Robust Authenticated Key Exchange Using Passwords and Identity-Based Signatures

Abstract

In the paper we propose new authenticated key exchange (AKE) protocols from a combination of identity-based signature (IBS) and a password-based authentication. The proposed protocols allows for a client to execute a convenient authentication by using only a human-memorable password and a server’s identity. The use of an IBS gives security enhancements against threats from password leakage. A server authentication method is based on an IBS, which is independent of a password shared with a client. Even if a password is revealed on the side of a client protected poorly, server impersonation can be prevented effectively. In addition, our protocols have resilience to server compromise by using ‘password verification data’, not a true password at the server. An adversary cannot use the data revealed from server compromise directly to impersonate a client without additional off-line dictionary attacks. We emphasize that most of existing password-based AKE protocols are vulnerable to subsequent attacks after password leakage.

Our first hybrid AKE protocol is constructed using concrete parameters from discrete logarithm based groups. It is designed to give resilience to server compromise. Our second protocol is a simplified version of the first protocol where the computation cost of a client is cheap. Generalizing the basic protocols, we present a modular method to convert Diffie-Hellman key exchange into an AKE protocol based on a password and an IBS. Finally, we give performance analysis for our protocols and comparison among known hybrid AKE protocols and ours. As shown later in the paper, our protocols provide better performance. Our experimental results show that the proposed protocols run in at most 20 ms. They can be widely applied for information security applications.

This work was supported by the ICT R&D program of MSIP/IITP [B1206-15-1007, Development of Universal Authentication Platform Technology with Context-Aware Multi-Factor Authentication and Digital Signature].

Appendices

A Bilinear Maps [21, 39]

Let \(\mathbb {G}\) \(_1\) and \(\mathbb {G}\) \(_2\) be additive groups and \(\mathbb {G}\) \(_T\) a multiplicative group. Assume that the groups have the same prime order, q. We say that e: \(\mathbb {G}\) \(_1 \times \mathbb {G}\) \(_2 \rightarrow \) \(\mathbb {G}\) \(_T\) is an admissible bilinear map (or a pairing) if the following properties are satisfied: (1) Bilinearity: \(e(aP,bQ) = e(P,Q)^{ab}\) for all \(P \in \mathbb {G}\) \(_1\) and \(Q \in \mathbb {G}\) \(_2\), and \(a,b \in \mathbb {Z}_q^*\). (2) Non-degeneracy: There exist \(P \in \mathbb {G}\) \(_1\) and \(R \in \mathbb {G}\) \(_2\) such that \(e(P,R) \ne 1\). (3) Computability: There exists an efficient algorithm to compute \(e(P',Q')\) for all \(P' \in \mathbb {G}\) \(_1\) and \(Q' \in \mathbb {G}\) \(_2\).

Bilinear maps can be classified in three types, i.e., Type I, II, III according to the existence of morphisms between \(\mathbb {G}\) \(_1\) and \(\mathbb {G}\) \(_2\). Type I pairings, called ‘symmetric’, have \(\mathbb {G}\) \(_1=\mathbb {G}\) \(_2\). Type II pairings have an efficiently computable isomorphism from \(\mathbb {G}\) \(_1\) to \(\mathbb {G}\) \(_2\) or from \(\mathbb {G}\) \(_2\) to \(\mathbb {G}\) \(_1\) but none in the reverse direction. Type III pairings have no efficiently computable isomorphism between \(\mathbb {G}\) \(_1\) and \(\mathbb {G}\) \(_2\). Type II and III pairings are called ‘asymmetric’. For more details, refer to [21, 39].

B Computational Assumptions

Discrete Logarithm (DL) Assumption. Assume that a group \(\mathbb {G}\) of order q and a generator g of \(\mathbb {G}\) are given. To define Discrete Logarithm (DL) problem, we consider the following game:

We define \(\mathsf{Adv}^{DL}_{ \mathcal{A},\mathbb {G}}(t)\)= \(\Pr [r=x]\), where \( \mathcal{A}\) runs in time t. We define that \(\mathsf{Adv}^{DL}_{\mathbb {G}}(t)\) = max\(_{ \mathcal{A}}[\mathsf{Adv}^{DL}_{\mathbb {G}}(t)]\) where the maximum is taken over all \( \mathcal{A}\). We say that DL assumption holds for \(\mathbb {G}\) if \(\mathsf{Adv}^{DL}_{\mathbb {G}}(t)\) is negligible.

