
Three-Party Encrypted Key Exchange Without Server Public-Keys


Presentation Transcript


  1. Three-Party Encrypted Key Exchange Without Server Public-Keys C. L. Lin, H. M. Sun, M. Steiner, and T. Hwang IEEE COMMUNICATIONS LETTER, VOL. 5, NO.12, DEC. 2001 Presented by Tung-Her Chen (2002/05/28)

  2. Outline • Introduction • Related Works • LSSH-3PEKE • Performance Comparison • Conclusions

  3. Introduction (1/5) • 1976 Diffie and Hellman: key distribution • public-key authentication issue • Man-in-the-middle attack • 1992 Bellovin and Merritt: Encrypted Key Exchange (EKE) • A and B securely share a password in advance • Every two clients share a common secret

  4. Introduction (2/5) • Password guessing attacks • Detectable on-line password guessing attacks • Undetectable on-line password guessing attacks • Off-line password guessing attacks

  5. Introduction (3/5) • 1995 Steiner, Tsudik, and Waidner: Three-party EKE (STW-3PEKE) • Trusted server S • Threatened by on-line password guessing attacks • Threatened by off-line password guessing attacks

  6. Introduction (4/5) • 2000 Lin, Sun, and Hwang: LSH-3PEKE • Uses a server public key • 2001 Lin, Sun, Steiner, and Hwang: LSSH-3PEKE • Without server public key

  7. Introduction (5/5) Timeline
     1992  EKE (IEEE Symp. on Research in Security and Privacy)
             every two users share a common secret
     1995  STW-3PEKE (ACM Operating Syst. Rev.)
             password guessing attack
     2000  LSH-3PEKE (ACM Operating Syst. Rev.)
             server’s public key
     2001  LSSH-3PEKE (IEEE Communications Letters)

  8. Related Work - Notations
     • A, B, S: the two clients and the trusted server; A*, B*, S*: attacker playing the role of A, B or S
     • PA, PB: passwords of A and B; KS: the server’s public key
     • [M]K, <M>PI, {M}K: M encrypted under the key K, under the password PI, and under the server’s public key respectively
     • fK(M): keyed one-way function of M under K; h(M): one-way hash; H1(k), H2(k): key-derivation hashes
     • p, g: a large prime and a generator
     • NA, NB, NS: random exponents of A, B and S; RA = g^NA mod p
     • flow i: the i-th protocol message

  9. Related Work - STW-3PEKE (1995)
     A → B : A, <RA⊕B>PA
     B → S : A, <RA⊕B>PA, <RB⊕A>PB
     S → B : RA^NS, RB^NS
     B → A : RB^NS, [flow1]K          B: K = (RA^NS)^NB mod p = g^(NA·NB·NS) mod p
     A → B : [[flow1]K]K              A: K = (RB^NS)^NA mod p = g^(NA·NB·NS) mod p

  10. Related Work (1995) - STW-3PEKE Weakness (1): Undetectable On-Line Guessing Attacks
     A → B : A, <RA⊕B>PA
     B guesses P’A, decrypts <RA⊕B>PA under P’A to obtain R’A, and sets RB = R’A
     B → S : A, <RA⊕B>PA, <R’A⊕A>PB
     S → B : RA^NS, R’A^NS
     B checks whether RA^NS = R’A^NS; if so, P’A = PA

  11. Related Work (2000) - STW-3PEKE Weakness (2): Off-Line Guessing Attack
     A* → B : A, X
     B → S* : A, X, <RB⊕A>PB
     S* picks R’A = g^N’A
     S* → B : R’A^N’S, Y                B: K = (R’A^N’S)^NB mod p = g^(N’A·NB·N’S) mod p
     B → A* : Y, [flow1]K
     A* off-line: guess P’B => R’B => K’ = (R’B^N’S)^N’A; decrypt [flow1]K with K’ and check whether flow1 = X

  12. Related Work (2000) - LSH-3PEKE
     A → B : A, {ra, RA, PA}KS
     B → S : A, {ra, RA, PA}KS, {rb, RB, PB}KS
     S → B : [B, RB]ra, [A, RA]rb
     B → A : [B, RB]ra, [h(flow1), CB]K    B: K = RA^NB mod p = g^(NA·NB) mod p
     A → B : CB                            A: K = RB^NA mod p = g^(NA·NB) mod p

  13. LSSH-3PEKE (2001)
     (1) A → S : A, B
     (2) S → A : <g^NS1>PA, <g^NS2>PB
         A: KA,S = (g^NS1)^NA mod p
     (3) A → B : A, RA, fKA,S(A, B, g^NS1), <g^NS2>PB
         B: KB,S = (g^NS2)^NB mod p
     (4) B → S : RA, fKA,S(A, B, g^NS1), RB, fKB,S(A, B, g^NS2)
     (5) S → B : fKB,S(A, B, RA, RB), fKA,S(A, B, RA, RB)
         B: K = H1(RA^NB mod p), K’ = H2(RA^NB mod p)
     (6) B → A : RB, fKA,S(A, B, RB, RA), fK’(A, B, RA)
         A: K = H1(RB^NA mod p), K’ = H2(RB^NA mod p)
     (7) A → B : fK’(A, B, RB)
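The seven flows of slide 13 run end to end, as an added Python example that is not part of the presentation or of the paper: fK is realised with HMAC-SHA256, <M>P as an XOR mask derived from the password, H1/H2 as domain-separated SHA-256, and the small group parameters are constructed for the example. Flow (6) forwards the fKA,S tag that S produced in flow (5), so both are keyed on the argument order (A, B, RA, RB) shown in flow (5); the optional A_pw argument lets A run with a wrong password to show that the server’s tag check after flow (4) detects the failed guess.

```python
import hashlib, hmac, secrets

# Constructed toy group for the example (a Mersenne prime and small base);
# the real protocol uses a properly chosen large prime-order group.
p = 2**127 - 1
g = 3

def pw_enc(pw: str, m: int) -> int:
    """<M>_P: password encryption, realised as XOR with SHA-256(P) (assumption; self-inverse)."""
    return m ^ int.from_bytes(hashlib.sha256(pw.encode()).digest()[:16], "big")

def f(key, *msg) -> bytes:
    """f_K(M): the slides' keyed function, realised with HMAC-SHA256 (assumption)."""
    kb = key if isinstance(key, bytes) else key.to_bytes(16, "big")
    return hmac.new(kb, "|".join(str(x) for x in msg).encode(), hashlib.sha256).digest()

def H(i: int, x: int) -> bytes:  # H1 / H2: independent derivations of K and K' from g^(NA*NB)
    return hashlib.sha256(bytes([i]) + x.to_bytes(16, "big")).digest()

def lssh_3peke(PA: str, PB: str, A_pw: str = None) -> dict:
    """Run flows (1)-(7). S holds PA and PB; A decrypts with A_pw (defaults to PA)."""
    A_pw = PA if A_pw is None else A_pw
    NA, NB, NS1, NS2 = (secrets.randbelow(p - 2) + 1 for _ in range(4))
    RA, RB = pow(g, NA, p), pow(g, NB, p)
    # (1) A -> S: A, B      (2) S -> A: <g^NS1>PA, <g^NS2>PB
    c1, c2 = pw_enc(PA, pow(g, NS1, p)), pw_enc(PB, pow(g, NS2, p))
    gNS1 = pw_enc(A_pw, c1)                      # A decrypts its half with its own password
    KAS_A = pow(gNS1, NA, p)                     # K_A,S = (g^NS1)^NA
    # (3) A -> B: A, RA, f_KA,S(A, B, g^NS1), <g^NS2>PB
    tagA = f(KAS_A, "A", "B", gNS1)
    gNS2 = pw_enc(PB, c2)                        # B decrypts the half S encrypted under PB
    KBS_B = pow(gNS2, NB, p)                     # K_B,S = (g^NS2)^NB
    # (4) B -> S: RA, f_KA,S(A, B, g^NS1), RB, f_KB,S(A, B, g^NS2)
    tagB = f(KBS_B, "A", "B", gNS2)
    # S recomputes K_A,S = RA^NS1, K_B,S = RB^NS2 and checks both tags: a wrong password guess fails here.
    KAS_S, KBS_S = pow(RA, NS1, p), pow(RB, NS2, p)
    ok_S = (hmac.compare_digest(tagA, f(KAS_S, "A", "B", pow(g, NS1, p)))
            and hmac.compare_digest(tagB, f(KBS_S, "A", "B", pow(g, NS2, p))))
    # (5) S -> B: f_KB,S(A, B, RA, RB), f_KA,S(A, B, RA, RB)
    authB, authA = f(KBS_S, "A", "B", RA, RB), f(KAS_S, "A", "B", RA, RB)
    ok_B = hmac.compare_digest(authB, f(KBS_B, "A", "B", RA, RB))
    K_B, Kp_B = H(1, pow(RA, NB, p)), H(2, pow(RA, NB, p))
    # (6) B -> A: RB, the f_KA,S tag forwarded from S, f_K'(A, B, RA)
    conf_B = f(Kp_B, "A", "B", RA)
    K_A, Kp_A = H(1, pow(RB, NA, p)), H(2, pow(RB, NA, p))
    ok_A = (hmac.compare_digest(authA, f(KAS_A, "A", "B", RA, RB))
            and hmac.compare_digest(conf_B, f(Kp_A, "A", "B", RA)))
    # (7) A -> B: f_K'(A, B, RB), B's check that A holds the same K'
    ok_B = ok_B and hmac.compare_digest(f(Kp_A, "A", "B", RB), f(Kp_B, "A", "B", RB))
    return {"server_ok": ok_S, "A_ok": ok_A, "B_ok": ok_B, "keys_match": K_A == K_B}
```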

  14. Performance analysis

  15. Conclusions • LSSH-3PEKE scheme • Neither on-line nor off-line guessing attacks work • Perfect forward secrecy • Without server public keys

  16. Comments • More complex; more insecurity. • Public-key techniques are unavoidable for password protocols that resist off-line guessing attacks (1999). • You can try it…
