Procedia Engineering 29 (2012) 3972 – 3979 1877-7058 © 2011 Published by Elsevier Ltd. doi:10.1016/j.proeng.2012.01.604 Procedia Engineering 00 (2011) 1–8 Procedia Engineering
2012 International Workshop on Information and Electronics Engineering (IWIEE)
Cryptanalysis of an e
ffi
cient three-party password-based key
exchange scheme
Eun-Jun Yoona, Kee-Young Yoob,∗aDepartment of Cyber Security, Kyungil University, Republic of Korea bDepartment of Computer Engineering, Kyungpook National University
Abstract
In order to secure communications between two clients with a trusted server’s help in public net-work environments, a three-party password-based authenticated key exchange (3PAKE) scheme is used to provide the transaction confidentiality and efficiency. In 2010, Lou-Huang proposed a new simple three-party password-based authenticated key exchange (LH-3PAKE) scheme based on elliptic curve cryptography (ECC). By analysis, Lou-Huang claimed that the proposed LH-3PAKE scheme is not only secure against various attacks, but also more efficient than previously proposed 3PAKE schemes. However, this paper demonstrates LH-3PAKE scheme is vulnerable to off-line password guessing attacks by an attacker.
c
2011 Published by Elsevier Ltd. Selection and/or peer-review under responsibility of Harbin University of Science and Technology
Keywords: Cryptography, Key exchange, Password, Three-party, authentication
1. Introduction
Password-based authenticated key exchange scheme has been accepted as one of the simplest and most convenient authentication mechanisms in a network environment to protect unautho-rized access to a networked system. Many Internet applications are based on password authen-tication, for example, remote login, government organizations, private corporations, database management systems, and school systems. Bellovin and Merritt [1] were the first to consider how two parties, who only share a weak, low-entropy password and who are communicating over a public network, authenticate each other and agree on a high-entropy cryptographic key
∗Corresponding author. Tel.:+82-53-950-5553; Fax:+82-53-957-4846.
Email address:[email protected](Kee-Young Yoo)
Open access under CC BY-NC-ND license.
to be used for protecting their subsequent communication. While two-party password-based au-thenticated key exchange (2PAKE) schemes are well suited for client-server architectures, they are inconvenient and costly for use in large scale peer to peer systems. Since 2PAKE protocols require each pair of potential communicating parties to share a password, a large number of parties result in an even larger number of passwords shared.
Recently, various three-party password-based authenticated key exchange (3PAKE) schemes were proposed [2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14] to solve problems of two-party password-based authenticated key exchange (2PAKE) schemes which keeps a large number of secrets for communicating with a group of users. In the 3PAKE schemes, a trusted server assists each pair of users to authenticate each other and share a session key. In addition, the user does not need to keep a large number of secrets for a group of users. With the server’s help, each user only shares one secret with the server in 3PAKE protocols. The main advantage of 3PAKE scheme is that it requires each user only to remember a single password with the trusted server. Consequently, 3PAKE schemes can limit the number of passwords that each user must memorize. This seems to be a more practical scenario in the real world than two-party PAKE solutions. However, the server has to participate during the protocol run to help the two users share a session key.
Since users usually choose easy-to-remember passwords, PAKE schemes can be vulnerable to password guessing attacks [12, 15]. Unlike typical private keys, the password has limited entropy, and is constrained by the memory of the user. For example, one alphanumerical char-acter has 6 bits of entropy, and thus the goal of the attacker, which is to obtain a legitimate communication party’s password, can be achieved within a reasonable time. Therefore, the pass-word guessing attacks on PAKE schemes should be considered a real possibility. In general, the password guessing attacks can be divided into three classes [12, 15]:
• Detectable on-line password guessing attacks: an attacker attempts to use a guessed pass-word in an on-line transaction. He/she verifies the correctness of his/her guess using the response from server. A failed guess can be detected and logged by the server.
