1 / 22

Improved Authenticated Multiple-Key Agreement Protocol

This paper presents an improved protocol for authenticated multiple-key agreement. The proposed protocol enhances security and efficiency by overcoming forgery problems without using one-way hash functions.

corenem
Download Presentation

Improved Authenticated Multiple-Key Agreement Protocol

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Improved Authenticated Multiple-Key Agreement Protocol Source: Computer and Mathematics with Applications 46 (2003), pp. 207-211. Author: Her-Tyan Yen, Hung-Min Sun and Tzonelih Hwang

  2. Authenticated multiple-key agreement • Two communication entities are allowed to establish multiple secret keys through the message exchange.

  3. Motivation (1/2) • Authenticated key agreement without using one-way hash functions • L. Harn and H.Y. Lin, Authenticated key agreement protocol without using one-way functions, In Proc. 8th National Conf. Information Security, 155-160 (1998). • Improved authenticated multiple-key agreement protocol • S.M. Yen and M. Joye, Improved authenticated multiple-key agreement protocol, Electron. Lett., 1738-1739, (1998)

  4. Motivation (2/2) • Security of authecticated multiple-key agreement protocols • T.S. Wu, W.H. He and C.L. Hsu, Security of authenticated multiple-key agreement protocols, Electron. Lett., 391-392 (1999). • This paper pointed out that the Wu et al.’s paper still suffers the forgery problem and proposed an improved protocol to overcome the problem.

  5. The past authenticated key agreement protocol • p : large prime • α: primitive element • XA: A’s secret key • XB: B’s secret key • , A’s public key • , B’s public key

  6. The Wu and He’s protocol(Authentication Phase) rA1, rA2, SA, cert(yA) 7. • two random secret number kA1 and kA2 2. 3. 4. 5. 6. SA = XA-h(rA1rA2)kA mod (p-1)

  7. rA1, rA2, SA, cert(yA) = (rA1.rA2)h(rA1rA2).αXA-h(rA1rA2)‧KA = (rA1.rA2)h(rA1rA2).αXA.(αKA)–h(rA1rA2) Due to KA = KA1+KA2 mod (p-1) = (rA1.rA2)h(rA1rA2).(α (KA1+KA2) ) –h(rA1rA2).αXA Due to rA1 = αkA1 mod p and rA2 = αkA2 mod p = (rA1.rA2)h(rA1rA2).(rA1.rA2) –h(rA1rA2).αXA = αXA

  8. Keys generation • K1 = (rA1)KB1 mod p • K2 = (rA2)KB1 mod p • K3 = (rA1)KB2 mod p • K4 = (rA2)KB2 mod p

  9. Forgery attack • If an attacker can find integers r΄A1, r´A2 satisfying r´A1‧ r´A2 = rA1‧ rA2 , then he can convince B that he is A. rA1, rA2, SA, cert(yA) r΄A1, r΄A2, SA, cert(yA)

  10. r’A1, r’A2, SA, cert(yA) = (r’A1.r’A2)h(r’A1r’A2).αXA-h(rA1rA2)‧KA = (r’A1.r’A2)h(r’A1r’A2).αXA.(αKA)–h(rA1rA2) Due to KA = KA1+KA2 mod (p-1) = (r’A1.r’A2)h(r’A1r’A2).(α (KA1+KA2) ) –h(rA1rA2).αXA Due to rA1 = αkA1 mod p and rA2 = αkA2 mod p = (r’A1.r’A2)h(r’A1r’A2).(rA1.rA2) –h(rA1rA2).αXA Due to r’A1‧r’A2 = rA1‧rA2 = αXA

  11. The proposed protocol rA1, rA2, SA, cert(yA) 7. • two random secret number kA1 and kA2 2. 3. 4. 5. 6. SA = XA- (rA1+rA2)kA mod (p-1)

