in the semi-corrupted game.

• If the adversary invokes the Execute query, then he succeeds in solving the session key by asking the hash query. We use a reduction from

(37)

the CDH problem to prove that the probability of this case occurs is negligible.

Given a random CDH input (A, B) with A ← gaand B ← gb, the

CDH-solver uses A as a subroutine to solve CDH and outputs CDH(A, B) = gab. We achieve this goal by modifying the oracle answers, as shown in

Figure 4.4.

Under the random oracle model, the adversary must query the hash oracle to win the game. We except that the element of the hash ora-cle input Ω is equal to CDH(A, B)u. It is similar to the game G

5, we

could observe that this event may happen with probability bounded by qro· AdvCDHGq (t0, qro).

-Execute(Ci, Sj) Hi(C, S, X∗, Y, Ω, γ) with i ∈ {0, 1, 2}

Y ← A If h (Y, C), ((X∗, VC), S), (VS, C)i ∈ LP and

X∗ ← (AB)u Corrupt(S) has been queried

VC, VS R

← {0, 1}k0

Adding Z = Ωu1 to the LCDH

Return h (Y, C), ((X∗, VC), S), (VS, C)i Else

Same as the previous rules. Figure 4.4: Simulation of the case 1 of the game G7.2.

• If the adversary invokes the Send query, we use a reduction from the S-CDH problem.

(38)

the S-CDH-solver uses A as a subroutine to solve S-CDH and out-puts S-CDH(U, V ) = (Q, T ) with Q = (gTuv)u and T is a arbitrary

value. We achieve this goal by modifying the oracle answers, as shown in Figure 4.5. We denote t” the running time of the S-CDH-solver. It is clear that this event may happen with probability bounded by qro· AdvS-CDHGq (t”, qro).

-Corrupt(U ) Hi(C, S, T, Y, Q, γ) with i ∈ {0, 1, 2}

If U = C If h (V, C), ((T, Q), S), ∗i /∈ LP

abort Adding Z = Q to the LS-CDH

Else if U = S Else

γ ← U Same as the previous rules. Return γ

-Send(Start, Sj) Y ← V

Return(Y, Ci)

Figure 4.5: Simulation of the case 2 of the game G7.2.

Combine these two cases, we have : | Pr[Succ7.2] − Pr[Succ6]| ≤ qro(AdvCDHGq (t

0

(39)

Summary: By the triangle inequality, we have AdvakeP (A) ≤ 2P7

i=0| Pr[Succi+1]−

Pr[Succi]| and, thus:

AdvakeP (A) ≤ 2qro(qsend+ qexe) · (AdvCDHGq (t

0 , qro) + AdvS-CDHGq (t”, qro)) + 2qsend N + (qsend+ qexe)2 q − 1 + (qro+ qsend)2 2k0

(40)

Chapter 5

Discussion

5.1

Other security issues

The traditional off-line dictionary attacks are mounted by a passive adver-sary who eavesdrops protocol messages and then goes off-line to perform the password search. In this section we consider another kind of off-line dictio-nary attacks. We call it the active dictiodictio-nary attacks. This attack happens when the adversary impersonates the client (server) and communicates with the server (client). Then the adversary can obtain the messages from the server (client) and try to mount the off-line dictionary attacks by using the received information.

We consider the adversary impersonates the server and communicate with an honest client in our ST-PAKE protocol. The adversary can mount the active dictionary attacks by the following steps.

1. The adversary guesses a password π0 and computes γ0 = gu0 = gh0(C,π0).

(41)

to the client.

3. In the second flow, the client responds the X∗ and VC to the adversary.

4. The adversary computes the VC0 = H0(C, S, X∗, Y0, (X

γ0y0)

y0

, γ0) and compares it with VC.

5. The adversary repeats the step 1 and 4 until he finds a password π such that VC0 = VC.

We can see that the adversary mounts an active attack and obtains the password information from an honest client. Then he can try all possible passwords and verify them in private by using the received password infor-mation. This is a successful off-line dictionary attack.

The active dictionary attacks can be partitioned into two cases, the adver-sary impersonates the client or the server. It depend on the first authentica-tion value is sent by the client or the server. If the first authenticaauthentica-tion value is sent by the client, then the adversary can try to impersonate the server. The ST-PAKE is in this case. Because the first authentication value VC is

sent by the client. The adversary can obtain this information and mount the dictionary attacks.

