Password authenticated key exchange protocols among diverse network domains

https://doi.org/10.1016/j.compeleceng.2005.03.001

Abstract

Up to now, all papers on password-authenticated key exchange protocols are constrained to two-party or three-party models. Under these two models, the clients are registered with or authenticated by the same server. However, in reality two communicants may be registered under two different servers. In this case, the above models are inefficient or no longer suitable. This paper discusses password-authenticated key exchange protocols in which the two communicants are registered with two distinct servers.

Introduction

Network security consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information. Consider the following examples of security violations:

  • (1) User A transmits a file to user B. The file contains sensitive information that is to be protected from disclosure. User C, who is not authorized to read the file, is able to monitor the transmission and capture a copy of the file during the transmission.

  • (2) A network manager, D, transmits a message to a computer, E, under its management. User F intercepts the message, alters its contents to add or delete entries, and then forwards the message to E, which accepts the message as coming from the manager D and updates its authorization file accordingly.

  • (3) Rather than intercept a message, user F constructs its own message with the desired entries and transmits that message to E as if it had come from manager D. Computer E accepts the message as coming from the manager D and updates its authorization file accordingly.

  • (4) A message is sent from a customer to a stockbroker with instructions for various transactions. Subsequently, the investments lose value and the customer denies sending the message.

Network security is both fascinating and complex. User authentication is the first mechanism in ensuring a secure service. It is a process that verifies a user’s identity to ensure that the person requesting access to the private network is in fact the person to whom entry is authorized. In open distributed network environments, the problem that follows once the parties have authenticated each other is how to protect the sensitive information transmitted between a user and a server. How to efficiently achieve user authentication and protect sensitive information becomes a very important issue. Encryption and integrity checks of transmitted information can be used to protect sensitive data against eavesdropping and modification between a user and a server. Symmetric key based algorithms for encryption and message authentication are the most efficient techniques for encryption and integrity checking. In general, user authentication is usually combined with a key establishment scheme among the parties. A protocol that involves user authentication and key establishment is referred to as an authenticated key exchange protocol (AKE). Password-based mechanisms have been the most widely used method for user authentication since they allow people to choose and remember their own passwords without any assisting device. A protocol that involves password-based user authentication and key establishment is referred to as a password authenticated key exchange protocol (PAKE).

From the viewpoint of session key creation, the protocols can be classified into two flavors: key transfer protocols and key agreement protocols. In a two-party (a server and a client) setting, key transfer means that the session key is created by the server and securely transmitted to the client, and key agreement means that the client and the server both contribute information to derive the common session key. In a three-party (a server and two clients) setting, key transfer means that the session key is created by the server and securely transmitted to the two clients, and key agreement means that both clients contribute information to derive the common session key. In a four-party (two servers and two clients) setting, key transfer means that the session key is negotiated by the two servers and securely transmitted to the two clients, and key agreement means that both clients contribute information to derive the common session key. Compared with key transfer protocols, key agreement protocols are fairer and more secure, while key transfer protocols are more suitable for environments in which the computational capability of the clients is weaker or the server wants to monitor the communication messages.

Consider the scenario in which there are two entities, a client A (Alice) and a server B (Bob), where A holds a password pw shared with B. These two parties would like to engage in a conversation at the end of which each holds a common session key, K, which is known to nobody but the two of them. In recent years, a variety of protocols for authentication and key distribution have been proposed and applied to many communication systems. Diffie and Hellman [1] described how to establish a common session key by exchanging public messages. In 1992, Bellovin and Merritt [2] presented a new protocol known as Encrypted Key Exchange, or EKE for short. EKE can resist password guessing attacks by giving the attacker insufficient information to verify a guessed password. EKE performs a key exchange as well, so both parties can encrypt their transmissions once authentication is established. It is the landmark of two-party authentication and key exchange protocols [2], [3], [4], [5], [6], [7], [8], [9], [10].
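The property stated above, that an eavesdropper gets nothing with which to verify a guessed password, is shown in the following added example (not code from the paper). It assumes a toy 11-bit group and substitutes a multiplicative password mask for EKE's password-keyed cipher; all function names are hypothetical, and the HMAC challenge-response is a constructed contrast case.

```python
import hashlib, hmac, secrets

# Toy parameters, constructed for illustration and far too small for real use:
# safe prime P = 2*Q + 1; G = 4 generates the order-Q subgroup of squares mod P.
P, Q, G = 2039, 1019, 4

def pw_mask(pw):
    """Hash the password to a non-zero element of the order-Q subgroup."""
    h = int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big")
    return pow(h % (P - 1) + 1, 2, P)

def unmask(pw, wire):
    """Strip the mask that `pw` would have applied to a wire value."""
    return wire * pow(pw_mask(pw), -1, P) % P

def masked_share(pw):
    """Return (secret exponent x, wire value g^x * mask(pw) mod P)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P) * pw_mask(pw) % P

def session_key(pw, my_secret, peer_wire):
    """Unmask the peer's value with the password and finish Diffie-Hellman."""
    shared = pow(unmask(pw, peer_wire), my_secret, P)
    return hashlib.sha256(shared.to_bytes(2, "big")).digest()

def naive_response(pw, nonce):
    """Contrast case: a response keyed directly by the password."""
    return hmac.new(pw.encode(), nonce, hashlib.sha256).digest()

def guesses_confirmed_naive(nonce, response, dictionary):
    """Guesses that a recorded (nonce, response) pair confirms offline."""
    return [g for g in dictionary
            if hmac.compare_digest(naive_response(g, nonce), response)]

def guesses_ruled_out_masked(wire, dictionary):
    """Guesses whose unmasked value is not a valid group element.
    Every guess unmasks to a valid element, so none can be eliminated."""
    return [g for g in dictionary if pow(unmask(g, wire), Q, P) != 1]

if __name__ == "__main__":
    words = ["tiger", "lion", "panda", "otter"]   # constructed dictionary
    x, wire_a = masked_share("tiger")             # client A
    y, wire_b = masked_share("tiger")             # server B
    print(session_key("tiger", x, wire_b) == session_key("tiger", y, wire_a))
    nonce = secrets.token_bytes(16)
    print(guesses_confirmed_naive(nonce, naive_response("tiger", nonce), words))
    print(guesses_ruled_out_masked(wire_a, words))
```

In a real deployment the group must be large enough that the Diffie-Hellman problem is hard; otherwise a later key-confirmation message would again let guesses be checked offline.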

On the other hand, Gong et al. [11] proposed a protocol, called the GLNS protocol, in a three-party setting in which two users (A and B) establish a session key through an authentication server S. Timestamps are used in the protocol to guarantee message freshness. By using nonces and confounders, the protocol succeeds in generating a large search space to resist off-line password guessing attacks. Many schemes [8], [11], [12], [13], [14], [15], [16], [17] have been proposed to address this problem.

Up to now, all papers discussing the problems of password-based key exchange are constrained to two-party [2], [3], [5], [6], [7], [9], [10] or three-party [8], [11], [12], [13], [14], [15], [16], [17] models, where the clients are registered and authenticated by the same server. However, in reality, two clients who wish to communicate may be registered under distinct servers. The clients are under their own infrastructure and each trusts only his/her own server. Each client has to be authenticated and certified by his/her own server. In this case, how to efficiently authenticate two communicants via the cooperation of two distinct servers becomes a very important issue. Kerberos [18] allows interoperability among N realms and requires on the order of N^2 Kerberos-to-Kerberos relationships. Although version 5 of Kerberos supports a method that requires fewer relationships, it is still too complicated. The straightforward solution for this problem is to combine multiple two-party PAKE protocols to match the four-party situation. However, the cost is very high. Furthermore, the three-party PAKE, in which all clients are required to register with the same server, is no longer suitable in this environment (two clients are registered under two distinct servers). In this paper, two authentication and key distribution protocols, the four-party key transfer authentication protocol (KTAP) and the four-party key agreement authentication protocol (KAAP), are proposed to solve this problem.

The remainder of this paper is organized as follows. In Section 2, we briefly describe the security requirements and notations used in this paper. In Sections 3 and 4, the four-party KTAP and four-party KAAP will be presented. Then, a straightforward solution using a basic two-party EKE is compared to the new scheme in Section 5. Finally, we will give a conclusion to this paper in Section 5.

Section snippets

Security requirements and notations

In this section, we briefly describe the security requirements and notations used in this paper.

Description of four-party KTAP

In this section, a new key transfer authentication scheme is proposed for supporting four parties to generate a session key. The four parties consist of two clients requesting the session key and two servers whose duties are to authenticate the clients under their jurisdiction and to assist in generating the session key.

Our idea of this kind of protocol is divided into two parts, one is the clients’ tasks and the other is the servers’ assignments. The clients only present their

Description of four-party KAAP

A new key agreement authentication scheme (four-party KAAP) is proposed. The new scheme can be used to generate a secure session key between two communicants A and B registering under two distinct authentication servers SA and SB respectively. The duty of these servers is to authenticate the clients and to help generate the session key for the clients. We assume that the public key PSA of SA is known to all clients who are registered in the server SA and PSB of SB is known to all clients who

Comparison of the new schemes to a straightforward solution

One straightforward solution for this problem is to combine three two-party PAKE protocols, i.e., A and SA authenticate each other and agree on a session key, say KA by using a two-party PAKE; so do B and SB who authenticate each other and agree on a session key, say KB; and then SA and SB authenticate each other and agree on a session key, say KAB, by using the two-party PAKE once again.

The main advantage of this approach is that we can employ the formally proved secure two-party PAKE

Conclusions

EKE was first proposed to be used between two parties to generate a session key with an easy-to-remember password. Later, three-party authenticated key exchange protocols were proposed to establish a session key between two clients through an authentication server. In this paper, we further extend EKE to a four-party situation where each communicant can register with a server whom she/he trusts. The proposed schemes are compared to a straightforward solution using three two-party EKE schemes.

References (19)

  • W. Diffie et al. New directions in cryptography. IEEE Trans Inform Theory (1976)
  • Bellovin SM, Merritt M. Encrypted key exchange: password-based protocols secure against dictionary attacks. In: IEEE...
  • Bellovin SM, Merritt M. Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks...
  • Boyko V, MacKenzie P, Patel S. Provably secure password-authenticated key exchange using Diffie–Hellman. In: Advances...
  • D. Jablon. Strong password-only authenticated key exchange. ACM Comput Commun Rev (1996)
  • Jablon D. Extended password key exchange protocols immune to dictionary attack. In: Proceedings of the WETICE’97...
  • J. Katz et al. Efficient password-authenticated key exchange using human-memorable passwords. Adv Cryptol–EUROCRYPT’01 (2001)
  • T. Kwon et al. Authentication key exchange protocols resistant to password guessing attacks. IEE Commun (1998)
  • Lucks S. Open key exchange: how to defeat dictionary attacks without encrypting public keys. In: Proceedings of the...
There are more references available in the full text version of this article.

Cited by (13)

  • An inter-domain authentication scheme for pervasive computing environment

    2010, Computers and Mathematics with Applications
    Citation Excerpt :

    A large amount of message exchange brings about long time delay. Yeh and Sun [8] proposed two four-party password-based authentication and key establishment protocols, which need public key infrastructure to distribute and verify the servers’ public keys for the clients. This is a significant requirement for standard password-based authentication protocols in wired network applications, but less desirable for lightweight computing environments.

  • Security in network functions virtualization

    2017, Security in Network Functions Virtualization

Her-Tyan Yeh was born in Tainan, Taiwan, in 1965. He received his B.S. degree from the Department of Information Science, Soochow University, in 1987, his M.S. degree from the Department of Computer Science and Information Engineering, National Taiwan University, in 1995, and his Ph.D. degree from the Department of Computer Science and Information Engineering, National Cheng Kung University, in 2003. He is now an associate professor with the Department of Information and Communication, Southern Taiwan University of Technology. His research interests include cryptography, information security, network security and computer communication.

Hung-Min Sun received his B.S. degree in applied mathematics from National Chung-Hsing University in 1988, his M.S. degree in applied mathematics from National Cheng Kung University in 1990, and his Ph.D. degree in computer science and information engineering from National Chiao-Tung University in 1995. Currently he is an associate professor with the Department of Computer Science, National Tsing Hua University. His research interests include cryptography, information theory, network security, and image compression.