Cross-Realm Password-Based Server Aided Key Exchange
Source: WISA 2010, LNCS 6513, pp. 322–336, 2011
Author: Kazuki Yoneyama
Presenter: Li-Tzu Chang
Introduction
YB scheme: Secure Cross-Realm C2C-PAKE Protocol, 2006 (27)
WZ scheme: A New Security Model for Cross-Realm C2C-PAKE Protocol, 2007 (1)
New Model
Execute(U_1^{l_1}, U_2^{l_2}, S_1^{l_3}, S_2^{l_4}) : This query models passive attacks. The output of this query consists of the messages that were exchanged during the honest execution of the protocol among U_1^{l_1}, U_2^{l_2}, S_1^{l_3} and S_2^{l_4}.
SendClient(U^l, m) : This query models active attacks against a client. The output of this query consists of the message that the client instance U^l would generate on receipt of message m.
SendServer(S^l, m) : This query models active attacks against servers. The output of this query consists of the message that the server instance S^l would generate on receipt of message m.
SessionReveal(U^l) : This query models the misuse of session keys. The output of this query consists of the session key held by the client instance U^l if the session is completed for U^l. Otherwise, return ⊥.
StaticReveal(P) : This query models leakage of the static secret of P (i.e., the password between the client and the corresponding server, or the private information for the server). The output of this query consists of the static secret of P.
EphemeralReveal(P^l) : This query models leakage of all session-specific information (ephemeral key) used by P^l. The output of this query consists of the ephemeral key of the instance P^l.
EstablishParty(U^l, pw_U) : This query models the adversary registering a static secret pw_U on behalf of a client. In this way the adversary totally controls that client. Clients against whom the adversary did not issue this query are called honest.
Test(U^l) : This query does not model an adversarial ability, but indistinguishability of the session key. At the beginning a hidden bit b is chosen. If no session key for the client instance U^l is defined, then return the undefined symbol ⊥. Otherwise, if b = 1, return the session key for the client instance U^l; if b = 0, return a random key from the same space.
TestPassword(U, pw) : This query does not model an adversarial ability, but non-leakage of the password. If the guessed password pw is the same as the client U's password pw, then return 1. Otherwise, return 0.
Note that the adversary can make only one TestPassword query at any time during the experiment.
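The two challenge queries above are easiest to see as a small challenger that keeps the hidden bit b and the per-instance session keys. The following Python is an added illustration written for this page, not code from the paper; the class and function names (Challenger, adversary_reveals_tested_instance, ...) and the sample passwords and keys are constructed here. It implements exactly the behaviour stated in the model: Test answers ⊥ for an instance with no session key, the real key when b = 1 and a random key from the same space when b = 0; TestPassword answers 1 or 0 and may be asked only once. The last function shows a known fact about such models that the slides do not spell out: an adversary that asks SessionReveal on the very instance it Tests distinguishes trivially, which is why an indistinguishability definition has to rule out Test on an already-revealed instance.

```python
import secrets

BOTTOM = None  # stands in for the undefined symbol ⊥ returned by SessionReveal and Test


class Challenger:
    """Challenger side of the SessionReveal, Test and TestPassword queries.

    Added illustration of the model above; names are not from the paper.
    A hidden bit b is chosen at the beginning, a session key exists only once an
    instance U^l has completed, and TestPassword may be asked once per experiment.
    """

    def __init__(self, passwords, key_bytes=32):
        self.b = secrets.randbits(1)                       # hidden bit b in {0, 1}
        self.passwords = {u: pw.encode() for u, pw in passwords.items()}
        self.session_keys = {}                             # (client U, instance l) -> key
        self.key_bytes = key_bytes                         # size of the session-key space
        self.test_password_used = False

    def complete_session(self, client, l, key):
        """Called by the (simulated) protocol when instance U^l accepts with key."""
        self.session_keys[(client, l)] = key

    def session_reveal(self, client, l):
        """SessionReveal(U^l): the session key if U^l completed, otherwise ⊥."""
        return self.session_keys.get((client, l), BOTTOM)

    def test(self, client, l):
        """Test(U^l): ⊥ if no key is defined; the real key if b = 1;
        a fresh random key from the same space if b = 0."""
        key = self.session_keys.get((client, l))
        if key is None:
            return BOTTOM
        return key if self.b == 1 else secrets.token_bytes(self.key_bytes)

    def test_password(self, client, pw):
        """TestPassword(U, pw): 1 if pw equals U's password, else 0. One query only."""
        if self.test_password_used:
            raise RuntimeError("TestPassword may be asked only once per experiment")
        self.test_password_used = True
        stored = self.passwords.get(client, b"")
        return 1 if secrets.compare_digest(stored, pw.encode()) else 0

    def check_guess(self, b_guess):
        """End of the experiment: 1 if the adversary's output equals the hidden bit b."""
        return int(b_guess == self.b)


def adversary_reveals_tested_instance():
    """Adversary that asks SessionReveal on the instance it then Tests.

    It outputs 1 iff the Test answer equals the revealed key, so it is right
    whenever b = 1 and, up to a 2^-256 collision, whenever b = 0 as well.
    """
    ch = Challenger({"A": "correct horse", "B": "battery staple"})   # constructed passwords
    ch.complete_session("A", 1, secrets.token_bytes(32))            # constructed session key
    revealed = ch.session_reveal("A", 1)
    answer = ch.test("A", 1)
    return ch.check_guess(1 if answer == revealed else 0)


def oracles_on_incomplete_session():
    """Test and SessionReveal both return ⊥ for an instance that never completed."""
    ch = Challenger({"A": "pw"})
    return ch.test("A", 7), ch.session_reveal("A", 7)


def second_test_password_is_rejected():
    """True if the challenger refuses a second TestPassword query."""
    ch = Challenger({"A": "pw"})
    first = ch.test_password("A", "guess")          # 0: wrong guess
    try:
        ch.test_password("A", "pw")
    except RuntimeError:
        return first == 0
    return False
```

Run the functions directly; `adversary_reveals_tested_instance()` returns 1 every time, which is the point: without a freshness restriction on the tested instance the Test query gives the adversary nothing to be wrong about.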
Proposed Scheme
p, q : large primes such that p = 2q + 1
A, B ∈ U : the identities of two clients in two different realms
S_A, S_B ∈ S : the identities of their corresponding servers, respectively.
Gen(1^k) : key generation algorithm
Enc_pk(m; ω) : encryption algorithm of a message m using a public key pk and randomness ω
Dec_sk(c) : decryption algorithm of a cipher-text c using a private key sk.
Public information : G, g, p, H1, H2
Long-term secret of clients : pw_A for A and pw_B for B
Long-term secret of servers : (pw_A, sk_SA) for S_A and (pw_B, sk_SB) for S_B
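The public parameters above are a safe prime p = 2q + 1, the order-q subgroup G of Z_p^* and a generator g of G. The Python below is an added example written for this page, not the paper's code: it generates such parameters, derives a generator of G by squaring, and checks that a received value actually lies in G (1 < x < p and x^q = 1 mod p), which is the membership test an implementation should apply to every group element it receives before using it. Function names (generate_safe_prime, find_generator, is_valid_group_element) are assumptions of this example; the 64-bit sizes used below are for demonstration only.

```python
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with trial division by small primes."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a witnesses that n is composite
    return True


def generate_safe_prime(bits):
    """Return (p, q) with p = 2q + 1 and both p and q prime; p has `bits` bits."""
    while True:
        # odd candidate q with the top bit set so that p = 2q + 1 has exactly `bits` bits
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q):
            p = 2 * q + 1
            if is_probable_prime(p):
                return p, q


def find_generator(p, q):
    """Generator g of the order-q subgroup G of Z_p^* (p = 2q + 1).

    Every square h^2 mod p with h not in {1, p-1} has order q, because the
    squaring map sends Z_p^* onto its unique subgroup of order q.
    """
    while True:
        h = secrets.randbelow(p - 3) + 2          # h in [2, p-2]
        g = pow(h, 2, p)
        if g != 1:
            return g


def is_valid_group_element(x, p, q):
    """Membership test for G: reject 0, 1, p-1 and everything outside the order-q subgroup."""
    return 1 < x < p and pow(x, q, p) == 1


def setup(bits=64):
    """Public information (G given by p and q, generator g) as in the scheme above."""
    p, q = generate_safe_prime(bits)
    g = find_generator(p, q)
    return p, q, g


if __name__ == "__main__":
    p, q, g = setup()
    print("p =", p, "q =", q, "g =", g)
    print("g in G:", is_valid_group_element(g, p, q))
    print("p-1 in G:", is_valid_group_element(p - 1, p, q))   # False: order 2, not in G
```

The element check matters for any password-based protocol built over G: a value of small order (such as p - 1) or a value outside the group must be rejected before it is raised to a secret exponent, and x^q = 1 mod p is the direct test for that in a safe-prime group.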
Conclusion

Scheme | Setting                        | # of rounds for clients | UDonDA   | LEP of servers | KCI      | Channel between servers
YB     | password-only                  | 2                       | insecure | insecure       | insecure | secure channel
WZ     | password-only                  | 2+P                     | secure   | insecure       | insecure | secure channel
[19]   | password and public-key crypto | 7                       | secure   | insecure       | secure   | none
[20]   | password and smart cards       | 4                       | secure   | insecure       | secure   | none
Ours   | password and public-key crypto | 2                       | secure   | secure         | secure   | authenticated channel

where P denotes the number of moves of a secure 2-party PAKE.
UDonDA: undetectable on-line dictionary attacks
LEP: leakage of ephemeral private keys of servers
KCI: key-compromise impersonation