Mutual Authentication and Key Exchange Protocol (MAKEP)

Reporter: Jung-Wen Lo ( 駱榮問 )

Date: 2008/4/18

2

Outline

Introduction ES-MAKEP: Efficient & Secure MAKEP

Fuw-Yi Yang and Jinn-Ke Jan (2004) ES-MAKEP-Forward Secret Attack F-MAKEP

He Yijun, Xu Nan and Li Jie (2007) Comment

3

Introduction MAKEP: Mutual authentication and key exchange protocol L-MAKEP: Linear MAKEP

Author: D. S. Wong and A. H. Chan Title: Mutual authentication and key exchange for low power wireless communications Src: Military Communications Conference, 2001. MILCOM 2001. Communications for Netwo

rk-Centric Operations: Creating the Information Force, IEEE, Vol. 1, 2001, pp. 39-43 IL-MAKEP: Improved L-MAKEP

Author: K. Shim Title: Cryptanalysis of mutual authentication and key exchange for low-power wireless comm

unications Src: IEEE Communications Letters, Vol. 7, No. 5, pp.248-250, 2003.

I-MAKEP Authors: Jinn-Ke Jan and Yi-Hwa Chen Title: A new efficient MAKEP for wireless communications Src: In Proceedings of the 18th International Conference on Advanced Information Networkin

g and Application (AINA’04), IEEE, Volume 2, pp. 347-350, 2004 ES-MAKEP: Efficient & Secure MAKEP

Authors: Fuw-Yi Yang and Jinn-Ke Jan Title: A Secure and Efficient Key Exchange Protocol for Mobile Communications Src: Cryptology ePrint Archive 2004/167, July 2004, http://eprint.iacr.org

F-MAKEP: Perfect forward secrecy Improved ES-MAKEP

A Secure and Efficient Key Exchange Protocol for Mobile

Communications

Authors: Fuw-Yi Yang and Jinn-Ke Jan Src: Cryptology ePrint Archive 2004/167, July

2004, http://eprint.iacr.org

5

Notation εpk(): an asymmetric encryption function

δSK(): an asymmetric decryption function EK(): a symmetric encryption function

DK(): a symmetric decryption function SKS: a private key of server S

PKS: a public key of server S IDU: the identification of a client entity U

IDS: the identification of a server S p, q: a private key pair of U

g ,n: a public key pair of U x || y: string x concatenates string y |n|: bit length of n rUK, rUF, rUR:three random numbers selected by U

rSK: a random number selected by Sr∈RG : r is a random number selected from the set G

l: the length of session keys

6

ES-MAKEP

User UServer S

rUK,rUR,rUF

C1rUK=εPKS(rUK)CMT=grUF||rUF mod n

M1={C1rUK,CMT,IDU}rUK = δSKS(C1rUK)

Random rsk

σSU=rSKrUK

C2rUK=EσSU(rUK)M2={rSK,C2rUK}σUS=rUKrSK

r’UK=DσUS(C2rUK)

=DσUS(EσSU(rUK))r’UK?= rUK

SF=h(rUK,rSK,IDU,IDS)

C3=EσSU(IDU)SR=2|n|(rUF-SF)+rUR mod λ(n)

※ n=pq ;λ(n)=lcm(p-1, q-1)

M3={C3,SR}SF=h(rUK,rSK,IDU,IDS)CMT’=gSF||SR mod nCMT’?=CMT

(PKS,SKS

)

A Secure Key Exchange and Mutual

Authentication Protocol for Wireless Mobile

CommunicationsAuthors: He Yijun, Xu Nan and Li Jie

Src: The Second International Conference on Availability, Reliability and Security, 2007. ARES 2007, 10-13 April 2007 pp. 558

– 563

8

ES-MAKEP-Forward Secret Attack

User UServer S

rUK,rUR,rUF

C1rUK=εPKS(rUK)CMT=grUF||rUF mod n

M1={C1rUK,CMT,IDU}rUK = δSKS(C1rUK)

Random rsk

σSU=rSKrUK

C2rUK=EσSU(rUK)M2={rSK,C2rUK}σUS=rUKrSK

r’UK=DσUS(C2rUK)

=DσUS(EσSU(rUK))r’UK?= rUK

SF=h(rUK,rSK,IDU,IDS)

C3=EσSU(IDU)SR=2|n|(rUF-SF)+rUR mod λ(n) M3={C3,SR}

SF=h(rUK,rSK,IDU,IDS)CMT’=gSF||SR mod nCMT’?=CMT

Attacker

Conceal SKS (PKS,SKS

)

9

F-MAKEP

User UServer S

rUK,rUR,rUF

C1rUK=εPKS(gr

UK)CMT=grUF||rUF mod n

M1={C1rUK,CMT,IDU}rUK = δSKS(C1rUK)

Random rsk

σSU=grSK

rUK

C2rUK=EσSU(rUK)M2={rSK,C2rUK}σSU=gr

SKrUK

r’UK=DσUS(C2rUK)

=DσUS(EσSU(rUK))r’UK?= rUK

SF=h(rUK,rSK,IDU,IDS)

C3=EσSU(IDU)SR=2|n|(rUF-SF)+rUR mod λ(n)

※ n=pq ;λ(n)=lcm(p-1, q-1)

M3={C3,SR} SF=h(rUK,rSK,IDU,IDS)CMT’=gSF||SR mod nCMT’?=CMT

(PKS,SKS

)

10

Comment

Conceal secret key is difficult ES-MAKEP & F-MAKEP: PKI system

=> Inefficient=> Not suitable for wireless devices

11

DoS-Resistance Protocol

Y⊕H(pwj),σ⊕H(pwi)

Server A

(pw1,pw2)

Client B (pw1,pw2)

3. rA

Y= rA r⊕ B σ=H(rA,rB,IDA,IDB)

2. Try pwi

5. H(σ’)

IDA,IDB,X,

H(IDA,IDB,X)1. rB

X=pwi⊕rB

4. r’A =Y r⊕ B σ’=H(r’A,rB,IDA,IDB) H(σ’) ?= H(σ)

4. H(σ’) ?= H(σ)

12

PK-based MAKEP

13

Server-specific MAKEP

))(,(),(, APKATAAPKABA KIDSignKIDCert

BB

14

Linear MAKEP

),,(,,, 212212 iiii aaATA

aaA

iA ggIDSignggIDCert

15

Unknown key-share attack on L-MAKEP(?)

))(,)(,(,)(,)(, 212212 cacaETA

cacaE

iE

iiii ggIDSignggIDCert

y’=cy

σ’ =rAy’Eσ’(x)

16

IL-MAKEP

Eσ(x,IDA,IDB)

A new efficient MAKEP for wireless

communicationsAuthors: Jinn-Ke Jan and Yi-Hwa Chen

Src: In Proceedings of the 18th International Conference on Advanced Information Networking and Application (AINA’04), IEEE, Volu

me 2, pp. 347-350, 2004

18

I-MAKEPUser U Server S

ID,Yv = ye+ID mod N

Random rs

u,t,s

Random w,ku=gw mod Nt=EPKS(k)s=w+xH(rs||t||u)σ=ks

H(k’)

RegisterPhase

xv=g-x mod N

ID,v

y=(v-ID)d mod N

SessionKey GenerationPhase rs

gsvH(rs||t||u) ?≡u mod Nk’=D(t)σ=k’s

H(k’)?=H(k)