
Cryptanalysis of Two Identity-Based Authenticated Key Agreement Protocols
Author: Kyung-Ah Shim
Published in: IEEE Communications Letters (Volume 16, Issue 4)
Date of Publication: April 2012
Speaker: Chia-Ying Yen
OUTLINE
1. INTRODUCTION
2. REVIEW OF HOLBL-WELZER'S AUTHENTICATED KEY AGREEMENT PROTOCOLS
3. CRYPTANALYSIS OF HOLBL-WELZER'S PROTOCOLS
4. CONCLUSION
1. INTRODUCTION
• A key agreement protocol allows two (or more) parties to establish a key for encrypting their communication over an insecure network
• The key can then be used for cryptographic purposes, for example protecting the integrity of data
• Diffie-Hellman key agreement was the first practical solution to the key distribution problem
• The identity-based (ID-based) framework introduced by Shamir
– allows a user's public key to be derived from publicly known identity information, such as the user's e-mail address or phone number
– the system includes a private key generator (PKG, also called the KGC), which holds a master public/private key pair
– the PKG is responsible for generating each user's private key
• A number of ID-based authenticated key agreement protocols have since been proposed to meet various security and performance requirements
• Holbl and Welzer proposed ID-based authenticated key agreement protocols that satisfy all the required properties:
– implicit key authentication
– known-key security
– forward secrecy
– key-compromise impersonation resilience
– unknown key-share resilience
– key control
• In this paper we show that these protocols are broken
2. REVIEW OF HOLBL-WELZER'S AUTHENTICATED KEY AGREEMENT PROTOCOLS
• The first protocol is based on the protocol of Hsieh et al., which satisfies key-compromise impersonation resilience
• The second protocol is an improvement of Tseng's protocol
• Each protocol consists of three phases: system setup, private key extraction, and key agreement
(1) Holbl-Welzer's protocol 1
• System Setup:
– KGC chooses a large prime integer p
– a primitive root g ∈ Zp*
– a one-way function h
– a random integer xs ∈ Zp*
– computes ys = g^xs (mod p)
• Afterwards {g, h, p, ys} are made public
• xs is kept secret
• Private Key Extraction:
• For each user, the KGC computes Ii = h(IDi)
– IDi is the identity of user i
• Next, a random number ki ∈ Zp* is chosen
• The user's public key is computed as ui = g^ki (mod p)
• The private key as vi = Ii·ki + xs·ui mod (p−1)
• For simplicity, we omit the operation "mod p" from here on
• Key Agreement:
• The key agreement is conducted as follows:
– A selects a random number rA ∈ Zp*, computes tA = g^rA and sends {uA, tA, IDA} to B
– B selects a random number rB ∈ Zp*, computes tB = g^rB and sends {uB, tB, IDB} to A
• A computes IB = h(IDB)
• Similarly, B computes IA = h(IDA)
• The shared secret key after a successful run is
(2) Holbl-Welzer's protocol 2
• System Setup:
– KGC chooses a large prime integer p
– a primitive root g ∈ Zp*
– a one-way function h
– a random integer xs ∈ Zp*
– computes ys = g^xs (mod p)
• Afterwards {g, h, p, ys} are made public
• xs is kept secret
• Private Key Extraction:
• For each user, the KGC computes Ii = h(IDi)
– IDi is the identity of user i
• Next, a random number ki ∈ Zp* is chosen
• The user's public key is computed as ui = g^ki (mod p)
• The private key as vi = ki + xs·h(IDi, ui) mod (p−1)
• Key Agreement:
• The key agreement is conducted as follows:
– A selects a random number rA ∈ Zp*, computes tA = g^rA and sends {uA, tA, IDA} to B
– B selects a random number rB ∈ Zp*, computes tB = g^rB and sends {uB, tB, IDB} to A
• A computes IB = h(IDB), wA = rA + vA
• Similarly, B computes IA = h(IDA), wB = rB + vB
• The shared secret key after a successful run is
3. CRYPTANALYSIS OF HOLBL-WELZER'S PROTOCOLS
• Now, we show that Holbl-Welzer's two protocols are vulnerable to man-in-the-middle attacks and impersonation attacks
– Man-in-the-middle Attack on Protocol 1
– Impersonation Attack I on Protocol 1
– Impersonation Attack II on Protocol 2
• Man-in-the-middle Attack on Protocol 1
• An adversary E eavesdrops on a communication between A and B
• When A sends {uA, tA, IDA} to B, E intercepts it and sends {uA, t'A, IDA} to B
– α is a random number chosen by E
– t'A = g^(α−vA)
• When B sends {uB, tB, IDB} to A, E intercepts it and sends {uB, t'B, IDB} to A
– t'B = g^(β−vB), where β is likewise a random number chosen by E
• After receiving {uB, t'B, IDB}, A computes KAB as
• After receiving {uA, t'A, IDA}, B computes KBA as
• Finally, E can compute the two keys KAB and KBA as
• In fact, A and B cannot know that they hold different shared secret keys, because the protocol has no additional key confirmation procedure
• Therefore, E can decrypt all ciphertexts encrypted under KAB (or KBA) between A and B
• Impersonation Attack I on Protocol 1
• Suppose that an adversary E wants to impersonate A to B
• E chooses a random value t ∈ Zp*
– Let t be equal to rA + vA
• Note that neither rA nor vA is known to E
• E can obtain g^rA by computing g^t · (g^vA)^−1
– where anyone can obtain g^vA from known values as uA^IA · ys^uA = g^vA
• Next, E sends {uA, tA = g^rA, IDA} to B impersonating A
• After receiving the message, B computes the shared secret KBA as
• After receiving {uB, tB, IDB}, E can compute the shared secret KAB as
• since t = rA + vA, without the knowledge of A's long-term secret key vA
• Finally, E succeeds in impersonating A to B and also learns the session key K = KAB = KBA
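As an added illustration (not code from the paper or from these slides), the following toy Python model of protocol 1 checks the two facts Attack I rests on: g^vA can be rebuilt from public values alone as uA^IA · ys^uA, and a tA of the form g^t · (g^vA)^−1 lets E arrive at B's key without ever holding vA. The session-key formula K = (t_peer · g^v_peer)^(r + v) is an assumption, since the slide's formula image is missing from the transcript, as are the toy parameters p = 23, g = 5 and SHA-256 standing in for the one-way function h.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only: p = 23 and g = 5 (a primitive root mod 23).
P, G = 23, 5

def h(*parts):
    """One-way function h; instantiated here (an assumption) as SHA-256 reduced into Z_{p-1}^*."""
    digest = hashlib.sha256("|".join(str(x) for x in parts).encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) or 1

def rand_exp():  # random exponent in Z_p^*
    return secrets.randbelow(P - 2) + 1

def setup():  # KGC master key: xs stays secret, ys = g^xs mod p is published
    xs = rand_exp()
    return xs, pow(G, xs, P)

def extract(xs, ident):  # Protocol 1 extraction: ui = g^ki, vi = Ii*ki + xs*ui mod (p-1)
    ki = rand_exp()
    ui = pow(G, ki, P)
    return ui, (h(ident) * ki + xs * ui) % (P - 1)

def public_g_v(ys, ident, ui):
    """Anyone can rebuild g^vi from public values alone: ui^Ii * ys^ui = g^vi."""
    return pow(ui, h(ident), P) * pow(ys, ui, P) % P

def session_key(ys, peer_ident, peer_u, peer_t, own_r, own_v):
    """Assumed key derivation: K = (t_peer * g^v_peer)^(r + v) mod p."""
    return pow(peer_t * public_g_v(ys, peer_ident, peer_u) % P, own_r + own_v, P)

def honest_run(xs, ys):  # both parties honest: True when A and B derive the same key
    uA, vA = extract(xs, "alice@example.com")
    uB, vB = extract(xs, "bob@example.com")
    rA, rB = rand_exp(), rand_exp()
    kAB = session_key(ys, "bob@example.com", uB, pow(G, rB, P), rA, vA)
    kBA = session_key(ys, "alice@example.com", uA, pow(G, rA, P), rB, vB)
    return kAB == kBA

def impersonation_attack_1(xs, ys):
    """Attack I: E uses only A's public values (uA, IDA), never vA, yet ends with B's key."""
    uA, _vA = extract(xs, "alice@example.com")  # vA is never read below
    uB, vB = extract(xs, "bob@example.com")
    t = rand_exp()                               # E's choice, standing in for rA + vA
    tA = pow(G, t, P) * pow(public_g_v(ys, "alice@example.com", uA), -1, P) % P  # vA cancels
    rB = rand_exp()
    tB = pow(G, rB, P)                           # B's honest ephemeral value
    kBA = session_key(ys, "alice@example.com", uA, tA, rB, vB)           # B's view
    kAB = pow(tB * public_g_v(ys, "bob@example.com", uB) % P, t, P)     # E's view
    return kBA == kAB
```

The identity check in `public_g_v` is the property that a fix must remove: as long as g^vA is computable from public data, the private key contributes nothing to the freshness of tA.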
• Impersonation Attack II on Protocol 2
• Suppose that an adversary E wants to impersonate A to B
• E chooses a random value τ ∈ Zp*
• and computes
• Next, E sends {uA, tA = g^(τ−vA), IDA} to B impersonating A
• After receiving the message, B computes the shared secret
• After receiving {uB, tB, IDB}, E can compute the shared secret
• without the knowledge of A's long-term secret key vA
• Finally, E succeeds in impersonating A to B and also learns the session key K = KAB = KBA
• The above two attacks are based on the same idea
• The adversary is able to generate tA in a way that removes A's public key, so that the corresponding private key becomes meaningless
• The same attacks can be applied to the other protocol
• These results show that the protocols are completely broken
4. CONCLUSION
• Some of them satisfy all the desirable security properties: implicit key authentication, known-key security, etc.
• However, having a formal security model and a 'provably secure' protocol in that model is no panacea, since the security proof only holds within that security model
• This is because of the adoption of an insufficient security model that does not entirely capture all the attacks that might be considered realistic.
• Therefore, a formal security model should contain several types of granular security, to modulate adversaries' power and to guarantee security against potential attacks, including various algebraic attacks.