Security Analysis of Shim s Authenticated Key Agreement Protocols from Pairings

Similar documents
An IBE Scheme to Exchange Authenticated Secret Keys

Pairing-Based One-Round Tripartite Key Agreement Protocols

Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing

Pairing-Based One-Round Tripartite Key Agreement Protocols

Group Oriented Identity-Based Deniable Authentication Protocol from the Bilinear Pairings

An Improved Remote User Authentication Scheme with Smart Cards using Bilinear Pairings

An improved pairing-free identity-based authenticated key agreement protocol based on ECC

An Enhanced Certificateless Authenticated Key Agreement Protocol

Remove Key Escrow from The Identity-Based Encryption System

Session key establishment protocols

Session key establishment protocols

A modified eck model with stronger security for tripartite authenticated key exchange

Authenticated Key Agreement without Subgroup Element Verification

Robust EC-PAKA Protocol for Wireless Mobile Networks

(In)security of ecient tree-based group key agreement using bilinear map

Key Escrow free Identity-based Cryptosystem

REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM

Authenticated Key Agreement Without Using One-way Hash Functions Based on The Elliptic Curve Discrete Logarithm Problem

Cryptanalysis on Improved Chou et al. s ID-Based Deniable Authentication Protocol

Authenticated ID-based Key Exchange and remote log-in with simple token and PIN number

ID-Based Distributed Magic Ink Signature from Pairings

Improvement of recently proposed Remote User Authentication Schemes

Security Analysis of Batch Verification on Identity-based Signature Schemes

A Novel Identity-based Group Signature Scheme from Bilinear Maps

A Smart Card Based Authentication Protocol for Strong Passwords

T Cryptography and Data Security

A Simple User Authentication Scheme for Grid Computing

On the Security of a Certificateless Public-Key Encryption

1. Diffie-Hellman Key Exchange

A SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS

arxiv: v2 [cs.cr] 9 Sep 2009

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

Design of Secure VoIP using ID-Based Cryptosystem

Certificateless Public Key Cryptography

Category: Informational March Methods for Avoiding the "Small-Subgroup" Attacks on the Diffie-Hellman Key Agreement Method for S/MIME

An Efficient Two-Party Identity-Based Key Exchange Protocol

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Key Agreement Schemes

Remote User Authentication Scheme in Multi-server Environment using Smart Card

PAijpam.eu A STUDY ON DIFFIE-HELLMAN KEY EXCHANGE PROTOCOLS Manoj Ranjan Mishra 1, Jayaprakash Kar 2

Implementation and Benchmarking of Elliptic Curve Cryptography Algorithms

Key Management and Distribution

Cryptography and Network Security Chapter 10. Fourth Edition by William Stallings

A Simple User Authentication Scheme for Grid Computing

Diffie-Hellman Protocol as a Symmetric Cryptosystem

Provable Secure Identity Based Key Agrement Protocol With Perfect Forward Secrecy

ID-Based Multi-Proxy Signature and Blind Multisignature from Bilinear Pairings

Trust negotiation with trust parameters

A robust smart card-based anonymous user authentication protocol for wireless communications

An efficient and practical solution to secure password-authenticated scheme using smart card

A compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems.

A Critical Analysis and Improvement of AACS Drive-Host Authentication

Brief Introduction to Provable Security

Cryptography and Network Security

IBAKE: Identity-Based Authenticated Key Exchange Protocol

A SIGNATURE ALGORITHM BASED ON DLP AND COMPUTING SQUARE ROOTS

CIS 4360 Secure Computer Systems Applied Cryptography

scheme in wireless sensor networks

AN EFFICIENT CERTIFICATELESS AUTHENTICATED KEY AGREEMENT

Verifiably Encrypted Signature Scheme with Threshold Adjudication

SM9 identity-based cryptographic algorithms Part 3: Key exchange protocol

A New ID-based Group Signature Scheme from Bilinear Pairings

Notes for Lecture 14

The Modified Scheme is still vulnerable to. the parallel Session Attack

Identity-Based Encryption from the Weil Pairing

Smart-card-loss-attack and Improvement of Hsiang et al. s Authentication Scheme

An Efficient ID-KEM Based On The Sakai Kasahara Key Construction

Simple and Efficient Threshold Cryptosystem from the Gap Diffie-Hellman Group

A Limitation of BAN Logic Analysis on a Man-in-the-middle Attack

Identity-Based Threshold Cryptography for Electronic Voting

ISSN: (Online) Volume 3, Issue 5, May 2015 International Journal of Advance Research in Computer Science and Management Studies

Security Weaknesses of a Biometric-Based Remote User Authentication Scheme Using Smart Cards

2.1 Basic Cryptography Concepts

Diffie-Hellman. Part 1 Cryptography 136

CHAPTER 4 VERIFIABLE ENCRYPTION OF AN ELLIPTIC CURVE DIGITAL SIGNATURE

A weakness in Sun-Chen-Hwang s three-party key agreement protocols using passwords

Cryptanalysis on Two Certificateless Signature Schemes

Keywords Session key, asymmetric, digital signature, cryptosystem, encryption.

