
Password-only Authenticated Key Agreement Protocols Based on Self-certified Approach






Presentation Transcript


  1. Password-only Authenticated Key Agreement Protocols Based on Self-certified Approach Tzong-Chen Wu and Yen-Ching Lin Department of Information Management National Taiwan University of Science and Technology, Taiwan tcwu@cs.ntsut.edu.tw, D9109101@mail.ntust.edu.tw

  2. Outline
  • Introduction
  • Security attributes
  • The proposed PAKA protocols
    • System model
    • The proposed 2-PAKA protocol
    • The proposed n-PAKA protocol
  • Conclusions

  3. Introduction
  • Authenticated key agreement (AKA) protocols
    • Allow communicating parties to mutually authenticate each other and share an authenticated session key
    • Establish a secure channel for subsequent communications
  • Previous works on AKA protocols (based on the Decision Diffie-Hellman problem):
    • 2-AKA: Diffie, van Oorschot, Wiener (1992); Blake-Wilson, Menezes (1998)
    • n-AKA: Just and Vaudenay (1996); Steiner, Tsudik, Waidner (1997); Ateniese, Steiner, Tsudik (1998, 2000); Bresson, Chevassut, Pointcheval (2001, 2002)

  4. Introduction (cont.)
  • Use of passwords for authentication
    • Advantages: ease of use, ease of implementation, and low cost
    • Disadvantages: on-/off-line guessing attacks
  • Password-only authenticated key agreement (PAKA) protocols
    • Achieve the security attributes of AKA
    • Use only easy-to-remember passwords, and remain secure even for weak passwords (i.e., resist on-/off-line guessing attacks)

  5. Introduction (cont.)
  • Previous works on 2-PAKA protocols (based on the Decision Diffie-Hellman problem)
    • Bellovin and Merritt (1992, 1993)
    • Jablon (1996)
    • Lee, Shohn, Yang, Won (1999)
    • Boyko, MacKenzie, Patel (2000)
    • Bellare, Pointcheval, Rogaway (2000)
    • Lin, Sun, Hwang (2000); Lin, Sun, Steiner, Hwang (2001)
    • MacKenzie, Patel, Swaminathan (2000)
    • ……
  • Previous works on n-PAKA protocols
    • ???

  6. Contributions of this paper
  • Propose a 2-PAKA protocol based on the self-certified approach
    • Communicating parties use only passwords; no other secret parameters (e.g., long-term private keys) or trusted servers (as adopted by three-party PAKA protocols) are required during the key agreement phase
    • Messages sent between the communicating parties are self-certified, and hence no public key certificates are required when applying public key systems
    • Achieves the security attributes of AKA
    • Resists on-/off-line guessing attacks
  • Generalize 2-PAKA to n-PAKA (based on CLIQUES, proposed by Steiner, Tsudik, and Waidner, 1997)

  7. Security attributes
  • Known-key security: an attacker cannot derive any other established session key from a compromised session key
  • Perfect forward secrecy: an attacker cannot derive any previously established session key from a compromised password
  • On-/off-line guessing attacks: an attacker cannot find out the parties' passwords from the intercepted messages by exhaustive search

  8. Security attributes (cont.)
  • Password-compromised impersonation attacks: suppose that the password PWi of party Ui is compromised. It may still be desirable in some circumstances that an attacker cannot impersonate another party Uj to Ui using the compromised PWi
  • Unknown key-share attacks: an attacker intercepts Ui's message and replays it to Uj. For such an attack to succeed, Ui ends up believing he shares a session key with Uj, and although this is in fact the case, Uj mistakenly believes the key is instead shared with some party Ua ≠ Ui

  9. System model (figure: System Authority (SA) and parties U1, U2, …, Un)
  1. Each party registers with the SA using a password
  2. The SA returns a self-certified public value
  3. The registered parties run the PAKA protocol among themselves

  10. System setup phase
  • N: a composite N = PQ, where P and Q are two large primes
  • R: a prime that can withstand exhaustive search attacks
  • g: a generator modulo N with order R
  • f: a one-way function, where 0 < f(x) < R for any x
  At the end of this phase, SA publishes N and f, while keeping P, Q and R secret.

  11. User registration phase (the formulas on this slide were rendered as images and are not in the transcript)
  Pre-shared between Ui and SA: {IDi, PWi}
  1. SA:
    1.1 compute f(IDi, PWi)^-1 and f(IDi)^-1, i.e., f(IDi, PWi)·f(IDi, PWi)^-1 = 1 mod R and f(IDi)·f(IDi)^-1 = 1 mod R
    1.2 randomly choose an integer
    1.3 compute
  2. SA → Ui: {ci, wi}
  3. Ui:
    3.1 compute
    3.2 verify
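The two facts the setup and registration slides rely on are that g has order exactly R modulo the composite N, and that f(IDi, PWi) and f(IDi) are invertible modulo R because 0 < f(x) < R and R is prime. The following added example (not code from the paper) builds toy-sized parameters and performs SA's inverse computation from step 1.1. Assumptions not stated on the slides: R divides both P-1 and Q-1 (the usual way to obtain an element of order R modulo PQ), and f is instantiated as SHA-256 reduced into the range 1..R-1; the primes 23, 67, 11 and the identity/password strings are constructed sample values.

```python
import hashlib
import math

# Toy parameters, constructed for illustration only: real deployments use
# large P and Q and an R that withstands exhaustive search.
# Assumption (not on the slides): R | P-1 and R | Q-1, which is how an
# element of order exactly R modulo N = PQ is obtained.
P, Q, R = 23, 67, 11


def setup_params(P, Q, R):
    """SA's system-setup step: N = PQ and a generator g of order R modulo N.

    Raising a base h to lcm(P-1, Q-1)/R removes every factor of the group
    order except R.  The gcd test rejects candidates that collapse to 1 modulo
    P or modulo Q: such a g would have order R on only one side and g-1 would
    share a factor with N.  Returns (N, g).
    """
    assert (P - 1) % R == 0 and (Q - 1) % R == 0, "need R | P-1 and R | Q-1"
    N = P * Q
    lcm = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)
    e = lcm // R
    for h in range(2, N):
        g = pow(h, e, N)
        if g != 1 and pow(g, R, N) == 1 and math.gcd(g - 1, N) == 1:
            return N, g
    raise ValueError("no element of order R found")


def f(R, *parts):
    """One-way function with 0 < f(x) < R.  Instantiation (an assumption):
    SHA-256 over the NUL-joined inputs, reduced into 1..R-1."""
    data = b"\x00".join(str(p).encode() for p in parts)
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest % (R - 1) + 1


def sa_inverses(R, ID, PW):
    """Registration step 1.1, performed by the SA (the only party holding R):
    the inverses of f(ID, PW) and f(ID) modulo R.  They always exist because R
    is prime and f lands in 1..R-1; Fermat's little theorem gives a^-1 = a^(R-2)."""
    a, b = f(R, ID, PW), f(R, ID)
    inv_a = pow(a, R - 2, R)
    inv_b = pow(b, R - 2, R)
    assert (a * inv_a) % R == 1 and (b * inv_b) % R == 1
    return inv_a, inv_b


if __name__ == "__main__":
    N, g = setup_params(P, Q, R)
    # SA publishes N (and f); P, Q and R stay secret.
    print("N =", N, "g =", g, "g^R mod N =", pow(g, R, N))
    print("inverses for the constructed pair ('alice', 'hunter2'):",
          sa_inverses(R, "alice", "hunter2"))
```

The range condition 0 < f(x) < R is what makes the registration step well defined: a value of 0 or a multiple of R would have no inverse. Note that computing the inverses requires R itself, which is consistent with the slide's statement that SA keeps R secret.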

  12. Proposed 2-PAKA protocol (the formulas on this slide were rendered as images and are not in the transcript)
  1. Ui:
    1.1 randomly choose two integers xi, ti
    1.2 compute
  2. Ui → Uj: {IDi, wi, yi, ri, si}
  3. Uj:
    3.1 verify
    3.2 compute yj, rj and sj as in Step 1
    3.3 compute
  4. Uj → Ui: {IDj, wj, yj, rj, sj, mj}
  5. Ui:
    5.1 verify yj, rj and sj as in Step 3.1
    5.2 compute
    5.3 verify
    5.4 compute
  6. Ui → Uj: {IDi, mi}
  7. Uj: verify

  13. Proposed n-PAKA protocol
  • The proposed n-PAKA protocol is somewhat like CLIQUES (Steiner, Tsudik, Waidner, 1997)
  • Suppose that the registered parties U1, U2, …, Un want to perform the n-PAKA protocol. U1 is the originator, and the communication proceeds in the sequence U1, U2, …, Un

  14. Proposed n-PAKA protocol (cont.) (the formulas on this slide were rendered as images and are not in the transcript)
  1. Ui: compute
  2. Ui → Ui+1: {IDi, Xi, wi, yi, ri, si}
  3. Ui+1: verify

  15. Proposed n-PAKA protocol (cont.) (the formulas on this slide were rendered as images and are not in the transcript)
  4. Un:
    4.1 compute Xn, yn, rn and sn as in Step 1, where
    4.2 compute
  5. Un broadcasts {IDn, Xn, wn, rn, sn, mn}
  6. Ui:
    6.1 verify {IDn, Xn, wn, yn, rn, sn, mn} as in Step 1
    6.2 compute
    6.3 verify
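Slides 13 to 15 only give the message flow of the n-PAKA protocol (an upflow chain U1 → U2 → … → Un followed by a broadcast from Un), and name CLIQUES as the basis. The following added example, which is not the paper's protocol and not code from the authors, shows the unauthenticated CLIQUES GDH.2 baseline that this flow follows: each Ui raises the partial values it receives to its secret exponent and forwards them, Un broadcasts the values each party needs, and every party derives the same key. The self-certified fields of the paper's messages (wi, yi, ri, si, mi) are deliberately not reproduced, since their formulas are not on the page. The group N = 1541 = 23·67 with g = 64 of prime order R = 11 is a constructed toy instance.

```python
import secrets

# Toy group, constructed for illustration: g = 64 has prime order R = 11
# modulo N = 1541 = 23 * 67.  Real parameters are far larger.
N, g, R = 1541, 64, 11


def upflow_step(prev_msg, x_i):
    """Ui's upflow step (slide 14, message 2 in the baseline form).

    prev_msg = (partials, full) received from U(i-1), where
      partials[j] = g^(x_1 * ... * x_(i-1) with x_(j+1) left out)
      full        = g^(x_1 * ... * x_(i-1)).
    Ui raises every partial to x_i, appends the old full value (which is the
    new partial "missing x_i"), and raises full to x_i.
    """
    partials, full = prev_msg
    new_partials = [pow(p, x_i, N) for p in partials] + [full]
    return new_partials, pow(full, x_i, N)


def run_gdh2(exponents):
    """Run the GDH.2 flow for parties U1..Un holding the given secret exponents
    (each in 1..R-1).  Returns the key derived by each party, in order."""
    msg = ([], g)                       # U1 starts from g with nothing raised
    for x_i in exponents[:-1]:          # U1 .. U(n-1): the upflow chain
        msg = upflow_step(msg, x_i)
    partials, full = msg
    x_n = exponents[-1]
    key_n = pow(full, x_n, N)           # Un already holds g^(x_1 ... x_n)
    # Broadcast (slide 15, message 5 in the baseline form): for each Ui with
    # i < n, the value g^(product of all exponents except x_i).
    broadcast = [pow(p, x_n, N) for p in partials]
    keys = [pow(broadcast[i], x_i, N) for i, x_i in enumerate(exponents[:-1])]
    return keys + [key_n]


def random_exponent():
    """Secret exponent in 1..R-1; exponents only matter modulo R because g has order R."""
    return secrets.randbelow(R - 1) + 1


if __name__ == "__main__":
    xs = [random_exponent() for _ in range(4)]
    print("keys derived by U1..U4:", run_gdh2(xs))
```

Because g has order R, every party ends with g^(x_1·…·x_n mod R). Nothing in this exchange lets a party check who contributed which value; that is the gap the self-certified values and the password-derived inverses of the paper's n-PAKA protocol are meant to close.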

  16. Security analysis
  • Under the DLMC (discrete logarithm modulo a composite) assumption, the proposed PAKA protocols achieve:
    • known-key security
    • perfect forward secrecy
    • resistance to on-/off-line password guessing attacks
    • resistance to password-compromised impersonation attacks
    • resistance to unknown key-share attacks

  17. Conclusions
  • A 2-PAKA protocol based on the self-certified approach is proposed
  • An n-PAKA protocol, generalized from the 2-PAKA protocol, is proposed
  • The security of the proposed PAKA protocols rests on the intractability of the DLMC problem

  18. Thank You for Your Attention
