Simple password-based key agreement protocol

Department of Computer Engineering Kyungpook National University

Sung-woon Lee

242

Sequence

Related workSecurity requirementsSystem parametersCryptanalysis for SAKA’s variantsSimple password-based key agreement Protocol (SPKA)Security analysis for SPKAConclusion

342

Related work (1/3)

Diffie-Hellman key agreement protocol (1976) Session key sharing based on discrete logarithms over

a finite field Vulnerable to man-in-the-middle attack due to not provi

ding authenticationSAKA (Simple authenticated key agreement) protocol (1999) Providing authentication to Diffie-Hellman protocol usin

g a simple way Using a pre-shared password for user authentication

442

Related work (2/3)

Tseng’s protocol (2000) Addressed a weakness caused by man-in-

the-middle attack in the key verification steps of SAKA

Improved verification steps of SAKA

Ku and Wang’s protocol (2000) Showed Tseng’s protocol is still vulnerable

to man-in-the-middle attacks Improved verification steps of SAKA

542

Related work (3/3)

Sun (2000) Showed that SAKA is vulnerable to man-in-

the-middle attack, password guessing attack, and perfect forward secrecy

Lin et al.’s protocol (2000) Improved the verification steps of SAKA to

overcome the weaknesses pointed out by Sun

Hsieh et al. (2002) Showed Lin et al.’s protocol still suffers from

password guessing attack

642

Security requirements (1/3)

Secure to man-in-the-middle attack Although an attacker eavesdrops,

modifies, reflects, or replays messages being transmitted, the session key has to be secure.

742

Security requirements (2/3)

Secure to password guessing attack Online

Easily detected by counting authentication fails

Offline Guessing password by intercepting and

using messages being transmitted Due to using the password that a person is

able to memorize

842

Security requirements (3/3)

Provide perfect forward secrecy Although the password was

compromised, an attacker should not compute old session keys

942

System parameters

A, B Honest entities

g A primitive root modulo n (generator)

n A large prime number

P The password pre-shared between users

Q Integer value derived from P, Ex) the smallest such integer that is greater than P

Q-1 Inverse of Q

a, b Random numbers chosen by A and B

KA, KB Session key of A and B

XY Value computed by user Y

1042

Additional cryptanalysis for Tseng’s protocol

A B

Key establishment

XA = (ga)Q

XB = (gb)Q

YA = = gb YB = = ga

KA = (YA)a = gab KB = (YB)b = gab

Key verification

Check YA ?= gb

Check YB ?= ga

1

)(Q

BX1

)(Q

AX

Vulnerable to password guessing attack XA ?= (YB)Q = gaQ or XB ?= (YA)Q = gbQ

XA

XB

YA

YB

1142

Cryptanalysis for Ku and Wang’s protocol

Alice Bob

Key establishment

XA = (ga)Q

XB = (gb)Q

YA = = gb YB = = ga

KA = (YA)a = gab KB = (YB)b = gab

Key verification

VA = (KA)Q = gabQ Check ?= KB

Check YB ?= ga

1

)(Q

BX1

)(Q

AX

Vulnerable to password guessing attack: ?= YB

Not provide perfect forward secrecy: = gab

XA

XB

VA

YB

1

)(Q

AV

1

)(Q

AX1

)(Q

AV

1242

Weaknesses of SAKA related protocols

Vulnerable to man-in-the-middle attackVulnerable to password guessing attackNot provide perfect forward secrecy

1342

Simple password-based key agreement protocol (SPKA)

Alice Bob

Key establishment

XA = (ga)Q

XB =

YA = = gb YB = = ga

KA = (YA)a = gab KB = (YB)b = gab

Key verification

VA = = Check VA ?=

Check VB ?= VB = =

1

)(Q

AX

XA

XB

VA

VB

AKAY )( AbKg

BKBY )( BaKg

BKbg )(AKag )(

1

)(Qbg

QBX )(

1442

Security analysis for SPKA (1/4)

Secure to man-in-the-middle attack If an attacker eavesdrops XA, XB, VA, and

VB, he cannot gain information for session key, gab because of DLP

If an attacker modifies, reflects, or replays XA, XB, VA, and VB, this attack is detected because verification steps confirm both the correctness of XA, XB and the equality of KA, KB

1542

Security analysis for SPKA (2/4)

Secure to password guessing attack Since a attacker intercepts the

messages, XA, XB, VA, and VB, any way to confirm the correctness of the guessed password P′ does not exist among them.

