
Cross-Realm Password-Based Server Aided Key Exchange

Source: WISA 2010, LNCS 6513, pp. 322–336, 2011(0). Author: Kazuki Yoneyama. Presenter: Li-Tzu Chang.


Presentation Transcript


  1. Cross-Realm Password-Based Server Aided Key Exchange
     Source: WISA 2010, LNCS 6513, pp. 322–336, 2011(0)
     Author: Kazuki Yoneyama
     Presenter: Li-Tzu Chang

  2. Outline
     • Introduction
     • New Model: Cross-Realm PSAKE Security
     • Proposed Scheme
     • Conclusion

  3. Introduction
     • YB scheme
       • Secure Cross-Realm C2C-PAKE Protocol, 2006,(27)
     • WZ scheme
       • A New Security Model for Cross-Realm C2C-PAKE Protocol, 2007,(1)

  4. Outline
     • Introduction
     • New Model: Cross-Realm PSAKE Security
     • Proposed Scheme
     • Conclusion

  5. New Model
     • Execute( ) :
       • This query models passive attacks.
       • The output of this query consists of messages that were exchanged during the honest execution of the protocol among .

  6. New Model
     • SendClient(U^l, m) :
       • This query models active attacks against a client.
       • The output of this query consists of the message that the client instance U^l would generate on receipt of message m.

  7. New Model
     • SendServer(S^l, m) :
       • This query models active attacks against servers.
       • The output of this query consists of the message that the server instance S^l would generate on receipt of message m.

  8. New Model
     • SessionReveal(U^l) :
       • This query models the misuse of session keys.
       • The output of this query consists of the session key held by the client instance U^l if the session is completed for U^l. Otherwise, return ⊥.

  9. New Model
     • StaticReveal(P) :
       • This query models leakage of the static secret of P (i.e., the password between the client and the corresponding server, or the private information for the server).
       • The output of this query consists of the static secret of P.

  10. New Model
     • EphemeralReveal(P^l) :
       • This query models leakage of all session-specific information (ephemeral key) used by P^l.
       • The output of this query consists of the ephemeral key of the instance P^l.

  11. New Model
     • EstablishParty(U^l, pw_U) :
       • This query models the adversary registering a static secret pw_U on behalf of a client.
       • In this way the adversary totally controls that client.
       • Clients against whom the adversary did not issue this query are called honest.

  12. New Model
     • Test(U^l) :
       • This query does not model an adversarial ability, but the indistinguishability of the session key.
       • At the beginning a hidden bit b is chosen.
       • If no session key for the client instance U^l is defined, then return the undefined symbol ⊥.
       • Otherwise,
         • if b = 1, return the session key for the client instance U^l
         • if b = 0, return a random key from the same space.

  13. New Model
     • TestPassword(U, pw) :
       • This query does not model an adversarial ability, but the non-leakage of the password.
       • If the guessed password pw is the same as the client U's password pw, then return 1.
       • Otherwise, return 0. Note that the adversary can issue only one TestPassword query at any time during the experiment.

  14. Outline
     • Introduction
     • New Model: Cross-Realm PSAKE Security
     • Proposed Scheme
     • Conclusion

  15. Proposed Scheme
     • p, q :
       • the large primes such that p = 2q + 1
     • A, B ∈ U :
       • the identities of two clients in two different realms
     • S_A, S_B ∈ S :
       • the identities of their corresponding servers respectively.

  16. Proposed Scheme
     • Gen(1^k) :
       • key generation algorithm
     • Enc_pk(m; ω) :
       • encryption algorithm of a message m using a public key pk and randomness ω
     • Dec_sk(c) :
       • decryption algorithm of a ciphertext c using a private key sk.

  17. Proposed Scheme
     • Public information :
       • G, g, p, H_1, H_2
     • Long-term secret of clients :
       • pw_A for A and pw_B for B
     • Long-term secret of servers :
       • (pw_A, sk_{S_A}) for S_A and (pw_B, sk_{S_B}) for S_B

  18. Proposed Scheme

  19. Proposed Scheme

  20. Outline
     • Introduction
     • New Model: Cross-Realm PSAKE Security
     • Proposed Scheme
     • Conclusion

  21. Conclusion
     • UDonDA: undetectable on-line dictionary attacks
     • LEP: leakage of ephemeral private keys of servers
     • KCI: key-compromise impersonation
     • Where P denotes the number of moves of a secure 2-party PAKE.
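
The SessionReveal, Test and TestPassword queries of slides 8, 12 and 13, written out as a toy challenger. This is an added example, not code from the paper or the presentation. The names `Challenger`, `complete_session` and `single_guess_wins` are hypothetical, and raising an error on a second TestPassword query is an assumed way to enforce the one-query limit.

```python
import hmac
import secrets

BOTTOM = None  # stands for the undefined symbol ⊥


class Challenger:
    """Toy challenger answering SessionReveal, Test and TestPassword (constructed)."""

    def __init__(self, passwords, bit=None):
        self.passwords = dict(passwords)  # client U -> pw_U
        self.keys = {}                    # (U, l) -> session key of instance U^l
        self.b = secrets.randbits(1) if bit is None else bit  # hidden bit b
        self.test_password_used = False

    def complete_session(self, client, l, key):
        """Hypothetical hook: the protocol run of U^l completed with this key."""
        self.keys[(client, l)] = key

    def session_reveal(self, client, l):
        return self.keys.get((client, l), BOTTOM)

    def test(self, client, l):
        key = self.keys.get((client, l), BOTTOM)
        if key is BOTTOM:
            return BOTTOM
        # b = 1: the real session key; b = 0: a random key from the same space
        return key if self.b == 1 else secrets.token_bytes(len(key))

    def test_password(self, client, guess):
        if self.test_password_used:
            raise RuntimeError("only one TestPassword query per experiment")
        self.test_password_used = True
        real = self.passwords[client].encode()
        return 1 if hmac.compare_digest(real, guess.encode()) else 0


def single_guess_wins(dictionary, real_pw):
    """Run one fresh experiment per candidate and count the guesses that return 1."""
    wins = 0
    for guess in dictionary:
        wins += Challenger({"A": real_pw}).test_password("A", guess)
    return wins


if __name__ == "__main__":
    words = ["123456", "letmein", "hunter2", "qwerty"]  # constructed dictionary
    print(single_guess_wins(words, "hunter2"), "of", len(words), "guesses succeed")
```

With a single TestPassword query, exactly one candidate out of a dictionary of N returns 1, so a blind guess succeeds with probability 1/N.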
