600 likes | 718 Vues
Simple password-based key agreement protocol. Department of Computer Engineering Kyungpook National University Sung-woon Lee. Sequence. Related work Security requirements System parameters Cryptanalysis for SAKA ’ s variants Simple password-based key agreement Protocol (SPKA)
E N D
Simple password-based key agreement protocol Department of Computer Engineering Kyungpook National University Sung-woon Lee
Sequence • Related work • Security requirements • System parameters • Cryptanalysis for SAKA’s variants • Simple password-based key agreement Protocol (SPKA) • Security analysis for SPKA • Conclusion
Related work (1/3) • Diffie-Hellman key agreement protocol (1976) • Session key sharing based on discrete logarithms over a finite field • Vulnerable to man-in-the-middle attack due to not providing authentication • SAKA (Simple authenticated key agreement) protocol (1999) • Providing authentication to Diffie-Hellman protocol using a simple way • Using a pre-shared password for user authentication
Related work (2/3) • Tseng’s protocol (2000) • Addressed a weakness caused by man-in-the-middle attack in the key verification steps of SAKA • Improved verification steps of SAKA • Ku and Wang’s protocol (2000) • Showed Tseng’s protocol is still vulnerable to man-in-the-middle attacks • Improved verification steps of SAKA
Related work (3/3) • Sun (2000) • Showed that SAKA is vulnerable to man-in-the-middle attack, password guessing attack, and perfect forward secrecy • Lin et al.’s protocol (2000) • Improved the verification steps of SAKA to overcome the weaknesses pointed out by Sun • Hsieh et al. (2002) • Showed Lin et al.’s protocol still suffers from password guessing attack
Security requirements (1/3) • Secure to man-in-the-middle attack • Although an attacker eavesdrops, modifies, reflects, or replays messages being transmitted, the session key has to be secure.
Security requirements (2/3) • Secure to password guessing attack • Online • Easily detected by counting authentication fails • Offline • Guessing password by intercepting and using messages being transmitted • Due to using the password that a person is able to memorize
Security requirements (3/3) • Provide perfect forward secrecy • Although the password was compromised, an attacker should not compute old session keys
Additional cryptanalysis for Tseng’s protocol • Vulnerable to password guessing attack • XA ?= (YB)Q = gaQ or XB ?=(YA)Q = gbQ XA XB YA YB
Cryptanalysis for Ku and Wang’s protocol • Vulnerable to password guessing attack: ?=YB • Not provide perfect forward secrecy: = gab XA XB VA YB
Weaknesses of SAKA related protocols • Vulnerable to man-in-the-middle attack • Vulnerable to password guessing attack • Not provide perfect forward secrecy
Simple password-based key agreement protocol (SPKA) XA XB VA VB
Security analysis for SPKA (1/4) • Secure to man-in-the-middle attack • If an attacker eavesdrops XA, XB, VA, and VB, he cannot gain information for session key, gabbecause of DLP • If an attacker modifies, reflects, or replays XA, XB, VA, and VB, this attack is detected because verification steps confirm both the correctness of XA, XB and the equality of KA, KB
Security analysis for SPKA (2/4) • Secure to password guessing attack • Since a attacker intercepts the messages, XA, XB, VA, and VB, any way to confirm the correctness of the guessed password P′ does not exist among them.
Security analysis for SPKA (3/4) • Provide perfect forward secrecy • Although password P is compromised, an attacker does not have any way that produce old session key gab using Q or Q-1 computed from P
Security analysis for SPKA (4/4) S: Secure, NS: Not Secure, P: Provide, NP: Not Provide
Conclusion • Reported the additional weaknesses in the variants of SAKA • Proposed simple password-based key agreement protocol (SPKA) • Secure to man-in-the-middle attack • Secure to password guessing attack • Provide perfect forward secrecy • Easily implemented in software and hardware because of its simple structure
Bit-Serial AOP Arithmetic Operators for Modular Exponentiation over GF(2m) Hyun-Sung Kim Information Security Lab.
