1. Efficient Short-Password Key Exchange (ESP-KE)
Proposed in 2001 by Michael Scott
Problem: We want a key-exchange protocol which makes Man-in-the-Middle attacks easily detected
Solution: Both parties share a small secret that the MITM cannot guess without revealing his presence.

2. ESP-KE - Setup (Some Number Theory Required)
Global Parameters: , , p and q
Let p be a prime (of say 1024 bits)
Let q be a prime divisor of p-1 (of say 160 bits).
 and  are unrelated generators the prime-order sub-group of order q.
If  and  are related, there's a successful off-line dictionary attack. [Scott01]
Password is on the order of 16-bits.

3. ESP-KE - Protocol (Note that the password P << q)
Bob Generate random b in [1, q). B = b mod p B If A=0 Abort k = (A · P)b mod p Mb = H(0, k, P) Mb If H(1, k, P) ≠ Ma Abort
Alice Generate random a in [1, q). A = a / P mod p A k = Ba mod p If H(0, k, P) ≠ Mb Abort Ma = H(1, k, P) Ma
Session key k = ab for both Alice and Bob.

4. Interesting Properties
With P=0, then ESP-KE is a simple Diffie-Hellman Key exchange.
Small Protocol – Can be condensed into 3 messages across the wire.
Fast – Extra operations when compared to DH are two small exponentiations, and two multiplications.
Some values can be computed off-line (such as P mod p).
Since P is on the order of 16-bits versus 160-bits for q, ESP-KE will take 10% longer than DH .

5. Modeling ESP-KE
Used Common Authentication Protocol Specification Language (CAPSL).
CAPSL is a high-level translator which outputs CAPSL Intermediate Language (CIL).
Secondary “bundle” program takes CIL and outputs Prolog strands.
The bundle program was buggy.
Very hard to model password-guessing attacks in the strand framework.

6. Simplifications for Modeling
We can simplify the math down to encryption and decryption with a shared secret key (the password) for analysis.
The values A = a/P and B = b are effectively nonces, obfuscated with the password.
Replaced with E(P, nA) and nB.
The key k is some combination of those nonces.
Replaced with [nA, nB].

7. ESP-KE – Simplified
Alice A = E(P, nA) A k = [nA, nB] If H(0, k, P) ≠ Mb Abort Ma = H(1, k, P) Ma
Bob B = nB B k = [D(P, A), nB] = [nA, nB] Mb = H(0, k, P) Mb If H(1, k, P) ≠ Ma Abort

8. CAPSL Model (abridged)
PROTOCOL ESPKE;
IMPORTS SKEY, ARITH;
VARIABLES
Zero, One: Field;
Alice, Bob: Principal;
Na, Nb: Nonce, FRESH,
CRYPTO;
P: Skey;
ASSUMPTIONS
HOLDS Alice: Bob, Na, Zero
One, P;
HOLDS Bob: Alice, Nb, Zero,
MESSAGES
1. Alice -> Bob:
{Na}P;
2. Bob -> Alice: [
Nb,
sha([Zero,[Na,Nb], P]) ];
3. Alice -> Bob:
sha([One, [Na,Nb], P]);

9. Resulting Strands (manually simplified)
strand(roleAlice,Alice,Bob,Na,P,Nb,[
send(Na+P),
recv([ Nb, sha([ zero, [[Na,Nb], P] ]) ]),
send(sha([one, [ [Na,Nb], P]]))
]).
strand(roleBob,Bob,Alice,Nb,P,Na,[
recv(Na+P),
send([ Nb, sha([zero, [ [Na,Nb], P]]) ]),
recv(sha([one, [ [Na,Nb], P]]))
strand(test,X,[ recv(X), send(stop) ]).

10. Modeling Results
Used a constraint solver to check for secrecy of the key and P.
No attacks found.
Not too surprising, since the underlying system is basically Diffie-Hellman.
Well, what about all that stuff we simplified? Is there an attack based on the mathematics of the protocol?
Found a somewhat trivial, yet interesting attack.

11. Online Password Guessing Attack
Alice Generate random a in [1, q). A = a / P mod p A k = Ba mod p = 1a = 1 If H(0, k = 1, P) ≠ Mb Abort Ma = H(1, k, P) Ma
Evil Bob B = 1 B Mb = H(0, 1, Guess(P)) Mb If not aborted, guess is correct
<insert evil laugh here>
Normally, Bob would have to guess k and P, but in this attack he can predict the value of k, and so only needs to guess P.
Bob checks for A= 0, so why no checks on Alice's side?
Neat, but trivial to both fix and catch a guess attempt in progress.

12. What about Off-line Password Guessing Attacks?
On-line Guessing Attacks aren't very serious.
Gavin Lowe (of NSL fame) provided a formalization of guessing attacks in 2001
“A guessing attack consists of an intruder guessing a value g, and then verifying that guess in some way. The verification will be by the intruder using g to produce a value v which we call the verifier”
So, one way to look for guessing attacks is to look for verifiers an eavesdropper observes during the protocol.

13. Any Verifiers Present? The following values are sent across the wire:
A = a / P mod p
B = b mod p
Ma = H(0, ab, P)
Mb = H(1, ab, P)
B contains no information about P, so its useless.
Ma and Mb can be seen as forms of M(ab, P)
So, two possible verifiers – A and M.

14. Can we use A as a verifier?
In order to use A as a verifier for P, we need to compute some value A' from our guess of P to compare against A.
In order to construct some A' = a / Guess(P) to compare, we'd need to a.
Since a = log(P / A), we would need to know log().
If we could find it, we would break the assumption that discrete-logs are hard.

15. Can we use M as a verifier?
In order to use M as a verifier for P, we need to compute some value M' from our guess of P to compare against M.
Since M' = H(ab, Guess(P)), our goal then becomes to compute ab to plug into H.
We know B = b and can derive a a from our Guess(P) since a = A⋅Guess(P).
However, if we were able to compute ab from a and b, we would break the Computational Diffie-Hellman assumption which is presumed to be hard.

16. What if =? Can we use M as a verifier?
Suppose Alice transmits A=a and then stops after receiving B and Mb.
Mb now equals H(0, (a⋅P)b, P) = H(0, ab + Pb, P) = H(0, b(a + P), P)
Alice can now calculate some M' from P' = Guess(P) to verify against Mb: M' = H(0, Ba+P', P'') = H(0, (b)a+P', P') = H(0, (b)a+P', P') = H(0, b(a+P'), P')

17. Conclusions About modeling: About the protocol: Prolog is hard.
Don't use CAPSL next time.
About the protocol:
The online guessing attack removes the need to compute the session key to guess P.
More input checks are needed for robustness on Alice's side.
Nonetheless, seems secure against offline dictionary attacks.