Cryptanalysis of Lee–Hwang–Li's key authentication scheme

https://doi.org/10.1016/j.amc.2003.12.012

Abstract

Key authentication is very important in secret communications and data security. Recently, Lee, Hwang and Li proposed a new public key authentication scheme for cryptosystems with a trusted server. However, in this paper, we show that Lee–Hwang–Li's key authentication scheme is not secure: from the obtained public information, anyone can get the private key of the user. We then propose an improved scheme. We conclude that our new key authentication scheme not only resolves the problems that appeared but also is secure.

Introduction

Public key cryptography was introduced by Diffie and Hellman in 1976 [1]. In such a cryptosystem, each user has two keys: a public key and a private key. There is a possible danger in a public key cryptosystem: an intruder can revise the public key in the public key directory and substitute the public key of a target user. In this way, the intruder can impersonate the public key of this target user and, hence, raise the security threat of fabrication. The purpose of key authentication is to verify the public key of a legal user and prevent a forged public key. Therefore, key authentication is very important in secret communications and data security.

Many key authentication schemes have been proposed. In 1996, Horng and Yang [2] proposed a key authentication scheme based on the discrete logarithm problem, but three years later, Zhan et al. [3] pointed out that Horng–Yang's scheme could not withstand the guessing attack [4] and gave an improved scheme. In [5], Lee, Hwang and Li showed that Zhan et al.'s improved scheme did not achieve non-repudiation of the user's public key (i.e., a dishonest legal user can deny his public key), and proposed a new public key authentication scheme for cryptosystems with a trusted server. Their scheme is also based on the discrete logarithm, and in their scheme the certificate of the public key is a combination of the user's password and private key. The authors claimed that their scheme was secure. However, in this paper, we shall show that Lee–Hwang–Li's key authentication scheme is not secure: from the obtained public information, anyone can get the private key of the user. We then propose an improved scheme. Through our analysis, our new key authentication scheme not only resolves the problems that appeared but also is secure.

The organization of this paper is as follows: In Section 2 we describe Lee–Hwang–Li's key authentication scheme, and in Section 3 we propose an attack on this scheme. We propose a new key authentication scheme in Section 4 and analyse it in Section 5. We make concluding remarks in the final section.

Lee–Hwang–Li's key authentication scheme

First of all, we briefly review Lee–Hwang–Li's key authentication scheme, using the same notation as in [5].

The user of the system has $Prv$ as his/her private key and $PWD$ as his/her password. Let the user's public key $Pub$ be $Pub = g^{Prv} \bmod p$, where $p$ is a large prime and $g$ is a generator in $Z_p$. The values $p$, $g$ and the one-way function $f$ defined by $f(x) = g^{x} \bmod p$ are public parameters.

In the user's registration phase, each user chooses a random number $r \in Z_p$ such that $\gcd(PWD + r, Prv) = 1$, and then calculates $f(PWD + r)$. When $\gcd((PWD$

An attack on Lee–Hwang–Li scheme

In this section, we propose an attack on Lee–Hwang–Li's key authentication scheme. With our attack, anyone can recover the private key of any user in their system. The details of our attack are as follows:

Anyone, say Alice, can obtain the public information $C$, $Pub$, $a$, $b$ and $f(PWD + r)$ of any user from the public directory in the network and the public password table in the server. We know that $C = \frac{PWD + r}{f(PWD + r) + Prv} \bmod (p - 1)$. So we have $C \times (f(PWD + r) + Prv) = (PWD + r) \bmod (p - 1)$, i.e., $Prv = C^{-1} \times (PWD$

Improved scheme

In this section, we propose an improved key authentication scheme.

The system parameters of our key authentication scheme are as follows: Let $p$ and $q$ be prime numbers such that $q \mid p - 1$, and let $g$ be a generator of order $q$ in $Z_p$. The one-way function $f$ is defined by $f(x) = g^{x} \bmod p$. The user of the system has $Prv$ as his/her private key and $PWD$ as his/her password. Let the user's public key $Pub$ be $Pub = g^{Prv} \bmod p$. In the user's registration phase, the certificate of the public key of the user is generated by

Analysis of the new scheme

Our scheme provides verification of a user's public key. Preventing the impersonation of a public key rests on the difficulty of the discrete logarithm problem. If an intruder attempts to forge a user's public key, i.e. wants to substitute a false key $Pub_{false}$ for the user's public key, then the false certificate $C_{false}$ must satisfy the key authentication equation $f(C_{false}) = f(PWD + r) \times Pub_{false}^{Pub_{false}} \bmod p$. To find $C_{false}$, the intruder has to compute $C_{false} = f^{-1}(f(PWD + r) \times Pub_{false}$
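To make the key authentication equation of Sections 4 and 5 concrete, the following toy instance is an added example, not code from the paper. The parameters p, q, g and the user's secrets are constructed small values, and the certificate formula C = PWD + r + Prv·Pub mod q is an assumption derived from the verification equation, since the snippet cuts off the generation step.

```python
# Toy instance of the improved scheme's key authentication equation:
#     f(C) = f(PWD + r) * Pub^Pub mod p,  with f(x) = g^x mod p, g of order q, q | p-1.
# Constructed toy parameters: 11 divides 22, and 2 has order 11 modulo 23.
# Real deployments need p and q large enough that the discrete log is infeasible.
P, Q, G = 23, 11, 2

if G == 1 or pow(G, Q, P) != 1:          # sanity: g must generate the order-q subgroup
    raise ValueError("g is not an element of order q")


def f(x: int) -> int:
    """The paper's one-way function f(x) = g^x mod p."""
    return pow(G, x, P)


def register(prv: int, pwd: int, r: int):
    """Return (Pub, f(PWD+r), C) for a user.

    Assumption (the snippet cuts off the generation formula): C is the exponent
    that satisfies the Section 5 equation, C = PWD + r + Prv*Pub mod q, because
    g^C = g^(PWD+r) * (g^Prv)^Pub holds exactly when C matches modulo q.
    """
    pub = pow(G, prv, P)
    c = (pwd + r + prv * pub) % Q
    return pub, f(pwd + r), c


def verify(pub: int, f_pwd_r: int, c: int) -> bool:
    """Verifier's check of a claimed (Pub, C) against the stored f(PWD+r).

    Added practitioner check: Pub must lie in the order-q subgroup, otherwise the
    verifier accepts a key outside the group the security argument assumes.
    """
    if not (1 < pub < P and pow(pub, Q, P) == 1):
        return False
    return f(c) == (f_pwd_r * pow(pub, pub, P)) % P


def demo():
    pub, f_pwd_r, c = register(prv=4, pwd=5, r=3)   # honest user, constructed secrets
    honest = verify(pub, f_pwd_r, c)                # genuine certificate verifies
    # An intruder who substitutes Pub_false = g^9 would need C_false = f^{-1}(...),
    # i.e. a discrete log; reusing the genuine C with the false key must fail.
    pub_false = pow(G, 9, P)
    forged = verify(pub_false, f_pwd_r, c)
    return pub, f_pwd_r, c, honest, forged


if __name__ == "__main__":
    print(demo())
```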

Conclusion

In this paper, we have shown that Lee–Hwang–Li's key authentication scheme is not secure: from the obtained public information, anyone can get the private key of the user. We then proposed an improved scheme, and also gave an ECC version of our new scheme. We conclude that our new key authentication scheme not only withstands the guessing attack but also achieves non-repudiation of the user's public key.

References (7)
