Cross-Realm Password-Based Server Aided Key Exchange Source: WISA 2010, LNCS 6513, pp. 322–336, 2011(0) Author: Kazuki Yoneyama Presenter: Li-Tzu Chang
Outline Introduction New Model: Cross-Realm PSAKE Security Proposed Scheme Conclusion
Introduction YB scheme Secure Cross-Realm C2C-PAKE Protocol, 2006,(27) WZ scheme A New Security Model for Cross-Realm C2C-PAKE Protocol, 2007,(1)
Outline Introduction New Model: Cross-Realm PSAKE Security Proposed Scheme Conclusion
New Model Execute( ) : This query models passive attacks. The output of this query consists of messages that were exchanged during the honest execution of the protocol among.
New Model SendClient(U l,m) : This query models active attacks against a client. The output of this query consists of the message that the client instance U l would generate on receipt of message m.
New Model SendServer(S l,m) : This query models active attacks against servers. The output of this query consists of the message that the server instance S l would generate on receipt of message m.
New Model SessionReveal(U l ) : This query models the misuse of session keys. The output of this query consists of the session key held by the client instance U l if the session is completed for U l. Otherwise, return ⊥.
New Model StaticReveal(P) : This query models leakage of the static secret of P (i.e., the password between the client and the corresponding server, or the private information for the server). The output of this query consists of the static secret of P.
New Model EphemeralReveal(P l ) : This query models leakage of all session-specific information (ephemeral key) used by P l. The output of this query consists of the ephemeral key of the instance P l.
New Model EstablishParty(U l, pw U ) : This query models the adversary to register a static secret pw U on behalf of a client. In this way the adversary totally controls that client. Clients against whom the adversary did not issue this query are called honest.
New Model Test(U l ) : This query does not model the adversarial ability, but in distinguishability of the session key. At the beginning a hidden bit b is chosen. If no session key for the client instance U l is defined, then return the undefined symbol ⊥. Otherwise, if b = 1, return the session key for the client instance U l if b = 0, a random key from the same space.
New Model TestPassword(U, pw) : This query does not model the adversarial ability, but no leakage of the password. If the guessed password pw is just the same as the client U’s password pw, then return 1. Otherwise, return 0. Note that, the adversary can only one TestPassword query at any time during the experiment.
Outline Introduction New Model: Cross-Realm PSAKE Security Proposed Scheme Conclusion
Proposed Scheme p, q : the large primes such that p = 2q + 1 A,B ∈ U : the identities of two clients in two different realms SA,SB ∈ S: the identities of their corresponding servers respectively.
Proposed Scheme Gen(1 k ) : key generation algorithm Enc pk (m; ω) : encryption algorithm of a message m using a public key pk and randomness ω Dec sk (c) : decryption algorithm of a cipher-text c using a private key sk.
Proposed Scheme Public information : G, g, p,H 1,H 2 Long-term secret of clients : pw A for A and pw B for B Long-term secret of servers : (pw A, sk SA ) for SA and (pw B, sk SB ) for SB
Proposed Scheme
Outline Introduction New Model: Cross-Realm PSAKE Security Proposed Scheme Conclusion
setting# of rounds for clients UDonDALEP of servers KCIChannel between servers YBpassword-only2insecure secure channel WZpassword-only2+Psecureinsecure secure channel [19] password and public-key crypto 7secureinsecuresecurenone [20] password and smart cards 4secureinsecuresecurenone Ours password and public-key crypto 2secure Authentic ated channel Where P denote the number of moves of a secure 2-party PAKE. UDonDA: undetectable on-line dictionary attacks LEP: leakage of ephemeral private keys of servers KCI: key-compromise impersonation