Cross-Realm Password-Based Server Aided Key Exchange
Source: WISA 2010, LNCS 6513, pp. 322–336, 2011(0)
Author: Kazuki Yoneyama
Presenter: Li-Tzu Chang
Outline
- Introduction
- New Model: Cross-Realm PSAKE Security
- Proposed Scheme
- Conclusion
Introduction
- YB scheme: Secure Cross-Realm C2C-PAKE Protocol, 2006, (27)
- WZ scheme: A New Security Model for Cross-Realm C2C-PAKE Protocol, 2007, (1)
New Model: Execute($U_1^{l_1}, U_2^{l_2}, S_1^{l_3}, S_2^{l_4}$)
This query models passive attacks. The output of this query consists of the messages that were exchanged during the honest execution of the protocol among $U_1^{l_1}$, $U_2^{l_2}$, $S_1^{l_3}$ and $S_2^{l_4}$.
New Model: SendClient($U^l$, m)
This query models active attacks against a client. The output of this query consists of the message that the client instance $U^l$ would generate on receipt of message m.
New Model: SendServer($S^l$, m)
This query models active attacks against servers. The output of this query consists of the message that the server instance $S^l$ would generate on receipt of message m.
New Model: SessionReveal($U^l$)
This query models the misuse of session keys. The output of this query consists of the session key held by the client instance $U^l$ if the session is completed for $U^l$. Otherwise, return ⊥.
New Model: StaticReveal(P)
This query models leakage of the static secret of P (i.e., the password between the client and the corresponding server, or the private information for the server). The output of this query consists of the static secret of P.
New Model: EphemeralReveal($P^l$)
This query models leakage of all session-specific information (ephemeral key) used by $P^l$. The output of this query consists of the ephemeral key of the instance $P^l$.
New Model: EstablishParty($U^l$, $pw_U$)
This query models the adversary registering a static secret $pw_U$ on behalf of a client. In this way the adversary totally controls that client. Clients against whom the adversary did not issue this query are called honest.
New Model: Test($U^l$)
This query does not model an adversarial ability, but the indistinguishability of the session key. At the beginning, a hidden bit b is chosen. If no session key for the client instance $U^l$ is defined, then return the undefined symbol ⊥. Otherwise, if b = 1, return the session key for the client instance $U^l$; if b = 0, return a random key from the same space.
New Model: TestPassword(U, pw)
This query does not model an adversarial ability, but the non-leakage of the password. If the guessed password pw is the same as the client U's password, then return 1. Otherwise, return 0.
Note that the adversary can issue only one TestPassword query at any time during the experiment.
Proposed Scheme
- p, q: large primes such that p = 2q + 1
- $A, B \in U$: the identities of two clients in two different realms
- $S_A, S_B \in S$: the identities of their corresponding servers, respectively
Proposed Scheme
- Gen($1^k$): key generation algorithm
- $\mathrm{Enc}_{pk}(m; \omega)$: encryption algorithm of a message m using a public key pk and randomness ω
- $\mathrm{Dec}_{sk}(c)$: decryption algorithm of a ciphertext c using a private key sk
Proposed Scheme
- Public information: $G, g, p, H_1, H_2$
- Long-term secret of clients: $pw_A$ for A and $pw_B$ for B
- Long-term secret of servers: $(pw_A, sk_{S_A})$ for $S_A$ and $(pw_B, sk_{S_B})$ for $S_B$
Proposed Scheme
[Slides 18 and 19: content not captured in this transcript]
Conclusion

| Scheme | Setting | # of rounds for clients | UDonDA | LEP of servers | KCI | Channel between servers |
|---|---|---|---|---|---|---|
| YB | password-only | 2 | insecure | insecure | insecure | secure channel |
| WZ | password-only | 2+P | secure | insecure | insecure | secure channel |
| [19] | password and public-key crypto | 7 | secure | insecure | secure | none |
| [20] | password and smart cards | 4 | secure | insecure | secure | none |
| Ours | password and public-key crypto | 2 | secure | secure | secure | authenticated channel |

Here P denotes the number of moves of a secure 2-party PAKE.
- UDonDA: undetectable on-line dictionary attacks
- LEP: leakage of ephemeral private keys of servers
- KCI: key-compromise impersonation