Password-only Authenticated Key Agreement Protocols Based on Self-certified Approach Tzong-Chen Wu and Yen-Ching Lin Department of Information Management National Taiwan University of Science and Technology, Taiwan

Outline  Introduction  Security attributes  The proposed PAKA protocols System model The proposed 2-PAKA protocol The proposed n-PAKA protocol  Conclusions

Introduction  Authenticated key agreement (AKA) protocols Allow communication parties to mutually authenticate with each other and share an authenticated session key Establish a secure channel for subsequent communications  Previous works for AKA protocols (based on Decision Diffie- Hellman problem): 2-AKA:Diffie, van Oorschost, Wiener (1992) Blake-Wilson, Menezes (1998) n-AKA:Just and Vaudenay (1996) Steiner, Tsudik, Waidner (1997) Ateniese, Steiner, Tsudik (1998, 2000) Bresson, Chevassut, Pointcheval (2001, 2002)

Introduction (cont.)  Use of passwords for authentication Advantages: ease of use, ease of implementation, and low cost Disadvantages: on-/off-line guessing attacks  Password-only authenticated key agreement ( PAKA) protocols Achieve the security attributes of AKA Only use easy-to-remember passwords, even for weak passwords (i.e., against on-/off-line guessing attacks)

Introduction (cont.)  Previous works for 2-PAKA protocols (based on Decision Diffie-Hellman problem) Bellovin and Merritt (1992, 1993) Jablon (1996) Lee, Shohn, Yang, Won (1999) Boyko, Mackenzie, Patae (200) Bellare, Pointcheval, Rogaway, (2000) Lin, Sun, Hwang (2000), Lin, Sun, Steiner, Hwang (2001) Mackenzie, Patel, Swaminathan (2000) ……  Previous works for n-PAKA protocols ???

Contributions of this paper  Propose a 2-PAKA protocol based on self-certified approach Communicating parties only use passwords, no more other secret parameters (e.g., long-term private keys) or trusted servers (adopted by three-party PAKA protocols) are required during the key agreement phase Messages sent between the communication parties are self-certified, and hence, no public key certificates are required while applying public key systems Achieve the security attributes of AKA Against on-/off-line guessing attacks  Generalize 2-PAKA to n-PAKA (based on CLIQUES proposed by Steiner, Tsudik, and Waidner, 1997)

Security attributes  Know-key security An attacker cannot derive any established session keys from any compromised session key  Perfect forward secrecy An attacker cannot derive any previously established session keys from a compromised password  On-/off-line guessing attacks An attacker cannot find out the parties’ passwords from the intercepted messages by exhaustive search

Security attributes (cont.)  Password-compromised impersonation attacks Suppose that the password PW i for party U i is compromised. However, it may be desirable in some circumstances that an attacker cannot impersonate the other parties U j to U i using the compromised PW i  Unknown key-share attacks An attacker intercepted U i ’s message and then replayed to U j. For the success of such attacks, U i ends up believing he shares a session key with U j, and although this is in fact the case, U j mistakenly believes the key is instead shared with some party U a ≠ U i

System model … 3. PAKA protocol 1.Register with password 2.SA returns a self-certified public value Party U 1 System Authority (SA) Party U 2 Party U n 3. PAKA protocol

System setup phase N: a composite of P and Q, where P and Q are two large primes R: a prime that can withstand exhaustive search attack g: a generator g modulo N with the order R f : a one-way function, where 0 < f(x) < R for any x At the end of this phase, SA publishes N and f, while keeping P, Q and R secret.

User registration phase UiUi SA 1.1 compute f(ID i, PW i ) -1, f(ID i ) -1 f(ID i, PW i ) ‧ f(ID i, PW i ) -1 = 1 modR f(ID i ) ‧ f(ID i ) -1 = 1 mod R 1.2 randomly choose an integer 1.3 compute 2.{c i, w i } 3.1 compute Pre_shared {ID i, PW i } 3.2 verify

Proposed 2-PAKA protocol U i U j 1.1 randomly choose two integers x i, t i 1.2 compute 2. {ID i, w i, y i, r i, s i } 3.1 verify 3.2 compute y j, r j and s j as that in Step compute 4. {ID j, w j, y j, r j, s j, m j } 5.1 verify y j, r j and s j as that in Step verify 5.2 compute 5.3 verify 5.4 compute 6. {ID i, m i }

Proposed n-PAKA protocol  The proposed n-PAKA protocol is somewhat like the CLIQUES (Steiner, Tsudik, Waidner, 1997)  Suppose that the registered parties U 1, U 2, …, U n want to perform the n-PAKA protocol. U 1 is the originator, and the communication priority is in the sequence of U 1, U 2, …, U n

Proposed n-PAKA protocol (cont.) UiUi U i+1 2. {ID i, Xi, wi, y i, r i, s i } 1.compute 3 verify

Proposed n-PAKA protocol (cont.) U n U i 5. broadcast { ID n, X n, w n, r n, s n, m n } 4.1compute X n, y n, r n and s n, as that in step 1, where 6.1 U i verify { ID n, X n, w n, y n, r n, s n, m n } as that step compute 6.2 compute 6.3 verify

Security analysis  Under the DLMC (discrete logarithm modulo composite) assumption, the proposed PAKA protocols achieve : known-key security perfect forward secrecy resistant of on-/off-line password guessing attacks resistant of password-compromised impersonation attacks resistant of unknown key-share attacks

Conclusions  A 2-PAKA protocol based on self-certified approach is proposed  An n-PAKA protocol, generalized from 2- PAKA is proposed  The security of proposed PAKA protocols is based on the intractability of DLMC problems

Thank You for Your Attention