This paper presents an improved protocol for authenticated multiple-key agreement. The proposed protocol enhances security and efficiency by overcoming forgery problems without using one-way hash functions.
Improved Authenticated Multiple-Key Agreement Protocol
Source: Computers and Mathematics with Applications 46 (2003), pp. 207-211.
Authors: Her-Tyan Yen, Hung-Min Sun and Tzonelih Hwang

Authenticated multiple-key agreement
• Two communicating entities are allowed to establish multiple secret keys through the message exchange.

Motivation (1/2)
• Authenticated key agreement without using one-way hash functions
  • L. Harn and H.Y. Lin, Authenticated key agreement protocol without using one-way functions, in Proc. 8th National Conf. on Information Security, pp. 155-160 (1998).
• Improved authenticated multiple-key agreement protocol
  • S.M. Yen and M. Joye, Improved authenticated multiple-key agreement protocol, Electron. Lett., pp. 1738-1739 (1998).

Motivation (2/2)
• Security of authenticated multiple-key agreement protocols
  • T.S. Wu, W.H. He and C.L. Hsu, Security of authenticated multiple-key agreement protocols, Electron. Lett., pp. 391-392 (1999).
• This paper points out that the protocol of Wu et al. still suffers from the forgery problem, and proposes an improved protocol to overcome it.

The past authenticated key agreement protocol
• $p$: a large prime
• $\alpha$: a primitive element modulo $p$
• $X_A$: A's secret key
• $X_B$: B's secret key
• $y_A = \alpha^{X_A} \bmod p$: A's public key
• $y_B = \alpha^{X_B} \bmod p$: B's public key
The Wu and He protocol (authentication phase)
• A chooses two random secret numbers $k_{A1}$ and $k_{A2}$.
• A computes $r_{A1} = \alpha^{k_{A1}} \bmod p$, $r_{A2} = \alpha^{k_{A2}} \bmod p$ and $K_A = k_{A1} + k_{A2} \bmod (p-1)$.
• A computes $S_A = X_A - h(r_{A1} r_{A2})\, K_A \bmod (p-1)$.
• A sends $r_{A1}, r_{A2}, S_A, \mathrm{cert}(y_A)$ to B.
• B verifies that $(r_{A1} \cdot r_{A2})^{h(r_{A1} r_{A2})} \cdot \alpha^{S_A} \equiv y_A \pmod p$.

Verification of the Wu and He protocol (message $r_{A1}, r_{A2}, S_A, \mathrm{cert}(y_A)$):
$(r_{A1} \cdot r_{A2})^{h(r_{A1} r_{A2})} \cdot \alpha^{S_A}$
$= (r_{A1} \cdot r_{A2})^{h(r_{A1} r_{A2})} \cdot \alpha^{X_A - h(r_{A1} r_{A2}) K_A}$
$= (r_{A1} \cdot r_{A2})^{h(r_{A1} r_{A2})} \cdot \alpha^{X_A} \cdot (\alpha^{K_A})^{-h(r_{A1} r_{A2})}$
Since $K_A = k_{A1} + k_{A2} \bmod (p-1)$:
$= (r_{A1} \cdot r_{A2})^{h(r_{A1} r_{A2})} \cdot (\alpha^{k_{A1} + k_{A2}})^{-h(r_{A1} r_{A2})} \cdot \alpha^{X_A}$
Since $r_{A1} = \alpha^{k_{A1}} \bmod p$ and $r_{A2} = \alpha^{k_{A2}} \bmod p$:
$= (r_{A1} \cdot r_{A2})^{h(r_{A1} r_{A2})} \cdot (r_{A1} \cdot r_{A2})^{-h(r_{A1} r_{A2})} \cdot \alpha^{X_A}$
$= \alpha^{X_A} = y_A \pmod p$

Key generation (B's side, using B's random secret numbers $k_{B1}$ and $k_{B2}$)
• $K_1 = (r_{A1})^{k_{B1}} \bmod p$
• $K_2 = (r_{A2})^{k_{B1}} \bmod p$
• $K_3 = (r_{A1})^{k_{B2}} \bmod p$
• $K_4 = (r_{A2})^{k_{B2}} \bmod p$
Forgery attack
• If an attacker can find integers $r'_{A1}, r'_{A2}$ satisfying $r'_{A1} \cdot r'_{A2} = r_{A1} \cdot r_{A2} \pmod p$, then he can convince B that he is A.
• A's message $r_{A1}, r_{A2}, S_A, \mathrm{cert}(y_A)$ is replaced by $r'_{A1}, r'_{A2}, S_A, \mathrm{cert}(y_A)$; $S_A$ and the certificate are reused unchanged.

B's verification of the substituted message $r'_{A1}, r'_{A2}, S_A, \mathrm{cert}(y_A)$:
$(r'_{A1} \cdot r'_{A2})^{h(r'_{A1} r'_{A2})} \cdot \alpha^{S_A}$
$= (r'_{A1} \cdot r'_{A2})^{h(r'_{A1} r'_{A2})} \cdot \alpha^{X_A - h(r_{A1} r_{A2}) K_A}$
$= (r'_{A1} \cdot r'_{A2})^{h(r'_{A1} r'_{A2})} \cdot \alpha^{X_A} \cdot (\alpha^{K_A})^{-h(r_{A1} r_{A2})}$
Since $K_A = k_{A1} + k_{A2} \bmod (p-1)$:
$= (r'_{A1} \cdot r'_{A2})^{h(r'_{A1} r'_{A2})} \cdot (\alpha^{k_{A1} + k_{A2}})^{-h(r_{A1} r_{A2})} \cdot \alpha^{X_A}$
Since $r_{A1} = \alpha^{k_{A1}} \bmod p$ and $r_{A2} = \alpha^{k_{A2}} \bmod p$:
$= (r'_{A1} \cdot r'_{A2})^{h(r'_{A1} r'_{A2})} \cdot (r_{A1} \cdot r_{A2})^{-h(r_{A1} r_{A2})} \cdot \alpha^{X_A}$
Since $r'_{A1} \cdot r'_{A2} = r_{A1} \cdot r_{A2}$ (and therefore $h(r'_{A1} r'_{A2}) = h(r_{A1} r_{A2})$, because $h$ is applied to the product):
$= \alpha^{X_A} = y_A \pmod p$
The proposed protocol
• A chooses two random secret numbers $k_{A1}$ and $k_{A2}$.
• A computes $r_{A1} = \alpha^{k_{A1}} \bmod p$, $r_{A2} = \alpha^{k_{A2}} \bmod p$ and $K_A = k_{A1} + k_{A2} \bmod (p-1)$.
• A computes $S_A = X_A - (r_{A1} + r_{A2})\, K_A \bmod (p-1)$.
• A sends $r_{A1}, r_{A2}, S_A, \mathrm{cert}(y_A)$ to B.
• B verifies that $(r_{A1} \cdot r_{A2})^{(r_{A1} + r_{A2})} \cdot \alpha^{S_A} \equiv y_A \pmod p$.

Verification of the proposed protocol (message $r_{A1}, r_{A2}, S_A, \mathrm{cert}(y_A)$):
$(r_{A1} \cdot r_{A2})^{(r_{A1} + r_{A2})} \cdot \alpha^{S_A}$
$= (r_{A1} \cdot r_{A2})^{(r_{A1} + r_{A2})} \cdot \alpha^{X_A - (r_{A1} + r_{A2}) K_A}$
$= (r_{A1} \cdot r_{A2})^{(r_{A1} + r_{A2})} \cdot \alpha^{X_A} \cdot (\alpha^{K_A})^{-(r_{A1} + r_{A2})}$
Since $K_A = k_{A1} + k_{A2} \bmod (p-1)$:
$= (r_{A1} \cdot r_{A2})^{(r_{A1} + r_{A2})} \cdot (\alpha^{k_{A1} + k_{A2}})^{-(r_{A1} + r_{A2})} \cdot \alpha^{X_A}$
Since $r_{A1} = \alpha^{k_{A1}} \bmod p$ and $r_{A2} = \alpha^{k_{A2}} \bmod p$:
$= (r_{A1} \cdot r_{A2})^{(r_{A1} + r_{A2})} \cdot (r_{A1} \cdot r_{A2})^{-(r_{A1} + r_{A2})} \cdot \alpha^{X_A}$
$= \alpha^{X_A} = y_A \pmod p$
A substituted pair $r'_{A1}, r'_{A2}$ with the same product no longer passes, because the exponent $r'_{A1} + r'_{A2}$ differs from $r_{A1} + r_{A2}$ while $S_A$ was formed with the latter.

Conclusion
• The proposed protocol is secure against the forgery, is efficient, and does not involve any one-way hash function.
Authentication phase, method (1)
• A chooses two random secret numbers $k_{A1}$ and $k_{A2}$.
• A computes $r_{A1} = \alpha^{k_{A1}} \bmod p$, $r_{A2} = \alpha^{k_{A2}} \bmod p$ and $K_A = k_{A1} + k_{A2} \bmod (p-1)$.
• A computes $S_A = X_A - r_A K_A \bmod (p-1)$.
• A sends $r_{A1}, r_{A2}, S_A, \mathrm{cert}(y_A)$ to B.
• B verifies that $(r_{A1} \cdot r_{A2})^{r_A} \cdot \alpha^{S_A} \equiv y_A \pmod p$.

Verification, method (1) (message $r_{A1}, r_{A2}, S_A, \mathrm{cert}(y_A)$):
$(r_{A1} \cdot r_{A2})^{r_A} \cdot \alpha^{S_A}$
$= (r_{A1} \cdot r_{A2})^{r_A} \cdot \alpha^{X_A - r_A K_A}$
$= (r_{A1} \cdot r_{A2})^{r_A} \cdot \alpha^{X_A} \cdot (\alpha^{K_A})^{-r_A}$
Since $K_A = k_{A1} + k_{A2} \bmod (p-1)$:
$= (r_{A1} \cdot r_{A2})^{r_A} \cdot (\alpha^{k_{A1} + k_{A2}})^{-r_A} \cdot \alpha^{X_A}$
Since $r_{A1} = \alpha^{k_{A1}} \bmod p$ and $r_{A2} = \alpha^{k_{A2}} \bmod p$:
$= (r_{A1} \cdot r_{A2})^{r_A} \cdot (r_{A1} \cdot r_{A2})^{-r_A} \cdot \alpha^{X_A}$
$= \alpha^{X_A} = y_A \pmod p$

Forgery attack, method (1)
• If an attacker can find integers $r'_{A1}, r'_{A2}$ satisfying $r'_{A1} \cdot r'_{A2} = r_{A1} \cdot r_{A2} \pmod p$, then he can convince B that he is A.
• A's message $r_{A1}, r_{A2}, S_A, \mathrm{cert}(y_A)$ is replaced by $r'_{A1}, r'_{A2}, S_A, \mathrm{cert}(y_A)$.

B's verification of the substituted message, method (1), with the same exponent $r_A$:
$(r'_{A1} \cdot r'_{A2})^{r_A} \cdot \alpha^{S_A}$
$= (r'_{A1} \cdot r'_{A2})^{r_A} \cdot \alpha^{X_A - r_A K_A}$
$= (r'_{A1} \cdot r'_{A2})^{r_A} \cdot \alpha^{X_A} \cdot (\alpha^{K_A})^{-r_A}$
Since $K_A = k_{A1} + k_{A2} \bmod (p-1)$, $r_{A1} = \alpha^{k_{A1}} \bmod p$ and $r_{A2} = \alpha^{k_{A2}} \bmod p$:
$= (r'_{A1} \cdot r'_{A2})^{r_A} \cdot (r_{A1} \cdot r_{A2})^{-r_A} \cdot \alpha^{X_A}$
Since $r'_{A1} \cdot r'_{A2} = r_{A1} \cdot r_{A2}$:
$= \alpha^{X_A} = y_A \pmod p$
Authentication phase, method (2)
• A chooses two random secret numbers $k_{A1}$ and $k_{A2}$.
• A computes $r_{A1} = \alpha^{k_{A1}} \bmod p$, $r_{A2} = \alpha^{k_{A2}} \bmod p$ and $K_A = k_{A1} + k_{A2} \bmod (p-1)$.
• A computes $S_A = X_A - r_{A1} r_{A2} K_A \bmod (p-1)$.
• A sends $r_{A1}, r_{A2}, S_A, \mathrm{cert}(y_A)$ to B.
• B verifies that $(r_{A1} \cdot r_{A2})^{r_{A1} r_{A2}} \cdot \alpha^{S_A} \equiv y_A \pmod p$.

Verification, method (2) (message $r_{A1}, r_{A2}, S_A, \mathrm{cert}(y_A)$):
$(r_{A1} \cdot r_{A2})^{r_{A1} r_{A2}} \cdot \alpha^{S_A}$
$= (r_{A1} \cdot r_{A2})^{r_{A1} r_{A2}} \cdot \alpha^{X_A - (r_{A1} r_{A2}) K_A}$
$= (r_{A1} \cdot r_{A2})^{r_{A1} r_{A2}} \cdot \alpha^{X_A} \cdot (\alpha^{K_A})^{-r_{A1} r_{A2}}$
Since $K_A = k_{A1} + k_{A2} \bmod (p-1)$:
$= (r_{A1} \cdot r_{A2})^{r_{A1} r_{A2}} \cdot (\alpha^{k_{A1} + k_{A2}})^{-r_{A1} r_{A2}} \cdot \alpha^{X_A}$
Since $r_{A1} = \alpha^{k_{A1}} \bmod p$ and $r_{A2} = \alpha^{k_{A2}} \bmod p$:
$= (r_{A1} \cdot r_{A2})^{r_{A1} r_{A2}} \cdot (r_{A1} \cdot r_{A2})^{-r_{A1} r_{A2}} \cdot \alpha^{X_A}$
$= \alpha^{X_A} = y_A \pmod p$

Forgery attack, method (2)
• If an attacker can find integers $r'_{A1}, r'_{A2}$ satisfying $r'_{A1} \cdot r'_{A2} = r_{A1} \cdot r_{A2} \pmod p$, then he can convince B that he is A.
• A's message $r_{A1}, r_{A2}, S_A, \mathrm{cert}(y_A)$ is replaced by $r'_{A1}, r'_{A2}, S_A, \mathrm{cert}(y_A)$.

B's verification of the substituted message, method (2):
$(r'_{A1} \cdot r'_{A2})^{r'_{A1} r'_{A2}} \cdot \alpha^{S_A}$
$= (r'_{A1} \cdot r'_{A2})^{r'_{A1} r'_{A2}} \cdot \alpha^{X_A - (r_{A1} r_{A2}) K_A}$
$= (r'_{A1} \cdot r'_{A2})^{r'_{A1} r'_{A2}} \cdot \alpha^{X_A} \cdot (\alpha^{K_A})^{-r_{A1} r_{A2}}$
Since $K_A = k_{A1} + k_{A2} \bmod (p-1)$:
$= (r'_{A1} \cdot r'_{A2})^{r'_{A1} r'_{A2}} \cdot (\alpha^{k_{A1} + k_{A2}})^{-r_{A1} r_{A2}} \cdot \alpha^{X_A}$
Since $r_{A1} = \alpha^{k_{A1}} \bmod p$ and $r_{A2} = \alpha^{k_{A2}} \bmod p$:
$= (r'_{A1} \cdot r'_{A2})^{r'_{A1} r'_{A2}} \cdot (r_{A1} \cdot r_{A2})^{-r_{A1} r_{A2}} \cdot \alpha^{X_A}$
Since $r'_{A1} \cdot r'_{A2} = r_{A1} \cdot r_{A2}$:
$= \alpha^{X_A} = y_A \pmod p$
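The following Python script is an added example for this deck; it is not code from the paper or from the slides. It implements the authentication phase and the four-key derivation described above for the three bindings of $S_A$ that appear on these slides (the Wu and He exponent $h(r_{A1} r_{A2})$, method (2)'s exponent $r_{A1} r_{A2}$, and the proposed exponent $r_{A1} + r_{A2}$), constructs a second pair $r'_{A1}, r'_{A2}$ with the same product as the genuine one, and reports whether B's check accepts the substituted pair. It shows the point the slides make: a binding that depends only on the product accepts the substitution, while the proposed sum binding rejects it. The toy group ($p = 2^{31}-1$ with $\alpha = 7$), the SHA-256 instantiation of $h$, the function names and the range check on received values are all assumptions of the example and do not come from the paper.

```python
import hashlib
import secrets

# Constructed toy group (an assumption of this example, not from the paper):
# p = 2^31 - 1 is prime and 7 is a primitive root modulo p, so alpha generates Z_p^*.
P = 2**31 - 1
ALPHA = 7
P_MINUS_1_FACTORS = (2, 3, 7, 11, 31, 151, 331)  # distinct prime factors of p - 1


def is_primitive_root(g, p=P, factors=P_MINUS_1_FACTORS):
    """g generates Z_p^* iff g^((p-1)/q) != 1 mod p for every prime factor q of p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in factors)


def h(value):
    """Assumed instantiation of the one-way hash h(.) of Wu and He (the paper does not
    fix one): SHA-256 of the decimal integer, reduced modulo p-1 to make a valid exponent."""
    digest = hashlib.sha256(str(value).encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1)


# The three ways of binding S_A to (r_A1, r_A2) that the slides discuss.
def exponent_wu_he(r1, r2):
    return h(r1 * r2 % P)        # h(r_A1 r_A2): a function of the product only


def exponent_method2(r1, r2):
    return r1 * r2 % P           # r_A1 r_A2 (the group element): the product only


def exponent_proposed(r1, r2):
    return r1 + r2               # r_A1 + r_A2: not determined by the product


def keygen():
    """A's long-term pair (X_A, y_A = alpha^X_A mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(ALPHA, x, P)


def sign(x, k1, k2, exponent):
    """A's side of the authentication phase for a given binding exponent e(r_A1, r_A2):
    r_A1 = alpha^k_A1, r_A2 = alpha^k_A2, K_A = k_A1 + k_A2 mod (p-1),
    S_A = X_A - e(r_A1, r_A2) * K_A mod (p-1)."""
    r1, r2 = pow(ALPHA, k1, P), pow(ALPHA, k2, P)
    big_k = (k1 + k2) % (P - 1)
    s = (x - exponent(r1, r2) * big_k) % (P - 1)
    return r1, r2, s


def verify(y, r1, r2, s, exponent):
    """B's check: (r_A1 r_A2)^e * alpha^S_A == y_A (mod p).
    The range check on the received r values is an added precaution, not on the slides."""
    if not (1 < r1 < P - 1 and 1 < r2 < P - 1):
        return False
    e = exponent(r1, r2)
    return pow(r1 * r2 % P, e, P) * pow(ALPHA, s, P) % P == y


def same_product_pair(r1, r2, t):
    """A different pair with r'_A1 * r'_A2 = r_A1 * r_A2 (mod p), the condition on the
    forgery slide: r'_A1 = alpha^t and r'_A2 = r_A1 r_A2 alpha^-t (t is any exponent)."""
    f1 = pow(ALPHA, t, P)
    f2 = r1 * r2 * pow(f1, -1, P) % P
    return f1, f2


def forgery_outcome(exponent, x, k1, k2, t):
    """(genuine message accepted, substituted same-product pair accepted) for one binding."""
    y = pow(ALPHA, x, P)
    r1, r2, s = sign(x, k1, k2, exponent)
    f1, f2 = same_product_pair(r1, r2, t)
    return verify(y, r1, r2, s, exponent), verify(y, f1, f2, s, exponent)


def session_keys(r1, r2, kb1, kb2):
    """The four keys from the key-generation slide, computed by B from A's r values:
    K1 = r_A1^k_B1, K2 = r_A2^k_B1, K3 = r_A1^k_B2, K4 = r_A2^k_B2 (mod p)."""
    return (pow(r1, kb1, P), pow(r2, kb1, P), pow(r1, kb2, P), pow(r2, kb2, P))


def keys_agree(ka1, ka2, kb1, kb2):
    """A obtains the same four keys from B's r_B1, r_B2 (assumed symmetric exchange)."""
    ra1, ra2 = pow(ALPHA, ka1, P), pow(ALPHA, ka2, P)
    rb1, rb2 = pow(ALPHA, kb1, P), pow(ALPHA, kb2, P)
    b_side = session_keys(ra1, ra2, kb1, kb2)
    a_side = (pow(rb1, ka1, P), pow(rb1, ka2, P), pow(rb2, ka1, P), pow(rb2, ka2, P))
    return a_side == b_side


if __name__ == "__main__":
    assert is_primitive_root(ALPHA)
    x, k1, k2, t = 123456789, 987654321, 192837465, 55555  # constructed sample values
    for name, e in (("Wu-He h(r1 r2)", exponent_wu_he),
                    ("method (2) r1 r2", exponent_method2),
                    ("proposed r1 + r2", exponent_proposed)):
        print(f"{name:18s} genuine/substituted accepted: {forgery_outcome(e, x, k1, k2, t)}")
    print("four session keys agree:", keys_agree(11, 22, 33, 44))
```

The primitive-root check runs over every prime factor of $p-1$, so the toy $\alpha$ really generates the group and the exponent arithmetic modulo $p-1$ is exact; with a real-size prime only the three parameter constants change. The two product-only bindings accept the substituted pair for every choice of $t$, because the exponent and hence the value B recomputes are unchanged; under the sum binding the substituted exponent differs, and the check fails except with negligible probability.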