Security Analysis and Improvement of the Efficient Password-based Authentication Protocol Source： IEEE Communications Letters, Vol.9, No.1, pp.93-95, Jan 2005 Author: Taekyoung Kwon, Young-Ho Park, and Hee Jung Lee Speaker: Shing-Chin Pai

Outline Introduction EPA Protocol Server Compromise Attack on EPA EPA Protocol Improvement Conclusion

Introduction Password authenticated key exchange (PAKE) Memorable password Efficient password-based Authentication Protocol (EPA) Two generators Three message passes Server User Message 1 Message 2 Message 3

EPA Protocol (1/2) Alice, Bob : Two participators p, q : Two large primes f, g : Two generators, gq mod p = 1, f q mod p = 1 IA : Identity of Alice Π : Alice’s password h: One way hash fuction K: Session key Zq*: q of reduced set of residues Bob maintains〈V1 ,V2〉for Alice V1 = f v1 mod p, v1 = h1(IA , Π) V2 = gv2 mod p, v2 = h2(IA , Π)

EPA Protocol (2/2) Alice Bob 2.〈IA , X〉 X’ = (X/V1) = gx mod p V1 = f v1 mod p, v1 = h1(IA , Π) V2 = gv2 mod p, v2 = h2(IA , Π) Alice Bob Alice chooses a random number x Zq*, x≠-h2(IA ,Π) mod q 3. Bob chooses a random number y 2.〈IA , X〉 X’ = (X/V1) = gx mod p 1. X = gxV1 mod p Y = (X’V2)y mod p = g(x+v2)y mod p 4. 〈Y , h3(KB || X)〉 KB = (X’)y = gxy mod p HB= h3(KB || X) KA=KB KA = (Y)x(x+v2)-1 mod p = gxy mod p HA= h4(KA || X) 5. 〈h4(Y || KA)〉 Verifies HA ? Verifies HB ?

Server Compromise Attack on EPA – Basic Attack (1/2) V1 = f v1 mod p, v1 = h1(IA , Π) V2 = gv2 mod p, v2 = h2(IA , Π) Compromise Attack: Attacker Get <V1,V2> form Server. Eva Bob 3. Bob chooses a random number y 1. X = V2V1 mod p 2.〈IA , X〉 X’ = (X/V1) = V2 Y = (X’V2)y mod p = V22y mod p 4. 〈Y , h3(KB || X)〉 KB = (X’)y = (V2) y mod p HB= h3(KB || X) KA = (Y)1/2 mod p = (V2)y mod p HA=h4(Y || KA) 5. 〈h4(Y || KA)〉 Verifies HA ? Verifies HB ?

Server Compromise Attack on EPA – General Attack (2/2) V1 = f v1 mod p, v1 = h1(IA , Π) V2 = gv2 mod p, v2 = h2(IA , Π) Eva Bob Eva chooses a random number r Zq*, 3. Bob chooses a random number y 2.〈IA , X〉 1. X = V2rV1 mod p X’ = (X/V1) = V2r Y = (X’V2)y mod p = V2(r+1) y mod p 4. 〈Y , h3(KB || X)〉 KB = (X’)y = (V2) r y mod p HB= h3(KB || X) KA = (Y)r(r+1)-1 mod p = (V2)ry mod p HA=h4(Y || KA) 5. 〈h4(Y || KA)〉 Verifies HA ? Verifies HB ?

EPA Protocol Improvement(1/3) V1 = f v1 mod p, v1 = h1(IA , Π) V2 = gv2 mod p, v2 = h2(IA , Π) Alice Bob Alice chooses a random number x Zq*, x≠-h2(IA ,Π) mod q 3. Bob chooses a random number y 2.〈IA , X〉 X’ = (X/V1) = gx mod p 1. X = gxV1 mod p Y = (X’V2)y mod p = g(x+v2)y mod p 4. 〈Y , h3(KB || X)〉 KB = (X’g)y = g(x+1)y mod p HB= h3(KB || X) KA = (Y)(x+1)(x+v2)-1 mod p = g(x+1)y mod p HA= h4(Y || KA) 5. 〈h4(Y || KA)〉 Verifies HA ? Verifies HB ?

EPA Protocol Improvement(2/3) (Basic Attack on EPA) Eva Bob 3. Bob chooses a random number y 1. X = V2V1 mod p 2.〈IA , X〉 X’ = (X/V1) = V2 Y = (X’V2)y mod p = V22y mod p 4. 〈Y , h3(KB || X)〉 KB = (X’)y = (V2g) y mod p HB= h3(KB || X) KA = (Y)1/2 mod p = (V2)y mod p HA=h4(Y || KA) 5. 〈h4(Y || KA)〉 Verifies HA ? Verifies HB ?

EPA Protocol Improvement(3/3) (General Attack on EPA) V1 = f v1 mod p, v1 = h1(IA , Π) V2 = gv2 mod p, v2 = h2(IA , Π) Eva Bob Eva chooses a random number r Zq*, 3. Bob chooses a random number y 2.〈IA , X〉 1. X = V2rV1 mod p X’ = (X/V1) = V2r Y = (X’V2)y mod p = V2(r+1)y mod p KA = (Y)r(r+1)-1 mod p = (V2)ry mod p =gv2rymod p HA= h4(Y || KA) 4. 〈Y , h3(KB || X)〉 KB = (X’g)y = (V2rg)y mod p = gv2r y+gy mod p HB= h3(KB || X) 5. 〈h4(Y || KA)〉 Verifies HA ? Verifies HB ?

Conclusion Improve the Security of EPA.