1642

Security analysis for SPKA (3/4)

Provide perfect forward secrecy Although password P is compromised,

an attacker does not have any way that produce old session key gab using Q or Q-1 computed from P

1742

Security analysis for SPKA (4/4)

Protocol

AnalysisSAKA Tseng

Ku and

WangLin et

al. SPKA

Man-in-the-

middle Attack

NS NS S S S

Password

guessing attack

NS NS NS NS S

Perfect forward secrecy

NP P NP P PS: Secure, NS: Not Secure, P: Provide, NP: Not Provide

1842

Conclusion

Reported the additional weaknesses in the variants of SAKAProposed simple password-based key agreement protocol (SPKA) Secure to man-in-the-middle attack Secure to password guessing attack Provide perfect forward secrecy

Easily implemented in software and hardware because of its simple structure

Hyun-Sung Kim

Information Security Lab.

Bit-Serial AOP Arithmetic Operators for Modular Exponentiation over

GF(2m)

2042

Goal

Implement Exponentiation LSB first algorithm

Two multipliers Squarer and multiplier=> Combined squarer and multiplier

MSB first algorithm Power sum (AB2 + C) AB2 multiplier=> New AB2 multiplier

2142

Index

Crypto SystemModular ExponentiationGalois Field Bit-Serial Arithmetic OperatorsComparisonConclusion

2242

Crypto system

Elgamal cryptosystem Encryption : C = Mpublic mod p Decryption : M = Cprivate mod p

public*private mod p 1 M, C GF(2m), integer p : irreducible primitive polynomial

Basic operation=>Modular exponentiation

2342

Modular exponentiation

Basic operation C = ME mod p E = em-12m-1+ em-22m-2+…+ e12+ e0

= [ em-1 em-2 em-3 … e1 e0 ]

Binary method by Knuth LSB-first algorithm MSB-first algorithm

2442

LSB-first algorithm

Input M,E,p(x)

Output C=ME mod p(x)=Me0(M2)e1(M4)e2 …(M2 )em-1

Step1 C=1, T=M Step2 for i=0 to m-1

T=TT mod p(x)if ei == 1 C=CT mod p(x)

m-1

2542

LSB-first algorithm

LSB-first algorithm Basic operation

Squaring Multiplication

Traditional implementation Based on two multipliers Based on a multiplier and a squarer

Proposed implementation Based on a combined squarer and

multiplier

2642

MSB-first algorithm

Input M,E,p(x)

Output C=ME mod p(x)=(Me1…(Mem-2(Mem-1)2)2…)2Me0

Step1 if em-1 == 1 C=M else C=1 Step2 for i=m-2 to 0

if ei == 1 C=MC2 mod p(x)else C=1C2 mod p(x)

2742

MSB-first algorithm

MSB-first algorithm Basic operation

AB2 multiplication Traditional implementation

Based on Power-sum circuit (AB2+C) Based on AB2 multiplier

Proposed implementation Based on a new AB2 multiplier

2842

Galois Field GF(2m)

Finite Field GF(2m) Contains 2m elements Canonical basis

{1, , 2, 3,…, m-1} Element representation GF(2m)

a=am-1m-1+am-2m-2+…+a11+a0

Why implement based on GF(2m) Carry free

2942

Galois Field GF(2m)

AB mod P, B2 mod P, AB2 mod P A, B GF(2m) P : Irreducible polynomial

All one polynomial (AOP) P(x) = xm+xm-1+xm-2+…+x1+1

Property of AOP Let be a root of p(x) p() = 0, m=m-1+m-2+…+1+1 Multiply in both multiplication m+1+1=0 <= use as an modular in extension field

3042

Galois Field GF(2m)

Extension field Modular m+1+1 Element representation GF(2m+1)

A= amxm+ am-1xm-1+am-2xm-2+…+a1x1+a0

am=0

Why use the extension field Easy modular reduction

3142

CSM architecture

Basic architecture for LSB first Exp. A2 mod p : Squarer AB mod p : Multiplier

Proposed Architecture Combined Squarer and

Multiplier(CSM)

3242

CSM architecture

AB mod P multiplication over EF

3342

CSM architecture

AB mod P multiplication, P = m+1+1

5 +16 +

7 +2 8 +3

3442

CSM architecture

Ctl = 1m1m-1…100m-1…00

z0 zm-1 zmzm-2z110

b0…bm-1bm

p0…pm-1pm

ym y1 y0y2y3

a0…am-1am

10

10

10

10

10

3542

CSM architecture

Step 1, ctl=1 for mux

z0 zm-1 zmzm-2z110

b0…bm-1

ym y1 y0y2y3

a0…am-1

10

10

10

10

10

am

bm

3642

CSM architecture

Step 2, ctl=1 for mux

z0 zm-1 zmzm-2z110

b0…bm-3bm-2

ym y1 y0y2y3

a0…am-3am-2

10

10

10

10

10

am-1

bm-1

am

bm

3742

CSM architecture

Step m+1, ctl=1 for mux

z0 zm-1 zmzm-2z110

pm

ym y1 y0y2y310

10

10

10

10

a3

b0

am

b1

a1a2 a0

bm-2 bm-1 bm

am×b0 a3×bm-3 a2×bm-2 a1×bm-1 a0×bm

3842

CSM architecture

3942

CSM architecture

Step m+2, ctl=0 for mux

z0 zm-1 zmzm-2z110

pm-1pm

ym y1 y0y2y310

10

10

10

10

a3

bm

am

b0

a1a2 a0

bm-3 bm-2 bm-1

am×bm a3×bm-4 a2×bm-3 a1×bm-2 a0×bm-1

4042

CSM architecture

A2 mod P=(amm+am-1m-1+…+a1+a0)

