Password-Based Group Key Exchange Secure Against Insider Guessing Attacks

Jin Wook Byun, Dong Hoon Lee, and Jongin Lim
Center for Information Security Technologies (CIST), Korea University, Anam Dong, Sungbuk Gu, Seoul, Korea
{byunstar, donghlee, jilim}@korea.ac.kr

Abstract. Very recently, Byun and Lee proposed two provably secure group Diffie-Hellman key exchange protocols using the n participants' distinct passwords. Unfortunately, Tang and Chen found the schemes to be flawed: they presented two password guessing attacks by a malicious insider, an off-line dictionary attack and an undetectable on-line dictionary attack. In this paper we present concrete countermeasures against both malicious insider attacks and modify the two group Diffie-Hellman key exchange protocols so that they are secure against malicious insider password guessing attacks. Our countermeasures require no additional rounds, hence they are efficient.

1 Introduction

To communicate securely over an insecure public network it is essential that secret keys are exchanged securely. A password-based authenticated key exchange protocol allows two or more parties holding the same memorable password to agree on a common secret value (a session key) over an insecure open network. Most password-based authenticated key exchange schemes in the literature have focused on the same-password authentication (SPWA) model, which provides password-authenticated key exchange using a common password shared between a client and a server [2, 3, 5, 13]. Normally the two parties, client and server, use the shared password to generate a session key and perform key confirmation with regard to that session key. Bellovin and Merritt first proposed the Encrypted Key Exchange (EKE) scheme, which is secure against dictionary attacks [3]. The EKE scheme has been the basis for many of the subsequent works in the SPWA model.

1.1 Related Works and Our Contribution

Recently, many protocols have been proposed to provide password-based authenticated key exchange between clients holding different passwords, and some of them have been easily broken and re-designed in the 3-party and N-party settings [12, 9, 7, 10]. In this different password authentication (DPWA) model, clients generate a common session key from their distinct passwords with the help of a server. In the N-party setting, Byun and Lee suggested two provably secure N-party encrypted Diffie-Hellman key exchange protocols using different passwords [6]: N-party EKE-U for unicast networks and N-party EKE-M for multicast networks. However, the schemes were found to be insecure by Tang and Chen. In [11] they showed that N-party EKE-U and N-party EKE-M suffer from an off-line dictionary attack and an undetectable on-line guessing attack by malicious insiders, respectively. In this paper we suggest concrete countermeasures against the malicious insider attacks of Tang and Chen, and present modified N-party EKE-U and N-party EKE-M protocols that are secure against them. Our countermeasures require no additional rounds, hence they are efficient.

This research was supported by the MIC (Ministry of Information and Communication), Korea, under the ITRC (Information Technology Research Center) support program supervised by the IITA (Institute of Information Technology Assessment).

Y. Hao et al. (Eds.): CIS 2005, Part II, LNAI 3802, pp. 143–148, 2005. © Springer-Verlag Berlin Heidelberg 2005

2 Attack on N-Party EKE-U and Its Countermeasure

2.1 Overview of N-Party EKE-U

Let $G = \langle g \rangle$ be a cyclic group of prime order $q$. The N-party EKE-U protocol uses three types of functions: all clients and the server contribute to the generation of a common session key through $\phi_{c,i}$, $\pi_{c,i}$ and $\xi_{s,i}$, for positive integers $i$, defined as

$\phi_{c,i}(\{\alpha_1, \ldots, \alpha_{i-1}, \alpha_i\}, x) = \{\alpha_1^x, \ldots, \alpha_{i-1}^x, \alpha_i, \alpha_i^x\}$,
$\pi_{c,i}(\{\alpha_1, \ldots, \alpha_i\}) = \{\alpha_1, \ldots, \alpha_{i-1}\}$,
$\xi_{s,i}(\{\alpha_1, \alpha_2, \ldots, \alpha_i\}, x) = \{\alpha_1^x, \alpha_2^x, \ldots, \alpha_i^x\}$.

In the up-flow, $C_1$ first chooses two numbers $v_1, x_1 \in Z_q^*$ at random, calculates $X_1 = \phi_{c,1}(X_0, x_1) = \{g^{v_1}, g^{v_1 x_1}\}$ with $X_0 = \{g^{v_1}\}$, and sends $m_1$ to $C_2$, which is an encryption¹ of $X_1$ under the password $pw_1$. Upon receiving $m_1$, $C_2$ executes the TF protocol with the server $S$. In the TF protocol, $C_2$ sends $m_1$ to $S$. $S$ decrypts it with $pw_1$, selects a random number $v_2$ and calculates $X_1' = \xi_{s,2}(X_1, v_2)$. Since $S$ knows all clients' passwords, it can construct $m_1' = E_{pw_2}(X_1')$ and send it back to $C_2$. This is the end of the TF protocol. On receiving $m_1' = E_{pw_2}(X_1')$, $C_2$ decrypts it to get $X_1'$. Next $C_2$ chooses its own random number $x_2$ and computes $X_2 = \phi_{c,2}(X_1', x_2)$. Finally $C_2$ sends the ciphertext $m_2 = E_{pw_2}(X_2)$ to the next client $C_3$. The above process is repeated up to $C_{n-2}$. The last client $C_{n-1}$ obtains $X_{n-2}'$ through the TF protocol in the same way, chooses a random number $x_{n-1}$, and calculates $X_{n-1} = \pi_{c,n-1}(\phi_{c,n-1}(X_{n-2}', x_{n-1}))$. The function $\pi_{c,n-1}$ only eliminates the last element of $\phi_{c,n-1}(X_{n-2}', x_{n-1})$. Finally the client $C_{n-1}$ encrypts $X_{n-1}$ with $pw_{n-1}$ and sends the ciphertext $m_{n-1}$ to the server $S$. In the down-flow, $S$ first decrypts $m_{n-1}$ to get $X_{n-1}$, chooses a random number $v_n$, and computes $m_n = \xi_{s,n}(X_{n-1}, v_n)$. For $1 \le i \le n-1$, let $m_{n,i} = (g^{x_1 \cdots x_{i-1} x_{i+1} \cdots x_{n-1}})^{v_1 \cdots v_n}$ be the $i$-th component of $m_n$. $S$ encrypts each $m_{n,i}$ with the password $pw_i$ and sends the resulting ciphertexts to the clients. Each client $C_i$ decrypts $E_{pw_i}(m_{n,i})$ to obtain $m_{n,i}$. Next, $C_i$ computes the session key $sk = H(Clients \| K)$, where $K = (m_{n,i})^{x_i} = (g^{x_1 \cdots x_{n-1}})^{v_1 \cdots v_n}$ and $Clients = \{C_1, \ldots, C_{n-1}\}$.

¹ We assume that the encryption algorithm of the N-party EKE protocols is an ideal cipher $E$, a random one-to-one function $E_K : M \to C$ with $|M| = |C|$.

2.2 Off-Line Dictionary Attack on N-Party EKE-U

In [11], Tang and Chen first presented an off-line dictionary attack on the N-party EKE-U protocol by a malicious insider, as follows.

• Step 1: A malicious user $U_j$ first selects two random values $\alpha, \beta$ and sends $m_j$ to its neighbor $U_{j+1}$, where
$m_j = E_{pw_j}(X_j)$, $X_j = \{g^{\alpha}, g^{\alpha\beta}, g^{\gamma_3}, \ldots, g^{\gamma_j}, g^{V_j \xi_j}\}$,
$\gamma_k = V_j(\xi_j / x_k)$ for $x_k \in Z_q^*$ and $3 \le k \le j$,
$V_j = v_1 v_2 \cdots v_j$, $\xi_j = x_1 x_2 \cdots x_j$.
That is, $U_j$ replaces the first two components of an honestly formed $X_j$ by $g^{\alpha}$ and $g^{\alpha\beta}$, whose relation only $U_j$ knows.

• Step 2: $U_{j+1}$ just forwards $m_j$ to the server $S$. $S$ decrypts $m_j$ with the password $pw_j$ and, with a randomly selected value $v_{j+1}$, computes the TF reply $m_j'$ under the password $pw_{j+1}$, where
$m_j' = E_{pw_{j+1}}(X_j')$, $X_j' = \xi_{s,j+1}(X_j, v_{j+1}) = \{g^{\alpha v_{j+1}}, g^{\alpha\beta v_{j+1}}, g^{\gamma_3 v_{j+1}}, \ldots, g^{\gamma_j v_{j+1}}, g^{V_{j+1} \xi_j}\}$,
$V_{j+1} = v_1 v_2 \cdots v_{j+1}$.
$S$ sends $m_j'$ to $U_{j+1}$.

• Step 3: $U_j$, who can observe $m_j'$ on the network, mounts an off-line dictionary attack on $pw_{j+1}$. For each candidate password $pw_{j+1}'$ it decrypts $D_{pw_{j+1}'}(m_j') = \{g_1, g_2, \ldots, g_{j+1}\}$, $g_l \in G$ for $1 \le l \le j+1$, and checks whether $g_1^{\beta} = g_2$. The relation holds for the correct password, so this yields an off-line dictionary attack.

2.3 Countermeasure

The main idea for preventing the malicious insider off-line dictionary attack is to encrypt the keying material exchanged between server and clients under an ephemeral session key instead of under the password. The protocol uses two encryption functions: an ideal cipher $E$, a random one-to-one function $E_K : M \to C$ with $|M| = |C|$, and a symmetric encryption scheme $E'$ with adaptive chosen-ciphertext security. $H$ is an ideal hash function $H : \{0,1\}^* \to \{0,1\}^l$. The detailed description is as follows.

[Description of the modified N-party EKE-U]. In the up-flow, $C_1$ first chooses two numbers $v_1, x_1 \in Z_q^*$ at random, calculates $X_1 = \phi_{c,1}(X_0, x_1) = \{g^{v_1}, g^{v_1 x_1}\}$, and sends $m_1$ to $C_2$, which is an encryption of $X_1$ under the password $pw_1$.² Upon receiving $m_1$, $C_2$ executes the TF protocol with the server $S$. In the TF protocol, $C_2$ sends $m_1$ and $\zeta_{c_2} = E_{pw_2}(g^{a_2})$ to $S$, for a randomly selected $a_2 \in Z_q^*$. Then $S$ selects random numbers $v_2, b_2$ and calculates $X_1' = \xi_{s,2}(X_1, v_2)$. $S$ also computes $\zeta_{s_2} = E_{pw_2}(g^{b_2})$, $sk_2 = H(C_2 \| S \| g^{a_2} \| g^{b_2} \| g^{a_2 b_2})$, $\eta_2 = E'_{sk_2}(X_1')$ and $Mac_2 = H(sk_2 \| 2)$, and then sends $\zeta_{s_2}, \eta_2, Mac_2$ back to $C_2$. $Mac_2$ is used for key confirmation of $sk_2$ on the client side; for key confirmation on the server side, an additional authenticator $Mac_2' = H(sk_2 \| S)$ can be used. This is the end of the TF protocol. On receiving $\eta_2 = E'_{sk_2}(X_1')$, $C_2$ first calculates $sk_2$ by decrypting $\zeta_{s_2}$ with the password $pw_2$, checks $Mac_2$, and decrypts $\eta_2$ to get $X_1'$. Next $C_2$ chooses its own random number $x_2$ and computes $X_2 = \phi_{c,2}(X_1', x_2)$. Finally $C_2$ sends the ciphertext $m_2 = E'_{sk_2}(X_2)$ to the next client $C_3$. The above process is repeated up to $C_{n-2}$. The last client $C_{n-1}$ chooses a random number $x_{n-1}$ and calculates $X_{n-1} = \pi_{c,n-1}(\phi_{c,n-1}(X_{n-2}', x_{n-1}))$. Finally the client $C_{n-1}$ encrypts $X_{n-1}$ with $sk_{n-1}$ and sends the ciphertext $m_{n-1}$ to the server $S$.

Note that the password now encrypts only the fresh Diffie-Hellman shares $g^{a_2}$ and $g^{b_2}$, which carry no structure an insider could have planted; the structured keying material $X_1'$ is protected by $sk_2$, and obtaining $sk_2$ from $g^{a_2}$ and $g^{b_2}$ requires $g^{a_2 b_2}$.

² For $2 \le i \le n-1$, $m_i$ is encrypted with $sk_i$, ephemerally generated between the client and the server.

Theorem 1. The modified N-party EKE-U protocol is secure against off-line dictionary attacks by malicious insider users.

Proof. Due to the limited space, the proof will be presented in the full paper.
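The TF step of Sections 2.1 to 2.3 as an added executable model, which is not part of the paper: it implements $\phi$, $\pi$ and $\xi$ over a toy safe-prime group, replays the Tang-Chen insider off-line guess against the original TF step, and shows why the same test has nothing to bite on once the server's reply is encrypted under the ephemeral $sk$. The group ($p = 10007$), the passwords, the dictionary and the multiplicative-mask stand-ins for the ideal cipher $E$ and the CCA-secure $E'$ are assumptions made here; the stand-in keeps only the property the argument needs, namely that decryption under a wrong key is still a tuple of valid group elements.

```python
"""Toy executable model of the N-party EKE-U TF step (Sect. 2.1), the Tang-Chen
insider off-line dictionary attack on it (Sect. 2.2) and the modified TF step
of Sect. 2.3.  Constructed example: tiny group, stand-in ciphers; it only makes
the algebra runnable and is not a usable implementation."""
import hashlib
import secrets

P, Q, G = 10007, 5003, 4        # assumed safe prime p = 2q+1; g = 4 has order q

def rand_exp():
    return 1 + secrets.randbelow(Q - 1)

def H(*parts):                  # ideal hash H of the paper, as a hex string
    return hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest()

def _mask(key):                 # key-derived element of the order-q subgroup
    h = int.from_bytes(hashlib.sha256(key.encode()).digest(), "big")
    return pow(h % (P - 1) + 1, 2, P)

def enc(key, X):
    """Stand-in for the ideal cipher E on tuples of group elements: multiply every
    component by a key-derived subgroup element.  Decrypting under a wrong key
    still yields valid group elements, which is all the argument below uses."""
    k = _mask(key)
    return [x * k % P for x in X]

def dec(key, C):
    k_inv = pow(_mask(key), -1, P)
    return [c * k_inv % P for c in C]

# protocol functions of Sect. 2.1
def phi(X, x):      # phi_{c,i}: raise alpha_1..alpha_{i-1}, keep alpha_i, append alpha_i^x
    return [pow(e, x, P) for e in X[:-1]] + [X[-1], pow(X[-1], x, P)]

def pi(X):          # pi_{c,i}: drop the last component
    return X[:-1]

def xi(X, v):       # xi_{s,i}: S raises every component to v
    return [pow(e, v, P) for e in X]

def malicious_m_j(pw_j, alpha, beta, j):
    """Sect. 2.2, Step 1: U_j plants g^alpha, g^{alpha*beta} as the first two
    components of X_j; the remaining j-1 components are arbitrary here."""
    X_j = [pow(G, alpha, P), pow(G, alpha * beta % Q, P)]
    X_j += [pow(G, rand_exp(), P) for _ in range(j - 1)]
    return enc(pw_j, X_j)

def tf_original(m_j, pw_j, pw_next):
    """Step 2: S decrypts with pw_j, applies xi with a fresh v_{j+1} and
    re-encrypts the result directly under pw_{j+1}."""
    return enc(pw_next, xi(dec(pw_j, m_j), rand_exp()))

def offline_guess(reply, beta, dictionary):
    """Step 3: U_j keeps every candidate whose decryption of the eavesdropped
    reply satisfies g1^beta == g2 (a wrong candidate passes with prob. ~1/q)."""
    hits = []
    for cand in dictionary:
        g1, g2 = dec(cand, reply)[:2]
        if pow(g1, beta, P) == g2:
            hits.append(cand)
    return hits

def tf_modified(m_j, pw_j, pw_next, cid="C", srv="S"):
    """Sect. 2.3: pw_{j+1} now encrypts only fresh DH shares; X' travels under
    sk = H(C||S||g^a||g^b||g^{ab}) with key confirmation Mac = H(sk||2).
    Returns the wire messages and X' as recovered by the honest client."""
    a = rand_exp()
    zeta_c = enc(pw_next, [pow(G, a, P)])                  # client -> S
    v, b = rand_exp(), rand_exp()                          # server side
    g_a = dec(pw_next, zeta_c)[0]
    sk_s = H(cid, srv, g_a, pow(G, b, P), pow(g_a, b, P))
    zeta_s = enc(pw_next, [pow(G, b, P)])
    eta = enc(sk_s, xi(dec(pw_j, m_j), v))     # stand-in for the CCA-secure E'
    mac = H(sk_s, 2)
    g_b = dec(pw_next, zeta_s)[0]                          # client side
    sk_c = H(cid, srv, pow(G, a, P), g_b, pow(g_b, a, P))
    if H(sk_c, 2) != mac:
        raise ValueError("key confirmation of sk failed")
    return (zeta_c, zeta_s, eta, mac), dec(sk_c, eta)

def offline_guess_modified(wire, dictionary):
    """Against the modified step every candidate turns zeta_c, zeta_s into a
    valid pair of shares, and eta needs g^{ab}: no candidate can be excluded."""
    zeta_c, zeta_s, _, _ = wire
    return [c for c in dictionary
            if pow(dec(c, zeta_c)[0], Q, P) == 1 and pow(dec(c, zeta_s)[0], Q, P) == 1]

def demo(dictionary=("letmein", "hunter2", "correct horse", "qwerty"), target="hunter2"):
    """Constructed run: insider U_3 attacks pw_4 = target with a 4-word dictionary."""
    pw_j, j = "insider-pw", 3
    alpha, beta = rand_exp(), rand_exp()
    m_j = malicious_m_j(pw_j, alpha, beta, j)
    hits = offline_guess(tf_original(m_j, pw_j, target), beta, dictionary)
    wire, X_prime = tf_modified(m_j, pw_j, target)
    return {"hits": hits, "survivors": offline_guess_modified(wire, dictionary),
            "beta": beta, "X_prime": X_prime}
```

With the original step `offline_guess` returns the target password (plus, about once in $q$ candidates, a chance hit); with the modified step every candidate survives, because the password now protects only fresh Diffie-Hellman shares and the structured material $X'$ is reachable only through $g^{a b}$. The honest client still recovers $X'$ with $X'_1{}^{\beta} = X'_2$, so the planted relation is intact for the protocol and useless to the eavesdropper.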

3 Attack on N-Party EKE-M and Its Countermeasure

3.1 Overview of N-Party EKE-M Protocol

The N-party EKE-M protocol consists of two rounds: one round generates an ephemeral session key between each client and the server, and the other distributes a common secret using the generated ephemeral keys. $H_i$ is an ideal hash function $H_i : \{0,1\}^* \to \{0,1\}^l$ for $1 \le i \le 4$. In the first round, the single server $S$ sends $E_{pw_i}(g^{s_i})$ to the $n-1$ clients concurrently. Simultaneously each client $C_i$, $1 \le i \le n-1$, sends $E_{pw_i}(g^{x_i})$ to the server. After the first round, $S$ and each $C_i$ share an ephemeral Diffie-Hellman key $sk_i = H_1(sid \| g^{x_i s_i})$, where the session identifier is $sid = E_{pw_1}(g^{x_1}) \| E_{pw_2}(g^{x_2}) \| \cdots \| E_{pw_{n-1}}(g^{x_{n-1}})$. In the second round, $S$ selects a random value $N \in Z_q^*$ and hides it by exclusive-or with each ephemeral key $sk_i$; $S$ sends $N \oplus sk_i$ to $C_i$, $1 \le i \le n-1$, concurrently. After the second round, every client recovers the random secret $N$ using its $sk_i$ and generates the common session key $sk = H_2(SIDS \| N)$, where $SIDS = sid \| sk_1 \oplus N \| sk_2 \oplus N \| \cdots \| sk_{n-1} \oplus N$.

3.2 Undetectable On-Line Dictionary Attack on N-Party EKE-M

Second, Tang and Chen presented an undetectable on-line guessing attack on the N-party EKE-M protocol. Undetectable on-line guessing attacks were first described by Ding and Horster [8]. A malicious insider first guesses the password $pw$ of one of the users and uses this guess in an on-line transaction. The malicious user then verifies the correctness of the guess from the responses of the server $S$. Note that a failed guess is never noticed by $S$ or by the other users. Thus the malicious user can gather sufficient information on $pw$ by participating in the protocol legally, and undetectably, many times. The attack on N-party EKE-M is summarized as follows.

• Step 1: In the first round, a malicious insider $U_j$ impersonates $U_i$ ($1 \le i \ne j \le n-1$) and sends $E_{pw_i'}(g^{x_i})$ to the server $S$, using a guessed password $pw_i'$ and a randomly selected $x_i$.

• Step 2: After the second round, $U_j$ obtains $E_{pw_i}(g^{s_i})$ and $m_i = sk_i \oplus N$ sent by $S$, and computes the candidate ephemeral key $sk_i' = H_1(sid \| (D_{pw_i'}(E_{pw_i}(g^{s_i})))^{x_i})$.

• Step 3: $U_j$ checks whether $N = m_i \oplus sk_i'$, where $\oplus$ denotes exclusive-or; $U_j$ knows $N$ because it also takes part in the run legitimately as itself. The relation holds exactly when the guess was correct, which gives an undetectable on-line guessing attack.

3.3 Countermeasure

The main idea for preventing the undetectable on-line guessing attack is to use an authenticator $H_2(sk_i \| C_i)$ for the ephemeral session key between each client and the server. The malicious user cannot generate the authenticator since he does not know $s_i$, and hence $sk_i$; the server can therefore detect an on-line guessing attempt. The detailed description is as follows.

[Description of the modified N-party EKE-M]. $sk_i = H_1(sid \| g^{x_i s_i})$ is the ephemeral key generated between $S$ and client $C_i$ in the first round, and $sk = H_3(SIDS \| N)$ is the common group session key between the clients.

• In the first round, the single server $S$ sends $E_{pw_i}(g^{s_i})$ to the $n-1$ clients concurrently. Simultaneously each client $C_i$, $1 \le i \le n-1$, sends $E_{pw_i}(g^{x_i})$ to the server. After the first round, $S$ and each $C_i$ share the ephemeral Diffie-Hellman key $sk_i = H_1(sid \| g^{x_i s_i})$.

• In the second round, $S$ selects a random value $N \in Z_q^*$ and hides it by exclusive-or with each ephemeral key $sk_i$. $S$ broadcasts $N \oplus sk_i$ and the authenticator $H_2(sk_i \| S)$ to $C_i$ for $1 \le i \le n-1$. Concurrently, the clients broadcast their authenticators $H_2(sk_i \| C_i)$ for $sk_i$. $S$ and $C_i$ each check that the received authenticator is valid using $sk_i$. After the second round, every client recovers the random secret $N$ using its $sk_i$ and generates the common session key $sk = H_3(SIDS \| N)$.

To add mutual authentication (key confirmation) to the N-party EKE-M protocol, the additional authenticator $H_4(sk \| i)$ described in [4] can be used.

Theorem 2. The modified N-party EKE-M protocol is secure against undetectable on-line dictionary attacks by malicious insider users.

Proof. Due to the limited space, the proof will be presented in the full paper.
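Sections 3.1 to 3.3 as an added executable model, not the paper's own code: both rounds of EKE-M with three clients, the impersonation-based on-line guess of Section 3.2, and the Section 3.3 authenticator check on the server side. The group parameters ($p = 10007$), the passwords, the hash domain separation and the multiplicative-mask stand-in for the ideal cipher $E$ are assumptions of this example.

```python
"""Toy executable model of N-party EKE-M (Sect. 3.1), the Tang-Chen undetectable
on-line guessing attack (Sect. 3.2) and the authenticator countermeasure
(Sect. 3.3).  Constructed example with a tiny group and stand-in primitives;
it makes the message flow runnable, nothing more."""
import hashlib
import secrets

P, Q, G = 10007, 5003, 4        # assumed safe prime p = 2q+1; g = 4 has order q

def rand_exp():
    return 1 + secrets.randbelow(Q - 1)

def H(tag, *parts):             # H_1..H_4 of the paper, domain-separated by tag
    return hashlib.sha256("|".join(map(str, (tag,) + parts)).encode()).digest()

def _mask(pw):                  # password-derived element of the order-q subgroup
    h = int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big")
    return pow(h % (P - 1) + 1, 2, P)

def enc(pw, y):
    """Stand-in for the ideal cipher E_pw on G (multiplicative mask): a wrong
    password still decrypts to a valid group element, so a guess can only be
    tested through the server's behaviour, i.e. on-line."""
    return y * _mask(pw) % P

def dec(pw, c):
    return c * pow(_mask(pw), -1, P) % P

def xor(n, sk):                 # N (+) sk_i, reading the hash as an integer
    return n ^ int.from_bytes(sk, "big")

def round1(passwords):
    """Round 1: S sends E_{pw_i}(g^{s_i}); each C_i sends E_{pw_i}(g^{x_i})."""
    s = {i: rand_exp() for i in passwords}
    x = {i: rand_exp() for i in passwords}
    from_s = {i: enc(pw, pow(G, s[i], P)) for i, pw in passwords.items()}
    from_c = {i: enc(pw, pow(G, x[i], P)) for i, pw in passwords.items()}
    return s, x, from_s, from_c

def sid_of(from_c):             # sid = E_{pw_1}(g^{x_1}) || ... || E_{pw_{n-1}}(g^{x_{n-1}})
    return "||".join(str(from_c[i]) for i in sorted(from_c))

def server_round2(passwords, s, from_c):
    """S derives sk_i = H_1(sid || g^{x_i s_i}), picks N and sends N (+) sk_i;
    the Sect. 3.3 variant adds the server authenticator H_2(sk_i || S)."""
    sid = sid_of(from_c)
    sk = {i: H(1, sid, pow(dec(passwords[i], from_c[i]), s[i], P)) for i in passwords}
    N = rand_exp()
    return sk, N, {i: xor(N, sk[i]) for i in sk}, {i: H(2, sk[i], "S") for i in sk}

def client_finish(i, pw, x_i, sid, from_s_i, m_i):
    """C_i derives sk_i, recovers N and emits its authenticator H_2(sk_i || C_i)."""
    sk_i = H(1, sid, pow(dec(pw, from_s_i), x_i, P))
    return sk_i, xor(m_i, sk_i), H(2, sk_i, f"C{i}")

def group_key(sid, m, N):       # sk = H_3(SIDS || N), SIDS = sid || m_1 || ... || m_{n-1}
    return H(3, "||".join([sid] + [str(m[i]) for i in sorted(m)]), N)

def server_verify(sk, client_auths):
    """Sect. 3.3 check: clients whose authenticator does not match S's sk_i."""
    return {i for i, a in client_auths.items() if a != H(2, sk[i], f"C{i}")}

def honest_run(passwords):
    """Returns (number of distinct group keys derived, set of failed authenticators)."""
    s, x, from_s, from_c = round1(passwords)
    sk, N, m, _ = server_round2(passwords, s, from_c)
    sid, keys, auths = sid_of(from_c), set(), {}
    for i, pw in passwords.items():
        _, n_i, auths[i] = client_finish(i, pw, x[i], sid, from_s[i], m[i])
        keys.add(group_key(sid, m, n_i))
    return len(keys), server_verify(sk, auths)

def guessing_attack(passwords, victim, attacker, guess):
    """Insider U_attacker impersonates C_victim with a guessed password.
    Returns (guess_confirmed, detected): the original protocol has no check at
    all, so 'detected' can only come from the Sect. 3.3 authenticators."""
    s, x, from_s, from_c = round1(passwords)
    x_fake = rand_exp()
    from_c[victim] = enc(guess, pow(G, x_fake, P))        # Step 1: E_{pw'}(g^x)
    sid = sid_of(from_c)
    sk, N, m, _ = server_round2(passwords, s, from_c)
    # Step 2: as a legitimate member the attacker learns N through its own sk
    _, N_seen, auth_att = client_finish(attacker, passwords[attacker], x[attacker],
                                        sid, from_s[attacker], m[attacker])
    _, N_guess, auth_fake = client_finish(victim, guess, x_fake, sid,
                                          from_s[victim], m[victim])
    confirmed = N_guess == N_seen                          # Step 3: N == m_i (+) sk_i'
    detected = bool(server_verify(sk, {victim: auth_fake, attacker: auth_att}))
    return confirmed, detected
```

Run `guessing_attack` with a wrong guess: the attacker's Step 3 check fails, nothing in the original protocol tells $S$ anything, and the Section 3.3 check flags the impersonated slot. Detection only pays off if $S$ also records the failed authenticators and throttles or locks the affected password after a threshold; otherwise the attack is detectable in name only.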

4 Conclusion and Future Works

We presented countermeasures against the off-line and undetectable on-line dictionary attacks on the N-party EKE-U and N-party EKE-M protocols, respectively. A good direction for future work is to design a generic construction of password-authenticated key exchange protocols in the N-party setting based on any secure and efficient 2-party protocol.

Acknowledgement. We sincerely thank Ik Rae Jeong and Qiang Tang for valuable discussions.

References

1. M. Abdalla, D. Pointcheval: Interactive Diffie-Hellman Assumptions With Applications to Password-Based Authentication. In: Proceedings of FC 2005, Springer-Verlag, LNCS Vol. 3570 (2005) 341–356
2. M. Bellare, D. Pointcheval, P. Rogaway: Authenticated key exchange secure against dictionary attacks. In: Proceedings of Eurocrypt '00, Springer-Verlag, LNCS Vol. 1807 (2000) 139–155
3. S. Bellovin, M. Merritt: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: Proceedings of the Symposium on Security and Privacy (1992) 72–84
4. E. Bresson, O. Chevassut, D. Pointcheval, J. J. Quisquater: Provably authenticated group Diffie-Hellman key exchange. In: Proceedings of the 8th ACM Conference on Computer and Communications Security (2001) 255–264
5. V. Boyko, P. MacKenzie, S. Patel: Provably secure password-authenticated key exchange using Diffie-Hellman. In: Proceedings of Eurocrypt '00, Springer-Verlag, LNCS Vol. 1807 (2000) 156–171
6. J. W. Byun, D. H. Lee: N-party Encrypted Diffie-Hellman Key Exchange Using Different Passwords. In: Proceedings of ACNS '05, Springer-Verlag, LNCS Vol. 3531 (2005) 75–90
7. J. W. Byun, I. R. Jeong, D. H. Lee, C. Park: Password-authenticated key exchange between clients with different passwords. In: Proceedings of ICICS '02, Springer-Verlag, LNCS Vol. 2513 (2002) 134–146
8. Y. Ding, P. Horster: Undetectable On-line Password Guessing Attacks. ACM Operating Systems Review 29 (1995) 77–86
9. R. C.-W. Phan, B. Goi: Cryptanalysis of an Improved Client-to-Client Password-Authenticated Key Exchange (C2C-PAKE) Scheme. In: Proceedings of ACNS 2005, Springer-Verlag, LNCS Vol. 3531 (2005) 33–39
10. M. Steiner, G. Tsudik, M. Waidner: Refinement and extension of encrypted key exchange. ACM Operating Systems Review 29 (1995) 22–30
11. Q. Tang, L. Chen: Weaknesses in two group Diffie-Hellman Key Exchange Protocols. Cryptology ePrint Archive, Report 2005/197 (2005)
12. S. Wang, J. Wang, M. Xu: Weakness of a password-authenticated key exchange protocol between clients with different passwords. In: Proceedings of ACNS 2004, Springer-Verlag, LNCS Vol. 3089 (2004) 414–425
13. T. Wu: The Secure Remote Password Protocol. In: Proceedings of the Internet Society Network and Distributed System Security Symposium (1998) 97–111