1. Cryptanalysis of a Communication-Efficient Three-Party Password Authenticated Key Exchange Protocol Source: Information Sciences in review Presenter: Tsuei-Hung Sun ( 孫翠鴻 ) Date: 2010/10/29

2. 2 Outline Introduction Motivation Demonstrate Scheme Security analysis Advantage vs. weakness Comment

3. 3 Introduction Password-based Authenticated Key Exchange (PAKE) protocol 3PAKE(Three-party model)

4. 4 Chang et al.’s Protocol ( T-Y. Chang, M-S. Hwang, W-P. Yang, A Communication-Efficient Three-Party Password Authenticated Key Exchange Protocol, Information Sciences (2010),doi: 10.1016/j.ins.2010.08.032.) A SB Step 1 Step 2 Step 3 Step 4,,

5. 5 Chang et al.’s Protocol A SB,, Check Step 5 Check Step 6 Session key

6. 6 Motivation Chang et al. use XOR operation to achieve the security, but it is vulnerable to a partition attack. To find a way achieve security base on 3PAKE and without server’s public key and symmetric encryption. This paper will prove Chang et al.’s scheme is completely insecure and propose improve scheme.

7. 7 Step 1 wiretap a valid session and get If and, it is a feasible password, probability is Other is a infeasible password, probability is Step 3 repeat step 2 until the range of password narrowed down to a single password. c: the number of possible values not in Z p. Demonstrate Step 2 off-line guess password (1) assume a password is a real A’s password. (2) use to distinguish whether the is in G or not.

8. 8 Demonstrate Example G={ } CD=D; D={pw 1,pw 2,pw 3,pw 4 }={1,2,4,8} p= 23; Z p ={0,1,…,41,22}; generator g=2 Assume A’s password is pw 4 True: First partition: e S1 =9 CD: set of candidate passwords. D: space of password. FD: feasible passwords : infeasible passwords (m) b : binary representation of message m

9. 9 Demonstrate Second partition: e S1 =2; CD=FD={pw 2,pw 4 } True: CD=FD={pw 4 }

10. 10 Scheme A SB Step 1 Step 2 Step 3 Step 4

11. 11 Scheme A SB Step 5 Check Step 6 Check,, Session key

12. 12 Security analysis Undetectable on-line guessing attack Off-line guessing attack Forward security of session key

13. 13 Advantage vs. weakness Advantage – Using elliptic curve cryptography (ECC) additive operation replace XOR operator that attack can’t distinguish feasible and infeasible passwords. – ECC can achieve the same level of security with smaller key size. – It is applicable in low resource environments, like smart cards or mobile unit. – Easily noting authenticators ( ) Weakness – Computing time and computational complexity are more than XOR.

14. 14 Comment This paper use elliptic curve to replace Chang et al.’s XOR. Is the performance of this paper better then Chang et al.’s scheme? The partition attack mention at demonstrate, something like brute-force attack which is not a efficiency attack. The related work about Chang et al.’s scheme, from notation to step statement are the same as Chang et al.’s paper.

15. 15 References Entropy http://en.wikipedia.org/wiki/Introduction_to_entropy http://en.wikipedia.org/wiki/Introduction_to_entropy Random oracle model http://www.wordiq.com/definition/Random_oracle_model http://www.wordiq.com/definition/Random_oracle_model Random oracle http://en.wikipedia.org/wiki/Random_oracle http://en.wikipedia.org/wiki/Random_oracle Low (High)-entropy http://www.phate.tw/viewthread.php?tid=6679http://www.phate.tw/viewthread.php?tid=6679 Cyclic group http://en.wikipedia.org/wiki/Cyclic_group http://en.wikipedia.org/wiki/Cyclic_group

16. 16 Appendix Entropy is a quantifiable measure of how evenly energy is distributed in a system. In a physical system entropy provides a measure of the amount of energy that cannot be used to do work. Low-entropy ： easy-to-remember high-entropy ： difficult-to-remember (Reflection Attack on a Generalized Key Agreement and Password Authentication Protocol) Random oracle model – Definition ： A random oracle is a theoretical model of a perfect cryptographic hash function. It is used in proofs that indicate that cryptographic systems or protocols are secure by showing that an attacker must either consider how the hash function works, or solve some other problem believed hard, in order to break the protocol. Cyclic group (a group of prime order q): In group theory, a cyclic group is a group that can be generated by a single element, in the sense that the group has an element g (called a "generator" of the group) such that, when written multiplicatively, every element of the group is a power of g (a multiple of g when the notation is additive).

17. 17 invalidate or block the use of a password: when a number of failed attempts occurs. (undetectable online dictionary attack) password becomes an element in G: additional function is needed to obtain this element from the password string, we do not care about details of the function and simply use the result PW (in group G) as the “effective password” instead: anyone knowing PW is actually able to impersonate the client or the server, and the security proof shows that attacking the protocol reduces to finding PW. In other words, at the protocol level, PW is the password needed for authentication and password string is just a way to remember it.