2.1.2. Protocol Description

KDCA and KDCB are key distribution centers which store (Alice's identity, ID(A), and password, pwa) and (Bob's identity, ID(B), and password, pwb) respectively. K is a symmetric key shared between KDCA and KDCB.

1. Alice chooses x ∈_R Z_p^* randomly, computes and sends E_{pwa}(g^x), ID(A) and ID(B) to KDCA.

2. KDCA obtains g^x by decrypting E_{pwa}(g^x). KDCA selects r ∈_R Z_p^* randomly and makes TicketB = E_K(g^{x·r}, g^r, ID(A), ID(B), L). L is the lifetime of TicketB. Then KDCA sends TicketB, ID(A), ID(B) and L to Alice.

3. Upon receiving the message from KDCA, Alice forwards TicketB to Bob with ID(A).

4. Bob chooses y ∈_R Z_p^* randomly and computes E_{pwb}(g^y). Then he sends E_{pwb}(g^y), ID(A) and ID(B) to KDCB with TicketB.

5. KDCB obtains g^{x·r} and g^r by decrypting TicketB, selects r' ∈_R Z_p^* randomly and computes g^{x·r·r'} and g^{r·r'}. Next KDCB sends g^{x·r·r'} and g^{r·r'} to Bob.

6. Bob makes cs = H1(g^{x·y·r·r'}) using g^{x·r·r'} and y. Then Bob chooses a random number a ∈_R Z_p^* and computes E_cs(g^a) and g^{r·r'·y}. Finally, Bob sends E_cs(g^a) and g^{r·r'·y} to Alice.

7. Alice can also compute cs using g^{r·r'·y} and x. Next, Alice selects b ∈_R Z_p^* randomly and computes the session key sk = H2(g^{ab}) and E_cs(g^b). Finally she sends E_sk(g^a) and E_cs(g^b) for session key confirmation.

8. After receiving E_sk(g^a) and E_cs(g^b), Bob gets g^b by decrypting E_cs(g^b) with cs and computes sk with g^b and a. Bob verifies g^a by decrypting E_sk(g^a) with sk. Bob sends E_sk(g^b) to Alice to confirm the session key.

9. Alice verifies g^b by decrypting E_sk(g^b) with sk.

2.2 Cryptanalysis of Modified C2C-PAKE Protocol

Let an outside attacker with knowledge of the whole cross-realm architecture come in between client A and KDCA. In the first message transfer from A to KDCA, he may snoop the message and replace IDB with some other ID, say IDC, which is a legitimate client in the other realm. Upon receiving the message from A, KDCA makes TicketC = E_K(g^{x·r}, g^r, IDA, IDC, L), which is not the intended ticket for client B. When KDCA sends the message to A in step 2, the attacker can again change IDC back to IDB. Hence, A does not know what happened in between, as she cannot decrypt the ticket.

In the same way the attacker may snoop the message in step 4 and modify IDB to IDC. After decrypting the ticket, KDCB assumes that client A wants to communicate with client C, as he receives the same IDC from both the message and the ticket. He may discard E_{pwb}(g^y) as a redundant message because he cannot discard TicketC, as it is issued by KDCA. In step 5 KDCB sends the message to client C, and the rest of the steps are executed normally. In this way, client A establishes the intended session key with client C, not with the actual client B. In the modified C2C-PAKE protocol there is no verifiable message by which both A and B can confirm each other's identity after step 4. In this way, the attacker may trap client C and communicate with client A pretending to be client B. This causes an identity mis-binding attack.

In step 2, the attacker may modify the lifetime L of the ticket to a higher value than the one specified by KDCA. But KDCB obtains the actual value of L from the ticket. As client A holds the inflated L value, she may request service from KDCB within the extended time period, but KDCB is unable to provide the service after the actual lifetime L. This causes a Denial of Service (DoS) attack.

3. Proposed Protocol

In our proposed protocol every host is registered with the TTP with a different password. The hosts and the TTP agree upon a family of commutative one-way hash functions which is used for host authentication. One-way hashes of the passwords are stored instead of the plaintext passwords. A one-way function is a function F such that for each x in the domain of F it is easy to compute y = F(x), but given F(x) it is computationally infeasible to find any x.

3.1 Notations

The following notations are used in this paper.

Alice, Bob    Honest hosts
TTP           Trusted third party
IDA, IDB      Identities of Alice and Bob
pwa, pwb      Passwords of Alice and Bob
E_K(X)        Encryption of plaintext X using key K
D_K(X)        Decryption of ciphertext X using key K
SK            Session key between A and B
H(pwa)        One-way hash of the password of A
g             Generator of the cyclic group
p, q          Large prime numbers
A → B: M      A sends message "M" to B
TicketB       Kerberos ticket issued to A for service from B
sgnA(.)       Signature generated using the private key of A
K             Shared secret key between TTP1 and TTP2

3.2 Proposed Protocol

Here we describe the steps involved in the protocol in detail. g, p and q are global parameters shared by the protocol participants.

3.2.1 Single-Server Setting
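Before the steps of the proposed protocol, here is an added, runnable reference run of the modified C2C-PAKE exchange of Section 2.1.2 (example code, not from the paper). It plays all four parties over a toy group (p = 2039, q = 1019, g = 4; an assumption of this example, far too small for real use), models E_K(.) as a toy XOR keystream cipher and H1, H2 as domain-separated SHA-256 (also assumptions), and checks that Alice and Bob arrive at the same cs and sk. The only identity check in the run is KDCB comparing the IDs inside TicketB with the cleartext IDs of step 4; neither copy is bound to a password, which is the property Section 2.2 relies on. The identity strings and the lifetime value are constructed for the example.

```python
import hashlib
import json
import secrets

# Toy group (assumption of this example): p = 2039 and q = 1019 are primes with
# p = 2q + 1, and g = 4 generates the subgroup of prime order q.  A real
# deployment would use a group of 2048 bits or more.
P, Q, G = 2039, 1019, 4


def rand_exp():
    """A random exponent in {1, ..., q-1} (the paper's x ∈_R Z_p^*)."""
    return 1 + secrets.randbelow(Q - 1)


def enc(key, msg):
    """Toy E_K(.): XOR with a SHA-256 keystream.  Symmetric, so D_K == E_K.
    A stand-in for the paper's symmetric cipher, not a secure construction."""
    blocks = len(msg) // 32 + 1
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(blocks))
    return bytes(m ^ s for m, s in zip(msg, stream))


dec = enc


def H(label, value):
    """H1 / H2: modelled as domain-separated SHA-256 of the group element."""
    return hashlib.sha256(label + value.to_bytes(2, "big")).digest()


def to_b(value):
    return json.dumps(value).encode()


def from_b(data):
    return json.loads(data.decode())


def run_modified_c2c_pake(pwa, pwb, K, ida="alice@realmA", idb="bob@realmB", L=3600):
    """Runs steps 1-9 and returns (sk at Alice, sk at Bob), or None on failure."""
    # Step 1: Alice -> KDCA: E_pwa(g^x), ID(A), ID(B)
    x = rand_exp()
    msg1 = (enc(pwa, to_b(pow(G, x, P))), ida, idb)

    # Step 2: KDCA -> Alice: TicketB = E_K(g^{x r}, g^r, ID(A), ID(B), L), IDs, L
    gx = from_b(dec(pwa, msg1[0]))
    r = rand_exp()
    ticket = enc(K, to_b([pow(gx, r, P), pow(G, r, P), msg1[1], msg1[2], L]))
    msg2 = (ticket, ida, idb, L)

    # Step 3: Alice -> Bob: TicketB, ID(A)
    msg3 = (msg2[0], ida)

    # Step 4: Bob -> KDCB: E_pwb(g^y), ID(A), ID(B), TicketB
    y = rand_exp()
    msg4 = (enc(pwb, to_b(pow(G, y, P))), msg3[1], idb, msg3[0])

    # Step 5: KDCB decrypts TicketB, compares the ticket IDs with the cleartext
    # IDs (the only binding check in this protocol), then sends g^{x r r'}, g^{r r'}
    gxr, gr, t_ida, t_idb, t_L = from_b(dec(K, msg4[3]))
    if (t_ida, t_idb) != (msg4[1], msg4[2]):
        return None
    r2 = rand_exp()
    msg5 = (pow(gxr, r2, P), pow(gr, r2, P))

    # Step 6: Bob -> Alice: cs = H1(g^{x y r r'}), E_cs(g^a), g^{r r' y}
    cs_bob = H(b"H1", pow(msg5[0], y, P))
    a = rand_exp()
    ga = pow(G, a, P)
    msg6 = (enc(cs_bob, to_b(ga)), pow(msg5[1], y, P))

    # Step 7: Alice -> Bob: cs from g^{r r' y} and x; sk = H2(g^{ab}); E_sk(g^a), E_cs(g^b)
    cs_alice = H(b"H1", pow(msg6[1], x, P))
    ga_alice = from_b(dec(cs_alice, msg6[0]))
    b = rand_exp()
    gb = pow(G, b, P)
    sk_alice = H(b"H2", pow(ga_alice, b, P))
    msg7 = (enc(sk_alice, to_b(ga_alice)), enc(cs_alice, to_b(gb)))

    # Step 8: Bob recovers g^b, derives sk, confirms g^a, sends E_sk(g^b)
    gb_bob = from_b(dec(cs_bob, msg7[1]))
    sk_bob = H(b"H2", pow(gb_bob, a, P))
    if from_b(dec(sk_bob, msg7[0])) != ga:
        return None
    msg8 = enc(sk_bob, to_b(gb_bob))

    # Step 9: Alice confirms g^b under sk
    if from_b(dec(sk_alice, msg8)) != gb:
        return None
    return sk_alice, sk_bob


if __name__ == "__main__":
    keys = run_modified_c2c_pake(b"alice-pw", b"bob-pw", b"kdc-shared-K")
    print("session keys match:", keys is not None and keys[0] == keys[1])
```

Each message tuple is exactly what crosses the wire in the corresponding step, so a reader can see which values travel in the clear (the IDs in steps 1 to 4, g^{r·r'·y} in step 6) and which are only ever seen under a password, K, cs or sk.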
(IJCNS) International Journal of Computer and Network Security, Vol. 2, No. 6, June 2010, p. 77
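To make the single-server exchange concrete, here is an added, runnable simulation of steps v to viii of this subsection (example code, not from the paper). It assumes, as a stand-in for the earlier steps that are not part of this excerpt, that A holds her secret r and that B has already decrypted g^{r·t·t'} and g^{t·t'} (mod p) from the TTP. The toy group (p = 2039, q = 1019, g = 4), the XOR-keystream stand-in for E_K(.), the SHA-256 key derivation applied to Ke and SK before they are used as cipher keys, and the choice of a Schnorr signature in the same group for sgnA(.) and sgnB(.) are all assumptions of this example; the paper does not fix the signature scheme.

```python
import hashlib
import json
import secrets

# Toy group (assumption of this example): primes p = 2039, q = 1019 with p = 2q + 1,
# and g = 4 of prime order q.  Real deployments use 2048-bit or larger groups.
P, Q, G = 2039, 1019, 4


def rand_exp():
    return 1 + secrets.randbelow(Q - 1)


def enc(key, msg):
    """Toy E_K(.): XOR with a SHA-256 keystream (symmetric, so D_K == E_K); a
    stand-in for the paper's cipher, not a secure construction."""
    blocks = len(msg) // 32 + 1
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(blocks))
    return bytes(m ^ s for m, s in zip(msg, stream))


dec = enc


def kdf(element):
    """Derives a cipher key from a group element such as Ke or SK (assumption)."""
    return hashlib.sha256(element.to_bytes(2, "big")).digest()


def to_b(value):
    return json.dumps(value).encode()


def from_b(data):
    return json.loads(data.decode())


def sig_input(identity, ra, rb):
    """The concatenation that is signed, e.g. (IDB, RA, RB)."""
    return f"{identity}|{ra}|{rb}".encode()


def schnorr_sign(priv, msg):
    """sgn_X(.) modelled as a Schnorr signature in the same group (assumption).
    Returns [e, s] with e = H(g^k || msg) and s = k - priv*e mod q."""
    k = rand_exp()
    R = pow(G, k, P)
    e = int.from_bytes(hashlib.sha256(R.to_bytes(2, "big") + msg).digest(), "big")
    return [e, (k - priv * e) % Q]


def schnorr_verify(pub, msg, sig):
    e, s = sig
    R = (pow(G, s, P) * pow(pub, e, P)) % P  # g^s * pub^e recovers g^k
    return int.from_bytes(hashlib.sha256(R.to_bytes(2, "big") + msg).digest(), "big") == e


def run_steps_v_to_viii(ida="alice", idb="bob"):
    """Returns (SK at A, SK at B) as key bytes, or None if a check fails."""
    # Stand-in for the earlier steps, which are not in this excerpt: A holds the
    # secret r, the TTP chose t and t', and B has already decrypted
    # g^{r t t'} and g^{t t'} (mod p).
    r, t, t2 = rand_exp(), rand_exp(), rand_exp()
    g_rtt, g_tt = pow(G, r * t * t2, P), pow(G, t * t2, P)

    # Step v (B): s, Ke = g^{r t t' s}; b, RB = g^b; send g^{t t' s}, E_Ke(IDA, IDB, RB)
    s = rand_exp()
    ke_b = kdf(pow(g_rtt, s, P))
    b = rand_exp()
    RB = pow(G, b, P)
    msg_v = (pow(g_tt, s, P), enc(ke_b, to_b([ida, idb, RB])))

    # Step vi (A): Ke = (g^{t t' s})^r; recover RB; a, RA = g^a; SK = RB^a;
    # send E_Ke(RA), E_SK(sgnA(IDB, RA, RB))
    ke_a = kdf(pow(msg_v[0], r, P))
    got_ida, got_idb, RB_at_a = from_b(dec(ke_a, msg_v[1]))
    if (got_ida, got_idb) != (ida, idb):
        return None
    a = rand_exp()
    RA = pow(G, a, P)
    sk_a = kdf(pow(RB_at_a, a, P))
    msg_vi = (enc(ke_a, to_b(RA)),
              enc(sk_a, to_b(schnorr_sign(a, sig_input(idb, RA, RB_at_a)))))

    # Step vii (B): RA = D_Ke(.); SK = RA^b; verify A's signature under RA;
    # send E_SK(sgnB(IDA, RA, RB))
    RA_at_b = from_b(dec(ke_b, msg_vi[0]))
    sk_b = kdf(pow(RA_at_b, b, P))
    if not schnorr_verify(RA_at_b, sig_input(idb, RA_at_b, RB), from_b(dec(sk_b, msg_vi[1]))):
        return None
    msg_vii = enc(sk_b, to_b(schnorr_sign(b, sig_input(ida, RA_at_b, RB))))

    # Step viii (A): verify B's signature under RB; both now hold SK = g^{ab}
    if not schnorr_verify(RB_at_a, sig_input(ida, RA, RB_at_a), from_b(dec(sk_a, msg_vii))):
        return None
    return sk_a, sk_b


if __name__ == "__main__":
    keys = run_steps_v_to_viii()
    print("both hosts hold the same SK:", keys is not None and keys[0] == keys[1])
```

The two signatures are verified with the public keys RA and RB recovered from the exchange itself, so each host confirms the other's possession of the private exponent behind the Diffie-Hellman share and that the share was meant for this pair of identities, which is the key-confirmation step the security analysis later relies on.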
v. B obtains g^{r·t·t'} (mod p) and g^{t·t'} (mod p) after decrypting the message. He chooses s at random and finds an ephemeral key Ke = g^{r·t·t'·s} (mod p). He also randomly selects his private key b and calculates his public key RB = g^b (mod p). Next, RB concatenated with the IDs of the hosts is encrypted using the ephemeral key Ke. Then he sends this encrypted value and g^{t·t'·s} (mod p) to A.

B → A : g^{t·t'·s} (mod p), E_Ke(IDA, IDB, RB)

vi. After receiving the message, A finds the ephemeral key Ke using r and g^{t·t'·s} (mod p). She also recovers RB from the message and chooses her private and corresponding public key as a and RA respectively, where RA = g^a (mod p). She computes the session key SK = (RB)^a (mod p) = g^{ba} (mod p). A concatenates RA, RB and IDB and creates a signature of the result using her private key a. The signature is encrypted using the session key SK and sent to B along with the encrypted value of RA.

A → B : E_Ke(RA), E_SK(sgnA(IDB, RA, RB))

vii. Upon receiving the message, B obtains RA by decrypting the message, computes the intended session key SK = (RA)^b (mod p) = g^{ab} (mod p), and verifies A's signature. If the signature is verified, B creates a signature in exactly the same way as A did and encrypts it using the session key SK. Then he sends the encrypted signature to A.

B → A : E_SK(sgnB(IDA, RA, RB))

viii. Finally, A verifies the signature and, if it is verified, is assured that both hosts hold the same session key SK.

4. Security Analysis of Proposed Protocol

In this section, the security of the proposed protocols is analysed. Our proposed protocols are secure against the types of attacks considered in [13,14], including the identity mis-binding attack and the Denial of Service attack.

4.1. Identity Mis-binding Attack:

Unlike the modified C2C-PAKE protocol, the IDs of the communicating entities are encrypted using the one-way hash value of the passwords in the proposed protocol. So the adversary cannot change any of the IDs of the hosts. As a result, the proposed protocols are secure against the identity mis-binding attack.

An adversary with pwa (or pwb) can easily compute g^r by decrypting E_{H(pwa)}(g^r). But these values do not help to compute Ke or SK in old sessions, because the session key generation is based on the Diffie-Hellman problem. Therefore the proposed protocol provides perfect forward secrecy.

4.4. Denning-Sacco Attack:

Now we show that our protocol is secure against the Denning-Sacco attack. Like the original C2C-PAKE protocol, we classify an adversary into two types: an insider adversary and an outsider adversary.

4.4.1. In case of Outsider Adversary:

An outsider adversary with the session keys Ke and SK can compute g^a, g^b and all conversations in the protocol. But he cannot verify a candidate password pwa' (or pwb') for pwa (or pwb), since he cannot get r (or s), which is a random secret value of A (or B).

4.4.2. In case of Insider Adversary with pwa:

We show that such an adversary cannot mount a dictionary attack on pwb. To verify a candidate password pwb' for pwb, he must get g^s. Since the value of s is a random number of B, he cannot compute a valid g^s.

4.4.3. In case of Insider Adversary with pwb:

Similar to the case of the insider adversary with pwa, he must get g^r to verify a candidate password pwa' for pwa. Since the value of r is a random number of A, he cannot compute a valid g^r.

4.5 Dictionary Attack:

In case of compromise of pwa or pwb, an adversary can mount a dictionary attack if he gets g^r or g^s. However, as analysed for the Denning-Sacco attack, he cannot obtain these values, so he cannot mount a dictionary attack.

4.6 On-line guessing attack, man in the middle attack and replay attack:

With regard to the on-line guessing attack, the man-in-the-middle attack and the replay attack, the analysis is the same as for the original C2C-PAKE protocol.

4.7 Chen's attack:

Regarding Chen's attack, there is no verifiable ciphertext based on a password in TicketB. So it is secure against the dictionary attack by a malicious TTP2.

5. CONCLUSION
[3] W. Stallings, Cryptography and Network Security, 3rd Edition, Pearson Education, 2004.
[4] B. A. Forouzan, Cryptography and Network Security, Tata McGraw Hill, Special Indian Edition, 2007.
[5] W. Diffie and M. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, vol. IT-11, pp. 644–654, November 1976.
[6] Y. Her-Tyan and S. Hung-Min, "Simple Authenticated Key Agreement Protocol Resistant to Password Guessing Attacks," ACM SIGOPS Operating Systems Review, vol. 36, no. 4, pp. 14–22, October 2002.
[7] M. Steiner, G. Tsudik, and M. Waidner, "Refinement and Extension of Encrypted Key Exchange," ACM Operating Systems Review, vol. 29, no. 3, pp. 22–30, 1995.
[8] Y. Ding and P. Horster, "Undetectable On-Line Password Guessing Attacks," ACM Operating Systems Review, vol. 29, no. 4, pp. 77–86, October 1995.
[9] C. L. Lin, H. M. Sun, and Hwang, "Three-Party Encrypted Key Exchange: Attacks and a Solution," ACM Operating Systems Review, vol. 34, no. 4, pp. 12–20, October 2000.
[10] M. Bellare, D. Pointcheval and P. Rogaway, "Authenticated key exchange secure against dictionary attacks," in Eurocrypt 2000, LNCS 1807, pp. 139–155, Springer-Verlag, 2000.
[11] E. Bresson, O. Chevassut and D. Pointcheval, "New security results on encrypted key exchange," in PKC 2004, LNCS 2947, pp. 145–158, Springer-Verlag, Mar. 2004.
[12] V. Boyko, P. MacKenzie and S. Patel, "Provably secure password-authenticated key exchange using Diffie-Hellman," in Eurocrypt 2000, LNCS 1807, pp. 156–171, Springer-Verlag, May 2000.
[13] J. W. Byun, I. R. Jeong, D. H. Lee and C. S. Park, "Password-authenticated key exchange between clients with different passwords," in ICICS'02, LNCS 2513, pp. 134–146, Springer-Verlag, Dec. 2002.
[14] L. Chen, "A Weakness of the Password-Authenticated Key Agreement between Clients with Different Passwords Scheme," document circulated for consideration at the 27th SC27/WG2 meeting, Paris, France, 2003-10-20/24, 2003.
[15] J. Kim, S. Kim, J. Kwak and D. Won, "Cryptanalysis and improvement of password authenticated key exchange scheme between clients with different passwords," in ICCSA'04, LNCS 3043, pp. 895–902, Springer-Verlag, May 2004.
[16] D. Denning and G. Sacco, "Timestamps in key distribution protocols," Communications of the ACM, vol. 24, no. 8, pp. 533–536, 1981.
[17] O. Goldreich and Y. Lindell, "Session-key generation using human memorable passwords only," in Crypto 2001, LNCS 2139, pp. 408–432, Springer-Verlag, Aug. 2001.
[18] J. Katz, R. Ostrovsky and M. Yung, "Efficient password-authenticated key exchange using human-memorable passwords," in Eurocrypt 2001, LNCS 2045, pp. 475–494, Springer-Verlag, May 2001.
[19] S. Jiang and G. Gong, "Password-based Key exchange with mutual authentication," in SAC 2004, LNCS 3006, pp. 291–306, Springer-Verlag, 2004.
[20] S. Kulkarni, D. Jena, and S. K. Jena, "A novel secure key agreement protocol using trusted third party," International Journal of Computer Science and Security, Volume (1): Issue (1), pp. 11–18, 2007.

Authors Profile

Pritiranjan Bijayasingh received the B.E. degree in Computer Science and Engineering from Balasore College of Engineering and Technology in 2005. He has been a Lecturer at Balasore College of Engineering and Technology since 26.08.2005. He is now pursuing his M.Tech degree at International Institute of Information Technology, Bhubaneswar, Orissa, India. His research area of interest is Information Security.

Debasish Jena was born on 18 December 1968. He received his B.Tech degree in Computer Science and Engineering, his Management degree and his M.Tech degree in 1991, 1997 and 2002 respectively. He has been an Assistant Professor at the Centre for IT Education since 01.02.2006. He submitted his thesis for the Ph.D. at NIT Rourkela on 5th April 2010. In addition to his responsibilities, he was also IT Consultant to the Health Society, Govt. of Orissa for a period of 2 years from 2004 to 2006. His research areas of interest are Information Security, Web Engineering, Bio-Informatics and Database Engineering.