Decisional Diffie-Hellman (DDH) Assumption. Assume that a group \(\mathbb {G}\) of order q and a generator g of \(\mathbb {G}\) are given. To define Decisional Diffie-Hellman (DDH) problem, we consider the following distinguishability game:

We define \(\mathsf{Adv}^{DDH}_{ \mathcal{A},\mathbb {G}}(t)\)= \(|\Pr [b=b']-1/2|\), where \( \mathcal{A}\) runs in time t. We define that \(\mathsf{Adv}^{DDH}_{\mathbb {G}}(t)\) = max\(_{ \mathcal{A}}[\mathsf{Adv}^{DDH}_{\mathbb {G}}(t)]\) where the maximum is taken over all \( \mathcal{A}\). We say that DDH assumption holds for \(\mathbb {G}\) if \(\mathsf{Adv}^{DDH}_{\mathbb {G}}(t)\) is negligible.

Computational Diffie-Hellman (CDH) Assumption. Assume that a group \(\mathbb {G}\) of order q and a generator g of \(\mathbb {G}\) are given. To define Computational Diffie-Hellman (CDH) problem, we consider the following game:

We define \(\mathsf{Adv}^{CDH}_{ \mathcal{A},\mathbb {G}}(t)\)= \(\Pr [z=xy]\), where \( \mathcal{A}\) runs in time t. We define that \(\mathsf{Adv}^{CDH}_{\mathbb {G}}(t)\) = max\(_{ \mathcal{A}}[\mathsf{Adv}^{CDH}_{\mathbb {G}}(t)]\) where the maximum is taken over all \( \mathcal{A}\). We say that CDH assumption holds for \(\mathbb {G}\) if \(\mathsf{Adv}^{CDH}_{\mathbb {G}}(t)\) is negligible.

C Simplified IBS-PAKE Protocols

Initialization Phase. Three processes Setup, Extract, and Registration are executed as follows.

• Setup and Extract are the same to those of PWIBS-AKE.

• Registration(C, S). First, a client, C generates his or her password, \(pw_C\) according to a pre-defined password creation policy. To register a service, C sends (Register-Req, \(ID_C\), \(g_1^{-H_1(pw_C)}\)) to the server, S over a secure channel. The server appends \(\pi _S[C]=(ID_C,g_1^{-H_1(pw_C)})\) to \({\mathcal {PF}}\).

Table 3. Experimental results of our simplified PWIBS-AKE (time:msec)

Key Establishment Phase. A client, C and a server, S execute the protocol to agree on a temporal key to be used for a session. The concrete protocol is described as follows (See Fig. 4).

1. 1.

   C picks \(x \in {\mathbb {Z}}_q^*\) uniformly at random and computes \(W=g^xg_1^{H_1(pw_C)}\) \(\in \) \(\mathbb {G}\) using the password, \(pw_C\). Then, C sends \([ID_C, W]\) to S.

2. 2.

   S picks y \(\in \) \({\mathbb {Z}}_q^*\) uniformly at random and computes \(Y=g^y\) \(\in \) \(\mathbb {G}\). Also, using its signing key, \(sk_{ID_S}=(R_S,v_S)\), the server generates a signature, \(\sigma _S = (d_S, z_S, R_S)\) on \(M_S=ID_S||Y\), where \(E_S=g^{e_S}\), \(z = H(m, ID_S, E_S)\) and \(d_S = e_S - v_S z_S \pmod q\) for random \(r_S, e_S \in {\mathbb {Z}}_q^*\). Then S sends [\(ID_S\),Y,\(\sigma _S\)] to C. From the receipt message \([ID_C, W]\), the server finds authentication information corresponding to \(ID_C\), i.e., [\(ID_C\), \(g_1^{-H_1(pw_C)}\)] from a database. It then computes \(X' = W g_1^{-H_1(pw_C)}\) and \(K'=(X')^{y}\). Finally, S computes \(ssk = H_3({\mathsf {pid}}_S||{\mathsf {sid}}_S||K')\), where \({\mathsf {sid}}_S = ID_C||W||Y||\sigma _S\).

3. 3.

   Upon receiving [\(ID_S\), Y, \(\sigma _S\)], the client C checks if the signature, \(\sigma _S\) is valid, i.e., the equality of \(z_S = H(M_S, ID_S, g^{d_S} \cdot (R_S \cdot u^{w_S})^{z_S})\) holds. Here \(M_S=ID_S||Y\) and \(w_S=H(ID_S,R_S)\). If the validity does not hold then the session is aborted. Otherwise, the client computes \(K=Y^x\). Finally, S computes \(ssk = H_3({\mathsf {pid}}_S||{\mathsf {sid}}_S||K')\), where \({\mathsf {sid}}_S = ID_C||W||Y||\sigma _S\).

Fig. 2.

\(\mathsf {PWIBS}\)-\(\mathsf {AKE}\): AKE from a combination of PAK and a Schnorr-based IBS

Fig. 3.

Generic construction of a simplified IBS-PAKE protocol

Fig. 4.

Simplified \(\mathsf {PWIBS}\)-\(\mathsf {AKE}\)