1 Efficient and Secure Certificateless Authentication and Key Agreement Protocol for Hybrid P2P Network
Authors: Z. B. Xu and Z. W. Li
Source: The 2nd IEEE International Conference on Information Management and Engineering (ICIME), pp , 2010
Speaker: Shu-Fen Chiou (邱淑芬)
2 Introduction
Alice, Bob, Key Generation Center (KDC)
Certificate $C_A$, Certificate $C_B$
Mutual authentication with certificates
Certificateless Public Key Cryptography
3 CL-PKC (Certificateless Public Key Cryptography)
Based on ECC
Key Generation Center: Master-key: $s$; KGC public key: $P_0 = sP$
Alice: Partial private key $D_A = sQ_A$, where $Q_A = H_1(ID_A)$; Private key $S_A =$ ; Public key $P_A = x_A P$
Bob: Partial private key $D_B = sQ_B$, where $Q_B = H_1(ID_B)$; Private key $S_B =$ ; Public key $P_B = x_B P$
4 Hybrid P2P network
In the same domain
In different domains
5 Requirements
Certificateless
Implicit key authentication
Perfect forward secrecy
Known-key secrecy
Key-compromise impersonation
Unknown key-share resilience
Known session-specific temporary information security
No key control
6 Proposed scheme
In the same domain
7 Given $P_0 = sP$, $D_A = sQ_A$, $D_B = sQ_B$:
$K_1 = K_{A1} = e(Q_B, P_0)^a = e(Q_B, P)^{sa} = e(sQ_B, aP) = e(D_B, T_A) = K_{B1}$
$K_2 = K_{A2} = e(D_A, T_B) = e(sQ_A, bP) = e(Q_A, P)^{sb} = e(Q_A, P_0)^b = K_{B2}$
$K_3 = K_{A3} = x_A^{-2} M_B = x_A^{-2} x_B^{-1} P_A = x_A^{-1} x_B^{-1} P = (x_A^{-1} \cdot x_B P) \cdot x_B^{-1} x_B^{-1} = x_B^{-2} M_A = K_{B3}$
$K_4 = K_{A4} = aT_B = abP = bT_A = K_{B4}$
$K_5 = K_{A5} = aP_B = a x_B P = x_B T_A = K_{B5}$
$K_6 = K_{A6} = x_A T_B = x_A bP = bP_A = K_{B6}$
8 Proposed scheme
Across the domain
Alice: $P_1 = s_1 P$, $D_A = s_1 Q_A$, $Q_A = H_1(ID_A)$, $S_A =$ , $P_A = x_A P$, $T_A = aP$, $M_A = x_A^{-1} P_B$
Bob: $P_2 = s_2 P$, $D_B = s_2 Q_B$, $Q_B = H_1(ID_B)$, $S_B =$ , $P_B = x_B P$, $T_B = bP$, $M_B = x_B^{-1} P_A$
Alice sends $T_A, M_A$; Bob sends $T_B, M_B$.
Alice computes:
$K_{A1} = e(Q_B, P_2)^a = e(Q_B, P)^{s_2 a}$
$K_{A2} = e(D_A, T_B) = e(s_1 Q_A, bP) = e(Q_A, P)^{s_1 b}$
Bob computes:
$K_{B1} = e(D_B, T_A) = e(s_2 Q_B, aP) = e(Q_B, P)^{s_2 a}$
$K_{B2} = e(Q_A, P_1)^b = e(Q_A, P)^{s_1 b}$
Shared values:
$K_1' = K_{A1} = K_{B1} = e(Q_B, P)^{s_2 a}$
$K_2' = K_{A2} = K_{B2} = e(Q_A, P)^{s_1 b}$
$SK = K_{AB} = K_{BA} = H_2(K_1' \| K_2' \| K_3 \| K_4 \| K_5 \| K_6 \| T_A \| T_B)$
9 Analysis
Implicit key authentication: Eve impersonates Bob. Eve computes $T_E = eP$ and $M_E = x_E^{-1} P_A$, but Eve cannot compute $K_{A5}$ or $K_{B5}$ (DLP problem).
$K_{A5} = aP_B = a x_B P = x_B T_A = K_{B5}$
Perfect forward secrecy: Eve knows $S_A$, $S_B$, and $s$. But he needs to solve $abP$ (CDH problem).
Known-key secrecy: In each run, $a$ and $b$ are random and secret. Even if a session has been compromised, Eve cannot compute the past or future session keys.
10 Analysis
Key-compromise impersonation: Eve replaces Bob's public key with $P_B = x_E P$; Eve cannot compute $K_{A1}$ or $K_{B1}$. Eve knows $s$, but he cannot generate $K_{A5}$ or $K_{B5}$.
Unknown key-share resilience: Because the identity information is included, Eve cannot get Alice to share a session key with him while Alice thinks that Eve is Bob.
Known session-specific temporary information security: Eve gets the ephemeral keys of Alice and Bob, but he cannot compute the partial session key $K_3$.
$K_{A3} = x_A^{-2} M_B = x_A^{-2} x_B^{-1} P_A = x_A^{-1} x_B^{-1} P = (x_A^{-1} \cdot x_B P) \cdot x_B^{-1} x_B^{-1} = x_B^{-2} M_A = K_{B3}$
No key control: Because a randomly selected ephemeral key is used in generating the common session key, neither peer can decide the final key.
11 Comment
Reduce the keys ($K_1$-$K_6$) with session key.
$SK = K_{AB} = K_{BA} = H_2(K_1 \| K_2 \| K_3 \| K_4 \| K_5 \| K_6 \| T_A \| T_B)$
$SK = K_{AB} = K_{BA} = H_2(K_1 \| K_2 \| T_A \| T_B)$
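The cross-domain exchange from slide 8, as an added example that is not from the paper or the slides: both peers run in a deliberately insecure toy pairing group (points stored as scalars mod $q$, an assumption made so the algebra runs without a pairing library; all function names are hypothetical). It also recomputes $K_1'$ and $K_2'$ from the two master keys and the public $T_A$, $T_B$, which is the case the forward-secrecy slide considers.

```python
import hashlib
import secrets

# Toy bilinear group built for this example; NOT secure. A point uP is stored as
# the scalar u mod q (so P = 1) and the pairing is e(uP, vP) = g^(u*v) mod p.
q, p, g, P = 1019, 2039, 4, 1          # p = 2q + 1; g has order q in Z_p^*

def e(U, V):
    return pow(g, U * V % q, p)

def H1(ident):                          # identity -> nonzero stand-in for Q_ID
    return int.from_bytes(hashlib.sha256(ident.encode()).digest(), "big") % (q - 1) + 1

def H2(*parts):                         # SK = H2(K1'||K2'||K3||K4||K5||K6||TA||TB)
    return hashlib.sha256("||".join(map(str, parts)).encode()).hexdigest()

def rnd():                              # nonzero scalar, so inverses mod q exist
    return secrets.randbelow(q - 1) + 1

def inv(x):
    return pow(x, -1, q)

def alice_keys(a, xA, DA, QB, P2, PB, TB, MB):
    return (pow(e(QB, P2), a, p), e(DA, TB), inv(xA) ** 2 * MB % q,
            a * TB % q, a * PB % q, xA * TB % q)

def bob_keys(b, xB, DB, QA, P1, PA, TA, MA):
    return (e(DB, TA), pow(e(QA, P1), b, p), inv(xB) ** 2 * MA % q,
            b * TA % q, xB * TA % q, b * PA % q)

def kgc_view(s1, s2, QA, QB, TA, TB):
    # What the two master keys plus the public T_A, T_B yield: K1' and K2' only.
    return (e(s2 * QB % q, TA), e(s1 * QA % q, TB))

def run_session(id_a="alice@domain1", id_b="bob@domain2"):   # constructed identities
    s1, s2 = rnd(), rnd()               # master keys of KGC 1 and KGC 2
    P1, P2 = s1 * P % q, s2 * P % q
    QA, QB = H1(id_a), H1(id_b)
    DA, DB = s1 * QA % q, s2 * QB % q   # partial private keys
    xA, xB, a, b = rnd(), rnd(), rnd(), rnd()
    PA, PB = xA * P % q, xB * P % q
    TA, MA = a * P % q, inv(xA) * PB % q    # Alice -> Bob
    TB, MB = b * P % q, inv(xB) * PA % q    # Bob -> Alice
    KA = alice_keys(a, xA, DA, QB, P2, PB, TB, MB)
    KB = bob_keys(b, xB, DB, QA, P1, PA, TA, MA)
    return {"KA": KA, "KB": KB, "SK_A": H2(*KA, TA, TB), "SK_B": H2(*KB, TA, TB),
            "kgc": kgc_view(s1, s2, QA, QB, TA, TB)}
```

Since `kgc_view` reproduces $K_1'$ and $K_2'$, a key derived as $H_2(K_1 \| K_2 \| T_A \| T_B)$ is computable by whoever holds the master keys; the analysis slides rely on $K_3$, $K_4$ and $K_5$ for the properties they list.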
12 Computational Problems
Discrete Logarithm problem (DLP): Given, find an element $a$, such that $g^a = q$
EC Discrete Logarithm problem: Given, find an element $a$, such that $aP = Q$
Computational Diffie-Hellman (CDH) problem: Given, compute $abP$
Bilinear Diffie-Hellman (BDH) problem: Given, compute $\hat{e}(P, P)^{abc}$
DLP > CDHP > BDHP
example: $\hat{e}(abP, cP) = \hat{e}(P, cP)^{ab} = \hat{e}(P, P)^{abc}$