Upload
britton-obrien
View
224
Download
0
Embed Size (px)
Citation preview
Mutual Authentication and Key Exchange Protocol (MAKEP)
Reporter: Jung-Wen Lo ( 駱榮問 )
Date: 2008/4/18
2
Outline
Introduction ES-MAKEP: Efficient & Secure MAKEP
Fuw-Yi Yang and Jinn-Ke Jan (2004) ES-MAKEP-Forward Secret Attack F-MAKEP
He Yijun, Xu Nan and Li Jie (2007) Comment
3
Introduction MAKEP: Mutual authentication and key exchange protocol L-MAKEP: Linear MAKEP
Author: D. S. Wong and A. H. Chan Title: Mutual authentication and key exchange for low power wireless communications Src: Military Communications Conference, 2001. MILCOM 2001. Communications for Netwo
rk-Centric Operations: Creating the Information Force, IEEE, Vol. 1, 2001, pp. 39-43 IL-MAKEP: Improved L-MAKEP
Author: K. Shim Title: Cryptanalysis of mutual authentication and key exchange for low-power wireless comm
unications Src: IEEE Communications Letters, Vol. 7, No. 5, pp.248-250, 2003.
I-MAKEP Authors: Jinn-Ke Jan and Yi-Hwa Chen Title: A new efficient MAKEP for wireless communications Src: In Proceedings of the 18th International Conference on Advanced Information Networkin
g and Application (AINA’04), IEEE, Volume 2, pp. 347-350, 2004 ES-MAKEP: Efficient & Secure MAKEP
Authors: Fuw-Yi Yang and Jinn-Ke Jan Title: A Secure and Efficient Key Exchange Protocol for Mobile Communications Src: Cryptology ePrint Archive 2004/167, July 2004, http://eprint.iacr.org
F-MAKEP: Perfect forward secrecy Improved ES-MAKEP
A Secure and Efficient Key Exchange Protocol for Mobile
Communications
Authors: Fuw-Yi Yang and Jinn-Ke Jan Src: Cryptology ePrint Archive 2004/167, July
2004, http://eprint.iacr.org
5
Notation εpk(): an asymmetric encryption function
δSK(): an asymmetric decryption function EK(): a symmetric encryption function
DK(): a symmetric decryption function SKS: a private key of server S
PKS: a public key of server S IDU: the identification of a client entity U
IDS: the identification of a server S p, q: a private key pair of U
g ,n: a public key pair of U x || y: string x concatenates string y |n|: bit length of n rUK, rUF, rUR:three random numbers selected by U
rSK: a random number selected by Sr∈RG : r is a random number selected from the set G
l: the length of session keys
6
ES-MAKEP
User UServer S
rUK,rUR,rUF
C1rUK=εPKS(rUK)CMT=grUF||rUF mod n
M1={C1rUK,CMT,IDU}rUK = δSKS(C1rUK)
Random rsk
σSU=rSKrUK
C2rUK=EσSU(rUK)M2={rSK,C2rUK}σUS=rUKrSK
r’UK=DσUS(C2rUK)
=DσUS(EσSU(rUK))r’UK?= rUK
SF=h(rUK,rSK,IDU,IDS)
C3=EσSU(IDU)SR=2|n|(rUF-SF)+rUR mod λ(n)
※ n=pq ;λ(n)=lcm(p-1, q-1)
M3={C3,SR}SF=h(rUK,rSK,IDU,IDS)CMT’=gSF||SR mod nCMT’?=CMT
(PKS,SKS
)
A Secure Key Exchange and Mutual
Authentication Protocol for Wireless Mobile
CommunicationsAuthors: He Yijun, Xu Nan and Li Jie
Src: The Second International Conference on Availability, Reliability and Security, 2007. ARES 2007, 10-13 April 2007 pp. 558
– 563
8
ES-MAKEP-Forward Secret Attack
User UServer S
rUK,rUR,rUF
C1rUK=εPKS(rUK)CMT=grUF||rUF mod n
M1={C1rUK,CMT,IDU}rUK = δSKS(C1rUK)
Random rsk
σSU=rSKrUK
C2rUK=EσSU(rUK)M2={rSK,C2rUK}σUS=rUKrSK
r’UK=DσUS(C2rUK)
=DσUS(EσSU(rUK))r’UK?= rUK
SF=h(rUK,rSK,IDU,IDS)
C3=EσSU(IDU)SR=2|n|(rUF-SF)+rUR mod λ(n) M3={C3,SR}
SF=h(rUK,rSK,IDU,IDS)CMT’=gSF||SR mod nCMT’?=CMT
Attacker
Conceal SKS (PKS,SKS
)
9
F-MAKEP
User UServer S
rUK,rUR,rUF
C1rUK=εPKS(gr
UK)CMT=grUF||rUF mod n
M1={C1rUK,CMT,IDU}rUK = δSKS(C1rUK)
Random rsk
σSU=grSK
rUK
C2rUK=EσSU(rUK)M2={rSK,C2rUK}σSU=gr
SKrUK
r’UK=DσUS(C2rUK)
=DσUS(EσSU(rUK))r’UK?= rUK
SF=h(rUK,rSK,IDU,IDS)
C3=EσSU(IDU)SR=2|n|(rUF-SF)+rUR mod λ(n)
※ n=pq ;λ(n)=lcm(p-1, q-1)
M3={C3,SR} SF=h(rUK,rSK,IDU,IDS)CMT’=gSF||SR mod nCMT’?=CMT
(PKS,SKS
)
10
Comment
Conceal secret key is difficult ES-MAKEP & F-MAKEP: PKI system
=> Inefficient=> Not suitable for wireless devices
11
DoS-Resistance Protocol
Y⊕H(pwj),σ⊕H(pwi)
Server A
(pw1,pw2)
Client B (pw1,pw2)
3. rA
Y= rA r⊕ B σ=H(rA,rB,IDA,IDB)
2. Try pwi
5. H(σ’)
IDA,IDB,X,
H(IDA,IDB,X)1. rB
X=pwi⊕rB
4. r’A =Y r⊕ B σ’=H(r’A,rB,IDA,IDB) H(σ’) ?= H(σ)
4. H(σ’) ?= H(σ)
12
PK-based MAKEP
13
Server-specific MAKEP
))(,(),(, APKATAAPKABA KIDSignKIDCert
BB
14
Linear MAKEP
),,(,,, 212212 iiii aaATA
aaA
iA ggIDSignggIDCert
15
Unknown key-share attack on L-MAKEP(?)
))(,)(,(,)(,)(, 212212 cacaETA
cacaE
iE
iiii ggIDSignggIDCert
y’=cy
σ’ =rAy’Eσ’(x)
16
IL-MAKEP
Eσ(x,IDA,IDB)
A new efficient MAKEP for wireless
communicationsAuthors: Jinn-Ke Jan and Yi-Hwa Chen
Src: In Proceedings of the 18th International Conference on Advanced Information Networking and Application (AINA’04), IEEE, Volu
me 2, pp. 347-350, 2004
18
I-MAKEPUser U Server S
ID,Yv = ye+ID mod N
Random rs
u,t,s
Random w,ku=gw mod Nt=EPKS(k)s=w+xH(rs||t||u)σ=ks
H(k’)
RegisterPhase
xv=g-x mod N
ID,v
y=(v-ID)d mod N
SessionKey GenerationPhase rs
gsvH(rs||t||u) ?≡u mod Nk’=D(t)σ=k’s
H(k’)?=H(k)