1. Introduction. Weakness Analysis and Improvement of a Gateway-Oriented. Password-Based Authenticated Key Exchange Protocol

Transcription

1 Weakness Analsis and Improvement of a atewa-oriented Password-Based Authenticated Ke Exchange Protocol He Debiao, hen Jianhua, Hu Jin School of Mathematics and Statistics, Wuhan Universit, Wuhan, Hubei 3007, hina hedebiao@63.com Abstract: Recentl, Abdalla et al. proposed a new gatewa-oriented password-based authenticated ke exchange (PAKE) protocol among a client, a gatewa, and an authentication server, where each client shares a human-memorable password with a trusted server so that the can resort to the server for authentication when want to establish a shared session ke with the gatewa. In the letter, we show that a malicious client of PAKE is still able to gain information of password b performing an undetectable on-line password guessing attack and can not provide the implicit ke confirmation. At last, we present a countermeasure to against the attack. Ke words: ke exchange protocol, secure communication, password, dictionar attack; ategories: D..6;... Introduction The gatewa-based authenticated ke exchange (AKE) protocols are important crptographic techniques for secure communications. onceptuall, a tpical three-part password-based authenticated ke exchange protocol works as follows. As requirement, each client shares a human-memorable password with a trusted server so that the can resort to the server S for authentication when want to establish a shared session ke with the gatewa. Among the various means of authentication that can be considered, the most interesting one from a practical point of view is the password-based setting in which a simple human-memorizable secret, called a password, is used for authentication. In 005, Abdalla et al. proposed the first gatewa-oriented password-based authenticated ke exchange (PAKE) scheme among a client, a gatewa, and an authentication server []. Even though Abdalla et al. had proved the session ke semantic securit of their scheme in a formal model, Bun et al. reported an undetectable on-line guessing attack on the PAKE protocol where a gatewa can iterativel guess a password and verif its guess without being detected b the server []. Bun et al. also proposed an improved scheme to eliminate the securit vulnerabilit of Abdalla et al. s scheme. However, Wu et al. [3] found that Bun et al. s scheme still cannot resist the on-line undetectable guessing attack. Ver recentl, Abdalla et al. [5] present a new variant of the PAKE scheme of Abdalla et al. []. The used the Schnorr s signature [6, 7] in the new scheme in order to guarantee the securit of the new scheme. The new scheme can withstand the attack b Bun et al. []. In this letter, we review Abdalla et al. s new protocol [5], and show that it does actuall leak information of password to a malicious client and can not provide the implicit ke confirmation. Especiall, we show that Abdalla et al. s new scheme is susceptible to an undetectable on-line password guessing attack b a malicious client. We also give a countermeasure against the attack b letting the client generate a message authentication code of keing material.

2 . Review of Abdalla et al. s protocol In this section, we will review Abdallar et al. s protocol. First we introduce some notations used in our paper. In order illustrate the protocol clearl, some notations are introduced as follows:, and S denote the client, the gatewa and the trusted server separatel. pw denotes the password shared between and S. ID and ID denote the identit of and separatel. denotes a finite cclic group having a generator g of bit prime order q. sk denotes a session ke generated between the client and the gatewa. h (), and h () denote two secure hash function, such as SHA. H denotes a secure hash function, where H ():0,}. NIZKPDL( m; g, h) denotes the Schnorr s signature [6, 7] on the message m. In Abdallar et al. s protocol, each client shares a human-memorable password with a trusted server. When a client wants to establish a shared session ke with a gatewa, the resort to the trusted server for authenticating each other. Abdallar et al. s protocol will be described as follows. Step : chooses two random numbers x and r. Then computes x X g H ID ID pw = (, then sends M = ID X to., } Step : Upon receiving the message M, sends M = ID ID X to the server,, } S. Step 3: Upon receiving the message M, the S generates a random number s, and computes X = X H ID ID pw, ( / ( ) s h s = g and π = NIZKPLD( X ; g, h). Then S sends M3 = X, h, π} to. Step : When receives M 3, he/she generates a random number and computes Y = h, π =, K = ( X), NIZKPLD( X ; g, Y) Auth = h ID ID X Y K (,, and the session ke sk = h ID ID X Y K. Then sends (,, M = ID, h, Y, Auth, π, π } to. Step 5: After receiving M, computes K = ( Y) x and checks weather Auth

