Cross-Realm Password-Based Server Aided Key Exchange
Source: WISA 2010, LNCS 6513, pp. 322–336, 2011
Author: Kazuki Yoneyama
Presenter: Li-Tzu Chang
Outline Introduction New Model: Cross-Realm PSAKE Security Proposed Scheme Conclusion
Introduction
YB scheme: Secure Cross-Realm C2C-PAKE Protocol, 2006 (27)
WZ scheme: A New Security Model for Cross-Realm C2C-PAKE Protocol, 2007 (1)
New Model: Execute(U1^l1, U2^l2, S1^l3, S2^l4):
This query models passive attacks. The output of this query consists of the messages that were
exchanged during the honest execution of the protocol among U1^l1, U2^l2, S1^l3 and S2^l4.
New Model: SendClient(Ul, m):
This query models active attacks against a client. The output of this query consists of the message that
the client instance Ul would generate on receipt of message m.
New Model: SendServer(Sl, m):
This query models active attacks against servers. The output of this query consists of the message that
the server instance Sl would generate on receipt of message m.
New Model: SessionReveal(Ul):
This query models the misuse of session keys. The output of this query consists of the session key
held by the client instance Ul if the session is completed for Ul. Otherwise, return ⊥.
New Model: StaticReveal(P):
This query models leakage of the static secret of P (i.e., the password shared between the client and the
corresponding server, or the private information of the server). The output of this query consists of the
static secret of P.
New Model: EphemeralReveal(Pl):
This query models leakage of all session-specific information (ephemeral key) used by Pl.
The output of this query consists of the ephemeral key of the instance Pl.
New Model: EstablishParty(Ul, pwU):
This query models the adversary registering a static secret pwU on behalf of a client.
In this way the adversary totally controls that client. Clients against whom the adversary did not issue this
query are called honest.
New Model: Test(Ul):
This query does not model an adversarial ability, but the indistinguishability of the session key.
At the beginning a hidden bit b is chosen. If no session key for the client instance Ul is defined,
then return the undefined symbol ⊥. Otherwise,
if b = 1, return the session key for the client instance Ul; if b = 0, return a random key from the same space.
New Model: TestPassword(U, pw):
This query does not model an adversarial ability, but the no-leakage property of the password.
If the guessed password pw is the same as the client U's password pw, then return 1.
Otherwise, return 0.
Note that the adversary can issue only one TestPassword query at any time during the experiment.
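The queries above are easiest to keep straight as an explicit game environment. The following Python class is an added illustration, not code from the paper or the presentation: it implements the bookkeeping each query performs (instances, completion and ⊥, the hidden bit b, the honest/dishonest client distinction and the single-use TestPassword rule). The honest run inside Execute is a constructed stand-in (a hash of the two clients' nonces), not the proposed scheme, and the servers' "private information" is assumed to be a random byte string; SendClient and SendServer are omitted because the slides do not give the message flow they would have to process.

```python
import hashlib
import secrets


class PSAKEGame:
    """Bookkeeping for the adversary's query interface of the cross-realm PSAKE model.
    The protocol run is a constructed stand-in, NOT the paper's scheme; the point is the
    query semantics: completion, bottom (None here), the hidden bit b, honest clients and
    the single TestPassword query."""

    def __init__(self, clients):
        # clients: {client_id: (password, server_id)}  -- constructed input
        self.pw = {u: pw for u, (pw, _) in clients.items()}
        self.server_of = {u: s for u, (_, s) in clients.items()}
        self.honest = set(clients)
        # assumption: a server's private information is a random 32-byte string
        self.sk_server = {s: secrets.token_bytes(32) for s in set(self.server_of.values())}
        self.instances = {}           # (party, l) -> {"eph": bytes, "sk": bytes or None}
        self.b = secrets.randbits(1)  # hidden bit of the Test query
        self.test_password_used = False
        self._random_keys = {}        # Test answers when b == 0, kept consistent per instance

    def execute(self, U1, l1, U2, l2, S1, l3, S2, l4):
        """Passive attack: honest run among U1^l1, U2^l2, S1^l3, S2^l4; returns the transcript."""
        n1, n2 = secrets.token_bytes(16), secrets.token_bytes(16)   # client ephemerals
        n3, n4 = secrets.token_bytes(16), secrets.token_bytes(16)   # server ephemerals
        transcript = [(U1, S1, n1), (S1, S2, n1 + n3), (S2, U2, n1),
                      (U2, S2, n2), (S2, S1, n2 + n4), (S1, U1, n2)]
        sk = hashlib.sha256(b"toy-psake" + n1 + n2).digest()       # stand-in session key
        self.instances[(U1, l1)] = {"eph": n1, "sk": sk}
        self.instances[(U2, l2)] = {"eph": n2, "sk": sk}
        self.instances[(S1, l3)] = {"eph": n3, "sk": None}          # servers hold no session key
        self.instances[(S2, l4)] = {"eph": n4, "sk": None}
        return transcript

    def session_reveal(self, U, l):
        """Session key of U^l if that session is completed, else None (plays the role of bottom)."""
        inst = self.instances.get((U, l))
        return inst["sk"] if inst and inst["sk"] is not None else None

    def static_reveal(self, P):
        """Client: its password. Server: the passwords of its clients plus its private information."""
        if P in self.pw:
            return self.pw[P]
        own = {u: pw for u, pw in self.pw.items() if self.server_of[u] == P}
        return own, self.sk_server[P]

    def ephemeral_reveal(self, P, l):
        inst = self.instances.get((P, l))
        return inst["eph"] if inst else None

    def establish_party(self, U, pw, server):
        """Adversary registers a password on behalf of U; U is no longer honest."""
        self.pw[U] = pw
        self.server_of[U] = server
        self.honest.discard(U)

    def test(self, U, l):
        """Real-or-random challenge: bottom if no key is defined, the real key if b = 1,
        otherwise a random key of the same length (the same one on repeated queries)."""
        sk = self.session_reveal(U, l)
        if sk is None:
            return None
        if self.b == 1:
            return sk
        return self._random_keys.setdefault((U, l), secrets.token_bytes(len(sk)))

    def test_password(self, U, pw):
        """Password guess; allowed once per experiment, returns 1 on a correct guess."""
        if self.test_password_used:
            raise RuntimeError("TestPassword may be asked only once per experiment")
        self.test_password_used = True
        return 1 if self.pw.get(U) == pw else 0
```

A proof in this model bounds the adversary's advantage in guessing b from Test and in answering 1 to TestPassword; keeping the single-use rule and the consistency of repeated Test answers inside the environment, rather than in the adversary, is what makes those bounds well defined.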
Proposed Scheme: notation
p, q: large primes such that p = 2q + 1
A, B ∈ U: the identities of two clients in two different realms
SA, SB ∈ S: the identities of their corresponding servers, respectively
Proposed Scheme: public-key encryption
Gen(1^k): key generation algorithm
Enc_pk(m; ω): encryption algorithm of a message m using a public key pk and randomness ω
Dec_sk(c): decryption algorithm of a ciphertext c using a private key sk
Proposed Scheme: public information
G, g, p, H1, H2
Long-term secret of clients : pwA for A and pwB for B
Long-term secret of servers : (pwA, skSA) for SA and (pwB, skSB) for SB
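The parameter choice p = 2q + 1 is what lets a client check that a value it receives really lies in the prime-order group G before exponentiating with its own secret. The following Python block is an added example, not the paper's code: it uses constructed toy parameters (p = 23, q = 11, g = 4) far too small for real use, and it assumes domain-separated SHA-256 reduced into Z_q as a stand-in for H1 and H2, whose ranges the slides do not specify.

```python
import hashlib
from secrets import randbelow

# Constructed toy parameters, NOT the paper's (which would use large primes):
# p = 2q + 1 with q prime, so the quadratic residues mod p form a group G of prime order q.
P = 23
Q = 11
G_GEN = 4   # 4 = 2^2 is a quadratic residue, hence a generator of the order-q subgroup


def is_prime(n):
    """Trial division; fine for toy sizes, use Miller-Rabin for real parameters."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def is_safe_prime(p):
    """p = 2q + 1 with both p and q prime."""
    return p % 2 == 1 and is_prime(p) and is_prime((p - 1) // 2)


def in_group(x, p=P, q=Q):
    """Membership in the order-q subgroup, excluding the identity: 1 < x < p and x^q = 1 mod p.
    Every element received from the network must pass this before it is exponentiated."""
    return 1 < x < p and pow(x, q, p) == 1


def hash_to_zq(label, *parts, q=Q):
    """Stand-in for H1 / H2 (assumption: the slides do not give their ranges):
    domain-separated, length-prefixed SHA-256 reduced into Z_q."""
    h = hashlib.sha256(label.encode())
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % q


def keygen(p=P, q=Q, g=G_GEN):
    """Ephemeral exponent x in [1, q-1] and the public value g^x mod p."""
    x = 1 + randbelow(q - 1)
    return x, pow(g, x, p)


def shared_secret(x, Y, p=P):
    """Diffie-Hellman style combination with the membership check applied first."""
    if not in_group(Y, p):
        raise ValueError("received element is not in the prime-order subgroup")
    return pow(Y, x, p)
```

With a safe prime the check is a single exponentiation by q; without it an attacker-chosen element of small order would leak bits of the ephemeral exponent, which is exactly the kind of input a SendClient query in the model above is allowed to deliver.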
Proposed Scheme: protocol flow (two diagram slides; the figures are not captured in this transcript)
Conclusion: comparison with previous schemes

Scheme  Setting                         Rounds for clients  UDonDA    LEP of servers  KCI       Channel between servers
YB      password-only                   2                   insecure  insecure        insecure  secure channel
WZ      password-only                   2+P                 secure    insecure        insecure  secure channel
[19]    password and public-key crypto  7                   secure    insecure        secure    none
[20]    password and smart cards        4                   secure    insecure        secure    none
Ours    password and public-key crypto  2                   secure    secure          secure    authenticated channel

P denotes the number of moves of a secure 2-party PAKE.
UDonDA: undetectable on-line dictionary attacks
LEP: leakage of ephemeral private keys of servers
KCI: key-compromise impersonation