
Elliptic Curve Authenticated Key
Agreement Protocol (ECAKA)
Introducer: Jung-wen Lo (駱榮問)
Date: 2008/07/25
Outline

• Introduction
  • Elliptic Curve Diffie-Hellman Key Agreement Protocol
• Paper 1: An improved authenticated key agreement protocol with perfect forward secrecy for wireless mobile communication
  Authors: Ai-fen Sui, L.C.K. Hui, S.M. Yiu, K.P. Chow, W.W. Tsang, C.F. Chong, K.H. Pun & H.W. Chan
  Source: 2005 IEEE Wireless Communications and Networking Conference, Vol. 4, pp. 2088 – 2093, 13-17 March 2005
  • A-Key distribution in 3GPP2
  • A-Key distribution using ECAKA
• Paper 2: An enhanced authenticated key agreement protocol for wireless mobile communication
  Authors: Rongxing Lu, Zhenfu Cao and Haojin Zhu
  Source: Computer Standards & Interfaces, Vol. 29, Issue 6, pp. 647-652, Sep. 2007
  • Off-line password attack 1
  • Off-line password attack 2 (Active)
  • Enhanced ECAKA Protocol
• Conclusions & Comment
  • Improved ECAKA Protocol

Elliptic Curve Diffie-Hellman Key Agreement Protocol
Alice: random dA, QA=dAP
Bob: random dB, QB=dBP
Alice → Bob: QA
Bob → Alice: QB
Alice: K=dAQB
Bob: K=dBQA
K=dAdBP=dBdAP
※ P: Base point (Generator)

An improved authenticated key
agreement protocol with perfect
forward secrecy for wireless mobile
communication
Authors: Ai-fen Sui, L.C.K. Hui, S.M. Yiu,
K.P. Chow, W.W. Tsang, C.F. Chong,
K.H. Pun and H.W. Chan
Source: 2005 IEEE Wireless Communications
and Networking Conference, Vol. 4,
pp. 2088 – 2093, 13-17 March 2005
Notation
Alice (A), Bob (B): two communication users
E: an elliptic curve defined over a finite field Fq
with large group order
n: a secure large prime
P: a point in E with large order n
D: a uniformly distributed dictionary of size |D|
S: a low-entropy password shared between Alice
and Bob, which is randomly chosen from D
t: the value t is derived from the password S in a
predetermined way, which is uniformly
distributed in ℤn*
H: a secure one-way hash function
Sui et al.’s ECAKA Protocol
Alice: dA ∈ [1,n-1], QA=(dA+t)P
Alice → Bob: QA
Bob: dB ∈ [1,n-1], QB=(dB-t)P, Y=QA-tP=dAP
Bob → Alice: QB, tY
Alice: X=QB+tP=dBP, KA=dAX=dAdBP
Alice → Bob: tX
Bob: KB=dBY=dAdBP

Notation for 3GPP2
• MS: Mobile Subscriber
• MSC: Mobile Switching Center
• OTAF: Over-the-Air Service Provisioning Function
• HLR: Home Location Register
• AC: Authentication Center
• ACTCODE: ActionCode
• AKEYPV: A Key Protocol Version parameter, indicates MS’s A-key
generation capabilities
• SRVIND: ServiceIndicator parameter
• OTASPREQ: OTASPRequest
• SMDPP: SMSDeliveryPointToPoint
• SMS BearerData: Containing an OTASP data message
• ACK: Acknowledging a message
• MODVAL: ModulusValue parameter (n)
• PRIMVAL: PrimitiveValue parameter (g)
• BSKEY: encryption key value from the network side. BSKEY = g^x mod n,
where x is randomly selected by AC
• MSKEY: encryption key value from MS. MSKEY = g^y mod n, where y is randomly
selected by MS

A-Key Distribution in 3GPP2
A-Key Distribution using ECAKA
An enhanced authenticated key
agreement protocol for wireless
mobile communication
Authors: Rongxing Lu, Zhenfu Cao and
Haojin Zhu
Source: Computer Standards & Interfaces,
Vol. 29, Issue 6, pp. 647-652,
Sep. 2007
Off-line Password Attack 1
Alice: dA ∈ [1,n-1], QA=(dA+t)P
Alice → Bob: QA
Bob: dB ∈ [1,n-1], QB=(dB-t)P, Y=QA-tP=dAP
Bob → Alice: QB, tY
Attacker: Off-linePasswordAttack-1(QA, tdAP, D)
  for i := 0 to |D|
    S’ ← D; t’ ← S’ [predetermined way]
    if t’(QA-t’P) = tdAP
      then return S’

Off-line Password Attack 2 (Active)
Attacker (in Alice's role): dA ∈ [1,n-1], QA=dAP
Attacker → Bob: QA
Bob: dB ∈ [1,n-1], QB=(dB-t)P, Y=dAP-tP
Bob → Attacker: QB, tY=t(dAP-tP)
Off-linePasswordAttack-2(QA, tdAP, D)
  choose dA ∈ [1,n-1], send dAP to B
  receive the value t(dAP-tP)
  for i := 0 to |D|
    S’ ← D; t’ ← S’ [predetermined way]
    if t’(dAP-t’P) = t(dAP-tP)
      then return S’

Enhanced ECAKA Protocol
Alice (A): dA ∈ [1,n-1], QA1=(dA+t)P, QA2=dA²P
Alice → Bob: QA1, QA2
Bob (B): dB1, dB2 ∈ [1,n-1], Y=QA1-tP=dAP, QB1=dB1P+dB2Y, QB2=dB1Y+dB2QA2, HB=H(A||B||QA1||QB1||QB2)
Bob → Alice: QB1, HB
Alice: X=dAQB1, check H(A||B||QA1||QB1||X) ?= HB, KA=X, HA=H(B||A||QB1||QA1||X)
Alice → Bob: HA
Bob: check H(B||A||QB1||QA1||QB2) ?= HA, KB=QB2
※ KA=KB=X=dB1dAP+dB2dA²P

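Added example, not from the slides or the cited paper: one run of the Enhanced ECAKA exchange above in Python, showing that KA=X and KB=QB2 agree when both sides derive t from the same password, and that Alice's HB check rejects the run when they do not. The curve (secp256k1), SHA-256 as H, the field encoding and derive_t are assumptions; the slides do not specify them.

```python
import hashlib, secrets

# Assumption: secp256k1 parameters (the slides name no curve); P is the base point.
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):                       # affine point addition, None = point at infinity
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    m = (3 * x1 * x1 * pow(2 * y1, -1, p) if A == B
         else (y2 - y1) * pow((x2 - x1) % p, -1, p)) % p
    x3 = (m * m - x1 - x2) % p
    return x3, (m * (x1 - x3) - y1) % p

def mul(k, A):                       # double-and-add, illustration only (not constant time)
    R, k = None, k % n
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def H(*parts):                       # assumed hash: SHA-256 over repr() of the fields
    return hashlib.sha256(repr(parts).encode()).hexdigest()

def derive_t(S):                     # assumed "predetermined way": SHA-256(S) into [1, n-1]
    return int.from_bytes(hashlib.sha256(S.encode()).digest(), "big") % (n - 1) + 1

def run(pw_alice, pw_bob):
    tA, tB = derive_t(pw_alice), derive_t(pw_bob)
    dA = secrets.randbelow(n - 1) + 1
    QA1, QA2 = mul(dA + tA, P), mul(dA * dA, P)   # Alice -> Bob: QA1, QA2 (QA2 = dA^2 P)
    dB1, dB2 = (secrets.randbelow(n - 1) + 1 for _ in range(2))
    Y = add(QA1, mul(-tB, P))                     # Y = QA1 - tP (= dA P if passwords match)
    QB1 = add(mul(dB1, P), mul(dB2, Y))
    QB2 = add(mul(dB1, Y), mul(dB2, QA2))
    HB = H("A", "B", QA1, QB1, QB2)               # Bob -> Alice: QB1, HB
    X = mul(dA, QB1)
    if H("A", "B", QA1, QB1, X) != HB:
        return None                               # Alice rejects: Bob used a different t
    HA = H("B", "A", QB1, QA1, X)                 # Alice -> Bob: HA
    if H("B", "A", QB1, QA1, QB2) != HA:
        return None                               # Bob rejects
    return X, QB2                                 # (KA, KB)
```

Because only hashes over X and QB2 cross the wire, the confirmation values cannot be tested against a guessed t' the way tY can in the two attacks above.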
A-Key Distribution Using Enhanced
ECAKA Protocol
Conclusions & Comment

Conclusions
• Authenticated key agreement
• Off-line password attack prevention
• Perfect forward secrecy

Comment
• Reduce the computation load

Improved ECAKA Protocol
Alice (S2), Bob (S2)
Alice: dA ∈ [1,n-1], QA=(dA+t)P
Alice → Bob: QA
Bob: dB ∈ [1,n-1], QB=(dB-t)P, Y=QA-tP=dAP
Bob → Alice: QB, H(Y||S2)
Alice: X=QB+tP=dBP, KA=dAX=dAdBP
Alice → Bob: H(X||Y)
Bob: KB=dBY=dAdBP