
Verifier-Based
Password-Authenticated Key Exchange
Jeong Ok Kwon
December 17th, 2005
CIST/ETRI/ISIT/KDDI/Kyusyu Univ./NICT Joint Research Workshop on Ubiquitous Network Security 2005
Motivation
• A fundamental problem in cryptography is how to
communicate securely over an insecure channel.
[Figure: two parties holding a shared session key sk, used for data privacy/integrity]
Motivation
How can we obtain a secret session key?
• Public-key encryption or signature
– cost too high for certain applications
• Password-Authenticated Key Exchange (PAKE)
– PAKE lets specified parties share a secret key
using just a human-memorable password.
– convenience, mobility, and fewer hardware requirements
– no security infrastructure
Intrinsic Problem
• Low entropy of passwords
– i.e., 4 or 8 characters, such as a natural-language phrase chosen to be
easily memorized.
• So they are susceptible to dictionary attacks.
– On-line dictionary attacks
– Off-line dictionary attacks
Even tiny amounts of redundancy in the flows of the protocol
could be used by the adversary to mount dictionary attacks.
-> A PAKE protocol must be immune to off-line dictionary attacks.
Classification for PAKE
• According to the number of parties sharing a session key
– Two-party
– Multi-party (Group)
• According to the sameness of the pre-shared passwords
– Parties with the same password
– Parties with different passwords
• According to the need for a server
– Model requiring the help of a server
– Model not requiring the help of a server
• According to the password form stored by servers
– Symmetric model
– Asymmetric model (Verifier-based model)
Our work is about
• In the Client/Server model
– Verifier-based PAKE
• for two-party with same passwords
• for two-party with different passwords
• for multi-party with different passwords
[Figure: 2-party with same passwords: U1 (pw1) and the Server share sk; the Server stores information for pw1]
[Figure: 2-party with different passwords: U1 (pw1) and U2 (pw2) share sk with the help of the Server, which stores information for pw1 and for pw2]
[Figure: multi-party with different passwords: U1 (pw1), U2 (pw2), U3 (pw3) and U4 (pw4) share a group sk]
Symmetric model vs. Verifier-based model
• Symmetric model
– the server stores a plaintext-form of a password.
[Figure: U1 holds pw1, U2 holds pw2; the server stores pw1 and pw2]
• Asymmetric model (or verifier-based)
– the server stores a verifier for a password.
[Figure: U1 holds pw1, U2 holds pw2; the server stores f(pw1) and f(pw2)]
– A verifier is the information computed from a password.
It is computable from the password whereas the reverse is
infeasible in polynomial time.
– it is designed to protect against server compromise so
that an attacker that is able to steal a password file from
a server cannot later masquerade as a legitimate user
without performing dictionary attacks.
– even if the password file is compromised, the attacker
has to perform additional off-line dictionary attacks to
find out the passwords of the clients.
• It will give the server system’s administrator time to react
and to inform its clients, which would reduce the damage of
the corruption.
Comparison with the related verifier-based protocol

Scheme / Parameters     2-party,       2-party,       2-party,       multi-party,
                        same pw        same pw        different pw   different pw
                        EPA            Our Scheme     Our Scheme     Our Scheme
Round                   3              2              3              3
Communication   Ui      |p|+|l|        |p|+|l|        |p|+|l|        2|p|
                S       |p|+|l|        2|p|+|l|       4|p|           3n|p|
Exponentiation  Ui      1              2              3              3
                S       2              1              4              2n
Security                Forward        Forward        Forward        Forward
                        Secrecy        Secrecy        Secrecy        Secrecy
Assumptions             DDH in R.O.    DDH in         DDH in         DDH in
                                       Standard       Standard       Standard

|p| : length of a prime of Zp*,
|l| : length of an output of a hash/MAC function, n : number of members in a group
[EPA] Y. H. Hwang, D. H. Yum, and P. J. Lee, “EPA: An Efficient Password-Based Protocol for Authenticated Key Exchange,” ACISP 2003.
Comparison with the related verifier-based protocol
PAKE for 2-party with same passwords

Scheme / Parameters   B-SPEKE      SRP          AMP          PAK-Z        EPA          VB-EKE       Our protocol
Round                 4            4            4            3            3            3            2
Communication  Ui     2|p|+|l|     |p|+|l|      |p|+|l|      |p|+|l|      |p|+|l|      3|p|+|l|     |p|+|l|
               S      3|p|+2|l|    2|p|+2|l|    2|p|+|l|     2|p|+|l|     |p|+|l|      |p|+|l|      2|p|+|l|
Exponentiation Ui     2            2            2            3            1            1            2
               S      2            3            3            3            2            4            1
Security              Forward      Forward      Forward      Forward      Forward      Forward      Forward
                      Secrecy      Secrecy      Secrecy      Secrecy      Secrecy      Secrecy      Secrecy
Assumptions           DDH in R.O.  DDH in R.O.  CDH in R.O.  DDH in R.O.  DDH in R.O.  CDH in R.O.  DDH in Standard

[B-SPEKE] D. Jablon, “Extended password key exchange protocols immune to dictionary attack,” WETICE’97 Workshop on Enterprise Security, 1997.
[SRP] T. Wu, “Secure remote password protocol,” Proceedings of the ISOC NDSS Symposium, pages 99–111, 1998.
[AMP] T. Kwon, “Authentication and key agreement via memorable password,” Proceedings of the ISOC NDSS Symposium, 2001.
[PAK-Z] P. MacKenzie, “The PAK suite: Protocols for Password-Authenticated Key Exchange,” http://grouper.ieee.org/groups/1363/passwdPK/contributions.html#Mac02, April 2002.
[EPA] Y. H. Hwang, D. H. Yum, and P. J. Lee, “EPA: An Efficient Password-Based Protocol for Authenticated Key Exchange,” ACISP 2003.
[VB-EKE] M. Abdalla, O. Chevassut, and D. Pointcheval, “One-time Verifier-based Encrypted Key Exchange,” PKC 2005.
Password-based protocols submitted to IEEE P1363.2 (Password-based Techniques):
http://grouper.ieee.org/groups/1363/passwdPK/purpose.html
Comparison with the related verifier-based protocol

Scheme / Parameters     2-party,       2-party,       2-party,       multi-party,
                        same pw        same pw        different pw   different pw
                        EPA            Our Scheme     Our Scheme     Our Scheme
Round                   3              2              3              3
Communication   Ui      |p|+|l|        |p|+|l|        |p|+|l|        2|p|+|l|
                S       |p|+|l|        2|p|+|l|       4|p|           3n|p|
Exponentiation  Ui      1              2              3              3
                S       2              1              4              2n
Security                Forward        Forward        Forward        Forward
                        Secrecy        Secrecy        Secrecy        Secrecy
Assumptions             DDH in R.O.    DDH in         DDH in         DDH in
                                       Standard       Standard       Standard

|p| : length of a prime of Zp*,
|l| : length of an output of a hash/MAC function, n : number of members in a group
The focus of this work is to construct secure and round-efficient verifier-based
PAKE protocols for 2-/multi-party with different passwords.
Preliminary for our protocols
• Public information
– G : a finite cyclic group of order q
– p : a safe prime such that p = 2q+1
– g1, g2 : generators of G
– H : a collision-resistant one-way hash function
– Mac = (Key.gen, Mac.gen, Mac.ver) : a secure message authentication
code
• Initialization step
– Ui selects a password pwi
– Ui registers v_{i,1} = g1^{H(Ui||S||pwi)} mod p and v_{i,2} = g2^{H(Ui||S||pwi)} mod p
(the verifiers of the password) with the server S over a secure
channel.
– S stores them in a password file with an entry for each user Ui.
Verifier-based PAKE for 2-party with same passwords
U1 holds pw1; the server S stores (v_{1,1} = g1^{H(U1||S||pw1)}, v_{1,2} = g2^{H(U1||S||pw1)}).
R1: U1 chooses x ←R Zq* and sends X1 = g1^x · v_{1,2}.
    S chooses y, z ←R Zq* and sends Y1 = g1^z · v_{1,2}, Z1 = g1^y · v_{1,1}^z.
    S computes k_{S,1} = (X1 / v_{1,2})^y = g1^{xy}.
    U1 computes k_{1,S} = (Z1 / g1^{z·H(U1||S||pw1)})^x = g1^{xy}.
R2: μ1 = Mac.gen_{k_{1,S}}(U1 || S || X1 || X_{S,1} || X_{S,2})
    μ2 = Mac.gen_{k_{2,S}}(S || U1 || X1 || X_{S,1} || X_{S,2})
    (X_{S,1} || X_{S,2} denotes the server's R1 flow, i.e. Y1 || Z1.)
Session key: sk1 = H(U1 || S || g^{xy}) = sk2.
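The 2-party same-password run above, as an added example that is not code from the slides: it uses constructed toy parameters (p = 2039, q = 1019, g1 = 4, g2 = 9, U1 = "alice", S = "server"), SHA-256 for H and HMAC-SHA256 for Mac.gen. It shows that S derives g1^xy from the stored verifier pair alone, while U1 needs the password hash h to strip v_{1,1}^z, so a wrong password breaks key confirmation.

```python
import hashlib, hmac, secrets

# Toy safe-prime group, constructed for this demonstration (a deployment uses a large p).
p, q = 2039, 1019                 # p = 2q + 1
g1, g2 = 4, 9                     # quadratic residues, hence generators of the order-q subgroup
U1, S = b"alice", b"server"

def H(*parts):                    # hash onto a non-zero exponent in Zq*
    return int.from_bytes(hashlib.sha256(b"||".join(parts)).digest(), "big") % (q - 1) + 1

def rand_exp():
    return secrets.randbelow(q - 1) + 1

def inv(a):
    return pow(a, -1, p)

def enc(a):                       # fixed-width encoding of a group element
    return a.to_bytes(2, "big")

def mac(key, *parts):             # Mac.gen, modelled as HMAC keyed with the DH value
    return hmac.new(enc(key), b"||".join(parts), "sha256").digest()

def register(uid, pw):            # initialization: U1 sends (v1,1, v1,2) over a secure channel
    h = H(uid, S, pw)
    return pow(g1, h, p), pow(g2, h, p)

def run(pw_registered, pw_typed):
    v1, v2 = register(U1, pw_registered)            # all that S stores for U1
    # R1: U1 -> S: X1 = g1^x * v1,2 ;  S -> U1: Y1 = g1^z * v1,2, Z1 = g1^y * v1,1^z
    x = rand_exp()
    X1 = pow(g1, x, p) * v2 % p
    y, z = rand_exp(), rand_exp()
    Y1 = pow(g1, z, p) * v2 % p
    Z1 = pow(g1, y, p) * pow(v1, z, p) % p
    # S: k_{S,1} = (X1 / v1,2)^y = g1^xy, computed from the verifier only
    kS = pow(X1 * inv(v2) % p, y, p)
    # U1: strips v1,1^z = (g1^z)^h, which needs h = H(U1||S||pw), not just the verifier
    h = H(U1, S, pw_typed)
    g1z = Y1 * inv(pow(g2, h, p)) % p                # g1^z after dividing out v1,2 = g2^h
    kU = pow(Z1 * inv(pow(g1z, h, p)) % p, x, p)     # (Z1 / g1^{zh})^x = g1^xy
    # R2: key confirmation over the transcript, mu1 from U1 and mu2 from S
    t = (enc(X1), enc(Y1), enc(Z1))
    mu1, mu2 = mac(kU, U1, S, *t), mac(kS, S, U1, *t)
    ok = hmac.compare_digest(mu1, mac(kS, U1, S, *t)) and \
         hmac.compare_digest(mu2, mac(kU, S, U1, *t))
    sk = hashlib.sha256(b"||".join((U1, S, enc(kU)))).hexdigest()   # sk1 = H(U1||S||g^xy)
    return ok, kU == kS, sk
```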
Verifier-based PAKE for 2-party with different passwords
• Motivation
– PAKE for 2-party with same passwords
[Figure: two users who both hold the same pw]
– What if a user wants to communicate securely with many users?
• the number of passwords that the user needs to memorize may
increase linearly with the number of possible partners.
Verifier-based PAKE for 2-party with different passwords
• Motivation
– PAKE for 2-party with different passwords
[Figure: U1 (pw1) and U2 (pw2); the server stores f(pw1) and f(pw2)]
– each user only shares a password with a trusted server.
– the trusted server helps users with different passwords to
agree on a common session key.
Verifier-based PAKE for 2-party with different passwords
U1 holds pw1 and U2 holds pw2; the server S stores
(v_{1,1} = g1^{H(U1||S||pw1)}, v_{1,2} = g2^{H(U1||S||pw1)}) and (v_{2,1} = g1^{H(U2||S||pw2)}, v_{2,2} = g2^{H(U2||S||pw2)}).
R1: U1 chooses x1 ←R Zq* and sends X_{1,S} = g1^{x1} · v_{1,2} to S;
    U2 chooses x2 ←R Zq* and sends X_{2,S} = g1^{x2} · v_{2,2} to S.
    S chooses y1, y2 ←R Zq* and sends X_{S,1} = g1^{y1} · v_{1,2} to U1 and X_{S,2} = g1^{y2} · v_{2,2} to U2.
    U1 and S share k_{1,S} = g1^{x1 y1}; U2 and S share k_{2,S} = g1^{x2 y2}.
R2: μ1 = Mac.gen_{k_{1,S}}(U1 || S || X_{1,S} || X_{S,1})
    μ2 = Mac.gen_{k_{2,S}}(U1 || S || X_{2,S} || X_{S,2})
R3: S chooses s ←R Zq* and sends
    Y_{S,1} = g1^{x2 s} · v_{1,2}^{y1} · k_{1,S} to U1,
    Y_{S,2} = g1^{x1 s} · v_{2,2}^{y2} · k_{2,S} to U2.
Session key:
    sk1 = ( (g1^{x2 s} · v_{1,2}^{y1}) / g1^{y1·H(U1||S||pw1)} )^{x1}
        = g1^{x1 x2 s} mod p
        = ( (g1^{x1 s} · v_{2,2}^{y2}) / g1^{y2·H(U2||S||pw2)} )^{x2} = sk2
Verifier-based PAKE for multi-party with different passwords
• Motivation
– PAKE for multi-party with same passwords
[Figure: four users who all hold the same pw form a group with sk]
– What if a user wants to communicate securely with many groups?
• the number of passwords that the user needs to memorize may
increase linearly with the number of possible groups.
• the members have to share a new password whenever one wants to
communicate securely with a new group.
Verifier-based PAKE for multi-party with different passwords
• Motivation
– PAKE for multi-party with different passwords
[Figure: U1 (pw1), U2 (pw2), U3 (pw3) and U4 (pw4) form a group with sk]
– each user only shares a password with a trusted server.
– the trusted server helps users with different passwords to
agree on a group key.
Verifier-based PAKE for multi-party with different passwords (shown for n = 4 users)
The server S stores (v_{i,1} = g1^{H(Ui||S||pwi)}, v_{i,2} = g2^{H(Ui||S||pwi)}) for 1 ≤ i ≤ 4; each Ui holds pwi.
R1: Ui chooses xi ←R Zq* and sends Xi = g1^{xi} · v_{i,2} to S.
    S chooses yi, zi ←R Zq* and sends Yi || Zi to Ui, where
    Zi = g2^{zi} · v_{i,1} and Yi = g1^{yi} · v_{i,2}^{zi}.
    Ui and S now share k_{i,S} = g1^{xi yi}.
R2: S chooses kmac ← Key.gen and s ←R Zq*, computes
    Ki = kmac · k_{i,S} and αi = g1^{xi s} · kmac,
    and sends (Ki, α_{i-1}, α_{i+1}) to Ui (indices mod 4):
    U1 receives (K1, α4, α2), U2 receives (K2, α1, α3), U3 receives (K3, α2, α4), U4 receives (K4, α3, α1).
R3: Ui recovers kmac from Ki, then g1^{x_{i-1} s} and g1^{x_{i+1} s} from α_{i-1} and α_{i+1},
    and broadcasts (βi, τi) with τi = Mac.gen_{kmac}(βi) and
    β1 = (g1^{x2 s} / g1^{x4 s})^{x1}, β2 = (g1^{x3 s} / g1^{x1 s})^{x2},
    β3 = (g1^{x4 s} / g1^{x2 s})^{x3}, β4 = (g1^{x1 s} / g1^{x3 s})^{x4}.
Session key:
    U1: sk1 = (g1^{x4 x1 s})^4 · β1^3 · β2^2 · β3
    U2: sk2 = (g1^{x1 x2 s})^4 · β2^3 · β3^2 · β4
    U3: sk3 = (g1^{x2 x3 s})^4 · β3^3 · β4^2 · β1
    U4: sk4 = (g1^{x3 x4 s})^4 · β4^3 · β1^2 · β2
    sk = g1^{x1 x2 s + x2 x3 s + x3 x4 s + x4 x1 s} mod p
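Rounds R2 and R3 of the multi-party protocol, as an added example that is not the slides' own code. R1 is taken as already completed (each Ui holds xi and k_{i,S}; S holds g1^{xi} and k_{i,S}); kmac is modelled as a random element of G so that Ki = kmac · k_{i,S} is a group product, Mac.gen is HMAC-SHA256, and the toy group p = 2039, q = 1019, g1 = 4 is constructed. The code runs for any group size n, not only the n = 4 of the figure.

```python
import hmac, secrets

# Toy safe-prime group constructed for this demonstration; a deployment uses a large p.
p, q, g1 = 2039, 1019, 4          # p = 2q + 1; g1 generates the order-q subgroup
L = (p.bit_length() + 7) // 8     # byte length of an encoded group element

def rand_exp():
    return secrets.randbelow(q - 1) + 1

def inv(a):
    return pow(a, -1, p)

def mac_gen(kmac, beta):          # tau_i = Mac.gen_kmac(beta_i), modelled as HMAC-SHA256
    return hmac.new(kmac.to_bytes(L, "big"), beta.to_bytes(L, "big"), "sha256").digest()

def group_key(n):
    # R1 taken as done: Ui holds xi and k_{i,S} = g1^(xi yi); S holds g1^xi and k_{i,S}
    x = [rand_exp() for _ in range(n)]
    gx = [pow(g1, xi, p) for xi in x]
    k = [pow(gxi, rand_exp(), p) for gxi in gx]
    # R2: S picks kmac (a random element of G here) and s, sends Ui (Ki, a_{i-1}, a_{i+1})
    kmac, s = pow(g1, rand_exp(), p), rand_exp()
    K = [kmac * ki % p for ki in k]                  # Ki = kmac * k_{i,S}
    a = [pow(gxi, s, p) * kmac % p for gxi in gx]    # a_i = g1^(xi s) * kmac
    # R3: Ui unmasks kmac and its neighbours' g1^(x s), broadcasts (beta_i, tau_i)
    beta, tau = [], []
    for i in range(n):
        km = K[i] * inv(k[i]) % p
        nxt, prv = a[(i + 1) % n] * inv(km) % p, a[(i - 1) % n] * inv(km) % p
        beta.append(pow(nxt * inv(prv) % p, x[i], p))   # (g1^(x_{i+1} s) / g1^(x_{i-1} s))^xi
        tau.append(mac_gen(km, beta[i]))
    # Key: Ui checks every tau_j, then sk_i = (g1^(x_{i-1} xi s))^n * beta_i^(n-1) * ... * beta_{i+n-2}
    keys = []
    for i in range(n):
        km = K[i] * inv(k[i]) % p
        if not all(hmac.compare_digest(tau[j], mac_gen(km, beta[j])) for j in range(n)):
            raise ValueError("MAC check failed at U%d" % (i + 1))
        sk = pow(pow(a[(i - 1) % n] * inv(km) % p, x[i], p), n, p)
        for j in range(1, n):
            sk = sk * pow(beta[(i + j - 1) % n], n - j, p) % p
        keys.append(sk)
    # the common value every member should hold: g1^(x1 x2 s + x2 x3 s + ... + xn x1 s) mod p
    expected = pow(g1, sum(x[i] * x[(i + 1) % n] * s for i in range(n)) % q, p)
    return keys, expected
```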
Security Goal: Verifier-based PAKE
• Security against dictionary attacks
– passive eavesdropping does not help the adversary in computing
any information about the password.
– only interactions with the instances help the adversary in
computing information about the password.
• Key secrecy
– no computationally bounded adversary (including the server)
should learn anything about session keys shared between honest
parties.
• Server-compromise attack
– even if an adversary steals the password file from the server,
the adversary still cannot impersonate a user without
performing dictionary attacks on the password file.
Security Goal: Verifier-based PAKE
• Forward secrecy
– the exposure of a password does not compromise previous
session keys.
• Denning-Sacco attack
1. even with the session key from an eavesdropped session, an
adversary cannot gain the ability to impersonate the user
directly.
2. an outside attacker cannot gain the ability to perform off-line
dictionary attacks against the passwords of users by using
compromised session keys that were successfully established
between honest entities.
3. an insider attacker that knows one user's password does not learn
any information about other users’ passwords from a session key
successfully established with them.
Q & A
Thank you !