Improved authenticated multiple-key agreement protocol without using conventional one-way function

https://doi.org/10.1016/S0096-3003(02)00741-5

Abstract

An authenticated multiple-key agreement protocol enables two entities to authenticate each other and establish multiple common keys in a two-pass interaction, and a protocol that does not use a conventional hash function simplifies its security assumption to a single public hard problem. In 2001, Yen et al. proposed an improved multiple-key agreement protocol to overcome the attacks that break the previous variants. However, the authors show that an impersonator can easily forge a message without being detected, and can establish common session keys with the communicating party. To overcome all of these weaknesses, we propose an improved scheme that also achieves better key utilization than the previous variants.

Introduction

In 1998, Harn and Lin [7] noticed that the conventional one-way function is widely employed in many digital signature schemes [2], [3], [4], [5]. In these schemes, the system becomes insecure against forgery attacks if the conventional one-way function is not used [6], [7], [8], [12]. Furthermore, they also noticed that the security of these conventional one-way hash functions, like MD5 [8], rests on the difficulty of analysing iterated functions rather than on a public hard problem [2], [3], [12] (the discrete logarithm problem is a public hard problem, and can be seen as a one-way function). Thus, a conventional one-way function may seem very difficult to break at first, but may later turn out to be insecure against some special attacks [8]. Therefore, Harn and Lin first proposed an authenticated key agreement protocol without using the conventional one-way function [7]. Moreover, their scheme greatly enhances the efficiency of key agreement by allowing two entities to establish multiple keys, instead of one common key, in a two-pass interaction [7].

Later, Yen and Joye [9] showed that an attacker could easily forge, with high probability, the signature on the exchanged public keys in the Harn–Lin scheme. From this observation, Yen and Joye proposed a modified version. However, Wu et al. [10] found the same weakness in Yen–Joye’s modified version. Wu et al. then proposed their own solution, which relies on a conventional one-way function. Unfortunately, this solution violates Harn–Lin’s original requirement of avoiding the conventional one-way function. Therefore, Yen et al. proposed an improved version without using the one-way function. Their scheme adopts a timestamp to detect replayed messages and to verify that a message is authentic.

In this paper, we show that an impersonator can easily forge a message without being detected, and can share common session keys with the communicating party. That is, the Yen–Sun–Hwang scheme is not secure, like its previous variants. We therefore propose an improved scheme to overcome this weakness. The rest of this article is organized as follows. In Section 2, we briefly review Harn–Lin’s scheme, Yen–Joye’s modified version, Wu et al.’s scheme, and Yen–Sun–Hwang’s scheme. In Section 3, we demonstrate that an impersonator can easily forge a valid message and establish common session keys with the communicating party. In Section 4, we propose our improved scheme, examine its security, and discuss its key utilization. Finally, Section 5 concludes the article.

Section snippets

Review of previous works

In this section, we review the main ideas of those previous works [7], [9], [10], [14].

Impersonation attack and key compromise

In this section, we show that an attacker can easily impersonate A and can establish common session keys with B. That is, Yen–Sun–Hwang’s scheme is not secure.

Suppose that the attacker has eavesdropped a valid message $\{r_{a1}, r_{a2}, s_a, \mathit{Time}_a, \mathrm{cert}(y_a)\}$ from the network. The attacker chooses a random number $k'_{a1}$ and lets $r'_{a1}$ be computed from $k'_{a1}$ modulo $p$ in the same way that $r_{a1}$ is computed from $k_{a1}$. Then he lets $r'_{a2} = (r_{a1} \cdot r_{a2})(r'_{a1})^{-1} \bmod p$ and $\mathit{Time}'_a = r_{a1} \oplus r_{a2} \oplus r'_{a1} \oplus r'_{a2} \oplus \mathit{Time}_a \bmod (p-1)$. For each random $k'_{a1}$, there will be a corresponding set of $\{r'_{a1}, r'_{a2}, \mathit{Time}'_a, s_a\}$,
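The substitution described above leaves two quantities unchanged: the product $r_{a1} r_{a2} \bmod p$ and the XOR $r_{a1} \oplus r_{a2} \oplus \mathit{Time}_a$. Any verification that depends on the message only through those two quantities therefore cannot tell the substituted values from the eavesdropped ones, and that is the property a repaired scheme has to remove by binding each exchanged value individually rather than only their product and XOR. The Python script below is an added illustration of those two invariants; it is not code from the paper and does not implement the Yen–Sun–Hwang verification equation, which is not shown in this excerpt. It assumes (as an assumption, not something stated here) that the public values have the form $g^{k} \bmod p$ for a public base $g$, as in the Harn–Lin family, and it omits the $\bmod (p-1)$ reduction of the XOR expression, so the XOR invariant is checked in the integers.

```python
# Added illustration; not code from the paper. It shows the two quantities the
# substitution in Section 3 preserves: the product r_a1*r_a2 (mod p) and the
# XOR r_a1 ^ r_a2 ^ Time_a. Assumption (not stated in this excerpt): the public
# values are g^k mod p for a public base g, as in the Harn-Lin family.

P = 2**127 - 1  # constructed prime modulus (the Mersenne prime M127)
G = 3           # assumed public base; the invariants below do not depend on it


def honest_values(k1, k2, time_a):
    """The entity's own public values r_a1, r_a2 and its timestamp."""
    return pow(G, k1, P), pow(G, k2, P), time_a


def substituted_values(r1, r2, time_a, k1_prime):
    """Replacement values built exactly as the text describes:
    r'_a1 from a fresh exponent, r'_a2 = r_a1*r_a2*(r'_a1)^-1 mod p,
    Time'_a = r_a1 ^ r_a2 ^ r'_a1 ^ r'_a2 ^ Time_a (the mod p-1 is omitted)."""
    r1p = pow(G, k1_prime, P)
    r2p = (r1 * r2 * pow(r1p, -1, P)) % P  # r1p != 0 mod P, so the inverse exists
    time_p = r1 ^ r2 ^ r1p ^ r2p ^ time_a
    return r1p, r2p, time_p


def product_preserved(r1, r2, r1p, r2p):
    """True iff the new pair has the same product modulo p as the old one."""
    return (r1 * r2) % P == (r1p * r2p) % P


def xor_preserved(r1, r2, t, r1p, r2p, tp):
    """True iff r_a1 ^ r_a2 ^ Time_a is unchanged by the substitution."""
    return (r1 ^ r2 ^ t) == (r1p ^ r2p ^ tp)


def demo(k1=123457, k2=987651, time_a=0x20030101, k1_prime=42):
    """Constructed exponents and timestamp; reports which invariants hold."""
    r1, r2, t = honest_values(k1, k2, time_a)
    r1p, r2p, tp = substituted_values(r1, r2, t, k1_prime)
    return {
        "values_changed": (r1p, r2p, tp) != (r1, r2, t),
        "product_preserved": product_preserved(r1, r2, r1p, r2p),
        "xor_preserved": xor_preserved(r1, r2, t, r1p, r2p, tp),
    }


if __name__ == "__main__":
    # Every invariant holds while the transmitted values differ: a check that
    # binds only the product and the XOR cannot distinguish the two messages.
    print(demo())
```

The defender's takeaway is in the three booleans: the transmitted values change, yet both quantities a product-and-XOR style check would consume stay the same. The paper's repaired scheme (Section 4, not reproduced in this excerpt) is what removes this freedom; the script only makes the algebraic reason for the weakness visible.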

Our improved scheme

We first introduce our modified scheme, and then examine the security and the key utilization.

Conclusions

In this article, we have proposed a secure multiple-key agreement protocol without employing any conventional one-way function, which simplifies its security assumption. The proposed scheme withstands the forgery attack and the replay attack that break its previous variants. Furthermore, the improved scheme achieves better key utilization than the previous variants.

References (14)

  • [1] W. Diffie et al., New directions in cryptography, IEEE Trans. Inform. Theory (1976)
  • [2] T. ElGamal, A public-key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Inform. Theory (1985)
  • [3] K. Nyberg, R.A. Rueppel, Message recovery for signature scheme based on the discrete logarithm problem, in: Advances in...
  • [4] NIST, The digital signature standard by NIST, Comm. ACM (1992)
  • [5] A. Arazi, Integrating a key cryptosystem into the digital signature standard, Electron. Lett. (1993)
  • [6] K. Nyberg et al., Weakness in some recent key agreement protocols, Electron. Lett. (1994)
  • [7] L. Harn, H.Y. Lin, An authenticated key agreement protocol without using one-way function, in: Proceedings of the 8th...
There are more references available in the full text version of this article.

Cited by (9)
