
Analysis of the SPEKE Password-Authenticated Key Exchange Protocol

Analysis of the SPEKE Password-Authenticated Key Exchange Protocol. Source: IEEE COMMUNICATIONS LETTERS, Vol. 8, No. 1, Jan. 2004, pp. 63-65 Authors: Muxiang Zhang Speaker: Chia-Chi Wu Date: 2004/10/6. Outline. SPEKE Password-authenticated Key Exchange


Presentation Transcript


  1. Analysis of the SPEKE Password-Authenticated Key Exchange Protocol
     Source: IEEE COMMUNICATIONS LETTERS, Vol. 8, No. 1, Jan. 2004, pp. 63-65
     Authors: Muxiang Zhang
     Speaker: Chia-Chi Wu
     Date: 2004/10/6

  2. Outline
     • SPEKE Password-authenticated Key Exchange
     • A Fully constrained SPEKE
     • Password Guessing Attack on SPEKE
     • Conclusions

  3. Notations
     • Role: A, B
     • : The password shared by A and B.
     • : The set of all possible passwords.
     • $r_A$, $r_B$: random numbers chosen by A and B.
     • f(S): a function that converts S into a suitable DH base.
     • h( ): a strong one-way hash function.
     • K: generated session key.

  4. Primitive Roots
     • If p is a prime and $g \in G_p$, then g is a primitive root mod p if for each b from 1 to p-1 there exists some a where $g^a \equiv b \bmod p$.
     P=11, g=2, T=10
     $2^1 = 1 \bmod 11$, $2^2 = 2 \bmod 11$, $2^3 = 8 \bmod 11$, $2^4 = 5 \bmod 11$, $2^5 = 10 \bmod 11$, $2^6 = 9 \bmod 11$, $2^7 = 7 \bmod 11$, $2^8 = 3 \bmod 11$, $2^9 = 6 \bmod 11$, $2^{10} = 1 \bmod 11$
     (10)=4, {1,3,7,9}
     $2^1 = 2 \bmod 11$, $2^3 = 8 \bmod 11$, $2^7 = 7 \bmod 11$, $2^9 = 6 \bmod 11$

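  5. SPEKE Password-authenticated Key Exchange
     SPEKE (Simple Password Exponential Key Exchange)
     Messages exchanged between A and B, in slide order: $x_A$; $x_B$; h(h(K)); h(K)
     • $x_A = f()^{r_A} \bmod p$, $r_A \in Z_p^*$
     • $x_B = f()^{r_B} \bmod p$, $r_B \in Z_p^*$
     • $K = x_B^{r_A} \bmod p$
     • $K = x_B^{r_A} \bmod p = f()^{r_B r_A} \bmod p = f()^{r_A r_B} \bmod p = x_A^{r_B} \bmod p$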

  6. Subgroups of $Z_p^*$ for a safe prime p=2q+1
     [Diagram labels: $G_{p-1}$, $G_q$, $G_2$, p-1, 1, $G_1$, generator of $G_q$, primitive roots]
     We know $X_A^{(p-1)/t}$ is of order q.
     Consider any $G_t$ and $G_q$, q is prime, and t<q. We can see that intersection $G_t \cap G_q = G_1$.
     Since $K \in G_q$, if K is also confined to $G_t$, then $K \in G_1$, or K=1.

  7. A Fully constrained SPEKE
     • Assume that the password space  is a small subset of $Z_p^*$.
     • P is a safe prime:
       • P=2q+1 and q is also a prime.
     • $f() = {}^2 \bmod P$
     • =0,1,p-1 are excluded.

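  8. A Fully constrained SPEKE
     Messages exchanged between A and B, in slide order: $x_A$; $x_B$, h(h(h(K))); h(h(K))
     • $x_A = ({}^2)^{r_A} \bmod p$, $r_A \in Z_p^*$
     • $x_B = ({}^2)^{r_B} \bmod p$, $r_B \in Z_p^*$
     • $K = (x_A^2)^{r_B} \bmod p$ (Note: K>2)
     • $K = (x_A^2)^{r_B} \bmod p = (({}^2)^{r_A})^{2 r_B} \bmod p = (({}^2)^{r_B})^{2 r_A} \bmod p = (x_B^2)^{r_A} \bmod p$
     • session key: h(K)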

  9. Password Guessing Attack on SPEKE
     • $a = b^i \bmod p$
     • $i = \log_a b$ (without mod p)
     • We say that b and a are exponentially equivalent.
     • Assume that there are m passwords, say ${}_1, {}_2, \ldots, {}_m$, which are exponentially equivalent to an integer a, that is, ${}_1 = a^{j_1}, {}_2 = a^{j_2}, \ldots, {}_m = a^{j_m}$
     • {2,4,8,…}, {3,9,27,…}, {5,25,125,…}, {6,36,216,…}

  10. Password Guessing Attack on SPEKE
     Messages between E and B: E sends x; B returns $x_B$, h(h(h(K)))
     1. E picks a random r and computes $x = a^r \bmod p$.
     2. $x_B = ({}^2)^{r_B} \bmod p$, $r_B \in Z_p^*$; $K = (x^2)^{r_B} \bmod p$, V = h(h(h(K))) (Note: K>2)
     3. E aborts after receiving $x_B$ and V from B.

  11. Password Guessing Attack on SPEKE
     • E performs off-line password guessing on .
     • E computes the inverse of $j_1, j_2, \ldots, j_m \bmod p-1$.
     • For each ${}_i$, $1 \le i \le m$, E computes
       $K_i = (x_B)^{r j_i^{-1}} \bmod p$
       $V_i = h(h(h(K_i)))$
     • If the password of B is equal to ${}_i = a^{j_i}$, then
       $K_i = (x_B)^{r j_i^{-1}} \bmod p = ({}_i^2)^{r_B r j_i^{-1}} \bmod p = (a^{2 j_i})^{r_B r j_i^{-1}} \bmod p = x^{2 r_B} \bmod p = K$
     • E checks if $V = V_i$ for every $1 \le i \le m$. If $V = V_i$, then the password of B is ${}_i$.

  12. Conclusions
     • It can attack generic SPEKE protocol. (when f() is used as the base for exponentiation)
     • The adversary can test multiple possible passwords in an impersonation.
     • A hash function is no guarantee that all passwords are exponentially inequivalent.
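The identity on slide 11 and the "multiple passwords per impersonation" conclusion can be checked numerically. The following is an added example, not code from the paper or the presentation; it assumes a toy safe prime P = 10007, SHA-256 in place of h(), and hypothetical function names.

```python
import hashlib
import secrets

P = 10007          # toy safe prime, constructed for this example: P = 2*Q + 1
Q = (P - 1) // 2   # 5003, also prime

def h3(k):
    """V = h(h(h(K))); SHA-256 stands in for the slides' unspecified h()."""
    d = str(k).encode()
    for _ in range(3):
        d = hashlib.sha256(d).digest()
    return d

def b_respond(password, x):
    """Honest B from slide 8: returns (x_B, V) for the received value x."""
    r_b = secrets.randbelow(Q - 1) + 1
    x_b = pow(password * password % P, r_b, P)
    k = pow(x * x % P, r_b, P)
    return x_b, h3(k)

def equivalent_exponents(a):
    """All j with a**j < P: candidate passwords exponentially equivalent to a."""
    js, v = [], a
    while v < P:
        js.append(len(js) + 1)
        v *= a
    return js

def candidates_checked(a, password):
    """One aborted run against B (slide 10), then the offline test of slide 11.
    Returns (number of candidates covered, matched password or None)."""
    r = secrets.randbelow(Q - 1) + 1
    x = pow(a, r, P)
    x_b, v = b_respond(password, x)        # the only online message pair
    js = equivalent_exponents(a)
    for j in js:
        # Slide 11 inverts j mod p-1; x_B has order Q, so inverting mod Q
        # yields the same K_i and also exists for even j.
        k_i = pow(x_b, r * pow(j, -1, Q), P)
        if h3(k_i) == v:
            return len(js), a ** j
    return len(js), None

if __name__ == "__main__":
    print(candidates_checked(2, 32))   # password 2**5 is in the group of a = 2
    print(candidates_checked(2, 3))    # 3 is not a power of 2: no match
```

With this toy prime, a single aborted run covers all 13 powers of 2 below P, which is the exposure a password-space audit would want to measure for each base.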
