Analysis of the SPEKE Password-Authenticated Key Exchange Protocol

1. Analysis of the SPEKE Password-Authenticated Key Exchange Protocol Source: IEEE COMMUNICATIONS LETTERS, Vol. 8, No. 1, Jan. 2004, pp. 63-65 Authors: Muxiang Zhang Speaker: Chia-Chi Wu Date: 2004/10/6

2. Outline • SPEKE Password-authenticated Key Exchange • A Fully constrained SPEKE • Password Guessing Attack on SPEKE • Conclusions

3. Notations • Role: A, B • : The password shared by A and B. • : The set of all possible passwords. • rA, rB: random numbers chosen by A, and B. • f (S): a function that converts S into suitable DH base. • h( ) : a strong one-way hash function. • K: generated session key.

4. Primitive Roots • If p is a prime, gGp, then g is a primitive root mod p if for each b from 1 to p-1, there exists some a where gab mod p. 21=1 mod 11 P=11, g=2, T=10 22=2 mod 11 (10)=4 ,{1,3,7,9} 23=8 mod 11 21=2 mod 11 24=5 mod 11 23=8 mod 11 25=10 mod 11 27=7 mod 11 26=9 mod 11 29=6 mod 11 27=7 mod 11 28=3 mod 11 29=6 mod 11 210=1 mod 11

5. SPEKE Password-authenticated Key Exchange SPEKE(Simple Password Exponential Key Exchange) xA xA =f()rA mod p, rAZp* xB xB=f()rB mod p , rBZp* h(h(K)) K= xBrA mod p h(K) K= xBrA mod p = f()rB*rA mod p = f() rA*rB mod p = xArBmod p A B

6. Subgroups of ZP* for a safe prime p=2q+1 GP-1 Gq G2 P-1 1 G1 generator of Gq primitive roots We know XA(p-1)/t is of order q. Consider any Gt and Gq, q is prime, and t<q. We can see that intersection GtGq=G1. Since KGq, if K is also confined to Gt, then KG1, or K=1.

7. A Fully constrained SPEKE • Assume that the password space  is a small subset of Zp*. • P is a safe prime: • P=2q+1 and q is also a prime. • f()= 2 mod P • =0,1,p-1 are excluded.

8. A Fully constrained SPEKE xA xA =(2)rA mod p, rAZp* xB,h(h(h(K))) xB =(2)rB mod p , rBZp* K= (xA2)rB mod p (Note:K>2) h(h(K)) K= (xA2)rB mod p =((2) rA)2*rB mod p = ((2) rB)2*rA mod p = (xB2)rA mod p session key:h(K) A B

9. Password Guessing Attack on SPEKE • a=bi mod p • i=logab (without mod p) • We say that b and a are exponentially equivalent • Assume that there are m passwords, say 1, 2,…, m, whichareexponentially equivalent to a integer a, that is, 1=aj1,2=aj2,…,m=ajm • {2,4,8,…},{3,9,27,…},{5,25,125,…},{6,36, 216…}

10. Password Guessing Attack on SPEKE 1.E picks a random r and compute x=ar mod p x xB,h(h(h(K))) 2.xB =(2)rB mod p , rBZp* K= (x2)rB mod p ,V=h(h(h(K))) (Note:K>2) 3.E aborts after receiving xB and V from B. E B

11. Password Guessing Attack on SPEKE • E performs off-line password guessing on . • E computes the inverse of j1,j2,…,jm mod p-1. • For each i , 1i m, E computes Ki=(xB)rji-1 mod p Vi=h(h(h(Ki))) • If the password of B is equal to i=aji, then Ki= (xB)r ji-1 mod p =(i2)rBrji-1 mod p =(a2ji)rBrji-1 mod p =x 2rBmod p =K E checks if V=Vi for every 1i m. If V=Vi , then the password of B is i..

12. Conclusions • It can attack generic SPEKE protocol. (when f() is used as the base for exponentiation) • The adversary can test multiple possible passwords in an impersonation. • A hash function is no guarantee that all passwords are exponentially inequivalent.