1 / 15

An efficient password authenticated key exchange protocol for imbalanced wireless

An efficient password authenticated key exchange protocol for imbalanced wireless. Authors: Ya-Fen Chang, Chin-Chen Chang and Jen-Ho Yang Source: Computer Standards & Interfaces, Vol. 27, pp. 313 – 322, 2005 Reporter: Jung-wen Lo ( 駱榮問 ) Date: 2005/07/07. Introduction.

naiya
Download Presentation

An efficient password authenticated key exchange protocol for imbalanced wireless

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. An efficient password authenticated key exchange protocol for imbalanced wireless Authors: Ya-Fen Chang, Chin-Chen Chang and Jen-Ho Yang Source: Computer Standards & Interfaces, Vol. 27, pp. 313–322, 2005Reporter: Jung-wen Lo (駱榮問)Date: 2005/07/07

  2. Introduction • Bellovin-Merritt (1992) • Encrypted key exchange • Ding, P. Horster(1995) • Password guessing attack • Detectable On-line Password guessing attack • Undetectable On-line Password guessing attack • Off-line Password guessing attack • Zhu et al. (2002) • Imbalanced wireless network • Under two dictionary attack by Bao (2003) • Yeh et al. (2003) • Vulnerable to off-line dictionary attack

  3. Zhu et al.’s Protocol (2002) Client B(pw) Server A(n,e,d,pw) (n, e), rA {miR Zn}1iN rAR {0,1}l {mieR Zn}1iN {H1(mi’)}1iN check H1(m’i)?=H1(mi) rB, sBα=H2(pw, IDA,IDB,rA,rB) z =sBe+α(mod n) z, rB α=H2(pw, IDA,IDB,rA,rB) sB=(z-α)d mod n K =H3(sB) cAR {0,1}l EK(cA,IDB) K =H3(sB)DK(EK(cA,IDB)) => c’A,ID’Bcheck IDB?cB=H4(sB) σ’=H5(c’A,cB,IDA,IDB) cB=H4(sB)σ=H5(cA,cB,IDA,IDB) H6(σ’) H6(σ’) ?= H6(σ)

  4. Undetectable On-line Password Guessing Attack Client B(pw) Server A(n,e,d,pw) Attacker E(pw’) (n, e), rA rAR {0,1}l {mieR Zn}1iN check H1(m’i)?=H(mi) m’i=(mie)d {H1(mi’)}1iN rE, sEα’=H2(pw’, IDA,IDB,rA,rE)z’ =sEe+α’ (mod n) z’, rE α’’=H2(pw, IDA,IDB,rA,rE)s’E= (z’-α’’)d mod n K =H3(s’E) cAR {0,1}l EK(cA,IDB) K’ =H3(sE)DK’(EK(cA,IDB)) => c’A,ID’BIf ID’B = IDB=> pw’=pw

  5. Yeh et al.’s Protocol (2003) Client B(pw) Server A(n,e,d,pw) (n, e), rA rAR {0,1}l {miR Zn}1iN {mieR Zn}1iN m’i=(mie)d {H1(mi’)}1iN check H1(m’i)?=H(mi) sB R Znα=Epw(IDA,IDB,rA,sB) z =αe mod n z (IDA,IDB,rA,sB)=Dpw(zd mod n)cB=H3(sB)σ=H4(rA,cB,IDA,IDB) Eσ(IDB) cB=H3(sB)σ’=H4(rA,cB,IDA,IDB)check Dσ’ (Eσ(IDB)) ?= IDB H6(σ’) H6(σ’) ?= H6(σ)

  6. Cryptanalysis of Yeh et al.’s protocol • Off-line dictionary attack Server A(n,e,d,pw) Attacker E(n’,e’,d’) Client B(pw) (n’, e’), rE {miR Zn}1iN rER {0,1}l {mie’R Zn}1iN {H1(mi’)}1iN sBα=Epw(IDA,IDB,rE,sB) z =αe’mod n’ z α= zd’ mod n Dpw’(α)?=(IDA,IDB,rE,sB)

  7. ※ n=p*q p≡3 (mod 4) q≡3 (mod 4) Proposed scheme Client B(pw) Server A(p,q,pw) Epw(rA) rAR {0,1}l rA = Dpw(Epw(rA)) sB R Znσ =F1(IDA,IDB,rA,sB)α=F2(rA,sB,σ) z =sB2 mod n c1=z(p+1)/4 mod pc2=(p-z(p+1)/4) mod pc3=z(q+1)/4 mod qc4=(q-z(q+1)/4) mod qx=q(q-1 mod p)y=p(p-1 mod q) β1=(xc1+yc3) mod nβ2=(xc1+yc4) mod n β3=(xc2+yc3) mod n β4=(xc2+yc4) mod ns’B=βi, i=1,2,3,4σ’=F1(IDA,IDB,rA,s’B)α’=F2(rA,s’B,σ’)α’ ?=α≠ abort z,α F3(σ’) check F3(σ’) ?= F3(σ)

