Mutual Authentication and Key Exchange Protocol (MAKEP) Reporter: Jung-Wen Lo ( 駱榮問 ) Date: 2008/4/18

2 Outline Introduction ES-MAKEP: Efficient & Secure MAKEP Fuw-Yi Yang and Jinn-Ke Jan (2004) ES-MAKEP-Forward Secret Attack F-MAKEP He Yijun, Xu Nan and Li Jie (2007) Comment

3 Introduction MAKEP: Mutual authentication and key exchange protocol L-MAKEP: Linear MAKEP Author: D. S. Wong and A. H. Chan Title: Mutual authentication and key exchange for low power wireless communications Src: Military Communications Conference, MILCOM Communications for Network-Centric Operations: Creating the Information Force, IEEE, Vol. 1, 2001, pp IL-MAKEP: Improved L-MAKEP Author: K. Shim Title: Cryptanalysis of mutual authentication and key exchange for low-power wireless communications Src: IEEE Communications Letters, Vol. 7, No. 5, pp , I-MAKEP Authors: Jinn-Ke Jan and Yi-Hwa Chen Title: A new efficient MAKEP for wireless communications Src: In Proceedings of the 18 th International Conference on Advanced Information Networking and Application (AINA’04), IEEE, Volume 2, pp , 2004 ES-MAKEP: Efficient & Secure MAKEP Authors: Fuw-Yi Yang and Jinn-Ke Jan Title: A Secure and Efficient Key Exchange Protocol for Mobile Communications Src: Cryptology ePrint Archive 2004/167, July 2004, F-MAKEP: Perfect forward secrecy Improved ES-MAKEP

A Secure and Efficient Key Exchange Protocol for Mobile Communications Authors: Fuw-Yi Yang and Jinn-Ke Jan Src: Cryptology ePrint Archive 2004/167, July 2004,

5 Notation ε pk (): an asymmetric encryption function δ SK (): an asymmetric decryption function E K () : a symmetric encryption function D K (): a symmetric decryption function SK S : a private key of server S PK S : a public key of server S ID U : the identification of a client entity U ID S : the identification of a server S p, q: a private key pair of U g,n: a public key pair of U x || y: string x concatenates string y |n|: bit length of n r UK, r UF, r UR :three random numbers selected by U r SK : a random number selected by S r ∈ R G : r is a random number selected from the set G l: the length of session keys

6 ES-MAKEP User U Server S r UK,r UR,r UF C1 r UK =ε PK S (r UK ) CMT=g r UF ||r UF mod n M1={C1 r UK,CMT,ID U } r UK = δ SK S (C1 r UK ) Random r sk σ SU =r SK  r UK C2 r UK =E σ SU (r UK ) M2={r SK,C2 r UK } σ US =r UK  r SK r’ UK =D σ US (C2 r UK ) =D σ US (E σ SU (r UK )) r’ UK ?= r UK S F =h(r UK,r SK,ID U,ID S ) C3=E σ SU (ID U ) S R =2 |n| (r UF -S F )+r UR mod λ(n) ※ n=pq ;λ(n)=lcm(p-1, q-1) M3={C3,S R } S F =h(r UK,r SK,ID U,ID S ) CMT’=g S F ||S R mod n CMT’?=CMT (PK S,SK S )

A Secure Key Exchange and Mutual Authentication Protocol for Wireless Mobile Communications Authors: He Yijun, Xu Nan and Li Jie Src: The Second International Conference on Availability, Reliability and Security, ARES 2007, April 2007 pp. 558 – 563

8 ES-MAKEP -Forward Secret Attack User U Server S r UK,r UR,r UF C1 r UK =ε PK S (r UK ) CMT=g r UF ||r UF mod n M1={C1 r UK,CMT,ID U } r UK = δ SK S (C1 r UK ) Random r sk σ SU =r SK  r UK C2 r UK =E σ SU (r UK ) M2={r SK,C2 r UK } σ US =r UK  r SK r’ UK =D σ US (C2 r UK ) =D σ US (E σ SU (r UK )) r’ UK ?= r UK S F =h(r UK,r SK,ID U,ID S ) C3=E σ SU (ID U ) S R =2 |n| (r UF -S F )+r UR mod λ(n) M3={C3,S R } S F =h(r UK,r SK,ID U,ID S ) CMT’=g S F ||S R mod n CMT’?=CMT Attacker Conceal SK S (PK S,SK S )

