
Elliptic Curve Authenticated Key Agreement Protocol (ECAKA)

Introducer: Jung-wen Lo (駱榮問). Date: 2008/07/25.



Presentation Transcript


  1. Elliptic Curve Authenticated Key Agreement Protocol (ECAKA) Introducer: Jung-wen Lo (駱榮問) Date: 2008/07/25

  2. Outline
     • Introduction
     • Elliptic Curve Diffie-Hellman Key Agreement Protocol
     • Paper 1: An improved authenticated key agreement protocol with perfect forward secrecy for wireless mobile communication
       Authors: Ai-fen Sui, L.C.K. Hui, S.M. Yiu, K.P. Chow, W.W. Tsang, C.F. Chong, K.H. Pun & H.W. Chan
       Source: 2005 IEEE Wireless Communications and Networking Conference, Vol. 4, pp. 2088 – 2093, 13-17 March 2005
       • A-Key distribution in 3GPP2
       • A-Key distribution using ECAKA
     • Paper 2: An enhanced authenticated key agreement protocol for wireless mobile communication
       Authors: Rongxing Lu, Zhenfu Cao and Haojin Zhu
       Source: Computer Standards & Interfaces, Vol. 29, Issue 6, pp. 647-652, Sep. 2007
       • Off-line password attack 1
       • Off-line password attack 2 (Active)
       • Enhanced ECAKA Protocol
     • Conclusions & Comment
     • Improved ECAKA Protocol

  3. Elliptic Curve Diffie-Hellman Key Agreement Protocol
     Alice: random dA, QA = dA·P
     Bob: random dB, QB = dB·P
     Alice → Bob: QA
     Bob → Alice: QB
     Alice: K = dA·QB
     Bob: K = dB·QA
     K = dA·dB·G = dB·dA·G
     ※ P: Base point (Generator)

  4. An improved authenticated key agreement protocol with perfect forward secrecy for wireless mobile communication Authors: Ai-fen Sui, L.C.K. Hui, S.M. Yiu, K.P. Chow, W.W. Tsang, C.F. Chong, K.H. Pun and H.W. Chan Source: 2005 IEEE Wireless Communications and Networking Conference, Vol. 4, pp. 2088 – 2093, 13-17 March 2005

  5. Notation
     • Alice (A), Bob (B): two communication users
     • E: an elliptic curve defined over a finite field Fq with large group order
     • n: a secure large prime
     • P: a point in E with large order n
     • D: a uniformly distributed dictionary of size |D|
     • S: a low-entropy password shared between Alice and Bob, which is randomly chosen from D
     • t: the value t is derived from the password S in a predetermined way, which is uniformly distributed in ℤn*
     • H: a secure one-way hash function

  6. Sui et al.’s ECAKA Protocol
     Alice: dA ∈ [1, n-1], QA = (dA + t)P
     Alice → Bob: QA
     Bob: dB ∈ [1, n-1], QB = (dB − t)P, Y = QA − tP = dAP
     Bob → Alice: QB, tY
     Alice: X = QB + tP = dBP, KA = dAX = dAdBP
     Alice → Bob: tX
     Bob: KB = dBY = dAdBP

  7. Notation for 3GPP2
     • MS: Mobile Subscriber
     • MSC: Mobile Switching Center
     • OTAF: Over-the-Air Service Provisioning Function
     • HLR: Home Location Register
     • AC: Authentication Center
     • ACTCODE: ActionCode
     • AKEYPV: A Key Protocol Version parameter, indicates MS’s A-key generation capabilities
     • SRVIND: ServiceIndicator parameter
     • OTASPREQ: OTASPRequest
     • SMDPP: SMSDeliveryPointToPoint
     • SMS BearerData: Containing an OTASP data message
     • ACK: Acknowledging a message
     • MODVAL: ModulusValue parameter (n)
     • PRIMVAL: PrimitiveValue parameter (g)
     • BSKEY: encryption key value from the network side. BSKEY = g^x mod n, where x is randomly selected by AC
     • MSKEY: encryption key value from MS. MSKEY = g^y mod n, where y is randomly selected by MS

  8. A-Key Distribution in 3GPP2

  9. A-Key Distribution using ECAKA

  10. An enhanced authenticated key agreement protocol for wireless mobile communication Authors: Rongxing Lu, Zhenfu Cao and Haojin Zhu Source: Computer Standards & Interfaces, Vol. 29, Issue 6, pp. 647-652, Sep. 2007

  11. Off-line Password Attack 1
      Alice: dA ∈ [1, n-1], QA = (dA + t)P
      Alice → Bob: QA
      Bob: dB ∈ [1, n-1], QB = (dB − t)P, Y = QA − tP = dAP
      Bob → Alice: QB, tY
      Attacker: Off-linePasswordAttack-1(QA, tdAP, D)
        for i := 0 to |D|
          S’ ← D; t’ ← S’ [predetermined way]
          if t’(QA − t’P) = tdAP then return S’

  12. Off-line Password Attack 2 (Active)
      Parties: Bob, Alice, Attacker
      Attacker: dA ∈ [1, n-1], QA = dAP
      Attacker → Bob: QA
      Bob: dB ∈ [1, n-1], QB = (dB − t)P, Y = dAP − tP
      Bob → Attacker: QB, tY = t(dAP − tP)
      Off-linePasswordAttack-2(QA, tdAP, D)
        choose dA ∈ [1, n-1], send dAP to B
        receive the value t(dAP − tP)
        for i := 0 to |D|
          S’ ← D; t’ ← S’ [predetermined way]
          if t’(dAP − t’P) = t(dAP − tP) then return S’

  13. Enhanced ECAKA Protocol
      Alice (A): dA ∈ [1, n-1], QA1 = (dA + t)P, QA2 = dA²·P
      Alice → Bob: QA1, QA2
      Bob (B): dB1, dB2 ∈ [1, n-1], Y = QA1 − tP = dAP, QB1 = dB1P + dB2Y, QB2 = dB1Y + dB2QA2
      Bob → Alice: HB = H(A||B||QA1||QB1||QB2), QB1
      Alice: X = dAQB1; check H(A||B||QA1||QB1||X) ?= HB; KA = X
      Alice → Bob: HA = H(A||B||QB1||QA1||X)
      Bob: check H(B||A||QB1||QA1||QB2) ?= HA; KB = QB2
      ※ KA = KB = X = dB1dAP + dB2dA²P

  14. A-Key Distribution Using Enhanced ECAKA Protocol

  15. Conclusions & Comment
      • Conclusions
        • Authenticated key agreement
        • Off-line password attack prevention
        • Perfect forward secrecy
      • Comment
        • Reduce the computation load

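  16. Improved ECAKA Protocol
      Alice and Bob each hold (S2)
      Alice: dA ∈ [1, n-1], QA = (dA + t)P
      Alice → Bob: QA
      Bob: dB ∈ [1, n-1], QB = (dB − t)P, Y = QA − tP = dAP
      Bob → Alice: QB, H(Y||S2)
      Alice: X = QB + tP = dBP, KA = dAX = dAdBP
      Alice → Bob: H(X||Y)
      Bob: KB = dBY = dAdBP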
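
The message flow of Sui et al.'s ECAKA (slide 6), run end to end as an added example; it is not code from the presentation or from the cited papers. The toy curve y² = x³ + 2x + 2 over F17 with P = (5, 1) of order 19, passing t directly as an integer, and the explicit comparisons of the tY and tX values are assumptions of this example.

```python
# Added example: Sui et al.'s ECAKA message flow (slide 6) on a toy curve.
# Assumed parameters: y^2 = x^3 + 2x + 2 over F_17, P = (5, 1), order n = 19.
# Textbook-sized values for readability only; they provide no security.
import secrets

p, a, n = 17, 2, 19
P = (5, 1)
O = None  # point at infinity

def add(A, B):
    if A is O: return B
    if B is O: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                   # A = -B
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):
    R, k = O, k % n                                # scalars live in Z_n
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def sub(A, B):
    return add(A, O if B is O else (B[0], -B[1] % p))

def ecaka(t_alice, t_bob, dA=None, dB=None):
    """Run one session; each side uses its own idea of the password value t."""
    dA = dA or 1 + secrets.randbelow(n - 1)        # dA in [1, n-1]
    dB = dB or 1 + secrets.randbelow(n - 1)        # dB in [1, n-1]
    QA = mul(dA + t_alice, P)                      # Alice -> Bob: QA
    QB = mul(dB - t_bob, P)
    Y = sub(QA, mul(t_bob, P))                     # equals dA*P if t matches
    tY = mul(t_bob, Y)                             # Bob -> Alice: QB, tY
    X = add(QB, mul(t_alice, P))                   # equals dB*P if t matches
    alice_accepts = tY == mul(t_alice * dA, P)     # assumed check of tY
    tX = mul(t_alice, X)                           # Alice -> Bob: tX
    bob_accepts = tX == mul(t_bob * dB, P)         # assumed check of tX
    KA, KB = mul(dA, X), mul(dB, Y)
    return alice_accepts, bob_accepts, KA, KB
```

With matching t both sides accept and derive dAdBP; with different t both comparisons fail and the two keys diverge.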