2

=am2m+am-12(m-1)+…+a24+a12+a0

=am/2m+amm-1+…+a12+am/2+1+a0

m+1 = 1, m+2 = , m+3 = 2, m+4 = 3

4142

CSM architecture

Example over GF(24)=(a44+a33+a22+a1+a0)

2

=a48+a36+a24+a12+a0

= a24+a43+a12+a31+a0

5 = 1, 6 = , 7 = 2, 8 = 3

4242

CSM architecture

Squarer over GF(24)

10

x1 x0

y1 y010

x2

y210

x3

y3

b0b1b2b3b4

10

x4

y4

s0s1s2s3s4

4342

CSM architecture

Step 4, ctl = 1 for mux

10

x1 x0

y1 y010

x2

y210

x3

y3

b0

10

x4

y4

b4 b2b3 b1 b0

b4 b3b2 b1b0

4442

CSM architecture

Proposed CSM Architecture

z0 zm-1 zmzm-2z110

b0…bm-1bm

p0…pm-1pm

ym

01

y1 y0

xm x1 x001

01

y2

x201

y3

x3

a0…am-1am

10

10

10

10

10

smsm-1…s0

4542

POM architecture

Basic architecture for MSB first Exp. Multiplier for AB2 mod p Power-Sum circuit

Proposed Architecture New Power Multiplier (POM)

4642

POM architecture

AB2 mod P multiplication over EF

4742

POM architecture

AB mod P multiplication, P = m+1+1

4842

POM architecture

Proposed POM Architecture

xm

10

x1 x0

ym y1 y010

10

x2

y210

x3

y310

z0 zm-1 zmzm-2z110

b0…bm-1bm

a0…am-1am

p0…pm-1pm

4942

POM architecture

Step m, ctl=1 for mux

xm

10

x1 x0

ym y1 y010

10

x2

y210

x3

y310

z0 zm-1 zmzm-2z110

a0

b0

a3

b1

a4

b2

a1a2 a0

bm-` bm

am

5042

Two architectures

Input A and B m bits

Output for AB multiplication, squaring, and AB2 multiplication m+1 bits Computed over extended field

Need to reduce the output => m bits

5142

MCSM architecture

Output with m bits A : m+1 bits over extended field a : m bits ai = Ai + Am, 0 i m-1

Example over GF(24) A : 10011 p: 11111 a = 1 0 0 1 1 1 1 1 1 1 0 1 1 0 0Am

5242

MCSM architecture

Pre-compute the most significant bit of result p4=a4b0+a3b1+a2b2+a1b3+a0b4, b4=a4=0

=a3b1+a2b2+a1b3

5342

MCSM architecture

Proposed MCSM Architecture

z3 z4z2

a0a1a2a3

z0 z110

b0b1b2b3

01

y1 y0

x1 x001

y2

x201

y3

x3

10

10

10

10

x410

s3s2s1s0

z510

p0p1p2p3

must be initialized before computation operation start

5442

MCSM architecture

Step 3, ctl = 1, p4 = a3b1+a2b2+a1b3

z3 z4z2

a0

z0 z110

b0

01

y1 y0

x1 x001

y2

x201

y3

x3

10

10

10

10

x410

z510

a3 a2 a1

b1 b2 b3

a3

a2a1

b1

b2

b3

5542

MCSM architecture

Step 4, ctl = 1, p4 = a3b1+a2b2+a1b3

z3 z4z2z0 z110

01

y1 y0

x1 x001

y2

x201

y3

x3

10

10

10

10

x410

s3

z510

p3

a3 a2 a1

b1 b2 b3

p4

a0

0

s4

5642

MPOM architecture

Pre-compute the most significant bit of result p4=a4b0+a3b3+a2b1+a1b4+a0b2, b4=a4=0

=a3b3+a2b1+a0b2

5742

MPOM architecture

Proposed MPOM Architecture

10

x1 x0

y0 y410

x2

y110

x3

y210

z0 z3 z4z2z110

b0b1b2b3

a0a1a2a3

p0p1p2p3

z510

5842

Comparison

CSM and MCSM architecture with Fenn’s architecture

5942

Comparison

POM and MPOM architecture with Liu’s architecture

2m+1 2m-1

6042

Conclusion

Proposed 4 multipliers Computes squaring and multiplication Computes AB2 multiplication

Could be used for exponentiation, inversion, and division architecturesEasy to implement VLSI