
Cryptanalysis of a Communication-Efficient
Three-Party Password Authenticated Key
Exchange Protocol
Source: Information Sciences (in review)
Presenter: Tsuei-Hung Sun (孫翠鴻)
Date: 2010/10/29
Outline
• Introduction
• Motivation
• Demonstrate
• Scheme
• Security analysis
• Advantage vs. weakness
• Comment
Introduction
• Password-based Authenticated Key Exchange (PAKE) protocol
• 3PAKE (three-party model)
Chang et al.'s Protocol
(T-Y. Chang, M-S. Hwang, W-P. Yang, A Communication-Efficient Three-Party Password Authenticated Key Exchange Protocol, Information Sciences (2010), doi: 10.1016/j.ins.2010.08.032.)

Notation: clients A and B share passwords $pw_A$, $pw_B$ with the server S; $g$ generates the order-$q$ subgroup $G$ of $Z_p^*$; $h$ is a one-way hash; $\oplus$ is bitwise XOR.

Step 1. A → S: $id_A, id_B$
Step 2. S picks $e_{S1}, e_{S2} \in_R Z_q$ and computes $R_{S1} = g^{e_{S1}} \bmod p$, $R_{S2} = g^{e_{S2}} \bmod p$.
        S → A: $R_{S1} \oplus pw_A,\ R_{S2} \oplus pw_B$
Step 3. A recovers $R_{S1} = (R_{S1} \oplus pw_A) \oplus pw_A$, picks $e_A \in_R Z_q$, computes $R_A = g^{e_A} \bmod p$ and $R_{AS1} = R_{S1}^{e_A} \bmod p$.
        A → B: $id_A, R_A, h(R_{AS1}, R_{S1}, id_A, id_B), R_{S2} \oplus pw_B$
Step 4. B recovers $R_{S2} = (R_{S2} \oplus pw_B) \oplus pw_B$, picks $e_B \in_R Z_q$, computes $R_B = g^{e_B} \bmod p$, $R_{BS2} = R_{S2}^{e_B} \bmod p$ and $K_B = R_A^{e_B} \bmod p$.
        B → S: $R_A, h(R_{AS1}, R_{S1}, id_A, id_B), R_B, h(R_{BS2}, R_{S2}, id_A, id_B), h(K_B, R_A)$
Step 5. S computes $R_{S1A} = R_A^{e_{S1}} \bmod p$ and checks $h(R_{AS1}, R_{S1}, id_A, id_B) = h(R_{S1A}, R_{S1}, id_A, id_B)$; computes $R_{S2B} = R_B^{e_{S2}} \bmod p$ and checks $h(R_{BS2}, R_{S2}, id_A, id_B) = h(R_{S2B}, R_{S2}, id_A, id_B)$.
        S → A: $R_B, h(K_B, R_A), h(R_{S1A}, R_B), h(R_{S2B}, R_A)$
Step 6. A checks $h(R_{S1A}, R_B) = h(R_{AS1}, R_B)$, computes $K_A = R_B^{e_A} \bmod p$ and checks $h(K_B, R_A) = h(K_A, R_A)$.
        A → B: $h(R_{S2B}, R_A), h(K_A, R_B)$
        B checks $h(R_{S2B}, R_A) = h(R_{BS2}, R_A)$ and $h(K_A, R_B) = h(K_B, R_B)$.
Session key: $SK = h(K_A) = h(K_B) = h(g^{e_A e_B} \bmod p, id_A, id_B)$
Motivation
• Chang et al. use the XOR operation to mask the server's values, but this makes the protocol vulnerable to a partition attack.
• To find a way to achieve security in the 3PAKE setting without a server public key and without symmetric encryption.
• This paper shows that Chang et al.'s scheme is completely insecure and proposes an improved scheme.
Demonstrate
Step 1. Wiretap a valid session and obtain $R_{S1} \oplus pw_A$.
Step 2. Off-line password guessing:
  (1) Assume a candidate password $pw_A^*$ is A's real password.
  (2) Use $\alpha = (R_{S1} \oplus pw_A) \oplus pw_A^*$ to test whether the unmasked value lies in $G$ (the order-$q$ subgroup generated by $g$).
      If $\alpha < p$ and $\alpha^q \bmod p = 1$, then $pw_A^*$ is a feasible password; this happens with probability $\frac{q}{p + c} \approx \frac{1}{2}$.
      Otherwise $pw_A^*$ is an infeasible password; this happens with probability $\frac{p + c - q}{p + c} \approx \frac{1}{2}$.
Step 3. Repeat Step 2 on further wiretapped sessions until the range of candidate passwords is narrowed down to a single password.
$c$: the number of possible XOR outputs that are not in $Z_p$ (values $\ge p$ of the same bit length).
Demonstrate
• Example
  $p = 23$; $Z_p = \{0, 1, \ldots, 21, 22\}$; generator $g = 2$ of order $q = 11$
  $G = \{2^0 = 1, 2^1 = 2, 2^2 = 4, 2^3 = 8, 2^4 = 16, 2^5 = 9, 2^6 = 18, 2^7 = 13, 2^8 = 3, 2^9 = 6, 2^{10} = 12\}$ (all mod 23)
  $CD = D$; $D = \{pw_1, pw_2, pw_3, pw_4\} = \{1, 2, 4, 8\}$
  Assume A's password is $pw_4$.
First partition: $e_{S1} = 9$
  True: $(g^{e_{S1}} \bmod p) \oplus pw_4 = (00110)_b \oplus (01000)_b = (01110)_b = 14$
  $pw_A^* = pw_1$: $\alpha = (01110)_b \oplus (00001)_b = (01111)_b = 15 \notin G$
  $pw_A^* = pw_2$: $\alpha = (01110)_b \oplus (00010)_b = (01100)_b = 12 \in G$
  $pw_A^* = pw_3$: $\alpha = (01110)_b \oplus (00100)_b = (01010)_b = 10 \notin G$
  $pw_A^* = pw_4$: $\alpha = (01110)_b \oplus (01000)_b = (00110)_b = 6 \in G$
  $FD = \{pw_2, pw_4\}$, $\overline{FD} = \{pw_1, pw_3\}$
CD: set of candidate passwords. D: password space. FD: feasible passwords. $\overline{FD}$: infeasible passwords. $(m)_b$: binary representation of message $m$.
Second partition: $e_{S1} = 2$; $CD = FD = \{pw_2, pw_4\}$
  True: $(g^{e_{S1}} \bmod p) \oplus pw_4 = (00100)_b \oplus (01000)_b = (01100)_b = 12$
  $pw_A^* = pw_2$: $\alpha = (01100)_b \oplus (00010)_b = (01110)_b = 14 \notin G$
  $pw_A^* = pw_4$: $\alpha = (01100)_b \oplus (01000)_b = (00100)_b = 4 \in G$
  $CD = FD = \{pw_4\}$
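The XOR masking of Step 2 in Chang et al.'s protocol and the partition attack of the two Demonstrate slides, as an added example (not code from the presented paper or from Chang et al.). It uses the slides' toy parameters $p = 23$, $q = 11$, $g = 2$ and $D = \{1, 2, 4, 8\}$; the session exponents 9 and 2 reproduce the two partitions above, and recover_password() also runs the general narrowing loop over any candidate set, which goes beyond the four-word example on the slides.

```python
"""Chang et al.'s XOR masking of the server's Diffie-Hellman value and the
partition attack against it, on the toy parameters from the slides.

Added example (not code from the presented paper or from Chang et al.):
p = 23, q = 11, g = 2, so G = <2> is the order-11 subgroup of Z_23^*, and
the password space D = {1, 2, 4, 8}.
"""

P, Q, G = 23, 11, 2            # p = 2q + 1, g generates the order-q subgroup
D = [1, 2, 4, 8]               # password space D = {pw1, pw2, pw3, pw4}

def in_group(alpha):
    """Feasibility test from the slides: alpha < p and alpha^q mod p == 1.
    XOR can produce values >= p (the 'c' values outside Z_p); those can
    never be a Diffie-Hellman value, so they fail immediately."""
    return alpha < P and pow(alpha, Q, P) == 1

def server_step2(pw_a, e_s1):
    """Step 2 of Chang et al.: S sends R_S1 XOR pw_A with R_S1 = g^{e_S1} mod p."""
    r_s1 = pow(G, e_s1, P)
    return r_s1 ^ pw_a

def partition(masked, candidates):
    """Split the candidates using one wiretapped value (R_S1 XOR pw_A):
    a guess pw* is feasible iff (R_S1 XOR pw_A) XOR pw* lies in G."""
    feasible = [pw for pw in candidates if in_group(masked ^ pw)]
    infeasible = [pw for pw in candidates if pw not in feasible]
    return feasible, infeasible

def recover_password(real_pw, session_exponents, candidates=None):
    """Off-line attack: intersect the feasible sets of successive sessions.
    The real password always survives, since masked ^ real_pw = R_S1 is in G."""
    cd = list(D if candidates is None else candidates)   # CD starts as D
    for e_s1 in session_exponents:
        masked = server_step2(real_pw, e_s1)              # one wiretapped value
        cd, _ = partition(masked, cd)
        if len(cd) == 1:
            break
    return cd

def feasible_fraction(bits=P.bit_length()):
    """How many of the 2^bits possible XOR outputs pass the test: q / (p + c).
    Here that is 11 / (23 + 9); for a large safe prime close to 2^bits it
    approaches 1/2, as the slides state."""
    total = 1 << bits
    return sum(in_group(a) for a in range(total)), total

if __name__ == "__main__":
    masked = server_step2(8, 9)
    print("wiretapped R_S1 xor pw_A =", masked, "->", partition(masked, D))
    print("after sessions e_S1 = 9, 2:", recover_password(8, [9, 2]))
    print("all 4-bit passwords, ten sessions:",
          recover_password(8, range(1, 11), range(1, 16)))
    print("feasible fraction q/(p+c):", feasible_fraction())
```

Each wiretapped session roughly halves the candidate set, so a dictionary of $2^k$ passwords needs about $k$ observed sessions, and the attacker never has to interact with the server.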
Scheme
Notation: $P$ is a base point of prime order $q$ on the elliptic curve; $PW_A$, $PW_B$ are the password-derived curve points of A and B; $H$ is a one-way hash; $\|$ denotes concatenation; the authenticators are written $\alpha$ (client to server) and $\beta$ (server and peer).

Step 1. A → S: $A, B$
Step 2. S picks $y_A, y_B \in_R Z_q$ and computes $Y_A = y_A P + PW_A$, $Y_B = y_B P + PW_B$.
        S → A: $Y_A, Y_B$
Step 3. A picks $x_A \in_R Z_q$ and computes $X_A = x_A P$, $K_{AS} = x_A (Y_A - PW_A)$ and $\alpha_{AS} = H(A \| S \| B \| X_A \| Y_A \| PW_A \| K_{AS})$.
        A → B: $A, X_A, \alpha_{AS}, Y_B$
Step 4. B picks $x_B \in_R Z_q$ and computes $X_B = x_B P$, $K_{BS} = x_B (Y_B - PW_B)$, $\alpha_{BS} = H(B \| S \| A \| X_B \| Y_B \| PW_B \| K_{BS})$, $K_{AB} = x_B X_A$ and $\beta_B = H(\text{``1''} \| A \| S \| B \| X_A \| X_B \| K_{AB})$.
        B → S: $X_A, \alpha_{AS}, X_B, \alpha_{BS}, \beta_B$
Step 5. S computes $K_{AS} = y_A X_A$ and checks $\alpha_{AS} \stackrel{?}{=} H(A \| S \| B \| X_A \| Y_A \| PW_A \| K_{AS})$; computes $K_{BS} = y_B X_B$ and checks $\alpha_{BS} \stackrel{?}{=} H(B \| S \| A \| X_B \| Y_B \| PW_B \| K_{BS})$. Then S computes $\beta_{AS} = H(A \| S \| B \| X_A \| Y_A \| PW_A \| K_{AS} \| X_B)$ and $\beta_{BS} = H(B \| S \| A \| X_B \| Y_B \| PW_B \| K_{BS} \| X_A)$.
        S → A: $X_B, \beta_B, \beta_{AS}, \beta_{BS}$
Step 6. A checks $\beta_{AS} \stackrel{?}{=} H(A \| S \| B \| X_A \| Y_A \| PW_A \| K_{AS} \| X_B)$, computes $K_{AB} = x_A X_B$, checks $\beta_B \stackrel{?}{=} H(\text{``1''} \| A \| S \| B \| X_A \| X_B \| K_{AB})$ and computes $\beta_A = H(\text{``0''} \| A \| S \| B \| X_A \| X_B \| K_{AB})$.
        A → B: $\beta_{BS}, \beta_A$
        B checks $\beta_{BS} \stackrel{?}{=} H(B \| S \| A \| X_B \| Y_B \| PW_B \| K_{BS} \| X_A)$ and $\beta_A \stackrel{?}{=} H(\text{``0''} \| A \| S \| B \| X_A \| X_B \| K_{AB})$.
Session key: $SK = H(\text{``2''} \| A \| S \| B \| X_A \| X_B \| K_{AB})$
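The six steps above run end to end, followed by the partition attack's feasibility test applied to the wiretapped $Y_A$, as an added example that is not code from the presented paper. Everything concrete here is an assumption for the sake of a runnable demo: the toy curve $y^2 = x^3 + 2x + 2$ over $F_{17}$ with base point $P = (5, 1)$ of prime order $q = 19$ (all 19 curve points are multiples of $P$); the password-to-point map $PW_A = (H(pw_A) \bmod (q-1) + 1) \cdot P$, since the slides only say $PW_A$ is added on the curve; and $H$ as SHA-256 over a "||"-joined string encoding of its inputs. The names alpha_as, beta_b and so on follow the authenticator names used in the step listing.

```python
"""The improved ECC-based 3PAKE from the slides run end to end, plus the
XOR attack's feasibility test transplanted to the curve (it eliminates nothing).
Added example, not code from the presented paper. Assumed: toy curve
y^2 = x^3 + 2x + 2 over F_17, base point P = (5, 1) of prime order q = 19;
PW_A = (H(pw_A) mod (q-1) + 1) * P; H = SHA-256 over "||"-joined inputs."""
import hashlib
import random

FIELD, A_COEF, B_COEF = 17, 2, 2
BASE, Q = (5, 1), 19            # base point P and its prime order q
INF = None                      # point at infinity

def ec_add(p1, p2):
    """Affine addition; covers doubling and P + (-P) = INF."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, FIELD) % FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)

def ec_mul(k, pt):
    """Double-and-add; k is not reduced, so ec_mul(Q, P) really returns INF."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def ec_neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % FIELD)

def in_group(pt):
    """Attacker's membership test: on the curve and annihilated by q."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - x ** 3 - A_COEF * x - B_COEF) % FIELD == 0 and ec_mul(Q, pt) is INF

def pw_point(pw):
    """Assumed password-to-point map; every output is a multiple of P."""
    h = int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big")
    return ec_mul(h % (Q - 1) + 1, BASE)

def H(*parts):
    return hashlib.sha256("||".join(str(p) for p in parts).encode()).hexdigest()

def run_3pake(pw_a, pw_b, seed, server_pw_a=None):
    """Steps 1-6; returns (SK at A, SK at B) or raises ValueError on a failed check."""
    rng = random.Random(seed)
    A, B, S = "A", "B", "S"
    PW_A, PW_B = pw_point(pw_a), pw_point(pw_b)
    S_PW_A = pw_point(server_pw_a) if server_pw_a else PW_A   # S's copy of A's password
    # Step 2: S masks y_A P and y_B P by point addition instead of XOR
    y_a, y_b = rng.randrange(1, Q), rng.randrange(1, Q)
    Y_A, Y_B = ec_add(ec_mul(y_a, BASE), S_PW_A), ec_add(ec_mul(y_b, BASE), PW_B)
    # Step 3: A unmasks Y_A with its own PW_A and authenticates to S
    x_a = rng.randrange(1, Q)
    X_A = ec_mul(x_a, BASE)
    K_AS = ec_mul(x_a, ec_add(Y_A, ec_neg(PW_A)))            # x_A y_A P iff passwords agree
    alpha_as = H(A, S, B, X_A, Y_A, PW_A, K_AS)
    # Step 4: B likewise, and starts the A-B key agreement
    x_b = rng.randrange(1, Q)
    X_B = ec_mul(x_b, BASE)
    K_BS = ec_mul(x_b, ec_add(Y_B, ec_neg(PW_B)))
    alpha_bs = H(B, S, A, X_B, Y_B, PW_B, K_BS)
    K_AB_b = ec_mul(x_b, X_A)
    beta_b = H("1", A, S, B, X_A, X_B, K_AB_b)
    # Step 5: S recomputes K_AS = y_A X_A, K_BS = y_B X_B and verifies both clients
    K_AS_s, K_BS_s = ec_mul(y_a, X_A), ec_mul(y_b, X_B)
    if alpha_as != H(A, S, B, X_A, Y_A, S_PW_A, K_AS_s):
        raise ValueError("S rejects A: wrong password")
    if alpha_bs != H(B, S, A, X_B, Y_B, PW_B, K_BS_s):
        raise ValueError("S rejects B: wrong password")
    beta_as = H(A, S, B, X_A, Y_A, S_PW_A, K_AS_s, X_B)
    beta_bs = H(B, S, A, X_B, Y_B, PW_B, K_BS_s, X_A)
    # Step 6: A verifies S and B, then B verifies S and A
    if beta_as != H(A, S, B, X_A, Y_A, PW_A, K_AS, X_B):
        raise ValueError("A rejects S")
    K_AB_a = ec_mul(x_a, X_B)
    if beta_b != H("1", A, S, B, X_A, X_B, K_AB_a):
        raise ValueError("A rejects B")
    beta_a = H("0", A, S, B, X_A, X_B, K_AB_a)
    if beta_bs != H(B, S, A, X_B, Y_B, PW_B, K_BS, X_A):
        raise ValueError("B rejects S")
    if beta_a != H("0", A, S, B, X_A, X_B, K_AB_b):
        raise ValueError("B rejects A")
    return H("2", A, S, B, X_A, X_B, K_AB_a), H("2", A, S, B, X_A, X_B, K_AB_b)

def partition_test(pw_a, seed, candidates):
    """Wiretap Y_A and apply the feasibility test to every guess pw*:
    Y_A - PW* = y_A P + (PW_A - PW*) is always in <P>, so every guess survives."""
    Y_A = ec_add(ec_mul(random.Random(seed).randrange(1, Q), BASE), pw_point(pw_a))
    return [pw for pw in candidates if in_group(ec_add(Y_A, ec_neg(pw_point(pw))))]
```

The point the example makes: with XOR, unmasking with a wrong guess usually leaves the subgroup, which is what the partition attack exploits; with point addition, unmasking with any guess that is itself a group element stays inside the group, so the wiretapped value carries no information about the password and a wrong guess only shows up when S rejects $\alpha_{AS}$ in an on-line attempt.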
Security analysis
• Undetectable on-line guessing attack
• Off-line guessing attack
• Forward security of session key
Advantage vs. weakness
• Advantage
  – Using the elliptic-curve (ECC) additive operation in place of the XOR operator, so that an attacker cannot distinguish feasible from infeasible passwords.
  – ECC achieves the same level of security with a smaller key size.
  – It is applicable in low-resource environments such as smart cards or mobile units.
  – Clearly named authenticators ($\alpha_{AS}, \alpha_{BS}, \beta_{AS}, \beta_{BS}, \beta_A, \beta_B$).
• Weakness
  – Computing time and computational complexity are higher than for XOR.
Comment
• This paper uses an elliptic curve to replace Chang et al.'s XOR. Is the performance of this paper's scheme better than Chang et al.'s scheme?
• The partition attack shown in Demonstrate is something like a brute-force attack, which is not an efficient attack.
• The related work on Chang et al.'s scheme, from notation to step statements, is the same as in Chang et al.'s paper.