Goal • Implement Exponentiation • LSB first algorithm • Two multipliers • Squarer and multiplier => Combined squarer and multiplier • MSB first algorithm • Power sum (AB2 + C) • AB2 multiplier => New AB2 multiplier
Index • Crypto System • Modular Exponentiation • Galois Field • Bit-Serial Arithmetic Operators • Comparison • Conclusion
Crypto system • Elgamal cryptosystem • Encryption : C = Mpublic mod p • Decryption : M = Cprivate mod p • public*private mod p 1 • M, C GF(2m), integer • p : irreducible primitive polynomial • Basic operation=>Modular exponentiation
Modular exponentiation • Basic operation • C = ME mod p • E = em-12m-1+ em-22m-2+…+ e12+ e0 = [ em-1em-2 em-3… e1 e0 ] • Binary method by Knuth • LSB-first algorithm • MSB-first algorithm
LSB-first algorithm • Input • M,E,p(x) • Output • C=ME mod p(x)=Me0(M2)e1(M4)e2…(M2 )em-1 Step1 C=1, T=M Step2 for i=0 to m-1 T=TT mod p(x) if ei == 1 C=CT mod p(x) m-1
LSB-first algorithm • LSB-first algorithm • Basic operation • Squaring • Multiplication • Traditional implementation • Based on two multipliers • Based on a multiplier and a squarer • Proposed implementation • Based on a combined squarer and multiplier
MSB-first algorithm • Input • M,E,p(x) • Output • C=ME mod p(x)=(Me1…(Mem-2(Mem-1)2)2…)2Me0 Step1 if em-1 == 1 C=M else C=1 Step2 for i=m-2 to 0 if ei == 1 C=MC2 mod p(x) else C=1C2 mod p(x)
MSB-first algorithm • MSB-first algorithm • Basic operation • AB2 multiplication • Traditional implementation • Based on Power-sum circuit (AB2+C) • Based on AB2 multiplier • Proposed implementation • Based on a new AB2 multiplier
Galois Field GF(2m) • Finite Field GF(2m) • Contains 2m elements • Canonical basis • {1, , 2, 3,…, m-1} • Element representation GF(2m) • a=am-1m-1+am-2m-2+…+a11+a0 • Why implement based on GF(2m) • Carry free
Galois Field GF(2m) • AB mod P, B2 mod P, AB2 mod P • A, B GF(2m) • P : Irreducible polynomial • All one polynomial (AOP) • P(x) = xm+xm-1+xm-2+…+x1+1 • Property of AOP • Let be a root of p(x) • p() = 0, m=m-1+m-2+…+1+1 • Multiply in both multiplication • m+1+1=0 <= use as an modular in extension field
Galois Field GF(2m) • Extension field • Modular m+1+1 • Element representation GF(2m+1) • A= amxm+ am-1xm-1+am-2xm-2+…+a1x1+a0 • am=0 • Why use the extension field • Easy modular reduction
CSM architecture • Basic architecture for LSB first Exp. • A2 mod p : Squarer • AB mod p : Multiplier • Proposed Architecture • Combined Squarer and Multiplier(CSM)
CSM architecture • AB mod P multiplication over EF
CSM architecture • AB mod P multiplication, P = m+1+1 5 +1 6 + 7 +2 8 +3
CSM architecture • Ctl = 1m1m-1…100m-1…00 a0…am-1am ym 1 0 y3 1 0 y2 1 0 y1 1 0 y0 1 0 p0…pm-1pm b0…bm-1bm 1 0 z0 z1 zm-2 zm-1 zm
CSM architecture • Step 1, ctl=1 for mux a0…am-1 am ym 1 0 y3 1 0 y2 1 0 y1 1 0 y0 1 0 bm b0…bm-1 1 0 z0 z1 zm-2 zm-1 zm
CSM architecture • Step 2, ctl=1 for mux a0…am-3am-2 am am-1 ym 1 0 y3 1 0 y2 1 0 y1 1 0 y0 1 0 bm-1 bm b0…bm-3bm-2 1 0 z0 z1 zm-2 zm-1 zm
CSM architecture • Step m+1, ctl=1 for mux am a3 a2 a1 a0 ym 1 0 y3 1 0 y2 1 0 y1 1 0 y0 1 0 am×b0 a3×bm-3 a2×bm-2 a1×bm-1 a0×bm pm 1 0 z0 z1 zm-2 zm-1 zm b0 bm-2 b1 bm-1 bm
CSM architecture • Step m+2, ctl=0 for mux am a3 a2 a1 a0 ym 1 0 y3 1 0 y2 1 0 y1 1 0 y0 1 0 am×bm a3×bm-4 a2×bm-3 a1×bm-2 a0×bm-1 pm-1pm 1 0 z0 z1 zm-2 zm-1 zm bm bm-3 b0 bm-2 bm-1
CSM architecture • A2 mod P =(amm+am-1m-1+…+a1+a0)2 =am2m+am-12(m-1)+…+a24+a12+a0 =am/2m+amm-1+…+a12+am/2+1+a0 • m+1 = 1, m+2 = , m+3 = 2,m+4 = 3
CSM architecture • Example over GF(24) =(a44+a33+a22+a1+a0)2 =a48+a36+a24+a12+a0 = a24+a43+a12+a31+a0 • 5 = 1, 6= , 7 = 2,8= 3
CSM architecture • Squarer over GF(24) b0b1b2b3b4 x4 x3 x2 x1 x0 y4 1 0 y3 1 0 y2 1 0 y1 1 0 y0 s0s1s2s3s4
CSM architecture • Step 4, ctl = 1 for mux b0 b4 b3 b2 b1 b0 x4 x3 x2 x1 x0 b2 b4 b3 b0 b1 y4 1 0 y3 1 0 y2 1 0 y1 1 0 y0
CSM architecture • Proposed CSM Architecture a0…am-1am smsm-1…s0 xm 0 1 x3 0 1 x2 0 1 x1 0 1 x0 ym 1 0 y3 1 0 y2 1 0 y1 1 0 y0 1 0 p0…pm-1pm b0…bm-1bm 1 0 z0 z1 zm-2 zm-1 zm
POM architecture • Basic architecture for MSB first Exp. • Multiplier for AB2 mod p • Power-Sum circuit • Proposed Architecture • New Power Multiplier (POM)
POM architecture • AB2 mod P multiplication over EF
POM architecture • AB mod P multiplication, P = m+1+1
POM architecture • Proposed POM Architecture b0…bm-1bm xm x3 x2 x1 x0 ym 1 0 y3 1 0 y2 1 0 y1 1 0 y0 1 0 p0…pm-1pm a0…am-1am 1 0 z0 z1 zm-2 zm-1 zm
POM architecture • Step m, ctl=1 for mux a0 a4 a3 a2 a1 a0 am xm x3 x2 x1 x0 ym 1 0 y3 1 0 y2 1 0 y1 1 0 y0 1 0 b1 bm-` b2 bm b0 1 0 z0 z1 zm-2 zm-1 zm
Two architectures • Input A and B • m bits • Output for AB multiplication, squaring, and AB2 multiplication • m+1 bits • Computed over extended field • Need to reduce the output => m bits