
Available online at www.sciencedirect.com

SciVerse ScienceDirect

Procedia Engineering 15 (2011) 1416-1420

www.elsevier.com/locate/procedia

Advanced in Control Engineering and Information Science

Cryptanalysis of an efficient password-based group key agreement protocol

Wei Yuan, Liang Hu, Hongtu Li, Jianfeng Chu*

College of Computer Science and Technology, Jilin University, Changchun 130012, China

Abstract

Password-based group key agreement protocols are a fundamental component of communication systems. In 2009, Zheng et al. proposed an efficient and provably secure password-based group key agreement protocol and claimed that it is secure in the ideal-cipher and random-oracle models under the DDH assumption. In this paper we present an online dictionary attack against Zheng et al.'s protocol in which an adversary can test more than one password in a single session. If the number of users is small, this attack does not lead to a security problem; if many users participate in the protocol, however, the problem cannot be ignored.

© 2011 Published by Elsevier Ltd. Selection and/or peer-review under responsibility of [CEIS 2011]

Keywords: Group key agreement; password-based; cryptanalysis; ideal-cipher model; random oracle model

1. Introduction

Group key agreement protocols allow a group of users to agree on a session key and provide implicit key authentication, which only ensures secrecy of the session key against a passively eavesdropping adversary. Authenticated group key agreement protocols further allow these users to agree upon a session key even in the presence of active adversaries. Since the first two-party key agreement protocol [1] was proposed by Diffie and Hellman in 1976, many papers [2,3,4,5] have extended it to the group setting.

* Corresponding author: Jianfeng Chu, Tel: +86-139-4416-8927. E-mail address: chujf@jlu.edu.cn.

1877-7058 © 2011 Published by Elsevier Ltd. doi:10.1016/j.proeng.2011.08.262

Among these approaches, a password is one of the most convenient means of authenticating the agreement of a session key in the absence of a PKI or pre-distributed symmetric keys. Since password-based authenticated key agreement protocols only require users to remember a human-memorable (low-entropy) password, they are widely used in Internet systems such as Kerberos and KryptoKnight. However, because of this low entropy, password-based group key agreement protocols are easily exposed to dictionary attacks.

Dictionary attacks are usually divided into two classes, online and offline. In an online dictionary attack, the adversary tries one guessed password at a time by participating in a run of the key agreement protocol; if the attempt fails, he initiates a new session with the next guess until he finds the correct password [6]. In an offline dictionary attack, the adversary selects a password from his dictionary, sends the message he generates with it to the other users, and then tests every password in the dictionary against the responses he recorded, without any further interaction.

In 2009, Zheng et al. [7] proposed a provably secure password-based group key agreement protocol based on Horng's group key agreement protocol [8] and proved it secure against offline dictionary attacks in the ideal-cipher and random-oracle models under the DDH assumption. In this paper we present a new online dictionary attack against Zheng et al.'s protocol in which an adversary can test more than one password per session. If the number of users is very small, the attack does not lead to a security problem; if many users participate in the protocol, however, the problem cannot be ignored.

2. Preliminaries

2.1. Computational assumptions

• Decisional Diffie-Hellman (DDH) problem

Let $G$ be a finite cyclic group of prime order $q$ with generator $g$. Given $\Gamma_{real} = (g, g^{x}, g^{y}, g^{xy})$ and $\Gamma_{rand} = (g, g^{x}, g^{y}, g^{z})$, where $x, y, z \in \mathbb{Z}_q$, it is difficult to distinguish $g^{xy}$ from $g^{z}$. Formally, the advantage of an adversary $\mathcal{A}$ is $\mathrm{Adv}^{DDH}_{G}(\mathcal{A}) = |\Pr[\mathcal{A}(\Gamma_{real}) = 1] - \Pr[\mathcal{A}(\Gamma_{rand}) = 1]|$. We say that the DDH problem is hard in $G$ if $\mathrm{Adv}^{DDH}_{G}(\mathcal{A})$ is negligible for every probabilistic polynomial-time adversary $\mathcal{A}$. $\mathrm{Adv}^{DDH}_{G}(t)$ denotes the maximum of $\mathrm{Adv}^{DDH}_{G}(\mathcal{A})$ over all adversaries $\mathcal{A}$ running in time at most $t$.

• Multi-Decisional Diffie-Hellman (MDDH) assumption

Given $\Gamma_{real} = (g, \{g^{x_i}\}_{1 \le i \le n}, g^{x_1 x_2 \cdots x_n})$ and $\Gamma_{rand} = (g, \{g^{x_i}\}_{1 \le i \le n}, g^{y})$, where $x_1, \ldots, x_n, y \in \mathbb{Z}_q$, it is difficult to distinguish $g^{x_1 x_2 \cdots x_n}$ from $g^{y}$. Define the advantage $\mathrm{Adv}^{MDDH}_{G}(\mathcal{A}) = |\Pr[\mathcal{A}(\Gamma_{real}) = 1] - \Pr[\mathcal{A}(\Gamma_{rand}) = 1]|$. The MDDH problem is hard in $G$ if $\mathrm{Adv}^{MDDH}_{G}(\mathcal{A})$ is negligible for every probabilistic polynomial-time adversary $\mathcal{A}$; $\mathrm{Adv}^{MDDH}_{G}(t)$ is the maximum of $\mathrm{Adv}^{MDDH}_{G}(\mathcal{A})$ over all adversaries running in time at most $t$.

2.2. Security model

A protocol $P$ for password-based group key agreement assumes a set $U = \{U_1, \ldots, U_n\}$ of $n$ users who share a low-entropy secret password $pw$, drawn uniformly from a small dictionary of size $N$. The security model allows concurrent executions of the protocol among the $n$ users, so each user may have several instances, called oracles, involved in distinct executions. We denote the $j$-th instance of $U_i$ by $U_i^j$. During the execution of the protocol the adversary is given control over all communication in the network. The interaction between the adversary and the users takes place only via oracle queries, which model the adversary's capabilities in a real attack. The queries are as follows:

Send($U_i^j$, $m$): The adversary carries out an active attack with this query. Its output is the response generated by instance $U_i^j$ upon receipt of message $m$, according to the protocol $P$. The adversary may prompt an unused instance $U_i^j$ to initiate the protocol by invoking Send($U_i^j$, start).

Test($U_i^j$): This query models the misuse of the session key held by instance $U_i^j$. Once the instance has accepted a session key, the adversary may try to distinguish it from a random key; this is the basis for defining the security of the protocol. A random bit $b$ is chosen; if $b = 0$ the session key is returned, and if $b = 1$ a random key is returned. The random keys must be consistent among the users of the same session. A random key is therefore simulated by evaluating a random function on the view a user has of the session: all participants of a session have the same view and thus receive the same random key, which is independent of the actual view.

Finally the adversary outputs a guess bit $b'$. The adversary is said to win the game if $b' = b$, where $b$ is the hidden bit used by the Test oracle.

In the Real-or-Random (ROR) model, the adversary may ask Execute, Send and Test queries. Execute queries were introduced to model passive attacks, but they can easily be simulated using Send queries.

2.3. Review of Horng's protocol

In 2001, Horng [8] proposed an efficient GKA protocol based on the BD protocol [9] and indicated that it is secure against passive attacks under the DDH assumption. It proceeds as follows.

Step 1. Each user $u_i$ chooses $x_i \in \mathbb{Z}_q$, computes and broadcasts $y_i = g^{x_i} \bmod p$.

Step 2. After receiving all $y_j$ ($1 \le j \le n$, $j \ne i$), each $u_i$ ($1 < i < n$) computes $z_i = (y_{i-1} \cdot y_{i+1})^{x_i} \bmod p$. Note that $u_1$ chooses $R_1 \in G_q$ and computes $z_1 = R_1 \cdot y_2^{x_1} \bmod p$, and $u_n$ chooses $R_n \in G_q$ and computes $z_n = R_n \cdot y_{n-1}^{x_n} \bmod p$. Then each $u_i$ ($1 \le i \le n$) broadcasts $z_i$.

Step 3. After receiving all $z_j$ ($1 \le j \le n$, $j \ne i$), $u_i$ computes the session key as

$$K_i = \begin{cases} \tilde{g}^{-1} \prod_{j=1}^{n/2-1} z_{2j+1} \bmod p & \text{if } n \text{ is even} \\ \prod_{j=1}^{(n-1)/2} z_{2j} \bmod p & \text{if } n \text{ is odd} \end{cases} = g^{x_1 x_2 + x_2 x_3 + \cdots + x_{n-1} x_n} \bmod p,$$

where $\tilde{g} = g^{-x_1 x_2} \bmod p$. Therefore, once $\tilde{g}$ is known, the session key $K_i$ is easy to compute. The computation of $\tilde{g}$ differs from user to user: $u_1$ computes $\tilde{g} = y_2^{-x_1} \bmod p$, $u_2$ computes $\tilde{g} = y_1^{-x_2} \bmod p$, $u_3$ computes $\tilde{g} = y_2^{x_3} / z_2 \bmod p$, and $u_i$ ($4 \le i \le n$) computes

$$\tilde{g} = \begin{cases} \dfrac{\prod_{j=1}^{(i-2)/2} z_{2j+1}}{y_{i-1}^{x_i} \prod_{j=1}^{(i-2)/2} z_{2j}} \bmod p & \text{if } i \text{ is even} \\[2ex] \dfrac{y_{i-1}^{x_i} \prod_{j=1}^{(i-3)/2} z_{2j+1}}{\prod_{j=1}^{(i-1)/2} z_{2j}} \bmod p & \text{if } i \text{ is odd.} \end{cases}$$
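The following Python is an added example, not code from Horng's paper or from the present authors. It runs Steps 1 to 3 above for a group of n users and checks that every user, after recovering $\tilde{g} = g^{-x_1 x_2}$ by its own route, obtains the same $K_i = g^{x_1 x_2 + \cdots + x_{n-1} x_n}$; the toy parameters p = 2039, q = 1019, g = 4 and the seeded random exponents are constructed for the demonstration and are far too small for real use.

```python
import random

# Toy group (constructed for this example): p = 2q + 1 with q prime,
# g = 4 generates the order-q subgroup of quadratic residues mod p.
P, Q, G = 2039, 1019, 4


def inv(a):
    return pow(a, P - 2, P)


def prod(seq):
    out = 1
    for v in seq:
        out = out * v % P
    return out


def horng_round1(n, rng):
    """Step 1: every u_i picks x_i in Z_q and broadcasts y_i = g^x_i mod p (1-indexed lists)."""
    xs = [None] + [rng.randrange(1, Q) for _ in range(n)]
    ys = [None] + [pow(G, xs[i], P) for i in range(1, n + 1)]
    return xs, ys


def horng_round2(n, xs, ys, rng):
    """Step 2: z_i = (y_{i-1} y_{i+1})^x_i; u_1 and u_n blind their missing side with R_1, R_n."""
    zs = [None] * (n + 1)
    r1 = pow(G, rng.randrange(1, Q), P)
    rn = pow(G, rng.randrange(1, Q), P)
    zs[1] = r1 * pow(ys[2], xs[1], P) % P
    zs[n] = rn * pow(ys[n - 1], xs[n], P) % P
    for i in range(2, n):
        zs[i] = pow(ys[i - 1] * ys[i + 1] % P, xs[i], P)
    return zs


def g_tilde(i, n, xs, ys, zs):
    """u_i recovers g~ = g^{-x_1 x_2} from its own x_i and the broadcast y_j, z_j."""
    if i == 1:
        return inv(pow(ys[2], xs[1], P))
    if i == 2:
        return inv(pow(ys[1], xs[2], P))
    if i == 3:
        return pow(ys[2], xs[3], P) * inv(zs[2]) % P
    a = pow(ys[i - 1], xs[i], P)                     # g^{x_{i-1} x_i}
    if i % 2 == 0:
        m = (i - 2) // 2
        num = prod(zs[2 * j + 1] for j in range(1, m + 1))
        den = a * prod(zs[2 * j] for j in range(1, m + 1)) % P
    else:
        num = a * prod(zs[2 * j + 1] for j in range(1, (i - 3) // 2 + 1)) % P
        den = prod(zs[2 * j] for j in range(1, (i - 1) // 2 + 1))
    return num * inv(den) % P


def session_key(i, n, xs, ys, zs):
    """Step 3: K_i = g^{x_1 x_2 + x_2 x_3 + ... + x_{n-1} x_n} mod p, as computed by u_i."""
    if n % 2 == 0:
        gt = g_tilde(i, n, xs, ys, zs)
        return inv(gt) * prod(zs[2 * j + 1] for j in range(1, n // 2)) % P
    return prod(zs[2 * j] for j in range(1, (n - 1) // 2 + 1))


def run(n, seed=1):
    """Run the protocol for n users; return every user's key and the expected value."""
    rng = random.Random(seed)
    xs, ys = horng_round1(n, rng)
    zs = horng_round2(n, xs, ys, rng)
    keys = [session_key(i, n, xs, ys, zs) for i in range(1, n + 1)]
    expected = pow(G, sum(xs[i] * xs[i + 1] for i in range(1, n)) % Q, P)
    return keys, expected


if __name__ == "__main__":
    for n in range(2, 10):
        keys, expected = run(n, seed=n)
        print(n, "users:", "all agree" if keys == [expected] * n else "MISMATCH")
```

The even-n and odd-n branches are exercised separately: for odd n the product of the even-indexed $z_{2j}$ already equals $K$, while for even n the blinding factors $R_1$ and $R_n$ force every user to strip $\tilde{g}$ out first, which is why each user needs its own route to $\tilde{g}$.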

3. Review of Zheng et al.'s protocol

The following notation is used throughout Zheng et al.'s protocol:

$q$: a large prime.

$p$: a large prime such that $p = 2q + 1$.

$G$: the subgroup of quadratic residues in $\mathbb{Z}_p^*$, that is $G = \{ i^2 \mid i \in \mathbb{Z}_p^* \}$.

$g$: a generator of the subgroup $G$.

$\mathcal{E}_k$, $\mathcal{D}_k$: encryption and decryption of an ideal-cipher system under key $k$, where $k$ is an $l$-bit key.

Three hash functions $\{0,1\}^* \to \{0,1\}^l$: $H$, used to derive the symmetric (cipher) keys; one used to derive the session key; and one used for the key confirmations.

Suppose $n$ players share a low-entropy password $pw$, uniformly drawn from a small dictionary of size $N$, and wish to agree on a high-entropy common session key. Zheng et al.'s password-based GKA protocol is obtained from the non-authenticated GKA protocol of Horng [8] by adding a password-encrypted authentication mechanism. The protocol proceeds as follows:

Step 1. Each player $u_i$ ($1 \le i \le n$) chooses a random nonce $N_i$ and broadcasts $(U_i, N_i)$. Upon receiving all $(U_j, N_j)$ ($1 \le j \le n$, $j \ne i$), $u_i$ sets the session identifier $S = \{(U_i, N_i) \mid 1 \le i \le n\}$.

Step 2. Each player $u_i$ chooses $x_i \in \mathbb{Z}_q$, computes and broadcasts $z_i^* = \mathcal{E}_{k_i}(z_i)$, where $z_i = g^{x_i} \bmod p$ and $k_i = H(S, i, pw)$.

Step 3. Each player $u_i$ decrypts $z_{i-1} = \mathcal{D}_{k_{i-1}}(z_{i-1}^*)$ and $z_{i+1} = \mathcal{D}_{k_{i+1}}(z_{i+1}^*)$. Then $u_1$ computes the left key $z_1^L = R_1$ and the right key $z_1^R = z_2^{x_1} \bmod p$, where $R_1 \in G$; $u_i$ ($1 < i < n$) computes the left key $z_i^L = z_{i-1}^{x_i} \bmod p$ and the right key $z_i^R = z_{i+1}^{x_i} \bmod p$; $u_n$ computes the left key $z_n^L = z_{n-1}^{x_n} \bmod p$ and the right key $z_n^R = R_n$, where $R_n \in G$. Each player $u_i$ ($1 \le i \le n$) then computes and broadcasts $X_i = z_i^L z_i^R \bmod p$. Note that $z_i^R = z_{i+1}^L$.

Step 4. Each player $u_i$ computes $K_i = g^{x_1 x_2 + x_2 x_3 + \cdots + x_{n-1} x_n} \bmod p$ exactly as in Step 3 of Horng's protocol (with the $X_j$ in the role of Horng's $z_j$), then computes and broadcasts his key confirmation, the hash of $(S, i, \alpha, k_i)$ under the key-confirmation hash function, where $\alpha = \{(z_j^*, z_j) \mid 1 \le j \le n\}$.

Step 5. After receiving and checking all key confirmations, player $u_i$ computes the session key $sk$ as the hash of $(S, \beta, K_i)$ under the session-key hash function, where $\beta$ consists of the triples $(z_j^*, z_j, \text{key confirmation of } u_j)$ for $1 \le j \le n$.

4. Cryptanalysis of Zheng et al.'s protocol

First, the adversary starts a session in which the honest players have indices of the form $3(i-1)+2$ for $i = 1, \ldots, k$, and the adversary himself plays the roles of players $3(i-1)+1$ and $3(i-1)+3$; there are $3k$ players in all. Let $\{pw_1, \ldots, pw_m\}$ be the list of candidate passwords the adversary wants to try. He picks $k$ of them to test in this one session and proceeds as follows.

1. He chooses $2k$ random nonces and, once the honest players have broadcast theirs, sets $S = \{(U_i, N_i) \mid 1 \le i \le 3k\}$.

2. He chooses $2k$ random numbers $x_1, x_3, \ldots, x_{3(k-1)+1}, x_{3(k-1)+3} \in \mathbb{Z}_q$, computes the corresponding $z_i = g^{x_i} \bmod p$ and $z_i^* = \mathcal{E}_{k_i}(z_i)$, where $k_{3(i-1)+1} = H(S, 3(i-1)+1, pw_i)$ and $k_{3(i-1)+3} = H(S, 3(i-1)+3, pw_i)$ for $i = 1, \ldots, k$, and broadcasts the $z_i^*$. Both neighbours of honest player $3(i-1)+2$ thus use the same guess $pw_i$.

3. After honest player $3(i-1)+2$ has broadcast $X_{3(i-1)+2}$, he decrypts that player's ciphertext with the guessed password, $z_{3(i-1)+2} = \mathcal{D}_{k_{3(i-1)+2}}(z_{3(i-1)+2}^*)$ with $k_{3(i-1)+2} = H(S, 3(i-1)+2, pw_i)$, computes $z_{3(i-1)+1}^R = z_{3(i-1)+2}^{x_{3(i-1)+1}} \bmod p$ and $z_{3(i-1)+3}^L = z_{3(i-1)+2}^{x_{3(i-1)+3}} \bmod p$, and checks whether $z_{3(i-1)+1}^R \cdot z_{3(i-1)+3}^L = X_{3(i-1)+2} \bmod p$. If $pw_i = pw$, the honest player decrypted the adversary's values correctly and the equation holds; otherwise it fails except with negligible probability. Therefore the adversary can strike $k$ candidate passwords from his list with the messages of a single session.

5. The countermeasures

Step 1. Each player $u_i$ ($1 \le i \le n$) chooses a random nonce $N_i$ and broadcasts $(U_i, N_i)$. Upon receiving all $(U_j, N_j)$ ($1 \le j \le n$, $j \ne i$), $u_i$ sets $S = \{(U_i, N_i) \mid 1 \le i \le n\}$.

Step 2. Each player $u_i$ chooses $x_i \in \mathbb{Z}_q$, computes and broadcasts $z_i^* = \mathcal{E}_{k_i}(z_i \| k_i)$, where $z_i = g^{x_i} \bmod p$ and $k_i = H(S, i, pw)$.

Step 3. Each player $u_i$ decrypts $z_{i-1} \| k_{i-1} = \mathcal{D}_{k_{i-1}}(z_{i-1}^*)$ and $z_{i+1} \| k_{i+1} = \mathcal{D}_{k_{i+1}}(z_{i+1}^*)$, and checks whether $k_{i-1} = H(S, i-1, pw)$ and $k_{i+1} = H(S, i+1, pw)$. Only if both equations hold does $u_i$ continue: $u_1$ computes the left key $z_1^L = R_1$ and the right key $z_1^R = z_2^{x_1} \bmod p$, where $R_1 \in G_q$; $u_i$ ($1 < i < n$) computes the left key $z_i^L = z_{i-1}^{x_i} \bmod p$ and the right key $z_i^R = z_{i+1}^{x_i} \bmod p$; $u_n$ computes the left key $z_n^L = z_{n-1}^{x_n} \bmod p$ and the right key $z_n^R = R_n$, where $R_n \in G_q$. Each player $u_i$ ($1 \le i \le n$) then computes and broadcasts $X_i = z_i^L z_i^R \bmod p$. Note that $z_i^R = z_{i+1}^L$.

Step 4. Each player $u_i$ computes $K_i = g^{x_1 x_2 + x_2 x_3 + \cdots + x_{n-1} x_n} \bmod p$ exactly as in Step 3 of Horng's protocol, then computes $sk$ as the hash of $(S, K_i)$ under the session-key hash function.
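As an added example (not the paper's code and not Zheng et al.'s), the following Python models Steps 1 to 3 of Zheng et al.'s protocol from Section 3, the Section 4 adversary and the Section 5 countermeasure. It assumes a toy group (a 73-bit safe prime $p = 2q+1$ generated at run time, $g = 4$), SHA-256 in place of $H$, and an XOR keystream cipher in place of the ideal cipher; the candidate passwords and the seeds are constructed for the demonstration. attack() returns the candidates the adversary could not rule out and the number of honest players that refused to broadcast $X_j$.

```python
import hashlib
import random

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # Miller-Rabin is exact below 3.3e24


def is_prime(n):
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits, rng):
    """Toy parameter generation: p = 2q + 1 with q prime (not for real use)."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = safe_prime(72, random.Random(2011))
G = 4            # 2^2 is a quadratic residue, so it generates the order-q subgroup
NB = 16          # bytes used to encode a group element (P < 2^73)


def H(*parts):
    """Stand-in for H(S, i, pw): SHA-256 over the string encoding of the parts."""
    return hashlib.sha256("|".join(map(str, parts)).encode()).digest()


def xor_cipher(key, data):
    """Stand-in for E_k and D_k: XOR with a SHAKE-256 keystream (a keyed permutation, not an ideal cipher)."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))


def step2_ciphertext(S, i, x_i, pw, tagged):
    """z_i* = E_{k_i}(z_i) in the original protocol; E_{k_i}(z_i || k_i) with the countermeasure."""
    k = H(S, i, pw)
    z = pow(G, x_i, P).to_bytes(NB, "big")
    return xor_cipher(k, z + k if tagged else z)


def open_ciphertext(S, idx, ct, pw, tagged):
    """Decrypt player idx's z*; with the countermeasure also verify the embedded tag k_idx."""
    k = H(S, idx, pw)
    pt = xor_cipher(k, ct)
    if tagged and pt[NB:] != k:
        return None                                   # tag mismatch: neighbour used another password
    return int.from_bytes(pt[:NB], "big") % P


def attack(candidates, pw, tagged, seed=7):
    """Section 4 adversary: plays u_{3(i-1)+1} and u_{3(i-1)+3} around honest u_{3(i-1)+2},
    using candidate pw_i for both; returns (candidates not ruled out, honest aborts)."""
    rng = random.Random(seed)
    k = len(candidates)
    n = 3 * k
    S = tuple((f"U{i}", rng.getrandbits(64)) for i in range(1, n + 1))      # Step 1
    x = {i: rng.randrange(1, Q) for i in range(1, n + 1)}
    ct = {}
    for i, guess in enumerate(candidates, 1):                                 # Step 2
        j = 3 * (i - 1) + 2
        ct[j - 1] = step2_ciphertext(S, j - 1, x[j - 1], guess, tagged)     # adversary
        ct[j + 1] = step2_ciphertext(S, j + 1, x[j + 1], guess, tagged)     # adversary
        ct[j] = step2_ciphertext(S, j, x[j], pw, tagged)                    # honest u_j
    survivors, aborts = [], 0
    for i, guess in enumerate(candidates, 1):                                 # Step 3
        j = 3 * (i - 1) + 2
        left = open_ciphertext(S, j - 1, ct[j - 1], pw, tagged)   # honest u_j opens both
        right = open_ciphertext(S, j + 1, ct[j + 1], pw, tagged)  # neighbours with the real pw
        if left is None or right is None:
            aborts += 1                                # countermeasure: u_j never broadcasts X_j
            continue
        X_j = pow(left, x[j], P) * pow(right, x[j], P) % P         # X_j = z_j^L * z_j^R
        # Adversary: open u_j's ciphertext under the same guess and test
        # z_j^{x_{j-1}} * z_j^{x_{j+1}} == X_j, which holds iff guess == pw.
        z_j = open_ciphertext(S, j, ct[j], guess, tagged)
        if z_j is not None and pow(z_j, x[j - 1] + x[j + 1], P) == X_j:
            survivors.append(guess)
    return survivors, aborts


if __name__ == "__main__":
    cands = ["hunter2", "letmein", "correct horse", "qwerty"]
    print("original:      ", attack(cands, "correct horse", tagged=False))
    print("countermeasure:", attack(cands, "correct horse", tagged=True))
```

With tagged=False every wrong guess is eliminated by the $X_j$ check, so $k$ passwords fall in one session; with tagged=True each honest player's tag check fails first and $X_j$ is never broadcast, which is what the countermeasure relies on. Note that the check is made by each player individually, so the count of aborting players equals the count of wrong guesses; whether an adversary can observe which players aborted is outside the model the paper describes, and a deployment should not make a failed check distinguishable per player.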

Acknowledgements

This work is supported by the National Natural Science Foundation of China under Grant No. 60873235 and 60473099, the National Grand Fundamental Research 973 Program of China (Grant No. 2009CB320706), Scientific and Technological Developing Scheme of Jilin Province (20080318), and Program of New Century Excellent Talents in University (NCET-06-0300).

References

[1] W. Diffie, M.E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (6) (1976) 644-654.

[2] R. Dutta, R. Barua, Password-based encrypted group key agreement, International Journal of Network Security 3 (1) (2006) 30-41.

[3] X. F. Guo, J. S. Zhang, Secure group key agreement protocol based on chaotic Hash, Information Sciences 180 (2010) 4069-4074.

[4] S. M. Bellovin and M. Merritt, Encrypted key exchange: Password-based protocols secure against dictionary attacks, 1992 IEEE Symposium on Security and Privacy, 1992, 72-84.

[5] M. Abdalla, P. A. Fouque, D. Pointcheval, Password-based Authenticated Key Exchange in the Three-Party Setting, PKC 2005: 8th International Workshop on Theory and Practice in Public Key Cryptography, Lecture Notes in Computer Science 3386 (2005) 65-84.

[6] M. Abdalla, E. Bresson, O. Chevassut, D. Pointcheval, Password-based group key exchange in a constant number of rounds, PKC 2006, Lecture Notes in Computer Science, vol. 3958, 2006, pp.427-442.

[7] M. H. Zheng, H. H. Zhou, J. Li and G. H. Cui, Efficient and provably secure password-based group key agreement protocol, Computer Standards & Interfaces 31 (2009) 948-953.

[8] G. Horng, An efficient and secure protocol for multi-party key establishment, Computer Journal 44 (5) (2001) 464-470.

[9] M. Burmester, Y. Desmedt, A secure and scalable group key exchange system, Information Processing Letters 94 (3) (2005) 137-143.