Linkability of Some Blind Signature Schemes

Public Key Cryptography

Protocols for Authenticated Oblivious Transfer

Extended Diffie-Hellman Technique to Generate Multiple Shared Keys at a Time with Reduced KEOs and its Polynomial Time Complexity

Security properties of two authenticated conference key agreement protocols

Secure Key-Evolving Protocols for Discrete Logarithm Schemes

Insecure Provable Secure Network Coding

SM9 identity-based cryptographic algorithms Part 2: Digital signature algorithm

LIGHTWEIGHT TRUSTED ID-BASED SIGNCRYPTION SCHEME FOR WIRELESS SENSOR NETWORKS

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Efficient password authenticated key agreement using bilinear pairings

Station-to-Station Protocol

Applied Cryptography and Computer Security CSE 664 Spring 2017

EFFECTIVE KEY GENERATION FOR MULTIMEDIA AND WEB APPLICATION

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Speed-ups of Elliptic Curve-Based

Software Implementation of Tate Pairing over GF(2 m )

Cryptanalysis and Improvement of a Dynamic ID Based Remote User Authentication Scheme Using Smart Cards

Auth. Key Exchange. Dan Boneh

Attribute-based encryption with encryption and decryption outsourcing

Blind Signature Scheme Based on Elliptic Curve Cryptography

Secure E-Tendering Using Identity Based Encryption from Bilinear Pairings

Transcription:

Security Analysis of Shim s Authenticated Key Agreement Protocols from Pairings Hung-Min Sun and Bin-san Hsieh Department of Computer Science, National sing Hua University, Hsinchu, aiwan, R.O.C. hmsun@cs.nthu.edu.tw Department of Computer Science and Information Engineering, National Cheng Kung University, ainan, aiwan, R.O.C. bintsan@csie.ncku.edu.tw Abstract Recently, Shim proposed a tripartite authenticated key agreement protocol from Weil pairing to overcome the security flaw in Joux s protocol. Later, Shim also proposed an ID-based authenticated key agreement protocol which is an improvement of Smart s protocol in order to provide the forward secrecy. In this paper, we show that these two protocols are insecure against the key-compromise impersonation attack and the manin-the-middle attack respectively. Keywords: Cryptanalysis, Weil Pairing, ID-based, Key Agreement, Authentication 1 Introduction raditionally, asymmetric cryptographic schemes are based on either the discrete logarithm problem or the factoring problem. he most concerned issue in implementation of cryptographic schemes is the computation cost of modular exponentiation. o overcome such a problem, the elliptic curve cryptography becomes a good choice because it reduces the computation cost while remaining the same security level. It is noticed that the decision of Diffie-Hellman is regarded as a hard problem in discrete logarithm, however, it is not a hard problem in elliptic curve cryptography due to Weil pairing [1]. Weil pairing is a new primitive and is interesting to cryptography societies. Several cryptographic schemes [2][3][4][5][6] are designed based on the Weil pairing, and enjoy the convenience of the property of Weil pairing. For a sound authenticated key exchange protocol, Wilson and Menezes [7] defined several desirable security attributes. We show these attributes in the following. Here we assume A and B are two honest entities. 1

1. Known-Key Security In each round of key agreement protocol, A and B should generate a unique secret key. Each key generated in one protocol round is independent and should not be exposed if other secret keys are compromised. 2. Forward Secrecy he Forward Secrecy property is that if A and B s secret keys are compromised, the session keys used in the past should not be recovered. 3. Key-Compromise Impersonation A protocol which is secure against the key compromise impersonation attack means that if A s secret key is compromised, the adversary who knows the value can not impersonate others to A. 4. Unknown Key-Share After the protocol, A ends up believing he shares a key with B, and B mistakenly believes that the key is instead shared with an adversary. herefore, a sound authenticated key agreement protocol should prevent the unknown key-share situation. In 2000, Joux [2] proposed a tripartite Diffie-Hellman key agreement protocol based on the Weil pairing. However, Shim [5] pointed out that Joux s protocol suffers from the man-in-the-middle attack and further proposed an improved tripartite authenticated key agreement protocol. Shim employed the public key infrastructure to overcome the security flaw in Joux s protocol and claimed that the improved protocol can withstand some attacks [5], such as the man-inthe-middle attack, the key-compromise impersonation attack, and the unknown key-share attack. On the other hand, Smart [4] proposed an ID-based authenticated key agreement protocol based on Weil pairing. Later, Shim [6] pointed out that Smart s protocol does not provide the forward secrecy which is an important security requirement of an authenticated key agreement protocol. Shim [6] further proposed an efficient ID-based authenticated key agreement protocol to provide the forward secrecy. Shim also gave more security analysis to show that the proposed protocol provides other attractive security properties of an authentication key agreement protocol [7][8], such as known-key security, forward secrecy, key compromise impersonation resilience, and unknown key-share resilience. In this paper, we show that both Shim s protocols are still insecure against the key-compromise impersonation attack and the man-in-the-middle attack respectively. he rest of this paper is organized in the following. In Section 2, we briefly review Shim s tripartite authenticated key agreement protocol from Weil pairing and show its insecurity. In Section 3, we review Shim s ID-based authenticated key agreement protocol from Weil pairing and point out its weakness. We conclude this paper in Section 4. 2

