IPAKE: Isomorphisms for Password-based Authenticated Key Exchange
Dario Catalano, David Pointcheval (CNRS-ENS, France), Thomas Pornin (Cryptolog, France)
Crypto '04, Santa Barbara, California, USA, August 2004

Summary
- Password-based Authenticated Key Exchange
- EKE, OKE and a generalization
- Trapdoor Hard-to-Invert Isomorphisms
- Examples

Authenticated Key Exchange
Two parties (Alice and Bob) agree on a common secret key SK in order to establish a secret channel.
Basic security requirement, implicit authentication: only the intended partners can compute the session key.
Authentication
To prevent active attacks, some kind of authentication of the flows is required:
- Asymmetric: (sk_A, pk_A) and possibly (sk_B, pk_B)
- Symmetric: a common (high-entropy) secret
- Password: a common (low-entropy) secret, e.g. a 20-bit password

Password-based Authentication
A password is a low-entropy secret (e.g. 20 bits), so exhaustive search is possible.
Basic attack, on-line exhaustive search: the adversary guesses a password and tries to play the protocol with this guess; on failure it erases that password from the list and restarts... With a 20-bit password, the adversary wins after about 1,000,000 attempts. This attack cannot be avoided; we want it to be the best attack.

Dictionary Attack
Off-line exhaustive search: from a few passive or active attacks, each failure or transcript lets the adversary erase MANY passwords from the list. This is called a dictionary attack.
To prevent them:
- passive eavesdropping must give no useful information about the password;
- an active trial must cancel at most one password.
Encrypted Key Exchange (Bellovin-Merritt)
Alice holds a key pair (sk, pk); Alice and Bob share the password π. ES_π/DS_π is a symmetric cipher keyed by π, EA_pk/DA_sk an asymmetric encryption scheme with plaintext space M_pk.
- Alice → Bob: Alice, pk' = ES_π(pk)
- Bob: pk = DS_π(pk'); picks r ∈ M_pk; c = EA_pk(r)
- Bob → Alice: Bob, c' = ES_π(c)
- Alice: c = DS_π(c'); r = DA_sk(c)
- SK = H(Alice, Bob, pk, c', r)
Problems:
- the encoding of pk is not often uniformly distributed in the plaintext space of ES;
- pk and c are rarely in the same space.
Nice exception: ElGamal (DH-EKE) on <g>. Many security analyses in the ROM, ICM, ...

Open Key Exchange (Lucks)
The public key pk is sent in clear:
- Alice → Bob: Alice, pk
- Bob: picks r ∈ M_pk; c = EA_pk(r)
- Bob → Alice: Bob, c' = ES_π(c)
- Alice: c = DS_π(c'); r = DA_sk(c); k = H'(Alice, Bob, r)
- Alice → Bob: k; Bob checks that k is correct
- SK = H(Alice, Bob, pk, c', r)
Requirements to avoid partition attacks: ES_π must be a cipher whose plaintext space is the ciphertext space of EA_pk, and EA_pk must be a surjection onto that space.

Surjection: Necessary
If EA_pk is not surjective, then given c' one eliminates every π that leads to a c which is not in the image set of EA_pk: partition attack (each transcript discards part of the dictionary off-line).
If it is surjective, then given c' any π remains possible: sending the correct k means guessing the good π, so one on-line trial tests exactly one password.

Efficient Implementation
Use a one-time pad and bijections: EA_pk = f_pk and DA_sk = g_sk = f_pk⁻¹.
- Alice → Bob: Alice, pk
- Bob: picks r ∈ M_pk; c = f_pk(r)
- Bob → Alice: Bob, c' = c ⊗ G(π)
- Alice: c = c' ⊗ G(π)⁻¹; r = g_sk(c); k = H'(Alice, Bob, r)
- Alice → Bob: k; Bob checks that k is correct
- SK = H(Alice, Bob, pk, c', π, r)
Requirements:
- f_pk must be a bijection onto a group (G_pk, ⊗);
- f_pk must be "hard-to-invert";
- G must be a random function (random oracle) onto G_pk.
Efficiently Samplable
f_pk must be trapdoor "hard-to-invert", but not necessarily "one-way": it only needs to be samplable, i.e. (r, c) ← S(pk) with r random in M_pk and c = f_pk(r). The difference matters: one-wayness requires computing f_pk(r) from an arbitrary r, whereas Bob only needs to produce one random pair (r, c).
- Alice → Bob: Alice, pk
- Bob: (r, c) ← S(pk)
- Bob → Alice: Bob, c' = c ⊗ G(π)
- Alice: c = c' ⊗ G(π)⁻¹; r = g_sk(c); k = H'(Alice, Bob, r)
- Alice → Bob: k; Bob checks that k is correct
- SK = H(Alice, Bob, pk, c', π, r)

Hard-to-Invert: not Enough?
When pk is chosen by Alice, sk is unknown to the adversary. The adversary can know at most one pre-image r: the one corresponding to its guessed password π. For the other π's, the "hard-to-invert" property prevents it from extracting or checking the corresponding r values. This is the intuition... For the formal proof we need:
- hard-to-invert;
- bijection, and pk must be easy to generate;
- morphism;
- f_pk must be a bijection, and this has to be checkable from pk.

Trapdoor Hard-to-Invert Isomorphisms Family
F = (f_pk)_pk is a family of trapdoor hard-to-invert isomorphisms:
- (pk, sk) ← Gen(1^k): key generation;
- f_pk is an isomorphism from M_pk onto G_pk;
- (r, c) ← S(pk): sampling, such that r is random in M_pk and c = f_pk(r) (hence c is random in G_pk);
- given y and pk, one can check whether y ∈ f_pk(M_pk) = G_pk;
- given y and sk, it is easy to invert f_pk on y;
- without sk, it is hard to invert f_pk.

Morphism: for the Proof
To check a password, the adversary uses k or SK, so it must compute r, which then appears in its H/H' queries. In both cases the simulator can invert f_pk on a challenge y, which is where the morphism property is used:
- Passive case (c' sent by Bob; the adversary may know fewer than one correct pair): the simulator sets c' = f_pk(a) for a known a and embeds the challenge y in G(π). From any correct pair (π, r) with c' = f_pk(r) ⊗ G(π) it gets y = c' ⊗ f_pk(r)⁻¹ = f_pk(a) ⊗ f_pk(r)⁻¹ = f_pk(a − r), i.e. a pre-image a − r of y.
- Active case (c' sent by the adversary; it may know fewer than two correct pairs): from two correct pairs (π₁, r₁) and (π₂, r₂) for the same c', f_pk(r₁) ⊗ G(π₁) = f_pk(r₂) ⊗ G(π₂), so G(π₁) ⊗ G(π₂)⁻¹ = f_pk(r₂ − r₁); embedding y in the G(π) values again yields a pre-image.
Candidates
Diffie-Hellman: sk = x, pk = g^x; f_pk(g^a) = g^{ax} = pk^a; g_sk(b) = b^{1/x}.
f_pk is not one-way (it is not even efficiently computable from g^a alone: that is a CDH instance), but it is samplable (pick a, output (g^a, pk^a)) and hard-to-invert under the CDH assumption ⇒ the classical DH-AKE variants (PAK or AuthA).

RSA: sk = d, pk = (n, e).
f_pk is one-way under the RSA assumption, but pk must contain a valid RSA key (so that f_pk really is a permutation), which requires a NIZK proof ⇒ a variant of "protected OKE".

Square root: sk = (p, q), pk = n.
f_pk is an automorphism of QR_n, but for specific moduli only (Blum moduli) ⇒ this has to be checked, and can be verified efficiently.
f_pk is one-way under the integer factoring problem ⇒ the first password-based authenticated key exchange based on factoring.
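The following is an added example, not code from the original slides or from the authors: the generalized OKE above (Efficient Implementation / Efficiently Samplable) instantiated with the Diffie-Hellman candidate, f_pk(g^a) = pk^a with trapdoor inverse b^{1/x}, over a toy 63-bit safe-prime group constructed here (a deployment would use a standard 2048-bit group). The hash-to-group map G, the hash functions, the sample dictionary and every function name are assumptions of this example. It also runs the off-line attack from the "Surjection: Necessary" slide against a broken variant that masks c with a one-time pad on the bit encoding instead of the group operation: with the group operation every candidate password stays consistent with every transcript, whereas the broken variant lets a passive eavesdropper partition the dictionary down to the right password.

```python
import hashlib
import secrets

WITNESSES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Deterministic Miller-Rabin; this witness set is exact for n < 3.3e24."""
    if n < 2 or any(n % w == 0 for w in WITNESSES):
        return n in WITNESSES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in WITNESSES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(start):
    """Smallest safe prime p = 2q + 1 with q >= start: a toy group constructed for
    this example. g = 4 is a square, so it generates the order-q subgroup G_pk = <g>."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, GEN = safe_prime_group(1 << 62)

def in_group(y):
    # membership check for G_pk: y in Z_p^* with y^q = 1 (mod p)
    return 0 < y < P and pow(y, Q, P) == 1

def hash_to_int(*parts):
    """Random-oracle stand-in (assumed): length-prefixed SHA-256 of strings/ints."""
    h = hashlib.sha256()
    for part in parts:
        b = part.encode() if isinstance(part, str) else part.to_bytes(8, "big")
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big")

def G_oracle(pw):
    """G: random oracle onto G_pk, modelled here as g^(H(pw) mod q)."""
    return pow(GEN, hash_to_int("G", pw) % Q, P)

def keygen():
    """Gen: sk = x, pk = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(GEN, x, P), x

def sample(pk):
    """S(pk): r = g^a random in M_pk, c = f_pk(r) = pk^a (computing c from r alone is CDH)."""
    a = secrets.randbelow(Q - 1) + 1
    return pow(GEN, a, P), pow(pk, a, P)

def invert(sk, c):
    """g_sk(c) = c^(1/x) mod p: inverting f_pk with the trapdoor x."""
    return pow(c, pow(sk, -1, Q), P)

def mask_group(c, pw):
    """c' = c (x) G(pw): the one-time pad with the group operation of G_pk."""
    return c * G_oracle(pw) % P

def unmask_group(c_prime, pw):
    """c = c' (x) G(pw)^-1, an element of G_pk for every candidate pw."""
    return c_prime * pow(G_oracle(pw), -1, P) % P

def mask_xor(c, pw):
    """Broken variant: pad on the bit encoding, not in the group (XOR also unmasks)."""
    return c ^ G_oracle(pw)

def session_key(pk, c_prime, pw, r):
    return hash_to_int("H", "Alice", "Bob", pk, c_prime, pw, r)

def run_ipake(pw_alice, pw_bob):
    """Alice->Bob: Alice, pk; Bob->Alice: Bob, c'; Alice->Bob: k = H'(Alice, Bob, r).
    Returns (SK_Alice, SK_Bob) if Bob accepts k, else None."""
    pk, sk = keygen()
    r_bob, c = sample(pk)
    c_prime = mask_group(c, pw_bob)
    r_alice = invert(sk, unmask_group(c_prime, pw_alice))
    if hash_to_int("H'", "Alice", "Bob", r_alice) != hash_to_int("H'", "Alice", "Bob", r_bob):
        return None  # an on-line trial tests exactly one password
    return (session_key(pk, c_prime, pw_alice, r_alice),
            session_key(pk, c_prime, pw_bob, r_bob))

def eavesdrop(pw, n, mask):
    """The (pk, c') pairs a passive adversary sees in n honest runs."""
    return [(pk, mask(sample(pk)[1], pw)) for pk, _sk in (keygen() for _ in range(n))]

def surviving_passwords(transcripts, dictionary, unmask):
    """Off-line partition attack: a candidate survives only if every unmasked c' is in G_pk."""
    return [pw for pw in dictionary
            if all(in_group(unmask(c_prime, pw)) for _, c_prime in transcripts)]
```

Running `surviving_passwords(eavesdrop(pw, 30, mask_group), dictionary, unmask_group)` returns the whole dictionary, since c' ⊗ G(π)⁻¹ is a group element for every π; with `mask_xor` in both roles, each transcript halves the candidates (a random 63-bit value lies in the order-q subgroup with probability about 1/2), so thirty eavesdropped runs leave only the real password. The membership test `in_group` is exactly the "given y and pk, check whether y ∈ G_pk" requirement of the isomorphism family, here used by the attacker.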