License: CC BY-NC-ND

Procedia Engineering 15 (2011) 1691 - 1694

Advanced in Control Engineering and Information Science

Offline dictionary attack on a universally composable three-party password-based key exchange protocol

Wei Yuan, Liang Hu, Hongtu Li, Jianfeng Chu*

College of Computer Science and Technology, Jilin University, Changchun, 130012, China

Abstract

Key exchange protocols are fundamental for establishing secure communication channels over public networks. Password-based key exchange protocols allow parties to share a secret key in an authentic manner based on an easily memorizable password. Recently, Deng et al. proposed a three-party password-based key exchange protocol in the universal composable framework in China Communications, where two users, each one of whom shares a human-memorable password with a trusted server, can authenticate each other and compute a secure session key. In this letter, we show that Deng et al.'s protocol is insecure against offline dictionary attack by any other client. Hence, the protocol doesn't achieve their aim.

© 2011 Published by Elsevier Ltd. Selection and/or peer-review under responsibility of [CEIS 2011]

Keywords: Cryptanalysis; password-based; three party; key exchange; universally composable

1. Introduction

Password-based authenticated key exchange protocols are important cryptographic tools in secure communications and have been widely used in many online websites. Among numerous authentication schemes, the password-based authenticated key agreement protocols require users only to remember a human-memorable low-entropy password and share it with a trusted server. When two users want to establish a shared session key, they resort to the trusted server to authenticate each other; it is rather simple and efficient. Therefore, it has attracted much attention and a lot of three-party authenticated key exchange protocols have been proposed [1].

* Corresponding author. Jianfeng Chu, Tel.: +86-139-4416-8927. E-mail address: chujf@jlu.edu.cn.

1877-7058 © 2011 Published by Elsevier Ltd. doi:10.1016/j.proeng.2011.08.315

The first known password-based authenticated key agreement protocol is due to Bellovin and Merritt [2]. This concept has also been extended to the three-party case [3] and the group case [4]. Nowadays, most on-line services over the Internet are based on the client/server architecture, such as Kerberos and KryptoKnight [5]. In this architecture, there is a single server to serve a lot of clients. Authentication is basic and is the first step to identify whether a remote client is authorized or not. After the verification of the identity, the client can be held accountable and the system can decide to give a specific access privilege. Hence the password-based authenticated key agreement protocols are well suited for the client/server architectures.

Due to their simplicity and efficiency, password-based protocols suffer from various kinds of security problems. Kwon et al. [6] proposed an improved password-based authentication protocol; Shin et al. [7] showed an impersonation attack on that protocol. Wen et al. [8] proposed a provably secure three-party password-based authenticated key exchange protocol using Weil pairings; Nam et al. [9] pointed out that this protocol could not resist the man-in-the-middle attack. Lu and Cao [10] presented a simple three-party key exchange protocol; an online dictionary attack on it was found by Guo et al. [11]. Besides the man-in-the-middle attack, which is a key threat to the Diffie-Hellman key agreement protocol [12], the main attacks on password-based key agreement protocols are of the two kinds below:

1. Undetectable online dictionary attack: an attacker tries to verify the password in an online manner without being detected. That is, a failed guess is never noticed by the server and the client, and the attacker can legally and undetectably check many times in order to get sufficient information of the password.

2. Offline dictionary attack: an attacker uses a guessed password to verify the correctness of the password in an offline manner. The attacker can freely guess a password and then check if it is correct without limitation in the number of guesses.

Recently, Deng et al. [13] proposed a three-party password-based key exchange protocol based on references [14, 15] and declared that their protocol was secure under the universal composable framework (UC-SECURE) and was the minimum among the published works. In this letter, we find that their protocol is insecure against an offline dictionary attack and give a detailed instance of the attack on their scheme.

2. Brief Review of the UC-SECURE 3PKE protocol

In Deng et al.'s protocol, $\mathcal{E} = (E, D)$ is a symmetric encryption scheme, $h$ is a pseudorandom function, $G = \langle g \rangle$ is a finite cyclic group of prime order $q$ ($q$ an $l$-bit prime), written multiplicatively, and $M, N$ are two elements of $G$. The system contains two kinds of roles: the trusted server $P_T$ and the users. A user may be an initiator or a responder when participating in the protocol. At the beginning, $P_T$ broadcasts his identity $sid$ to all users and waits for users' requests. The protocol is described as follows:

1. When a user $P_i$ (called the initiator) wants to initiate a key exchange process with another user $P_j$ (called the responder), he sends a notice $pid = (P_i, P_j, P_T)$, which stands for the two users' request for the key exchange service, chooses a random exponent $x$, computes the value $X = g^x \cdot M^{pw_i}$, and then sends (flow-one, $X$) to $P_j$.

2. When $P_j$, who was waiting for a flow-one message, receives a message (flow-one, $X$) from $P_i$, he chooses a random exponent $y$ and computes the value $Y = g^y \cdot N^{pw_j}$. Then he sends (flow-two, $X$, $Y$) to $P_T$.

3. When $P_T$ receives a message (flow-two, $X$, $Y$) from $P_j$, he chooses a random exponent $z$ and computes $U_i = E_{sid \| pw_i}((Y/N^{pw_j})^z)$ and $U_j = E_{sid \| pw_j}((X/M^{pw_i})^z)$. Then $P_T$ sends (flow-three, $U_i$) to $P_i$ and (flow-three, $U_j$) to $P_j$.

4a. When $P_i$ receives a message (flow-three, $U_i$) from $P_T$, he gets the secret value $(Y/N^{pw_j})^z$ by decrypting the ciphertext $U_i$. Then he computes the Diffie-Hellman secret value $K_i = ((Y/N^{pw_j})^z)^x = g^{xyz}$ and the session key $sk_i = h(sid \| P_i \| P_j \| K_i)$, and terminates the session.

4b. When $P_j$ receives a message (flow-three, $U_j$) from $P_T$, he gets the secret value $(X/M^{pw_i})^z$ by decrypting the ciphertext $U_j$. Then he computes the Diffie-Hellman secret value $K_j = ((X/M^{pw_i})^z)^y = g^{xyz}$ and the session key $sk_j = h(sid \| P_i \| P_j \| K_j)$, and terminates the session.

3. Offline Dictionary Attack on the protocol

1. $P_j$ informs $P_T$ that $P_i$ and he are going to start a key exchange process. Then he selects two random exponents $r$ and $y$, computes $X = M^r$ and $Y = M^y \cdot N^{pw_j}$, and sends (flow-two, $X$, $Y$) to $P_T$.

2. Upon receiving (flow-two, $X$, $Y$), $P_T$ selects a random exponent $z$, computes $U_i = E_{sid \| pw_i}((Y/N^{pw_j})^z) = E_{sid \| pw_i}(M^{yz})$ and $U_j = E_{sid \| pw_j}((X/M^{pw_i})^z) = E_{sid \| pw_j}(M^{z(r - pw_i)})$, and sends (flow-three, $U_i$) to $P_i$ and (flow-three, $U_j$) to $P_j$.

3. $P_j$ intercepts or eavesdrops (flow-three, $U_i$). Note that even if $P_j$ fails to intercept (flow-three, $U_i$) and $P_i$ detects once that $U_i$ is invalid, this does not mean that $P_T$ detects the attack, and $P_i$ cannot tell that he is being attacked. $P_j$ then computes $M^{z(r - pw_i)} = D_{sid \| pw_j}(U_j)$ from the message (flow-three, $U_j$) and obtains $M^{yz(r - pw_i)} = (M^{z(r - pw_i)})^y$. Next, he repeatedly guesses a password $pw_i'$ and decrypts $U_i$ as $M^{yz} = D_{sid \| pw_i'}(U_i)$ (for the unknown $z$), checking until the equation $(M^{yz})^{(r - pw_i')} = M^{yz(r - pw_i)}$ holds. Finally, $P_j$ obtains $P_i$'s password $pw_i = pw_i'$.
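The following toy model, added here as an illustration and not code from the paper or from Deng et al., carries the Section 2 flows and the Section 3 verification equation through in a small safe-prime group so the algebra can be checked by running it. Everything concrete is a constructed assumption: the 64-bit group, the choice $g = 4$, $M = 9$, $N = 25$, the mapping of a password string to an exponent in $\mathbb{Z}_q$, and the stand-in cipher `enc`/`dec` (multiplication by a key-derived group element, standing in for the unspecified symmetric scheme $\mathcal{E}$). The point it makes visible is the one the paper makes: after one forged flow-two, the server's reply lets $P_j$ test a candidate $pw_i'$ purely locally, because $(M^{yz})^{r - pw_i'}$ equals $M^{yz(r - pw_i)}$ exactly when the guess is right.

```python
"""Toy model of the Deng et al. 3PKE flows (Section 2) and the password
check of Section 3.  Constructed example: a 64-bit safe-prime group and a
stand-in cipher, far too small and too simple for real use."""
import hashlib
import secrets


def _is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime(bits):
    """First safe prime p = 2q + 1 with q above 2^(bits-1); fixed start, so reproducible."""
    q = (1 << (bits - 1)) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = _safe_prime(64)      # G = <g> is the order-q subgroup of Z_p^*
G, M, N = 4, 9, 25          # squares mod p, hence elements of G (constructed choice)


def inv(a):
    return pow(a, P - 2, P)


def pw_exponent(password):
    """Map a password string to an exponent in Z_q (assumed encoding, not the paper's)."""
    return int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % Q


def key_for(sid, pw):
    return sid + b"|" + str(pw).encode()        # models the key sid || pw


def _mask(key):
    """Stand-in for E: a key-derived element of G that the plaintext is multiplied by."""
    return pow(int.from_bytes(hashlib.sha256(key).digest(), "big") % P, 2, P) or 1


def enc(key, m):
    return m * _mask(key) % P


def dec(key, c):
    return c * inv(_mask(key)) % P


def strip(v, base, pw):
    """v / base^pw, i.e. Y / N^{pw_j} or X / M^{pw_i}."""
    return v * inv(pow(base, pw, P)) % P


def server_flow_three(sid, pw_i, pw_j, X, Y):
    """P_T: U_i = E_{sid||pw_i}((Y/N^pw_j)^z), U_j = E_{sid||pw_j}((X/M^pw_i)^z)."""
    z = secrets.randbelow(Q - 1) + 1
    U_i = enc(key_for(sid, pw_i), pow(strip(Y, N, pw_j), z, P))
    U_j = enc(key_for(sid, pw_j), pow(strip(X, M, pw_i), z, P))
    return U_i, U_j


def session_key(sid, pi, pj, K):
    return hashlib.sha256(sid + pi + pj + str(K).encode()).hexdigest()


def honest_run(sid, pw_i, pw_j, pi=b"Pi", pj=b"Pj"):
    """Flows one to three and steps 4a/4b; returns (sk_i, sk_j)."""
    x = secrets.randbelow(Q - 1) + 1
    X = pow(G, x, P) * pow(M, pw_i, P) % P                  # flow-one
    y = secrets.randbelow(Q - 1) + 1
    Y = pow(G, y, P) * pow(N, pw_j, P) % P                  # flow-two
    U_i, U_j = server_flow_three(sid, pw_i, pw_j, X, Y)     # flow-three
    K_i = pow(dec(key_for(sid, pw_i), U_i), x, P)           # 4a: g^{xyz}
    K_j = pow(dec(key_for(sid, pw_j), U_j), y, P)           # 4b: g^{xyz}
    return session_key(sid, pi, pj, K_i), session_key(sid, pi, pj, K_j)


def rogue_flow_two(pw_j):
    """Section 3 step 1: P_j sends X = M^r and Y = M^y * N^{pw_j} instead of relaying P_i's X."""
    r = secrets.randbelow(Q - 1) + 1
    y = secrets.randbelow(Q - 1) + 1
    return r, y, pow(M, r, P), pow(M, y, P) * pow(N, pw_j, P) % P


def guess_passes(sid, pw_j, r, y, U_i, U_j, pw_guess):
    """Section 3 step 3: does (D_{sid||pw'}(U_i))^{r - pw'} equal (D_{sid||pw_j}(U_j))^y ?"""
    target = pow(dec(key_for(sid, pw_j), U_j), y, P)        # M^{yz(r - pw_i)}, needs no guess
    cand = dec(key_for(sid, pw_guess), U_i)                 # equals M^{yz} only if pw' == pw_i
    return pow(cand, (r - pw_guess) % Q, P) == target


def offline_check_demo(sid, pw_i_word, pw_j_word, dictionary):
    """One forged session with P_T, then purely local tests; returns the words that pass."""
    pw_i, pw_j = pw_exponent(pw_i_word), pw_exponent(pw_j_word)
    r, y, X, Y = rogue_flow_two(pw_j)
    U_i, U_j = server_flow_three(sid, pw_i, pw_j, X, Y)     # the single server interaction
    return [w for w in dictionary if guess_passes(sid, pw_j, r, y, U_i, U_j, pw_exponent(w))]
```

`honest_run` confirms the protocol is functionally correct (both session keys agree), and `offline_check_demo` shows why that is not enough: the server is contacted once, and every further candidate is tested without any message reaching $P_T$ or $P_i$, which is exactly what makes the attack offline and undetectable in the paper's sense. A wrong guess passes the check only if two unrelated elements of a 64-bit group happen to coincide, which is why the toy uses a 64-bit rather than a 10-bit group.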

4. Discussion

In this letter, we have shown that Deng et al.'s password-based key exchange protocol suffers from an offline dictionary attack. Because the algebraic structure exchanged between the server and the client is public, no password-based key exchange protocol can prevent adversaries from forging intermediate messages such as $X$, $Y$, $U_i$, $U_j$. However, the main reason our attack succeeds is that the intermediate messages that depend on the password are not properly protected, so the attacker can use the server's response to verify whether his guessed password is correct. To avoid this problem, the server should make sure that the message sent by a user is unique to that user. Namely, if only the server can authenticate the user, the useful message carrying the encrypted key is not revealed and our attack becomes invalid.

In conclusion, to prevent offline dictionary attacks the server should be able to verify that an encrypted message is unique to the user who sent it. A potential offline dictionary attack may exist in any password-based protocol without such authentication.

Acknowledgements

This work is supported by the National Natural Science Foundation of China under Grant No. 60873235 and 60473099, the National Grand Fundamental Research 973 Program of China (Grant No. 2009CB320706), Scientific and Technological Developing Scheme of Jilin Province (20080318), and Program of New Century Excellent Talents in University (NCET-06-0300).

References

[1] S. Shin, K. Kobara, H. Imai, Anonymous password-authenticated key exchange: new construction and its extensions, IEICE Trans. Fundamentals, E93-A (1) (2010): 102-114.

[2] S.M. Bellovin, M. Merritt, Encrypted key exchange: password-based protocols secure against dictionary attacks, in: Proceedings of the IEEE Symposium on Research in Security and Privacy, IEEE Computer Society Press, pp. 72-84, May 1992.

[3] C.-L. Lin, H.-A. Wen, T. Hwang, H.-M. Sun, Provably secure three-party password-authenticated key exchange, IEICE Trans. Fundamentals, E87-A (11) (2004): 2990-3000.

[4] M.-H. Zheng, H.-H. Zhou, J. Li, G.-H. Cui, Efficient and provably secure password-based group key agreement protocol, Computer Standards & Interfaces, 31 (2009): 948-953.

[5] J.-P. Lin, J.-M. Fu, A secure DoS-resistant user authenticated key agreement scheme with perfect secrecies, Life Science Journal, 7 (1) (2010): 88-94.

[6] T. Kwon, Y.H. Park, H.J. Lee, Security analysis and improvement of the efficient password-based authentication protocol, IEEE Commun. Lett., 9 (1) (2005): 93-95.

[7] S. Shin, K. Kobara, H. Imai, Security analysis of two augmented password-authenticated key exchange protocols, IEICE Trans. Fundamentals, E93-A (11) (2010): 2092-2095.

[8] H.A. Wen, T.F. Lee, T. Hwang, Provably secure three-party password-based authenticated key exchange protocol using Weil pairing, IEE Proceedings - Communications, 152 (2) (2005): 138-143.

[9] J. Nam, Y. Lee, S. Kim, Security weakness in a three-party pairing-based protocol for password authenticated key exchange, Information Sciences, 177 (6) (2007): 1364-1375.

[10] R. Lu, Z. Cao, Simple three-party key exchange protocol, Computers & Security, 26 (1) (2007): 94-97.

[11] H. Guo, Z.J. Li, Y. Mu, X. Zhang, Cryptanalysis of simple three-party key exchange protocol, Computers & Security, 27 (1) (2008): 16-21.

[12] W. Diffie, M.E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, 22 (6) (1976): 644-654.

[13] M. Deng, J. Ma, F. Le, Universally composable three party password-based key exchange protocol, China Communications, 6 (3) (2009): 150-154.

[14] M. Abdalla, D. Catalano, C. Chevalier, Efficient two-party password-based key exchange protocols in the UC framework, CT-RSA 2008, pp. 335-351, 2008.

[15] T.M. Chang, Y.F. Zhou, Y.J. Zhang, Universally composable three-party key distribution, ARES'07, 2007.