An Improvement on Authenticated Key Agreement Scheme Authors: Chin-Chen Chang and Shih-Yi Lin Source: 2007 International Conference on Intelligent Pervasive Computing, Oct. 2007, pp Presenter: Jung-wen Lo ( 駱榮問 )

2 Outline Introduction Notation Lee-Lee ’ s Scheme Weakness of Lee-Lee ’ s scheme Proposed scheme Conclusions & Comment  Improved Lee-Lee ’ s Scheme1  Improved Lee-Lee ’ s Scheme2  Improved Chang-Lin ’ s scheme

3 Introduction Key agreement types  Based on public key techniques Heavy computational overhead  Based on passwords Popular approach Simplicity & convenience Diffie-Hellman key agreement  Vulnerable to man-in-the-middle attack Narn-Yih Lee and Ming-Feng Lee, “ Further improvement on the modified authenticated key agreement scheme, ” Applied Mathematics and Computation, Vol. 157, pp. 729 – 733, Keon-Jik Lee and Byeong-Jik Lee, “ Cryptanalysis of the modified authenticated key agreement scheme, ” Applied Mathematics and Computation, Vol. 170, pp. 280 – 284, 2005.

4 Notation

5 Lee-Lee ’ s Scheme Alice (Q) Bob (Q) Random a X a =g aQ mod p K a =1 => abandon Random b Y b =g bQ mod p h(ID a,X a,K b ) ?= h(ID a,X a,K a ) XaXa YbYb h(ID a,X a,K a ) Key Establishment Phase Key Validation Phase h(ID b,Y b,K b ) h(ID b,Y b,K a ) ?= h(ID b,Y b,K b )

6 Weakness of Lee-Lee ’ s scheme Eve: Chose one pw’  Q’ Alice (Q) Bob (Q) Random a X a =g aQ mod p Random b Y b =g bQ mod p XaXa Y’ b =g mod p Key Establishment Phase Eve X’ a =g mod P YbYb K’ a =1 => abandon h(ID a,X a,K’ a ) Key Validation Phase

7 Proposed scheme Alice (A)Bob (B) Random a M 1 =(g a mod p)  h(ID a,Q,t a ) Check t a g a =M 1  h(ID a,Q,t a ) Random b,r K b =(g a ) b mod p M 2 =(g b mod p)  h(ID b,Q,t b ) M 3 =E[M 2,r] Kb M 1,t a M 2,M 3,t b M4M4 Check t b g b =M 2  h(ID b,Q,t b ) K a =(g b ) a mod p (M 2,r)=D[M 3 ] ka M 4 =E[r] ka r=D[M 4 ] kb

8 Conclusions & Comment Conclusions  Authenticated key agreement  Resistance to replay attack and off-line password attack  Perfect forward secrecy Comments  Improved Lee-Lee’s scheme  Improved Chang-Lin’s scheme Reduce the computation load

9 Improved Lee-Lee ’ s Scheme1 Alice (Q) Bob (Q) Random a X a =g aQ mod p K a =1 or g a/Q => abandon Random b Y b =g bQ mod p h(ID a,X a,K b ) ?= h(ID a,X a,K a ) XaXa YbYb h(ID a,X a,K a ) Key Establishment Phase Key Validation Phase h(ID b,Y b,K b ) h(ID b,Y b,K a ) ?= h(ID b,Y b,K b )

10 Improved Lee-Lee ’ s Scheme2 Alice (Q) Bob (Q) Random a X a =g a mod p K a =1 => abandon Random b Y b =g b mod p h(ID a ||Q||K b ) ?= h(Id a ||Q||K a ) X a  h(Q) Y b  h(Q) h(ID a ||Q||K a ) Key Establishment Phase Key Validation Phase h(ID b ||Q||K b ) h(ID b ||Q||K a ) ?= h(ID b ||Q || K b ) K a =(Y b ) a mod p =g ab mod p K b =(X a ) b mod p =g ab mod p

11 Improved Chang-Lin ’ s scheme Alice (A)Bob (B) Random a M 1 =(g a mod p)  h(ID a,Q,t a ) Check t a g a =M 1  h(ID a,Q,t a ) Random b,r K b =(g a ) b mod p M 2 =(g b mod p)  h(ID b,Q,t b ) M 3 =r  K b M 1,t a M 2,M 3,t b M4M4 Check t b g b =M 2  h(ID b,Q,t b ) K a =(g b ) a mod p r=M 3  k a M 4 =h(Q,r,k a ) M 4 ?=h(Q,r,k b ) Chang-Lin: E[.]+D[.] in A,B Ours:  +h(.) in A,B

12 Diffie-Hellman Key Agreement Protocol Alice Bob Random a X A =g a mod p K=(Y B ) a mod p =g ab mod p Random b Y B =g b mod p K=(X A ) b mod p =g ab mod p A XAXA YBYB