

Computer Standards & Interfaces 29 (2007) 580–583 www.elsevier.com/locate/csi

Potential weaknesses of AuthA password-authenticated key agreement protocols

Kyung-Ah Shim ⁎

Department of Mathematics, Ewha Womans University, 11-1 Daehyun-dong, Seodaemun-gu, Seoul, 120-750, Republic of Korea

Received 31 August 2006; accepted 9 January 2007. Available online 17 January 2007.

Abstract

In this paper we point out potential weaknesses of the AuthA protocols, which are in the process of being standardized by IEEE (IEEE P1363: Password-based authentication and key agreement protocols). More precisely, we present chosen protocol attacks on the AuthA password-authenticated key agreement protocols. We make suggestions for improvement.

© 2007 Elsevier B.V. All rights reserved.

Keywords: Password-authenticated key agreement protocol; Protocol interaction; Chosen protocol attack

1. Introduction

Two entities, who only share a password, and who are communicating over an insecure network, want to authenticate each other and agree on a session key to be used for protecting their subsequent communication. This is called the password-authenticated key exchange problem. The first password-authenticated key exchange (PAKE) protocol, known as Encrypted Key Exchange (EKE), was suggested by Bellovin and Merritt [1]. By using a combination of symmetric and public-key cryptography, EKE resists dictionary attacks by giving a passive attacker insufficient information to verify a guessed password. The family of EKE protocols represents a strong level of password-based authentication among the protocols available. EKE's greatest failure is that it still suffers from plaintext-equivalence, requiring that both the client and the server have access to the same secret password or a hash thereof. To overcome these flaws, verifier-based password authentication protocols have been proposed, such as the Augmented EKE (A-EKE) [2], which makes EKE a verifier-based protocol. Since then, many password-authenticated key agreement protocols that promised increased security have been developed [8,3,4,10–13]. OKE was introduced as the first provable approach, based on the work of Bellare and Rogaway [5], and was followed by SNAPI [12]. Also, AuthA and PAK have been introduced separately [6,8], and they show that the provable approach in this area is maturing. In this paper we show that the AuthA protocols, which are in the process of being standardized by IEEE, are vulnerable to chosen protocol attacks, and we make suggestions for improvement.

⁎ Tel.: +82 2 3277 2292. E-mail address: [email protected].

0920-5489/$ - see front matter © 2007 Elsevier B.V. All rights reserved. doi:10.1016/j.csi.2007.01.002

The rest of this paper is organized as follows. In the following section, we describe the AuthA password-authenticated key agreement protocol. In Section 3, we point out that the protocol is vulnerable to chosen protocol attacks. In Section 4, we describe countermeasures against the attacks. A concluding remark is given in Section 5.

2. AuthA password-authenticated key agreement protocol

Bellare and Rogaway [6,7] suggest a simple protocol, AuthA, for the problem of password-authenticated key exchange. They assume the asymmetric trust model: the client A has a password pwa, and the server B has a particular one-way function of it, pwb. An authentication tag, AuthA, is then sent from the client to the server. This tag is just the hash of some values easily computable by both parties. The server checks the received tag before accepting the session key. The protocol provides security against dictionary attacks, and it ensures forward secrecy and client-to-server authentication.


Server-to-client authentication can be added cheaply by sending a second authentication tag, AuthB, from the server to the client.

First, convert the client-server password P, which is a string, into pwa and pwb, elements of the underlying group, as follows:

$pwa$ = the group element represented by $H(A\|B\|P)$, $\quad pwb = g^{pwa}$.

To carry out the protocol, the client A will use pwa and pwb, while the server B will use only pwb. The following steps can be performed in any order. Client A chooses a random number x and computes $X = g^x$ and $X^* = E^1_{pwb}(X)$. Client A sends $X^*$ to the server. Server B also chooses a random number y and computes $Y = g^y$ and $Y^* = E^2_{pwb}(Y)$, where $E^1$ and $E^2$ are symmetric encryption algorithms. Server B sends $Y^*$ to the client. Client A receives $Y^*$, decrypts it to obtain $\bar{Y} = D^2_{pwb}(Y^*)$ and then computes

$\mathrm{DiffieHellmanKey}_A = \bar{Y}^x \ (= g^{xy})$.

Client A computes the following:

$\mathrm{MasterKey}_A = H(A\|B\|X\|\bar{Y}\|\mathrm{DiffieHellmanKey}_A)$,

$\mathrm{SessionKey}_A = H(\mathrm{MasterKey}_A\|0)$, $\quad \mathrm{AuthA} = H(\mathrm{MasterKey}_A\|Y^{pwa})$.

Server B receives $X^*$, decrypts it to obtain $\bar{X} = D^1_{pwb}(X^*)$ and then computes

$\mathrm{DiffieHellmanKey}_B = \bar{X}^y \ (= g^{xy})$.

Server B likewise computes the following:

$\mathrm{MasterKey}_B = H(A\|B\|\bar{X}\|Y\|\mathrm{DiffieHellmanKey}_B)$,

$\mathrm{SessionKey}_B = H(\mathrm{MasterKey}_B\|0)$, $\quad \mathrm{AuthB} = H(\mathrm{MasterKey}_B\|2)$.

The flows of the AuthA protocols are summarized as follows.

• Server-initiated AuthA protocol (c); client-to-server authentication:
(1.1) B → A : $Y^*$
(1.2) A → B : $X^* \| \mathrm{AuthA}$.

• Server-initiated AuthA protocol (d); mutual authentication:
(1.1) B → A : $Y^*$
(1.2) A → B : $X^* \| \mathrm{AuthA}$
(1.3) B → A : $\mathrm{AuthB}$.

3. Chosen protocol attacks on AuthA protocols

We first recall the definitions of protocol interactions and chosen protocol attacks. Let P and Q be two different protocols, both of which use the same key material but which do different things. These protocols are said to interact whenever some information derived from the protocol P allows an attacker to successfully mount some attack on the other protocol Q. Kelsey et al. [9] present a new attack, called a chosen protocol attack, in which an attacker convinces one or more intended victims to accept and start using a new, tailor-made protocol, called a "chosen protocol". This protocol is designed specifically to interact with some already-running protocol, called a "target protocol". The chosen protocol itself should have no obvious weaknesses, but must allow an attack on the target protocol. A protocol may be quite secure alone, but may lose its security when another protocol exists that can be carried out with the same key pair.

Before describing the chosen protocol attacks on the AuthA protocols, we state the assumptions that are made in order for the attacks to be effective.

• Suppose that both client and server use the same password for unilateral and mutual authentication. More precisely, they use AuthA protocol (c) for client-to-server authentication and AuthA protocol (d) for mutual authentication with the same password P.

• They also use the same symmetric encryption algorithm.

These assumptions are plausible. Although precautions may be taken to avoid using the same password for multiple levels of security and for multiple job functions, in reality almost all users do not follow this precaution. Thus, these situations may exist in a wide range of systems. Also, it is very likely that two protocols use the same symmetric encryption algorithm, since there are few standards for symmetric encryption algorithms.

3.1. Chosen protocol attack on the unilateral AuthA protocol (c)

Suppose that an adversary E wishes to impersonate A to B in the unilateral AuthA protocol (c). That is, the unilateral protocol (c) is the target protocol and the mutual protocol (d) is the chosen protocol. The chosen protocol attack on the unilateral AuthA protocol (c) is mounted as follows.

(1.1) B → E(A) : $Y^*$
(2.1) E(B) → A : $Y^*$
(2.2) A → E(B) : $X^* \| \mathrm{AuthA}$
(2.3) E(B) → A : session abandoned
(1.2) E(A) → B : $X^* \| \mathrm{AuthA}$.

1. When B initiates a session of protocol (c) with A by sending $Y^*$, the adversary E intercepts it. E, who does not know the password, cannot compute a valid message $X^* \| \mathrm{AuthA}$ herself. However, E can take advantage of A, who will provide the necessary encrypted value $X^*$ and a proper authenticator AuthA. For this, E(B) (E impersonating B) starts a new session of protocol (d) with A, replaying message (1.1) as the initial message (2.1) of that protocol.

2. After receiving message (2.1), A thinks that it was sent by B. Then A replies with the value $X^*$ and her own authenticator AuthA as message (2.2). In fact, message (2.2) is exactly the value encrypted under the password-derived key pwb that is needed as the reply to (1.1) in the session of protocol (c).


3. On receipt of message (2.2), E abandons the session of protocol (d). Returning to the session of protocol (c), E(A) (E impersonating A) sends $X^* \| \mathrm{AuthA}$ to B as message (1.2).

4. After verifying the authenticator AuthA, B accepts the session of protocol (c).

5. Finally, E succeeds in impersonating A to B in AuthA protocol (c). That is, the client-to-server authentication is compromised.

If we take the chosen protocol to be AuthA protocol (c), then the same attack can be applied to AuthA protocol (d). In these attacks, the adversary makes the server hold incorrect beliefs about her identity, without learning the session key. However, in reality, these attacks can have serious consequences for both the deceived party and the impersonated party. First, these attacks may cause a denial of service to the deceived party. Second, the attacker may collect useful information from the deceived party. Third, these attacks can damage the reputation of the impersonated party. Thus, the AuthA protocols do not provide authentication as intended.

4. Countermeasures

In this section, we describe countermeasures against the attacks.

• These attacks are a kind of chosen protocol attack [9], in which some information derived from one protocol allows an attacker to successfully mount an attack on another protocol. As described in the previous section, when two protocols rely on the same password for different purposes, the protocols interact, since an attacker can now use her observation of an execution of AuthA protocol (d) to mount a replay attack on AuthA protocol (c). The weakness of the AuthA protocols against chosen protocol attacks is due to the fact that there is no linkage between the cryptographic messages and their protocols, i.e., the encrypted messages are not bound to their protocols. Thus, as discussed in [9], including a unique protocol identifier (pid) in the input of the encryption or of the authenticator prevents these kinds of attacks:

$X^* = E^1_{pwb}(X, pid)$, $\quad Y^* = E^2_{pwb}(Y, pid)$,

$\mathrm{MasterKey}_A = H(A\|B\|X\|\bar{Y}\|\mathrm{DiffieHellmanKey}_A\|pid)$.

• These attacks also take advantage of the fact that the message components have the same form in both protocols despite their different purposes, unilateral and mutual authentication. With the proliferation of authentication and authenticated key agreement protocols, there is a likelihood that the message formats of different protocols coincide. Thus, message components that are encrypted with the same key should have different forms and different lengths. The cryptographic messages used in each protocol must differ from those of the others, in the sense that it must not be possible for an attacker to use messages appearing in one protocol to derive or reconstruct messages needed for the other protocols. In the AuthA protocol, if the message format of AuthA in protocol (c) differs from that of AuthA in protocol (d), these kinds of attacks are prevented. If we use $\mathrm{AuthA} = H(\mathrm{MasterKey}_A\|Y^{pwa})$ for unilateral authentication and $\mathrm{AuthA} = H(Y^{pwa}\|\mathrm{MasterKey}_A)$ for mutual authentication, then these attacks are prevented.
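As an added example (not code from the paper or from the AuthA contribution to IEEE P1363), the following Python script carries out the Section 2 computations of both parties and then adds the Section 4 protocol identifier pid to the encrypted flows and to the master key. The group parameters, the SHA-256 stand-in for H, the keystream-XOR stand-in for $E^1$/$E^2$, and the identities and password are all constructed assumptions; run() reports whether B, running one protocol, accepts the tag of an A that answers as if running another, so the effect of the pid binding can be checked directly.

```python
import hashlib, secrets
# Toy group (constructed; a deployment uses a standardised prime-order group).
p, g, L = 2**255 - 19, 2, 32          # Z_p^* with generator g, L-byte encoding

def enc(n: int) -> bytes:
    return n.to_bytes(L, "big")

def H(*parts: bytes) -> bytes:
    """The paper's hash H of a concatenation; SHA-256 is an assumption."""
    return hashlib.sha256(b"".join(parts)).digest()

def E(i: int, pwb: int, m: bytes) -> bytes:
    """Stand-in for E^i_pwb: XOR with a SHAKE256 keystream (D^i is the same op)."""
    ks = hashlib.shake_256(bytes([i]) + enc(pwb)).digest(len(m))
    return bytes(a ^ b for a, b in zip(m, ks))

def derive_pw(A: bytes, B: bytes, P: bytes):
    """pwa = H(A||B||P) as an exponent; pwb = g^pwa is all the server stores."""
    pwa = int.from_bytes(H(A, B, P), "big") % (p - 1)
    return pwa, pow(g, pwa, p)

def server_start(pwb: int, pid: bytes):
    """Flow (1.1): B picks y, sends Y* = E^2_pwb(Y || pid); pid = b"" is plain AuthA."""
    y = secrets.randbelow(p - 2) + 1
    return y, E(2, pwb, enc(pow(g, y, p)) + pid)

def client_respond(A, B, pwa, pwb, y_star, pid):
    """Flow (1.2): A recovers Y, picks x, returns (X*, AuthA, SessionKeyA)."""
    pt = E(2, pwb, y_star)
    Y_bar, got = int.from_bytes(pt[:L], "big"), pt[L:]
    if got != pid:                     # Y* was produced for another protocol
        return None
    x = secrets.randbelow(p - 2) + 1
    X, dh = pow(g, x, p), pow(Y_bar, x, p)
    master = H(A, B, enc(X), enc(Y_bar), enc(dh), pid)   # MasterKeyA (|| pid)
    auth_a = H(master, enc(pow(Y_bar, pwa, p)))          # AuthA = H(MasterKeyA || Y^pwa)
    return E(1, pwb, enc(X) + pid), auth_a, H(master, b"\x00")

def server_finish(A, B, pwb, y, x_star, auth_a, pid):
    """B recovers X and checks AuthA via pwb^y (= Y^pwa), so B never needs pwa."""
    pt = E(1, pwb, x_star)
    X_bar, got = int.from_bytes(pt[:L], "big"), pt[L:]
    if got != pid:
        return None
    master = H(A, B, enc(X_bar), enc(pow(g, y, p)), enc(pow(X_bar, y, p)), pid)
    if auth_a != H(master, enc(pow(pwb, y, p))):
        return None
    return H(master, b"\x00")          # SessionKeyB = H(MasterKeyB || 0)

def run(pid_server: bytes, pid_client: bytes, client_pw: bytes = b"hunter2") -> bool:
    """B runs protocol pid_server, A answers as if in pid_client; True iff B accepts and keys match."""
    A, B = b"alice", b"server"                        # constructed sample identities
    _, pwb = derive_pw(A, B, b"hunter2")              # B holds only the verifier pwb
    pwa_c, pwb_c = derive_pw(A, B, client_pw)         # A derives both from its password
    y, y_star = server_start(pwb, pid_server)
    reply = client_respond(A, B, pwa_c, pwb_c, y_star, pid_client)
    if reply is None:
        return False
    x_star, auth_a, sk_a = reply
    return server_finish(A, B, pwb, y, x_star, auth_a, pid_server) == sk_a
```

With pid = b"" on both sides the messages of protocols (c) and (d) are indistinguishable, which is why run(b"", b"") succeeding also models the relayed tag; with distinct identifiers the same flows are rejected.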

5. Conclusion

We have shown that the AuthA password-authenticated key agreement protocols, which are in the process of being standardized by IEEE, are insecure against chosen protocol attacks. Some countermeasures against the attacks have also been discussed. This paper shows that password-authenticated key agreement protocols which are widely trusted and standardized are exposed to these attacks. This consequence warns us that, when considering attacks against a protocol, we should consider not only the protocol itself but also its interaction with other protocols.

Acknowledgement

This work was supported by the Korea Research Foundation Grant funded by the Korean Government (MOEHRD) (KRF-2005-217-C00002).

References

[1] S.M. Bellovin, M. Merritt, Encrypted key exchange: password-based protocols secure against dictionary attacks, IEEE Computer Society Conference on Research in Security and Privacy, 1992, pp. 72–84.

[2] S.M. Bellovin, M. Merritt, Augmented Encrypted Key Exchange: password-based protocols secure against dictionary attacks and password file compromise, Technical Report, AT&T Bell Laboratories, 1994.

[3] V. Boyko, P. MacKenzie, S. Patel, Provably secure password-authenticated key exchange using Diffie-Hellman, Advances in Cryptology: Eurocrypt'00, LNCS 1807, Springer-Verlag, 2000, pp. 156–171.

[4] M. Bellare, D. Pointcheval, P. Rogaway, Authenticated key exchange secure against dictionary attacks, Advances in Cryptology: Eurocrypt'00, LNCS 1807, Springer-Verlag, 2000, pp. 139–155.

[5] M. Bellare, P. Rogaway, Entity authentication and key distribution, Advances in Cryptology: Crypto'93, LNCS 773, Springer-Verlag, 1994, pp. 232–249.

[6] M. Bellare, P. Rogaway, The AuthA protocol for password-based authenticated key exchange, Contribution to IEEE P1363, 2000.

[7] E. Bresson, O. Chevassut, D. Pointcheval, Security proofs for an efficient password-based key exchange, Proc. of the 10th ACM Conference on Computer and Communications Security, ACM Press, 2003, pp. 241–250.

[8] V. Boyko, P. MacKenzie, S. Patel, Provably secure password authenticated key exchange using Diffie-Hellman, Advances in Cryptology: Eurocrypt'00, LNCS 1807, Springer-Verlag, 2000, pp. 156–171.

[9] J. Kelsey, B. Schneier, D. Wagner, Protocol interactions and the chosen protocol attack, Security Protocols, 5th International Workshop, 1998, pp. 91–104.

[10] D. Jablon, Extended password methods immune to dictionary attack, Proc. of the WETICE'97 Enterprise Security Workshop, Cambridge, MA, June 1997.

[11] D. Jablon, Strong password-only authenticated key exchange, Computer Communication Review 26 (5) (1996) 5–26.

[12] P. MacKenzie, R. Swaminathan, Secure network authentication with password identification, IEEE P1363a, 1999.

[13] T. Wu, The secure remote password protocol, Internet Society Symposium on Network and Distributed System Security, NDSS'99, 1998, pp. 97–111.


Kyung-Ah Shim received her M.S. and Ph.D. degrees in Mathematics from the Ewha Womans University in 1994 and 1999, respectively. From 2000 to 2004, she worked as a senior researcher in the Korea Information Security Agency. Currently, she is a Research Professor at the Department of Mathematics of the Ewha Womans University. Her research activities are mainly focused on cryptography and information security.