
An efficient password authenticated key exchange protocol for imbalanced wireless

An efficient password authenticated key exchange protocol for imbalanced wireless. Authors: Ya-Fen Chang, Chin-Chen Chang and Jen-Ho Yang Source: Computer Standards & Interfaces, Vol. 27, pp. 313 – 322, 2005 Reporter: Jung-wen Lo ( 駱榮問 ) Date: 2005/07/07. Introduction.


Presentation Transcript


  1. An efficient password authenticated key exchange protocol for imbalanced wireless
     Authors: Ya-Fen Chang, Chin-Chen Chang and Jen-Ho Yang
     Source: Computer Standards & Interfaces, Vol. 27, pp. 313–322, 2005
     Reporter: Jung-wen Lo (駱榮問)
     Date: 2005/07/07

  2. Introduction
     • Bellovin-Merritt (1992)
       • Encrypted key exchange
     • Ding, P. Horster (1995)
       • Password guessing attack
         • Detectable on-line password guessing attack
         • Undetectable on-line password guessing attack
         • Off-line password guessing attack
     • Zhu et al. (2002)
       • Imbalanced wireless network
       • Under two dictionary attack by Bao (2003)
     • Yeh et al. (2003)
       • Vulnerable to off-line dictionary attack

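  3. Zhu et al.'s Protocol (2002)
     Parties: Client B(pw), Server A(n, e, d, pw)
     • A: $r_A \in_R \{0,1\}^l$
     • A → B: $(n, e),\ r_A$
     • B: $\{m_i \in_R Z_n\}_{1 \le i \le N}$
     • B → A: $\{m_i^e \in_R Z_n\}_{1 \le i \le N}$
     • A → B: $\{H_1(m'_i)\}_{1 \le i \le N}$
     • B: check $H_1(m'_i) \stackrel{?}{=} H_1(m_i)$
     • B: $r_B, s_B$; $\alpha = H_2(pw, ID_A, ID_B, r_A, r_B)$; $z = s_B^e + \alpha \pmod{n}$
     • B → A: $z,\ r_B$
     • A: $\alpha = H_2(pw, ID_A, ID_B, r_A, r_B)$; $s_B = (z - \alpha)^d \bmod n$; $K = H_3(s_B)$; $c_A \in_R \{0,1\}^l$
     • A → B: $E_K(c_A, ID_B)$
     • B: $K = H_3(s_B)$; $D_K(E_K(c_A, ID_B)) \Rightarrow c'_A, ID'_B$; check $ID_B$?; $c_B = H_4(s_B)$; $\sigma' = H_5(c'_A, c_B, ID_A, ID_B)$
     • B → A: $H_6(\sigma')$
     • A: $c_B = H_4(s_B)$; $\sigma = H_5(c_A, c_B, ID_A, ID_B)$; check $H_6(\sigma') \stackrel{?}{=} H_6(\sigma)$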

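  4. Undetectable On-line Password Guessing Attack
     Parties: Client B(pw), Server A(n, e, d, pw), Attacker E(pw')
     • A: $r_A \in_R \{0,1\}^l$
     • A → E: $(n, e),\ r_A$
     • E → A: $\{m_i^e \in_R Z_n\}_{1 \le i \le N}$
     • A: $m'_i = (m_i^e)^d$
     • A → E: $\{H_1(m'_i)\}_{1 \le i \le N}$
     • E: check $H_1(m'_i) \stackrel{?}{=} H(m_i)$
     • E: $r_E, s_E$; $\alpha' = H_2(pw', ID_A, ID_B, r_A, r_E)$; $z' = s_E^e + \alpha' \pmod{n}$
     • E → A: $z',\ r_E$
     • A: $\alpha'' = H_2(pw, ID_A, ID_B, r_A, r_E)$; $s'_E = (z' - \alpha'')^d \bmod n$; $K = H_3(s'_E)$; $c_A \in_R \{0,1\}^l$
     • A → E: $E_K(c_A, ID_B)$
     • E: $K' = H_3(s_E)$; $D_{K'}(E_K(c_A, ID_B)) \Rightarrow c'_A, ID'_B$
     • If $ID'_B = ID_B \Rightarrow pw' = pw$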

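  5. Yeh et al.'s Protocol (2003)
     Parties: Client B(pw), Server A(n, e, d, pw)
     • A: $r_A \in_R \{0,1\}^l$
     • A → B: $(n, e),\ r_A$
     • B: $\{m_i \in_R Z_n\}_{1 \le i \le N}$
     • B → A: $\{m_i^e \in_R Z_n\}_{1 \le i \le N}$
     • A: $m'_i = (m_i^e)^d$
     • A → B: $\{H_1(m'_i)\}_{1 \le i \le N}$
     • B: check $H_1(m'_i) \stackrel{?}{=} H(m_i)$
     • B: $s_B \in_R Z_n$; $\alpha = E_{pw}(ID_A, ID_B, r_A, s_B)$; $z = \alpha^e \bmod n$
     • B → A: $z$
     • A: $(ID_A, ID_B, r_A, s_B) = D_{pw}(z^d \bmod n)$; $c_B = H_3(s_B)$; $\sigma = H_4(r_A, c_B, ID_A, ID_B)$
     • A → B: $E_\sigma(ID_B)$
     • B: $c_B = H_3(s_B)$; $\sigma' = H_4(r_A, c_B, ID_A, ID_B)$; check $D_{\sigma'}(E_\sigma(ID_B)) \stackrel{?}{=} ID_B$
     • B → A: $H_6(\sigma')$
     • A: check $H_6(\sigma') \stackrel{?}{=} H_6(\sigma)$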

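  6. Cryptanalysis of Yeh et al.'s protocol
     • Off-line dictionary attack
     Parties: Server A(n, e, d, pw), Attacker E(n', e', d'), Client B(pw)
     • E: $r_E \in_R \{0,1\}^l$
     • E → B: $(n', e'),\ r_E$
     • B: $\{m_i \in_R Z_n\}_{1 \le i \le N}$
     • B → E: $\{m_i^{e'} \in_R Z_n\}_{1 \le i \le N}$
     • E → B: $\{H_1(m'_i)\}_{1 \le i \le N}$
     • B: $s_B$; $\alpha = E_{pw}(ID_A, ID_B, r_E, s_B)$; $z = \alpha^{e'} \bmod n'$
     • B → E: $z$
     • E: $\alpha = z^{d'} \bmod n$; $D_{pw'}(\alpha) \stackrel{?}{=} (ID_A, ID_B, r_E, s_B)$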

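  7. Proposed scheme
     ※ $n = p \cdot q$, $p \equiv 3 \pmod 4$, $q \equiv 3 \pmod 4$
     Parties: Client B(pw), Server A(p, q, pw)
     • A: $r_A \in_R \{0,1\}^l$
     • A → B: $E_{pw}(r_A)$
     • B: $r_A = D_{pw}(E_{pw}(r_A))$; $s_B \in_R Z_n$; $\sigma = F_1(ID_A, ID_B, r_A, s_B)$; $\alpha = F_2(r_A, s_B, \sigma)$; $z = s_B^2 \bmod n$
     • B → A: $z,\ \alpha$
     • A: $c_1 = z^{(p+1)/4} \bmod p$; $c_2 = (p - z^{(p+1)/4}) \bmod p$; $c_3 = z^{(q+1)/4} \bmod q$; $c_4 = (q - z^{(q+1)/4}) \bmod q$
     • A: $x = q\,(q^{-1} \bmod p)$; $y = p\,(p^{-1} \bmod q)$
     • A: $\beta_1 = (x c_1 + y c_3) \bmod n$; $\beta_2 = (x c_1 + y c_4) \bmod n$; $\beta_3 = (x c_2 + y c_3) \bmod n$; $\beta_4 = (x c_2 + y c_4) \bmod n$
     • A: $s'_B = \beta_i$, $i = 1, 2, 3, 4$; $\sigma' = F_1(ID_A, ID_B, r_A, s'_B)$; $\alpha' = F_2(r_A, s'_B, \sigma')$; check $\alpha' \stackrel{?}{=} \alpha$; if $\ne$, abort
     • A → B: $F_3(\sigma')$
     • B: check $F_3(\sigma') \stackrel{?}{=} F_3(\sigma)$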

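  8. Proposed scheme (sample)
     ※ $n = p \cdot q = 77$, $p \equiv 3 \pmod 4 = 7$, $q \equiv 3 \pmod 4 = 11$
     Parties: Client B(pw), Server A(p, q, pw)
     • A: $r_A \in_R \{0,1\}^l = 6$
     • A → B: $E_{pw}(r_A)$
     • B: $r_A = D_{pw}(E_{pw}(r_A))$; $s_B \in_R Z_n = 3$; $\sigma = F_1(ID_A, ID_B, r_A, s_B)$; $\alpha = F_2(r_A, s_B, \sigma)$; $z = s_B^2 \bmod n = 9$
     • B → A: $z,\ \alpha$
     • A: $c_1 = z^{(p+1)/4} \bmod p = 81 \bmod 7 = 4$
     • A: $c_2 = (p - z^{(p+1)/4}) \bmod p = 7 - 81 \bmod 7 = 3$
     • A: $c_3 = z^{(q+1)/4} \bmod q = 729 \bmod 11 = 5$
     • A: $c_4 = (q - z^{(q+1)/4}) \bmod q = 11 - 729 \bmod 11 = 8$
     • A: $x = q\,(q^{-1} \bmod p) = 11 \times 2 = 22$
     • A: $y = p\,(p^{-1} \bmod q) = 7 \times 8 = 56$
     • A: $\beta_1 = (x c_1 + y c_3) \bmod n = (22 \times 4 + 56 \times 5) \bmod 77 = 60$
     • A: $\beta_2 = (x c_1 + y c_4) \bmod n = (22 \times 4 + 56 \times 8) \bmod 77 = 74$
     • A: $\beta_3 = (x c_2 + y c_3) \bmod n = (22 \times 3 + 56 \times 5) \bmod 77 = 38$
     • A: $\beta_4 = (x c_2 + y c_4) \bmod n = (22 \times 3 + 56 \times 8) \bmod 77 = 52$
     • A: $s'_B = \beta_i$, $i = 1, 2, 3, 4$; $\sigma' = F_1(ID_A, ID_B, r_A, s'_B)$; $\alpha' = F_2(r_A, s'_B, \sigma')$; check $\alpha' \stackrel{?}{=} \alpha$; if $\ne$, abort
     • A → B: $F_3(\sigma')$
     • B: check $F_3(\sigma') \stackrel{?}{=} F_3(\sigma)$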

  9. Security Analysis
     • A malicious user E wants to mount on-line password-guessing attacks on the proposed protocol
       • E impersonates B => Cannot derive $r_A$
     • A malicious user E wants to mount off-line password-guessing attacks on the proposed protocol
       • E eavesdrops and records the transmitted data $E_{pw}(r_A)$, $\alpha$, $z$ and $h(\sigma)$
       • E impersonates A to get the essential information => Cannot derive $s_B$
       • E wants to get the session key $\sigma$ => Protected by hash function
       • E guesses B's password by impersonating A => B will not keep on sending the request all the time => When the server terminates the protocol several times in a short time, B will detect it.
     • Replay attack => Easily detected, because $r_A$ is different every time

  10. Performance Analyses (1/2) • The numbers of operations for different computation types

  11. Performance Analyses (2/2) • The numbers of transmissions of the participants

  12. Conclusion
     • Mutual authentication
       • A and B authenticate each other
     • Explicit key authentication
       • A is assured B has computed the exchanged key
     • Computation efficiency
       • The computation load of the wireless device is light
     • Power saving
       • The power consumption of the wireless device in our protocol is low
     • Confirmation and completeness
       • Withstands password-guessing attacks

  13. Comments
     • E impersonates B
       • Detectable on-line guessing attack
       • Author: A will discover it
     • E eavesdrops and records the transmitted data $E_{pw}(r_A)$, $\alpha$, $z$ and $h(\sigma)$
       • zsB + pw'r'A σ'α' IF α'=α THEN pw'=pw
     • Performance analysis unfair
       • Interactive protocol
       • Hash # error in Server A 2×(F1+F2)+F3

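  14. Rabin Public Key Cryptosystem (1979), taken from Prof. 詹進科's lecture notes
     • Probabilistic encryption systems
     • Rabin's idea
       • One ciphertext can correspond to four plaintexts. Therefore, some meaningful and easily recognizable information must be added to the plaintext at encryption time, so that decryption can unambiguously recover the original plaintext.
     • Outline of the method:
       • Choose $n = p \cdot q$, where p and q are large primes. Let the plaintext be M and the ciphertext be C; the public encryption key is (b, n) and the secret decryption key is (p, q).
     • [Encryption]:
       • $C = M (M + b) \bmod n$, where b is a random number.
     • [Decryption]:
       • From the equation above, $M^2 + M b - C = 0 \bmod n$.
       • So the plaintext is one of the following four values:
       • $M = -b/2 \pm ((b/2)^2 + C)^{1/2} \bmod p$
       • $M = -b/2 \pm ((b/2)^2 + C)^{1/2} \bmod q$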

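  15. Rabin Public Key Cryptosystem
     • Key generation
       • Choose $n = p \cdot q$, where p and q are large primes and $p \equiv q \equiv 3 \pmod 4$
       • Let the plaintext be M and the ciphertext be C; A's public encryption key is n and the secret decryption key is (p, q).
     • [Encryption]: B -> A
       • $C = M^2 \bmod n$
     • [Decryption]:
       • $ap + bq = 1$ by the Euclidean algorithm
       • $r = C^{(p+1)/4} \bmod p$
       • $s = C^{(q+1)/4} \bmod q$
       • $x = (aps + bqr) \bmod n$
       • $y = (aps - bqr) \bmod n$
       • So the plaintext is one of the following four values:
       • $m_1 = x$
       • $m_2 = -x \bmod n$
       • $m_3 = y$
       • $m_4 = -y \bmod n$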
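
The server-side step of the proposed scheme (slides 7 and 8) and the Rabin decryption of slide 15 both rest on the same four-root computation; the following is an added example, not code from the paper or the presentation, that computes the roots by CRT and then picks the root whose recomputed α matches. The helper `F` (SHA-256 with a tag) is an assumed stand-in for the unspecified one-way functions F1, F2 and F3, and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def F(tag, *parts):
    # Assumption: tagged SHA-256 over length-prefixed fields stands in for F1/F2/F3.
    h = hashlib.sha256(tag.encode())
    for part in parts:
        data = str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()

def rabin_roots(z, p, q):
    """Roots beta1..beta4 of z mod n = p*q, in the slide's order; [] if z is no square."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    c1 = pow(z, (p + 1) // 4, p)
    c2 = (p - c1) % p
    c3 = pow(z, (q + 1) // 4, q)
    c4 = (q - c3) % q
    # The exponent trick only yields a root when z is a quadratic residue.
    if (c1 * c1 - z) % p or (c3 * c3 - z) % q:
        return []
    x = q * pow(q, -1, p)   # x = 1 mod p, 0 mod q
    y = p * pow(p, -1, q)   # y = 0 mod p, 1 mod q
    return [(x * a + y * b) % n for a in (c1, c2) for b in (c3, c4)]

def client_message(n, id_a, id_b, r_a, s_b=None):
    """Client B: pick s_B, derive sigma and alpha, send z = s_B^2 mod n."""
    s_b = secrets.randbelow(n - 1) + 1 if s_b is None else s_b
    sigma = F("F1", id_a, id_b, r_a, s_b)
    alpha = F("F2", r_a, s_b, sigma)
    return pow(s_b, 2, n), alpha, sigma

def server_verify(p, q, id_a, id_b, r_a, z, alpha):
    """Server A: try each root as s'_B; return (s'_B, F3(sigma')) or None to abort."""
    for beta in rabin_roots(z, p, q):
        sigma = F("F1", id_a, id_b, r_a, beta)
        if hmac.compare_digest(F("F2", r_a, beta, sigma), alpha):
            return beta, F("F3", sigma)
    return None
```

With the sample parameters of slide 8 (p = 7, q = 11, s_B = 3, z = 9), `rabin_roots(9, 7, 11)` returns 25, 74, 3 and 52, each of which squares to 9 mod 77 and one of which is s_B. Since 729 mod 11 is 3, c3 comes out as 3 rather than the 5 printed on the slide, which is why β1 and β3 differ from the slide's 60 and 38.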
