
Cryptanalysis on Shim’s tripartite authenticated key agreement protocol from Weil pairing


Academic year: 2021




Int. Computer Symposium, Dec. 15-17, 2004, Taipei, Taiwan.

Cryptanalysis on Shim's tripartite authenticated key agreement protocol from Weil pairing

Chu-Hsing Lin* and Hsiu-Hsia Lin
Department of Computer Sciences and Information Engineering, Tunghai University
E-mail: [email protected]

Abstract - In 2003 (Electronics Letters, Vol. 39, No. 2), Shim [1] proposed an efficient one-round tripartite authenticated key agreement protocol based on Weil pairing. In this letter, we show that Shim's protocol cannot satisfy some basic security requirements.

Keywords: Weil pairing, man-in-the-middle attack, tripartite authenticated key agreement protocol, insider attack, key-compromise impersonation attack.

1. Introduction

In 2000, Joux [2] first proposed a one-round tripartite Diffie-Hellman key agreement protocol based on Weil pairing. However, the protocol cannot withstand the man-in-the-middle attack since it does not authenticate messages. To ensure authenticity, Shim [1] proposed an improved tripartite authenticated key agreement protocol, introducing certified public keys to overcome the security flaw in Joux's protocol. In this article, we show that Shim's protocol is still insecure against some attacks, namely the insider attack and the key-compromise impersonation attack.

2. Modified Weil pairing

The bilinear property of the Weil pairing can be applied to design tripartite key agreement protocols with fewer communication rounds than Diffie-Hellman's scheme requires (Joux's protocol needs just one round).

Let p be a prime such that p ≡ 2 (mod 3) and p = 6q − 1 for some prime q > 3. Let E[q] be a supersingular curve defined by y^2 = x^3 + 1 over F_p. Let P ∈ E/F_p be a generator of the group of points with order q = (p + 1)/6, and let G_q denote that group of points of order q. Let μ_q be the subgroup of F_{p^2}^* that contains all elements of order q. The Weil pairing on the curve E/F_p is a mapping e: G_q × G_q → μ_q. The modified Weil pairing is defined as ê: G_q × G_q → μ_q, ê(P, Q) = e(P, φ(Q)), where φ(x, y) = (ξx, y) and 1 ≠ ξ ∈ F_{p^2} is a solution of x^3 − 1 = 0 (mod p). The modified Weil pairing satisfies the following properties:

(i) Bilinear: ê(a·P, b·Q) = ê(P, Q)^{ab} for all P, Q ∈ E[q] and a, b ∈ Z.
(ii) Alternative: ê(P, Q) = ê(Q, P)^{−1}.
(iii) Non-degenerate: there exists a point P ∈ G_q such that ê(P, P) ≠ 1.
(iv) Polynomial-time computable: ê(P, Q) is computable in polynomial time.

3. Shim's tripartite key agreement protocol

Setup: The public domain parameters (p, q, E, P, ê) are common to all entities. A certification authority (CA) is used to provide public-key certificates. Cert_A denotes the certificate of user A; his public key is denoted as Y_A = a·P, where a is A's static private key. Similarly, Cert_B and Cert_C are the certificates of B and C, with Y_B = b·P and Y_C = c·P as their static public keys and b and c as the static private keys of B and C, respectively.

Shim's protocol: A (B and C) chooses a random number x (y and z), computes T_A = x·Y_A (T_B = y·Y_B and T_C = z·Y_C) and broadcasts the value together with his certificate, where x, y and z serve as the ephemeral private keys, respectively.

A → B, C: {T_A, Cert_A}
B → A, C: {T_B, Cert_B}
C → A, B: {T_C, Cert_C}

On receiving the broadcast messages, the three entities can obtain the same keys K_A, K_B and K_C, respectively; the results are as follows:

K_A = ê(T_B, T_C)^{ax} · ê(Y_B, Y_C)^a = ê(P, P)^{abcxyz} · ê(P, P)^{abc}
K_B = ê(T_A, T_C)^{by} · ê(Y_A, Y_C)^b = ê(P, P)^{abcxyz} · ê(P, P)^{abc}
K_C = ê(T_A, T_B)^{cz} · ê(Y_A, Y_B)^c = ê(P, P)^{abcxyz} · ê(P, P)^{abc}

Then they can compute the shared session key:

K = kdf(K_A || A || B || C) = kdf(K_B || A || B || C) = kdf(K_C || A || B || C)

(where kdf is a key derivation function).

4. Cryptanalysis on Shim's protocol

In this section, we present two kinds of attacks on Shim's scheme: the insider attack and the key-compromise impersonation attack.

4.1. The insider attack

In a tripartite key agreement protocol, the insider attack [3] means that one of the entities tries to impersonate another entity. For instance, B is an insider attacker who might try to impersonate C in order to fool A into believing that B and C have both participated in a key agreement run, while in fact C has not. If the insider attack is successfully launched in Shim's protocol, it could have damaging consequences, for example if C acts as an on-line escrow agent or a referee.

Assumptions
(i) A, B and C: legitimate entities appearing in a tripartite key agreement protocol.
(ii) Cert_A, Cert_B and Cert_C: the certificates of A, B and C, respectively, have been certified by a trusted CA.
(iii) B: the insider attacker, who wants to impersonate C to A and has obtained Cert_C beforehand.
(iv) C: the honest entity, who is unaware of this communication round.

Based on the above assumptions, the insider attacker B initiates a key agreement protocol and also plays another role C' (masquerading as C to fool A). Therefore, A mistakenly accepts C' as the real C.

Insider attack algorithm
(I1) B: T_C' = z'·Y_C = z'·(c·P).
(I2) B → A, C': {T_B, Cert_B}
(I3) C' → A, B: {T_C', Cert_C}
(I4) A → B, C': {T_A, Cert_A}
(I5) Computes K_A = K_B = K_C' = ê(P, P)^{abcxyz'} · ê(P, P)^{abc}
(I6) K = kdf(K_A || A || B || C') = kdf(K_B || A || B || C') = kdf(K_C' || A || B || C')

4.2. Key-compromise impersonation attack

An outsider attacker E, who has compromised B's static private key b, can also impersonate the other entities to B. The details are illustrated below.

Assumptions
(i) A, B and C: legitimate entities appearing in a tripartite key agreement protocol.
(ii) Cert_A, Cert_B and Cert_C: the certificates of A, B and C, respectively, have been certified by a trusted CA.
(iii) E: the outsider attacker, who wants to impersonate both A and C and communicate with B. Note that E now owns the values {b, T_B, Cert_B} and has obtained Cert_A and Cert_C beforehand.
(iv) A, C: the honest entities, who are unaware of this communication round.

The outsider attacker E pretends to be A and C, indicated as A' and C', respectively. E can initiate a key agreement protocol among the three entities A', B and C', impersonating both A and C to cheat B. Therefore, B mistakenly believes that A' is the real A and C' is the real C.

Key-compromise impersonation algorithm
(K1) E: T_A' = u·P and T_C' = w·P
(K2) E → B: {T_A', Cert_A}, {T_C', Cert_C}
(K3) B → A', C': {T_B, Cert_B}
(K4) Computes K_A' = K_B = K_C' = ê(P, P)^{byuw} · ê(P, P)^{abc}
(K5) K = kdf(K_A' || A' || B || C') = kdf(K_B || A' || B || C') = kdf(K_C' || A' || B || C')

5. Conclusion

Shim [1] proposed an improved tripartite authenticated key agreement protocol based on Weil pairing to resist the man-in-the-middle attack. This letter shows that Shim's tripartite authenticated key agreement protocol is still insecure against some attacks, including the insider attack and key-compromise impersonation. These attacks are possible because parts of the messages (the public ephemeral keys T_A, T_B and T_C) are not authenticated. From the proposed cryptanalysis, Shim's protocol does not seem to satisfy some basic security requirements.

References

[1] K. Shim, "Efficient one-round tripartite authenticated key agreement protocol from Weil pairing," Electronics Letters, Vol. 39, No. 2, pp. 208-209, January 2003.
[2] A. Joux, "A one-round protocol for tripartite Diffie-Hellman," Proceedings of the 4th International Algorithmic Number Theory Symposium (ANTS-IV), LNCS 1838, pp. 385-394, July 2000.
[3] S.S. Al-Riyami and K.G. Paterson, "Tripartite authenticated key agreement protocol from pairings," IMA Conference on Cryptography and Coding 2003, LNCS 2898, pp. 332-359, December 2003.
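The following toy model is an added example, not code from the paper or from Shim's work; it checks the algebra of Sections 3 and 4 by replacing points and pairing values with their discrete logarithms modulo a constructed prime q, so that each party's key computation uses only the values the paper says that party holds. It confirms that the three honest keys agree, that in the insider attack A's key equals the one B derives without c or C's participation, and that in the key-compromise impersonation E recovers B's key from b, u, w and public values alone.

```python
import hashlib

# Toy exponent model (added example, not the paper's code): a point k*P is
# represented by the scalar k mod q and a pairing value e(P,P)^t by its exponent
# t mod q, so bilinearity e(aP,bQ) = e(P,Q)^(ab) is plain multiplication. It
# checks only the algebra in Sections 3-4; it is not a pairing implementation.
Q = 1_000_003          # constructed toy group order (prime), not a real parameter
P = 1                  # the generator P corresponds to scalar 1

def point_mul(k, U): return k * U % Q          # scalar multiplication k*U
def pairing(U, V):   return U * V % Q          # e(uP, vP) = e(P,P)^(uv)
def gt_pow(v, k):    return v * k % Q          # (e(P,P)^t)^k
def gt_mul(v1, v2):  return (v1 + v2) % Q      # e(P,P)^t1 * e(P,P)^t2

def kdf(K, *ids):      # kdf(K || A || B || C); SHA-256 stands in for the paper's kdf
    return hashlib.sha256(f"{K}|{'|'.join(ids)}".encode()).hexdigest()

def session_key(T1, T2, Y1, Y2, s, r, ids):
    # One party's computation: e(T1,T2)^(s*r) * e(Y1,Y2)^s with its static key s,
    # ephemeral key r and the other two parties' public values T1,T2,Y1,Y2.
    return kdf(gt_mul(gt_pow(pairing(T1, T2), s * r), gt_pow(pairing(Y1, Y2), s)), *ids)

def honest_run(a, b, c, x, y, z):
    YA, YB, YC = point_mul(a, P), point_mul(b, P), point_mul(c, P)
    TA, TB, TC = point_mul(x, YA), point_mul(y, YB), point_mul(z, YC)
    ids = ("A", "B", "C")
    return (session_key(TB, TC, YB, YC, a, x, ids),
            session_key(TA, TC, YA, YC, b, y, ids),
            session_key(TA, TB, YA, YB, c, z, ids))

def insider_attack(a, b, c, x, y, z_prime):
    # Section 4.1: B forges T_C' = z'*Y_C from C's public key alone (step I1);
    # C is absent, yet A's key equals the key B derives without knowing c.
    YA, YB, YC = point_mul(a, P), point_mul(b, P), point_mul(c, P)
    TA, TB, TC_fake = point_mul(x, YA), point_mul(y, YB), point_mul(z_prime, YC)
    ids = ("A", "B", "C")                         # A believes the third party is C
    KA = session_key(TB, TC_fake, YB, YC, a, x, ids)
    KB = session_key(TA, TC_fake, YA, YC, b, y, ids)
    return KA, KB

def kci_attack(a, b, c, y, u, w):
    # Section 4.2: E holds B's static key b and sends T_A' = uP, T_C' = wP (step K1).
    YA, YB, YC = point_mul(a, P), point_mul(b, P), point_mul(c, P)
    TB, TA_fake, TC_fake = point_mul(y, YB), point_mul(u, P), point_mul(w, P)
    ids = ("A", "B", "C")
    KB = session_key(TA_fake, TC_fake, YA, YC, b, y, ids)   # B's honest computation
    # E's computation uses only b, u, w and the public T_B, Y_A, Y_C (step K4):
    KE = kdf(gt_mul(gt_pow(pairing(TB, P), u * w), gt_pow(pairing(YA, YC), b)), *ids)
    return KB, KE
```

The model makes visible what the conclusion states: nothing in the key computation ties T_C to knowledge of c, so any holder of Y_C can produce an acceptable T_C.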

