Authenticated key agreement without using one-way hash functions
Harn, L.; Lin, H.-Y. Electronics Letters, Volume 37, Issue 10, 10 May 2001
Presented by Bin-Cheng Tzeng, 2002/10/01
Outline
• Introduction
• Digital signature schemes for Diffie-Hellman public keys
• Key agreement protocols
• Possible attacks
• Proposed protocol
• Conclusions
Introduction
• Diffie and Hellman proposed the public-key distribution scheme in 1976
• The scheme requires an authenticated channel to exchange the public keys
• Digital signatures on the exchanged public keys can provide that authentication
Introduction
• The security assumption of most signature schemes is based on some well-known computational problem
• The security of a one-way hash function is based only on the difficulty of analysing a simple iterated function
• It would be more secure to have a key distribution scheme that does not rely on one-way hash functions
Introduction
• The MQV key agreement protocol was proposed in 1995
• In 1998, the authors published a key agreement protocol
• Some attacks on this key agreement protocol were found
• The attacks can easily be avoided by modifying the signature signing equation
Digital signature schemes for Diffie-Hellman public keys
• r = g^k mod p
• k and r: short-term private key and short-term public key
• x: long-term private key
• y = g^x mod p: long-term public key
Key agreement protocols
• A sends {rA, sA, cert(yA)} to B
• B sends {rB, sB, cert(yB)} to A
• A verifies rB and computes the shared secret key
• B verifies rA and computes the shared secret key
Possible attack
• Does not offer perfect forward secrecy
• Assume that the protocol uses the signing equation x = rk + s
• KAB is the long-term shared secret key
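As an added worked example (not from the slides or the Harn-Lin paper): a toy run of the two-pass exchange above with the hash-free signing equation x = rk + s from the "Possible attack" slide, plus a function showing why that equation costs perfect forward secrecy. The parameters, function names and the certificate modelling are constructed assumptions; the signing equation of the modified protocol is not reproduced on the slides.

```python
import secrets
from math import gcd

# Constructed toy parameters (assumption): a safe prime and a primitive root,
# so every exponent lives in Z_{P-1}. Real deployments use large parameters.
P = 1019          # safe prime, 1019 = 2 * 509 + 1
G = 2             # primitive root modulo 1019
Q = P - 1


def dh_keypair():
    """Short-term (k, r = g^k mod p) or long-term (x, y = g^x mod p) pair."""
    k = 1 + secrets.randbelow(Q - 1)
    return k, pow(G, k, P)


def sign(x, k, r):
    """Hash-free signature on the short-term public key r, using the signing
    equation x = r*k + s (mod p-1) quoted on the 'Possible attack' slide."""
    return (x - r * k) % Q


def verify(y, r, s):
    """From x = r*k + s: g^x = (g^k)^r * g^s, so y must equal r^r * g^s mod p."""
    return pow(r, r, P) * pow(G, s, P) % P == y


def two_pass(xa, ya, xb, yb):
    """One two-pass run; returns the secret A derives and the secret B derives.
    cert(y) is modelled simply as y being known to the other side."""
    ka, ra = dh_keypair()
    kb, rb = dh_keypair()
    sa, sb = sign(xa, ka, ra), sign(xb, kb, rb)
    # Each side verifies the peer's signed short-term key against the peer's
    # long-term public key before deriving the shared secret g^(ka*kb) mod p.
    if not (verify(yb, rb, sb) and verify(ya, ra, sa)):
        raise ValueError("signature verification failed")
    return pow(rb, ka, P), pow(ra, kb, P)


def recover_short_term_key(x, r, s):
    """Why x = r*k + s forfeits forward secrecy: once the long-term key x is
    known, the public signature (r, s) gives k = (x - s) * r^-1 mod (p-1)
    whenever r is invertible, and with k every past secret rb^k follows.
    Returns None when r has no inverse modulo p-1."""
    if gcd(r, Q) != 1:
        return None
    return (x - s) * pow(r, -1, Q) % Q
```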
Proposed protocol
• Enables A and B to share multiple secret keys in one round of message exchange
• To share four secrets: A generates two random short-term secret keys, kA1 and kA2, the public keys rA1, rA2, and a signature sA for {rA1, rA2}, for example:
Proposed protocol (cont.)
• A sends {rA1, rA2, sA, cert(yA)} to B
• B does the same
• A verifies {rB1, rB2}
• A computes the shared secret keys as
Proposed protocol (cont.)
• B verifies {rA1, rA2} and computes the shared secret keys as
Discussion
• The original protocol is modified in its signature signing and verification equations
• The attacks on the original protocol cannot work against this modified protocol
• The modified protocol does not increase the computational load and does not involve any additional one-way hash function
Discussion (cont.)
• Multiplying these two equations together
Discussion (cont.)
• If the adversary knows four consecutive shared secret keys, he can solve for the long-term shared secret KAB
• To achieve perfect forward secrecy, use only three of the four shared secret keys
• The protocol can be generalised to let A and B share n²-1 secrets if each user sends n Diffie-Hellman public keys in each pass
Conclusions
• The security assumption relies solely on the difficulty of the discrete logarithm problem
• The protocol allows two parties to share multiple secret keys in a two-pass interaction
• The computation of the shared secret keys is simpler than in the MQV protocol