
Page 1: A generic framework for constructing cross-realm C2C-PAKA protocols based on the smart card

CONCURRENCY AND COMPUTATION: PRACTICE AND EXPERIENCE
Concurrency Computat.: Pract. Exper. 2011; 23:1386–1398
Published online 7 July 2010 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/cpe.1616

A generic framework for constructing cross-realm C2C-PAKA protocols based on the smart card

Jing Xu1,∗,†, Wen-Tao Zhu2 and Wen-Ting Jin2

1State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100190, People’s Republic of China

2State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, Beijing 100049, People’s Republic of China

SUMMARY

A cross-realm client-to-client password-authenticated key agreement (C2C-PAKA) protocol allows network clients from different realms managed by different servers to agree on a session key in an authentic manner based on easily memorizable passwords. In this paper, we present a generic framework for constructing a cross-realm C2C-PAKA protocol from any secure smart card-based password authentication (PA-SC) protocol. The security proof of our construction can be derived from the underlying PA-SC protocol employing the same assumptions. Our generic framework appears to be the first one with provable security. In addition, compared with similar protocols, the instantiation of our construction achieves improved efficiency. Copyright © 2010 John Wiley & Sons, Ltd.

Received 30 November 2009; Revised 30 April 2010; Accepted 4 May 2010

KEY WORDS: cryptographic protocols; password-authenticated key agreement; cross-realm; smart card; provable security

1. INTRODUCTION

Over the past years, password-authenticated key agreement (PAKA) protocols have attracted more and more research efforts because they are practical and efficient cryptographic techniques for secure communications. In the literature, many PAKA protocols (to name just a few, [1–3]) adopt the single-server model, which essentially assumes that every client has a secret password registered at a common server. The main advantage of such a setting lies in that it facilitates the generation of a shared session key (i.e. key agreement) between two clients in the same realm or domain, and the clients are only required to remember their distinct passwords. However, in the real world where distributed computing has become more and more pervasive, it is always preferable that clients from different realms are able to establish shared session keys. Such an enabling protocol is popularly referred to as a cross-realm C2C-PAKA (client-to-client password-authenticated key agreement) protocol, and is the topic of interest in this work.

In a cross-realm C2C-PAKA protocol (e.g. [4]), each network realm is managed by a trusted server, which provides security services like password registration to the clients in the realm. When two clients from different realms need to establish a shared session key, they typically resort to their respective servers so that the two clients can authenticate each other. In this paper, we focus on cross-realm authentication.

∗Correspondence to: Jing Xu, State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100190, People’s Republic of China.

†E-mail: [email protected]

Copyright © 2010 John Wiley & Sons, Ltd.

1.1. Related work

In 2002, Byun et al. [4] first proposed a cross-realm C2C-PAKA protocol. Subsequent works [5–9] included some attacks and a few variants. In [5], Chen pointed out that one malicious server in the cross-realm scenario in [4] could mount a dictionary attack to reveal the password of a ‘foreign’ client who belongs to the other realm. Similarly, Wang et al. [6] identified certain problems in the mathematical structure in [4], and demonstrated several attacks as well as corresponding countermeasures. Later, Kim et al. [7] pointed out that Byun et al.’s protocol [4] was actually susceptible to the Denning–Sacco attack (which was originally claimed in [4] not to be a security threat), and also proposed an improved C2C-PAKA protocol. Unfortunately, Phan and Goi [8] unveiled two unknown key-share attacks against the improved C2C-PAKA protocol [7], essentially by means of replay attacks. At the same time, Yoon and Yoe [9] revealed that the improved protocol [7] was also susceptible to a one-way man-in-the-middle attack and a password-compromise impersonation attack, and again presented an enhancement to eliminate the vulnerabilities. Nevertheless, all these protocols [4–9] were designed with intuitive, heuristic security analysis. This explains the seemingly endless ‘attack-fix-attack’ process.

The first provably secure cross-realm C2C-PAKA protocols were independently proposed by Byun et al. [10] and Yin and Li [11]. But soon, it was again Phan and Goi [12] who found that both protocols [10, 11] are subject to undetectable online dictionary attacks by any adversary. Additionally, Phan and Goi [12] showed that the one in [10] is also vulnerable to man-in-the-middle attacks, and the one in [11] inherits a vulnerability to unknown key-share attacks. Moreover, Feng and Xu [13] discovered that Byun et al.’s scheme [10] was insecure against the password-compromise impersonation attack and that it even appeared infeasible to devise any countermeasure against such attacks in the private-key (i.e. symmetric) cryptosystem. Therefore, they proposed a new provably secure protocol based on the public-key (i.e. asymmetric) setting, but the price is inefficiency, since asymmetric encryption is much more expensive. Very recently, aiming at resistance against common attacks (including the password-compromise impersonation one) without sacrificing performance, Jin and Xu [14] proposed a smart card-based C2C-PAKA protocol, along with a formal security proof. Smart card-based password authentication (PA-SC) is one of the most convenient and commonly used authentication mechanisms. This technology has been widely deployed in various kinds of authentication applications, which include remote host login, online banking, and many more. The core feature of such a scheme is to enforce two-factor authentication in the sense that the client must have the smart card and know the password in order to gain access to the server.

1.2. Technical contributions

In this paper, by utilizing a secure password authentication protocol based on the smart card (PA-SC protocol) as a building block, we present a generic framework for constructing a cross-realm C2C-PAKA protocol. The proposal generally converts any secure password authentication protocol into a secure cross-realm C2C-PAKA protocol. One merit of this work lies in that we can now design provably secure C2C-PAKA protocols in a systematic way by taking advantage of existing research results on password authentication protocols. In addition, we show that the generic construction can be efficiently instantiated, and the computation and communication costs of the instantiation scheme are lower than those of similar schemes.

The remainder of this paper is organized as follows. Section 2 and Section 3 introduce the formal descriptions of the cross-realm C2C-PAKA protocol and the PA-SC protocol, respectively. Our generic framework is presented in Section 4, along with the security analysis and the performance evaluation. Section 5 concludes this paper.


2. CLIENT-TO-CLIENT PASSWORD-AUTHENTICATED KEY AGREEMENT

2.1. Protocol description

There are four participants involved in the protocol: Clients $=\{A, B\}$ and Servers $=\{S_A, S_B\}$, where $A$ is a client in the realm of server $S_A$ and $B$ is a client in the realm of server $S_B$. Note that the key $K$ is pre-distributed between $S_A$ and $S_B$. The protocol consists of a registration phase and a login-and-authentication phase.

(1) Registration phase: When a client $A$ ($B$) registers with his server $S_A$ ($S_B$), he selects his password $PW$ and submits it along with his identifier $ID$ to the server through an authenticated and secure channel. Then $S_A$ ($S_B$) issues a smart card to $A$ ($B$).

(2) Login-and-Authentication phase: The mutual authentication between $A$ and $B$ in the different realms is performed with the assistance of smart cards and the two servers ($S_A$ and $S_B$). If authenticated, an agreed session key $sk$ is established between $A$ and $B$ for securing future communications.

2.2. Definition of security

In this subsection, we introduce a formal security model, which is mainly adopted from Bellare et al. [15]. In addition, we formally define the special security requirements for smart card-based C2C-PAKA protocols.

2.2.1. Communication model. Let $P^i$ denote the $i$-th instance of a participant $P$, where $P$ is a client or a server. Let $\mathcal{C}$ denote the set of all clients and $\mathcal{S}$ denote the set of all servers. All clients’ passwords are chosen from the same small dictionary $D$ whose distribution is $D_{pw}$. The C2C-PAKA protocol is an interactive protocol among four participants’ instances: $A^i$, $B^j$, $S_A^s$, $S_B^t$.

During the execution of the protocol, an adversary $\mathcal{A}$ could interact with protocol participants via several oracle queries, which model the adversary’s possible attacks in the real execution. All possible oracle queries are listed in the following:

• Execute($A^i$, $B^j$, $S_A^s$, $S_B^t$): This query returns transcripts of an honest execution among the four participants.
• Reveal($C^i$): This query models the possibility that an adversary gets session keys. It returns to the adversary the session key of the client instance $C^i$.
• Corrupt($C^i$, $a$): This query models the possibility that the adversary corrupts a client $C^i$. If $a=1$, it outputs the client $C$’s password. If $a=2$, it outputs all the information stored in $C$’s smart card.
• Send($C^i/S^i$, $m$): This oracle query is used to simulate active attacks against the client or server. It outputs the message that $C^i$ or $S^i$ would generate upon receipt of message $m$.
• Test($C^i$): After querying the oracle, the session key of $C^i$ or a random number will be returned according to a pre-defined random bit $b$. If $b=1$, the adversary will be given the session key of $C^i$; otherwise, the adversary will be given a random number of the same length. This query is called only once.

Besides the above oracle queries, some terminologies are defined as follows:

• Partnering: Two instances $C^i$ and $C^j$ are said to be partners if the following conditions are satisfied: (1) both $C^i$ and $C^j$ accept; (2) both $C^i$ and $C^j$ own the same $sid$; (3) $C^i$ is $C^j$’s partner and vice versa; and (4) no instance other than $C^i$ and $C^j$ accepts with a partner identity equal to $C^i$ and $C^j$.
• Freshness: We say an instance $C^i$ is fresh if the following conditions hold: (1) $C^i$ has accepted the protocol and generated a valid session key; (2) no Reveal queries have been made to $C^i$ or its partner; (3) strictly fewer than 2 Corrupt queries have been made to $C^i$ and its partner.

2.2.2. Security definition. A secure cross-realm C2C-PAKA protocol should satisfy three security requirements: (1) the session key cannot be distinguished from a random number by an outside malicious adversary; (2) any passive server does not know the session key between two clients; (3) even if one client $A$’s information in the smart card is acquired by the other client $B$ (or the other server $S_B$), $B$ (or $S_B$) cannot learn $A$’s password. Formally, we define them as follows:

Semantic security against a malicious outside adversary: For any adversary $\mathcal{A}$, let $\mathrm{Succ}^{ss}(\mathcal{A})$ be the event that $\mathcal{A}$ makes a single Test query directed to some fresh instance $C^i$ that has terminated, and correctly outputs a bit $b'$ equal to the bit $b$ that was selected in the Test query. Let $D$ be the client’s password dictionary. The advantage of $\mathcal{A}$ in violating the semantic security of the protocol is defined as:

$$\mathrm{Adv}^{ss}_D(\mathcal{A}) = 2\Pr[\mathrm{Succ}^{ss}(\mathcal{A})] - 1, \qquad \mathrm{Adv}^{ss}_D(t, R) = \max\{\mathrm{Adv}^{ss}_D(\mathcal{A})\},$$

where the maximum is over all adversaries with time complexity at most $t$ and making at most $R$ oracle queries.

We say the C2C-PAKA protocol is semantically secure against a malicious outside adversary if the advantage $\mathrm{Adv}^{ss}_D(t, R)$ is only negligibly larger than $O(q_s)/|D|$, where $q_s$ is the number of active sessions and $|D|$ is the size of the password dictionary.

Key privacy against a passive server: A passive server $S$ could query only two oracles: Execute and Test. Let $\mathrm{Succ}^{kp}$ denote the event that the passive server can correctly guess the value of the random bit $b$ used in the Test query. Let $D$ be the client’s password dictionary. For any passive server $S\in\mathcal{S}$, we define its advantage $\mathrm{Adv}^{kp}_D(S)$ as

$$\mathrm{Adv}^{kp}_D(S) = 2\Pr[\mathrm{Succ}^{kp}] - 1, \qquad \mathrm{Adv}^{kp}_D(t, R) = \max\{\mathrm{Adv}^{kp}_D(S)\}$$

where the maximum is over all adversaries with time complexity at most $t$ and querying oracles at most $R$ times. We say that the C2C-PAKA protocol is key private against a passive server if the advantage $\mathrm{Adv}^{kp}_D(t, R)$ is negligible.

Password protection against a malicious client/server: Let $\mathrm{Succ}^{pp\text{-}c}(C)$ ($\mathrm{Succ}^{pp\text{-}s}(S)$) be the event that the malicious client $C$ (server $S$) can successfully learn the honest client’s password. The advantages of $C$ and $S$ are defined to be

$$\mathrm{Adv}^{pp\text{-}c}_D(C) = \Pr[\mathrm{Succ}^{pp\text{-}c}(C)], \qquad \mathrm{Adv}^{pp\text{-}c}_D(t, R) = \max\{\mathrm{Adv}^{pp\text{-}c}_D(C)\}$$

$$\mathrm{Adv}^{pp\text{-}s}_D(S) = \Pr[\mathrm{Succ}^{pp\text{-}s}(S)], \qquad \mathrm{Adv}^{pp\text{-}s}_D(t, R) = \max\{\mathrm{Adv}^{pp\text{-}s}_D(S)\}$$

We say the C2C-PAKA protocol satisfies password protection against a malicious client (server) if the advantage $\mathrm{Adv}^{pp\text{-}c}_D(t, R)$ ($\mathrm{Adv}^{pp\text{-}s}_D(t, R)$) is only negligibly larger than $O(q_s)/|D|$, where $q_s$ is the number of active sessions and $|D|$ is the size of the password dictionary.

2.2.3. Computational assumptions and cryptographic primitives. We briefly introduce some computational assumptions and cryptographic primitives required by our cross-realm C2C-PAKA protocol.

Decisional Diffie–Hellman (DDH) Assumption: Let $E(F_q)$ be an elliptic curve defined over the finite field $F_q$, where $q$ is a large prime and $G\in E(F_q)$ is a generator point of prime order $p$. Let $\mathcal{A}$ be a DDH-adversary with running time at most $T_{ddh}$. We denote by $\mathrm{Adv}^{ddh}_E(\mathcal{A})$ the probability that adversary $\mathcal{A}$ succeeds in distinguishing $xyG$ of the given $(G, xG, yG)$ from a random point over $E(F_q)$, and define $\mathrm{Adv}^{ddh}_E(T_{ddh})$ as the maximum value of $\mathrm{Adv}^{ddh}_E(\mathcal{A})$ over all $\mathcal{A}$ with time complexity at most $T_{ddh}$.

Secure message authentication code under chosen message attack: A message authentication code $MAC=(Tag, Ver)$ is defined by the following two algorithms: (1) a MAC generation algorithm $Tag$, possibly probabilistic, which given a message $m$ and a secret key $k$, produces a tag, denoted as $MAC_k(m)$; and (2) a MAC verification algorithm $Ver$, which is given a tag, a message $m$ and a secret key $k$, and outputs 1 if the tag is a valid tag for $m$ under $k$ and 0 otherwise. The security notion that we need for the MAC scheme is strong existential unforgeability under chosen-message attacks, in which the adversary should be unable to create a new valid message-tag pair, even after seeing many such valid pairs and asking the generation and verification oracles. The maximal value $\mathrm{Adv}^{cma}_{MAC}(T_{mac})$ of the advantage $\mathrm{Adv}^{cma}_{MAC}(\mathcal{A})$ with at most $T_{mac}$ time complexity and at most $q_t$ and $q_v$ queries to its MAC generation and verification oracles, respectively, is a negligible function of the parameters above.

Secure symmetric encryption under chosen ciphertext attack: A symmetric scheme $SE=(Key, E, D)$ is a three-tuple of algorithms where $Key$ is a randomized key generation algorithm, $E$ is an encryption algorithm, and $D$ is the corresponding decryption algorithm. To define the encryption indistinguishability under chosen-ciphertext attacks, the adversary $\mathcal{A}_{se}$ is supposed to run in two phases specified below. In the find phase, the adversary, after obtaining enough state information $s$, somehow comes up with a pair of equal-length plaintext messages $(x_0, x_1)$, the corresponding ciphertexts of which the adversary wants to tell apart later. Then in the guess phase, given the ciphertext $y$ of one of the two plaintexts and the previously learnt $s$, the adversary tries to identify which of $(x_0, x_1)$ goes with $y$. In either phase the adversary can access the encryption oracle (but not concerning the selected $x_0$ or $x_1$) and the decryption oracle (but not concerning the given $y$). We say the adversary wins if it correctly identifies which plaintext goes with $y$. We say scheme $SE$ is secure under chosen ciphertext attacks if the difference between $1/2$ and the maximal value $\mathrm{Adv}^{cca}_{SE}(T_{se})$ of the advantage $\mathrm{Adv}^{cca}_{SE}(\mathcal{A})$, with at most $T_{se}$ time complexity and at most $q_e$ and $q_d$ queries to the encryption and decryption oracles, respectively, is a negligible function of the parameters above.

3. SMART CARD-BASED PASSWORD AUTHENTICATION

Our C2C-PAKA protocol is built upon a PA-SC scheme. The notations and security model are mainly borrowed from [16] but slightly adapted for this work.

3.1. Scheme description

In a PA-SC scheme, a participant may be a user $U$ or a remote server $S$. The scheme consists of three phases: registration phase, login phase, and authentication phase.

(1) Registration phase (PA-SC.Reg): When a user $U$ registers with a server $S$, $U$ selects his password $PW$ and submits it along with his identifier $ID$ to the server $S$ through a secure channel. Then $S$ issues a certain smart card to $U$.

(2) Login phase (PA-SC.Log): The user $U$ inserts his smart card into a terminal and keys in his identifier $ID$ and password $PW$. Then the terminal computes and sends on behalf of the user a login request message $m$ to the remote server $S$. To authenticate the user, a secret value $sv$ should be embedded in the message $m$ in a cryptographic manner (e.g. through encryption), so that only the user $U$ and the server $S$ are able to compute $sv$, whereas any other entity cannot obtain $sv$ even if he eavesdrops on the communication channel and thus knows the message $m$.

(3) Authentication phase (PA-SC.Auth): The server $S$ checks the legitimacy of the received message $m$ by verifying the secret value $sv$, and consequently determines whether to accept $U$’s login request or not.

3.2. Definition of security

In the registration phase (PA-SC.Reg), a secure environment is assumed to be present, and all parties are assumed to be honest and to perform exactly according to the scheme specification. In the login and authentication phases (PA-SC.Log and PA-SC.Auth), the communication channel is no longer supposed to be secure. Both passive and active adversaries are present and their objective is to compromise the protocol’s primary security goal, that is, mutual authentication between $S$ and $U$. In addition, we do not consider the case when a user’s password and his smart card are both compromised, as then there will be no way to prevent the adversary $\mathcal{A}$ from masquerading as the legitimate user (i.e. the owner of the smart card). We refer readers to [16] for details.


4. GENERIC CONSTRUCTION FOR CROSS-REALM C2C-PAKA PROTOCOL

We now propose a generic approach to construct a cross-realm C2C-PAKA protocol. In our proposal, we employ a secure PA-SC protocol as the building block.

4.1. Protocol description

Let PA-SC be a smart card-based password authentication protocol that is semantically secure as defined in Section 3. Suppose in the login phase, the generated login request message is $m$, and the secret known only to the client and the remote server is $sv$. We denote this by $m(sv)\leftarrow$ PA-SC.Log. As introduced in Section 2, the cross-realm C2C-PAKA protocol consists of a registration phase and a login-and-authentication phase. $p$ and $G$ are global public parameters shared by all protocol participants, and the hash function is $h(\cdot):\{0,1\}^*\to Z_p^*$, where $p$ is a prime order and $G$ is a generator point in $E(F_q)$.

Phase I: Registration: This phase is the same as the registration phase of the PA-SC protocol (i.e. PA-SC.Reg).

Phase II: Login-and-Authentication: In this phase (outlined in Figure 1), two clients of different realms perform mutual authentication with their respective servers’ help, and agree on a session key $sk$. The protocol proceeds in the following steps:

(1) When client $A$ wishes to communicate with client $B$, she attaches her smart card $SC_A$ to a device and inputs her identity $ID_A$ and her password $PW_A$. The device starts the login phase in the PA-SC protocol and generates the login request message $m_A$ embedding the secret value $sv_A$. Then, $A$ sends the message $\{ID_A, ID_B, m_A\}$ to $S_A$.

(2) Upon receiving the message from $A$, $S_A$ starts the authentication phase in the PA-SC protocol. He computes the secret value $sv_A$ to authenticate the client $A$, and then obtains $K_A=h(sv_A\oplus T_A)$, where $T_A$ is a timestamp. $S_A$ also randomly chooses $k\in Z_p^*$ and computes $W_A=[k, ID_A, ID_B]_{K_A}$, $Ticket_B=[k, ID_A, ID_B, L]_K$, where $K$ is the key between $S_A$ and $S_B$, $L$ is $Ticket_B$’s lifetime, and $[X]_K$ means the encryption of a message $X$ using a symmetric key $K$. Finally, $S_A$ sends $\{W_A, Ticket_B, T_A, L\}$ to $A$.

(3) Upon receiving the message from $S_A$, $A$ checks whether the timestamp $T_A$ is valid. If so, she computes $K'_A=h(sv_A\oplus T_A)$, uses it to decrypt $W_A$, and obtains $ID_A$, $ID_B$, and $k$. She also checks whether $ID_A$ and $ID_B$ are both correct. Then, $A$ chooses a random integer $a\in Z_p^*$, computes $E_a=aG\,\|\,MAC_k(aG)$‡, and forwards $\{ID_A, E_a, Ticket_B\}$ to client $B$.

(4) Upon receiving the message from $A$, $B$ attaches his smart card $SC_B$ to a device and inputs his $ID_B$ and $PW_B$. Then, the device starts the login phase in PA-SC and generates the login request message $m_B$ embedding the secret value $sv_B$. Finally, $B$ sends the message $\{Ticket_B, m_B\}$ to $S_B$.

(5) Upon receiving the message from $B$, $S_B$ first decrypts $Ticket_B$ by using the value $K$ and checks whether $L$, $ID_A$, $ID_B$ are valid. Then, $S_B$ computes the secret value $sv_B$ and obtains $K_B=h(sv_B\oplus T_B)$, $W_B=[k, ID_A, ID_B]_{K_B}$, where $T_B$ is the current time. Finally, $S_B$ sends $\{W_B, T_B\}$ to $B$.

(6) Upon receiving the message from $S_B$, $B$ first checks whether $T_B$ is valid. If so, $B$ computes $K'_B=h(sv_B\oplus T_B)$ and decrypts $W_B$ to obtain $ID_A$, $ID_B$, and $k$. He then checks the integrity of $aG$, and also checks whether $ID_A$ and $ID_B$ are both correct. If so, $B$ chooses a random integer $b\in Z_p^*$, computes $E_b=bG\,\|\,MAC_k(bG)$ and sends $E_b$ to $A$.

(7) Upon receiving $E_b$, $A$ checks the integrity of $bG$. Finally, both $A$ and $B$ can compute the agreed session key $sk=h(ID_A\|ID_B\|aG\|bG\|abG)$.

‡As $aG=(x_{aG}, y_{aG})$ is a point in $E_p$, this computation can be implemented as $E_a=x_{aG}\,\|\,y_{aG}\,\|\,MAC_k(x_{aG}\,\|\,y_{aG})$.
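The Login-and-Authentication flow above (steps 1 to 7), as an added Python simulation that is not part of the paper: it runs the exchange among $A$, $S_A$, $B$ and $S_B$, derives the same $sk$ on both sides, and exercises the checks that abort a run when $E_b$ is tampered with in transit or $Ticket_B$ has expired. Assumptions: the PA-SC building block is reduced to a secret $sv$ known to the card and its server, the elliptic-curve scalar multiplication $aG$ is replaced by exponentiation in a toy prime-order subgroup of $Z_p^*$, $[X]_K$ is a constructed encrypt-then-MAC stand-in, $L$ is read as an absolute expiry time, and the identities, keys and clock-skew window are constructed values.

```python
import hashlib, hmac, os, secrets
P, Q, G = 10007, 5003, 4   # toy safe prime p = 2q+1, g of order q: NOT secure
SKEW = 60                   # accepted clock skew in seconds (assumption)

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()
def mac(k: bytes, m: bytes) -> bytes:
    return hmac.new(k, m, hashlib.sha256).digest()

def pack(*fields: bytes) -> bytes:          # length-prefixed field encoding
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def unpack(blob: bytes) -> list:
    out, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 2], "big")
        out.append(blob[i + 2:i + 2 + n])
        i += 2 + n
    return out

def keystream(k: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(h(k, nonce, bytes([i])) for i in range(n // 32 + 1))

def enc(k: bytes, x: bytes) -> bytes:       # stand-in for [X]_K: encrypt-then-MAC
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(x, keystream(k, nonce, len(x))))
    return nonce + ct + mac(k, nonce + ct)

def dec(k: bytes, c: bytes) -> bytes:
    nonce, ct, tag = c[:16], c[16:-32], c[-32:]
    if not hmac.compare_digest(tag, mac(k, nonce + ct)):
        raise ValueError("[X]_K rejected")
    return bytes(a ^ b for a, b in zip(ct, keystream(k, nonce, len(ct))))

def elem(base: int, exp: int) -> bytes:     # stand-in for scalar multiplication aG
    return pow(base, exp, P).to_bytes(2, "big")
def wrap_key(sv: bytes, T: int) -> bytes:   # K_A = h(sv_A xor T_A)
    return h((int.from_bytes(sv, "big") ^ T).to_bytes(32, "big"))

def check_mac(k: bytes, E: bytes) -> bytes: # E = X || MAC_k(X); return X if tag holds
    X, tag = E[:2], E[2:]
    if not hmac.compare_digest(tag, mac(k, X)):
        raise ValueError("MAC on group element failed")
    return X

def server_A_step2(ID_A, ID_B, sv_A, K, now, lifetime):
    """S_A, after PA-SC.Auth of A succeeded (modelled by S_A knowing sv_A)."""
    k = secrets.token_bytes(32)
    W_A = enc(wrap_key(sv_A, now), pack(k, ID_A, ID_B))
    L = (now + lifetime).to_bytes(8, "big")            # expiry, assumed absolute
    return W_A, enc(K, pack(k, ID_A, ID_B, L)), now     # {W_A, Ticket_B, T_A}

def client_A_step3(ID_A, ID_B, sv_A, W_A, T_A, now):
    if abs(now - T_A) > SKEW:
        raise ValueError("stale T_A")
    k, ida, idb = unpack(dec(wrap_key(sv_A, T_A), W_A))
    if (ida, idb) != (ID_A, ID_B):
        raise ValueError("W_A identities mismatch")
    a = secrets.randbelow(Q - 1) + 1
    aG = elem(G, a)
    return a, k, aG + mac(k, aG)                        # E_a = aG || MAC_k(aG)

def server_B_step5(ID_B, sv_B, K, ticket_B, now):
    """S_B, after PA-SC.Auth of B succeeded; also validates Ticket_B."""
    k, ida, idb, L = unpack(dec(K, ticket_B))
    if idb != ID_B or now > int.from_bytes(L, "big"):
        raise ValueError("Ticket_B invalid or expired")
    return enc(wrap_key(sv_B, now), pack(k, ida, idb)), now   # {W_B, T_B}

def client_B_step6(ID_A, ID_B, sv_B, W_B, T_B, E_a, now):
    if abs(now - T_B) > SKEW:
        raise ValueError("stale T_B")
    k, ida, idb = unpack(dec(wrap_key(sv_B, T_B), W_B))
    if (ida, idb) != (ID_A, ID_B):
        raise ValueError("W_B identities mismatch")
    aG = check_mac(k, E_a)                              # integrity of aG
    b = secrets.randbelow(Q - 1) + 1
    bG = elem(G, b)
    sk = h(ID_A, ID_B, aG, bG, elem(int.from_bytes(aG, "big"), b))
    return bG + mac(k, bG), sk                          # E_b = bG || MAC_k(bG)

def client_A_step7(ID_A, ID_B, a, k, aG, E_b):
    bG = check_mac(k, E_b)                              # integrity of bG
    return h(ID_A, ID_B, aG, bG, elem(int.from_bytes(bG, "big"), a))

def run(now=1_700_000_000, lifetime=300, delay=0, tamper=False):
    """One session between constructed parties; returns (sk_A, sk_B)."""
    ID_A, ID_B, K = b"alice@realmA", b"bob@realmB", h(b"constructed K")
    sv_A, sv_B = h(b"constructed sv_A"), h(b"constructed sv_B")
    W_A, ticket_B, T_A = server_A_step2(ID_A, ID_B, sv_A, K, now, lifetime)
    a, k, E_a = client_A_step3(ID_A, ID_B, sv_A, W_A, T_A, now)
    W_B, T_B = server_B_step5(ID_B, sv_B, K, ticket_B, now + delay)
    E_b, sk_B = client_B_step6(ID_A, ID_B, sv_B, W_B, T_B, E_a, now + delay)
    if tamper:
        E_b = bytes([E_b[0] ^ 1]) + E_b[1:]             # corrupt bG in transit
    return client_A_step7(ID_A, ID_B, a, k, E_a[:2], E_b), sk_B

def rejects(**kw) -> bool:                  # True if a protocol check aborts run()
    try: run(**kw)
    except ValueError: return True
    return False
```

The instantiation of Section 4.3 follows the same flow with $sv_A$ replaced by $c_A=r_A x_A G$, so only the modelled $sv$ would change.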


Figure 1. Login-and-Authentication phase.

4.2. Security analysis

We now investigate the security of our generic construction presented above. The analysis concerns the three security properties defined in Section 2.2.2.

Theorem 4.1
Let PA-SC be a smart card-based password authentication protocol, and GC be our proposed general construction depicted in Figure 1. Let $\mathcal{A}$ be an adversary against the semantic security of the general construction GC within a time bound $t$, with fewer than $q_{send}$ Send queries, $q_{exe}$ Execute queries, $q_e$ encryption queries for the symmetric encryption SE, $q_t$ tag queries, $q_v$ verification queries, and making fewer than $q_h$ random oracle queries. Then we have

$$\mathrm{Adv}^{ss}_D(t, R) \le \frac{q_h^2}{p-1} + 4\,\mathrm{Adv}_{PA\text{-}SC,D}(T_{sc}, R_{sc}) + 6\,\mathrm{Adv}^{cca}_{SE}(T_{se}, q_e, q_d) + 4\,\mathrm{Adv}^{cma}_{MAC}(T_{mac}, q_t, q_v) + 2\,\mathrm{Adv}^{ddh}_E(T_{ddh}) + \frac{q_{send}}{|D|} \qquad (1)$$

where $\mathrm{Adv}_{PA\text{-}SC,D}$ denotes the advantage of an adversary in violating the semantic security of the PA-SC protocol, $|D|$ is the size of the password space, $p$ is the prime order of an elliptic curve $E(F_q)$, $T_{sc}$ is the time complexity of an adversary using at most $R_{sc}$ oracle queries to break the semantic security of a PA-SC protocol, $T_{se}=T_{ddh}\le t+q_{send}(\tau_G+\tau_E)$, $T_{mac}\le t+\tau_T(q_t+q_v)$, and $\tau_G$, $\tau_E$, $\tau_T$ are the computational times for scalar multiplication, symmetric encryption SE, and message authentication MAC, respectively.

Proof
Our proof defines a sequence of hybrid experiments, starting with the real attack and ending in an experiment in which the adversary has no advantage. Each experiment addresses a different security aspect. The detailed proof of Theorem 4.1 can be found in Appendix A. □

Theorem 4.2
In our generic construction GC, a passive server cannot learn the session key between two clients as long as the DDH assumption holds in an elliptic curve $E(F_q)$. Formally,

$$\mathrm{Adv}^{kp}_D(t, R) \le 2\,\mathrm{Adv}^{ddh}_E(T_{ddh}) \qquad (2)$$

where $T_{ddh}\le t+q_{exe}\tau_G$ and $\tau_G$ is the computational time for scalar multiplication.

Proof
See Appendix B. □

Theorem 4.3
In our generic construction GC, the malicious client $B$ (server $S_B$) cannot learn the client $A$’s password as long as the PA-SC protocol satisfies semantic security. Formally,

$$\mathrm{Adv}^{pp\text{-}c}_D(t, R) \le \frac{q_{send}}{|D|} + \mathrm{Adv}_{PA\text{-}SC,D}(T_{sc}, R_{sc}) \qquad (3)$$

$$\mathrm{Adv}^{pp\text{-}s}_D(t, R) \le \frac{q_{send}}{|D|} + \mathrm{Adv}_{PA\text{-}SC,D}(T_{sc}, R_{sc}) \qquad (4)$$

where $|D|$ is the size of the password space and $T_{sc}$ is the time complexity of an adversary using at most $R_{sc}$ oracle queries to break the semantic security of the PA-SC protocol.

Proof
See Appendix C. □

4.3. Instantiation

Following the generic construction, we present a concrete instantiation that transforms the PA-SC protocol of [17] into a C2C-PAKA protocol with smart cards in the cross-realm setting.

Phase I: Registration: In this phase, $A$ and $B$ register with their servers $S_A$ and $S_B$, respectively, and obtain their respective smart cards $SC_A$ and $SC_B$ through a secure channel. The registration proceeds in the following steps:

(1) The client $A$ chooses a random number $u_A$ and her password $PW_A$. She then submits the registration request $\{ID_A, h(PW_A\|u_A)\}$ to her server $S_A$ through a secure channel.


(2) Upon receiving the request message, the server computes $b_A=[h(PW_A\|u_A)\,\|\,ID_A\,\|\,CI_A\,\|\,h(ID_A\|CI_A\|h(PW_A\|u_A))]_{s_A}$, $V_A=h(ID_A, s_A, CI_A)$, where $s_A$ is $S_A$’s master secret key, and $CI_A$ is the number of cards that the server $S_A$ has issued to client $A$. $\{ID_A, CI_A\}$ is stored in the registration table of $S_A$.

(3) $S_A$ stores $\{b_A, V_A, ID_A, CI_A, PS_A\}$ into a smart card $SC_A$ and issues it to $A$, where $PS_A=x_A G$ is $S_A$’s public parameter and $x_A$ is $S_A$’s secret key. $A$ also stores $u_A$ into the smart card $SC_A$.

Similarly, the client $B$ interacts with his server $S_B$ following the above steps. Finally, $B$ obtains the card $SC_B$, which contains $\{b_B, V_B, ID_B, CI_B, PS_B, u_B\}$, where $b_B=[h(PW_B\|u_B)\,\|\,ID_B\,\|\,CI_B\,\|\,h(ID_B\|CI_B\|h(PW_B\|u_B))]_{s_B}$, $V_B=h(ID_B, s_B, CI_B)$, and $PS_B=x_B G$. The server $S_B$ only keeps its secret keys $(s_B, x_B)$ and the registration table containing $\{ID_B, CI_B\}$.

Phase II: Login-and-Authentication: In this phase, $A$ and $B$ perform mutual authentication and agree on a session key $sk$ with the assistance of their servers $S_A$ and $S_B$. The steps of this phase are as follows:

(1) The client $A$ attaches her smart card $SC_A$ to a device reader and inputs her identity $ID_A$ and her password $PW_A$. Then, the device selects a random number $r_A$, computes $e_A=r_A G$ and $c_A=r_A PS_A$, and sends the message $\{b_A, [e_A]_{V_A}, h(ID_A, T_1, V_A, h(PW_A\|u_A), c_A)\}$ to $S_A$, where $T_1$ is the current timestamp.

(2) Upon receiving the message from A, the server SA decrypts bA using the secret key sA and obtains h(PWA‖uA)‖IDA‖CIA‖h(IDA‖CIA‖h(PWA‖uA)). Then SA checks the authentication tag h(IDA‖CIA‖h(PWA‖uA)) and checks whether {IDA, CIA} is stored in the registration table. If so, SA computes VA = h(IDA, sA, CIA), decrypts [eA]VA to obtain eA, computes cA = xAeA, and checks the validity of h(IDA, T1, VA, h(PWA‖uA), cA). If all of the above verifications succeed, SA has authenticated A. Then SA computes KA = h(cA⊕TA), where TA is the current timestamp. SA also randomly chooses k and computes WA = [k, IDA, IDB]KA and TicketB = [k, IDA, IDB, L]K, where K is the key shared between SA and SB, and L is TicketB's lifetime. Finally, SA sends {WA, TicketB, TA, L} to A.

(3) Upon receiving the message from SA, A checks whether the timestamp TA is valid. If so, she computes K'A = h(cA⊕TA), uses it to decrypt WA, and obtains IDA, IDB, and k. She also checks whether IDA and IDB are both correct. Then A chooses a random integer a ∈ Z*p, computes Ea = aG‖MACk(aG), and forwards {IDA, Ea, TicketB} to the client B.

(4) Upon receiving the message from A, the client B attaches his smart card SCB to a device reader and inputs his IDB and PWB. Then B selects a random number rB, computes eB = rBG and cB = rBPSB, and sends the message {TicketB, bB, [eB]VB, h(IDB, T2, VB, h(PWB‖uB), cB), T2} to SB, where T2 is the current timestamp.

(5) Upon receiving the message from B, SB first checks whether T2 is valid. If so, it decrypts TicketB using K to obtain k, L, IDA, and IDB. Then SB checks whether L, IDA, and IDB are valid. If so, SB decrypts bB using the secret key sB and obtains h(PWB‖uB)‖IDB‖CIB‖h(IDB‖CIB‖h(PWB‖uB)). Then SB checks the authentication tag h(IDB‖CIB‖h(PWB‖uB)) and checks whether {IDB, CIB} is stored in the registration table. If so, SB computes VB = h(IDB, sB, CIB), decrypts [eB]VB, computes cB = xBeB, and checks the validity of h(IDB, T2, VB, h(PWB‖uB), cB). If so, SB has authenticated B and computes KB = h(cB⊕TB) and WB = [k, IDA, IDB]KB, where TB is the current time. Finally, SB sends {WB, TB} to B.

(6) Upon receiving the message from SB, B first checks whether TB is valid. If so, B computes K'B = h(cB⊕TB) and decrypts WB to obtain IDA, IDB, and k. He then checks the integrity of aG, and also checks whether IDA and IDB are both correct. If so, B chooses a random integer b ∈ Z*p, computes Eb = bG‖MACk(bG), and sends Eb to the client A.

(7) Upon receiving Eb, A checks the integrity of bG. Finally, both A and B can compute the agreed session key sk = h(IDA‖IDB‖aG‖bG‖abG).
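The client-to-client flows (3), (6) and (7) of this instantiation, as an added Python example that is not the paper's code: the elliptic-curve group is replaced by exponentiation in a constructed toy prime-order group (an assumption, so aG is modelled as g^a mod p), h is SHA-256, MACk is HMAC-SHA-256, and the ticket key k delivered in WA and WB is assumed already known to both clients.

```python
import hashlib
import hmac
import secrets

# Constructed toy group standing in for the paper's elliptic curve (an
# assumption): Mersenne prime 2^127 - 1 with generator 3, so "aG" is
# modelled as pow(G, a, P) and "abG" as pow(bG, a, P).
P = 2**127 - 1
G = 3
POINT_LEN = 16   # bytes needed to encode a group element below 2^127


def h(*parts: bytes) -> bytes:
    """h(x1 ‖ x2 ‖ ...) of the paper, instantiated here with SHA-256."""
    return hashlib.sha256(b"".join(parts)).digest()


def mac(k: bytes, msg: bytes) -> bytes:
    """MAC_k(msg) of the paper, instantiated here with HMAC-SHA-256."""
    return hmac.new(k, msg, hashlib.sha256).digest()


class Client:
    """A client after flows (2)/(5): it knows IDA, IDB and the ticket key k."""

    def __init__(self, role: str, k: bytes):
        self.role, self.k = role, k                     # role is "A" or "B"
        self.exp = secrets.randbelow(P - 2) + 1         # a (or b) in Z_p^*
        self.pub = pow(G, self.exp, P)                  # aG (or bG)

    def flow(self) -> bytes:
        """Flow (3) for A, flow (6) for B: E = aG ‖ MAC_k(aG)."""
        enc = self.pub.to_bytes(POINT_LEN, "big")
        return enc + mac(self.k, enc)

    def session_key(self, ida: bytes, idb: bytes, peer_flow: bytes) -> bytes:
        """Integrity check of the peer's value, then sk = h(IDA‖IDB‖aG‖bG‖abG)."""
        peer_enc, tag = peer_flow[:POINT_LEN], peer_flow[POINT_LEN:]
        if not hmac.compare_digest(mac(self.k, peer_enc), tag):
            raise ValueError("integrity check on the peer's ephemeral value failed")
        peer_pub = int.from_bytes(peer_enc, "big")
        shared = pow(peer_pub, self.exp, P)             # abG
        own = self.pub.to_bytes(POINT_LEN, "big")
        # Both sides order the ephemeral values as (aG, bG) according to role.
        ag, bg = (own, peer_enc) if self.role == "A" else (peer_enc, own)
        return h(ida, idb, ag, bg, shared.to_bytes(POINT_LEN, "big"))


def run_exchange(k: bytes, ida: bytes = b"alice", idb: bytes = b"bob"):
    """Runs flows (3), (6), (7) between two clients and returns (sk_A, sk_B)."""
    a, b = Client("A", k), Client("B", k)
    ea = a.flow()                                       # (3) A -> B: Ea
    sk_b = b.session_key(ida, idb, ea)                  # (6) B checks aG ...
    eb = b.flow()                                       # ... and replies with Eb
    sk_a = a.session_key(ida, idb, eb)                  # (7) A checks bG
    return sk_a, sk_b
```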


Table I. Comparisons of performance.

                                   Our protocol   [10]        [13]
Scalar multiplication   Clients    6 Pre          4 Pre+4     2 Pre+5
                        Servers    2              2 Pre+2     3 Pre+4
Symmetric encryption    Clients    2 Pre          2 Pre+2     2 Pre+1
                        Servers    3              5           1 Pre+1
Symmetric decryption    Clients    2              4           2
                        Servers    5              5           3
Asymmetric operation    Clients    N/A            N/A         2
                        Servers    N/A            N/A         6
Number of rounds                   3              5           5

Note: 'Pre' denotes a pre-computed operation.

4.4. Performance evaluation

Next, we evaluate the performance of our instantiation in the login-and-authentication phase, since the processing during the registration phase is done offline. Readers may have already realized that if we choose an efficient PA-SC protocol, such as [17], then the resulting C2C-PAKA protocol must also be efficient. Next, we compare our C2C-PAKA protocol with Byun et al. [10] and Feng and Xu [13] in Table I.

Table I shows that, for the clients, our instantiation introduces only two symmetric decryption operations. For the servers, our instantiation introduces only two scalar multiplications, three symmetric encryptions, and five symmetric decryption operations. Therefore, the computational cost of our C2C-PAKA protocol is lower than those of [10] and [13].

Another advantage of our protocol is its low communication complexity. Our protocol takes only three rounds of message exchange (recall Figure 1), whereas the protocols of Byun et al. [10] and Feng and Xu [13] both take five rounds. Therefore, the communication cost of our protocol is also lower than those of [10] and [13].

In addition, in our protocol, the server only needs to keep the registration table containing {ID, CI} instead of a password table for each client. The registration table does not need to be encrypted, hence our protocol reduces the storage load of the server.

5. CONCLUSION AND FUTURE WORK

In this paper, we proposed a generic framework which converts a PA-SC protocol into a cross-realm C2C-PAKA protocol, and we proved its security under the same assumptions as the underlying authentication protocol. Moreover, the construction can be instantiated efficiently, and the computation and communication costs of the instantiation are lower than those of similar protocols.

Our future work may include real experiments to test the proposed general construction. In addition, as user privacy is becoming a crucial problem for emerging services, we are also interested in privacy protection for network clients, particularly protecting a client's identity from being obtained by eavesdroppers or other parties in a network system.

APPENDIX A: SECURITY PROOF OF THEOREM 4.1

Our proof defines a sequence of hybrid experiments, starting with the real attack and ending in an experiment in which the adversary has no advantage. For each experiment Expn, we define an event Succn corresponding to the case in which the adversary correctly guesses the bit b involved in the Test query. By summing the differences between successive probabilities, we finally obtain the result of Theorem 4.1. Several experiments are similar to those of Byun et al. [10], hence we explain them only briefly.

Experiment Exp0: This experiment corresponds to the real attack in the random oracle model. By definition, we have

$$\mathrm{Adv}^{ss}_{D}(t, R) = 2\Pr[\mathrm{Succ}_0] - 1 \quad (\mathrm{A1})$$

Experiment Exp1: In this experiment, we simulate the H oracle. According to the birthday paradox, the probability of collisions in the output of the H oracle is $q_h^2/(2(p-1))$, hence:

$$\left|\Pr[\mathrm{Succ}_0] - \Pr[\mathrm{Succ}_1]\right| \le \frac{q_h^2}{2(p-1)} \quad (\mathrm{A2})$$

Experiment Exp2: In this experiment, we try to construct an algorithm that can break the semantic security of the underlying PA-SC. If the adversary APA-SC can distinguish the session key of the PA-SC protocol from a random value with non-negligible probability, then the secret value sv must be obtained by APA-SC. The adversary APA-SC forwards the value of sv to A. Eventually, the adversary A can distinguish the session key from a random value in our C2C-PAKA construction. Therefore, the semantic security of the underlying PA-SC guarantees that the adversary A cannot obtain sv. Thus we have

$$\left|\Pr[\mathrm{Succ}_1] - \Pr[\mathrm{Succ}_2]\right| = 2\,\mathrm{Adv}_{PA\text{-}SC, D}(T_{sc}, R_{sc}) \quad (\mathrm{A3})$$

Experiment Exp3: In this experiment, we try to construct a polynomial time algorithm Ase to break the security of the symmetric encryption. Because there are three symmetric encryptions, we have

$$\left|\Pr[\mathrm{Succ}_2] - \Pr[\mathrm{Succ}_3]\right| = 3\,\mathrm{Adv}^{cca}_{SE}(T_{se}, q_e, q_d) \quad (\mathrm{A4})$$

Experiment Exp4: The goal of this experiment is to construct an algorithm for the MAC adversary by using A. This experiment is the same as in [10]. We have

$$\left|\Pr[\mathrm{Succ}_3] - \Pr[\mathrm{Succ}_4]\right| \le 2\,\mathrm{Adv}^{cma}_{MAC}(T_{mac}, q_t, q_v) \quad (\mathrm{A5})$$

Experiment Exp5: In this experiment, we consider a random DDH triple (U, V, Z) where U = uG, V = vG, and Z = rG. The random DDH triple is injected into the protocol, and then the triple is used for generating a target session key. By exploiting A, which tries to gain an advantage on a session key in Exp4 and Exp5, we can construct a polynomial time algorithm Addh to break the DDH assumption. We get

$$\left|\Pr[\mathrm{Succ}_4] - \Pr[\mathrm{Succ}_5]\right| = \mathrm{Adv}^{ddh}_{E}(T_{ddh}) \quad (\mathrm{A6})$$

In [10], there is a rigorous analysis of the success probability in Exp5, denoted by $\mathrm{Adv}^{sk}_{\mathrm{Exp}_5}(A)$. In our C2C-PAKA construction, the online password guessing attack is unavoidable. The advantage $\mathrm{Adv}^{sk}_{\mathrm{Exp}_5}(A)$ is bounded by $q_{send}/|D|$, where $q_{send}$ is the maximum number of Send queries. Therefore, we have

$$\Pr[\mathrm{Succ}_5] = \tfrac{1}{2}\,\mathrm{Adv}^{sk}_{\mathrm{Exp}_5}(A) + \tfrac{1}{2} \le \frac{q_{send}}{2|D|} + \tfrac{1}{2} \quad (\mathrm{A7})$$

Consequently from (A1) to (A7), we come to a conclusion in Theorem 4.1.
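Chaining (A1) to (A7) by the triangle inequality gives the bound below; this is an added worked step, not the paper's own statement of Theorem 4.1, which is outside this excerpt:

$$\mathrm{Adv}^{ss}_{D}(t, R) = 2\Pr[\mathrm{Succ}_0] - 1 \le 2\Pr[\mathrm{Succ}_5] - 1 + 2\sum_{n=0}^{4}\left|\Pr[\mathrm{Succ}_n] - \Pr[\mathrm{Succ}_{n+1}]\right|$$

$$\le \frac{q_{send}}{|D|} + \frac{q_h^2}{p-1} + 4\,\mathrm{Adv}_{PA\text{-}SC, D}(T_{sc}, R_{sc}) + 6\,\mathrm{Adv}^{cca}_{SE}(T_{se}, q_e, q_d) + 4\,\mathrm{Adv}^{cma}_{MAC}(T_{mac}, q_t, q_v) + 2\,\mathrm{Adv}^{ddh}_{E}(T_{ddh})$$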

APPENDIX B: SECURITY PROOF OF THEOREM 4.2

The proof is similar to the proof of Theorem 4.2 in Jin and Xu [14], so we only sketch it. A passive server has access only to the Execute and Test oracles, hence it cannot actively use the value of sv and the transcripts to learn the session key. Owing to this limited ability, the proof can be concluded by a succinct algorithm. Let SA be an adversary against the key privacy of the C2C-PAKA construction whose time complexity is at most t; we construct another adversary Addh against the DDH assumption using SA. That is, Addh runs the adversary SA in this environment and answers all oracle queries using Addh's own input and parameters. To deal with key privacy with respect to a passive server, we only consider the last flow of the C2C-PAKA construction.

1. For the Execute query, Addh computes the communication messages based on his input (G, aG, bG, Z) and finally computes the session key as described in the protocol.

2. For the Test query, Addh responds to SA with the session key when b = 1, or with a random number when b = 0.

After all interactions, Addh sets his answer to be the answer of the adversary SA. Now we analyze Addh's advantage. If Z = abG, the simulation of Addh is perfect. Hence, the probability that Addh outputs 1 is exactly $\tfrac{1}{2} + \tfrac{1}{2}\,\mathrm{Adv}^{kp}_{D}(SA)$. If Z is a random point over Ep, the session key computed is a random number. Hence, the probability that Addh outputs 1 is exactly $\tfrac{1}{2}$. Thus

$$\mathrm{Adv}^{ddh}_{E}(A) = \tfrac{1}{2} + \tfrac{1}{2}\,\mathrm{Adv}^{kp}_{D}(SA) - \tfrac{1}{2} \quad (\mathrm{B1})$$

Therefore, we get the result of Theorem 4.2.

APPENDIX C: SECURITY PROOF OF THEOREM 4.3

We only give the proof of password protection against a malicious client; password protection against a malicious server can be proved in a similar way. We suppose that the malicious client B has already made the Corrupt(Ai, 2) query, which means that he has obtained A's information stored in her smart card. From the execution of the protocol, he can also obtain mA(svA). As the PA-SC protocol is semantically secure, B cannot obtain the password of A; otherwise, the semantic security of the PA-SC protocol would not hold. Thus we have

$$\mathrm{Adv}^{pp\text{-}c}_{D}(t, R) = \mathrm{Adv}_{PA\text{-}SC, D}(T_{sc}, R_{sc}) \quad (\mathrm{C1})$$

In addition, because the online password guessing attack is unavoidable, the advantage $\mathrm{Adv}^{pp\text{-}c}_{D}(t, R)$ is bounded by $q_{send}/|D|$, where $q_{send}$ is the maximum number of Send queries. Hence, Theorem 4.3 is concluded.

ACKNOWLEDGEMENTS

This work was supported by the National Grand Fundamental Research (973) Program of China under Grant 2007CB311202, and the National Natural Science Foundation of China (NSFC) under Grants 60873197 and 60970138.

REFERENCES

1. Abdalla M, Pointcheval D. Interactive Diffie–Hellman assumptions with applications to password-based authentication. Proceedings of FC'05 (Lecture Notes in Computer Science, vol. 3570), Roseau, Dominica, 2005; 341–356.

2. Abdalla M, Fouque P, Pointcheval D. Password-based authenticated key exchange in the three-party setting. Proceedings of PKC'05 (Lecture Notes in Computer Science, vol. 3386), Switzerland, 2005; 65–84.

3. Lin C-L, Sun H-M, Steiner M, Hwang T. Three-party encrypted key exchange without server public-keys. IEEE Communications Letters 2001; 12(5):497–499.

4. Byun J-W, Jeong I-R, Lee D-H, Park C. Password-authenticated key exchange between clients with different passwords. Proceedings of ICICS'02 (Lecture Notes in Computer Science, vol. 2513), Singapore, 2002; 134–146.

5. Chen L. A weakness of the password-authenticated key agreement between clients with different passwords scheme. ISO/IEC JTC 1/SC27 N3716.


6. Wang S, Wang J, Xu M. Weakness of a password-authenticated key exchange protocol between clients with different passwords. Proceedings of ACNS'04 (Lecture Notes in Computer Science, vol. 3089), Yellow Mountain, China, 2004; 414–425.

7. Kim J, Kim S, Kwak J, Won D. Cryptanalysis and improvement of password authenticated key exchange scheme between clients with different passwords. Proceedings of ICCSA 2004 (Lecture Notes in Computer Science, vol. 3043), Assisi, Italy, 2004; 895–902.

8. Phan RC-W, Goi B-M. Cryptanalysis of an improved client-to-client password authenticated key exchange (C2C-PAKE) scheme. Proceedings of ACNS'05 (Lecture Notes in Computer Science, vol. 3531), New York, U.S.A., 2005; 33–39.

9. Yoon E-J, Yoo K-Y. A secure password-authenticated key exchange between clients with different passwords. Proceedings of APWeb'06 (Lecture Notes in Computer Science, vol. 3842), Harbin, China, 2006; 659–663.

10. Byun JW, Lee DH, Lim JI. EC2C-PAKA: An efficient client-to-client password-authenticated key agreement. Information Sciences 2007; 177(19):3995–4013.

11. Yin Y, Li B. Secure cross-realm C2C-PAKE protocol. Proceedings of ACISP'06 (Lecture Notes in Computer Science, vol. 4058), Melbourne, Australia, 2006; 395–406.

12. Phan RC-W, Goi B-M. Cryptanalysis of two provably secure cross-realm C2C-PAKE protocols. Proceedings of INDOCRYPT'06 (Lecture Notes in Computer Science, vol. 4329), Kolkata, India, 2006; 104–117.

13. Feng D-G, Xu J. A new client-to-client password-authenticated key agreement protocol. Proceedings of IWCC'09 (Lecture Notes in Computer Science, vol. 5557), Zhangjiajie, China, 2009; 63–76.

14. Jin W-T, Xu J. An efficient and provably secure cross-realm client-to-client password-authenticated key agreement protocol with smart cards. Proceedings of CANS'09 (Lecture Notes in Computer Science, vol. 5888), Ishikawa, Japan, 2009; 299–314.

15. Bellare M, Pointcheval D, Rogaway P. Authenticated key exchange secure against dictionary attacks. Proceedings of EUROCRYPT'00 (Lecture Notes in Computer Science, vol. 1807), Bruges, Belgium, 2000; 139–155.

16. Xu J, Zhu W-T, Feng D-G. An improved smart card based password authentication scheme with provable security. Computer Standards and Interfaces 2009; 31(4):723–728.

17. Juang W-S, Chen S-T, Liaw H-T. Robust and efficient password-authenticated key agreement using smart cards. IEEE Transactions on Industrial Electronics 2008; 55(6):2551–2556.