3 equals h ID ID X Y K. If not, stops the session. Otherwise, checks weather (,, both of π, π is valid. If not, stops the session, else computes the session ke sk = h ID ID X Y K. (,, 3. Securit analsis 3.. Undetectable on-line guessing attack Due to the low entrop, password-based authenticated ke exchange protocols suffer from so-called exhaustive dictionar attacks. The attacks on PAKE schemes can be classified into three tpes [0]: )Off-line dictionar attacks: an attacker uses a guessed password to verif the correctness of the password in an offline manner. The attacker can freel guess a password and then check if it is correct without limitation in the number of guesses. )Undetectable on-line dictionar attacks: an attacker tries to verif the password in an on-line manner without being detected. That is, a failed guess is never noticed b the server and the client, and the attacker can legall and undetectabl check man times in order to get sufficient information of the password. 3)Detectable on-line dictionar attacks: an attacker first guesses a password, and tries to verif the password using responses from a server in an on-line manner. But a failure can be easil detected b counting access failures. In the following, we demonstrate an undetectable on-line dictionar attack against the Abdalla et al. s scheme [5] where an adversar is able to legall gain information about the password b repeatedl and indiscernibl asking queries to the authentication server. We assume that A has total control over the communication channel between the user and the gatewa, which means that he/she can insert, delete, or alter an messages in the channel. The detailed description of the attack is as follows: Step. A guesses a password pw from a uniforml distributed dictionar D and computes PW = H ( ID, ID, pw ). A generates a random number x and computes =. Then A impersonates to sends x X g PW Step. Upon receiving the message M, sends M = ID X to., } M = ID ID X to the server,, } S. Step 3: Upon receiving the message M, the S generates a random number s, and computes X = X H ID ID pw, ( / ( ) s h s = g and NIZKPLD( X ; g, h) π =. Then

4 S sends M3 = X, h, π} to. Step : When receives M 3, he/she generates a random number and computes Y = h, π =, K = ( X), NIZKPLD( X ; g, Y) Auth = h ID ID X Y K (,, and the session ke sk = h ID ID X Y K. Then sends (,, M = ID, h, Y, Auth, π, π } to. Step 5: A intercepts the message M, computes K = ( Y) x and checks weather Auth equals h ID ID X Y K. If Auth equals (,, h ID ID X Y K, (,, A find the correct password. Otherwise, A repeats step ), ), 3), ) and 5) until find the correct password. It is clear that if pw equals pw, then PW = H ( ID, ID, pw ), Auth = h ID ID X Y K, since (,, K = = ( X) s (( X / H ( ID, ID, pw)) ) x s ((( g PW ) / H ( ID, ID, pw)) ) x s s x x x ( g ) ( g ) ( h ) ( Y) K = = = = = = From the description of the attack we know that Abdalla et al. s scheme [5] does not prevent the leakage of information of the password from the malicious client A. In addition, the attack can be used to attack Abdalla et al. s another scheme []. 3.. Session-Ke Problem As in the definitions in [9], a ke agreement scheme is said to provide the explicit ke confirmation if one entit is assured that the second entit has actuall computed the session ke. The scheme provides the implicit ke confirmation if one entit is assured that the second entit can compute the session ke. Note that the propert of the implicit ke confirmation does not necessaril mean that one entit is assured of the second entit actuall possessing the session ke. In man applications, it is highl desirable for a ke agreement scheme to provide the explicit ke confirmation. We can see that the scheme of Abdalla et al. [5] merel provides the implicit ke confirmation, because cannot confirm has correctl computed the session ke after the log-in phase..

