Simple password-based key agreement protocol. Department of Computer Engineering Kyungpook National University Sung-woon Lee. Sequence. Related work Security requirements System parameters Cryptanalysis for SAKA ’ s variants Simple password-based key agreement Protocol (SPKA)
Simple password-based key agreement protocol Department of Computer Engineering Kyungpook National University Sung-woon Lee
Sequence • Related work • Security requirements • System parameters • Cryptanalysis for SAKA’s variants • Simple password-based key agreement Protocol (SPKA) • Security analysis for SPKA • Conclusion
Related work (1/3) • Diffie-Hellman key agreement protocol (1976) • Session key sharing based on discrete logarithms over a finite field • Vulnerable to man-in-the-middle attack due to not providing authentication • SAKA (Simple authenticated key agreement) protocol (1999) • Providing authentication to Diffie-Hellman protocol using a simple way • Using a pre-shared password for user authentication
Related work (2/3) • Tseng’s protocol (2000) • Addressed a weakness caused by man-in-the-middle attack in the key verification steps of SAKA • Improved verification steps of SAKA • Ku and Wang’s protocol (2000) • Showed Tseng’s protocol is still vulnerable to man-in-the-middle attacks • Improved verification steps of SAKA
Related work (3/3) • Sun (2000) • Showed that SAKA is vulnerable to man-in-the-middle attack and password guessing attack, and does not provide perfect forward secrecy • Lin et al.’s protocol (2000) • Improved the verification steps of SAKA to overcome the weaknesses pointed out by Sun • Hsieh et al. (2002) • Showed Lin et al.’s protocol still suffers from password guessing attack
Security requirements (1/3) • Secure against man-in-the-middle attack • Even if an attacker eavesdrops on, modifies, reflects, or replays the messages being transmitted, the session key has to remain secure.
Security requirements (2/3) • Secure against password guessing attack • Online • Easily detected by counting authentication failures • Offline • Guessing the password by intercepting and using the messages being transmitted • Feasible because the password is one that a person is able to memorize
Security requirements (3/3) • Provide perfect forward secrecy • Even if the password is compromised, an attacker should not be able to compute old session keys
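Additional cryptanalysis for Tseng’s protocol • Vulnerable to password guessing attack • $X_A \overset{?}{=} (Y_B)^Q = g^{aQ}$ or $X_B \overset{?}{=} (Y_A)^Q = g^{bQ}$ [Protocol diagram: messages $X_A$, $X_B$, $Y_A$, $Y_B$]
Cryptanalysis for Ku and Wang’s protocol • Vulnerable to password guessing attack: ?= $Y_B$ • Does not provide perfect forward secrecy: = $g^{ab}$ [Protocol diagram: messages $X_A$, $X_B$, $V_A$, $Y_B$]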
Weaknesses of SAKA related protocols • Vulnerable to man-in-the-middle attack • Vulnerable to password guessing attack • Do not provide perfect forward secrecy
Simple password-based key agreement protocol (SPKA) [Protocol diagram: messages $X_A$, $X_B$, $V_A$, $V_B$]
Security analysis for SPKA (1/4) • Secure against man-in-the-middle attack • If an attacker eavesdrops on $X_A$, $X_B$, $V_A$, and $V_B$, he cannot gain information about the session key $g^{ab}$ because of the DLP • If an attacker modifies, reflects, or replays $X_A$, $X_B$, $V_A$, and $V_B$, the attack is detected because the verification steps confirm both the correctness of $X_A$, $X_B$ and the equality of $K_A$, $K_B$
Security analysis for SPKA (2/4) • Secure against password guessing attack • Even if an attacker intercepts the messages $X_A$, $X_B$, $V_A$, and $V_B$, nothing among them provides a way to confirm the correctness of a guessed password $P'$.
Security analysis for SPKA (3/4) • Provides perfect forward secrecy • Even if the password $P$ is compromised, an attacker has no way to produce an old session key $g^{ab}$ using $Q$ or $Q^{-1}$ computed from $P$
Security analysis for SPKA (4/4) S: Secure, NS: Not Secure, P: Provide, NP: Not Provide
Conclusion • Reported additional weaknesses in the variants of SAKA • Proposed the simple password-based key agreement protocol (SPKA) • Secure against man-in-the-middle attack • Secure against password guessing attack • Provides perfect forward secrecy • Easily implemented in software and hardware because of its simple structure
Bit-Serial AOP Arithmetic Operators for Modular Exponentiation over $GF(2^m)$ Hyun-Sung Kim Information Security Lab.
Goal • Implement Exponentiation • LSB first algorithm • Two multipliers • Squarer and multiplier => Combined squarer and multiplier • MSB first algorithm • Power sum ($AB^2 + C$) • $AB^2$ multiplier => New $AB^2$ multiplier
Index • Crypto System • Modular Exponentiation • Galois Field • Bit-Serial Arithmetic Operators • Comparison • Conclusion
Crypto system • Elgamal cryptosystem • Encryption : $C = M^{public} \bmod p$ • Decryption : $M = C^{private} \bmod p$ • public*private mod p = 1 • $M, C \in GF(2^m)$, integer • p : irreducible primitive polynomial • Basic operation => Modular exponentiation
Modular exponentiation • Basic operation • $C = M^E \bmod p$ • $E = e_{m-1}2^{m-1} + e_{m-2}2^{m-2} + \dots + e_1 2 + e_0 = [\, e_{m-1}\, e_{m-2}\, e_{m-3} \dots e_1\, e_0 \,]$ • Binary method by Knuth • LSB-first algorithm • MSB-first algorithm
LSB-first algorithm • Input • $M$, $E$, $p(x)$ • Output • $C = M^E \bmod p(x) = M^{e_0}(M^2)^{e_1}(M^4)^{e_2}\cdots(M^{2^{m-1}})^{e_{m-1}}$
Step 1: C = 1, T = M
Step 2: for i = 0 to m-1
    if e_i == 1: C = C·T mod p(x)
    T = T·T mod p(x)
LSB-first algorithm • LSB-first algorithm • Basic operation • Squaring • Multiplication • Traditional implementation • Based on two multipliers • Based on a multiplier and a squarer • Proposed implementation • Based on a combined squarer and multiplier
MSB-first algorithm • Input • $M$, $E$, $p(x)$ • Output • $C = M^E \bmod p(x) = (M^{e_1}\cdots(M^{e_{m-2}}(M^{e_{m-1}})^2)^2\cdots)^2 M^{e_0}$
Step 1: if e_{m-1} == 1: C = M, else C = 1
Step 2: for i = m-2 to 0
    if e_i == 1: C = M·C^2 mod p(x)
    else: C = 1·C^2 mod p(x)
MSB-first algorithm • MSB-first algorithm • Basic operation • $AB^2$ multiplication • Traditional implementation • Based on Power-sum circuit ($AB^2 + C$) • Based on $AB^2$ multiplier • Proposed implementation • Based on a new $AB^2$ multiplier
Galois Field $GF(2^m)$ • Finite Field $GF(2^m)$ • Contains $2^m$ elements • Canonical basis • {1, , 2, 3,…, m-1} • Element representation $GF(2^m)$ • a=am-1m-1+am-2m-2+…+a11+a0 • Why implement based on $GF(2^m)$ • Carry free
Galois Field $GF(2^m)$ • $AB \bmod P$, $B^2 \bmod P$, $AB^2 \bmod P$ • $A, B \in GF(2^m)$ • P : Irreducible polynomial • All one polynomial (AOP) • $P(x) = x^m + x^{m-1} + x^{m-2} + \dots + x + 1$ • Property of AOP • Let be a root of p(x) • p() = 0, m=m-1+m-2+…+1+1 • Multiply in both multiplication • m+1+1=0 <= used as the modulus in the extension field
Galois Field $GF(2^m)$ • Extension field • Modular m+1+1 • Element representation $GF(2^{m+1})$ • $A = a_m x^m + a_{m-1}x^{m-1} + a_{m-2}x^{m-2} + \dots + a_1 x + a_0$ • $a_m = 0$ • Why use the extension field • Easy modular reduction
CSM architecture • Basic architecture for LSB first Exp. • $A^2 \bmod p$ : Squarer • $AB \bmod p$ : Multiplier • Proposed Architecture • Combined Squarer and Multiplier (CSM)
CSM architecture • AB mod P multiplication over EF
CSM architecture • AB mod P multiplication, P = m+1+1 5 +1 6 + 7 +2 8 +3
CSM architecture • $Ctl = 1_m 1_{m-1}\cdots 1_0\, 0_{m-1}\cdots 0_0$ [Circuit diagram; labels: inputs $a_0 \dots a_m$, $b_0 \dots b_m$, $p_0 \dots p_m$; cells $y_0 \dots y_m$, $z_0 \dots z_m$]
CSM architecture • Step 1, ctl=1 for mux [Circuit diagram]
CSM architecture • Step 2, ctl=1 for mux [Circuit diagram]
CSM architecture • Step m+1, ctl=1 for mux [Circuit diagram]
CSM architecture • Step m+2, ctl=0 for mux [Circuit diagram]
CSM architecture • A2 mod P =(amm+am-1m-1+…+a1+a0)2 =am2m+am-12(m-1)+…+a24+a12+a0 =am/2m+amm-1+…+a12+am/2+1+a0 • m+1 = 1, m+2 = , m+3 = 2,m+4 = 3
CSM architecture • Example over GF(24) =(a44+a33+a22+a1+a0)2 =a48+a36+a24+a12+a0 = a24+a43+a12+a31+a0 • 5 = 1, 6= , 7 = 2,8= 3
CSM architecture • Squarer over $GF(2^4)$ [Circuit diagram; labels: $b_0 \dots b_4$, $x_0 \dots x_4$, $y_0 \dots y_4$, $s_0 \dots s_4$]
CSM architecture • Step 4, ctl = 1 for mux [Circuit diagram]
CSM architecture • Proposed CSM Architecture [Circuit diagram; labels: inputs $a_0 \dots a_m$, $b_0 \dots b_m$, $p_0 \dots p_m$; outputs $s_m \dots s_0$; cells $x_0 \dots x_m$, $y_0 \dots y_m$, $z_0 \dots z_m$]
POM architecture • Basic architecture for MSB first Exp. • Multiplier for $AB^2 \bmod p$ • Power-Sum circuit • Proposed Architecture • New Power Multiplier (POM)
POM architecture • $AB^2 \bmod P$ multiplication over EF
POM architecture • AB mod P multiplication, P = m+1+1
POM architecture • Proposed POM Architecture [Circuit diagram; labels: inputs $a_0 \dots a_m$, $b_0 \dots b_m$, $p_0 \dots p_m$; cells $x_0 \dots x_m$, $y_0 \dots y_m$, $z_0 \dots z_m$]
POM architecture • Step m, ctl=1 for mux [Circuit diagram]
Two architectures • Input A and B • m bits • Output for $AB$ multiplication, squaring, and $AB^2$ multiplication • m+1 bits • Computed over extended field • Need to reduce the output => m bits
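The LSB-first and MSB-first algorithms and the AOP extension-field reduction described above, as an added software sketch that is not part of the original slides. The field size m = 4 and all function names are assumptions chosen for illustration; the code relies on the fact that the AOP divides x^(m+1) + 1, so products can be reduced modulo x^(m+1) + 1 by cyclic shifts and brought back to m bits only at the end.

```python
# Added example (not from the slides). Field elements are ints; bit i is the
# coefficient of x^i. M = 4 is an assumed toy size: x^4+x^3+x^2+x+1 is irreducible.
M = 4
N = M + 1                      # extension ring: reduce modulo x^(m+1) + 1
MASK = (1 << N) - 1            # also the bit pattern of the AOP itself

def ext_mul(a, b):
    """Multiply modulo x^(m+1)+1: each partial product is a cyclic shift of a."""
    r = 0
    for i in range(N):
        if (b >> i) & 1:
            r ^= ((a << i) | (a >> (N - i))) & MASK   # rotate a left by i
    return r

def ext_sqr(a):
    """Squaring modulo x^(m+1)+1 only permutes bits: a_i moves to 2i mod (m+1)."""
    r = 0
    for i in range(N):
        if (a >> i) & 1:
            r |= 1 << ((2 * i) % N)
    return r

def to_field(a):
    """Final reduction from m+1 bits to m bits: x^m = x^(m-1) + ... + x + 1."""
    return a ^ MASK if (a >> M) & 1 else a

def exp_lsb(base, e):
    """LSB-first binary method: a multiplication and a squaring per exponent bit."""
    c, t = 1, base
    while e:
        if e & 1:
            c = ext_mul(c, t)
        t = ext_sqr(t)
        e >>= 1
    return to_field(c)

def exp_msb(base, e):
    """MSB-first binary method: C = M^(e_i) * C^2 per bit (the AB^2 operation)."""
    c = 1
    for i in reversed(range(e.bit_length())):
        c = ext_sqr(c)
        if (e >> i) & 1:
            c = ext_mul(base, c)
    return to_field(c)
```

Intermediate values stay in the (m+1)-bit redundant form throughout; only `to_field` applies the AOP, which is the "reduce the output => m bits" step on the last slide.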