Public-key based
Public-key Techniques based Protocols
– may use either weak or strong passwords
– high computation complexity (slow)
– high deployment cost
– security degree is higher than password-based
The security assumptions of most signature schemes are based on well-known computational problems, such as the discrete logarithm problem and the factoring problem.
Authenticated key agreement without using one-way hash function (cont.)
The MQV key agreement protocol has been adopted by the IEEE P1363 Committee to become a standard. The MQV protocol uses a digital signature to sign the Diffie-Hellman public keys without using any one-way function. Here, the MQV protocol is generalized in three respects:
– First, signature variants for Diffie-Hellman public keys developed previously are employed in the new protocol.
– Secondly, two communicating entities are allowed to establish multiple secret keys in a single round of message exchange.
– Thirdly, the key computations are simplified.
This paper is the improved version of MQV.
Protocol
Assume A and B want to share multiple secret keys in one round of message exchange. For simplicity, we assume that A and B want to share four secrets.
A: generates short-term secret keys k_A1, k_A2 and public keys r_A1, r_A2, and computes the signature S_A.
B: generates short-term secret keys k_B1, k_B2 and public keys r_B1, r_B2, and computes the signature S_B.

A -> B: {r_A1, r_A2, S_A, Certif(y_A)}
B -> A: {r_B1, r_B2, S_B, Certif(y_B)}

A checks y_B =? r_B1^{r_B1} * r_B2^{r_B2} * a^{S_B} mod p, and computes
  K_1 = r_B1^{k_A1} mod p,  K_2 = r_B1^{k_A2} mod p,
  K_3 = r_B2^{k_A1} mod p,  K_4 = r_B2^{k_A2} mod p.
B computes the verification value from a, r_A1 and r_A2 mod p, verifies {r_A1, r_A2}, and computes
  K_1 = r_A1^{k_B1} mod p,  K_2 = r_A2^{k_B1} mod p,
  K_3 = r_A1^{k_B2} mod p,  K_4 = r_A2^{k_B2} mod p.

Finally, A and B share the four secret keys K_1 ~ K_4. Certif(y_A) is the public-key certificate of y_A signed by a trusted party. A computes the signature S_A for {r_A1, r_A2} based on any signature variant listed in Table 1; B does likewise. a is a primitive element of GF(p).
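The one-round, four-key exchange above, as an added example that is not part of the slides. The signing rule is read off the slide's verification equation y = r_1^{r_1} * r_2^{r_2} * a^{S} mod p, giving S = x - k_1 r_1 - k_2 r_2 mod (p-1) for a long-term key y = a^x; that reading, the toy prime and the base a = 3 are assumptions, and the certificate step is omitted.

```python
# Added example (not from the slides): toy instance of the one-round
# multi-key agreement. Signing rule assumed from the slide's check
#   y == r1^r1 * r2^r2 * a^S (mod p), so S = x - k1*r1 - k2*r2 (mod p-1).
import secrets

P = 2**127 - 1   # toy prime (constructed); real use needs a larger, properly chosen p
A = 3            # base a (assumed primitive element; the check only needs a^(p-1) = 1 mod p)
Q = P - 1        # exponents are reduced mod p-1

def keygen():
    """Long-term key pair: private x, public y = a^x mod p."""
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(A, x, P)

def ephemeral():
    """Two short-term secrets (k1, k2) and their publics (r1, r2) = (a^k1, a^k2)."""
    k1, k2 = (secrets.randbelow(Q - 2) + 2 for _ in range(2))
    return (k1, k2), (pow(A, k1, P), pow(A, k2, P))

def sign(x, ks, rs):
    """Signature S on {r1, r2} satisfying the slide's verification equation."""
    (k1, k2), (r1, r2) = ks, rs
    return (x - k1 * r1 - k2 * r2) % Q

def verify(y, rs, s):
    """y ?= r1^r1 * r2^r2 * a^S mod p  (the check A performs on B's values)."""
    r1, r2 = rs
    return y == pow(r1, r1, P) * pow(r2, r2, P) * pow(A, s, P) % P

def derive_keys(my_ks, peer_rs, initiator):
    """Four shared keys from own secrets and the peer's ephemeral publics."""
    (k1, k2), (r1, r2) = my_ks, peer_rs
    if initiator:  # A: K1=rB1^kA1, K2=rB1^kA2, K3=rB2^kA1, K4=rB2^kA2
        return [pow(r1, k1, P), pow(r1, k2, P), pow(r2, k1, P), pow(r2, k2, P)]
    # B: K1=rA1^kB1, K2=rA2^kB1, K3=rA1^kB2, K4=rA2^kB2 (pairs up with A's order)
    return [pow(r1, k1, P), pow(r2, k1, P), pow(r1, k2, P), pow(r2, k2, P)]

def run_protocol():
    """One round: each side signs its ephemerals; keys are derived only if both checks pass."""
    xa, ya = keygen(); xb, yb = keygen()
    ka, ra = ephemeral(); sa = sign(xa, ka, ra)
    kb, rb = ephemeral(); sb = sign(xb, kb, rb)
    if not (verify(ya, ra, sa) and verify(yb, rb, sb)):
        return None   # reject the exchange, never fall back to unauthenticated keys
    return derive_keys(ka, rb, True), derive_keys(kb, ra, False)
```

An altered ephemeral public (e.g. a modified r_B1) no longer satisfies the check, so the keys are never derived from it.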
Fully-fledged two-way public key authentication and key agreement for low-cost terminals
The server is assigned the unique identity j by the CA. The server picks a Rabin secret key (p_j, q_j) and gives the corresponding public key N_j = p_j * q_j to the CA. √ denotes the modular square root operation (used to sign a message).
A terminal is assigned a unique identity i, the network public keys, and the signature system parameters. It then chooses a random secret key S_i and generates the associated ElGamal public key P_i. The CA provides the terminal with a certificate c_i.
The terminal chooses a random secret r and performs the precomputations.

– The server sends its identity, public key, and certificate to the terminal. The terminal verifies the certificate by squaring it modulo the CA's public key and comparing the result with a hash of the concatenation of the server's identity and public key.
– The terminal picks a random number x, regarded as the concatenation of random portions x_L and x_R combined with some expected 'colour' (say, k low-order zero bits, denoted 0^k), and encrypts x using the server's public key.
– The server sends a random challenge containing some expected 'colour'. The terminal verifies that the expected colour is present after conventional decryption (it also verifies the session key).
– The terminal sends its identity, public key, and certificate, along with an ElGamal signature on the random challenge. The server verifies the certificate and the signature.