Weakness of Shim’s New ID-based Tripartite Multiple-key Agreement Protocol. Authors: J.S. Chou, C.H. Lin and C.H. Chiu. ePrint/2005/457. Presented by J. Liu.


1 Weakness of Shim’s New ID-based Tripartite Multiple-key Agreement Protocol. Authors: J.S. Chou, C.H. Lin and C.H. Chiu. ePrint/2005/457. Presented by J. Liu

2 Outline
- Introduction
- Background
- Shim’s protocol
- Attack
- Conclusion

3 Introduction
- The first one-round tripartite D-H key agreement protocol was proposed by Joux in 2000.
- Vulnerable to man-in-the-middle attack
- Eight session keys
- Unknown-key-share attack
- Shim’s protocol
- Impersonation attack

4 Background
A bilinear pairing is a map $e: G_1 \times G_1 \to G_2$, where $G_1$ is a cyclic group generated by $P$, which has order $q$, and $G_2$ is a cyclic multiplicative group of order $q$.
1. $e(aP, bQ) = e(P, Q)^{ab}$.
2. There exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.
3. Computability.

5 Shim’s protocol
Setup: the KGC sets $P_{pub} = sP$ and publishes the system parameters $\{G_1, G_2, q, e, P, P_{pub}, H, H_1\}$, where $H$, $H_1$ are hash functions.
Private key extraction:
1. User A submits his ID to the KGC.
2. The KGC computes $Q_{ID} = H_1(ID)$ and $S_{ID} = sQ_{ID}$.

6 Three-party key agreement
A (B, C) randomly chooses $a$ and $a'$ (respectively, $(b, b')$, $(c, c')$).
- A computes $P_A = aP$, $P'_A = a'P$ and $T_A = S_A + a^2P + a'P_{pub}$.
- B computes $P_B = bP$, $P'_B = b'P$ and $T_B = S_B + b^2P + b'P_{pub}$.
- C computes $P_C = cP$, $P'_C = c'P$ and $T_C = S_C + c^2P + c'P_{pub}$.

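7 User A verifies the received values and computes the keys.

$$e(T_B + T_C, P) = e(S_B + b^2P + b'P_{pub} + S_C + c^2P + c'P_{pub}, P)$$
$$= e(sQ_B + b'sP + sQ_C + c'sP, P)\, e(b^2P, P)\, e(c^2P, P)$$
$$= e(Q_B + Q_C + P'_B + P'_C, P_{pub})\, e(P_B, P_B)\, e(P_C, P_C)$$

A accepts if $e(T_B + T_C, P)$, computed from the received $T_B$ and $T_C$, equals the final expression, which uses only public values. A then computes:

$K_{A1} = e(P_B, P_C)^{a}$, $K_{A2} = e(P_B, P'_C)^{a}$, $K_{A3} = e(P'_B, P_C)^{a}$, $K_{A4} = e(P'_B, P'_C)^{a}$,
$K_{A5} = e(P_B, P_C)^{a'}$, $K_{A6} = e(P_B, P'_C)^{a'}$, $K_{A7} = e(P'_B, P_C)^{a'}$, $K_{A8} = e(P'_B, P'_C)^{a'}$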

8 Keys
$K_1 = e(P,P)^{abc}$, $K_2 = e(P,P)^{abc'}$, $K_3 = e(P,P)^{ab'c}$, $K_4 = e(P,P)^{ab'c'}$,
$K_5 = e(P,P)^{a'bc}$, $K_6 = e(P,P)^{a'bc'}$, $K_7 = e(P,P)^{a'b'c}$, $K_8 = e(P,P)^{a'b'c'}$

9 Attack
Attacker X impersonates B to communicate with A and C (and gets four valid keys).
X computes $P_X = xP$, $P'_X = x'P - Q_B$ and $T_X = x^2P + x'P_{pub}$. The verification equation still holds:

$$e(T_X + T_C, P) = e(x^2P + x'P_{pub} + S_C + c^2P + c'P_{pub}, P)$$
$$= e(x'P + Q_C + c'P, P_{pub})\, e(x^2P + c^2P, P)$$
$$= e(P'_X + Q_B + Q_C + c'P, P_{pub})\, e(P_X, P_X)\, e(P_C, P_C)$$
$$= e(Q_B + Q_C + P'_X + P'_C, P_{pub})\, e(P_X, P_X)\, e(P_C, P_C)$$

10 Conclusion
Shim’s protocol cannot resist the impersonation attack.
The memory of Falling-Star.
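
The verification on slide 7 and the forgery on slide 9 can be checked numerically. The following is an added example, not code from the paper or the presentation: it uses a constructed toy pairing in which discrete logs are trivial, so it only confirms the algebra, and the names `honest_message`, `forged_message` and `a_accepts` are hypothetical.

```python
import hashlib
import secrets

# Toy symmetric pairing, constructed for this example and NOT secure:
# G1 = (Z_q, +) with generator P = 1, G2 = order-q subgroup of Z_p^*,
# e(X, Y) = g^(XY) mod p, so e(aP, bQ) = e(P, Q)^(ab).
q, p, g, P = 1019, 2039, 4, 1          # p = 2q + 1, g has order q

def e(X, Y):
    return pow(g, (X * Y) % q, p)

def H1(identity):                       # hash an ID to a nonzero element of G1
    digest = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (q - 1)

def rnd():                              # random nonzero scalar
    return 1 + secrets.randbelow(q - 1)

s = rnd()                               # KGC master secret
P_pub = s * P % q

def honest_message(identity):
    """(P_U, P'_U, T_U) with T_U = S_U + r^2 P + r' P_pub; needs S_U = s Q_U."""
    r, r2 = rnd(), rnd()
    S = s * H1(identity) % q
    return (r * P % q, r2 * P % q, (S + r * r * P + r2 * P_pub) % q)

def forged_message(victim_id, subtract_Q=True):
    """X's message: T_X = x^2 P + x' P_pub uses no private key at all."""
    x, x2 = rnd(), rnd()
    offset = H1(victim_id) if subtract_Q else 0   # P'_X = x'P - Q_B
    return (x * P % q, (x2 * P - offset) % q, (x * x * P + x2 * P_pub) % q)

def a_accepts(id1, m1, id2, m2):
    """A's check: e(T1+T2, P) == e(Q1+Q2+P'1+P'2, P_pub) e(P1,P1) e(P2,P2)."""
    (P1, P1p, T1), (P2, P2p, T2) = m1, m2
    lhs = e((T1 + T2) % q, P)
    rhs = e((H1(id1) + H1(id2) + P1p + P2p) % q, P_pub) * e(P1, P1) * e(P2, P2) % p
    return lhs == rhs

if __name__ == "__main__":
    m_C = honest_message("C")
    print("honest B accepted:     ", a_accepts("B", honest_message("B"), "C", m_C))
    print("forged B accepted:     ", a_accepts("B", forged_message("B"), "C", m_C))
    print("forged, no -Q_B offset:", a_accepts("B", forged_message("B", False), "C", m_C))
```

The forged message passes because the $-Q_B$ term in $P'_X$ cancels the $Q_B$ that A adds on the right-hand side, so the check never depends on $S_B$; without that offset the same forgery is rejected.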