• Undetectable on-line password guessing attacks: similar to above, an attacker tries to ver-ify a password guess in an online transaction. However, a failed guess cannot be detected and logged by the server, as the server cannot distinguish between an honest request and an attacker’s request.
• Off-line password guessing attacks: an attacker guesses a password and verifies his/her guess off-line. No participation of server is required, so the server does not notice the attack as a malicious one.
Elliptic curve cryptography (ECC) can achieve the same level of security with smaller key size compared with Diffie-Hellman key agreement [16] or the RSA cryptography system [17]. For example, it has been shown that 160-bit ECC provides comparable security to 1024-bit RSA and 224-bit ECC provides comparable security to 2048-bit RSA [18, 19, 20, 21]. Hence, under the same security level, smaller key sizes of ECC offer merits of the computational efficiency, as well as memory, and bandwidth saving. It is better suited for resource constrained devices, such as smart cards or mobile units.
In 2010, Lou-Huang [21] proposed a new simple three-party password-based authenticated key exchange (LH-3PAKE) scheme based on ECC. By analysis, Lou-Huang claimed that the proposed LH-3PAKE scheme is not only secure against various attacks, but also more efficient than previously proposed 3PAKE schemes [8]. Actually, the proposed LH-3PAKE scheme is
Table 1: Notation used in LH-3PAKE scheme
A,B Two identity numbers of clients (users) TS Trusted server (remote server)
pwA Password shared between userAandTS
pwB Password shared between userBandTS
Eq Elliptic curve
P Generator of the group with ordernof at least 160 bits
d Private key ofTS
F=dP Public key ofTS
h(·) Public one-way hash function ⊕ Bitwise exclusive-or (XOR) operation
suitable for hardware-limited users, such as the limited memory or lower computation capacity, because the ECC can achieve the same level of security with smaller key size. Nevertheless, this paper demonstrates LH-3PAKE scheme is vulnerable to off-line password guessing attacks by an attacker [12, 15, 22].
The remainder of this paper is organized as follows. We subsequently review LH-3PAKE scheme in Section 2. The off-line password guessing attacks on LH-3PAKE scheme are presented in Section 3. Finally, we draw conclusions in Section 4.
2. Review of LH-3PAKE Scheme
This section briefly review LH-3PAKE scheme [21]. Table 1 details the notation used. Before running the scheme, the trusted server first chooses a large prime numberq(q ≈ 2160) and an elliptic curve Eq (the elliptic curveE is over the finite fieldFq); a cyclic groupG =< P >of points over the elliptic curveEq, wherePis the generator of the group and has an ordernof at least 160 bits. It providesnP=Oand its point at infinity isO.
Assume that two clientsA andB wish to construct a common session key. They cannot directly authenticate each other since they do not hold any shared information beforehand. They have to resort to the trusted serverTSfor a session key agreement. Fig. 1 depicts the LH-3PAKE scheme, which involves the following six steps:
1. A→B: (A,ZA,FA)
UserAchooses a random numbertaand computes two pointsQA =taP=(QAx,QAy) and
FA = taF = ta(dP) = d(taP) =dQA over the elliptic curveEq, whereQAxandQAy are thex-component andy-component of pointQA, respectively. Then,Asends (A,ZA,FA) to userB, whereZA=(QAx||QAy)⊕h(pwA,A,B).