2 On the security of Shim s tripartite authenticated key agreement protocol he protocol proposed by Shim is a one round tripartite authenticated key agreement protocol which enables three parties to obtain a common session key in a single round. We describe the protocol as follows: 2.1 Setup System Setup Let p be a prime such that p = 6q 1 for some prime q, and E be a supersingular elliptic curve defined by y 2 = x 3 + 1 over F p. Let P be a points generator of the group with order q = (p + 1)/6 and the set of points form a cyclic group, denoted as G 1. Let G 2 be the subgroup of Fp that contains all 2 elements of order q. he modified Weil pairing on the curve E is a bilinear mapping ê : G 1 G 1 G 2 that has the following properties: (1) Bilinear: For any P, Q G 1 and a, b Z, we have ê(ap, bq) = e(p, Q) ab. (2) Non-degenerate: ê(p, P ) is a generator of G 2. (3) Computable: Let P, Q G 1, there is an efficient algorithm to compute ê(p, Q) G 2. Key Setup he public domain parameters {p, q, E, P, ê} are common to all entities. A user R s public key is denoted as Y R = rp, where r is R s secret key. Cert R denotes the certificate of user R. 2.2 Shim s tripartite authenticated key agreement protocol First, A, B, and C choose random numbers x, y, and z and compute A = x(ap ), B = y(bp ), C = z(cp ), respectively. Next, they broadcast the computed values and their certificates to others. A : A = x(ap ), Cert A B : B = y(bp ), Cert B C : C = z(cp ), Cert C he keys computed by A, B, and C are: K A = ê( B, C ) axê(y B,Y C ) a K B = ê( A, C ) byê(y A,Y C ) b K C = ê( A, B ) czê(y A,Y B ) c abcxyzê(p,p )abc = ê(p, P ) abcxyzê(p,p )abc = ê(p, P ) abcxyzê(p,p )abc = ê(p, P ) 3

2.3 Key compromise impersonation attack on Shim s tripartite authenticated key agreement protocol In this subsection, we give the following scenario to show that Shim s protocol is insecure against the key compromise impersonation attack. hat is an adversary Adv who knows A s secret key a can impersonate B to A. First, the adversary Adv selects a random number u and computes B = up. Next, Adv sends B and Cert B to A. Assuming C is honest, therefore, A receives two messages from Adv and C as follows: Adv A : B = up, Cert B C A : C = z(cp ), Cert C. Upon the received messages, A computes the session key K A : K A = ê( B, C ) axê(y B,Y C ) a = ê(p, P ) axuczê(p,p )abc. Similarly, Adv receives the two messages from honest A and C as follows: A Adv : A = x(ap ), Cert A C Adv : C = z(cp ), Cert C. Finally, Adv can compute the common session key K E : K E = ê( A, C ) uê(y B,Y C ) a = ê(p, P ) axuczê(p,p )abc. Namely, with the knowledge of A s secret key a, Adv can impersonate B to A. Moreover, Adv can surely perform the same steps above to cheat C simultaneously. 3 On the security of Shim s ID-based authenticated key agreement protocol he protocol is an ID-based authenticated key agreement protocol in which a user s identity is regarded as his public key. he details of the protocol is described as follows: 3.1 Setup System Setup he system setup is the same as in the previous protocol with an extra hash function. he hash function H : {0, 1} G 1 used in the protocol is a mapping of user s ID to an element in G 1. Key Setup 4

