Published by Monica Trentham. Modified over 2 years ago.

1
Further improvement on the modified authenticated key agreement scheme
Authors: N.Y. Lee and M.F. Lee
Source: Applied Mathematics and Computation, Vol. 157, pp. 729-733, 2004.
Adviser: Min-Shiang Hwang
Speaker: Chun-Ta Li

2
Outline
  – Introduction
  – Review and analysis of the Hsu et al. scheme
  – The proposed scheme
  – Conclusions
  – Comments

3
Introduction
In 1976, Diffie and Hellman proposed an asymmetric key agreement scheme.
In 1999, Seo and Sweeney proposed an authenticated key agreement scheme, called SAKA.
  – It used a pre-shared password to provide user authentication.
In 2000, Tseng proposed a scheme to prevent the replay attack.
  – An attacker can cheat the honest party into believing a wrong session key.
(Slide callouts: man-in-middle attack; replay attack)

4
Introduction (cont.)
In 2000, Ku and Wang pointed out that the Tseng scheme suffers from two kinds of attacks:
  – Backward replay attack without modification
      The attacker can masquerade as one communicating party.
      The attacker replays the exchanged messages to cheat the other one.
  – Modification attack
      The attacker can alter exchanged messages to cheat one party into believing a wrong session key.
In 2003, Hsu et al. proposed an improved scheme which is more efficient than the previous scheme.
(Slide callout: modification attack)

5
Review and analysis of the Hsu et al. scheme
Notation:
  – A, B: two communicating parties
  – C: an attacker
  – $id_A$, $id_B$: the identities of A and B
  – $n$: a large prime number
  – $g$: a generator with the order $n-1$
  – $P$: the common password shared between A and B
  – $Q$: an integer computed from $P$
  – $Q^{-1}$: the inverse of $Q$ (mod $n$)
  – $a$: a random number chosen by A
  – $b$: a random number chosen by B
  – $H(\cdot)$: a one-way hash function

6
Review and analysis of the Hsu et al. scheme (cont.)
Key establishment phase
  – (e.1) A computes $X_1 = g^{aQ} \bmod n$ and sends $X_1$ to B.
  – (e.2) B computes $Y_1 = g^{bQ} \bmod n$ and sends $Y_1$ to A.
  – (e.3) A computes the session key $K_1$:
      $Y = Y_1^{Q^{-1}} \bmod n = g^{b} \bmod n$
      $K_1 = Y^{a} \bmod n = g^{ab} \bmod n$
  – (e.4) B computes the session key $K_2$:
      $X = X_1^{Q^{-1}} \bmod n = g^{a} \bmod n$
      $K_2 = X^{b} \bmod n = g^{ab} \bmod n$
After step (e.4), A and B can compute the same session key $K_1 = K_2 = g^{ab} \bmod n$.

7
Review and analysis of the Hsu et al. scheme (cont.)
Key validation phase
  – (v.1) A computes $X_2 = H(id_A, K_1)$ and sends $X_2$ to B.
  – (v.2) B verifies $X_2 = H(id_A, K_2)$.
  – (v.3) B computes $Y_2 = H(id_B, K_2)$ and sends $Y_2$ to A.
  – (v.4) A verifies $Y_2 = H(id_B, K_1)$.
After step (v.4), A and B are convinced of the common secret key $K_1 = K_2 = g^{ab} \bmod n$.

8
Review and analysis of the Hsu et al. scheme (cont.)
Modification attack (C sits between A and B)
  – (e.1') A sends $X_1$; C replaces $X_1$ with $X_1' = X_1^{t} \bmod n$, and B receives $X_1'$.
  – (e.2') B sends $Y_1$; C replaces $Y_1$ with $Y_1' = Y_1^{t} \bmod n$, and A receives $Y_1'$.
  – (e.3') A computes the wrong session key $K_1'$:
      $Y' = Y_1'^{\,Q^{-1}} \bmod n \; (= g^{bt} \bmod n)$
      $K_1' = Y'^{\,a} \bmod n \; (= g^{abt} \bmod n)$
  – (e.4') B computes the wrong session key $K_2'$:
      $X' = X_1'^{\,Q^{-1}} \bmod n \; (= g^{at} \bmod n)$
      $K_2' = X'^{\,b} \bmod n \; (= g^{abt} \bmod n)$
Because $K_1'$ is equal to $K_2'$, the message digest $X_2' = H(id_A, K_1')$ is equal to $X_2' = H(id_A, K_2')$. Similarly, the digest $Y_2' = H(id_B, K_2')$ is equal to $Y_2' = H(id_B, K_1')$.

9
The proposed scheme
The key establishment phase is the same as in the Hsu et al. scheme.
Key validation phase
  – (v.1) A computes $X_2 = H(id_A, X_1, K_1)$ and sends $X_2$ to B.
  – (v.2) B verifies $X_2 = H(id_A, X_1, K_2)$.
  – (v.3) B computes $Y_2 = H(id_B, Y_1, K_2)$ and sends $Y_2$ to A.
  – (v.4) A verifies $Y_2 = H(id_B, Y_1, K_1)$.

10
The proposed scheme (cont.)
Security analysis and discussions (C sits between A and B)
  – C replaces $X_1$ and $Y_1$ with $X_1'$ and $Y_1'$.
  – To convince both parties, C has to compute $X_2' = H(id_A, X_1', K_2')$ and $Y_2' = H(id_B, Y_1', K_1')$.
  – C needs to know $K_1'$ ($K_1' = K_2'$) before computing $X_2$ and $Y_2$.
  – To find $K_1'$ ($g^{abt} \bmod n$) from $X_1$ ($g^{aQ} \bmod n$) and $Y_1$ ($g^{bQ} \bmod n$), C faces the discrete logarithm problem.
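Added example (not from the paper or the slides): a toy run of the key establishment phase with both validation variants, showing that the $X_1^t$ / $Y_1^t$ substitution passes the Hsu et al. check but is rejected once $X_1$ and $Y_1$ are hashed in. The parameter values, SHA-256 as $H$, the `derive_q` helper and the identities "A"/"B" are assumptions made for the example. It also takes $Q^{-1}$ modulo $n-1$ (the order of $g$) so that the exponents cancel, whereas the notation slide states the inverse mod $n$.

```python
import hashlib
from math import gcd

# Toy public parameters (constructed): n is the Mersenne prime 2^127 - 1;
# g = 3 is only a demo base, not checked to be a generator of order n-1.
N = 2**127 - 1
G = 3

def H(*parts):
    """One-way hash H(.) over the given fields (SHA-256 is an assumption)."""
    return hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest()

def derive_q(password):
    """Hypothetical derivation of Q from P; forces gcd(Q, n-1) = 1 so that
    Q^-1 exists modulo n-1, the modulus under which exponents of g cancel."""
    q = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % (N - 1)
    while gcd(q, N - 1) != 1:
        q += 1
    return q, pow(q, -1, N - 1)

def run(t=1, improved=False, a=2**61 - 1, b=2**89 - 1, password="shared-P"):
    """One run with fixed, constructed exponents a and b (real parties pick
    fresh random ones). C raises X1 and Y1 to the power t in transit; t=1
    means no tampering. Returns (A accepts, B accepts, key equals g^ab)."""
    q, q_inv = derive_q(password)
    x1 = pow(G, a * q, N)                        # (e.1) sent by A
    y1 = pow(G, b * q, N)                        # (e.2) sent by B
    x1_rx, y1_rx = pow(x1, t, N), pow(y1, t, N)  # what B and A receive
    k1 = pow(pow(y1_rx, q_inv, N), a, N)         # (e.3) A's session key
    k2 = pow(pow(x1_rx, q_inv, N), b, N)         # (e.4) B's session key
    # "A" and "B" stand in for id_A and id_B (constructed values).
    if improved:   # proposed validation: each side hashes the X1/Y1 it saw
        x2, x2_chk = H("A", x1, k1), H("A", x1_rx, k2)
        y2, y2_chk = H("B", y1, k2), H("B", y1_rx, k1)
    else:          # Hsu et al. validation: identity and key only
        x2, x2_chk = H("A", k1), H("A", k2)
        y2, y2_chk = H("B", k2), H("B", k1)
    return y2 == y2_chk, x2 == x2_chk, k1 == pow(G, a * b, N)

if __name__ == "__main__":
    for t in (1, 5):
        for improved in (False, True):
            print(f"t={t} improved={improved} ->", run(t, improved))
```

With `t=5` the original validation accepts on both sides although the agreed key is no longer $g^{ab}$; the improved validation rejects because A hashed the $X_1$ it sent while B hashed the $X_1'$ it received.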

11
Conclusions
  – The Hsu et al. scheme is still vulnerable to the modification attack.
  – This paper further proposes an improvement to repair the security flaw.
  – The improved scheme is as efficient as the Hsu et al. scheme.

12
Comments
  – Improvement scheme?
  – Authentication in which the communicating parties won't believe a wrong session key.
  – $Q$ and $Q^{-1}$