We modify our ST-PAKE to the ST-PAKE-A which can resist to the ac-tive dictionary attacks. In the first flow, the server sends Y∗ = Y ⊕ γ instead of Y . And the client computes Y = Y∗⊕ γ after receiving Y∗. This

(42)

the active dictionary attacks successfully. He only can probably eliminate at most one candidate password from consideration per Send query. The complete ST-PAKE-A is shown in Figure 5.1.

Client(C) Server(S) π γ,where γ = gu = gh0(C,π) y ∈RZ∗q Y = gy Y∗ = Y ⊕ γ Y∗,C ←−−− x ∈RZ∗q X = gx u = h0(C, π), γ = gu Y = Y∗⊕ γ X∗ = (Y X)u α = Yu·x VC = H0(C, S, X∗, Y, α, γ) (X∗,VC),S −−−−−−→ β = (X∗/γy)y VC0 = H0(C, S, X∗, Y, β, γ) verify VC = VC0? VS = H1(C, S, X∗, Y, β, γ) VS,C ←−−− VS0 = H1(C, S, X∗, Y, α, γ) verify VS ? = VS0 SKC = H2(C, S, X∗, Y, α, γ) SKS = H2(C, S, X∗, Y, β, γ)

(43)

5.2

Comparison

The comparison with other protocols is given in Figure 5.2. Only the asym-metric protocols are compared. We consider three factors: the number of flows, the number of exponentiations executed by the client and the server.

The mentioned protocols are all completed in three rounds or four rounds. We can see that AMP [Wu98] is the most efficient protocol because it has the minimum computational overhead mostly. But it doesn’t have a formal security proof. TP-AMP [Kwo04] reduces one-round from the original four-round AMP and gave a formal security proof. Our protocol is a little bit inefficient than the TP-AMP protocol and same as the SRP [Wu98]. PAK-Y [Mac02] using the Schnorr signature for the authentication. So it needs more exponential operations for the signature. SCWL07 [SCWL07] is a PAKE protocol without public information. The all public information such as the prime, the group and the generator will be chosen by the client and sent to the server on the first flow. So this protocol is inefficient than other PAKE protocols.

The above protocols are all triggered by the client. However, our protocol is triggered by the server. This is the most different feature from others.

(44)

Number Number Number Security Triggering of of Exp. of Exp. proof side flows (client) (server)

AMP [Wu98] 4 2 3 No client SRP [Kwo01] 4 3 3 No client PAK-Y [Mac02] 3 5 3 No client TP-AMP [Kwo04] 3 2 3 Yes client SCWL07 [SCWL07] 4 4 5 Yes client ST-PAKE 3 3 3 Yes server

(45)

Chapter 6

Conclusion

In this paper, we propose a practical server-triggering password-based au-thenticated key exchange protocol. Different from most previous protocols, our protocol is the new scheme in which the server generates the short-term information first. This idea has a special feature that is useful for the client-server communication architecture. We also consider the active dictionary attack and given an improved version. Furthermore, we provide a formal security proof of our scheme under the CDH assumption and the S-CDH assumption in the random oracle model.

(46)

Bibliography

[AP05] Michel Abdalla and David Pointcheval. Simple password-based encrypted key exchange protocols. In Alfred Menezes, editor, CT-RSA, volume 3376 of Lecture Notes in Computer Science, pages 191–208. Springer, 2005.

[BCP03] Emmanuel Bresson, Olivier Chevassut, and David Pointcheval. Security proofs for an efficient password-based key exchange. In Sushil Jajodia, Vijayalakshmi Atluri, and Trent Jaeger, editors, ACM Conference on Computer and Communications Security, pages 241–250. ACM, 2003.

[BCP04] Emmanuel Bresson, Olivier Chevassut, and David Pointcheval. New security results on encrypted key exchange. In Feng Bao, Robert H. Deng, and Jianying Zhou, editors, Public Key Cryp-tography, volume 2947 of Lecture Notes in Computer Science, pages 145–158. Springer, 2004.

[BM92] Steve M. Bellovin and Michael Merritt. Encrypted key exchange: Password-based protocols secure against dictionary attacks. In

(47)

IEEE Computer Society Symposium on Research in Security and Privacy, May 1992, Oakland, CA, pages 72–84, 1992.

[BM93] Steven M. Bellovin and Michael Merritt. Augmented encrypted key exchange: A password-based protocol secure against dic-tionary attacks and password file compromise. In ACM Confer-ence on Computer and Communications Security, pages 244–250, 1993.

[BM03] Colin Boyed and Anish Mathuria. Protocols for Authentication and Key Establishment. Springer-Verlag Berlin Heidelberg New York, 2003.