9 F-MAKEP User U Server S r UK,r UR,r UF C1 r UK =ε PK S (g r UK ) CMT=g r UF ||r UF mod n M1={C1 r UK,CMT,ID U } r UK = δ SK S (C1 r UK ) Random r sk σ SU =g r SK  r UK C2 r UK =E σ SU (r UK ) M2={r SK,C2 r UK } σ SU =g r SK  r UK r’ UK =D σ US (C2 r UK ) =D σ US (E σ SU (r UK )) r’ UK ?= r UK S F =h(r UK,r SK,ID U,ID S ) C3=E σ SU (ID U ) S R =2 |n| (r UF -S F )+r UR mod λ(n) ※ n=pq ;λ(n)=lcm(p-1, q-1) M3={C3,S R } S F =h(r UK,r SK,ID U,ID S ) CMT’=g S F ||S R mod n CMT’?=CMT (PK S,SK S )

10 Comment Conceal secret key is difficult ES-MAKEP & F-MAKEP: PKI system => Inefficient => Not suitable for wireless devices

11 DoS-Resistance Protocol Y ⊕ H(pw j ),σ ⊕ H(pw i ) Server A (pw1,pw2) Client B (pw1,pw2) 3. r A Y= r A ⊕ r B σ=H(r A,r B,ID A,ID B ) 2. Try pw i 5. H(σ’) ID A,ID B,X, H(ID A,ID B,X) 1. r B X=pw i ⊕ r B 4. r’ A =Y ⊕ r B σ’=H(r’ A,r B,ID A,ID B ) H(σ’) ?= H(σ) 4. H(σ’) ?= H(σ)

12 PK-based MAKEP

13 Server-specific MAKEP

14 Linear MAKEP

15 Unknown key-share attack on L- MAKEP(?) y’=cy σ’ =r A  y’ E σ’ (x)

16 IL-MAKEP E σ (x,ID A,ID B )

A new efficient MAKEP for wireless communications Authors: Jinn-Ke Jan and Yi-Hwa Chen Src: In Proceedings of the 18th International Conference on Advanced Information Networking and Application (AINA’04), IEEE, Volume 2, pp , 2004

18 I-MAKEP User U Server S ID,Y v = y e +ID mod N Random r s u,t,s Random w,k u=g w mod N t=E PK S (k) s=w+x  H(rs||t||u) σ=k  s H(k’) Register Phase x v=g -x mod N ID,v y=(v-ID) d mod N Session Key Generation Phase rsrs g s  v H(r s ||t||u) ?≡u mod N k’=D(t) σ=k’  s H(k’)?=H(k)

19 ES-MAKEP Performance- Client’s Computations

20 Remark for Table 1

21 ES-MAKEP Performance- Server’s Computations

22 Remark for Table 2

23 ES-MAKEP Performance- Message Sizes

24 WTLS The security of WAP Operate over the transport layer Provide privacy, data integrity & authentication Two layer protocol Lower layer: Record protocol encrypt/decrypts data Upper layer protocol (4 sub-protocols) 1. Handshake Protocol  Establish/resume the secure connection between WAP client and WAP gateway. 2. Alert Protocol  Send urgent data or signals. 3. Change Cipher Protocol  Exchange keys on the fly to guarantee the security dynamically. 4. Application Protocol  Send data from application to Record Protocol and deliver the received data from Record Protocol to applications.

25 WTLS Handshake Notation V: version of WTLS SID: session ID SecNeg E : key exchange suit, cipher suit, key fresh, etc of entity E K P : pre_master_secret K m : master_secret h: one-way hush function f: a function to compute master_secret with KP Cert E : Certificate of E X E : private key of E P E : public key of E

26 WTLS based on F-MAKEP