he key generation center computes his public key P pub = sp, where s R Z q is the center s secret key. he center publishes the system parameters params = {G 1, G 2, e, q, P, P pub, H}. Each user i sends his ID i {0, 1} to the center. he center computes Q i = H 2 (ID i ) and returns S i = sq i to user i via a secure channel. User i keeps S i as his private key. 3.2 Shim s ID-based authenticated key agreement protocol wo parties A and B run the protocol as follows: Step 1. A computes a = ap, where a is a random number, and sends it to B. Step 2. B computes b = bp, where b is a random number, and sends it to A. Step 3. A computes Q B = H(ID B ) and the shared secret K AB = e(ap pub + S A, b + Q B ) = e(p, P ) abs e(q A, P ) bs e(p, Q B ) as e(q A, Q B ) s Step 4. B computes Q A = H(ID A ) and the shared secret K BA = e( a + Q A, bp pub + S B ) = e(p, P ) abs e(q A, P ) bs e(p, Q B ) as e(q A, Q B ) s Step 5. he session key is K = kdf(k AB A B) = kdf(k BA A B), where kdf() is a public key derivation function. We briefly depict the scenario of Shim s protocol in figure 1. A a = ap a B b = bp b Q B = H(ID B ) Q A = H(ID A ) K AB = e(ap pub + S A, b + Q B ) K BA = e( a + Q A, bp pub + S B ) Figure 1: ID-based authenticated key agreement protocol 3.3 Man-in-the-middle attack on Shim s ID-based authenticated key agreement protocol In this subsection, we demonstrate that an adversary Adv can perform the following steps, referred to as man-in-the-middle attack, to obtain the session keys computed by A and B, respectively. 5

Step 1. Adv intercepts a from A. He computes Q A = H(ID A ) and sends a = a P Q A to B, where a is selected by E. Step 2. Adv intercepts b from B. He computes Q B = H(ID B ) and sends b = b P Q B to A, where b is selected by E. It is clear that two shared secrets computed by A and B are and K AB = e(ap pub + S A, b + Q B ) = e(ap pub + S A, b P ) = e(p, P ) asb e(q A, P ) sb K BA = e( a + Q A, bp pub + S B ) = e(a P, bp pub + S B ) = e(p, P ) a sb e(p, Q B ) a s. After the masquerade, the adversary Adv can also compute the two shared secrets computed by A and B K AB = e( a, b P pub )e(q A, b P pub ) = e(p, P ) asb e(q A, P ) sb = K AB K BA = e( b, a P pub )e(a P pub, Q B ) = e(p, P ) a sb e(p, Q B ) a s = K BA he scenario of the man-in-the-middle attack is given in figure 2. 4 Conclusions and Remarks In this paper, we have shown that both Shim s protocols from Weil pairing are insecure against the key-compromise impersonation attack and the man-in-themiddle attack respectively. Moreover, the fact that Shim s ID-based authenticated key agreement protocol is insecure against the man-in-the-middle attack implies that the protocol does not provide key-compromise impersonation resilience either. Because the man-in-the-middle attack can be regarded as two concurrent impersonation attacks to A and B without key compromising. 6

A E B a = ap a a = a P Q A b = b P Q B a a = ap b b K AB = e(ap pub + S A, b + Q B) K BA = e( a + Q A, bp pub + S B ) = e(p, P ) asb e(q A, P ) sb = e(p, P ) a sb e(p, Q B ) a s Figure 2: Man-in-the-middle attack on ID-based authenticated key agreement protocol References [1] P.S.L.M. Barreto, H.Y. Kim, B. Lynn, and M. Scott, Efficient algorithms for Pairing-based cryptosystems, Proc. Crypto 02, Santa Barbara, CA, USA, pp. 354-369, August 2002. [2] A. Joux, An one round protocol for tripartite Diffie-Hellman, Proc. ANS 4, LNCS 1838, pp. 385-394, 2000. [3] D. Boneh, and M. Franklin, Identity-based encryption from the Weil pairing, Advances in cryptology, Crypto 01, Santa Barbara, CA, USA, pp. 213-229, August 2001. [4] N. P. Smart, An ID-based authenticated key agreement protocol based on the Weil pairing, Electron. Lett., 38, (14), pp. 630-632, 2002. [5] K. Shim, Efficient one round tripartite authenticated key agreement protocol from Weil pairing, Electronics Letters, Vol. 39, No. 2, pp. 208-209, 2003. [6] K. Shim, Efficient ID-based authenticated key agreement protocol based on Weil pairing, Electron. Lett, 39, (8), pp. 653-654, 2003. [7] S. B. Wilson, and A. Menezes, Authenticated Diffie-Hellman key agreement protocols, Proceedings of the 5th Annual Workshop on Selected Areas in Cryptography (SAC 98), Lecture Notes in Computer Science, pp. 339-361, 1999. [8] A. Menezes, M. Qu, and S. A. Vanstone, Some key agreement protocols providing implicit authentication, Workshop on Selected Areas in Cryptography (SAC 95), pp. 22-32, 1995. 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback