Weakness Analysis and Improvement of a Gateway-Oriented Password-Based Authenticated Key Exchange Protocol

Recently, Abdalla et al. proposed a new gateway-oriented password-based authenticated key exchange (GPAKE) protocol among a client, a gateway, and an authentication server, where each client shares a human-memorable password with a trusted server so …

Authors: He Debiao, Chen Jianhua, Hu Jin

He Debiao, Chen Jianhua, Hu Jin
School of Mathematics and Statistics, Wuhan University, Wuhan, Hubei 430072, China
hedebiao@163.com

Abstract: Recently, Abdalla et al. proposed a new gateway-oriented password-based authenticated key exchange (GPAKE) protocol among a client, a gateway, and an authentication server, where each client shares a human-memorable password with a trusted server so that they can resort to the server for authentication when they want to establish a shared session key with the gateway. In this letter, we show that a malicious client of GPAKE is still able to gain information about the password by performing an undetectable on-line password guessing attack, and that the protocol cannot provide implicit key confirmation. Finally, we present a countermeasure against the attack.

Key words: key exchange protocol, secure communication, password, dictionary attack

Categories: D.4.6; C.2.1

1. Introduction

Gateway-based authenticated key exchange (GAKE) protocols are important cryptographic techniques for secure communications. Conceptually, a typical three-party password-based authenticated key exchange protocol works as follows. Each client C shares a human-memorable password with a trusted server S, so that they can resort to the server for authentication when they want to establish a shared session key with the gateway G. Among the various means of authentication that can be considered, the most interesting one from a practical point of view is the password-based setting, in which a simple human-memorizable secret, called a password, is used for authentication.

In 2005, Abdalla et al. proposed the first gateway-oriented password-based authenticated key exchange (GPAKE) scheme among a client, a gateway, and an authentication server [1]. Even though Abdalla et al. had proved the session key semantic security of their scheme in a formal model, Byun et al. reported an undetectable on-line guessing attack on the GPAKE protocol, where a gateway can iteratively guess a password and verify its guess without being detected by the server [2]. Byun et al. also proposed an improved scheme to eliminate the security vulnerability of Abdalla et al.'s scheme. However, Wu et al. [3] found that Byun et al.'s scheme still cannot resist the undetectable on-line guessing attack. Very recently, Abdalla et al. [5] presented a new variant of the GPAKE scheme of Abdalla et al. [1]. They used Schnorr's signature [6, 7] in the new scheme in order to guarantee its security. The new scheme can withstand the attack by Byun et al. [2].

In this letter, we review Abdalla et al.'s new protocol [5], and show that it does actually leak information about the password to a malicious client and cannot provide implicit key confirmation. In particular, we show that Abdalla et al.'s new scheme is susceptible to an undetectable on-line password guessing attack by a malicious client. We also give a countermeasure against the attack by letting the client generate a message authentication code of the keying material.

2. Review of Abdalla et al.'s protocol

In this section, we review Abdalla et al.'s protocol. First we introduce the notations used in this paper:

- $C$, $G$ and $S$ denote the client, the gateway and the trusted server, respectively.
- $pw_C$ denotes the password shared between $C$ and $S$.
- $ID_C$ and $ID_G$ denote the identities of $C$ and $G$, respectively.
- $\mathbb{G}$ denotes a finite cyclic group having a generator $g$ of prime order $q$.
- $sk$ denotes a session key generated between the client and the gateway.
- $h_1(\cdot)$ and $h_2(\cdot)$ denote two secure hash functions, such as SHA-1.
- $H$ denotes a secure hash function $H(\cdot): \{0,1\}^* \to \mathbb{G}$.
- $NIZKPDL(m; g, h)$ denotes Schnorr's signature [6, 7] on the message $m$.

In Abdalla et al.'s protocol, each client shares a human-memorable password with a trusted server. When a client wants to establish a shared session key with a gateway, they resort to the trusted server for authenticating each other. Abdalla et al.'s protocol is described as follows.

Step 1: $C$ chooses two random numbers $x$ and $r_C$. Then $C$ computes $X^* = g^x \times H(ID_C, ID_G, pw_C)$ and sends $M_1 = \{ID_C, X^*\}$ to $G$.

Step 2: Upon receiving the message $M_1$, $G$ sends $M_2 = \{ID_C, ID_G, X^*\}$ to the server $S$.

Step 3: Upon receiving the message $M_2$, $S$ generates a random number $s$ and computes $X = (X^* / H(ID_C, ID_G, pw_C))^s$, $h = g^s$ and $\pi_1 = NIZKPDL(X^*; g, h)$. Then $S$ sends $M_3 = \{X, h, \pi_1\}$ to $G$.

Step 4: When $G$ receives $M_3$, it generates a random number $y$ and computes $Y = h^y$, $\pi_2 = NIZKPDL(X^*; g, Y)$, $K_G = X^y$, $AuthG = h_2(ID_C, ID_G, X^*, Y, K_G)$ and the session key $sk_G = h_1(ID_C, ID_G, X^*, Y, K_G)$. Then $G$ sends $M_4 = \{ID_G, h, Y, AuthG, \pi_1, \pi_2\}$ to $C$.

Step 5: After receiving $M_4$, $C$ computes $K_C = Y^x$ and checks whether $AuthG$ equals $h_2(ID_C, ID_G, X^*, Y, K_C)$. If not, $C$ stops the session. Otherwise, $C$ checks whether both $\pi_1$ and $\pi_2$ are valid. If not, $C$ stops the session; else $C$ computes the session key $sk_C = h_1(ID_C, ID_G, X^*, Y, K_C)$.

3. Security analysis

3.1. Undetectable on-line guessing attack

Due to the low entropy of passwords, password-based authenticated key exchange protocols suffer from so-called exhaustive dictionary attacks. The attacks on PAKE schemes can be classified into three types [10]:

1) Off-line dictionary attacks: an attacker uses a guessed password to verify the correctness of the password in an off-line manner. The attacker can freely guess a password and then check if it is correct, without limitation on the number of guesses.

2) Undetectable on-line dictionary attacks: an attacker tries to verify the password in an on-line manner without being detected. That is, a failed guess is never noticed by the server and the client, and the attacker can legally and undetectably check many times in order to get sufficient information about the password.

3) Detectable on-line dictionary attacks: an attacker first guesses a password, and tries to verify the password using responses from a server in an on-line manner. But a failure can be easily detected by counting access failures.

In the following, we demonstrate an undetectable on-line dictionary attack against Abdalla et al.'s scheme [5], where an adversary is able to legally gain information about the password by repeatedly and indiscernibly asking queries to the authentication server. We assume that $A$ has total control over the communication channel between the user $C$ and the gateway $G$, which means that he/she can insert, delete, or alter any messages in the channel. The detailed description of the attack is as follows:

Step 1: $A$ guesses a password $pw'_C$ from a uniformly distributed dictionary $D$ and computes $PW'_C = H(ID_C, ID_G, pw'_C)$. $A$ generates a random number $x'$ and computes $X^* = g^{x'} \times PW'_C$. Then $A$ impersonates $C$ to send $M_1 = \{ID_C, X^*\}$ to $G$.

Step 2: Upon receiving the message $M_1$, $G$ sends $M_2 = \{ID_C, ID_G, X^*\}$ to the server $S$.

Step 3: Upon receiving the message $M_2$, $S$ generates a random number $s$ and computes $X = (X^* / H(ID_C, ID_G, pw_C))^s$, $h = g^s$ and $\pi_1 = NIZKPDL(X^*; g, h)$. Then $S$ sends $M_3 = \{X, h, \pi_1\}$ to $G$.

Step 4: When $G$ receives $M_3$, it generates a random number $y$ and computes $Y = h^y$, $\pi_2 = NIZKPDL(X^*; g, Y)$, $K_G = X^y$, $AuthG = h_2(ID_C, ID_G, X^*, Y, K_G)$ and the session key $sk_G = h_1(ID_C, ID_G, X^*, Y, K_G)$. Then $G$ sends $M_4 = \{ID_G, h, Y, AuthG, \pi_1, \pi_2\}$ to $C$.

Step 5: $A$ intercepts the message $M_4$, computes $K_C = Y^{x'}$ and checks whether $AuthG$ equals $h_2(ID_C, ID_G, X^*, Y, K_C)$. If so, $A$ has found the correct password. Otherwise, $A$ repeats steps 1 to 5 until the correct password is found.

It is clear that if $pw'_C$ equals $pw_C$, then $PW'_C = H(ID_C, ID_G, pw_C)$ and $AuthG = h_2(ID_C, ID_G, X^*, Y, K_C)$, since

$$K_G = X^y = \big((X^* / H(ID_C, ID_G, pw_C))^s\big)^y = \big((g^{x'} \cdot PW'_C / H(ID_C, ID_G, pw_C))^s\big)^y = (g^{x'})^{sy} = h^{x'y} = Y^{x'} = K_C.$$

From the description of the attack we know that Abdalla et al.'s scheme [5] does not prevent the leakage of password information to the malicious client $A$. In addition, the attack can be used against Abdalla et al.'s other scheme [1].

3.2. Session-Key Problem

As in the definitions in [9], a key agreement scheme is said to provide explicit key confirmation if one entity is assured that the second entity has actually computed the session key. The scheme provides implicit key confirmation if one entity is assured that the second entity can compute the session key. Note that the property of implicit key confirmation does not necessarily mean that one entity is assured of the second entity actually possessing the session key. In many applications, it is highly desirable for a key agreement scheme to provide explicit key confirmation. We can see that the scheme of Abdalla et al. [5] merely provides implicit key confirmation, because $G$ cannot confirm that $C$ has correctly computed the session key after the log-in phase.

4. Countermeasure

The vulnerability to the undetectable on-line dictionary attack described above actually stems from an absence of message authentication in the scheme. To remedy this vulnerability, we could use the method proposed by Byun et al. [2]. First, a two-party password-based authenticated key exchange (2-PAKE) scheme is executed between $C$ and $S$ in order to generate a session key $sk$. Then $C$ creates a message authentication code (MAC) of $X^*$ using $sk$. $S$ can then check the validity of $X^*$ by verifying the MAC of $X^*$, and thereby detect the undetectable on-line dictionary attack. However, the execution of the 2-PAKE heavily increases the burden on the server, the gateway and the client, so Byun et al.'s method cannot be applied in practice. In fact, we just let Abdalla et al.'s scheme provide the implicit key confirmation in order to eliminate the security vulnerability. We modify Abdalla et al.'s [5] scheme as follows. In our modified scheme, $G$ requires $C$ to provide key confirmation by offering $AuthC$. If a malicious client $A$ carries out the undetectable on-line dictionary attack described in Section 3.1, $G$ will detect the attack, since $A$ cannot offer the correct $AuthC$.

Step 1: $C$ chooses two random numbers $x$ and $r_C$. Then $C$ computes $X^* = g^x \times H(ID_C, ID_G, pw_C)$ and sends $M_1 = \{ID_C, X^*\}$ to $G$.

Step 2: Upon receiving the message $M_1$, $G$ sends $M_2 = \{ID_C, ID_G, X^*\}$ to the server $S$.

Step 3: Upon receiving the message $M_2$, $S$ generates a random number $s$ and computes $X = (X^* / H(ID_C, ID_G, pw_C))^s$, $h = g^s$ and $\pi_1 = NIZKPDL(X^*; g, h)$. Then $S$ sends $M_3 = \{X, h, \pi_1\}$ to $G$.

Step 4: When $G$ receives $M_3$, it generates a random number $y$ and computes $Y = h^y$, $\pi_2 = NIZKPDL(X^*; g, Y)$, $K_G = X^y$ and $AuthG = h_2(ID_C, ID_G, X^*, Y, K_G)$. Then $G$ sends $M_4 = \{ID_G, h, Y, AuthG, \pi_1, \pi_2\}$ to $C$.

Step 5: After receiving $M_4$, $C$ computes $K_C = Y^x$ and checks whether $AuthG$ equals $h_2(ID_C, ID_G, X^*, Y, K_C)$. If not, $C$ stops the session. Otherwise, $C$ checks whether both $\pi_1$ and $\pi_2$ are valid. If not, $C$ stops the session; else $C$ computes the session key $sk_C = h_1(ID_C, ID_G, X^*, Y, K_C)$ and $AuthC = h_2(ID_G, ID_C, X^*, Y, K_C)$. Then $C$ sends the message $M_5 = \{AuthC\}$ to $G$.

Step 6: After receiving $M_5$, $G$ checks whether $AuthC$ equals $h_2(ID_G, ID_C, X^*, Y, K_G)$. If not, $G$ stops the session; else $G$ computes the session key $sk_G = h_1(ID_C, ID_G, X^*, Y, K_G)$.

5. Conclusion

Very recently, Abdalla et al. [5] presented a new variant of the GPAKE scheme of Abdalla et al. [1]. However, we find that the new scheme is vulnerable to an undetectable on-line guessing attack and cannot provide the implicit key confirmation. We also proposed a countermeasure for the security vulnerability.

References

[1] M. Abdalla, O. Chevassut, P.-A. Fouque et al., "A simple threshold authenticated key exchange from short secrets," in Proc. ASIACRYPT 2005, LNCS vol. 3788, pp. 566-584, Springer-Verlag, 2005.
[2] J. W. Byun, D. H. Lee, and J. I. Lim, "Security analysis and improvement of a gateway-oriented password-based authenticated key exchange protocol," IEEE Communications Letters 10 (9), pp. 683-685, 2006.
[3] T.-C. Wu, H.-Y. Chien, "Comments on Gateway-Oriented Password-Based Authenticated Key Exchange Protocol," in IIH-MSP 2009, Kyoto, 2009, pp. 262-265.
[4] M. Abdalla, M. Izabachène, and D. Pointcheval, "Anonymous and Transparent Gateway-based Password-Authenticated Key Exchange," in CANS '08, Hong Kong, LNCS 5339, pp. 133-148, Springer-Verlag, 2008.
[5] Y. Ding and P. Horster, "Undetectable on-line password guessing attacks," ACM Operating Systems Review, vol. 29, pp. 77-86, Apr. 1995.
[6] C.-P. Schnorr, "Efficient identification and signatures for smart cards," in CRYPTO '89, LNCS vol. 435, pp. 239-252, Springer, 1990.
[7] C.-P. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, 4(3):161-174, 1991.
[8] C.-I. Fan and C.-L. Lei, "Low-computation blind signature schemes based on quadratic residues," Electron. Lett., vol. 32, no. 17, pp. 1569-1570, 1996.
[9] S. Blake-Wilson and A. Menezes, "Authenticated Diffie-Hellman key agreement protocols," Proc. 5th Annu. Int. Workshop SAC, S. Tavares and H. Meijer, Eds., LNCS vol. 1556, pp. 339-361, 1999.
[10] Y. Ding and P. Horster, "Undetectable on-line password guessing attacks," ACM Operating Systems Review, vol. 29, pp. 77-86, Apr. 1995.
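As an added illustration (not code from the paper), the following Python simulates one run of the protocol reviewed in Section 2 in a constructed toy group, omitting the Schnorr proofs $\pi_1$ and $\pi_2$; `run_session` reports whether the two session keys agree and whether the $AuthC$ check of Section 4 lets the gateway notice a client whose password differs from the server's copy. The group parameters, identities and hash instantiations are assumptions made for the demo.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption, not from the paper): arithmetic is done
# modulo the Mersenne prime P = 2**127 - 1 with generator G_GEN = 3. Real deployments
# use a standardised prime-order group; this is only large enough for the demo.
P = 2**127 - 1
G_GEN = 3


def h(tag, *parts):
    """h_1, h_2 and the exponent for H, realised as domain-separated SHA-256."""
    data = tag.encode() + b"|" + b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def hash_to_group(id_c, id_g, pw):
    """H(ID_C, ID_G, pw): {0,1}* -> G, as g raised to a hash-derived exponent."""
    return pow(G_GEN, h("H", id_c, id_g, pw) % (P - 1), P)


def run_session(client_pw, server_pw, with_authc, id_c="client", id_g="gateway"):
    """One protocol run; the pi_1/pi_2 Schnorr proofs are omitted for brevity."""
    def rand():
        return secrets.randbelow(P - 2) + 1
    # Step 1: C blinds g^x with the password-derived element H(ID_C, ID_G, pw_C).
    x = rand()
    x_star = pow(G_GEN, x, P) * hash_to_group(id_c, id_g, client_pw) % P
    # Step 3: S strips its own copy of the password element and raises to s.
    s = rand()
    unblinded = x_star * pow(hash_to_group(id_c, id_g, server_pw), -1, P) % P
    big_x, h_val = pow(unblinded, s, P), pow(G_GEN, s, P)
    # Step 4: G computes Y = h^y, K_G = X^y, AuthG and its session key sk_G.
    y = rand()
    big_y, k_g = pow(h_val, y, P), pow(big_x, y, P)
    auth_g = h("h2", id_c, id_g, x_star, big_y, k_g)
    sk_g = h("h1", id_c, id_g, x_star, big_y, k_g)
    # Step 5: C computes K_C = Y^x and verifies AuthG; on failure only C aborts.
    k_c = pow(big_y, x, P)
    client_ok = auth_g == h("h2", id_c, id_g, x_star, big_y, k_c)
    sk_c = h("h1", id_c, id_g, x_star, big_y, k_c) if client_ok else None
    if not with_authc:
        # Original scheme: S and G never learn that C's check failed.
        return {"keys_match": sk_c == sk_g, "gateway_detected": False}
    # Countermeasure: C must return AuthC; G rejects if it does not match K_G.
    auth_c = h("h2", id_g, id_c, x_star, big_y, k_c) if client_ok else None
    detected = auth_c != h("h2", id_g, id_c, x_star, big_y, k_g)
    return {"keys_match": sk_c == sk_g, "gateway_detected": detected}
```

In the original flow a session whose client-side password check failed looks, from the server's and gateway's side, exactly like a successful one; with the added $AuthC$ round the gateway rejects it.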
