1 / 14

RSA-based password authenticated key exchange protocol

RSA-based password authenticated key exchange protocol. Presenter: Jung-wen Lo( 駱榮問 ). Outline. Introduction

stacia
Download Presentation

RSA-based password authenticated key exchange protocol

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. RSA-based password authenticated key exchange protocol Presenter: Jung-wen Lo(駱榮問)

  2. Outline • Introduction • C.C. Yang, R.C. Wang, "Cryptanalysis of improvement of password authenticated key exchange based on RSA for imbalanced wireless networks," IEICE Transactions on Communications, Vol. E88-B, No. 11, pp. 4370-4372, 2005. • Chien-Lung Hsu, Wen-Te Lin, and Yen-Chun Chou, “New Efficient Password Authenticated Key Exchange Protocol for Imbalanced Wireless Networks”, Journal of Computers, Vol.18, No.2, pp. 25-32, 2007 • Conclusion & Comment

  3. Introduction • Password-authenticated key exchange (PAKE) protocol • Two communicating parties share a session key over an insecure channel • 1992: 1st PAKE protocol proposed by Bellovin and Merrit • 2002 Zhu et al.: e-residues attack in BM • 2003 Yeh et al.: impersonation attack in Zhu • 2005 Yang-Wang.: dictionary/man-in-the-middle attack in Yeh • 2007 Hsu et al.: performance improvement • Two classes • Use Diffie–Hellman key exchange • Use RSA cryptosystem • RSA-PAKE protocol • RSA parameter generation/verification phase • challenge/response • qualified parameter which satisfies several conditions • Session key establishment phase

  4. Cryptanalysis of improvement of password authenticated key exchange based on RSA for imbalanced wireless networks Authors: C.C. Yang and R.C. Wang, Src: IEICE Transactions on Communications, Vol. E88-B, No. 11, pp. 4370-4372, 2005.

  5. Yeh et al.’s Protocol Server A Client B Request rAR{0,1}l (n, e), rA {miR Zn}1iN {mieR Zn}1iN {h1(mi’)}1iN h1(m’i) ?= h1(mi) rBRZnπ=Epw(IDA,IDB,rA,rB)z =πe mod n π= zd mod n(IDA,IDB,rA,rB)=Dpw(π) cB=h2(rB)K=h3(rA,cB,IDA,IDB)σ=EK(IDB) z σ c’B=h2(rB)K’=h3(rA,c’B,IDA,IDB)IDB’=DK’(σ)IDB’ ?= IDBδ= h4(K’) δ δ’=h4(K)δ’ ?= δ

  6. Weakness of Yeh et al.’s scheme • Can not against dictionary attack Server A Client B Request Attacker F(n’,d’,e’) (n’, e’), rF rF {miR Zn}1iN {mie’R Zn}1iN {h1(mi’)}1iN rBπ=Epw(IDA,IDB,rA,rB) z =πe’ mod n’ z zd’ => π Dpw’(π)?=(IDA,IDB,rA,rB)

  7. Yang-Wang’s Improved Protocol Server A Client B e||n||rA=ωh1(pw) Request rAR{0,1}lω=(e||n||rA)h1(pw) ω {miR Zn}1iNCi=(mi||rA)e mod n {ci}1iN m’i||rA=cidmod n {h1(mi’)}1iN h1(m’i) ?= h1(mi) rBRZnπ=Epw(IDA,IDB,rA,rB)z =πe mod n z π= zd mod n(IDA,IDB,rA,rB)=Dpw(π) cB=h2(rB)K=h3(rA,cB,IDA,IDB)σ=EK(IDB) σ c’B=h2(rB)K’=h3(rA,c’B,IDA,IDB)IDB’=DK’(σ)IDB’ ?= IDBδ= h4(K’) δ δ’=h4(K)δ’ ?= δ

  8. New Efficient Password Authenticated Key Exchange Protocol for Imbalanced Wireless Networks Authors: Chien-Lung Hsu, Wen-Te Lin, and Yen-Chun Chou Src: Journal of Computers, Vol.18,No.2, pp. 25-32, 2007

  9. Hsu et al.’s Improved Protocol Server A Client B rA||e||n=Epw(ω) Request rAR{0,1}lω=Epw(rA||n||e) ω {miR Zn}1iN {mieR Zn}1iN {h(mi’)}1iN h(m’i) ?= h(mi) rBRZnz =(rBpw rA)e mod nK= rArB(IDA||IDB)σ=h(rA||rB||IDA||IDB||K) r’B= (zd mod n)pw rAK’=rA r’B (IDA||IDB)σ ?= h(rA||r’B||IDA||IDB||K’) σ, z δ δ ?= h(K) δ=h(K’)

  10. Comparison-1

  11. Comparison-2 |ε|:ciphertext |n|: modular n |h|: hash fct

  12. 2 2 4 4 2 2 2 4 2 1 3 2 Conclusion & Comment • Conclusion • Less cost • Computational complexities • Communication overheads • Transmission number • Better security • Comment • Error of Table 3 • Performance improvement

  13. P187 Protocol (Improved) Request Client B(pw) Server A(pw) IDA, n, e, ω, H(IDA,n,e,ω) n,e,d,rAω=rA⊕H(pw) {mie mod n} 1iN {mi}1iN {H (mi )}1iN r’A= ω⊕H(pw) rBz=(r’A||rB)e mod nσ =H(rA,rB,IDA,IDB) δ?=H(σ ⊕rB) z r’A||r’B=zdr’A?=rAσ =H(rA,r’B,IDA,IDB) δ=H(σ ⊕r’B) δ

  14. Comparison New (N+4)Th+(N+1)Texp+2TXOR (N+4)Th+(N+1)Texp+2TXOR 4TXOR 4TXOR ※ 1TE ≒ 10Th

More Related