Computers and Mathematics with Applications 49 (2005) 703-714
www.elsevier.com/locate/camwa
Simple Authenticated Key Agreement and Protected Password Change Protocol
Ting-Yi Chang and Wei-Pang Yang
Department of Computer and Information Science, National Chiao Tung University, 1001 Ta Hsueh Road, Hsinchu, Taiwan, R.O.C.
Min-Shiang Hwang*
Department of Management Information System, National Chung Hsing University, 250 Kuo Kuang Road, 402 Taichung, Taiwan, R.O.C.
mshwang@nchu.edu.tw
(Received January 2003; revised and accepted November 2004)
Abstract. In this article, we present an authenticated key agreement protocol which is a modified and faster version of the Yeh-Sun scheme. Compared with the latest Kobara-Imai scheme, our scheme takes fewer steps and less computation cost. We also propose a protected password change protocol that allows users to change their own passwords freely. © 2005 Elsevier Ltd. All rights reserved.

Keywords: Cryptography, Password authentication, Key exchange, Key agreement.
1. INTRODUCTION
The rapid progress of networks lets more and more computers connect to exchange large amounts of information and share system resources. A session key is established to provide confidentiality of communication over an open network. The famous Diffie-Hellman key agreement scheme [1] is used to establish a session key between two parties over an insecure network. However, the scheme is vulnerable to the man-in-the-middle attack, because an adversary can impersonate party A to party B and vice versa. User authentication therefore plays an important role in making the Diffie-Hellman scheme secure.
In 1998, Law et al. [2] proposed the MQV protocol, which is protected under the public key infrastructure (PKI). Smart [3] and Yi [4] further proposed identity-based authenticated key agreement protocols based on the Weil pairing to obtain lower communication overhead and less computation complexity. However, these schemes involve certificate management, public-key computation, and the additional communication overhead caused by digital signatures. Because of the convenience of passwords, such as natural language phrases that people can recognize without any assisting devices, password authentication schemes are simple and practical solutions to user identification.

This research was partially supported by the National Science Council, Taiwan, R.O.C., under Contract No. NSC 90-2213-E-324-004.
*Author to whom all correspondence should be addressed.
0898-1221/05/$ - see front matter © 2005 Elsevier Ltd. All rights reserved.
By combining a preshared password with the Diffie-Hellman scheme, Seo and Sweeney [5] proposed a simple authenticated key agreement (SAKA) protocol that needs no symmetric cryptosystem (such as DES [6,7], Rijndael [8], and others [9]) or asymmetric cryptosystem (such as RSA [10,11], ElGamal [12,13], etc.). Two parties online use the preshared password to authenticate each other and apply the Diffie-Hellman scheme to establish a session key. Unfortunately, passwords are weak secrets because they come from a rather limited set of possibilities, so they are vulnerable to password guessing attacks (dictionary attacks). Sun [14], Tseng [15], and Lu et al. [16] separately showed that the Seo-Sweeney SAKA scheme is insecure against the replay attack and the off-line password guessing attack. At the same time, Lin et al. [17] and Tseng [15] separately proposed improvements on the Seo-Sweeney SAKA scheme to withstand these attacks. However, Hsieh et al. [18] pointed out that Lin et al.'s scheme is still vulnerable to the off-line password guessing attack. Ku and Wang [19] showed that Tseng's scheme is vulnerable to the backward replay attack [20] and the modification attack, and gave an improvement on Tseng's scheme at the same time.

In 2004, Yang et al. [21] examined all SAKA-related schemes [5,15,17,19] and mounted a modification attack on them that cheats the two parties into accepting a wrong session key. Table 1 summarizes the security of these schemes. Recently, Yeh and Sun [22] and Kobara and Imai [23] also combined the preshared password technique with the Diffie-Hellman scheme to achieve the same purpose as the SAKA scheme. Both schemes withstand the attacks shown in Table 1 and provide perfect forward secrecy [24]. Lee et al. [25] further proposed a parallel version of the Yeh-Sun scheme, in which the two parties compute their protocol messages simultaneously. In fact, the scheme still requires one party to send the request message first so that the other knows to prepare the reply; hence the protocol is not truly parallel.

In this paper, we present a simpler authenticated key agreement protocol obtained by modifying the Yeh-Sun scheme, and a new protected password change protocol which, unlike the previously proposed schemes [5,15,17,19,22,23] where the parties cannot arbitrarily change their own passwords, lets users change their passwords at will. Compared with the latest Kobara-Imai scheme, our key agreement protocol takes fewer steps and less computation cost. Moreover, we not only give a heuristic security analysis but also a formal proof in the model of Bellare, Pointcheval and Rogaway (the BPR model for short) [26]. The provable security is demonstrated by reduction (see [26] for a more detailed description). The remainder of this paper is organized as follows. In the next section, we briefly review the Kobara-Imai scheme. Our modified Yeh-Sun key agreement protocol and the new protected password change protocol are presented in Section 3. The security of our schemes is analyzed in Section 4. We compare the performance of our key agreement protocol with that of the Kobara-Imai scheme in Section 5. Finally, concluding remarks are made in Section 6.

Table 1. Summary of related schemes in SAKA.

                                       Seo-Sweeney [5]   Tseng [15]    Lin et al. [17]   Ku-Wang [19]
Withstand man-in-the-middle attack     Yes               Yes           Yes               Yes
Withstand dictionary attack            *No [14,16]       *No [21]      *No [18]          *No [21]
Withstand replay attack                *No [15]          Yes           Yes               Yes
Withstand backward replay attack       *No [19]          *No [19]      Yes               Yes
Withstand modification attack          *No [21]          *No [19,21]   *No [21]          *No [21]
Provide perfect forward secrecy        *No [14]          Yes           Yes               *No [21]

*No [reference]: [reference] points out that the scheme cannot withstand the attack or does not achieve perfect forward secrecy.
2. REVIEW OF THE KOBARA-IMAI SCHEME

The system publishes two large primes p and q such that q divides p - 1. Let $g_1$ and $g_2$ be two generators of order q in the Galois field GF(p) [23]. Assume that Alice and Bob share a secret password pw and three predetermined distinct values $Tag_A = (id_A \,\|\, id_B \,\|\, 01)$, $Tag_B = (id_A \,\|\, id_B \,\|\, 10)$ and $Tag_{AB} = (id_A \,\|\, id_B \,\|\, 11)$, where $id_A$ and $id_B$ are the identities of Alice and Bob, respectively, and $\|$ denotes concatenation. Their key agreement protocol consists of the following steps.

Step 1. Alice → Bob: $R_A$
Alice chooses a random number $a \in [1, q-1]$, computes $R_A = g_1^a \cdot g_2^{pw} \bmod p$, and sends $R_A$ to Bob.

Step 2. Bob → Alice: $R_B$
Bob chooses a random number $b \in [1, q-1]$, computes $R_B = g_1^b \cdot g_2^{pw} \bmod p$, and sends $R_B$ to Alice. Alice and Bob use the received $R_B$ and $R_A$ to compute $K_A = (R_B \cdot g_2^{-pw})^a \bmod p$ and $K_B = (R_A \cdot g_2^{-pw})^b \bmod p$, respectively.

Step 3. Alice → Bob: $MAC_{K_A}(Tag_A \,\|\, R_A \,\|\, R_B)$
Alice computes $MAC_{K_A}(Tag_A \,\|\, R_A \,\|\, R_B)$ and sends it to Bob, where $MAC_K(\cdot)$ is a message authentication code [27] keyed with the keying material K.

Step 4. Bob → Alice: $MAC_{K_B}(Tag_B \,\|\, R_A \,\|\, R_B)$
Bob computes $MAC_{K_B}(Tag_B \,\|\, R_A \,\|\, R_B)$ and sends it to Alice. Alice verifies whether the received $MAC_{K_B}(Tag_B \,\|\, R_A \,\|\, R_B)$ equals $MAC_{K_A}(Tag_B \,\|\, R_A \,\|\, R_B)$, and Bob verifies whether the received $MAC_{K_A}(Tag_A \,\|\, R_A \,\|\, R_B)$ equals $MAC_{K_B}(Tag_A \,\|\, R_A \,\|\, R_B)$. If both equations hold, Alice and Bob agree on the common session key $Key = MAC_{K_A}(Tag_{AB} \,\|\, R_A \,\|\, R_B) = MAC_{K_B}(Tag_{AB} \,\|\, R_A \,\|\, R_B)$, where $K_A = K_B = g_1^{ab} \bmod p$.

3. OUR PROPOSED SCHEMES
In this section, we present our key agreement protocol and our protected password change protocol, in that order, in the following subsections.
3.1. Simple Authenticated Key Agreement Protocol
Here, the same parameters {p, q, pw} as in the Kobara-Imai scheme are used, but only one generator g of order q in GF(p) is used in our schemes.

Step 1. Alice → Bob: $R_A \oplus pw$
Alice chooses a random number $a \in [1, q-1]$, computes $R_A = g^a \bmod p$, and sends $R_A \oplus pw$ to Bob, where $\oplus$ denotes the exclusive-or operator.

Step 2. Bob → Alice: $R_B \,\|\, H(K_B, R_A)$
After receiving $R_A \oplus pw$, Bob recovers $R_A$ by computing $(R_A \oplus pw) \oplus pw$. Then Bob chooses a random number $b \in [1, q-1]$, computes $R_B = g^b \bmod p$ and $K_B = R_A^b = g^{ab} \bmod p$, and sends $R_B \,\|\, H(K_B, R_A)$ to Alice, where H(·) is a secure one-way hash function.

Step 3. Alice → Bob: $H(K_A, R_B)$
After receiving $R_B \,\|\, H(K_B, R_A)$, Alice computes $K_A = R_B^a = g^{ab} \bmod p$ and verifies whether the received $H(K_B, R_A)$ equals $H(K_A, R_A)$. If it does, Alice computes $H(K_A, R_B)$ and sends it to Bob.

After receiving $H(K_A, R_B)$, Bob verifies whether it equals $H(K_B, R_B)$. If it does, Alice and Bob agree on the common session key $Key = H(K_A) = H(K_B) = H(g^{ab} \bmod p)$.
The difference between the original Yeh-Sun scheme and ours is that Bob sends $R_B \,\|\, H(K_B, R_A)$ to Alice in our scheme, whereas the message is $(R_B \oplus pw) \,\|\, H(K_B, R_A)$ in the Yeh-Sun scheme. Since only Bob, who knows pw, can recover $R_A$ and hence compute a valid $H(K_B, R_A)$ in Step 2, $R_B$ need not be XORed with pw and can be sent to Alice directly. Hence Bob's computation is reduced by one XOR operation, and so is Alice's, since she no longer computes $(R_B \oplus pw) \oplus pw$ to recover $R_B$.
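Both exchanges, the Kobara-Imai scheme of Section 2 and the proposed protocol of Section 3.1, with both parties' messages and checks, as an added example in Python; this is not code from the paper. The demo group (p = 2039, q = 1019, g1 = 4, g2 = 9), SHA-256 as H(·), HMAC-SHA-256 as $MAC_K(\cdot)$ and the length-prefixed field encoding are assumptions made for the demonstration, and the toy group is far too small for real use. Each Party counts its modular exponentiations, which reproduces the four-versus-two figures of Table 2 in Section 5.

```python
"""Kobara-Imai (Section 2) and the proposed SAKA (Section 3.1) side by side:
both parties' messages, verification, and a count of modular exponentiations."""
import hashlib
import hmac
import secrets

# Constructed demo group, not the paper's parameters: p = 2q + 1 with
# p = 2039 and q = 1019 (both prime); g1 = 4 and g2 = 9 are squares mod p,
# hence of order q.  Real use needs |p| = 1024, |q| = 160 as in Section 5.
P, Q = 2039, 1019
G1, G2 = 4, 9
G = G1  # the single generator g of the proposed scheme


def enc(x):
    """Length-prefixed encoding so that concatenated fields cannot collide."""
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big") if isinstance(x, int) else x
    return len(raw).to_bytes(2, "big") + raw


def H(*parts):
    """H(.) of the paper, instantiated here as SHA-256 (an assumption)."""
    return hashlib.sha256(b"".join(enc(x) for x in parts)).digest()


def MAC(key, *parts):
    """MAC_K(.) of the Kobara-Imai scheme, instantiated as HMAC-SHA-256."""
    return hmac.new(enc(key), b"".join(enc(x) for x in parts), hashlib.sha256).digest()


class Party:
    """One protocol party: holds its password and counts modular exponentiations."""

    def __init__(self, pw):
        self.pw = int.from_bytes(pw, "big")  # password as an integer
        self.exps = 0

    def exp(self, base, e):
        self.exps += 1
        return pow(base, e, P)


def kobara_imai(alice, bob, id_a=b"alice", id_b=b"bob"):
    """Steps 1-4 of Section 2; returns (Alice's key, Bob's key) or raises."""
    tag_a, tag_b, tag_ab = id_a + id_b + b"01", id_a + id_b + b"10", id_a + id_b + b"11"
    # Step 1. Alice -> Bob: R_A = g1^a * g2^pw mod p (pw is an exponent, so |pw| <= |q|)
    a = secrets.randbelow(Q - 1) + 1
    R_A = alice.exp(G1, a) * alice.exp(G2, alice.pw % Q) % P
    # Step 2. Bob -> Alice: R_B = g1^b * g2^pw mod p
    b = secrets.randbelow(Q - 1) + 1
    R_B = bob.exp(G1, b) * bob.exp(G2, bob.pw % Q) % P
    # Each side strips g2^pw from the peer's value: K = (R * g2^-pw)^own exponent
    K_A = alice.exp(R_B * alice.exp(G2, -(alice.pw % Q)) % P, a)
    K_B = bob.exp(R_A * bob.exp(G2, -(bob.pw % Q)) % P, b)
    # Step 3. Alice -> Bob: MAC_KA(Tag_A||R_A||R_B); Step 4. Bob -> Alice: MAC_KB(Tag_B||R_A||R_B)
    m3 = MAC(K_A, tag_a, R_A, R_B)
    m4 = MAC(K_B, tag_b, R_A, R_B)
    if not hmac.compare_digest(m3, MAC(K_B, tag_a, R_A, R_B)):
        raise ValueError("Bob rejects Alice")
    if not hmac.compare_digest(m4, MAC(K_A, tag_b, R_A, R_B)):
        raise ValueError("Alice rejects Bob")
    return MAC(K_A, tag_ab, R_A, R_B), MAC(K_B, tag_ab, R_A, R_B)


def saka(alice, bob):
    """Steps 1-3 of Section 3.1; returns (Alice's key, Bob's key) or raises."""
    # Step 1. Alice -> Bob: R_A xor pw
    a = secrets.randbelow(Q - 1) + 1
    R_A = alice.exp(G, a)
    m1 = R_A ^ alice.pw
    # Step 2. Bob -> Alice: R_B || H(K_B, R_A), after recovering R_A = m1 xor pw
    R_A_bob = m1 ^ bob.pw
    b = secrets.randbelow(Q - 1) + 1
    R_B = bob.exp(G, b)
    K_B = bob.exp(R_A_bob, b)
    m2 = (R_B, H(K_B, R_A_bob))
    # Step 3. Alice -> Bob: H(K_A, R_B), only after H(K_B, R_A) matches her own value
    K_A = alice.exp(m2[0], a)
    if not hmac.compare_digest(m2[1], H(K_A, R_A)):
        raise ValueError("Alice rejects Bob")
    m3 = H(K_A, R_B)
    if not hmac.compare_digest(m3, H(K_B, R_B)):
        raise ValueError("Bob rejects Alice")
    # Session key Key = H(K_A) = H(K_B) = H(g^ab mod p)
    return H(K_A), H(K_B)


if __name__ == "__main__":
    for run in (kobara_imai, saka):
        alice, bob = Party(b"correct horse"), Party(b"correct horse")
        ka, kb = run(alice, bob)
        print(run.__name__, "keys agree:", ka == kb, "exps:", alice.exps, bob.exps)
```

A mismatched password makes Bob's recovered $R_A$ differ from Alice's, so $H(K_B, R_A)$ fails Alice's check in Step 3 and the run aborts. In a real implementation, encode $R_A$ and pw to the same fixed width before the XOR of Step 1, since the paper bounds |pw| by |p| in Section 5.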
3.2. Protected Password Change Protocol

Assume that Alice wants to change her old password pw to a new password newpw. She follows these steps.

Step 1*. Alice → Bob: $(R_A \oplus pw) \,\|\, (R_A \oplus newpw)$
Alice chooses a random number $a \in [1, q-1]$, computes $R_A = g^a \bmod p$, and sends $(R_A \oplus pw) \,\|\, (R_A \oplus newpw)$ to Bob.

Step 2*. Bob → Alice: $R_B \,\|\, H(K_B, R_A)$
After receiving $(R_A \oplus pw) \,\|\, (R_A \oplus newpw)$, Bob recovers $R_A$ by computing $(R_A \oplus pw) \oplus pw$ and uses the recovered $R_A$ to obtain newpw by computing $(R_A \oplus newpw) \oplus R_A$. Then Bob chooses a random number $b \in [1, q-1]$, computes $R_B = g^b \bmod p$ and $K_B = R_A^b = g^{ab} \bmod p$, and sends $R_B \,\|\, H(K_B, R_A)$ to Alice.

Step 3*. Alice → Bob: $H(K_A, R_B) \oplus newpw$
After receiving $R_B \,\|\, H(K_B, R_A)$, Alice computes $K_A = R_B^a = g^{ab} \bmod p$ and verifies whether the received $H(K_B, R_A)$ equals $H(K_A, R_A)$. If it does, Alice computes $H(K_A, R_B) \oplus newpw$ and sends it to Bob.

After receiving $H(K_A, R_B) \oplus newpw$, Bob uses the newpw recovered in Step 2* to obtain $H(K_A, R_B)$ by computing $(H(K_A, R_B) \oplus newpw) \oplus newpw$. He then verifies whether the recovered $H(K_A, R_B)$ equals $H(K_B, R_B)$. If it does, Alice and Bob have successfully changed the old password pw to the new password newpw.
4. SECURITY ANALYSIS

In this section, we give the heuristic security analysis and the provable security analysis in the following subsections, respectively.

4.1. Heuristic Security Analysis

Several possible attacks are considered and countered to demonstrate the security of our schemes. Here, Eve is the adversary. Our security definitions are as follows.

DEFINITION 1. The computational Diffie-Hellman assumption is that, given $g^a \bmod p$ and $g^b \bmod p$, computing $g^{ab} \bmod p$ is hard.

DEFINITION 2. The computational assumption of a one-way hash function $Y = H(X)$ is that
MAN-IN-THE-MIDDLE ATTACK ANALYSIS. Obviously, the password pw shared between Alice and Bob is what defeats the man-in-the-middle attack. Without knowing pw, Eve cannot interpose on the line and impersonate Bob to Alice and Alice to Bob.

PASSWORD GUESSING ATTACK ANALYSIS. The on-line password guessing attack can be prevented easily by limiting the number of failed runs. The off-line password guessing attack is the one favoured by the attacker: Eve tries to find the weak password by repeatedly guessing a candidate password and verifying the correctness of the guess against the observed messages, off-line. From the key agreement protocol, Eve learns $R_A \oplus pw$, $R_B \,\|\, H(K_B, R_A)$, and $H(K_A, R_B)$ in Steps 1, 2, and 3, respectively. She first guesses a password $pw'$ and then obtains $R_A' = R_A \oplus pw \oplus pw'$. Assume that the length of $R_A$ is 1024 bits and pw is 20 bytes. The probability of guessing both $R_A$ and pw is less than $1/2^{1024} \times 1/2^{20 \cdot 8}$. Eve then has to break the Diffie-Hellman assumption to find $K_B$ ($= K_A$) and use it to verify her guessed password. For the same reason, without knowing $R_A$ and $K_A$ ($= K_B$), Eve cannot guess newpw from $R_A \oplus newpw$ in Step 1* and $H(K_A, R_B) \oplus newpw$ in Step 3*.

REPLAY ATTACK ANALYSIS. Eve intercepts $R_A \oplus pw$ when it is sent by Alice in Step 1 and uses it to masquerade as Alice next time. However, Eve cannot compute a correct $H(K_A, R_B)$ for Bob in Step 3, because she has no pw to obtain $R_A$ and would then also have to compute a from $R_A = g^a \bmod p$ by solving the discrete logarithm problem. On the other hand, if Eve intercepts $R_B \,\|\, H(K_B, R_A)$ when it is sent by Bob in Step 2 and uses it to masquerade as Bob, the $R_A$ generated by Alice is different for each protocol run, so Eve still cannot replay $R_B \,\|\, H(K_B, R_A)$ to Alice. For the same reason, the protected password change protocol also withstands the replay attack. Because some messages sent between the two parties are the same in [5,15], those schemes are vulnerable to the replay attack and the backward replay attack. In contrast, the messages sent by Alice and Bob are different in both of our schemes, and therefore Eve cannot intercept a message between them and replay it to the other side.

MODIFICATION ATTACK ANALYSIS. Eve tries to modify the messages transferred between Alice and Bob and make them accept a wrong session key. Unlike the SAKA-related schemes [5,15,17,19], our schemes use the XOR operation and a one-way hash function to protect the messages transferred between Alice and Bob. Eve cannot replace the original value sent by Alice with a new one and then use its inverse to make Bob return the original value. Therefore, Yang et al.'s modification attack [21] cannot threaten the security of our key agreement protocol. In our protected password change protocol, suppose Eve modifies $R_A \oplus newpw$ to a random number $R_E$ in Step 1*. After receiving $(R_A \oplus pw) \,\|\, R_E$, Bob recovers $R_A$, uses it to obtain the new password $R_E \oplus R_A$, and sends $R_B \,\|\, H(K_B, R_A)$ to Alice in Step 2*. Alice first verifies the received $H(K_B, R_A)$ and then sends $H(K_A, R_B) \oplus newpw$ to Bob in Step 3*. Bob uses the recovered new password $R_E \oplus R_A$ to compute $H(K_A, R_B) \oplus newpw \oplus (R_E \oplus R_A)$ and compares it with $H(K_B, R_B)$. Obviously, $H(K_A, R_B) \oplus newpw \oplus (R_E \oplus R_A)$ is not equal to $H(K_B, R_B)$. Bob will reject the password change request unless Eve can compute $H(K_A, R_B) \oplus (R_E \oplus R_A)$ and send it to Bob in Step 3*. However, she has no ability to obtain $K_A$ and $R_A$.
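The password change run of Section 3.2, with Bob holding the server-side state and replacing the stored password only after the final check, together with the modification attempt just analysed (Eve replacing $R_A \oplus newpw$ by a random $R_E$), as an added example; this is not code from the paper. The toy group (p = 2039, q = 1019, g = 4), SHA-256 as H(·) and the field encoding are assumptions; the hash output is handled as an integer so that it can be XORed with newpw in Step 3*.

```python
"""Protected password change (Section 3.2) with Bob holding the server-side
state, plus the Section 4.1 modification attempt on R_A xor newpw."""
import hashlib
import secrets

# Constructed demo group, not the paper's: p = 2039, q = 1019, g = 4 of order q.
P, Q, G = 2039, 1019, 4


def enc(x):
    """Length-prefixed big-endian encoding of a non-negative integer."""
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return len(raw).to_bytes(2, "big") + raw


def H(*parts):
    """H(.) instantiated as SHA-256 (assumption), returned as an int so it can be XORed."""
    return int.from_bytes(hashlib.sha256(b"".join(enc(x) for x in parts)).digest(), "big")


class Bob:
    """Server side of PPC: stores the current password, runs Step 2* and the final check."""

    def __init__(self, pw):
        self.pw = int.from_bytes(pw, "big")
        self.pending = None

    def step2(self, m1):
        masked_ra, masked_new = m1
        R_A = masked_ra ^ self.pw          # (R_A xor pw) xor pw
        new_pw = masked_new ^ R_A          # (R_A xor newpw) xor R_A
        b = secrets.randbelow(Q - 1) + 1
        R_B = pow(G, b, P)
        K_B = pow(R_A, b, P)
        self.pending = (new_pw, R_B, K_B)
        return R_B, H(K_B, R_A)            # Step 2*: R_B || H(K_B, R_A)

    def finish(self, m3):
        new_pw, R_B, K_B = self.pending
        self.pending = None
        if (m3 ^ new_pw) != H(K_B, R_B):   # unmask with the recovered newpw, then verify
            return False
        self.pw = new_pw                   # the password is replaced only after verification
        return True


def change_password(bob, pw, new_pw, eve_tampers=False):
    """Alice's side of PPC. Returns (change accepted, Bob now holds new_pw)."""
    pw_i, new_i = int.from_bytes(pw, "big"), int.from_bytes(new_pw, "big")
    # Step 1*. Alice -> Bob: R_A xor pw || R_A xor newpw
    a = secrets.randbelow(Q - 1) + 1
    R_A = pow(G, a, P)
    m1 = (R_A ^ pw_i, R_A ^ new_i)
    if eve_tampers:
        # Section 4.1: Eve replaces the second half with a random R_E (kept different
        # from the original value, otherwise nothing was modified).
        R_E = m1[1]
        while R_E == m1[1]:
            R_E = secrets.randbits(P.bit_length() + new_i.bit_length())
        m1 = (m1[0], R_E)
    # Step 2*. Bob -> Alice: R_B || H(K_B, R_A)
    R_B, tag = bob.step2(m1)
    # Step 3*. Alice checks H(K_B, R_A) against H(K_A, R_A), then sends H(K_A, R_B) xor newpw
    K_A = pow(R_B, a, P)
    if tag != H(K_A, R_A):
        return False, bob.pw == new_i
    accepted = bob.finish(H(K_A, R_B) ^ new_i)
    return accepted, bob.pw == new_i


if __name__ == "__main__":
    bob = Bob(b"old-pw")
    print("honest run:", change_password(bob, b"old-pw", b"new-pw"))
    bob = Bob(b"old-pw")
    print("Eve tampers:", change_password(bob, b"old-pw", b"new-pw", eve_tampers=True))
```

With the second half tampered, Alice's check in Step 3* still passes (her $R_A$ was delivered intact), but Bob unmasks with $R_E \oplus R_A$ instead of newpw, the comparison with $H(K_B, R_B)$ fails, and the stored password stays unchanged; a second honest run using the new password shows that the user can keep changing it at will.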
According to the above analyses, our schemes withstand all the attacks shown in Table 1. Moreover, even when the password is compromised, Eve may recover $R_A = g^a \bmod p$ and $R_B = g^b \bmod p$, but she still cannot recover the old session key $Key = H(g^{ab} \bmod p)$. On the other hand, a stolen session key does not help an adversary carry out a brute-force guessing attack on the password, because $K_A$ and $K_B$ are under the protection of the one-way hash function H(·). In a word, our new scheme lives up to the requirement of perfect forward secrecy.

4.2. Provable Security Analysis
In this section, we employ and simplify the BPR model (see [26] for a more detailed description) to formally prove the security of SAKA and PPC in the random oracle model (ideal hash model).
4.2.1. Model

The model is used as follows.

1. DEFINE THE CHARACTERISTICS OF PARTICIPATING ENTITIES.

PROTOCOL PARTICIPANTS. A party may have several instances, called oracles, involved in distinct concurrent executions of the protocols. We denote instance i of the party with identifier A as $\Pi_A^i$.

LONG-LIVED KEYS. Two parties A and B share a common password pw. We call pw the long-lived key and assume that the password is chosen independently and uniformly at random from the set $\{1, \ldots, N\}$, where N is a constant independent of the security parameter.

SESSION IDENTITY AND PARTNER IDENTITY. The session identity SID uniquely names the ensuing session. $SID(\Pi_A^i)$ is the concatenation of all flows with the oracle $\Pi_A^i$. $PID(\Pi_A^i) = B$ denotes that $\Pi_A^i$ is communicating with participant B. Both SID and PID are publicly available.

ACCEPTING AND TERMINATING. An oracle $\Pi_A^i$ has two states, $ACC(\Pi_A^i)$ and $TERM(\Pi_A^i)$. $ACC(\Pi_A^i) = true$ denotes that $\Pi_A^i$ has enough information to compute a session key (SK). An oracle can accept at any time. As soon as $\Pi_A^i$ accepts, $SK(\Pi_A^i)$, $SID(\Pi_A^i)$ and $PID(\Pi_A^i)$ are defined. When an oracle sends or receives the last message of the protocol, receives an invalid message, or misses an expected message, $TERM(\Pi_A^i)$ is set to true. Once $\Pi_A^i$ has terminated, it sends no further messages.
2. DEFINE AN ADVERSARY'S CAPABILITIES.

The adversary $\mathcal{A}$ has an endless supply of oracles and models various queries to them. Each query models a capability of the adversary, such as forward secrecy, known-key security, etc. The six queries and their responses are listed below.

• $Send(\Pi_A^i, m)$: This query models $\mathcal{A}$ sending a message m to $\Pi_A^i$. $\mathcal{A}$ gets back the response that $\Pi_A^i$ would generate in processing message m, and $\Pi_A^i$ updates its SID, PID, and state. A query of the form $Send(\Pi_A^i, start)$ initiates an execution of the protocol.
• $Execute(\Pi_A^i, \Pi_B^j)$: This query models $\mathcal{A}$ obtaining an honest execution of the protocol between the two oracles $\Pi_A^i$ and $\Pi_B^j$. It may at first seem useless, since $\mathcal{A}$ can already carry out an honest execution with Send queries, yet the query is essential for properly dealing with password guessing attacks.
• $Reveal(\Pi_A^i)$: This query models $\mathcal{A}$ obtaining the session key (SK) held by $\Pi_A^i$, which is returned unconditionally. The query deals with known-key security and is only available if $ACC(\Pi_A^i) = true$.
• $Corrupt(A)$: This query models $\mathcal{A}$ obtaining the long-lived key pw of A, which is returned unconditionally. The query deals with forward secrecy.
• $Hash(m)$: In the ideal hash model, $\mathcal{A}$ obtains hash results by querying a random oracle. On receiving this query, the random oracle checks whether m has been queried before. If so, it returns the previously generated result to $\mathcal{A}$; otherwise it generates a random number r, sends it to $\mathcal{A}$, and stores (m, r) in the H-table, a record set of all previous hash queries.
• $Test(\Pi_A^i)$: This query models the semantic security of the session key (the indistinguishability of the real session key from a random string). During an execution of the protocol, $\mathcal{A}$ may make any of the above queries and, at some point, a single Test query. $\Pi_A^i$ then flips a coin b and returns SK if b = 1, or a random string of length |SK| if b = 0. The query is only available if $\Pi_A^i$ is fresh. $\mathcal{A}$ outputs a bit b' and wins the game of breaking the protocol if b = b'.

Figure 1. Initialization of protocols SAKA and PPC.

Initialize($1^k$, $1^l$), where l and k are security parameters and l < k:
  Select primes p, q with |p| = k, |q| = l, and q | p - 1; this defines the group G;
  Choose a random generator g ← G;
  Choose a hash function H(·): {0,1}* → {0,1}^l;
  Publish parameters q, p, g, H(·);
  pw_{A,B} ←_R {1, ..., N}

Figure 2. Specification of protocol SAKA.

Execution(Π_A^i, Π_B^j)
1. Send_1(Π_A^i, start)
   a ←_R Z_q; R_A = g^a mod p; msg_out1 ← R_A ⊕ pw; state_A^i ← <a, R_A>; return msg_out1
2. Send_2(Π_B^j, m1)
   <M1> ← m1; R_A ← M1 ⊕ pw; b ←_R Z_q; R_B = g^b mod p; K_B = (R_A)^b mod p;
   msg_out2 ← <R_B || H(K_B, R_A)>; state_B^j ← <R_B, K_B>; return msg_out2
3. Send_3(Π_A^i, m2)
   <R_B, M2> ← m2; <a, R_A> ← state_A^i; K_A = (R_B)^a mod p;
   if H(K_A, R_A) = M2 then msg_out3 ← H(K_A, R_B); SK(Π_A^i) ← H(K_A); SID(Π_A^i) ← <msg_out1, m2, msg_out3>; PID(Π_A^i) ← B; ACC(Π_A^i) ← true; TERM(Π_A^i) ← true
   else msg_out3 ← *;
   return msg_out3
4. Send_4(Π_B^j, m3)
   <M3> ← m3; <R_B, K_B> ← state_B^j;
   if H(K_B, R_B) = M3 then SK(Π_B^j) ← H(K_B); SID(Π_B^j) ← <m1, msg_out2, m3>; PID(Π_B^j) ← A; ACC(Π_B^j) ← true; TERM(Π_B^j) ← true
   return null
3. FORMAL SPECIFICATION OF THE PROPOSED PROTOCOLS.

Figure 1 shows the initialization of both protocols. Figures 2 and 3 show how instances of the SAKA and PPC protocols, respectively, behave in response to messages (i.e., run the SAKA and PPC protocols).

Before the protocols run, each oracle sets $ACC(\Pi_A^i) \leftarrow TERM(\Pi_A^i) \leftarrow false$ and $SK(\Pi_A^i) \leftarrow SID(\Pi_A^i) \leftarrow PID(\Pi_A^i) \leftarrow null$.

4.2.2. Definitions of Security

This section defines what constitutes breaking our SAKA and PPC protocols. To begin with, we set out the formal notions of security as follows.
Figure 3. Specification of protocol PPC.

Execution(Π_A^i, Π_B^j)
1. Send_1(Π_A^i, start)
   a ←_R Z_q; R_A = g^a mod p; msg_out1 ← <R_A ⊕ pw || R_A ⊕ newpw>; state_A^i ← <a, R_A>; return msg_out1
2. Send_2(Π_B^j, m1)
   <M1, M2> ← m1; R_A ← M1 ⊕ pw; newpw ← M2 ⊕ R_A; b ←_R Z_q; R_B = g^b mod p; K_B = (R_A)^b mod p;
   msg_out2 ← <R_B || H(K_B, R_A)>; state_B^j ← <newpw, R_B, K_B>; return msg_out2
3. Send_3(Π_A^i, m2)
   <a, R_A> ← state_A^i; <R_B, M3> ← m2; K_A = (R_B)^a mod p;
   if H(K_A, R_A) = M3 then msg_out3 ← H(K_A, R_B) ⊕ newpw; SK(Π_A^i) ← H(K_A); SID(Π_A^i) ← <msg_out1, m2, msg_out3>; PID(Π_A^i) ← B; ACC(Π_A^i) ← true; TERM(Π_A^i) ← true
   else msg_out3 ← *;
   return msg_out3
4. Send_4(Π_B^j, m3)
   <M4> ← m3; <newpw, R_B, K_B> ← state_B^j;
   if H(K_B, R_B) = M4 ⊕ newpw then SK(Π_B^j) ← H(K_B); SID(Π_B^j) ← <m1, msg_out2, m3>; PID(Π_B^j) ← A; ACC(Π_B^j) ← true; TERM(Π_B^j) ← true
   return null
FRESHNESS. An oracle $\Pi_A^i$ is fresh (or holds a fresh SK) if the following three conditions are satisfied:
(1) $\Pi_A^i$ has accepted,
(2) no oracle has been asked a Corrupt query before $\Pi_A^i$ accepted, and
(3) neither $\Pi_A^i$ nor its partner has been asked a Reveal query.

PARTNERING. In the SAKA and PPC protocols, we say two oracles $\Pi_A^i$ and $\Pi_B^j$ are partnered if the following conditions are satisfied:
(1) $\Pi_A^i$ and $\Pi_B^j$ have accepted,
(2) $SK(\Pi_A^i) = SK(\Pi_B^j)$,
(3) $SID(\Pi_A^i) \cap SID(\Pi_B^j) \neq \emptyset$,
(4) $PID(\Pi_A^i) = B$ and $PID(\Pi_B^j) = A$, and
(5) no other oracle accepts with $SK = SK(\Pi_A^i) = SK(\Pi_B^j)$.

AKE SECURITY (SESSION KEY SECURITY). We say $\mathcal{A}$ wins the game of breaking the session key security of SAKA or PPC, with probability Pr(win), if $\mathcal{A}$ makes a single Test query to a fresh oracle and correctly guesses the bit b used in the game. We denote the AKE advantage of $\mathcal{A}$ in attacking SAKA and PPC as $Adv^{AKE}_{SAKA}(\mathcal{A})$ and $Adv^{AKE}_{PPC}(\mathcal{A})$, respectively; the advantages are taken over all coin tosses. The advantage of $\mathcal{A}$ in distinguishing the session key is given by

$Adv^{AKE}_{SAKA}(\mathcal{A}) = Adv^{AKE}_{PPC}(\mathcal{A}) = 2\Pr(win) - 1.$

Protocols SAKA and PPC are AKE-secure if this advantage is negligible.

COMPUTATIONAL DIFFIE-HELLMAN (CDH) ASSUMPTION. Let $G = \langle g \rangle$ be a cyclic group of prime order q and let x, y be chosen at random in $\mathbb{Z}_q$. Let $\mathcal{B}$ be a CDH attacker that is given a challenge $\phi = (g^x, g^y)$, and let ε be the probability that $\mathcal{B}$ outputs an element z in G such that $z = g^{xy}$. We denote this success probability as $Succ^{CDH}(\mathcal{B})$. The CDH problem is intractable if $Succ^{CDH}(\mathcal{B})$ is negligible.

ADVERSARY'S RESOURCES. Security is formulated as a function of the resources available to $\mathcal{A}$. The resources are as follows.
• t: computing time;
• $q_{se_i}, q_{ex}, q_{re}, q_{co}, q_h$: the number of $Send_i$, Execute, Reveal, Corrupt, and Hash queries made, respectively. Here $q_{se}$ is the total number of Send queries, $q_{se} = \sum_i q_{se_i}$.
4.2.3. Security Proof

THEOREM 4.1. Let $\mathcal{A}$ be an adversary against the AKE-security of the SAKA protocol within a time bound t, making $q_{se}$ Send queries and $q_h$ Hash queries. Then we have

$Adv^{AKE}_{SAKA}(t, q_{se}, q_h) \le \frac{q_{se}}{N} + q_{se}\, q_h\, Succ^{CDH}(t_1) + \frac{q_{se}}{2^l},$

where $t_1$ is the running time of the CDH solver $\mathcal{B}$.

PROOF. There are three ways that might lead to $\mathcal{A}$ successfully attacking the AKE-security of the SAKA protocol. First, $\mathcal{A}$ might obtain the long-lived key and impersonate A or B by mounting a password guessing attack. Second, $\mathcal{A}$ might directly obtain the session key by solving the CDH problem. In the following, we analyze the probability of these two situations one by one; while analyzing one situation, the others are assumed to occur with some known probability.

PASSWORD GUESSING ATTACKS. A and B choose $a \in \mathbb{Z}_q$ and $b \in \mathbb{Z}_q$ at random, which implies that $R_A$ and $R_B$ are random numbers. Hence $\mathcal{A}$ observes that the message $R_A \oplus pw$ returned from $Send_1$ is independent of the other messages, and gains no advantage for an off-line password guessing attack. The probability that an on-line password guessing attack succeeds is bounded by $q_{se}$ and N as follows:

$\Pr[\text{on-line guess succeeds}] \le \frac{q_{se}}{N}.$

The on-line guessing attack can be prevented by letting the server enforce appropriate intervals between trials. Furthermore, we also provide the PPC protocol to allow clients to change their own passwords.

CDH ATTACK (SESSION KEY). $\mathcal{B}$ plays the role of a simulator for indistinguishability. It uses the SAKA protocol to respond to all of $\mathcal{A}$'s queries while working on the CDH problem. $\mathcal{B}$ sets up the long-lived key pw, picks a random index i from $[1, q_{se_1}]$, and sets a counter cnt = 0. When $\mathcal{A}$ makes a $Send_1$ query, $\mathcal{B}$ answers according to the protocol, returning $msg\_out_1$, and increases cnt by 1. If cnt ≠ i, $\mathcal{B}$ answers the corresponding $Send_2$ query with $msg\_out_2$. If cnt = i, $\mathcal{B}$ answers with $(g^y \,\|\, H(random \,\|\, g^x))$, using the element $g^x$ from the challenge φ. When $\mathcal{A}$ makes a $Send_3$ query, if the input is the flow corresponding to challenge φ, $\mathcal{B}$ answers with $H(random, g^y)$, using the element $g^y$ from the challenge φ; otherwise $\mathcal{B}$ answers with $msg\_out_3$.

When $\mathcal{A}$ makes $Reveal(\Pi_A^i)$ or $Reveal(\Pi_B^j)$, $\mathcal{B}$ checks whether the oracle has accepted and is fresh. If so, $\mathcal{B}$ answers with the session key SK; however, if that session key would have to be constructed from the challenge φ, $\mathcal{B}$ halts. When $\mathcal{A}$ makes $Corrupt(A)$, $Corrupt(B)$, $Execute(\Pi_A^i, \Pi_B^j)$, or $Hash(m)$, $\mathcal{B}$ answers in a straightforward way. When $\mathcal{A}$ makes its single Test query, $\mathcal{B}$ answers in a straightforward way, except that if the session key would have to be constructed from the challenge φ, $\mathcal{B}$ answers $Test(\Pi_A^i)$ or $Test(\Pi_B^j)$ with a random string.

This simulation is perfectly indistinguishable from a real execution of the SAKA protocol except for the one execution in which the challenge φ is involved. The probability α that $\mathcal{B}$ correctly guesses the session on which $\mathcal{A}$ will make its Test query is the probability that cnt = i:

$\alpha = \frac{1}{q_{se_1}} \ge \frac{1}{q_{se}}.$

Assume that $\mathcal{A}$ has broken the CDH problem ($\mathcal{A}$, outputting b' after the Test query, wins). Then at least one of the hash queries equals SK. The probability β that $\mathcal{B}$ correctly chooses among the possible hash queries is

$\beta = \frac{1}{q_h}.$

From the above description, the probability $Succ^{CDH}(\mathcal{B})$ that $\mathcal{B}$ outputs z from the challenge φ is the probability ε that $\mathcal{A}$ breaks the AKE-secure scheme, multiplied by the probability α that $\mathcal{B}$ correctly guesses the moment at which $\mathcal{A}$ breaks the scheme, multiplied by the probability β that $\mathcal{B}$ correctly chooses among the possible hash queries:

$Succ^{CDH}(\mathcal{B}) = \varepsilon \times \alpha \times \beta \ge \varepsilon \times \frac{1}{q_{se}} \times \frac{1}{q_h}. \qquad (1)$

THEOREM 4.2. Let $\mathcal{A}$ be an adversary against the AKE-security of the PPC protocol within a time bound t, making $q_{se}$ Send queries and $q_h$ Hash queries. Then we have

$Adv^{AKE}_{PPC}(t, q_{se}, q_h) \le \frac{q_{se}}{N} + q_{se}\, q_h\, Succ^{CDH}(t_1) + \frac{q_{se}}{2^l},$

where $t_1$ is the running time of the CDH solver $\mathcal{B}$.

PROOF. This proof is similar to the analysis of SAKA and is omitted here.

5. EFFICIENCY AND COMPARISON
In this section, we compare the computational complexity of our key agreement protocol with that of the Kobara-Imai scheme. To analyze the computational complexity, we first define the following notation.

$T_{EXP}$: the time for computing a modular exponentiation.
$T_{MUL}$: the time for computing a modular multiplication.
$T_{MAC}$: the time for computing the adopted $MAC_K(\cdot)$.
$T_H$: the time for computing the adopted H(·).
$T_{XOR}$: the time for computing the XOR of two numbers.

Assume that in the Diffie-Hellman computation $g^c \bmod p$ the prime p is 1024 bits long and the random exponent c is 160 bits long. In our scheme, Alice computes $(R_A = g^a \bmod p) \oplus pw$ and sends it to Bob, so pw can be up to 128 bytes long. In contrast, when Alice computes $g_1^a \cdot g_2^{pw} \bmod p$ and sends it to Bob in the Kobara-Imai scheme, pw can be at most 20 bytes long. Hence our scheme gives more freedom in the choice of pw (e.g., a whole sentence can serve as the password).

Table 2. Computational complexity comparison between our scheme and the Kobara-Imai scheme.

                        Our scheme                     Kobara-Imai scheme
Alice's computations    2T_EXP + 3T_H + 1T_XOR         4T_EXP + 3T_MAC + 2T_MUL
Bob's computations      2T_EXP + 3T_H + 1T_XOR         4T_EXP + 3T_MAC + 2T_MUL

For simplicity, to compare the computational complexities of our scheme and the Kobara-Imai scheme, we assume that the password length in both schemes is 20 bytes. Computing $g^c \bmod p$ by repeated squaring and multiplying requires an average of 240 1024-bit modular multiplications (i.e., $1T_{EXP} = 240T_{MUL}$) [27]. According to Table 2, it is clear that both parties' computational costs in our scheme are lower than in the Kobara-Imai scheme. Moreover, our scheme requires fewer steps to agree on a session key than the Kobara-Imai scheme, and we provide a password change protocol. On the other hand, in the Kobara-Imai scheme Alice and Bob must use the predetermined values $Tag_A$, $Tag_B$, and $Tag_{AB}$ to avoid the replay attack and the backward replay attack (each transferred message is different) and to generate the session key. In our scheme, the distinct values $R_A$ and $R_B$ suffice to make each transferred message different.
6. CONCLUSION

In this article, we have proposed a slight improvement on the Yeh-Sun scheme to make it more efficient. In addition, we have designed a protected password change protocol that allows two parties to change their own password freely. Compared with other SAKA-related schemes, our schemes not only withstand the attacks shown in Table 1 but are also more efficient.
REFERENCES
1. W. Diffie and M.E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory IT-22, 644-654, (Nov. 1976).
2. L. Law, A. Menezes, M. Qu, J. Solinas and S. Vanstone, Security of authenticated multiple-key, Technical Report CORR 9805, Department of C&O, University of Waterloo, (1998).
3. N.P. Smart, Identity-based authenticated key agreement protocol based on Weil pairing, Electronics Letters 38 (13), 630-632, (2002).
4. X. Yi, Efficient ID-based key agreement from Weil pairing, Electronics Letters 39 (2), 206-208, (2003).
5. D. Seo and P. Sweeney, Simple authenticated key agreement algorithm, IEE Electronics Letters 35 (13), 1073-1074, (1999).
6. National Bureau of Standards, Data Encryption Standard, NBS FIPS, (1977).
7. M.E. Smid and D.K. Branstad, The data encryption standard: Past and future, Proc. of the IEEE 76, 550-559, (May 1988).
8. J. Daemen and V. Rijmen, Rijndael, the advanced encryption standard, Dr. Dobb's Journal 26 (3), 137-139, (2001).
9. M.-S. Hwang, A new redundancy reducing cipher, International Journal of Informatica 11 (4), 435-440, (2000).
10. C.-C. Chang and M.-S. Hwang, Parallel computation of the generating keys for RSA cryptosystems, IEE Electronics Letters 32 (15), 1365-1366, (1996).
11. R.L. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public key cryptosystems, Communications of the ACM 21, 120-126, (Feb. 1978).
12. T. ElGamal, A public-key cryptosystem and a signature scheme based on discrete logarithms, IEEE Transactions on Information Theory IT-31, 469-472, (July 1985).
13. M.-S. Hwang, C.-C. Chang and K.-F. Hwang, An ElGamal-like cryptosystem for enciphering large messages, IEEE Transactions on Knowledge and Data Engineering 14 (2), 445-446, (2002).
14. H. Sun, On the security of simple authenticated key agreement algorithm, In Proceedings of the Management Theory Workshop'2000, (2000).
15. Y.-M. Tseng, Weakness in simple authenticated key agreement protocol, Electronics Letters 36 (1), 48-49, (2000).
16. E.J.-L. Lu, C.-C. Lee and M.-S. Hwang, Cryptanalysis of some authenticated key agreement protocols, International Journal of Computational and Numerical Analysis and Applications (to appear).
17. I.-C. Lin, C.-C. Chang and M.-S. Hwang, Security enhancement for the simple authentication key agreement algorithm, In The Twenty-Fourth Annual International Computer Software and Applications Conference (COMPSAC)'2000, pp. 113-115, (2000).
18. B.-T. Hsieh, H.-M. Sun and T. Hwang, Cryptanalysis of enhancement for simple authenticated key agreement algorithm, IEE Electronics Letters 38 (1), 20-21, (2002).
19. W.-C. Ku and S.-D. Wang, Cryptanalysis of modified authenticated key agreement protocol, IEE Electronics Letters 36 (21), 1770-1771, (2000).
20. L. Gong, Variations on the themes of message freshness and replay, In Proc. IEEE Computer Security
21. C.-C. Yang, T.-Y. Chang and M.-S. Hwang, Cryptanalysis of simple authenticated key agreement protocols, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E87-A (8), 2174-2176, (2004).
22. H.-T. Yeh and H.-M. Sun, Simple authenticated key agreement protocol resistant to password guessing attacks, ACM SIGOPS Operating Systems Review 36 (4), 14-22, (2002).
23. K. Kobara and H. Imai, Pretty-simple password-authenticated key-exchange protocol proven to be secure in the standard model, IEICE Transactions on Fundamentals E85-A (10), 2229-2237, (2002).
24. D.P. Jablon, Strong password-only authenticated key exchange, Computer Communication Review 26, 5-26, (Oct. 1996).
25. S.-W. Lee, W.-H. Kim, H.-S. Kim and K.-Y. Yoo, Parallelizable simple authenticated key agreement protocol, ACM SIGOPS Operating Systems Review 37 (3), 17-22, (2003).
26. M. Bellare, D. Pointcheval and P. Rogaway, Authenticated key exchange secure against dictionary attacks, In Advances in Cryptology: EUROCRYPT'00, pp. 122-138, (2000).
27. M. Naor and M. Yung, Universal one-way hash functions and their cryptographic applications, In Proc. of the 21st STOC, pp. 33-43, (1989).
28. N. Koblitz, A. Menezes and S.A. Vanstone, The state of elliptic curve cryptography, Designs, Codes and Cryptography 9 (2/3), 173-193, (2000).