Simple password-based key agreement protocol
Department of Computer Engineering Kyungpook National University
Sung-woon Lee
Sequence
- Related work
- Security requirements
- System parameters
- Cryptanalysis for SAKA's variants
- Simple password-based key agreement protocol (SPKA)
- Security analysis for SPKA
- Conclusion
Related work (1/3)
- Diffie-Hellman key agreement protocol (1976): session key sharing based on discrete logarithms over a finite field; vulnerable to the man-in-the-middle attack because it provides no authentication.
- SAKA (Simple Authenticated Key Agreement) protocol (1999): adds authentication to the Diffie-Hellman protocol in a simple way, using a pre-shared password for user authentication.
Related work (2/3)
- Tseng's protocol (2000): addressed a weakness caused by a man-in-the-middle attack in the key verification steps of SAKA; improved the verification steps of SAKA.
- Ku and Wang's protocol (2000): showed that Tseng's protocol is still vulnerable to man-in-the-middle attacks; improved the verification steps of SAKA.
Related work (3/3)
- Sun (2000): showed that SAKA is vulnerable to the man-in-the-middle attack and to the password guessing attack, and that it does not provide perfect forward secrecy.
- Lin et al.'s protocol (2000): improved the verification steps of SAKA to overcome the weaknesses pointed out by Sun.
- Hsieh et al. (2002): showed that Lin et al.'s protocol still suffers from the password guessing attack.
Security requirements (1/3)
- Secure against the man-in-the-middle attack: even if an attacker eavesdrops on, modifies, reflects, or replays the transmitted messages, the session key has to remain secure.
Security requirements (2/3)
- Secure against the password guessing attack
  - Online: easily detected by counting authentication failures.
  - Offline: the attacker intercepts the transmitted messages and uses them to test password guesses. This is a threat precisely because the password is one a person can memorize, so the candidate space is small enough to search.
Security requirements (3/3)
- Provide perfect forward secrecy: even if the password is compromised, an attacker must not be able to compute old session keys.
System parameters
- $A$, $B$: honest entities
- $n$: a large prime number
- $g$: a primitive root modulo $n$ (generator)
- $P$: the password pre-shared between the users
- $Q$: an integer derived from $P$, e.g. the smallest such integer greater than $P$; for $Q^{-1}$ to exist it must satisfy $\gcd(Q, n-1) = 1$
- $Q^{-1}$: the inverse of $Q$ modulo $n-1$, so that $(g^x)^{Q Q^{-1}} = g^x$
- $a$, $b$: random numbers chosen by $A$ and $B$
- $K_A$, $K_B$: session keys computed by $A$ and $B$
- $X_Y$: the value $X$ computed by user $Y$
Additional cryptanalysis for Tseng's protocol

Key establishment
- $A \to B$: $X_A = (g^a)^Q$
- $B \to A$: $X_B = (g^b)^Q$
- $A$: $Y_A = (X_B)^{Q^{-1}} = g^b$, $K_A = (Y_A)^a = g^{ab}$
- $B$: $Y_B = (X_A)^{Q^{-1}} = g^a$, $K_B = (Y_B)^b = g^{ab}$

Key verification
- $A \to B$: $Y_A$; $B$ checks $Y_A \stackrel{?}{=} g^b$
- $B \to A$: $Y_B$; $A$ checks $Y_B \stackrel{?}{=} g^a$

Messages observable on the wire: $X_A$, $X_B$, $Y_A$, $Y_B$

Vulnerable to the password guessing attack: for a guessed password $P'$ and its derived $Q'$, the attacker tests $X_A \stackrel{?}{=} (Y_B)^{Q'}$ (the true value is $X_A = g^{aQ}$) or $X_B \stackrel{?}{=} (Y_A)^{Q'}$ (true value $g^{bQ}$); a match confirms the guess offline, with no interaction and no failure count on the server side.
Cryptanalysis for Ku and Wang's protocol

Key establishment (as in Tseng's protocol)
- $A \to B$: $X_A = (g^a)^Q$
- $B \to A$: $X_B = (g^b)^Q$
- $A$: $Y_A = (X_B)^{Q^{-1}} = g^b$, $K_A = (Y_A)^a = g^{ab}$
- $B$: $Y_B = (X_A)^{Q^{-1}} = g^a$, $K_B = (Y_B)^b = g^{ab}$

Key verification
- $A \to B$: $V_A = (K_A)^Q = g^{abQ}$; $B$ checks $(V_A)^{Q^{-1}} \stackrel{?}{=} K_B$
- $B \to A$: $Y_B$; $A$ checks $Y_B \stackrel{?}{=} g^a$

Messages observable on the wire: $X_A$, $X_B$, $V_A$, $Y_B$

- Vulnerable to the password guessing attack: with a guessed $Q'$ the attacker tests $(X_A)^{Q'^{-1}} \stackrel{?}{=} Y_B$ offline.
- Does not provide perfect forward secrecy: once $P$ (hence $Q^{-1}$) is known, a recorded $V_A$ yields the old session key directly, $(V_A)^{Q^{-1}} = g^{ab}$.
Weaknesses of SAKA-related protocols
- Vulnerable to the man-in-the-middle attack
- Vulnerable to the password guessing attack
- Do not provide perfect forward secrecy
Simple password-based key agreement protocol (SPKA)

Key establishment
- $A \to B$: $X_A = (g^a)^Q$
- $B \to A$: $X_B = (g^b)^{Q^{-1}}$
- $A$: $Y_A = (X_B)^Q = g^b$, $K_A = (Y_A)^a = g^{ab}$
- $B$: $Y_B = (X_A)^{Q^{-1}} = g^a$, $K_B = (Y_B)^b = g^{ab}$

Key verification
- $A \to B$: $V_A = (Y_A)^{K_A} = (g^b)^{K_A}$; $B$ checks $V_A \stackrel{?}{=} (g^b)^{K_B}$
- $B \to A$: $V_B = (Y_B)^{K_B} = (g^a)^{K_B}$; $A$ checks $V_B \stackrel{?}{=} (g^a)^{K_A}$

Messages observable on the wire: $X_A$, $X_B$, $V_A$, $V_B$
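The three exchanges above (Tseng, Ku and Wang, SPKA) replayed in software, as an added example that is not the presenter's code. It runs both sides of each protocol, then runs the two attacks the slides describe against a recorded transcript: the offline password guess $X_A \stackrel{?}{=} (Y_B)^{Q'}$ on Tseng's protocol and the forward-secrecy break $(V_A)^{Q^{-1}}$ on Ku and Wang's. The parameters are constructed toys ($n = 2^{31}-1$, a three-word dictionary, fixed exponents); the $\gcd(Q, n-1) = 1$ rule in `derive_q` is the standard SAKA requirement for $Q^{-1}$ to exist and is an assumption here, as are all function names.

```python
"""Toy reconstruction of the SAKA-family exchanges on the slides (added example)."""
from math import gcd

N = 2**31 - 1   # constructed toy modulus: a known prime, far too small for real use


def prime_factors(x):
    """Trial-division factorization of the group order n-1 (fine for the toy n)."""
    fs, d = set(), 2
    while d * d <= x:
        while x % d == 0:
            fs.add(d)
            x //= d
        d += 1
    if x > 1:
        fs.add(x)
    return fs


def find_generator(n):
    """Smallest primitive root modulo the prime n (the slides' g)."""
    order = n - 1
    fs = prime_factors(order)
    for g in range(2, n):
        if all(pow(g, order // q, n) != 1 for q in fs):
            return g
    raise ValueError("no generator found")


G = find_generator(N)


def derive_q(password):
    """Q = smallest integer > P with gcd(Q, n-1) = 1 (assumed rule, see lead-in)."""
    q = int.from_bytes(password.encode(), "big") + 1
    while gcd(q, N - 1) != 1:
        q += 1
    return q


def tseng_run(password, a, b):
    """Tseng's protocol: returns the on-wire transcript and both session keys."""
    q = derive_q(password)
    q_inv = pow(q, -1, N - 1)
    x_a = pow(G, a * q, N)                 # A -> B: (g^a)^Q
    x_b = pow(G, b * q, N)                 # B -> A: (g^b)^Q
    y_a = pow(x_b, q_inv, N)               # A recovers g^b and sends it back
    y_b = pow(x_a, q_inv, N)               # B recovers g^a and sends it back
    k_a, k_b = pow(y_a, a, N), pow(y_b, b, N)
    assert y_a == pow(G, b, N) and y_b == pow(G, a, N)   # the slide's two checks
    return {"X_A": x_a, "X_B": x_b, "Y_A": y_a, "Y_B": y_b}, k_a, k_b


def tseng_guess_password(transcript, dictionary):
    """Offline guessing attack from the slide: X_A ?= (Y_B)^Q' for each candidate."""
    for cand in dictionary:
        if pow(transcript["Y_B"], derive_q(cand), N) == transcript["X_A"]:
            return cand
    return None


def ku_wang_run(password, a, b):
    """Ku and Wang: same establishment, but A's verifier is V_A = (K_A)^Q."""
    q = derive_q(password)
    t, k_a, k_b = tseng_run(password, a, b)
    v_a = pow(k_a, q, N)                   # A -> B
    assert pow(v_a, pow(q, -1, N - 1), N) == k_b   # B's check (V_A)^(Q^-1) ?= K_B
    return {"X_A": t["X_A"], "X_B": t["X_B"], "V_A": v_a, "Y_B": t["Y_B"]}, k_a


def ku_wang_break_pfs(transcript, password):
    """PFS failure from the slide: a later-compromised P gives the old key (V_A)^(Q^-1)."""
    q_inv = pow(derive_q(password), -1, N - 1)
    return pow(transcript["V_A"], q_inv, N)


def spka_run(password, a, b):
    """SPKA as reconstructed from the slide: X_B uses Q^-1, verifiers are keyed by K."""
    q = derive_q(password)
    q_inv = pow(q, -1, N - 1)
    x_a = pow(G, a * q, N)                         # A -> B: (g^a)^Q
    x_b = pow(pow(G, b, N), q_inv, N)              # B -> A: (g^b)^(Q^-1)
    y_a = pow(x_b, q, N)                           # A: (X_B)^Q = g^b
    y_b = pow(x_a, q_inv, N)                       # B: (X_A)^(Q^-1) = g^a
    k_a, k_b = pow(y_a, a, N), pow(y_b, b, N)
    v_a = pow(y_a, k_a, N)                         # A -> B: (g^b)^K_A
    v_b = pow(y_b, k_b, N)                         # B -> A: (g^a)^K_B
    ok_b = v_a == pow(pow(G, b, N), k_b, N)        # B's check
    ok_a = v_b == pow(pow(G, a, N), k_a, N)        # A's check
    return {"X_A": x_a, "X_B": x_b, "V_A": v_a, "V_B": v_b}, k_a, k_b, ok_a and ok_b


if __name__ == "__main__":
    words = ["letmein", "hunter2", "qwerty"]          # constructed dictionary
    t, _, _ = tseng_run("hunter2", 12345, 67890)
    print("Tseng password recovered offline:", tseng_guess_password(t, words))
    kt, k = ku_wang_run("hunter2", 12345, 67890)
    print("Ku-Wang old key from V_A after P leaks:", ku_wang_break_pfs(kt, "hunter2") == k)
    _, ka, kb, ok = spka_run("hunter2", 12345, 67890)
    print("SPKA keys agree and both checks pass:", ka == kb and ok)
```

Note that nothing in this model says SPKA resists guessing; it only shows that the two concrete checks the slides use against the earlier protocols are not available from an SPKA transcript, because $X_B$ is blinded with $Q^{-1}$ rather than $Q$ and the verifiers are keyed with the session key instead of the password.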
Security analysis for SPKA (1/4)
- Secure against the man-in-the-middle attack
  - If an attacker only eavesdrops on $X_A$, $X_B$, $V_A$ and $V_B$, he gains no information about the session key $g^{ab}$, by the hardness of the discrete logarithm problem (DLP).
  - If an attacker modifies, reflects, or replays $X_A$, $X_B$, $V_A$ or $V_B$, the attack is detected, because the verification steps confirm both the correctness of $X_A$, $X_B$ and the equality of $K_A$ and $K_B$.
Security analysis for SPKA (2/4)
- Secure against the password guessing attack: even though an attacker intercepts the messages $X_A$, $X_B$, $V_A$ and $V_B$, none of them gives him a way to confirm whether a guessed password $P'$ is correct.
Security analysis for SPKA (3/4)
- Provides perfect forward secrecy: even if the password $P$ is compromised, an attacker has no way to produce an old session key $g^{ab}$ from the $Q$ or $Q^{-1}$ computed from $P$.
Security analysis for SPKA (4/4)

Protocol                  SAKA   Tseng   Ku and Wang   Lin et al.   SPKA
Man-in-the-middle attack  NS     NS      S             S            S
Password guessing attack  NS     NS      NS            NS           S
Perfect forward secrecy   NP     P       NP            P            P

S: Secure, NS: Not Secure, P: Provide, NP: Not Provide
Conclusion
- Reported additional weaknesses in the variants of SAKA
- Proposed the simple password-based key agreement protocol (SPKA)
  - Secure against the man-in-the-middle attack
  - Secure against the password guessing attack
  - Provides perfect forward secrecy
- Easily implemented in software and hardware because of its simple structure
Hyun-Sung Kim
Information Security Lab.
Bit-Serial AOP Arithmetic Operators for Modular Exponentiation over $GF(2^m)$
Goal
- Implement exponentiation over $GF(2^m)$
  - LSB-first algorithm: traditionally two multipliers, or a squarer and a multiplier => combined squarer and multiplier
  - MSB-first algorithm: traditionally a power-sum circuit ($AB^2 + C$) or an $AB^2$ multiplier => new $AB^2$ multiplier
Index
- Crypto system
- Modular exponentiation
- Galois field
- Bit-serial arithmetic operators
- Comparison
- Conclusion
Crypto system
- Elgamal cryptosystem (as labelled on the slide; the mutually inverse exponents shown are the RSA/Pohlig-Hellman structure, but the operation is modular exponentiation in either case)
  - Encryption: $C = M^{public} \bmod p$
  - Decryption: $M = C^{private} \bmod p$
  - $public \cdot private \equiv 1$ modulo the order of the multiplicative group, $2^m - 1$
  - $M, C \in GF(2^m)$; $p$: an irreducible (primitive) polynomial of degree $m$
- Basic operation => modular exponentiation
Modular exponentiation
- Basic operation: $C = M^E \bmod p$, with $E = e_{m-1}2^{m-1} + e_{m-2}2^{m-2} + \dots + e_1 2 + e_0 = [e_{m-1}\, e_{m-2}\, e_{m-3} \dots e_1\, e_0]$
- Binary method (Knuth): LSB-first algorithm, MSB-first algorithm
LSB-first algorithm
- Input: $M$, $E$, $p(x)$
- Output: $C = M^E \bmod p(x) = M^{e_0}(M^2)^{e_1}(M^4)^{e_2} \cdots (M^{2^{m-1}})^{e_{m-1}}$
- Step 1: $C = 1$, $T = M$
- Step 2: for $i = 0$ to $m-1$: if $e_i = 1$ then $C = C \cdot T \bmod p(x)$; $T = T \cdot T \bmod p(x)$
- In iteration $i$ the multiplication uses $T = M^{2^i}$ and the squaring prepares $T$ for iteration $i+1$; the two operations read the same $T$ and do not depend on each other, which is what lets one combined squarer-and-multiplier do both in the same pass
LSB-first algorithm
- Basic operations: squaring, multiplication
- Traditional implementation: based on two multipliers, or on a multiplier and a squarer
- Proposed implementation: based on a combined squarer and multiplier
MSB-first algorithm
- Input: $M$, $E$, $p(x)$
- Output: $C = M^E \bmod p(x) = (M^{e_1} \cdots (M^{e_{m-2}}(M^{e_{m-1}})^2)^2 \cdots)^2 M^{e_0}$
- Step 1: if $e_{m-1} = 1$ then $C = M$ else $C = 1$
- Step 2: for $i = m-2$ down to $0$: if $e_i = 1$ then $C = M C^2 \bmod p(x)$ else $C = 1 \cdot C^2 \bmod p(x)$
MSB-first algorithm
- Basic operation: $AB^2$ multiplication
- Traditional implementation: based on a power-sum circuit ($AB^2 + C$), or on an $AB^2$ multiplier
- Proposed implementation: based on a new $AB^2$ multiplier

Galois field $GF(2^m)$
- Finite field $GF(2^m)$: contains $2^m$ elements
- Canonical basis: $\{1, \alpha, \alpha^2, \alpha^3, \dots, \alpha^{m-1}\}$
- Element representation: $a = a_{m-1}\alpha^{m-1} + a_{m-2}\alpha^{m-2} + \dots + a_1\alpha + a_0 \in GF(2^m)$
- Why implement over $GF(2^m)$: carry-free arithmetic
Galois field $GF(2^m)$
- Operations needed: $AB \bmod P$, $B^2 \bmod P$, $AB^2 \bmod P$, with $A, B \in GF(2^m)$ and $P$ an irreducible polynomial
- All-one polynomial (AOP): $P(x) = x^m + x^{m-1} + x^{m-2} + \dots + x + 1$
- Property of the AOP: let $\alpha$ be a root of $p(x)$, $p(\alpha) = 0$, so $\alpha^m = \alpha^{m-1} + \alpha^{m-2} + \dots + \alpha + 1$; multiplying by $\alpha$ and adding the two relations gives $\alpha^{m+1} + 1 = 0$, i.e. $\alpha^{m+1} = 1$ (equivalently $(x+1)P(x) = x^{m+1} + 1$) <= used as the modulus in the extension field
Galois field $GF(2^m)$
- Extension field: modulus $\alpha^{m+1} + 1$, i.e. arithmetic modulo $x^{m+1} + 1$ (strictly a ring rather than a field, since $x^{m+1}+1 = (x+1)P(x)$ is reducible; the slides' "extension field" wording is kept here)
- Element representation in $GF(2^{m+1})$: $A = a_m x^m + a_{m-1}x^{m-1} + a_{m-2}x^{m-2} + \dots + a_1 x + a_0$, with $a_m = 0$ for an element of $GF(2^m)$
- Why use the extension field: easy modular reduction, because $x^{m+1} = 1$ turns reduction into a cyclic shift of the coefficients
CSM architecture
- Basic architecture for LSB-first exponentiation: $A^2 \bmod p$: squarer; $AB \bmod p$: multiplier
- Proposed architecture: Combined Squarer and Multiplier (CSM)
CSM architecture
- $AB \bmod P$ multiplication over the extension field (figure not recoverable)

CSM architecture
- $AB \bmod P$ multiplication with $P = \alpha^{m+1} + 1$; for $m = 4$: $\alpha^5 = 1$, $\alpha^6 = \alpha$, $\alpha^7 = \alpha^2$, $\alpha^8 = \alpha^3$ (figure not recoverable)
CSM architecture
- Control signal: $ctl = 1_m 1_{m-1} \dots 1_0\, 0_{m-1} \dots 0_0$ ($m+1$ ones followed by $m$ zeros)
- (figure not recoverable: bit-serial datapath with inputs $a_0 \dots a_{m-1} a_m$ and $b_0 \dots b_{m-1} b_m$, registers $z_0 \dots z_m$ and $y_0 \dots y_m$, outputs $p_0 \dots p_{m-1} p_m$, and 2:1 multiplexers driven by $ctl$)
CSM architecture
- Step 1, $ctl = 1$ for the muxes: $a_m$ and $b_m$ enter the datapath (figure not recoverable)

CSM architecture
- Step 2, $ctl = 1$ for the muxes: $a_{m-1}, a_m$ and $b_{m-1}, b_m$ have entered (figure not recoverable)

CSM architecture
- Step $m+1$, $ctl = 1$ for the muxes; output bit $p_m$ is produced, and the partial products formed in this step are $a_m b_0,\ \dots,\ a_3 b_{m-3},\ a_2 b_{m-2},\ a_1 b_{m-1},\ a_0 b_m$ (figure not recoverable)

CSM architecture
- Step $m+2$, $ctl = 0$ for the muxes; output bits $p_{m-1}, p_m$ are available, and the partial products are $a_m b_m,\ \dots,\ a_3 b_{m-4},\ a_2 b_{m-3},\ a_1 b_{m-2},\ a_0 b_{m-1}$ (figure not recoverable)
CSM architecture
- Squaring modulo $P$:
$$A^2 \bmod P = (a_m\alpha^m + a_{m-1}\alpha^{m-1} + \dots + a_1\alpha + a_0)^2 = a_m\alpha^{2m} + a_{m-1}\alpha^{2(m-1)} + \dots + a_2\alpha^4 + a_1\alpha^2 + a_0$$
$$= a_{m/2}\alpha^m + a_m\alpha^{m-1} + \dots + a_1\alpha^2 + a_{m/2+1}\alpha + a_0$$
- using $\alpha^{m+1} = 1$, $\alpha^{m+2} = \alpha$, $\alpha^{m+3} = \alpha^2$, $\alpha^{m+4} = \alpha^3$, ...; in the extension ring squaring is therefore a fixed permutation of the coefficients (coefficient $a_i$ moves to position $2i \bmod (m+1)$), i.e. wiring only, with no gates
CSM architecture
- Example over $GF(2^4)$:
$$(a_4\alpha^4 + a_3\alpha^3 + a_2\alpha^2 + a_1\alpha + a_0)^2 = a_4\alpha^8 + a_3\alpha^6 + a_2\alpha^4 + a_1\alpha^2 + a_0 = a_2\alpha^4 + a_4\alpha^3 + a_1\alpha^2 + a_3\alpha + a_0$$
- using $\alpha^5 = 1$, $\alpha^6 = \alpha$, $\alpha^7 = \alpha^2$, $\alpha^8 = \alpha^3$
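A software model of the arithmetic the slides build in hardware, added here as an example (it is not the presenters' circuits, and every function name is an assumption). It serves the LSB-first and MSB-first exponentiation slides and the AOP/extension-ring slides together: multiplication is a cyclic convolution modulo $x^{m+1}+1$, squaring is the coefficient permutation $a_i \to 2i \bmod (m+1)$ just shown, and the $m+1$-bit result is folded back to $m$ bits with $a_i = A_i + A_m$. Elements are Python ints with bit $i$ holding the coefficient of $\alpha^i$; $m = 4$ is the slides' worked case, where $x^4+x^3+x^2+x+1$ is irreducible so the result is a field. `ref_mul` is a textbook shift-and-add multiply kept only as a cross-check.

```python
"""GF(2^m) arithmetic with an all-one-polynomial modulus, via the x^(m+1)+1 ring (added example)."""


def ext_mul(a, b, m):
    """AB in the extension ring: cyclic convolution modulo x^(m+1)+1 (alpha^(m+1) = 1)."""
    n = m + 1
    mask = (1 << n) - 1
    r = 0
    for i in range(n):
        if (a >> i) & 1:
            # b * alpha^i is a left rotation of b's n coefficients by i positions
            r ^= ((b << i) | (b >> (n - i))) & mask
    return r


def ext_square(a, m):
    """A^2 in the extension ring: coefficient a_i moves to position 2i mod (m+1)."""
    n = m + 1
    r = 0
    for i in range(n):
        if (a >> i) & 1:
            r ^= 1 << ((2 * i) % n)
    return r


def reduce_to_field(x, m):
    """Fold the (m+1)-bit ring element to m bits: a_i = X_i + X_m, since alpha^m = sum of lower powers."""
    low = (1 << m) - 1
    return (x ^ (low if (x >> m) & 1 else 0)) & low


def gf_mul(a, b, m):
    """AB mod P for a, b in GF(2^m) (the CSM's multiply)."""
    return reduce_to_field(ext_mul(a, b, m), m)


def gf_sqr(a, m):
    """A^2 mod P (the CSM's squarer: a permutation followed by the fold)."""
    return reduce_to_field(ext_square(a, m), m)


def gf_ab2(a, b, m):
    """AB^2 mod P: square by permutation, then one cyclic multiply (the POM's operation)."""
    return reduce_to_field(ext_mul(a, ext_square(b, m), m), m)


def exp_lsb_first(base, e, m):
    """C = M^E, LSB-first: in step i multiply by T = M^(2^i) if e_i = 1, and square T."""
    c, t = 1, base
    for i in range(m):                 # the exponent has at most m bits
        if (e >> i) & 1:
            c = gf_mul(c, t, m)
        t = gf_sqr(t, m)
    return c


def exp_msb_first(base, e, m):
    """C = M^E, MSB-first: each step is C = M^(e_i) * C^2, i.e. one AB^2 multiplication."""
    c = base if (e >> (m - 1)) & 1 else 1
    for i in range(m - 2, -1, -1):
        c = gf_ab2(base if (e >> i) & 1 else 1, c, m)
    return c


def ref_mul(a, b, m):
    """Cross-check only: schoolbook multiply, then reduce modulo the AOP x^m + ... + x + 1."""
    poly = (1 << (m + 1)) - 1
    r = 0
    for i in range(m):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(2 * m - 2, m - 1, -1):
        if (r >> i) & 1:
            r ^= poly << (i - m)
    return r


if __name__ == "__main__":
    m = 4
    alpha = 0b0010
    print("alpha^4 =", bin(exp_lsb_first(alpha, 4, m)))        # 0b1111: alpha^4 = 1+a+a^2+a^3
    print("alpha^5 =", exp_msb_first(alpha, 5, m))              # 1, as alpha^(m+1) = 1
    print("all M^(2^m-1) == 1:", all(exp_lsb_first(x, 15, m) == 1 for x in range(1, 16)))
```

The fold in `reduce_to_field` is exactly the MCSM/MPOM output stage on the later slides; the reason the hardware can precompute the top bit separately is visible here too, since $a_m = b_m = 0$ for field inputs and only the ring product ever sets bit $m$.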
CSM architecture
- Squarer over $GF(2^4)$ (figure not recoverable): input $b_4 b_3 b_2 b_1 b_0$, output $s_4 s_3 s_2 s_1 s_0$, routed through the $x_i / y_i$ muxes

CSM architecture
- Step 4, $ctl = 1$ for the muxes (figure not recoverable): the squarer wiring maps $(b_4, b_3, b_2, b_1, b_0)$ to $(b_2, b_4, b_1, b_3, b_0)$, matching the $GF(2^4)$ example above
CSM architecture
- Proposed CSM architecture (figure not recoverable): the multiplier datapath of the previous slides with inputs $a_0 \dots a_{m-1} a_m$, $b_0 \dots b_{m-1} b_m$ and outputs $p_0 \dots p_{m-1} p_m$, plus the squarer wiring $x_0 \dots x_m \to y_0 \dots y_m$ producing $s_m s_{m-1} \dots s_0$
POM architecture
- Basic architecture for MSB-first exponentiation: a multiplier for $AB^2 \bmod p$, or a power-sum circuit
- Proposed architecture: new power multiplier (POM)
POM architecture
- $AB^2 \bmod P$ multiplication over the extension field (figure not recoverable)

POM architecture
- $AB \bmod P$ multiplication, $P = \alpha^{m+1} + 1$ (figure not recoverable)

POM architecture
- Proposed POM architecture (figure not recoverable): inputs $a_0 \dots a_{m-1} a_m$ and $b_0 \dots b_{m-1} b_m$, registers $z_0 \dots z_m$, squaring wiring $x_0 \dots x_m \to y_0 \dots y_m$, outputs $p_0 \dots p_{m-1} p_m$
POM architecture
- Step $m$, $ctl = 1$ for the muxes (figure not recoverable)
Two architectures
- Input: $A$ and $B$, $m$ bits each
- Output for $AB$ multiplication, squaring, and $AB^2$ multiplication: $m+1$ bits, because it is computed over the extended field
- Need to reduce the output => $m$ bits
MCSM architecture
- Output with $m$ bits: $A$ is $m+1$ bits over the extended field; the $m$-bit result $a$ is $a_i = A_i + A_m$, $0 \le i \le m-1$ (since $\alpha^m = \alpha^{m-1} + \dots + \alpha + 1$, the top coefficient is folded into every lower one)
- Example over $GF(2^4)$: $A = 10011$, $p = 11111$; $A_4 = 1$, so $A \oplus p = 01100$ and $a = 1100$ after dropping the $A_4$ position
MCSM architecture
- Pre-compute the most significant bit of the result: $p_4 = a_4 b_0 + a_3 b_1 + a_2 b_2 + a_1 b_3 + a_0 b_4$; with $b_4 = a_4 = 0$ this is $p_4 = a_3 b_1 + a_2 b_2 + a_1 b_3$
MCSM architecture
- Proposed MCSM architecture for $GF(2^4)$ (figure not recoverable): inputs $a_0 \dots a_3$ and $b_0 \dots b_3$, registers $z_0 \dots z_5$, squaring wiring $x_0 \dots x_4 \to y_0 \dots y_3$, outputs $p_0 \dots p_3$ and $s_0 \dots s_3$; the registers must be initialized before the computation starts
MCSM architecture
- Step 3, $ctl = 1$, $p_4 = a_3 b_1 + a_2 b_2 + a_1 b_3$ (figure not recoverable)

MCSM architecture
- Step 4, $ctl = 1$, $p_4 = a_3 b_1 + a_2 b_2 + a_1 b_3$; $p_3$ and $s_3$ are produced in this step (figure not recoverable)
MPOM architecture
- Pre-compute the most significant bit of the result: $p_4 = a_4 b_0 + a_3 b_3 + a_2 b_1 + a_1 b_4 + a_0 b_2$; with $b_4 = a_4 = 0$ this is $p_4 = a_3 b_3 + a_2 b_1 + a_0 b_2$ (the $b$ indices follow the squaring permutation of $B$)
MPOM architecture
- Proposed MPOM architecture for $GF(2^4)$ (figure not recoverable): inputs $a_0 \dots a_3$ and $b_0 \dots b_3$, registers $z_0 \dots z_5$, squaring wiring $x_i \to y_i$, outputs $p_0 \dots p_3$
Comparison
- CSM and MCSM architectures compared with Fenn's architecture (table not recoverable)

Comparison
- POM and MPOM architectures compared with Liu's architecture (table not recoverable; only the entries $2m+1$ and $2m-1$ survive)
Conclusion
- Proposed 4 multipliers: two that compute squaring and multiplication together (CSM, MCSM) and two that compute $AB^2$ multiplication (POM, MPOM)
- Could be used in exponentiation, inversion, and division architectures
- Easy to implement in VLSI