  8. ※ n=p*q=77 p≡3 (mod 4)=7 q≡3 (mod 4)=11 Proposed scheme(sample) Client B(pw) Server A(p,q,pw) Epw(rA) rA = Dpw(Epw(rA)) rAR {0,1}l=6 z,α sB R Zn=3σ =F1(IDA,IDB,rA,sB)α=F2(rA,sB,σ) z =sB2 mod n=9 c1=z(p+1)/4 mod p=81 mod 7=4c2=(p-z(p+1)/4) mod p=7-81 mod 7=3c3=z(q+1)/4 mod q=729 mod 11=5c4=(q-z(q+1)/4) mod q=11-729 mod 11=8x=q(q-1 mod p)=11×2=22y=p(p-1 mod q)=7×8=56β1=(xc1+yc3) mod n=(22×4+56×5) mod 77=60β2=(xc1+yc4) mod n=(22×4+56×8) mod 77=74β3=(xc2+yc3) mod n=(22×3+56×5) mod 77=38β4=(xc2+yc4) mod n=(22×3+56×8) mod 77=52s’B=βi, i=1,2,3,4σ’=F1(IDA,IDB,rA,s’B)α’=F2(rA,s’B,σ’)α’ ?=α≠ abort F3(σ’) check F3(σ’) ?=F3(σ)

  9. Security Analysis • A malicious user E wants to mount on-line password-guessing attacks on the proposed protocol • E impersonates B => Can not derive rA • A malicious user E wants to mount off-line password-guessing attacks on the proposed protocol • E eavesdrops and records the transmitted data Epw(rA), α, z and h(σ) • E impersonates A to get the essential information => Can not derive sB • E wants to get the session key σ => Protected by hash function • E guesses B’s password by impersonating A => B will not keep on sending the request all the time => When server terminates the protocol several times in a short time, B will detect. • Replay attack => Easily detect, because rA are different all the time

  10. Performance Analyses (1/2) • The numbers of operations for different computation types

  11. Performance Analyses (2/2) • The numbers of transmissions of the participants

  12. Conclusion • Mutual authentication • A and B authenticate each other • Explicit key authentication • A is assured B has computed the exchanged key • Computation efficiency • the computation load of the wireless device is light • Power saving • the power consumption of the wireless device in our protocol is few • Confirmation and completeness • Withstand password-guessing attacks

  13. Comments E impersonates B Detectable on-line guessing attack Authoir: A will discover it E eavesdrops and records the transmitted data Epw(rA), α, z and h(σ) zsB + pw’r’A σ’α’  IF α’=α THEN pw’=pw Performance analysis unfair Interactive protocol Hash # error in Server A 2×(F1+F2)+F3

  14. Rabin Public Key Cryptosystem(1979)-錄自詹進科老師講義 • Probabilistic encryption systems • Rabin的想法 • 是一個密文可以對應到四個明文。因此,在加密時必須加入一些有意義且易於分辨的訊息於明文中,使得解密時能夠明確地還原出原來的明文 • 方法簡介: • 選定n=p*q; 其中p與q是大質數。令明文為M,密文為C,公開加密金匙為 (b,n),秘密解密金匙為(p,q)。 • [加密程序]: • C = M * (M + b) mod n, 其中b是亂數。 • [解密程序]: • 根據上式可知 M2 + M*b - C = 0 mod n. • 故明文可由下述四者之一算出: • M = -b/2 ((b/2)2+C)1/2 mod p • M = -b/2 ((b/2)2+C)1/2 mod q

  15. Rabin Public Key Cryptosystem • Key generation • 選定n=p*q; 其中p與q是大質數, p≡q ≡3 (mod 4) • 令明文為M,密文為C,A的公開加密金匙為 n,秘密解密金匙為(p,q)。 • [加密程序]: B -> A • C = M2 mod n • [解密程序]: • ap+bq=1 by Euclidean algorithm • r = C(p+1)/4 mod p • s = C(q+1)/4 mod q • x = (aps+bqr) mod n • y = (aps-bqr) mod n • 故明文可由下述四者之一算出: • m1 = x • m2 =- x mod n • m3 = -y • m4 = -y mod n

More Related