2. B→TS: (A,ZA,FA,B,ZB,FB)
UserBalso selects a random numbertband computes two pointsQB =tbP=(QBx,QBy) andFB = tbF = tb(dP) = d(tbP) = dQB over the elliptic curve Eq, where QBx and
QBy are the x-component andy-component of point QB, respectively. Next, Bforwards (A,ZA,FA,B,ZB,FB) to the trusted serveTS, whereZB =(QBx||QBy)⊕h(pwB,A,B). 3. TS →B: (RA,RB)
Upon receiving (A,ZA,FA,B,ZB,FB), TS first uses pwA and pwB to derive two points
QA = ZA ⊕h(pwA,A,B) and QB = ZB ⊕h(pwB,A,B); and then computes two points
F
A =dQA =d(taP) andFB =dQB =d(tbP) overEq. Then,TS checks whetherFA=FA andF
B = FBhold or not. If any of the conditions does not hold,TS will terminate this request for a period of time. Otherwise the trusted serverTS chooses a random numbert and uses the passwordspwAandpwBto compute two pointsRA=t(pwA)QA=t(pwA)(taP) andRB =t(pwB)QB =t(pwB)(tbP) over the elliptic curveEq. Next,TS sends (RA,RB) to userB.
Shared Information:A,B,F=dP,Eq,P,Z∗p,h(·).
Information held byA:A,pwA.
Information held byB:B,pwB.
Information held byTS:S,d,pwA,pwB.
UserA UserB Trusted ServerTS
ta∈Z∗p QA=taP FA=taF ZA=(QAx||QAy)⊕h(pwA,A,B) A,ZA,FA −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→ tb∈Z∗p QB=tbP FB=tbF ZB=(QBx||QBy)⊕h(pwB,A,B) A,ZA,FA,B,ZB,FB −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→ QA=ZA⊕h(pwA,A,B) QB=ZB⊕h(pwB,A,B) VerifyFA=?dQA VerifyFB=?dQB t∈Z∗ p RA=t(pwA)QA=t(pwA)(taP) RB=t(pwB)QB=t(pwB)(tbP) RA,RB ←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− K=tb(pwB)RA SB=h(Kx,Ky,B) RB,SB ←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− K=ta(pwA)RB VerifySB=?h(Kx,Ky,B) SA=h(Kx,Ky,A) SA −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→ VerifySA=?h(Kx,Ky,A)
Shared session key betweenAandB:K=ttatbpwApwBP
Figure 1: LH-3PAKE scheme
WhenBreceives (RA,RB), he/she uses the random numbertband his/her passwordpwBto compute the common key (point)K =tb(pwB)RA =tb(pwB)t(pwA)(taP)=(Kx,Ky) over
EqandSB=h(Kx,Ky,B). Here,KxandKyare thex-component andy-component of point
K, respectively. And userBforwards (RB,SB) to userA. 5. A→B: (SA)
After receiving (RB,SB), user Auses the random numberta and his/her password pwA to derive K = ta(pwA)RB = ta(pwA)t(pwB)(tbP) = (Kx,Ky). Then, A checks whether
SB =h(Kx,Ky,B) holds or not. If it does not hold,Aterminates the protocol. Otherwise,
Kis a valid session key. Then,AcomputesSA=h(Kx,Ky,A) and sends it to userB. 6. Upon receivingSA, userBverifies whetherSA =h(Kx,Ky,A) holds or not. If it does not
hold,Bterminates the protocol. Otherwise,Kis a valid session key andTSis a real trusted server. Both usersAandBcan use this session keyKfor a secure communication. Here, Kis only used for one session.
For security, the random numberstaandtbfor usersAandBare only used once.
3. Cryptanalysis of LH-3PAKE Scheme
This section shows that LH-3PAKE scheme is not secure to off-line password guessing at-tacks [12, 15, 22]. First, we define the security term needed for security problem analysis of the LH-3PAKE scheme as follows:
Definition 1. A weak secret (password pwi) is a value of low entropy Weak(k), which can be
guessed in polynomial time.
3.1. Off-line password guessing attack
Theoff-line password guessing attackscenario is outlined in Fig. 2. LetE be a malicious
attacker mediating betweenBandTS. Then, the malicious attackerEcan perform the following “off-line password guessing attack”.