  12. rA1, rA2, SA, cert(yA) = (rA1.rA2)(rA1+rA2).αXA-(rA1+rA2)‧KA = (rA1.rA2)(rA1+rA2).αXA.(αKA)–(rA1+rA2) Due to KA = KA1+KA2 mod (p-1) = (rA1.rA2)(rA1+rA2).(α (KA1+KA2) )–(rA1+rA2).αXA Due to rA1 = αkA1 mod p and rA2 = αkA2 mod p = (rA1.rA2)(rA1+rA2).(rA1.rA2)–(rA1+rA2).αXA = αXA

  13. Conclusion • The proposed protocol is secure and efficient against forgery, and does not involve any one-way hash function.

  14. Thanks for your listening

  15. Authentication Phase rA1, rA2, SA, cert(yA) 7. • two random secret number kA1 and kA2 2. 3. 4. 5. 6. SA = XA-rAkA mod (p-1) method (1)

  16. rA1, rA2, SA, cert(yA) = (rA1.rA2)rA.αXA-rA‧KA = (rA1.rA2)rA.αXA.(αKA)-rA Due to KA = KA1+KA2 mod (p-1) = (rA1.rA2)rA.(α (KA1+KA2)) -rA.αXA Due to rA1 = αkA1 mod p and rA2 = αkA2 mod p = (rA1.rA2)rA.(rA1.rA2) -rA.αXA = αXA method (1)

  17. Forgery attack • If an attacker can find integers r΄A1, r´A2 satisfying r´A1‧ r´A2 = rA1‧ rA2 , then he can convince B that he is A. rA1, rA2, SA, cert(yA) r΄A1, r΄A2, SA, cert(yA) method (1)

  18. r΄A1, r΄A2, SA, cert(yA) = (r΄A1.r΄A2)rA.αXA-rA‧KA = (r΄A1.r΄A2)rA.αXA.(αKA)-rA Due to KA = KA1+KA2 mod (p-1), rA1 = αkA1 mod p and rA2 = αkA2 mod p = (r΄A1.r΄A2)rA.(rA1.rA2)-rA.αXA Due to r´A1‧ r´A2 = rA1‧ rA2 = αXA Method (1)

  19. Authentication Phase rA1, rA2, SA, cert(yA) 7. • two random secret number kA1 and kA2 2. 3. 4. 5. 6. SA = XA-rA1rA2kA mod (p-1) Method (2)

  20. rA1, rA2, SA, cert(yA) = (rA1.rA2)rA1rA2.αXA-(rA1rA2)‧KA = (rA1.rA2)rA1rA2.αXA.(αKA)–rA1rA2 Due to KA = KA1+KA2 mod (p-1) = (rA1.rA2)rA1rA2.(α (KA1+KA2))–rA1rA2.αXA Due to rA1 = αkA1 mod p and rA2 = αkA2 mod p = (rA1.rA2)rA1rA2.(rA1.rA2)–rA1rA2.αXA = αXA Method (2)

  21. Forgery attack • If an attacker can find integers r΄A1, r´A2 satisfying r´A1‧ r´A2 = rA1‧ rA2 , then he can convince B that he is A. rA1, rA2, SA, cert(yA) r΄A1, r΄A2, SA, cert(yA) Method (2)

  22. rA1, rA2, SA, cert(yA) = (r’A1.r’A2)r’A1r’A2.αXA-(rA1rA2)‧KA = (r’A1.r’A2)r’A1r’A2.αXA.(αKA)–rA1rA2 Due to KA = KA1+KA2 mod (p-1) = (r’A1.r’A2)r’A1r’A2.(α (KA1+KA2)) –rA1rA2.αXA Due to rA1 = αkA1 mod p and rA2 = αkA2 mod p = (r’A1.r’A2)r’A1r’A2.(rA1.rA2) –rA1rA2.αXA Due to r’A1.r’A2 = r’A1‧r’A2 Method (2) = αXA

More Related