Download presentation
Presentation is loading. Please wait.
1
Improved Authenticated Multiple-Key Agreement Protocol
Source: Computer and Mathematics with Applications 46 (2003), pp Author: Her-Tyan Yen, Hung-Min Sun and Tzonelih Hwang
2
Authenticated multiple-key agreement
Two communication entities are allowed to establish multiple secret keys through the message exchange.
3
Motivation (1/2) Authenticated key agreement without using one-way hash functions L. Harn and H.Y. Lin, Authenticated key agreement protocol without using one-way functions, In Proc. 8th National Conf. Information Security, (1998). Improved authenticated multiple-key agreement protocol S.M. Yen and M. Joye, Improved authenticated multiple-key agreement protocol, Electron. Lett., , (1998)
4
Motivation (2/2) Security of authecticated multiple-key agreement protocols T.S. Wu, W.H. He and C.L. Hsu, Security of authenticated multiple-key agreement protocols, Electron. Lett., (1999). This paper pointed out that the Wu et al.’s paper still suffers the forgery problem and proposed an improved protocol to overcome the problem.
5
The past authenticated key agreement protocol
p : large prime α: primitive element XA: A’s secret key XB: B’s secret key , A’s public key , B’s public key
6
The Wu and He’s protocol (Authentication Phase)
rA1, rA2, SA, cert(yA) 7. two random secret number kA1 and kA2 2. 3. 4. 5. 6. SA = XA-h(rA1rA2)kA mod (p-1)
7
rA1, rA2, SA, cert(yA) = (rA1.rA2)h(rA1rA2).αXA-h(rA1rA2)‧KA
= (rA1.rA2)h(rA1rA2).αXA.(αKA) –h(rA1rA2) Due to KA = KA1+KA2 mod (p-1) = (rA1.rA2)h(rA1rA2).(α (KA1+KA2) ) –h(rA1rA2).αXA Due to rA1 = αkA1 mod p and rA2 = αkA2 mod p = (rA1.rA2)h(rA1rA2).(rA1.rA2) –h(rA1rA2) .αXA = αXA
8
Keys generation K1 = (rA1)KB1 mod p K2 = (rA2)KB1 mod p
9
Forgery attack rA1, rA2, SA, cert(yA) r΄A1, r΄A2, SA, cert(yA)
If an attacker can find integers r΄A1, r´A2 satisfying r´A1‧ r´A2 = rA1‧ rA2 , then he can convince B that he is A. rA1, rA2, SA, cert(yA) r΄A1, r΄A2, SA, cert(yA)
10
r’A1, r’A2, SA, cert(yA) = (r’A1.r’A2)h(r’A1r’A2).αXA-h(rA1rA2)‧KA
= (r’A1.r’A2)h(r’A1r’A2).αXA.(αKA) –h(rA1rA2) Due to KA = KA1+KA2 mod (p-1) = (r’A1.r’A2)h(r’A1r’A2).(α (KA1+KA2) ) –h(rA1rA2).αXA Due to rA1 = αkA1 mod p and rA2 = αkA2 mod p = (r’A1.r’A2)h(r’A1r’A2).(rA1.rA2) –h(rA1rA2) .αXA Due to r’A1‧r’A2 = rA1‧rA2 = αXA
11
The proposed protocol rA1, rA2, SA, cert(yA) two random secret
7. two random secret number kA1 and kA2 2. 3. 4. 5. 6. SA = XA- (rA1+rA2)kA mod (p-1)
12
rA1, rA2, SA, cert(yA) = (rA1.rA2)(rA1+rA2).αXA-(rA1+rA2)‧KA
= (rA1.rA2)(rA1+rA2).αXA.(αKA) –(rA1+rA2) Due to KA = KA1+KA2 mod (p-1) = (rA1.rA2)(rA1+rA2).(α (KA1+KA2) ) –(rA1+rA2).αXA Due to rA1 = αkA1 mod p and rA2 = αkA2 mod p = (rA1.rA2)(rA1+rA2).(rA1.rA2) –(rA1+rA2) .αXA = αXA
13
Conclusion The proposed protocol is secure and efficient against forgery, and does not involve any one-way hash function.
14
Thanks for your listening
15
Authentication Phase rA1, rA2, SA, cert(yA) two random secret
7. two random secret number kA1 and kA2 2. 3. 4. 5. 6. SA = XA-rAkA mod (p-1) method (1)
16
rA1, rA2, SA, cert(yA) = (rA1.rA2)rA.αXA-rA‧KA
= (rA1.rA2)rA.αXA.(αKA) -rA Due to KA = KA1+KA2 mod (p-1) = (rA1.rA2)rA.(α (KA1+KA2)) -rA .αXA Due to rA1 = αkA1 mod p and rA2 = αkA2 mod p = (rA1.rA2)rA.(rA1.rA2) -rA .αXA = αXA method (1)
17
Forgery attack rA1, rA2, SA, cert(yA) r΄A1, r΄A2, SA, cert(yA)
If an attacker can find integers r΄A1, r´A2 satisfying r´A1‧ r´A2 = rA1‧ rA2 , then he can convince B that he is A. rA1, rA2, SA, cert(yA) r΄A1, r΄A2, SA, cert(yA) method (1)
18
r΄A1, r΄A2, SA, cert(yA) = (r΄A1.r΄A2)rA.αXA-rA‧KA
= (r΄A1.r΄ A2)rA.αXA.(αKA) -rA Due to KA = KA1+KA2 mod (p-1), rA1 = αkA1 mod p and rA2 = αkA2 mod p = (r΄A1.r΄A2)rA.(rA1.rA2) -rA .αXA Due to r´A1‧ r´A2 = rA1‧ rA2 = αXA Method (1)
19
Authentication Phase rA1, rA2, SA, cert(yA) two random secret
7. two random secret number kA1 and kA2 2. 3. 4. 5. 6. SA = XA-rA1rA2kA mod (p-1) Method (2)
20
rA1, rA2, SA, cert(yA) = (rA1.rA2)rA1rA2.αXA-(rA1rA2)‧KA
= (rA1.rA2)rA1rA2.αXA.(αKA) –rA1rA2 Due to KA = KA1+KA2 mod (p-1) = (rA1.rA2)rA1rA2.(α (KA1+KA2)) –rA1rA2.αXA Due to rA1 = αkA1 mod p and rA2 = αkA2 mod p = (rA1.rA2)rA1rA2.(rA1.rA2) –rA1rA2 .αXA = αXA Method (2)
21
Forgery attack rA1, rA2, SA, cert(yA) r΄A1, r΄A2, SA, cert(yA)
If an attacker can find integers r΄A1, r´A2 satisfying r´A1‧ r´A2 = rA1‧ rA2 , then he can convince B that he is A. rA1, rA2, SA, cert(yA) r΄A1, r΄A2, SA, cert(yA) Method (2)
22
rA1, rA2, SA, cert(yA) = (r’A1.r’A2)r’A1r’A2.αXA-(rA1rA2)‧KA
= (r’A1.r’A2)r’A1r’A2.αXA.(αKA) –rA1rA2 Due to KA = KA1+KA2 mod (p-1) = (r’A1.r’A2)r’A1r’A2.(α (KA1+KA2)) –rA1rA2.αXA Due to rA1 = αkA1 mod p and rA2 = αkA2 mod p = (r’A1.r’A2)r’A1r’A2.(rA1.rA2) –rA1rA2 .αXA Due to r’A1.r’A2 = r’A1‧r’A2 Method (2) = αXA
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.