1. A→B: (A,ZA,FA)
2. B→E(TS): (A,ZA,FA,B,ZB,FB)
WhenBsends (A,ZA,FA,B,ZB,FB) toTS,Eintercepts the message. 3. E→B: (R∗
A,R∗B)
Without any help ofTS,Bchoosese∈Z∗
p randomly. Bthen computesR∗A =ePand lets
R∗
B=R∗A. Finally,Esends (R∗A,R∗B) toB. 4. B→E(A): (R∗
B,SB) Upon receiving (R∗
A,R∗B) fromE,Bwill use the random numbertband his/her password
pwB to compute the common key (point)K=tb(pwB)RA =tb(pwB)eP=(pwB)eQBover
Eq andSB = h(Kx,Ky,B). Here, Kx andKy are the x-component and y-component of pointK, respectively. Finally, the userBwill forward (R∗
B,SB) to userA. At this time,E intercepts the message (R∗
5. By using the interceptedR∗
BandZB,Bguesses a passwordpw∗Band computesQ∗B =ZB⊕
h(pw∗
B,A,B) andK∗=(pw∗B)eQ∗B. Bthen checks ifZA=?h(pw∗A,X⊕h(pw∗A,A,B)). If the check passes, thenBconfirms that the guessed passwordpw∗
Ais the correct one. 6. If it is not correct,Bchooses another password pw∗
Band repeatedly performs above step (5) untilSB=?h(K∗x,K∗y,B).
UserA UserB AttackerE
A,ZA,FA −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→ tb∈Z∗p QB=tbP FB=tbF ZB=(QBx||QBy)⊕h(pwB,A,B) A,ZA,FA,B,ZB,FB −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→ Intercept (A,ZA,FA,B,ZB,FB) Choosee∈Z∗ p ComputeR∗ A=eP LetR∗ B=RA R∗ A,R∗B ←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− K=tb(pwB)RA=tb(pwB)eP=(pwB)eQB SB=h(Kx,Ky,B) R∗ B,SB ←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− AttackerE Intercept (R∗ B,SB)
Perform Off-line password guessing attack 1 (ZB,R∗
B,A,B,D){ fori:=0 to|D| { Guesspw∗ B←D; ComputeQ∗ B=ZB⊕h(pw∗B,A,B); ComputeK∗=(pw∗ B)eQ∗B; ifSB==h(K∗ x,K∗y,B) then returnpw∗B } }
Figure 2: Off-line password guessing attack
3.2. Real applications for the proposed password guessing attacks
In the modern life which the Internet has strong influence to people, passwords are the most common means of user authentication on the Internet. For practical applications, password-based authentication protocols are required when making use of Internet network services like E-learning, on-line polls, on-line ticket-order systems, roll call systems, on-line games, etc. Sup-pose that the passwordpwAof userAcan be revealed by the attacker due to the above described password guessing attacks. In real applications, users offer the same password as above to access
several application servers for their convenience. Thus, an attacker may try to use the guessed password pwAto impersonate the userAto login to other systems that the userAhas registered with outside this LH-3PAKE protocol-based server. If the targeted outside server adopts the nor-mal authentication protocol, it is possible that the attacker can successfully impersonate the user Ato login to it by using the guessed password pwA. Therefore, the password breach cannot be revealed by the attacker’s actions.
4. Conclusions
Three-party authenticated key exchange technology has been widely deployed in various kinds of applications. Recently, Lou-Huang proposed a new simple three-party password-based authenticated key exchange (LH-3PAKE) scheme based on ECC. However, we have demon-strated that LH-3PAKE scheme still falls prey to off-line password guessing attacks by an at-tacker. For this reason, LH-3PAKE scheme is insecure for practical application. It is important that security engineers should be made aware of this, if they are responsible for the design and development of three-party password-based authenticated key exchange systems.
References
[1] Bellovin SM, Merritt M. Encrypted key exchange: password-based protocols secure against dictionary attacks. In: Proc. 1992 IEEE Symposium on Research in Security and Privacy.Lecture Notes in Computer Science, 1992; 72–84.
