This article analyzes the vulnerabilities and limitations of server-specific MAKEP and linear MAKEP protocols for low power wireless communications. It proposes improvements to overcome these limitations, particularly in addressing the unknown key-share attack.
Comments on Mutual Authentication and Key Exchange Protocols for Low Power Wireless Communications
Source: IEEE COMMUNICATIONS LETTERS, Vol.8, No.4, APRIL 2004, pp.262-263
Author: Siaw-Lynn Ng and Chris Mitchell
Speaker: Ming-Chai Li
Date: 2004/12/27
Outline
• Introduction
• Server-Specific MAKEP
• Linear MAKEP
• Conclusion
Introduction
• MAKEP (Wong and Chan, 2001)
• Server-specific MAKEP
  • Each certificate is server-specific
  • If there are n distinct servers that A wants to communicate with, she needs n distinct certificates
• Linear MAKEP( )
  • Allows each client to communicate with as many servers as it wants without inducing any scalability problems
  • Any certificate can be used to communicate with any server
Introduction
• Unknown key-share (U K-S) attack (Shim, 2003): A – E – B
• This paper proposed that:
  • The attack on linear MAKEP does not achieve
  • Demonstrate further limitations of the two protocols
Server-Specific MAKEP
• A -> B:
• B -> A:
• A -> B:
: A’s long-lived symmetric key
: nonces chosen by A, B
Session key
Server-Specific MAKEP
• Problem: the server B can always control the session key by putting
• This problem can be avoided by
  • A -> B:
  • B -> A:
  • A -> B:
• h is a one-way hash function
Linear MAKEP
• Let p be a prime, be a primitive element
• A chooses as its secret keys
• The corresponding public keys are
• For each pair of public keys , a certificate is obtained from the TA
• A -> B:
• B -> A:
• A -> B: B checks , computes key
• B -> A:
Linear MAKEP (U K-S Attack)
• The unknown key-share attack proposed by Shim will fail at the last step:
A E B
Weakness of the protocol
• An eavesdropper E can obtain in the first run, in a subsequent run
• Compute to get and then get
• After that, E can impersonate A to any other server
• In the third step, change to would prevent an eavesdropper from launching such an attack
Conclusions
• Points out an error in the U K-S attack proposed by Shim
• Shows further limitations of these protocols and suggests improvements