Anonymous Password-based Authenticated Key Exchange

Transcription

1 Joint Research Workshop on Ubiquitous Network Security Anonymous Password-based Authenticated Key Exchange Akihiro Yamamura, Duong Quang Viet and Hidema Tanaka NICT Security Fundamentals Group 1

2 Motivation: How can we use password-based authentication methods in anonymous environment? Intutively, password-based methods seem inconsistent with privacy protecting protocols = New protocol where anonymity (privacy) and password-based authentication are compatible 2

3 Key exchange schemes Encryption methods provides secure communication methods. However, it is necessary to share a secret key between legitimate parties before the communication begins. W.Diffie and M.Hellman invented a method (called the DH exchange scheme) to establish a secret key using unsecure communication channel. = DH key exchange scheme is not the ultimate solution for secure key establishment problem 3

4 Outline of DH key exchange scheme ALICE BOB chooses x g x chooses y g y ALICE and BOB shares g xy 4

5 Defects of DH key exchange scheme (Man-in-the-middle attack) Adversaries can control data communications between legitimate parties: copy, resend, modify or delete messages. Therefore, it is easy for adversaries to impersonate somebody, that is, man-in-the-middle attack. DH key exchange scheme does not provide a way to authenticate communicating entities. Thus DH is vulnerable to the man-in-the-middle attack. = No guarantee that the key is agreed with the right person 5

6 Example of man-in-the-middle attack ALICE EVE BOB chooses x g x chooses z chooses y g y g z g z ALICE and EVE share g xz BOB and EVE share g yz EVE can ecrypt secret communicationn between ALICE and BOB 6

7 Authenticated key exchange scheme Authenticated key exchange scheme (AKE) AKE is an essential technique to authenticate the agreed session key using a long-term secret bit sequence. Password-based authenticated key exchange scheme (PAKE) In PAKE, two parties share a human-memorable password, which is relatively short and easily guessed. 7

8 Merits of password-based authenticate schemes It is easy to memorize passwords such as words in a dictionary or digit sequences such as birthdays or telephone numbers. Unnecessary to employ PKI Unnecessary to carry memory devices or laptop PCs = Convenience of users: avoiding many intricate work 8

9 Demerits of password-based authenticate schemes: Off-line dictionary attacks Passwords may be in a dictionary of small size. Possibly it is feasible for adversaries to do an exhaustive search by a computer. Off-line dictionary attacks: Guess the password and check whether or not the guessed password is correct using the data transmitted. The password-based scheme is vulnerable unless sufficient consideration is taken. 9

10 Approach by Bellovin and Merrit (EKE) S.M.Bellovin and M.Merritt proposed a password-based authenticated key exchange scheme secure against the dictionary attack. S.M.Bellovin and M.Merritt, Encrypted Key Exchange: Password-Based Protocols Secure against Dictionary Attacks, IEEE Symposium on Security and Privacy, (1992) At IEEE P1363, standardization activity is going on. Practical applications will appear soon(?) 10

11 Anonymous Group Authentication Scheme(AA) An anonymous group authentication scheme (AA) is a protocol that allows a member called a prover of a group Γ to convince a verifier that she is a member of Γ without revealing any information about her (protecting privacy). The protocol consists of two parties, the prover and the verifier, and the prover convinces the verifier that she knows a secret without revealing itself. 11

12 Oblivious transfer (OT) schemes A 1-out-of-n OT is a protocol where a sender S possesses n secret data and a chooser C can obtain only one of them without revealing his choice. = OT plays a crytical role in our proposed scheme 12

13 Outline of a 1-out-of-n OT scheme User U Server S OT Querry for D Database Answer Decrypt D from the answer S does not know that U gets D 13

14 Proposed scheme: Anonymous Password-based Authenticated Key Exchange (APAKE) We introduce anonymous password-based authenticated key exchange (APAKE) in which each user in a legitimate group G can anonymously establish a secret session key with a server. The agreed session key is authenticated using user s password. APAKE is secure against the offline dictionary attack as it is required to PAKE. = APAKE = PAKE + AA, Our goal: APAKE = Password-based methods + Privacy protection 14

15 Outline of simplified APAKE User U i chooses x computes g x g x and ith data querry OT Answer Server S chooses y computes g y {g y g H(pw j) j J} Database Using the answer computes g y g H(pw i) and gets g y only u i can do S does not know who U i U i and S share g xy 15

16 Classification of the related protocols Scheme Examples Type of Goal of Secret data Protocols AKE W.Diffie et al. Random bit sequence KE PAKE S.M.Bellovin et al. Passwords KE (Low entropy bit sequences) AA A.de Santis et al. Random bit sequences ID APAKE Proposed protocol Password KE in this talk (Low entropy bit sequences) 16

17 Security The security of the scheme is reduced to the computational DH problem under the random oracle model. 1. Semantic security No information on the session key is leaked No information on the passwords is leaked (security against dictionary attacks) 2. Anonymity The server cannot detect the user. 3. Authenticity The server can decide whether or not a user is legitimate. 17

18 Some extension: we have already extended to k-out-of-n APAKE. Future work(?): Giving a new proof: Straightforward proof = Universal composability technique Checking the protocol by formal method techniques Enhancing security against active attacks by the server Using some other techniques other than OT, for example, bilinear mappings or so 18