Slide 1: An efficient password authenticated key exchange protocol for imbalanced wireless
Authors: Ya-Fen Chang, Chin-Chen Chang and Jen-Ho Yang
Source: Computer Standards & Interfaces, Vol. 27, pp. 313-322, 2005
Reporter: Jung-wen Lo (駱榮問)
Date: 2005/07/07

Slide 2: Introduction
- Bellovin-Merritt (1992): Encrypted key exchange
- Ding and Horster (1995): Password guessing attacks
  - Detectable on-line password guessing attack
  - Undetectable on-line password guessing attack
  - Off-line password guessing attack
- Zhu et al. (2002): Imbalanced wireless network
  - Subject to two dictionary attacks by Bao (2003)
- Yeh et al. (2003): Vulnerable to off-line dictionary attack

Slide 3: Zhu et al.'s Protocol (2002)
Server A holds (n, e, d, pw); Client B holds pw.

A: r_A ∈_R {0,1}^l
A → B: (n, e), r_A
B: m_i ∈_R Z_n, 1 ≤ i ≤ N
B → A: {m_i^e mod n}, 1 ≤ i ≤ N
A → B: {H_1(m_i')}, 1 ≤ i ≤ N, where m_i' = (m_i^e)^d mod n
B: check H_1(m_i') ?= H_1(m_i)
B: choose r_B, s_B; α = H_2(pw, ID_A, ID_B, r_A, r_B); z = s_B^e + α (mod n)
B → A: z, r_B
A: α = H_2(pw, ID_A, ID_B, r_A, r_B); s_B = (z − α)^d mod n; K = H_3(s_B); c_A ∈_R {0,1}^l
A → B: E_K(c_A, ID_B)
B: K = H_3(s_B); D_K(E_K(c_A, ID_B)) ⇒ c'_A, ID'_B; check ID'_B ?= ID_B; c_B = H_4(s_B); σ' = H_5(c'_A, c_B, ID_A, ID_B)
B → A: H_6(σ')
A: c_B = H_4(s_B); σ = H_5(c_A, c_B, ID_A, ID_B); check H_6(σ') ?= H_6(σ)

Slide 4: Undetectable On-line Password Guessing Attack (on Zhu et al.'s protocol)
Server A holds (n, e, d, pw); Attacker E holds a password guess pw' and plays Client B's role.

A: r_A ∈_R {0,1}^l
A → E: (n, e), r_A
E → A: {m_i^e mod n}, 1 ≤ i ≤ N (the client's public-key check)
A → E: {H_1(m_i')}, 1 ≤ i ≤ N, where m_i' = (m_i^e)^d mod n
E: check H_1(m_i') ?= H_1(m_i)
E: choose r_E, s_E; α' = H_2(pw', ID_A, ID_B, r_A, r_E); z' = s_E^e + α' (mod n)
E → A: z', r_E
A: α'' = H_2(pw, ID_A, ID_B, r_A, r_E); s'_E = (z' − α'')^d mod n; K = H_3(s'_E); c_A ∈_R {0,1}^l
A → E: E_K(c_A, ID_B)
E: K' = H_3(s_E); D_K'(E_K(c_A, ID_B)) ⇒ c'_A, ID'_B
E: if ID'_B = ID_B then pw' = pw

Slide 5: Yeh et al.'s Protocol (2003)
Server A holds (n, e, d, pw); Client B holds pw.

A: r_A ∈_R {0,1}^l
A → B: (n, e), r_A
B: m_i ∈_R Z_n, 1 ≤ i ≤ N
B → A: {m_i^e mod n}, 1 ≤ i ≤ N
A → B: {H_1(m_i')}, 1 ≤ i ≤ N, where m_i' = (m_i^e)^d mod n
B: check H_1(m_i') ?= H_1(m_i)
B: s_B ∈_R Z_n; α = E_pw(ID_A, ID_B, r_A, s_B); z = α^e mod n
B → A: z
A: (ID_A, ID_B, r_A, s_B) = D_pw(z^d mod n); c_B = H_3(s_B); σ = H_4(r_A, c_B, ID_A, ID_B)
A → B: E_σ(ID_B)
B: c_B = H_3(s_B); σ' = H_4(r_A, c_B, ID_A, ID_B); check D_σ'(E_σ(ID_B)) ?= ID_B
B → A: H_6(σ')
A: check H_6(σ') ?= H_6(σ)

Slide 6: Cryptanalysis of Yeh et al.'s protocol
- Off-line dictionary attack
Attacker E holds its own key pair (n', e', d') and impersonates Server A; Client B holds pw.

E: r_E ∈_R {0,1}^l
E → B: (n', e'), r_E
B: m_i ∈_R Z_n, 1 ≤ i ≤ N
B → E: {m_i^{e'} mod n'}, 1 ≤ i ≤ N
E → B: {H_1(m_i')}, 1 ≤ i ≤ N (E holds d', so B's public-key check passes)
B: s_B; α = E_pw(ID_A, ID_B, r_E, s_B); z = α^{e'} mod n'
B → E: z
E: α = z^{d'} mod n'; for each candidate pw', test D_pw'(α) ?= (ID_A, ID_B, r_E, s_B)

Slide 7: Proposed scheme
Server A holds (p, q, pw); Client B holds pw.
※ n = p*q, p ≡ 3 (mod 4), q ≡ 3 (mod 4)

A: r_A ∈_R {0,1}^l
A → B: E_pw(r_A)
B: r_A = D_pw(E_pw(r_A)); s_B ∈_R Z_n; σ = F_1(ID_A, ID_B, r_A, s_B); α = F_2(r_A, s_B, σ); z = s_B^2 mod n
B → A: z, α
A: c_1 = z^{(p+1)/4} mod p
   c_2 = (p − z^{(p+1)/4}) mod p
   c_3 = z^{(q+1)/4} mod q
   c_4 = (q − z^{(q+1)/4}) mod q
   x = q(q^{-1} mod p)
   y = p(p^{-1} mod q)
   β_1 = (x c_1 + y c_3) mod n
   β_2 = (x c_1 + y c_4) mod n
   β_3 = (x c_2 + y c_3) mod n
   β_4 = (x c_2 + y c_4) mod n
   s'_B = β_i, i = 1, 2, 3, 4
   σ' = F_1(ID_A, ID_B, r_A, s'_B); α' = F_2(r_A, s'_B, σ')
   α' ?= α; if ≠ for every β_i, abort
A → B: F_3(σ')
B: check F_3(σ') ?= F_3(σ)

Slide 8: Proposed scheme (sample)
Server A holds (p, q, pw); Client B holds pw.
※ n = p*q = 77, p ≡ 3 (mod 4): p = 7, q ≡ 3 (mod 4): q = 11

A: r_A ∈_R {0,1}^l = 6
A → B: E_pw(r_A)
B: r_A = D_pw(E_pw(r_A)); s_B ∈_R Z_n = 3; σ = F_1(ID_A, ID_B, r_A, s_B); α = F_2(r_A, s_B, σ); z = s_B^2 mod n = 9
B → A: z, α
A: c_1 = z^{(p+1)/4} mod p = 81 mod 7 = 4
   c_2 = (p − z^{(p+1)/4}) mod p = 7 − 81 mod 7 = 3
   c_3 = z^{(q+1)/4} mod q = 729 mod 11 = 5
   c_4 = (q − z^{(q+1)/4}) mod q = 11 − 729 mod 11 = 8
   x = q(q^{-1} mod p) = 11 × 2 = 22
   y = p(p^{-1} mod q) = 7 × 8 = 56
   β_1 = (x c_1 + y c_3) mod n = (22 × 4 + 56 × 5) mod 77 = 60
   β_2 = (x c_1 + y c_4) mod n = (22 × 4 + 56 × 8) mod 77 = 74
   β_3 = (x c_2 + y c_3) mod n = (22 × 3 + 56 × 5) mod 77 = 38
   β_4 = (x c_2 + y c_4) mod n = (22 × 3 + 56 × 8) mod 77 = 52
   s'_B = β_i, i = 1, 2, 3, 4
   σ' = F_1(ID_A, ID_B, r_A, s'_B); α' = F_2(r_A, s'_B, σ')
   α' ?= α; if ≠ for every β_i, abort
A → B: F_3(σ')
B: check F_3(σ') ?= F_3(σ)

Slide 9: Security Analysis
- A malicious user E wants to mount on-line password-guessing attacks on the proposed protocol: E impersonates B ⇒ cannot derive r_A
- A malicious user E wants to mount off-line password-guessing attacks on the proposed protocol:
  - E eavesdrops and records the transmitted data E_pw(r_A), α, z and h(σ)
  - E impersonates A to get the essential information ⇒ cannot derive s_B
- E wants to get the session key σ ⇒ protected by the hash function
- E guesses B's password by impersonating A ⇒ B will not keep sending the request all the time ⇒ when the server terminates the protocol several times in a short time, B will detect it
- Replay attack ⇒ easily detected, because r_A is different every time

Slide 10: Performance Analyses (1/2)
- The numbers of operations for different computation types (participants A and B)

Zhu et al.'s protocol
  Exponential computation: N+1
  Symmetric en(de)cryption: A 1, B 1
  Hash: N+5
Yeh et al.'s protocol
  Exponential computation: N+1
  Symmetric en(de)cryption: A 2, B 2
  Hash: N+3
Our proposed protocol
  Exponential computation: A 2, B 0
  Symmetric en(de)cryption: A 1, B 1
  Hash: A 8/4/2, B 3

Slide 11: Performance Analyses (2/2)
- The numbers of transmissions of the participants

Protocol                 A   B
Zhu et al.'s protocol    3   3
Yeh et al.'s protocol    3   3
Our proposed protocol    2   1

Slide 12: Conclusion
- Mutual authentication: A and B authenticate each other
- Explicit key authentication: A is assured that B has computed the exchanged key
- Computation efficiency: the computation load of the wireless device is light
- Power saving: the power consumption of the wireless device in our protocol is low
- Confirmation and completeness: withstands password-guessing attacks

Slide 13: Comments
- E impersonates B: detectable on-line guessing attack. Author: A will discover it
- E eavesdrops and records the transmitted data E_pw(r_A), α, z and h(σ): z → s_B; + pw' → r'_A → σ' → α'; IF α' = α THEN pw' = pw
- Performance analysis unfair: interactive protocol
- Hash count error in Server A ⇒ 2 × (F_1 + F_2) + F_3

Slide 14: Rabin Public Key Cryptosystem (1979) - excerpted from Prof. 詹進科's lecture notes
- Probabilistic encryption systems
- Rabin's idea: one ciphertext corresponds to four plaintexts. Therefore, when encrypting, some meaningful and easily recognizable information must be added to the plaintext so that decryption can unambiguously recover the original plaintext.
- Method overview: choose n = p*q, where p and q are large primes. Let the plaintext be M and the ciphertext C; the public encryption key is (b, n) and the secret decryption key is (p, q).
- [Encryption]: C = M * (M + b) mod n, where b is a random number.
- [Decryption]: from the above, M^2 + M*b − C = 0 mod n.
- Hence the plaintext is one of the following four values:
  M = −b/2 ± ((b/2)^2 + C)^{1/2} mod p
  M = −b/2 ± ((b/2)^2 + C)^{1/2} mod q

Slide 15: Rabin Public Key Cryptosystem
- Key generation: choose n = p*q, where p and q are large primes with p ≡ q ≡ 3 (mod 4). Let the plaintext be M and the ciphertext C; A's public encryption key is n and the secret decryption key is (p, q).
- [Encryption]: B → A: C = M^2 mod n
- [Decryption]: find a, b with ap + bq = 1 by the Euclidean algorithm
  r = C^{(p+1)/4} mod p
  s = C^{(q+1)/4} mod q
  x = (aps + bqr) mod n
  y = (aps − bqr) mod n
- Hence the plaintext is one of the following four values: m_1 = x, m_2 = −x mod n, m_3 = y, m_4 = −y mod n
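As an added example (not code from the paper or from these slides), the following Python carries the server step of the proposed scheme (slides 7 and 8) and the Rabin square-root recovery it relies on (slide 15) through the slide-8 toy parameters p = 7, q = 11, s_B = 3, r_A = 6. It assumes F_1, F_2, F_3 are modelled by tagged SHA-256 and that the E_pw(r_A) exchange has already delivered r_A to the client; both are assumptions, as is the abort case where a client holding a wrong r_A (wrong password) is rejected.

```python
import hashlib

# Toy parameters from slide 8 of the presentation.
P, Q = 7, 11                 # both p and q are 3 (mod 4), so square roots are cheap
N = P * Q                    # 77

def F(tag, *parts):
    """Stand-in for the hash functions F1, F2, F3 (assumption: tagged SHA-256)."""
    data = tag + "|" + "|".join(str(x) for x in parts)
    return hashlib.sha256(data.encode()).hexdigest()

def rabin_roots(z, p, q):
    """The four square roots of z modulo n = p*q, computed as on slide 7."""
    n = p * q
    c1 = pow(z, (p + 1) // 4, p)   # a root of z mod p
    c2 = (p - c1) % p              # the other root mod p
    c3 = pow(z, (q + 1) // 4, q)   # a root of z mod q
    c4 = (q - c3) % q              # the other root mod q
    x = q * pow(q, -1, p)          # CRT coefficients x and y from the slide
    y = p * pow(p, -1, q)
    # beta_1..beta_4 in the slide's order: (c1,c3), (c1,c4), (c2,c3), (c2,c4)
    return [(x * a + y * b) % n for a in (c1, c2) for b in (c3, c4)]

def client_step(id_a, id_b, r_a, s_b, n=N):
    """Client B: derive sigma and alpha from r_A and its random s_B; send z and alpha."""
    sigma = F("F1", id_a, id_b, r_a, s_b)
    alpha = F("F2", r_a, s_b, sigma)
    z = pow(s_b, 2, n)
    return z, alpha, sigma

def server_step(id_a, id_b, r_a, z, alpha, p=P, q=Q):
    """Server A: try each root as s'_B; return (s'_B, F3(sigma')) or None to abort."""
    for cand in rabin_roots(z, p, q):
        sigma_c = F("F1", id_a, id_b, r_a, cand)
        if F("F2", r_a, cand, sigma_c) == alpha:
            return cand, F("F3", sigma_c)
    return None   # alpha' != alpha for all four roots: abort

def client_verify(sigma, f3_from_server):
    """Client B: explicit key confirmation, F3(sigma') ?= F3(sigma)."""
    return F("F3", sigma) == f3_from_server

if __name__ == "__main__":
    z, alpha, sigma = client_step("A", "B", 6, 3)        # r_A = 6, s_B = 3 -> z = 9
    print("roots of", z, "mod", N, "=", rabin_roots(z, P, Q))
    result = server_step("A", "B", 6, z, alpha)
    print("server recovered s'_B =", result[0], "confirmed:", client_verify(sigma, result[1]))
    # A client that decrypted E_pw(r_A) under the wrong password holds a wrong r_A,
    # so no root satisfies alpha' == alpha and the server aborts.
    z2, alpha2, _ = client_step("A", "B", 5, 3)
    print("wrong r_A ->", server_step("A", "B", 6, z2, alpha2))   # None: abort
```

Running it shows that 729 mod 11 is 3 rather than the 5 printed on slide 8, so the four roots of 9 mod 77 are 25, 74, 3 and 52, and β_3 = 3 recovers s_B.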

