
1 Password-only Authenticated Key Agreement Protocols Based on Self-certified Approach
Tzong-Chen Wu and Yen-Ching Lin
Department of Information Management
National Taiwan University of Science and Technology, Taiwan
tcwu@cs.ntsut.edu.tw, D9109101@mail.ntust.edu.tw

2 Outline
 Introduction
 Security attributes
 The proposed PAKA protocols
  System model
  The proposed 2-PAKA protocol
  The proposed n-PAKA protocol
 Conclusions

3 Introduction
 Authenticated key agreement (AKA) protocols
  Allow communicating parties to mutually authenticate each other and share an authenticated session key
  Establish a secure channel for subsequent communications
 Previous works on AKA protocols (based on the Decision Diffie-Hellman problem):
  2-AKA: Diffie, van Oorschot, Wiener (1992); Blake-Wilson, Menezes (1998)
  n-AKA: Just and Vaudenay (1996); Steiner, Tsudik, Waidner (1997); Ateniese, Steiner, Tsudik (1998, 2000); Bresson, Chevassut, Pointcheval (2001, 2002)

4 Introduction (cont.)
 Use of passwords for authentication
  Advantages: ease of use, ease of implementation, and low cost
  Disadvantages: on-/off-line guessing attacks
 Password-only authenticated key agreement (PAKA) protocols
  Achieve the security attributes of AKA
  Use only easy-to-remember passwords, and remain secure even with weak passwords (i.e., resist on-/off-line guessing attacks)

5 Introduction (cont.)
 Previous works on 2-PAKA protocols (based on the Decision Diffie-Hellman problem)
  Bellovin and Merritt (1992, 1993)
  Jablon (1996)
  Lee, Sohn, Yang, Won (1999)
  Boyko, MacKenzie, Patel (2000)
  Bellare, Pointcheval, Rogaway (2000)
  Lin, Sun, Hwang (2000); Lin, Sun, Steiner, Hwang (2001)
  MacKenzie, Patel, Swaminathan (2000)
  ……
 Previous works on n-PAKA protocols: ???

6 Contributions of this paper
 Propose a 2-PAKA protocol based on the self-certified approach
  Communicating parties use only passwords; no other secret parameters (e.g., long-term private keys) or trusted servers (as adopted by three-party PAKA protocols) are required during the key agreement phase
  Messages sent between the communicating parties are self-certified, and hence no public key certificates are required even though a public key system is used
  Achieves the security attributes of AKA
  Resists on-/off-line guessing attacks
 Generalize 2-PAKA to n-PAKA (based on CLIQUES, proposed by Steiner, Tsudik, and Waidner, 1997)

7 Security attributes
 Known-key security
  An attacker cannot derive any other established session key from a compromised session key
 Perfect forward secrecy
  An attacker cannot derive any previously established session key from a compromised password
 On-/off-line guessing attacks
  An attacker cannot find out the parties' passwords from the intercepted messages by exhaustive search

8 Security attributes (cont.)
 Password-compromised impersonation attacks
  Suppose that the password PW_i of party U_i is compromised. It may still be desirable in some circumstances that an attacker cannot impersonate the other parties U_j to U_i using the compromised PW_i
 Unknown key-share attacks
  An attacker intercepts U_i's message and replays it to U_j. For such an attack to succeed, U_i ends up believing he shares a session key with U_j, and although this is in fact the case, U_j mistakenly believes the key is instead shared with some party U_a ≠ U_i

9 System model
[Figure: parties U_1, U_2, …, U_n and the System Authority (SA)]
 1. Each party registers with its password
 2. SA returns a self-certified public value
 3. The parties run the PAKA protocol among themselves

10 System setup phase
 N: a composite N = PQ, where P and Q are two large primes
 R: a prime large enough to withstand exhaustive search
 g: a generator modulo N with order R
 f: a one-way function, where 0 < f(x) < R for any x
At the end of this phase, SA publishes N and f, while keeping P, Q and R secret.

11 User registration phase
Pre-shared between U_i and SA: {ID_i, PW_i}
 1.1 compute f(ID_i, PW_i)^-1 and f(ID_i)^-1, where f(ID_i, PW_i) · f(ID_i, PW_i)^-1 = 1 mod R and f(ID_i) · f(ID_i)^-1 = 1 mod R
 1.2 randomly choose an integer
 1.3 compute
 2. send {c_i, w_i}
 3.1 compute
 3.2 verify
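The system setup phase (slide 10) and the modular inverses of registration step 1.1 (slide 11), as an added Python example; this is not code from the paper. The slides do not say how P and Q are chosen relative to R, so the example assumes R | P-1 and R | Q-1, which guarantees an element g of order R modulo N = PQ, and it instantiates the one-way function f as SHA-256 reduced into the range 0 < f(x) < R. The parameter sizes are toy values for illustration; in the scheme R must be large enough to resist exhaustive search.

```python
import hashlib
from math import gcd


def is_prime(n):
    """Trial division; adequate only for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def system_setup(R):
    """SA's system setup phase (slide 10).

    Assumption (not stated on the slides): P and Q are chosen so that
    R | P-1 and R | Q-1, which guarantees an element of order R mod N.
    Returns the public values (N, g) and the secrets (P, Q, R).
    """
    assert is_prime(R)
    candidates = [k * R + 1 for k in range(2, 400) if is_prime(k * R + 1)]
    P, Q = candidates[0], candidates[1]
    N = P * Q
    lam = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # Carmichael lambda(N)
    for h in range(2, N):
        g = pow(h, lam // R, N)   # g^R = h^lambda = 1 (mod N)
        if g != 1:                # R is prime, so g != 1 means order exactly R
            break
    return {"N": N, "g": g}, {"P": P, "Q": Q, "R": R}


def check_public_params(public, R):
    """Sanity check SA runs before publishing: g has order exactly R mod N."""
    N, g = public["N"], public["g"]
    return g != 1 and pow(g, R, N) == 1


def f(R, *parts):
    """One-way function with 0 < f(x) < R (slide 10), instantiated here as
    SHA-256 over the length-separated inputs, reduced into [1, R-1]."""
    data = b"\x00".join(str(p).encode() for p in parts)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (R - 1)


def registration_step_1_1(R, ID, PW):
    """Step 1.1 of the registration phase (slide 11): the inverses of
    f(ID_i, PW_i) and f(ID_i) modulo R.  Reducing modulo R requires
    knowing R, which SA keeps secret, so only SA can compute these."""
    a = f(R, ID, PW)
    b = f(R, ID)
    a_inv = pow(a, -1, R)   # f(ID_i, PW_i)^-1 mod R  (Python 3.8+)
    b_inv = pow(b, -1, R)   # f(ID_i)^-1 mod R
    assert (a * a_inv) % R == 1 and (b * b_inv) % R == 1
    return a_inv, b_inv


if __name__ == "__main__":
    public, secret = system_setup(23)           # toy R; constructed example
    print("public:", public, "order check:", check_public_params(public, 23))
    print("inverses for (alice, hunter2):",
          registration_step_1_1(secret["R"], "alice", "hunter2"))
```

Because f(x) lies in [1, R-1] and R is prime, every f-value is invertible modulo R, so step 1.1 never fails; what the example makes visible is that the inverse computation is bound to the secret modulus R, which is why it sits on SA's side of the registration.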

12 Proposed 2-PAKA protocol (between U_i and U_j)
 1.1 U_i randomly chooses two integers x_i, t_i
 1.2 U_i computes
 2. U_i → U_j: {ID_i, w_i, y_i, r_i, s_i}
 3.1 U_j verifies
 3.2 U_j computes y_j, r_j and s_j as in Step 1
 3.3 U_j computes
 4. U_j → U_i: {ID_j, w_j, y_j, r_j, s_j, m_j}
 5.1 U_i verifies y_j, r_j and s_j as in Step 3.1
 5.2 U_i computes
 5.3 U_i verifies
 5.4 U_i computes
 6. U_i → U_j: {ID_i, m_i}
 7. U_j verifies

13 Proposed n-PAKA protocol
 The proposed n-PAKA protocol is similar to CLIQUES (Steiner, Tsudik, Waidner, 1997)
 Suppose that the registered parties U_1, U_2, …, U_n want to perform the n-PAKA protocol. U_1 is the originator, and the communication proceeds in the sequence U_1, U_2, …, U_n

14 Proposed n-PAKA protocol (cont.) (U_i to U_{i+1})
 1. U_i computes
 2. U_i → U_{i+1}: {ID_i, X_i, w_i, y_i, r_i, s_i}
 3. U_{i+1} verifies

15 Proposed n-PAKA protocol (cont.) (U_n to every U_i)
 4.1 U_n computes X_n, y_n, r_n and s_n as in step 1, where
 4.2 U_n computes
 5. U_n broadcasts {ID_n, X_n, w_n, r_n, s_n, m_n}
 6.1 U_i verifies {ID_n, X_n, w_n, y_n, r_n, s_n, m_n} as in step 1
 6.2 U_i computes
 6.3 U_i verifies

16 Security analysis
 Under the DLMC (discrete logarithm modulo a composite) assumption, the proposed PAKA protocols achieve:
  known-key security
  perfect forward secrecy
  resistance to on-/off-line password guessing attacks
  resistance to password-compromised impersonation attacks
  resistance to unknown key-share attacks

17 Conclusions
 A 2-PAKA protocol based on the self-certified approach is proposed
 An n-PAKA protocol, generalized from the 2-PAKA protocol, is proposed
 The security of the proposed PAKA protocols is based on the intractability of the DLMC problem

18 Thank You for Your Attention