5 . ountermeasure The vulnerabilit to the undetectable on-line dictionar attack described above actuall stems from an absence of authentication of message in the scheme. To remed this vulnerabilit, we can use the method proposed b Bun et al.[]. First, we let a two part password-based authenticated ke exchange (-PAKE) scheme be executed between and S in order to generate a session ke sk. Then we let create a message authentication code (MA) of X using sk. Then, S can check the validit of the X through checking MA of X and find the undetectable on-line dictionar attack. However, the execution of the -PAKE can increase the burden of the server, the gatewa and the client heavil. So, Bun et al. s method can not be applied in practice. In fact, we just let Abdalla et al. s scheme provide the implicit ke confirmation in order to eliminate the securit vulnerabilit. We modif Abdalla et al. s [5] scheme as follows. In our modified scheme, requires provide the ke confirmation b offering Auth. If malicious client A carr out the undetectable on-line dictionar attack described in section 3., will find the attack, since A can t offer the correct Auth. Step : chooses two random numbers x and r. Then computes x X g H ID ID pw = (, then sends M = ID X to., } Step : Upon receiving the message M, sends M = ID ID X to the server,, } S. Step 3: Upon receiving the message M, the S generates a random number s, and computes ( / ( ) s X = X H ID ID pw, h s = g and NIZKPLD( X ; g, h) π =. Then S sends M3 = X, h, π} to. Step : When receives M 3, he/she generates a random number and computes Y = h, π =, K = ( X), and NIZKPLD( X ; g, Y) Auth = h ID ID X Y K. (,, Then sends M = ID, h, Y, Auth, π, π } to. Step 5: After receiving M, computes K = ( Y) x and checks weather Auth equals h ID ID X Y K. If not, stops the session. Otherwise, checks weather (,, both of π, π is valid. If not, stops the session, else computes the session ke sk = h ID ID X Y K and (,, Auth = h ID ID X Y K. Then sends the (,,

6 message M 5 = Auth} to S. Step 6: After receiving M 5, S checks weather Auth equals h ID ID X Y K. (,, If not S stops the session, else S computes the session ke sk = h ID ID X Y K. (,, 5. onclusion Ver recentl, Abdalla et al. [5] present a new variant of the PAKE scheme of Abdalla et al. []. However, we find that the new scheme is vulnerable to an undetectable on-line guessing attack and can not provide the implicit ke confirmation. We also proposed a countermeasure for the securit vulnerabilit. Reference []. M. Abdalla, O. hevassut, P-A, Fouque et al., A simple threshold authenticated ke exchange from short secrets, in Proc. ASIARYPT 005, LNS vol. 3788, pp , Springer-Verlag, 005. []. J. W. Bun, D. H. Lee, and J. I. Lim, Securit analsis and improvement of a gatewa-oriented password-based authenticated ke exchange protocol, IEEE ommunication Letters 0 (9), pp , 006. [3]. T.-. Wu, H.-Y. hien, omments on atewa-oriented Password-Based Authenticated Ke Exchange Protocol, in IIH-MSP 009, Koto, 009, []. M. Abdalla, M. Izabach`ene, and D. Pointcheval, Anonmous and Transparent atewa-based Password-Authenticated Ke Exchange, in ANS '08, Hong-Kong, LNS 5339, pp. 33 8, Springer-Verlag, 008. [5]. Y. Ding and P. Horster, Undetectable on-line password guessing attacks, AM Operating Sstems Review, vol. 9, pp , Apr [6]..-P.r Schnorr. Efficient identification and signatures for smart cards, In RYPTO 89, LNS vol. 35, pp Springer, 990. [7]..-P. Schnorr. Efficient signature generation b smart cards. Journal of rptolog, (3):6 7, 99. [8]..-I Fan and.-l. Lei, Low-computation blind signature schemes based on quadratic residues, Electron. Lett., vol. 3, no. 7, pp , 996. [9]. S. Blake-Wilson and A. Menezes, Authenticated Diffie Hellman ke agreement protocols, Proc. 5th Annu. Int. Workshop SA, S. Tavares and H. Meijer, Eds, LNS, vol. 556, (999) [0]. Y. Ding and P. Horster, Undetectable on-line password guessing attacks, AM Operating Sstems Review, vol. 9, pp , Apr. 995.