This IEEE Communications Letters article analyzes Xu-Tilborg's Conference Key Distribution Scheme, showing that it lacks forward secrecy and is vulnerable to impersonation attacks. It reviews the initiation, user registration, and application phases, and proposes an improved application phase that removes both weaknesses.
Attacks to Xu-Tilborg's Conference Key Distribution Scheme
Source: IEEE COMMUNICATIONS LETTERS, VOL. 8, NO. 7, JULY 2004
Authors: Bae Eun Jung, Seong-Hun Paeng, and Dae Youb Kim
Speaker: Jin-Ru Hou
Date: 11/01/2004
Outline
• Introduction
• Review Scheme
  • Initiation phase
  • User registration phase
  • Application phase
• Analysis
  • Forward secrecy
  • Impersonation attack
• Improvement
• Conclusions
Introduction
• Forward Secrecy
  • Even if private keys are compromised, the session keys used in the past should not be revealed
• Xu-Tilborg's Scheme
  • Insecure in view of forward secrecy
  • Vulnerable to impersonation attacks
Review Scheme (1/3)--Initiation Phase
• Basic Notation
  • KAC: key authentication center
  • $p$: a large prime number
  • $\alpha$: a primitive element of $GF(p)$
  • $f(\cdot)$: one-way function
• KAC's keys
  • Private key $x$: a random number from $[1, p-1]$
  • Public key $y = \alpha^{x} \pmod p$ (published)
Review Scheme (2/3)--User Registration Phase
• Basic Notation
  • $ID_i$: user identity to the KAC
  • $EID_i = f(ID_i)$
  • $k_i$: a random number from $[1, p-1]$, chosen so that $\gcd(s_i, p-1) = 1$
• Signature $(r_i, s_i)$
  • $r_i = \alpha^{k_i} \pmod p$
  • $s_i = (EID_i - k_i r_i)\, x^{-1} \pmod{p-1}$
Review Scheme (3/3)--Application Phase (Step 1)
User 1:
• $v_1$: a random number from $[1, p-1]$ with $\gcd(v_1, p-1) = 1$
• $w_1 = y^{v_1} \pmod p$
• $m = f(ID_1 \,\|\, time)$
• $\eta_1 = (m - v_1 w_1)\, s_1^{-1} \pmod{p-1}$
• Send $(ID_1, r_1, w_1, \eta_1, time)$ to User $j$
User $j$:
• Check $y^{m} \overset{?}{=} w_1^{w_1} \left(\alpha^{EID_1} r_1^{-r_1}\right)^{\eta_1} \pmod p$
• $v_j$: a random number from $[1, p-1]$ with $\gcd(v_j, p-1) = 1$
• $w_j = y^{v_j} \pmod p$
• $n_j = w_1^{v_j} \pmod p$
• $\eta_j = (n_j - v_j w_j)\, s_j^{-1} \pmod{p-1}$
• Send $(ID_j, r_j, w_j, n_j, \eta_j)$ to User 1
Review Scheme (3/3)--Application Phase (Step 2)
User 1:
• Check $y^{n_j} \overset{?}{=} w_j^{w_j} \left(\alpha^{EID_j} r_j^{-r_j}\right)^{\eta_j} \pmod p$
• $r$: a random number from $[1, p-1]$
• $K_c = y^{r} \pmod p$
• $z_j = n_j^{\,v_1^{-1} r} \pmod p$
• Send $(z_j, E_{K_c}(ID_1))$ to User $j$
User $j$:
• $K_c = z_j^{\,v_j^{-1}} \pmod p$
• Check $D_{K_c}(E_{K_c}(ID_1)) \overset{?}{=} ID_1$
Analysis--Forward Secrecy
• Obtain $K_c$ from $z_j$ and $v_j^{-1}$ (once the private key $s_j$ is compromised)
  • $v_j = (n_j - \eta_j s_j)\, w_j^{-1} \pmod{p-1}$
  • If $\gcd(w_j, p-1) = 1$, we get $v_j$ directly
  • If $\gcd(w_j, p-1) = r$, we can still find $v_j$ among the $r$ solutions, since the right one satisfies
    • $w_j = y^{v_j} \pmod p$
    • $n_j = w_1^{v_j} \pmod p$
• Let $p-1 = p_1^{a_1} \cdots p_n^{a_n}$; then
Analysis--Impersonation Attacks
• $z_j$ can be obtained without knowing $v_j$:
  • $z_j = n_j^{\,v_1^{-1} r} = w_1^{\,v_j v_1^{-1} r} = \left(y^{v_1 v_j}\right)^{v_1^{-1} r} = y^{v_j r} = w_j^{\,r} \pmod p$
  • $K_c = y^{r} \pmod p$
• Hacker (chooses $r'$) sends $(z_j', E_{K_c'}(ID_1))$ to User $j$
• User $j$ gets $ID_1$ from $D_{K_c'}(E_{K_c'}(ID_1))$ and believes the Hacker is User 1
Improvement--Application Phase (Step 1)
User 1:
• $v_1$: a random number from $[1, p-1]$ with $\gcd(v_1, p-1) = 1$
• $u_1$: a random number from $[1, p-1]$ with $\gcd(u_1, p-1) = 1$
• $w_1 = y^{v_1} \pmod p$
• $n_1 = w_1^{u_1} \pmod p$
• $m = f(n_1 \,\|\, ID_1 \,\|\, time)$
• $\eta_1 = (m - v_1 w_1)\, s_1^{-1} \pmod{p-1}$
• Send $(ID_1, r_1, w_1, n_1, \eta_1, time)$ to User $j$
User $j$:
• Check $y^{m} \overset{?}{=} w_1^{w_1} \left(\alpha^{EID_1} r_1^{-r_1}\right)^{\eta_1} \pmod p$
• $v_j$: a random number from $[1, p-1]$ with $\gcd(v_j, p-1) = 1$
• $u_j$: a random number from $[1, p-1]$ with $\gcd(u_j, p-1) = 1$
• $w_j = y^{v_j} \pmod p$
• $n_j = w_1^{u_j} \pmod p$
• $\eta_j = (f(n_j) - v_j w_j)\, s_j^{-1} \pmod{p-1}$
• Send $(ID_j, r_j, w_j, n_j, \eta_j)$ to User 1
Improvement--Application Phase (Step 2)
User 1:
• Check $y^{f(n_j)} \overset{?}{=} w_j^{w_j} \left(\alpha^{EID_j} r_j^{-r_j}\right)^{\eta_j} \pmod p$
• $K_c = n_1^{u_1} \pmod p$
• $z_j = (n_1 \cdot n_j)^{u_1} \pmod p$
• Send $(z_j, E_{K_c}(ID_1))$ to User $j$
User $j$:
• $K_c = z_j \cdot \left(n_1^{u_j}\right)^{-1} \pmod p$
• Check $D_{K_c}(E_{K_c}(ID_1)) \overset{?}{=} ID_1$
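The following is an added example, not code from the paper or these slides: a Python model of the original application phase (Review Scheme 3/3), the forward-secrecy recovery from the Analysis slide, and the improved application phase above, run side by side. Everything concrete in it is a constructed assumption: the toy prime $p = 1019$ with $\alpha = 2$, $f(\cdot)$ as SHA-256 reduced modulo $p-1$, $E_{K_c}$ as an XOR with a SHA-256 keystream, the function names, the user identities and the fixed random values passed in. The `check` function is the common verification $y^{m} = w^{w}(\alpha^{EID} r^{-r})^{\eta} \pmod p$ used by both schemes.

```python
import hashlib
from math import gcd

# Constructed toy parameters (not from the paper): p = 2*509 + 1 is a safe prime
# and 2 is a primitive element of GF(1019) because 1019 = 3 (mod 8).
P = 1019
ALPHA = 2
assert pow(ALPHA, 2, P) != 1 and pow(ALPHA, 509, P) != 1   # order of alpha is exactly p-1


def f(*parts):
    """One-way function f(.): SHA-256 over the '||'-joined parts, reduced mod p-1 (used as an exponent)."""
    data = b"||".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)


def inv(a, n):
    return pow(a, -1, n)          # needs gcd(a, n) == 1


def register(x, id_i, k_i):
    """KAC signs user i: r_i = alpha^k_i, s_i = (EID_i - k_i r_i) x^-1 (mod p-1).
    Returns (EID_i, r_i, s_i), or None when s_i has no inverse mod p-1 (the scheme requires one)."""
    eid = f(id_i)
    r = pow(ALPHA, k_i, P)
    s = ((eid - k_i * r) * inv(x, P - 1)) % (P - 1)
    return (eid, r, s) if gcd(s, P - 1) == 1 else None


def find_user(x, id_i, k_start):
    """Demo helper: register id_i with the first k >= k_start that yields a usable s_i."""
    k = k_start
    while (reg := register(x, id_i, k)) is None:
        k += 1
    return (id_i, *reg)           # (ID_i, EID_i, r_i, s_i)


def check(y, eid, r, w, eta, m):
    """Verification used in both schemes: y^m == w^w (alpha^EID r^-r)^eta (mod p)."""
    rhs = pow(w, w, P) * pow(pow(ALPHA, eid, P) * pow(r, -r, P) % P, eta, P) % P
    return pow(y, m, P) == rhs


def enc(kc, data):
    """Stand-in for E_Kc / D_Kc: XOR with a SHA-256 keystream derived from Kc (self-inverse)."""
    ks = hashlib.sha256(str(kc).encode()).digest()
    return bytes(a ^ b for a, b in zip(data, ks))


def orig_run(y, usr1, usrj, v1, vj, r, time):
    """Original Xu-Tilborg application phase. Returns (Kc at User 1, Kc at User j, eavesdropped values)."""
    id1, eid1, r1, s1 = usr1
    idj, eidj, rj, sj = usrj
    w1 = pow(y, v1, P)                                          # step 1, User 1
    m = f(id1, time)
    eta1 = ((m - v1 * w1) * inv(s1, P - 1)) % (P - 1)
    assert check(y, eid1, r1, w1, eta1, m)                      # User j verifies User 1
    wj, nj = pow(y, vj, P), pow(w1, vj, P)                      # step 1, User j
    etaj = ((nj - vj * wj) * inv(sj, P - 1)) % (P - 1)
    assert check(y, eidj, rj, wj, etaj, nj)                     # User 1 verifies User j
    kc1 = pow(y, r, P)                                          # step 2, User 1
    zj = pow(nj, inv(v1, P - 1) * r % (P - 1), P)
    kcj = pow(zj, inv(vj, P - 1), P)                            # step 2, User j
    assert enc(kcj, enc(kc1, id1.encode())) == id1.encode()     # D_Kc(E_Kc(ID1)) == ID1
    return kc1, kcj, {"wj": wj, "nj": nj, "etaj": etaj, "zj": zj}


def recover_kc_from_sj(y, sj, t):
    """Forward-secrecy analysis: with s_j leaked, solve w_j * v_j == n_j - eta_j s_j (mod p-1),
    try all gcd(w_j, p-1) solutions, keep the one with y^v_j == w_j, then Kc = z_j^(v_j^-1)."""
    a, b, n = t["wj"], (t["nj"] - t["etaj"] * sj) % (P - 1), P - 1
    g = gcd(a, n)
    if b % g:
        return None
    v0 = (b // g) * inv(a // g, n // g) % (n // g)
    for vj in (v0 + k * (n // g) for k in range(g)):
        if pow(y, vj, P) == a and gcd(vj, n) == 1:
            return pow(t["zj"], inv(vj, n), P)
    return None


def improved_run(y, usr1, usrj, v1, u1, vj, uj, time):
    """Improved application phase: n_1 is under the signature and Kc = n_1^u_1 depends on no v or r."""
    id1, eid1, r1, s1 = usr1
    idj, eidj, rj, sj = usrj
    w1 = pow(y, v1, P)                                          # step 1, User 1
    n1 = pow(w1, u1, P)
    m = f(n1, id1, time)
    eta1 = ((m - v1 * w1) * inv(s1, P - 1)) % (P - 1)
    assert check(y, eid1, r1, w1, eta1, m)                      # User j verifies User 1
    wj, nj = pow(y, vj, P), pow(w1, uj, P)                      # step 1, User j
    etaj = ((f(nj) - vj * wj) * inv(sj, P - 1)) % (P - 1)
    assert check(y, eidj, rj, wj, etaj, f(nj))                  # User 1 verifies User j
    kc1 = pow(n1, u1, P)                                        # step 2, User 1
    zj = pow(n1 * nj % P, u1, P)
    kcj = zj * inv(pow(n1, uj, P), P) % P                       # step 2, User j
    assert enc(kcj, enc(kc1, id1.encode())) == id1.encode()
    return kc1, kcj, {"wj": wj, "nj": nj, "etaj": etaj, "zj": zj}


if __name__ == "__main__":
    x = 101                                 # KAC private key; gcd(101, 1018) == 1, so x^-1 mod p-1 exists
    y = pow(ALPHA, x, P)
    usr1, usrj = find_user(x, "user1", 3), find_user(x, "userj", 5)
    for name, run, args in (("original", orig_run, (7, 11, 123)), ("improved", improved_run, (7, 13, 11, 17))):
        kc1, kcj, t = run(y, usr1, usrj, *args, "2004-07-01T10:00")
        print(f"{name}: Kc agreed={kc1 == kcj}, Kc from leaked s_j={recover_kc_from_sj(y, usrj[3], t) == kc1}")
```

Run stand-alone, the original scheme prints `Kc from leaked s_j=True`: the linear relation between $\eta_j$, $s_j$ and $v_j$ gives the ephemeral exponent away, and $z_j^{v_j^{-1}}$ is the old session key. The improved scheme prints `False`: `recover_kc_from_sj` either finds no $v_j$ consistent with $w_j$ (because $\eta_j$ now signs $f(n_j)$, not $n_j$) or, even with $v_j$ known, the value it derives is not $K_c = n_1^{u_1}$, since $u_1$ and $u_j$ only ever appear as exponents of $w_1$. The solver in `recover_kc_from_sj` also covers the slide's $\gcd(w_j, p-1) = r$ case by enumerating all $r$ solutions of the congruence and keeping the one that reproduces $w_j$.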
Conclusions
• Meets forward secrecy
  • $u_j$ must be known to obtain $K_c$
• Secure against impersonation attacks
  • $w_1^{u_1 u_j}$ must be derived from $n_1$ $(= w_1^{u_1})$ and $n_j$ $(= w_j^{u_j})$