Cross-Realm Password-Based Server Aided Key Exchange
Source: WISA 2010, LNCS 6513, pp. 322–336, 2011
Author: Kazuki Yoneyama
Presenter: Li-Tzu Chang

Outline

Introduction
New Model: Cross-Realm PSAKE
Security
Proposed Scheme
Conclusion

Introduction

YB scheme: Secure Cross-Realm C2C-PAKE Protocol, 2006 (27)

WZ scheme: A New Security Model for Cross-Realm C2C-PAKE Protocol, 2007 (1)


New Model

Execute($U_1^{l_1}, U_2^{l_2}, S_1^{l_3}, S_2^{l_4}$): This query models passive attacks. The output of this query consists of the messages that were exchanged during the honest execution of the protocol among $U_1^{l_1}$, $U_2^{l_2}$, $S_1^{l_3}$ and $S_2^{l_4}$.


SendClient($U^l$, m): This query models active attacks against a client. The output of this query consists of the message that the client instance $U^l$ would generate on receipt of message m.


SendServer($S^l$, m): This query models active attacks against servers. The output of this query consists of the message that the server instance $S^l$ would generate on receipt of message m.


SessionReveal($U^l$): This query models the misuse of session keys. The output of this query consists of the session key held by the client instance $U^l$ if the session is completed for $U^l$. Otherwise, return ⊥.


StaticReveal(P): This query models leakage of the static secret of P (i.e., the password shared between the client and its corresponding server, or the private information of the server). The output of this query consists of the static secret of P.


EphemeralReveal($P^l$): This query models leakage of all session-specific information (the ephemeral key) used by $P^l$. The output of this query consists of the ephemeral key of the instance $P^l$.


EstablishParty($U^l$, pwU): This query models the adversary registering a static secret pwU on behalf of a client. In this way the adversary totally controls that client. Clients against whom the adversary did not issue this query are called honest.


Test($U^l$): This query does not model an adversarial ability, but the indistinguishability of the session key. At the beginning a hidden bit b is chosen. If no session key for the client instance $U^l$ is defined, then return the undefined symbol ⊥. Otherwise, if b = 1, return the session key for the client instance $U^l$; if b = 0, return a random key from the same space.


TestPassword(U, pw): This query does not model an adversarial ability, but captures that the password does not leak. If the guessed password pw is the same as the client U's password, then return 1. Otherwise, return 0.

Note that the adversary can make only one TestPassword query at any time during the experiment.


Proposed Scheme

p, q: large primes such that p = 2q + 1

A, B ∈ U: the identities of two clients in two different realms

$S_A$, $S_B$ ∈ S: the identities of their corresponding servers, respectively


Gen($1^k$): key generation algorithm

$\mathrm{Enc}_{pk}(m; \omega)$: encryption algorithm for a message m using a public key pk and randomness ω

$\mathrm{Dec}_{sk}(c)$: decryption algorithm for a ciphertext c using a private key sk


Public information: G, g, p, $H_1$, $H_2$

Long-term secret of clients: $pw_A$ for A and $pw_B$ for B

Long-term secret of servers: ($pw_A$, $sk_{S_A}$) for $S_A$ and ($pw_B$, $sk_{S_B}$) for $S_B$


Conclusion

| Scheme | Setting | # of rounds for clients | UDonDA | LEP of servers | KCI | Channel between servers |
|---|---|---|---|---|---|---|
| YB | password-only | 2 | insecure | insecure | insecure | secure channel |
| WZ | password-only | 2+P | secure | insecure | insecure | secure channel |
| [19] | password and public-key crypto | 7 | secure | insecure | secure | none |
| [20] | password and smart cards | 4 | secure | insecure | secure | none |
| Ours | password and public-key crypto | 2 | secure | secure | secure | authenticated channel |

Where P denotes the number of moves of a secure 2-party PAKE.

UDonDA: undetectable on-line dictionary attacks

LEP: leakage of ephemeral private keys of servers

KCI: key-compromise impersonation