[2] Steiner M, Tsudik G, and Waidner M. Refinement and extension of encrypted key exchange.ACM Operating Systems Review.1995;29:22–30.
[3] Lin CL, Sun HM, Hwang T. Three-party encrypted key exchange: attacks and a solution.ACM Operating Systems Review.2000;34:12–20.
[4] Chang CC, Chang, YF. A novel three-party encrypted key exchange protocol.Computer Standards and Interfaces. 2004;26(5):472–476.
[5] Lee TF, Hwang T, Lin CL. Enhanced three-party encrypted key exchange without server public keys.Computer& Security.2004;23(7):571–577.
[6] Lee SW, Kim HS, Yoo KY. Efficient verifier-based key agreement protocol for three parties without server’s public key.Applied Mathematics and Computation.2005;167(2), 996–1003.
[7] Sun HM, Chen BC, Hwang T. Secure key agreement protocols for three-party against guessing attacks.Journal of Systems and Software.2005;75:63–68.
[8] Lu RX, Cao ZF. Simple three-party key exchange protocol.Computers&Security.2007;26:94–97.
[9] Yoon EJ, Yoo KY, Improving the novel three-party encrypted key exchange protocol.Computer Standards& Inter-faces.2008;30(5);309–314.
[10] Phan RCW, Yau WC, Goi BM, Cryptanalysis of simple three-party key exchange protocol (S-3PAKE).Information Sciences.2008;178:2849–2856.
[11] Guo H, Li Z, Mu Y. Zhang X. Cryptanalysis of simple three-party key exchange protocol.Computers&Security.
2008;27:16–21.
[12] Kim HS, Choi JY. Enhanced password-based simple three-party key exchange protocol.Computers&Electrical Engineering.2009;35:107–114.
[13] Huang HF. A simple three-party password-based key exchange protocol.International Journal Of Communication Systems.2009;22:857–862.
[14] Yang JH, Chang CC. An efficient three-party authenticated key exchange protocol using elliptic curve cryptography for mobile-commerce environments.Journal of Systems and Software.2009;82(9):1497–1502.
[15] Ding Y, Horster P. Undetectable on-line password guessing attacks.ACM Operating Systems Review. 1995;
29(4):77–86.
[16] Diffie W, Hellman ME. New directions in cryptography. IEEE Transactions on Information Theory. 1976;
22(6):644–654.
[17] Rivest RL, Shamir A, Adleman ML. A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM.1978;21:120–126.
[19] Miller V. Uses of elliptic curves in cryptography.Advances in Cryptology.CPYPTO’85. Lecture Notes in Computer Science, vol. 218. Springer: Berlin, 1986; 417–426.
[20] Vanstone S. Responses to NIST’s proposal.Communications of the ACM.1992;35:50–52.
[21] Lou DC, Huang HF. Efficient three-party password-based key exchange scheme.International Journal Of Commu-nication Systems.2010; Article first published online: 26 SEP 2010 — DOI: 10.1002/dac.1172.
[22] Yoon EJ, Yoo KY. Cryptanalysis of a simple three-party password-based key exchange protocol.International Journal Of Communication Systems.2010; Article first published online: 12 JUL 2010 — DOI: 10.1002/dac.1168. [23] Diffie W, van Oorschot PC, Wiener MJ. Authentication and authenticated key exchanges.Design, Codes and
Cryp-tography.1992;2(2):107–125.
[24] Choo KKR, Boyd C, Hitchcock Y. Examining indistinguishability-based proof models for key establishment pro-tocols.In: Advances in Cryptology-Asiacrypt’05.Lecture Notes in Computer Science, vol. 3788. Springer: Berlin, 2005; 585–604.
[25] BruteForceCalc. Brute force attack estimator. Mandylion Research Labs. 2006; Available from: http://www.mandylionlabs.com/PRCCalc/BruteForceCalc.htm.