1. Improvement of Password Authenticated Key Exchange Based on RSA for Imbalanced Wireless Networks IEICE Transactions on Communications, Vol. E86-B, No. 11, pp. 3278-3282 Nov. 2003 H.T. Yeh, H.M. Sun, C.T. Yang, B.C. Chen and S.M. Tseng Presented by Chang-Kuo Yeh

2. 2 Outline Introduction Zhu et al. ’ s Protocol Cryptanalysis Zhu et al. ’ s Protocol Improvement of Zhu et al. ’ s Protocol Comments

3. 3 Introduction(1) Types of password guessing Detectable on-line Undetectable on-line: Verify the correctness of his guess using the response of the server. Off-line: un-detectable Types of key authentication Explicit: A is assured that B has actually computed the exchanged key Implicit:

4. 4 Zhu et al ’ s protocol Insecure against undetectable on-line password guessing No provide explicit key authentication The proposed protocol Overcome above problems Introduction(2)

5. 5 Zhu et al. ’ s Protocol Server A Client B (pw) 1. r A (n, e), r A r B, s B π=T(pw, ID A,ID B,r A,r B ) z =s B e +π 3’. k =G 1 (s B ) c B =G 2 (sB) z, r B 3. π=T(pw, ID A,ID B,r A,r B ) Decrypt (z-π) => s B k =G 1 (s B ) c A E k (c A,ID B ) 4. D k (E k (c A,ID B )) => c’ A check ID B ? σ’=G 3 (c’ A,c B,ID A,ID B ) h(σ’) 5. h(σ’) ?= h(σ) 4’. c B =G 2 (s B ) σ=G 3 (c A,c B,ID A,ID B ) 2. {m i  R Z n } 1  i  N {m i e  R Z n } 1  i  N {H(m i ’)} 1  i  N H(m i ’)=H(m i )?

6. 6 Cryptanalysis Zhu et al. ’ s Protocol Server A Attacker E (pw) 1. r A (n, e), r A 2’.r E, s E π’=T(pw’, ID A,ID B,r A,r E ) z’ =s E e +π’ z’, r E 3. π=T(pw, ID A,ID B,r A,r E ) Decrypt (z’-π) => s’ E k =G 1 (s’ E ) c A E k (c A,ID B ) 4. k’ =G 1 (s E ) D k’ (E k (c A,ID B )) => If ID B correct ==> pw’=pw 2. Intercept (n, e), r A Interactive check (n,e) Client B {m i e  R Z n } 1  i  N {H(m i ’)} 1  i  N The server cannot check the authenticity of legal user or the adversary after receiving (z ’, r E )

7. 7 Improvement of Zhu et al. ’ s Protocol Server A Client B (pw) 1. r A (n, e), r A 2’. s B π=E pw (ID A,ID B,r A,s B ) z =π e mod n z 3. Decrypt z => π D pw (π)=(ID A,ID B,r A,s B ) Check ID A, ID B, r A c B =G 1 (s B ) σ=G 2 (r A,c B,ID A,ID B ) E σ (ID B ) 4. c B =G 1 (s B ) σ’=G 2 (r A,c B,ID A,ID B ) check D σ’ (E σ (ID B )) ?= ID B h(σ’) 5. h(σ’) ?= h(σ) 2. {m i  R Z n } 1  i  N {m i e  R Z n } 1  i  N {H(m i ’ )} 1  i  N

8. 8 Comments attacker 自己造出一組 Public Key 及 Private Key, 再假扮 Server 與 Client 溝通. 利用 Client 送來的 資料, 使用 guessing password 來解, 如果得到 正確的資料, 就猜到 Client 的 password 了 這種攻擊發生時,server 最後期待收到使用者的 回應卻沒收到, 既然是 guessing attack, 這種情形 會重複發生,server 便會有所警覺。 Explicit key authentication?: 當 A,B 雙方可以溝通 時,B 不就可以知道 A 確實有算出 session key