
RSA-based password authenticated key exchange protocol


Presentation Transcript


  1. RSA-based password authenticated key exchange protocol Presenter: Jung-wen Lo(駱榮問)

  2. Outline
  • Introduction
  • C.C. Yang, R.C. Wang, "Cryptanalysis of improvement of password authenticated key exchange based on RSA for imbalanced wireless networks," IEICE Transactions on Communications, Vol. E88-B, No. 11, pp. 4370-4372, 2005.
  • Chien-Lung Hsu, Wen-Te Lin, and Yen-Chun Chou, "New Efficient Password Authenticated Key Exchange Protocol for Imbalanced Wireless Networks," Journal of Computers, Vol. 18, No. 2, pp. 25-32, 2007.
  • Conclusion & Comment

  3. Introduction
  • Password-authenticated key exchange (PAKE) protocol: two communicating parties establish a shared session key over an insecure channel, authenticated only by a password they already share
  • 1992: first PAKE protocol proposed by Bellovin and Merritt
  • 2002, Zhu et al.: e-residue attack on the Bellovin-Merritt protocol
  • 2003, Yeh et al.: impersonation attack on Zhu et al.'s protocol
  • 2005, Yang-Wang: dictionary / man-in-the-middle attack on Yeh et al.'s protocol
  • 2007, Hsu et al.: performance improvement
  • Two classes of PAKE protocols: those built on Diffie–Hellman key exchange and those built on the RSA cryptosystem
  • An RSA-PAKE protocol has two phases:
    • RSA parameter generation/verification phase: a challenge/response in which the client checks that the server's (n, e) is a qualified parameter, i.e. satisfies several conditions (otherwise a malicious "server" could pick an RSA parameter that leaks the password)
    • Session key establishment phase

  4. Cryptanalysis of improvement of password authenticated key exchange based on RSA for imbalanced wireless networks Authors: C.C. Yang and R.C. Wang, Src: IEICE Transactions on Communications, Vol. E88-B, No. 11, pp. 4370-4372, 2005.

  5. Yeh et al.'s Protocol (Server A, Client B)
  • B → A: Request
  • A: r_A ∈_R {0,1}^l; A → B: (n, e), r_A
  • B: {m_i ∈_R Z_n}_{1≤i≤N}; B → A: {m_i^e mod n}_{1≤i≤N}
  • A: m'_i = (m_i^e)^d mod n; A → B: {h1(m'_i)}_{1≤i≤N}
  • B: check h1(m'_i) ?= h1(m_i) for all i (RSA parameter verification)
  • B: r_B ∈_R Z_n; π = E_pw(ID_A, ID_B, r_A, r_B); z = π^e mod n; B → A: z
  • A: π = z^d mod n; (ID_A, ID_B, r_A, r_B) = D_pw(π); c_B = h2(r_B); K = h3(r_A, c_B, ID_A, ID_B); σ = E_K(ID_B); A → B: σ
  • B: c'_B = h2(r_B); K' = h3(r_A, c'_B, ID_A, ID_B); ID'_B = D_K'(σ); check ID'_B ?= ID_B; δ = h4(K'); B → A: δ
  • A: δ' = h4(K); check δ' ?= δ

  6. Weakness of Yeh et al.'s scheme
  • Cannot resist a dictionary attack: an attacker F generates its own RSA key (n', e', d') and plays the role of Server A towards Client B
  • B → F: Request
  • F: r_F ∈_R {0,1}^l; F → B: (n', e'), r_F
  • B: {m_i ∈_R Z_n'}_{1≤i≤N}; B → F: {m_i^e' mod n'}_{1≤i≤N}
  • F: decrypts with d'; F → B: {h1(m'_i)}_{1≤i≤N}  (F passes the parameter check because it knows d')
  • B: r_B ∈_R Z_n'; π = E_pw(ID_A, ID_B, r_A, r_B) with r_A = r_F; z = π^e' mod n'; B → F: z
  • F: π = z^d' mod n'; F knows ID_A, ID_B and r_A = r_F, so each password guess pw' can be checked off-line: D_pw'(π) ?= (ID_A, ID_B, r_A, ·) until the guess that matches reveals pw

  7. Yang-Wang's Improved Protocol (Server A, Client B)
  • B → A: Request
  • A: r_A ∈_R {0,1}^l; ω = (e||n||r_A) ⊕ h1(pw); A → B: ω
  • B: e||n||r_A = ω ⊕ h1(pw); {m_i ∈_R Z_n}_{1≤i≤N}; c_i = (m_i||r_A)^e mod n; B → A: {c_i}_{1≤i≤N}
  • A: m'_i||r_A = c_i^d mod n; A → B: {h1(m'_i)}_{1≤i≤N}
  • B: check h1(m'_i) ?= h1(m_i); r_B ∈_R Z_n; π = E_pw(ID_A, ID_B, r_A, r_B); z = π^e mod n; B → A: z
  • A: π = z^d mod n; (ID_A, ID_B, r_A, r_B) = D_pw(π); c_B = h2(r_B); K = h3(r_A, c_B, ID_A, ID_B); σ = E_K(ID_B); A → B: σ
  • B: c'_B = h2(r_B); K' = h3(r_A, c'_B, ID_A, ID_B); ID'_B = D_K'(σ); check ID'_B ?= ID_B; δ = h4(K'); B → A: δ
  • A: δ' = h4(K); check δ' ?= δ

  8. New Efficient Password Authenticated Key Exchange Protocol for Imbalanced Wireless Networks Authors: Chien-Lung Hsu, Wen-Te Lin, and Yen-Chun Chou Src: Journal of Computers, Vol.18,No.2, pp. 25-32, 2007

  9. Hsu et al.'s Improved Protocol (Server A, Client B)
  • B → A: Request
  • A: r_A ∈_R {0,1}^l; ω = E_pw(r_A||n||e); A → B: ω
  • B: r_A||n||e = D_pw(ω); {m_i ∈_R Z_n}_{1≤i≤N}; B → A: {m_i^e mod n}_{1≤i≤N}
  • A → B: {h(m'_i)}_{1≤i≤N}
  • B: check h(m'_i) ?= h(m_i); r_B ∈_R Z_n; z = (r_B ⊕ pw ⊕ r_A)^e mod n; K = r_A ⊕ r_B ⊕ (ID_A||ID_B); σ = h(r_A||r_B||ID_A||ID_B||K); B → A: σ, z
  • A: r'_B = (z^d mod n) ⊕ pw ⊕ r_A; K' = r_A ⊕ r'_B ⊕ (ID_A||ID_B); check σ ?= h(r_A||r'_B||ID_A||ID_B||K'); δ = h(K'); A → B: δ
  • B: check δ ?= h(K)
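The two flows above, as an added example (not code from any of the papers): part 1 plays Client B of Yeh et al.'s protocol (slide 5) against a rogue server F that runs Yang-Wang's off-line dictionary attack (slide 6); part 2 runs Hsu et al.'s protocol (slide 9) between both parties. Everything in it is constructed: the RSA keys use small Mersenne primes, E_pw/D_pw is a SHA-256 keystream XOR, h1/H is tagged SHA-256, and r_A, r_B, pw are padded to W bytes; all of these are stand-ins for the primitives the papers leave abstract.

```python
"""Added example, not code from any of the papers: toy runs of two RSA-PAKE
flows from the slides.  Part 1 replays the rogue-server dictionary attack on
Yeh et al.'s protocol (slide 6); part 2 runs Hsu et al.'s protocol (slide 9).
Everything is constructed: RSA keys from small Mersenne primes, E_pw/D_pw as a
SHA-256 keystream XOR, h1/H as tagged SHA-256, r_A, r_B, pw padded to W bytes."""
import hashlib
import secrets

W = 8                # toy byte width of r_A, r_B, pw and ID_A||ID_B
N_CHAL = 4           # number of m_i in the qualification challenge (N on the slides)
IDS = (b"A", b"B")   # (ID_A, ID_B), constructed

def make_key(p, q):  # RSA (n, e, d) from two primes; toy sizes only
    n, e = p * q, 65537
    return n, e, pow(e, -1, (p - 1) * (q - 1))

KEY_A = make_key(2**61 - 1, 2**89 - 1)     # honest server A, n ~ 2^150
KEY_F = make_key(2**107 - 1, 2**127 - 1)   # rogue server F's own key, n ~ 2^234

def xor(*parts):     # XOR of W-byte values; shorter inputs are zero-padded
    out = bytes(W)
    for p in parts:
        out = bytes(x ^ y for x, y in zip(out, p.ljust(W, b"\0")[:W]))
    return out

def h(tag, *parts):  # stand-in for h1..h4 / H: tagged SHA-256 over length-prefixed parts
    m = hashlib.sha256(tag.encode())
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()

def sym(pw, data):   # stand-in for E_pw / D_pw: XOR with a SHA-256 keystream
    ks = b"".join(hashlib.sha256(pw + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def answer_with(key):  # server side of the parameter check: m_i^e -> h1(m_i)
    n, _, d = key
    return lambda cs: [h("h1", pow(c, d, n).to_bytes(32, "big")) for c in cs]

def qualified(n, e, answer):
    """Client side of the check: proves the peer knows d for (n, e), nothing more."""
    ms = [secrets.randbelow(n) for _ in range(N_CHAL)]
    replies = answer([pow(m, e, n) for m in ms])
    return all(r == h("h1", m.to_bytes(32, "big")) for r, m in zip(replies, ms))

# ---- Part 1: Yeh et al.'s client and the dictionary attack on it (slides 5-6)
def yeh_client_z(pw, n, e, r_a, answer):
    """Client B up to z = pi^e mod n; (n, e, r_A) arrived unauthenticated."""
    if not qualified(n, e, answer):
        raise ValueError("parameters not qualified")
    r_b = secrets.token_bytes(W)
    pi = sym(pw, IDS[0] + IDS[1] + r_a + r_b)   # pi = E_pw(ID_A, ID_B, r_A, r_B)
    return pow(int.from_bytes(pi, "big"), e, n)

def dictionary_attack(z, r_f, key, candidates):
    """F chose (n', e', d') itself: recover pi, then test each pw' off-line
    against the fields F already knows (ID_A, ID_B, r_F)."""
    n, _, d = key
    pi = pow(z, d, n).to_bytes(2 + 2 * W, "big")
    known = IDS[0] + IDS[1] + r_f
    return next((g for g in candidates if sym(g, pi)[:len(known)] == known), None)

def demo_attack(pw=b"hunter2"):  # F impersonates A; B's check passes; pw falls
    n, e, _ = KEY_F
    r_f = secrets.token_bytes(W)
    z = yeh_client_z(pw, n, e, r_f, answer_with(KEY_F))
    return dictionary_attack(z, r_f, KEY_F, [b"letmein", b"123456", b"hunter2", b"qwerty"])

# ---- Part 2: Hsu et al.'s protocol, honest run (slide 9)
def hsu_client(pw, omega, answer):
    """B: recover r_A||n||e from omega, verify the parameters, send (sigma, z); keep K."""
    blob = sym(pw, omega)
    r_a, n, e = blob[:W], int.from_bytes(blob[W:W + 32], "big"), int.from_bytes(blob[W + 32:], "big")
    if not qualified(n, e, answer):
        raise ValueError("parameters not qualified")
    r_b = secrets.token_bytes(W)
    z = pow(int.from_bytes(xor(r_b, pw, r_a), "big"), e, n)  # z = (r_B xor pw xor r_A)^e mod n
    k = xor(r_a, r_b, IDS[0] + IDS[1])                         # K = r_A xor r_B xor (ID_A||ID_B)
    return (h("H", r_a, r_b, IDS[0], IDS[1], k), z), k

def hsu_server_finish(pw, key, r_a, sigma, z):
    """A: r_B' = (z^d mod n) xor pw xor r_A; recompute K' and sigma; send delta."""
    n, _, d = key
    r_b = xor(pow(z, d, n).to_bytes(W, "big"), pw, r_a)
    k = xor(r_a, r_b, IDS[0] + IDS[1])
    if sigma != h("H", r_a, r_b, IDS[0], IDS[1], k):
        raise ValueError("sigma mismatch: wrong password or tampered z")
    return h("H", k), k

def run_hsu(pw_client, pw_server=None):
    """Whole exchange; True iff both sides accept and agree on K."""
    pw_server = pw_client if pw_server is None else pw_server
    n, e, _ = KEY_A
    r_a = secrets.token_bytes(W)
    omega = sym(pw_server, r_a + n.to_bytes(32, "big") + e.to_bytes(4, "big"))  # E_pw(r_A||n||e)
    try:
        (sigma, z), k_b = hsu_client(pw_client, omega, answer_with(KEY_A))
        delta, k_a = hsu_server_finish(pw_server, KEY_A, r_a, sigma, z)
    except (ValueError, OverflowError):
        return False
    return delta == h("H", k_b) and k_a == k_b
```

The point the two parts make together: the challenge/response in qualified() only proves that whoever sent (n, e) can invert e, which a rogue server with its own key can do, so in Yeh et al.'s flow B ends up encrypting password-dependent data under the attacker's key. Yang-Wang and Hsu et al. bind (n, e, r_A) to pw before B uses them, so a peer that does not know pw cannot make B accept a key it controls; with the wrong password, run_hsu() aborts at the parameter check.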

  10. Comparison-1 (comparison table; not recoverable from the transcript)

  11. Comparison-2 (comparison table; legend: |ε| = ciphertext length, |n| = length of the modulus n, |h| = hash output length)

  12. Conclusion & Comment
  • Conclusion
    • Less cost: computational complexity, communication overhead, number of transmissions
    • Better security
  • Comment
    • Error in Table 3
    • Performance improvement

  13. P187 Protocol (Improved) (Client B holds pw, Server A holds pw)
  • B → A: Request
  • A: RSA key (n, e, d); r_A; ω = r_A ⊕ H(pw); A → B: ID_A, n, e, ω, H(ID_A, n, e, ω)
  • B: {m_i}_{1≤i≤N}; B → A: {m_i^e mod n}_{1≤i≤N}
  • A: recovers {m_i}_{1≤i≤N}; A → B: {H(m_i)}_{1≤i≤N}
  • B: r'_A = ω ⊕ H(pw); r_B; z = (r'_A||r_B)^e mod n; B → A: z
  • A: r'_A||r'_B = z^d mod n; check r'_A ?= r_A; σ = H(r_A, r'_B, ID_A, ID_B); δ = H(σ ⊕ r'_B); A → B: δ
  • B: σ = H(r_A, r_B, ID_A, ID_B); check δ ?= H(σ ⊕ r_B)

  14. Comparison (table only partly recoverable from the transcript) New: (N+4)T_h + (N+1)T_exp + 2T_XOR | (N+4)T_h + (N+1)T_exp + 2T_XOR | 4T_XOR | 4T_XOR   ※ 1T_E ≒ 10T_h
