Cross-Realm Password-Based Server Aided Key Exchange

Source: WISA 2010, LNCS 6513, pp. 322–336, 2011(0)
Author: Kazuki Yoneyama
Presenter: Li-Tzu Chang


Post on 22-Mar-2016


Outline

Introduction
New Model: Cross-Realm PSAKE Security
Proposed Scheme
Conclusion

Introduction

YB scheme: Secure Cross-Realm C2C-PAKE Protocol, 2006,(27)

WZ scheme: A New Security Model for Cross-Realm C2C-PAKE Protocol, 2007,(1)


New Model

Execute($U_1^{l_1}, U_2^{l_2}, S_1^{l_3}, S_2^{l_4}$):

This query models passive attacks. The output of this query consists of the messages that were exchanged during the honest execution of the protocol among $U_1^{l_1}$, $U_2^{l_2}$, $S_1^{l_3}$ and $S_2^{l_4}$.

New Model

SendClient($U^l$, m):

This query models active attacks against a client. The output of this query consists of the message that the client instance $U^l$ would generate on receipt of message m.

New Model

SendServer($S^l$, m):

This query models active attacks against servers. The output of this query consists of the message that the server instance $S^l$ would generate on receipt of message m.

New Model

SessionReveal($U^l$):

This query models the misuse of session keys. The output of this query consists of the session key held by the client instance $U^l$ if the session is completed for $U^l$. Otherwise, return ⊥.

New Model

StaticReveal(P):

This query models leakage of the static secret of P (i.e., the password between the client and the corresponding server, or the private information for the server). The output of this query consists of the static secret of P.

New Model

EphemeralReveal($P^l$):

This query models leakage of all session-specific information (ephemeral key) used by $P^l$. The output of this query consists of the ephemeral key of the instance $P^l$.

New Model

EstablishParty($U^l$, $pw_U$):

This query models the adversary registering a static secret $pw_U$ on behalf of a client. In this way the adversary totally controls that client. Clients against whom the adversary did not issue this query are called honest.

New Model

Test($U^l$):

This query does not model an adversarial ability, but the indistinguishability of the session key.

At the beginning a hidden bit b is chosen. If no session key for the client instance $U^l$ is defined, then return the undefined symbol ⊥. Otherwise, if b = 1, return the session key for the client instance $U^l$; if b = 0, return a random key from the same space.

New Model

TestPassword(U, pw):

This query does not model an adversarial ability, but the non-leakage of the password.

If the guessed password pw is the same as the client U's password pw, then return 1. Otherwise, return 0.

Note that the adversary can issue only one TestPassword query at any time during the experiment.


Proposed Scheme

p, q: large primes such that p = 2q + 1

$A, B \in U$: the identities of two clients in two different realms

$S_A, S_B \in S$: the identities of their corresponding servers, respectively.

Proposed Scheme

Gen($1^k$): key generation algorithm

$\mathrm{Enc}_{pk}(m; \omega)$: encryption algorithm of a message m using a public key pk and randomness ω

$\mathrm{Dec}_{sk}(c)$: decryption algorithm of a ciphertext c using a private key sk.

Proposed Scheme

Public information: $G, g, p, H_1, H_2$

Long-term secret of clients: $pw_A$ for A and $pw_B$ for B

Long-term secret of servers: $(pw_A, sk_{S_A})$ for $S_A$ and $(pw_B, sk_{S_B})$ for $S_B$


Conclusion

| Scheme | Setting | # of rounds for clients | UDonDA | LEP of servers | KCI | Channel between servers |
|---|---|---|---|---|---|---|
| YB | password-only | 2 | insecure | insecure | insecure | secure channel |
| WZ | password-only | 2+P | secure | insecure | insecure | secure channel |
| [19] | password and public-key crypto | 7 | secure | insecure | secure | none |
| [20] | password and smart cards | 4 | secure | insecure | secure | none |
| Ours | password and public-key crypto | 2 | secure | secure | secure | authenticated channel |

Here P denotes the number of moves of a secure 2-party PAKE.

UDonDA: undetectable on-line dictionary attacks
LEP: leakage of ephemeral private keys of servers
KCI: key-compromise impersonation