Abstract
In this paper we propose new authenticated key exchange (AKE) protocols that combine an identity-based signature (IBS) with password-based authentication. The proposed protocols allow a client to authenticate conveniently using only a human-memorable password and the server's identity. Using an IBS strengthens security against threats arising from password leakage: server authentication is based on the IBS and is independent of the password shared with the client, so even if a password is revealed on a poorly protected client, server impersonation is still prevented. In addition, our protocols gain resilience to server compromise by storing 'password verification data' at the server rather than the password itself; an adversary cannot directly use the data revealed by a server compromise to impersonate a client without an additional off-line dictionary attack. We emphasize that most existing password-based AKE protocols are vulnerable to subsequent attacks once a password has leaked.
Our first hybrid AKE protocol is constructed with concrete parameters from discrete-logarithm-based groups and is designed to give resilience to server compromise. Our second protocol is a simplified version of the first in which the client's computation cost is low. Generalizing the basic protocols, we present a modular method to convert Diffie-Hellman key exchange into an AKE protocol based on a password and an IBS. Finally, we give a performance analysis of our protocols and a comparison between known hybrid AKE protocols and ours; as shown later in the paper, our protocols provide better performance. Our experimental results show that the proposed protocols run in at most 20 ms, so they can be applied widely to information security applications.
This work was supported by the ICT R&D program of MSIP/IITP [B1206-15-1007, Development of Universal Authentication Platform Technology with Context-Aware Multi-Factor Authentication and Digital Signature].
Notes
1. These are different from dictionary attacks that aim to reveal a password.
2. CCA security means that a PKE scheme reveals no meaningful information about the plaintext of a ciphertext to an attacker who can query a decryption oracle on chosen ciphertexts (other than the challenge ciphertext itself).
3.
4. Note that a secure channel is needed because \(\pi _1=H_1(pw_C)\) or \(ESK = {\mathcal {E}}_{H_2(pw_C)}(sk_{ID_C})\) could otherwise be used by an adversary to mount off-line dictionary attacks.
5. It is not difficult to fix the instances so that they follow the generic methods.
6. Even though Charm is not optimised, our results suffice to show that our protocols can be implemented feasibly and efficiently.
References
Abdalla, M., Benhamouda, F., Mackenzie, P.: Security of the J-PAKE password-authenticated key exchange protocol. In: IEEE Symposium on Security and Privacy 2015, pp. 571–587. IEEE Computer Society (2015)
Boyarsky, M.K.: Public-key cryptography and password protocols: the multi-user case. In: ACM CCS 1999, pp. 63–72. ACM, New York (1999)
Benhamouda, F., Blazy, O., Chevalier, C., Pointcheval, D., Vergnaud, D.: New techniques for SPHFs and efficient one-round PAKE protocols. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 449–475. Springer, Heidelberg (2013)
Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)
Barreto, P.S.L.M., Galbraith, S.D., Ó hÉigeartaigh, C., Scott, M.: Efficient pairing computation on supersingular abelian varieties. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–368. Springer, Heidelberg (2002)
Barreto, P.S.L.M., Lynn, B., Scott, M.: Efficient implementation of pairing-based cryptosystems. J. Cryptol. 17(4), 321–334 (2004)
Bellovin, S.M., Merritt, M.: Encrypted key exchange: Password-based protocol secure against dictionary attack. In: IEEE Symposium on Research in Security and Privacy, pp. 72–84 (1992)
Boyko, V., MacKenzie, P.D., Patel, S.: Provably secure password-authenticated key exchange using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000)
Bellare, M., Namprempre, C., Neven, G.: Security proofs for identity-based identification and signature schemes. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 268–286. Springer, Heidelberg (2004)
Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)
Chen, L., Harrison, K., Soldera, D., Smart, N.P.: Applications of multiple trust authorities in pairing based cryptosystems. In: Davida, G.I., Frankel, Y., Rees, O. (eds.) InfraSec 2002. LNCS, vol. 2437, pp. 260–275. Springer, Heidelberg (2002)
Clancy, T.: EAP password authenticated exchange, draft archive (2005). http://www.cs.umd.edu/clancy/eap-pax/
Akinyele, J.A., et al.: Charm: a framework for rapidly prototyping cryptosystems. J. Crypt. Eng. 3(2), 111–128 (2013)
Choi, K.Y., Hwang, J.Y., Cho, J., Kwon, T.: Constructing efficient PAKE protocols from identity-based KEM/DEM, Cryptology ePrint Archive, Report 2015/606 (2015). http://eprint.iacr.org/2015/606. (To appear in WISA 2015)
Canetti, R., Halevi, S., Katz, J., Lindell, Y., MacKenzie, P.: Universally composable password-based key exchange. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 404–421. Springer, Heidelberg (2005)
Choi, K.Y., Hwang, J.Y., Lee, D.-H.: Efficient ID-based group key agreement with bilinear maps. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 130–144. Springer, Heidelberg (2004)
Dent, A.W., Galbraith, S.D.: Hidden pairings and trapdoor DDH groups. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 436–451. Springer, Heidelberg (2006)
Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
Elashry, I., Mu, Y., Susilo, W.: Jhanwar-Barua’s identity-based encryption revisited. In: Au, M.H., Carminati, B., Kuo, C.-C.J. (eds.) NSS 2014. LNCS, vol. 8792, pp. 271–284. Springer, Heidelberg (2014)
Galbraith, S.: Pairings. In: Advances in Elliptic Curve Cryptography. London Mathematical Society Lecture Note Series, vol. 317, Chap. IX, pp. 183–213. Cambridge University Press, Cambridge (2005)
Galindo, D., Garcia, F.D.: A Schnorr-like lightweight identity-based signature scheme. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 135–148. Springer, Heidelberg (2009)
Gong, L., Lomas, T.M.A., Needham, R.M., Saltzer, J.H.: Protecting poorly chosen secrets from guessing attacks. IEEE J. Sel. Areas Commun. 11(5), 648–656 (1993)
Gentry, C., MacKenzie, P.D., Ramzan, Z.: A method for making password-based key exchange resilient to server compromise. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 142–159. Springer, Heidelberg (2006)
Halevi, S., Krawczyk, H.: Public-key cryptography and password protocols. ACM Trans. Inf. Syst. Secur. 2(3), 230–268 (1999)
Housley, R., Polk, T.: Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure. Wiley, Chichester (2001)
Hao, F., Ryan, P.Y.A.: Password authenticated key exchange by juggling. In: Christianson, B., Malcolm, J.A., Matyas, V., Roe, M. (eds.) Security Protocols 2008. LNCS, vol. 6615, pp. 159–171. Springer, Heidelberg (2011)
Hao, F., Shahandashti, S.F.: The SPEKE protocol revisited. In: Chen, L., Mitchell, C. (eds.) SSR 2014. LNCS, vol. 8893, pp. 26–38. Springer, Heidelberg (2014). Cryptology ePrint Archive, Report 2014/585. http://eprint.iacr.org/2014/585
Internet Engineering Task Force: EAP password authenticated exchange (2005). http://www.ietf.org/internet-drafts/draft-clancy-eap-pax-03.txt
Jablon, D.: Strong password-only authenticated key exchange. ACM SIGCOMM Comput. Commun. Rev. 26(5), 5–26 (1996)
IEEE Std 1363.2-2008: IEEE Standard Specification for Password-Based Public-Key Cryptographic Techniques (2008)
ISO/IEC 11770-4:2006: Information technology - Security techniques - Key management - Part 4: Mechanisms based on weak secrets (2006)
ITU-T Recommendation X.1035: Password-Authenticated Key Exchange (PAK) Protocol. https://www.itu.int/rec/T-REC-X.1035/en
Kwon, T.: Addendum to Summary of AMP, In Submission to the IEEE P1363 study group for future PKC standards (2003)
Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 475–494. Springer, Heidelberg (2001)
Kolesnikov, V., Rackoff, C.: Key exchange using passwords and long keys. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 100–119. Springer, Heidelberg (2006)
Katz, J., Yung, M.: Scalable protocols for authenticated group key exchange. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 110–125. Springer, Heidelberg (2003)
Lee, H.T., Cheon, J.H., Hong, J.: Accelerating ID-based Encryption Based on Trapdoor DL Using Pre-computation. Cryptology ePrint Archive, Report 2011/187 (2011). http://eprint.iacr.org/2011/187
Paterson, K.G.: Cryptography from pairings. In: Advances in Elliptic Curve Cryptography. London Mathematical Society Lecture Note Series, vol. 317, Chap. X, pp. 215–251. Cambridge University Press, Cambridge (2005)
Pointcheval, D.: Password-based authenticated key exchange. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 390–397. Springer, Heidelberg (2012)
Litzenberger, D.C.: PyCrypto: the Python cryptography toolkit (2014). https://www.dlitz.net/software/pycrypto
Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)
Paterson, K.G., Srinivasan, S.: On the relations between non-interactive key distribution, identity-based encryption and trapdoor discrete log groups. Des. Codes Crypt. 52(2), 219–241 (2009)
Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)
Schnorr, C.-P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)
Certicom Research: SEC 2: Recommended Elliptic Curve Domain Parameters, Version 1.0. Standards for Efficient Cryptography (2000)
Brown, D.: SEC 2: Recommended Elliptic Curve Domain Parameters, Version 2 (2010). http://www.secg.org/sec2-v2.pdf
Shin, S., Kobara, K.: Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2. RFC 6628, ISSN 2070-1721, IETF (2012)
Sakai, R., Kasahara, M.: ID Based Cryptosystems with Pairing over Elliptic Curve, Cryptology ePrint Archive, Report 2003/054. http://eprint.iacr.org/2003/054
Wu, T.: SRP-6: Improvements and Refinements to the Secure Remote Password Protocol, In Submission to the IEEE P1363 Working Group (2002)
Yi, X., Tso, R., Okamoto, E.: ID-based group password-authenticated key exchange. In: Takagi, T., Mambo, M. (eds.) IWSEC 2009. LNCS, vol. 5824, pp. 192–211. Springer, Heidelberg (2009)
Yi, X., Tso, R., Okamoto, E.: Identity-based password-authenticated key exchange for client/server model. In: SECRYPT 2012, pp. 45–54 (2012)
Yi, X., Hao, F., Bertino, E.: ID-based two-server password-authenticated key exchange. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014, Part II. LNCS, vol. 8713, pp. 257–276. Springer, Heidelberg (2014)
Appendices
A Bilinear Maps [21, 39]
Let \(\mathbb{G}_1\) and \(\mathbb{G}_2\) be additive groups and \(\mathbb{G}_T\) a multiplicative group, all of the same prime order q. We say that \(e: \mathbb{G}_1 \times \mathbb{G}_2 \rightarrow \mathbb{G}_T\) is an admissible bilinear map (or a pairing) if the following properties are satisfied: (1) Bilinearity: \(e(aP,bQ) = e(P,Q)^{ab}\) for all \(P \in \mathbb{G}_1\), \(Q \in \mathbb{G}_2\) and \(a,b \in \mathbb{Z}_q^*\). (2) Non-degeneracy: there exist \(P \in \mathbb{G}_1\) and \(R \in \mathbb{G}_2\) such that \(e(P,R) \ne 1\). (3) Computability: there exists an efficient algorithm to compute \(e(P',Q')\) for all \(P' \in \mathbb{G}_1\) and \(Q' \in \mathbb{G}_2\).
Bilinear maps are classified into three types, Type I, II and III, according to the existence of efficiently computable morphisms between \(\mathbb{G}_1\) and \(\mathbb{G}_2\). Type I pairings, called 'symmetric', have \(\mathbb{G}_1 = \mathbb{G}_2\). Type II pairings have an efficiently computable isomorphism in one direction (from \(\mathbb{G}_1\) to \(\mathbb{G}_2\) or from \(\mathbb{G}_2\) to \(\mathbb{G}_1\)) but none in the reverse direction. Type III pairings have no efficiently computable isomorphism in either direction. Type II and III pairings are called 'asymmetric'. For more details, refer to [21, 39].
B Computational Assumptions
Discrete Logarithm (DL) Assumption. Let a group \(\mathbb{G}\) of prime order q and a generator g of \(\mathbb{G}\) be given. To define the Discrete Logarithm (DL) problem, we consider the following game: the challenger picks \(x \in \mathbb{Z}_q\) uniformly at random and gives \(g^x\) to the adversary \(\mathcal{A}\), which outputs \(r \in \mathbb{Z}_q\).
We define \(\mathsf{Adv}^{DL}_{\mathcal{A},\mathbb{G}}(t) = \Pr[r=x]\), where \(\mathcal{A}\) runs in time t, and \(\mathsf{Adv}^{DL}_{\mathbb{G}}(t) = \max_{\mathcal{A}}[\mathsf{Adv}^{DL}_{\mathcal{A},\mathbb{G}}(t)]\), where the maximum is taken over all \(\mathcal{A}\) running in time t. We say that the DL assumption holds for \(\mathbb{G}\) if \(\mathsf{Adv}^{DL}_{\mathbb{G}}(t)\) is negligible.
Decisional Diffie-Hellman (DDH) Assumption. Let a group \(\mathbb{G}\) of prime order q and a generator g of \(\mathbb{G}\) be given. To define the Decisional Diffie-Hellman (DDH) problem, we consider the following distinguishability game: the challenger picks \(x, y, z \in \mathbb{Z}_q\) and a bit b uniformly at random, gives \((g^x, g^y, g^{xy})\) to \(\mathcal{A}\) if \(b=0\) and \((g^x, g^y, g^z)\) if \(b=1\), and \(\mathcal{A}\) outputs a bit \(b'\).
We define \(\mathsf{Adv}^{DDH}_{\mathcal{A},\mathbb{G}}(t) = |\Pr[b=b'] - 1/2|\), where \(\mathcal{A}\) runs in time t, and \(\mathsf{Adv}^{DDH}_{\mathbb{G}}(t) = \max_{\mathcal{A}}[\mathsf{Adv}^{DDH}_{\mathcal{A},\mathbb{G}}(t)]\), where the maximum is taken over all \(\mathcal{A}\) running in time t. We say that the DDH assumption holds for \(\mathbb{G}\) if \(\mathsf{Adv}^{DDH}_{\mathbb{G}}(t)\) is negligible.
Computational Diffie-Hellman (CDH) Assumption. Let a group \(\mathbb{G}\) of prime order q and a generator g of \(\mathbb{G}\) be given. To define the Computational Diffie-Hellman (CDH) problem, we consider the following game: the challenger picks \(x, y \in \mathbb{Z}_q\) uniformly at random and gives \((g^x, g^y)\) to \(\mathcal{A}\), which outputs \(z \in \mathbb{G}\).
We define \(\mathsf{Adv}^{CDH}_{\mathcal{A},\mathbb{G}}(t) = \Pr[z = g^{xy}]\), where \(\mathcal{A}\) runs in time t, and \(\mathsf{Adv}^{CDH}_{\mathbb{G}}(t) = \max_{\mathcal{A}}[\mathsf{Adv}^{CDH}_{\mathcal{A},\mathbb{G}}(t)]\), where the maximum is taken over all \(\mathcal{A}\) running in time t. We say that the CDH assumption holds for \(\mathbb{G}\) if \(\mathsf{Adv}^{CDH}_{\mathbb{G}}(t)\) is negligible.
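As an added check, not taken from the paper, on how Appendices A and B interact: the DDH assumption cannot hold in the source group of a Type I pairing. Write the source group multiplicatively as in Appendix B, \(\mathbb{G}_1 = \mathbb{G}_2 = \langle g \rangle\) of prime order q, with an admissible \(e: \mathbb{G}_1 \times \mathbb{G}_1 \rightarrow \mathbb{G}_T\). By bilinearity,
\[ e(g^a, g^b) = e(g,g)^{ab} \quad\text{and}\quad e(g, g^c) = e(g,g)^{c}. \]
By non-degeneracy \(e(g,g) \ne 1\), and since \(\mathbb{G}_T\) has prime order q, \(e(g,g)\) has order exactly q. Hence
\[ e(g^a, g^b) = e(g, g^c) \iff ab \equiv c \pmod q. \]
A distinguisher that receives \((g^x, g^y, Z)\) and outputs \(b' = 0\) exactly when \(e(g^x, g^y) = e(g, Z)\) is always right for \(b = 0\) and wrong for \(b = 1\) only when the random exponent satisfies \(z \equiv xy\), so
\[ \Pr[b = b'] = \tfrac{1}{2} + \tfrac{1}{2}\bigl(1 - \tfrac{1}{q}\bigr), \qquad \mathsf{Adv}^{DDH}_{\mathcal{A},\mathbb{G}_1}(t) = \tfrac{1}{2} - \tfrac{1}{2q}, \]
which is not negligible, using only one pairing evaluation per side. Only the DL and CDH assumptions of Appendix B can survive in such a group (the gap Diffie-Hellman setting). Any argument that relies on DDH in \(\mathbb{G}\) must therefore be instantiated in a group without an efficiently computable pairing, such as a prime-order subgroup of \(\mathbb{Z}_p^*\) or an ordinary elliptic-curve group of large embedding degree, and not in \(\mathbb{G}_1\) of a symmetric pairing.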
C Simplified IBS-PAKE Protocols
Initialization Phase. Three processes, Setup, Extract and Registration, are executed as follows.
- Setup and Extract are the same as those of PWIBS-AKE.
- Registration(C, S). First, the client C generates a password \(pw_C\) according to a pre-defined password creation policy. To register for the service, C sends (Register-Req, \(ID_C\), \(g_1^{-H_1(pw_C)}\)) to the server S over a secure channel. The server appends \(\pi_S[C] = (ID_C, g_1^{-H_1(pw_C)})\) to \(\mathcal{PF}\).
Key Establishment Phase. The client C and the server S execute the following protocol to agree on a session key (see Fig. 4).
1. C picks \(x \in \mathbb{Z}_q^*\) uniformly at random and computes \(W = g^x g_1^{H_1(pw_C)} \in \mathbb{G}\) using the password \(pw_C\). Then C sends \([ID_C, W]\) to S.
2. S picks \(y \in \mathbb{Z}_q^*\) uniformly at random and computes \(Y = g^y \in \mathbb{G}\). Using its signing key \(sk_{ID_S} = (R_S, v_S)\), S generates a signature \(\sigma_S = (d_S, z_S, R_S)\) on \(M_S = ID_S||Y\): it picks \(e_S \in \mathbb{Z}_q^*\) uniformly at random and computes \(E_S = g^{e_S}\), \(z_S = H(M_S, ID_S, E_S)\) and \(d_S = e_S - v_S z_S \pmod q\). S sends \([ID_S, Y, \sigma_S]\) to C. From the received message \([ID_C, W]\), S looks up the authentication information for \(ID_C\), i.e., \(\pi_S[C] = (ID_C, g_1^{-H_1(pw_C)})\), in \(\mathcal{PF}\) and computes \(X' = W g_1^{-H_1(pw_C)}\) and \(K' = (X')^y\); note that \(X' = g^x\) exactly when C used the registered password. Finally, S computes \(ssk = H_3(\mathsf{pid}_S||\mathsf{sid}_S||K')\), where \(\mathsf{sid}_S = ID_C||W||Y||\sigma_S\).
3. Upon receiving \([ID_S, Y, \sigma_S]\), C checks that \(\sigma_S\) is valid, i.e., that \(z_S = H(M_S, ID_S, g^{d_S} \cdot (R_S \cdot u^{w_S})^{z_S})\) holds, where \(M_S = ID_S||Y\) and \(w_S = H(ID_S, R_S)\). If the check fails, the session is aborted. Otherwise C computes \(K = Y^x\) and \(ssk = H_3(\mathsf{pid}_C||\mathsf{sid}_C||K)\), where \(\mathsf{sid}_C = ID_C||W||Y||\sigma_S\). Correctness: when both parties use the same password, \(K' = (g^x)^y = (g^y)^x = K\), so both derive the same ssk.
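The following Python simulation is an added example, not code from the paper or its authors. It runs Registration and the three steps above end to end, with both sides' messages, and checks that the client aborts on a bad server signature and that a wrong password yields mismatched keys. Everything the appendix leaves open is an assumption of the example: the group is a toy 128-bit safe-prime subgroup of \(\mathbb{Z}_p^*\) generated at import time (far too small for real use), with \(g\) and \(g_1\) chosen so that nobody knows \(\log_g g_1\); the IBS is the Schnorr-style scheme implied by the step-3 verification equation, with Setup producing \((msk, u = g^{msk})\) and Extract(ID) producing \((R = g^r, v = r + msk \cdot H(ID, R))\); H, \(H_1\), \(H_3\) are domain-separated SHA-256; pid is \(ID_C||ID_S\); and || is length-prefixed concatenation. All function and variable names are the example's own.

```python
"""Toy run of the simplified IBS-PAKE protocol of Appendix C (added example, not the authors' code)."""
import hashlib
import random
import secrets

RNG = random.Random(2015)  # deterministic toy group parameters; protocol ephemerals use secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin; used only to build the toy group."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_group(bits=128):
    """Safe prime p = 2q+1 and two random order-q generators g, g1 (assumed: log_g g1 unknown)."""
    while True:
        q = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    g, g1 = (pow(RNG.randrange(2, p - 1), 2, p) for _ in range(2))  # nontrivial squares have order q
    return p, q, g, g1

P, Q, G, G1 = toy_group()

def enc(*parts):  # the paper's '||' as length-prefixed concatenation (unambiguous parsing)
    bs = [x if isinstance(x, bytes) else str(x).encode() for x in parts]
    return b"".join(len(b).to_bytes(4, "big") + b for b in bs)

def H(*parts):  # hash to a scalar in Z_q (assumption: SHA-256, domain-separated)
    return int.from_bytes(hashlib.sha256(b"H|" + enc(*parts)).digest(), "big") % Q
def H1(pw):  # password hash, separated from H by a tag
    return H("H1", pw)
def H3(*parts):  # session-key derivation
    return hashlib.sha256(b"H3|" + enc(*parts)).digest()
def rand_scalar():  # uniform in Z_q^*
    return secrets.randbelow(Q - 1) + 1

def ibs_setup():
    msk = rand_scalar()
    return msk, pow(G, msk, P)  # (master secret key, master public key u = g^msk)

def ibs_extract(msk, ID):
    r = rand_scalar()
    R = pow(G, r, P)
    return R, (r + msk * H(ID, R)) % Q  # sk_ID = (R, v); note g^v = R * u^H(ID,R)

def ibs_sign(ID, sk, M):
    R, v = sk
    e = rand_scalar()
    z = H(M, ID, pow(G, e, P))  # z = H(M, ID, E) with E = g^e
    return (e - v * z) % Q, z, R  # sigma = (d, z, R)

def ibs_verify(u, ID, M, sig):
    d, z, R = sig
    pk = R * pow(u, H(ID, R), P) % P  # R * u^w with w = H(ID, R)
    return z == H(M, ID, pow(G, d, P) * pow(pk, z, P) % P)  # g^d (R u^w)^z recovers E

def register(ID_C, pw):
    return ID_C, pow(G1, (-H1(pw)) % Q, P)  # server stores g1^{-H1(pw)}, never pw

def client_step1(ID_C, pw):
    x = rand_scalar()
    return x, (ID_C, pow(G, x, P) * pow(G1, H1(pw), P) % P)  # W = g^x g1^H1(pw)

def server_step2(ID_S, sk_S, pf, msg1):
    ID_C, W = msg1  # pf[ID_C] raises KeyError for an unregistered client: abort
    y = rand_scalar()
    Y = pow(G, y, P)
    sig = ibs_sign(ID_S, sk_S, enc(ID_S, Y))  # signs M_S = ID_S || Y
    X = W * pf[ID_C] % P  # W g1^{-H1(pw)} equals g^x iff the passwords match
    return H3(enc(ID_C, ID_S), enc(ID_C, W, Y, *sig), pow(X, y, P)), (ID_S, Y, sig)

def client_step3(u, ID_C, x, W, msg2):
    ID_S, Y, sig = msg2
    if not ibs_verify(u, ID_S, enc(ID_S, Y), sig):
        return None  # server signature invalid: abort
    return H3(enc(ID_C, ID_S), enc(ID_C, W, Y, *sig), pow(Y, x, P))

def run_session(u, ID_S, sk_S, pf, ID_C, pw, tamper=False):  # returns (client ssk, server ssk)
    x, msg1 = client_step1(ID_C, pw)
    ssk_S, msg2 = server_step2(ID_S, sk_S, pf, msg1)
    if tamper:  # modify Y in transit; the client must then reject sigma_S
        msg2 = (msg2[0], msg2[1] * G % P, msg2[2])
    return client_step3(u, ID_C, x, msg1[1], msg2), ssk_S

def impersonate_client(verifier, ID_C):  # attacker knows only the stored g1^{-H1(pw)}
    x = rand_scalar()
    return x, (ID_C, pow(G, x, P) * pow(verifier, Q - 1, P) % P)  # verifier^-1 = g1^H1(pw)
```

`run_session` with the registered password returns two equal 32-byte keys; with a different password the server's \(X'\) is no longer \(g^x\) and the keys differ, which is what the server later detects when key confirmation fails. The `impersonate_client` function makes a caveat of this simplified variant concrete: because the client's only password-dependent value is \(W = g^x g_1^{H_1(pw_C)}\), the stored \(g_1^{-H_1(pw_C)}\) is exactly what is needed to forge a valid W, so whoever obtains \(\mathcal{PF}\) can impersonate C without any dictionary attack. The abstract attributes resilience to server compromise to the first protocol, not to this simplified one; deploying the simplified version therefore requires protecting \(\mathcal{PF}\) as if it held password-equivalent secrets.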
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Hwang, J.Y., Kim, SH., Choi, D., Jin, SH., Song, B. (2015). Robust Authenticated Key Exchange Using Passwords and Identity-Based Signatures. In: Chen, L., Matsuo, S. (eds) Security Standardisation Research. SSR 2015. Lecture Notes in Computer Science, vol 9497. Springer, Cham. https://doi.org/10.1007/978-3-319-27152-1_3
DOI: https://doi.org/10.1007/978-3-319-27152-1_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-27151-4
Online ISBN: 978-3-319-27152-1