Password Authenticated Key Exchange Based on RSA for Imbalanced Wireless Networks
Abstract
There have been many proposals in recent years for password-authenticated key exchange protocols. Many of these have been shown to be insecure, and the only ones that seemed likely to be proven secure (against active adversaries who may attempt to perform off-line dictionary attacks against the password) were based on the Diffie-Hellman problem. In fact, some protocols based on Diffie-Hellman have been recently proven secure in the random-oracle model. We examine how to design a provably-secure password-authenticated key exchange protocol based on RSA. We first look at the OKE and protected-OKE protocols (both RSA-based) and show that they are insecure. Then we show how to modify the OKE protocol to obtain a password-authenticated key exchange protocol that can be proven secure (in the random oracle model). The resulting protocol is very practical; in fact the basic protocol requires about the same amount of computation as the Diffie-Hellman-based protocols or the well-known ssh protocol.
Protocol steps (as extracted from the paper)
- Bob (B) Step 0: Send B to Alice.
- Alice (A) Step 1: Retrieve X from the password file for B. Choose m ∈_R {0, 1}^k, and send (A, m, (N, e)) to Bob.
- Bob (B) Step 2: If m ∉ {0, 1}^k, N ∉ [2 -2 , 2 ], e ∉ (2 , 2 +1 ], or e is not prime, then reject. Else: (1) set x = H(A|B|π); (2) choose µ ∈_R {0, 1}^k and a ∈_R Z*_N; (3) if p ∈ S_N then set q = a, else set q ≡ p·a^e mod N.
- Alice (A) Step 3: If µ ∉ {0, 1}^k or gcd(q, N) ≠ 1, then reject. Else: (1) compute p = H(N|e|m|µ|A|B|X); (2) if p ∈ S_N then reject, else (a) set a ≡ (q/p)^d mod N, (b) choose γ ∈ Z_ω, (c) set r = h(N|e|m|µ|A|B|q|a) and y = g^γ, (d) send (r, y) to Bob.
- Bob (B) Step 4: If p ∈ S_N or r ≠ h(N|e|m|µ|A|B|q|a), then reject. Else: (1) send t = h(N|e|m|µ|A|B|q|a|y^x) to Alice; (2) set K = h(N|e|m|µ|A|B|q|a), and accept.
- Alice (A) Step 5: If t ≠ h(N|e|m|µ|A|B|q|a|X^γ), then reject. Else set K = h(N|e|m|µ|A|B|q|a) and accept.
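As an added example (not code from the paper or this page), the following Python script runs the steps above in-process between an Alice that holds the RSA key and the password-file value X, and a Bob that holds the password. Everything it fixes beyond the listed steps is an assumption: 64-bit sizes for k and l, a toy safe-prime group (searched at import) with g = 4 for X = g^x, S_N taken to be the hash outputs that are not units mod N, and the protocol's hash functions H and h modelled as domain-separated SHA-256; the identities and passwords are constructed.

```python
# Toy in-process run of the five protocol steps listed above (added example, not the paper's
# code).  Assumed: parameter sizes, the DH group, the definition of S_N, SHA-256 for H and h.
import hashlib
import secrets
from math import gcd

K_BITS = 64  # nonce length k (toy size)
L_BITS = 64  # modulus parameter l: N in [2^(l-2), 2^l], e a prime in (2^l, 2^(l+1)]
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # Miller-Rabin bases, exact below 3.3e24

def is_prime(n):
    """Deterministic Miller-Rabin for the toy sizes used here."""
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1: break
        else:
            return False
    return True

def next_prime(n):
    """Smallest prime >= n."""
    while not is_prime(n):
        n += 1
    return n

def toy_safe_prime(bits):
    """First safe prime P = 2*omega + 1 with omega >= 2^(bits-2); g = 4 then has order omega."""
    omega = next_prime(1 << (bits - 2))
    while not is_prime(2 * omega + 1):
        omega = next_prime(omega + 1)
    return 2 * omega + 1, omega

P_DH, OMEGA = toy_safe_prime(64)  # constructed toy group for the password-file value X = g^x
G_DH = 4

def hsh(tag, *parts, mod=None):
    """Stand-in for the protocol's hash functions: SHA-256 under a domain tag (assumption)."""
    v = int.from_bytes(hashlib.sha256("|".join(map(str, (tag,) + parts)).encode()).digest(), "big")
    return v % mod if mod else v

def in_S_N(p, N):
    """Assumed 'bad set' S_N: hash outputs that are not units of Z_N^*."""
    return p == 0 or gcd(p, N) != 1

def rsa_keygen():
    """Alice's key: N from two ~2^31 primes; e the first prime above 2^64, so e > phi(N)."""
    p_ = next_prime(1 << 31)
    q_ = next_prime(p_ + 1)
    N, phi = p_ * q_, (p_ - 1) * (q_ - 1)
    e = next_prime((1 << L_BITS) + 1)
    return N, e, pow(e, -1, phi)

def password_file_entry(A, B, password):
    """x = H(A|B|pi) and X = g^x: Alice stores X; Bob recomputes x from the password."""
    x = hsh("H0", A, B, password, mod=OMEGA)
    return x, pow(G_DH, x, P_DH)

def run_protocol(N, e, d, A, B, X_stored, bob_password):
    """Steps 1-5 between Alice (server: d, X) and Bob (client: password).
    Returns (bob_accepts, alice_accepts, K_bob, K_alice)."""
    REJECT = (False, False, None, None)
    m = secrets.randbits(K_BITS)  # Step 1: Alice sends (A, m, (N, e))
    # Step 2: Bob rejects malformed (N, e); a prime e > N keeps a -> a^e a permutation of Z_N^*
    if not (1 << (L_BITS - 2) <= N <= 1 << L_BITS and (1 << L_BITS) < e <= 1 << (L_BITS + 1) and is_prime(e)):
        return REJECT
    x, X_bob = password_file_entry(A, B, bob_password)
    mu, a = secrets.randbits(K_BITS), secrets.randbelow(N - 2) + 2
    while gcd(a, N) != 1:
        a = secrets.randbelow(N - 2) + 2
    p_bob = hsh("H1", N, e, m, mu, A, B, X_bob, mod=N)
    q = a if in_S_N(p_bob, N) else p_bob * pow(a, e, N) % N  # a masked under password-derived p
    if gcd(q, N) != 1:  # Step 3: Alice unmasks a with d
        return REJECT
    p_alice = hsh("H1", N, e, m, mu, A, B, X_stored, mod=N)
    if in_S_N(p_alice, N):
        return REJECT
    a_alice = pow(q * pow(p_alice, -1, N) % N, d, N)
    gamma = secrets.randbelow(OMEGA - 1) + 1
    r, y = hsh("h1", N, e, m, mu, A, B, q, a_alice), pow(G_DH, gamma, P_DH)
    if in_S_N(p_bob, N) or r != hsh("h1", N, e, m, mu, A, B, q, a):  # Step 4: Bob checks r
        return REJECT
    t = hsh("h2", N, e, m, mu, A, B, q, a, pow(y, x, P_DH))  # y^x == X^gamma: proves Bob knows x
    K_bob = hsh("h3", N, e, m, mu, A, B, q, a)
    if t != hsh("h2", N, e, m, mu, A, B, q, a_alice, pow(X_stored, gamma, P_DH)):  # Step 5
        return True, False, K_bob, None
    return True, True, K_bob, hsh("h3", N, e, m, mu, A, B, q, a_alice)

def demo():
    """Correct password: both accept with equal keys; wrong password: Bob rejects at Step 4."""
    N, e, d = rsa_keygen()
    A, B = "alice-server", "bob-client"  # constructed identities
    X = password_file_entry(A, B, "correct horse")[1]
    return run_protocol(N, e, d, A, B, X, "correct horse"), run_protocol(N, e, d, A, B, X, "wrong guess")
```

The Step 2 checks on N and e are what make sending q = p·a^e safe: with e a prime larger than N, a ↦ a^e is a permutation of Z*_N, so every candidate password an attacker might substitute into p unmasks q to some equally valid a, and the transcript gives an offline guesser nothing to test against. The wrong-password run in demo() therefore fails only at Step 4, at the online check of r, which an attacker can trigger just once per connection.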