[BMP00] Victor Boyko, Philip D. MacKenzie, and Sarvar Patel. Prov-ably secure password-authenticated key exchange using diffie-hellman. In EUROCRYPT, pages 156–171, 2000.

[BPR00] Mihir Bellare, David Pointcheval, and Phillip Rogaway. Authen-ticated key exchange secure against dictionary attacks. In EU-ROCRYPT, pages 139–155, 2000.

[BR93] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In Douglas R. Stinson, editor, CRYPTO, vol-ume 773 of Lecture Notes in Computer Science, pages 232–249. Springer, 1993.

(48)

[CK01] Ran Canetti and Hugo Krawczyk. Analysis of key-exchange pro-tocols and their use for building secure channels. In Birgit Pfitz-mann, editor, EUROCRYPT, volume 2045 of Lecture Notes in Computer Science, pages 453–474. Springer, 2001.

[DH76] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654, 1976.

[GLNS93] Li Gong, T. Mark A. Lomas, Roger M. Needham, and Jerome H. Saltzer. Protecting poorly chosen secrets from guessing attacks. IEEE Journal on Selected Areas in Communications, 11(5):648– 656, 1993.

[Jab97] David P. Jablon. Extended password key exchange protocols im-mune to dictionary attacks. In WETICE, pages 248–255. IEEE Computer Society, 1997.

[Kwo01] Taekyoung Kwon. Authentication and key agreement via mem-orable passwords. In NDSS. The Internet Society, 2001.

[Kwo04] Taekyoung Kwon. Practical authenticated key agreement using passwords. In Kan Zhang and Yuliang Zheng, editors, ISC, vol-ume 3225 of Lecture Notes in Computer Science, pages 1–12. Springer, 2004.

(49)

[LGSN89] T. Mark A. Lomas, Li Gong, Jerome H. Saltzer, and Roger M. Needham. Reducing risks from poorly chosen keys. In SOSP, pages 14–18, 1989.

[Mac01] Philip D. MacKenzie. More efficient password-authenticated key exchange. In David Naccache, editor, CT-RSA, volume 2020 of Lecture Notes in Computer Science, pages 361–377. Springer, 2001.

[Mac02] Philip MacKenzie. The pak suite: Protocols for password-authenticated key exchange. In IEEE P1363.2, 2002.

[PNKW07] Sangjoon Park, Junghyun Nam, Seungjoo Kim, and Dongho Won. Efficient password-authenticated key exchange based on rsa. In Masayuki Abe, editor, CT-RSA, volume 4377 of Lecture Notes in Computer Science, pages 309–323. Springer, 2007. [SCWL07] Jun Shao, Zhenfu Cao, Licheng Wang, and Rongxing Lu.

Effi-cient password-based authenticated key exchange without pub-lic information. In Joachim Biskup and Javier Lopez, editors, ESORICS, volume 4734 of Lecture Notes in Computer Science, pages 299–310. Springer, 2007.

[Wu98] Thomas D. Wu. The secure remote password protocol. In NDSS. The Internet Society, 1998.

(50)

[WZ06] Shuhua Wu and Yuefei Zhu. Practical password-based authen-ticated key exchange protocol. In Yuping Wang, Yiu ming Che-ung, and Hailin Liu, editors, CIS, volume 4456 of Lecture Notes in Computer Science, pages 523–533. Springer, 2006.

數據

Figure 3.1: The ST-PAKE protocol.
Figure 4.2: Simulation of the oracle queries.
Figure 4.3: Simulation of th game G 5 .
Figure 4.4: Simulation of the case 1 of the game G 7.2 .
+4

參考文獻

相關文件

• A put gives its holder the right to sell a number of the underlying asset for the strike price.. • An embedded option has to be traded along with the

zero-coupon bond prices, forward rates, or the short rate.. • Bond price and forward rate models are usually non-Markovian

• P u is the price of the i-period zero-coupon bond one period from now if the short rate makes an up move. • P d is the price of the i-period zero-coupon bond one period from now

Too good security is trumping deployment Practical security isn’ t glamorous... USENIX Security

 Promote project learning, mathematical modeling, and problem-based learning to strengthen the ability to integrate and apply knowledge and skills, and make. calculated

Using this formalism we derive an exact differential equation for the partition function of two-dimensional gravity as a function of the string coupling constant that governs the

O.K., let’s study chiral phase transition. Quark

Courtesy: Ned Wright’s Cosmology Page Burles, Nolette & Turner, 1999?. Total Mass Density