
Weakness of Shim’s New ID-based Tripartite Multiple-key Agreement Protocol

Weakness of Shim’s New ID-based Tripartite Multiple-key Agreement Protocol. Authors: J.S. Chou, C.H. Lin and C.H. Chiu. ePrint/2005/457. Presented by J. Liu. Outline: Introduction, Background, Shim’s protocol, Attack, Conclusion.


Presentation Transcript


  1. Weakness of Shim’s New ID-based Tripartite Multiple-key Agreement Protocol. Authors: J.S. Chou, C.H. Lin and C.H. Chiu. ePrint/2005/457. Presented by J. Liu

  2. Outline • Introduction • Background • Shim’s protocol • Attack • Conclusion

  3. Introduction • The first one-round tripartite D-H key agreement protocol was proposed by Joux in 2000. • Vulnerable to man-in-the-middle attack • Eight session keys • Unknown-key-share attack • Shim’s protocol • Impersonation attack

  4. Background • Bilinear pairing $e: G_1 \times G_1 \to G_2$, where $G_1$ is a cyclic group generated by $P$, which has order $q$, and $G_2$ is a cyclic multiplicative group of order $q$. • Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$. • Non-degeneracy: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$. • Computability.

  5. Shim’s protocol • Setup: the KGC sets $P_{pub} = sP$ and publishes the system parameters $\{G_1, G_2, q, e, P, P_{pub}, H, H_1\}$, where $H$, $H_1$ are hash functions. • Private key extraction: 1. User A submits his ID to the KGC. 2. The KGC computes $Q_{ID} = H_1(ID)$ and $S_{ID} = sQ_{ID}$.

  6. Three-party key agreement
     • A (B, C) randomly chooses $a$ and $a'$ (respectively, $(b, b')$, $(c, c')$).
     • A computes $P_A = aP$, $P'_A = a'P$ and $T_A = S_A + a^2P + a'P_{pub}$.
     • B computes $P_B = bP$, $P'_B = b'P$ and $T_B = S_B + b^2P + b'P_{pub}$.
     • C computes $P_C = cP$, $P'_C = c'P$ and $T_C = S_C + c^2P + c'P_{pub}$.

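  7. User A verifies… computes
     • A verifies $e(T_B+T_C, P) \stackrel{?}{=} e(Q_B+Q_C+P'_B+P'_C, P_{pub})\,e(P_B,P_B)\,e(P_C,P_C)$. For honest B and C the check holds because
       $e(T_B+T_C, P) = e(S_B+b^2P+b'P_{pub}+S_C+c^2P+c'P_{pub}, P)$
       $= e(sQ_B+b'sP+sQ_C+c'sP, P)\,e(b^2P,P)\,e(c^2P,P)$
       $= e(Q_B+Q_C+P'_B+P'_C, P_{pub})\,e(P_B,P_B)\,e(P_C,P_C)$.
     • A then computes
       $K_{A1} = e(P_B,P_C)^{a}$, $K_{A2} = e(P_B,P'_C)^{a}$, $K_{A3} = e(P'_B,P_C)^{a}$, $K_{A4} = e(P'_B,P'_C)^{a}$,
       $K_{A5} = e(P_B,P_C)^{a'}$, $K_{A6} = e(P_B,P'_C)^{a'}$, $K_{A7} = e(P'_B,P_C)^{a'}$, $K_{A8} = e(P'_B,P'_C)^{a'}$.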

  8. Keys
     • $K_1 = e(P,P)^{abc}$, $K_2 = e(P,P)^{abc'}$, $K_3 = e(P,P)^{ab'c}$, $K_4 = e(P,P)^{ab'c'}$,
       $K_5 = e(P,P)^{a'bc}$, $K_6 = e(P,P)^{a'bc'}$, $K_7 = e(P,P)^{a'b'c}$, $K_8 = e(P,P)^{a'b'c'}$

  9. Attack
     • Attacker X impersonates B to communicate with A and C (and gets four valid keys).
     • X computes $P_X = xP$, $P'_X = x'P - Q_B$ and $T_X = x^2P + x'P_{pub}$.
     • The verification still passes:
       $e(T_X+T_C, P) = e(x^2P+x'P_{pub}+S_C+c^2P+c'P_{pub}, P)$
       $= e(x'P+Q_C+c'P, P_{pub})\,e(x^2P+c^2P, P)$
       $= e(P'_X+Q_B+Q_C+c'P, P_{pub})\,e(P_X,P_X)\,e(P_C,P_C)$
       $= e(Q_B+Q_C+P'_X+P'_C, P_{pub})\,e(P_X,P_X)\,e(P_C,P_C)$

  10. Conclusion • Shim’s protocol cannot resist impersonation attack. • The memory of Falling-Star.
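
Added example, not from the slides or the paper: a Python run of the slide 7 check against the slide 9 message, showing that the verification accepts a T value built without S_B and rejects the same forgery once the Q_B offset is left out. It assumes a toy pairing constructed for this example (G1 as integers mod q with P = 1, parameters q = 1019, p = 2039, g = 4), which is bilinear but not secure; all function names are this example's own.

```python
import hashlib
import secrets

# Toy symmetric pairing, constructed for this example and NOT secure:
# G1 = (Z_q, +) with generator P = 1, G2 = order-q subgroup of Z_p^*,
# e(U, V) = g^(U*V) mod p. It is bilinear, which is all the check relies on.
q, p, g, P = 1019, 2039, 4, 1

def e(U, V):
    return pow(g, (U * V) % q, p)

def H1(ident):
    # Toy stand-in for H1: hash an identity to a non-zero element of G1.
    return int.from_bytes(hashlib.sha256(ident.encode()).digest(), "big") % (q - 1) + 1

def rand():
    return secrets.randbelow(q - 1) + 1

def honest_msg(S_U, Ppub):
    # Honest user: T_U = S_U + u^2 P + u' Ppub. Returns (u, (P_U, P'_U, T_U)).
    u, u2 = rand(), rand()
    return u, (u * P % q, u2 * P % q, (S_U + u * u * P + u2 * Ppub) % q)

def forged_msg(claimed_id, Ppub, offset=True):
    # Slide 9 message: public values only. P'_X = x'P - Q_B cancels the missing S_B.
    x, x2 = rand(), rand()
    PX2 = (x2 * P - (H1(claimed_id) if offset else 0)) % q
    return x, (x * P % q, PX2, (x * x * P + x2 * Ppub) % q)

def verify(id1, m1, id2, m2, Ppub):
    # Receiver's check from slide 7, applied to the two incoming messages.
    (P1, P1p, T1), (P2, P2p, T2) = m1, m2
    rhs = e(H1(id1) + H1(id2) + P1p + P2p, Ppub) * e(P1, P1) * e(P2, P2) % p
    return e(T1 + T2, P) == rhs

def demo():
    s = rand()                                   # KGC master secret, never given to X
    Ppub = s * P % q
    a, mA = honest_msg(s * H1("A") % q, Ppub)
    _, mB = honest_msg(s * H1("B") % q, Ppub)
    _, mC = honest_msg(s * H1("C") % q, Ppub)
    x, mX = forged_msg("B", Ppub)
    _, mN = forged_msg("B", Ppub, offset=False)  # control: forgery without the Q_B offset
    key_A = pow(e(mX[0], mC[0]), a, p)           # A's K_A1 = e(P_B, P_C)^a
    key_X = pow(e(mA[0], mC[0]), x, p)           # the same key computed from x
    return {"honest": verify("B", mB, "C", mC, Ppub),
            "forged": verify("B", mX, "C", mC, Ppub),
            "naive": verify("B", mN, "C", mC, Ppub),
            "key_match": key_A == key_X}

if __name__ == "__main__":
    print(demo())
```

The check only constrains the sum of the identity hashes and the P' values, so it cannot tell a T that contains S_B from one whose P' was shifted by Q_B; the key agreed via P_X is then known to whoever chose x.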
