📝 Original Info
- Title: Persistent Asymmetric Password-Based Key Exchange
- ArXiv ID: 1004.3037
- Date: 2010-09-28
- Authors: Researchers from original ArXiv paper
📝 Abstract
Asymmetric password based key exchange is a key exchange protocol where a client and a server share a low entropic password while the server additionally owns a high entropic secret for a public key. There are simple solutions for this (e.g. Halevi and Krawczyk (ACM TISSEC 1999) and its improvement by Boyarsky (CCS 1999)). In this paper, we consider a new threat to this type of protocol: if a server's high entropic secret gets compromised (e.g., due to cryptanalysis, a virus attack or poor management), the adversary might quickly break lots of passwords and cause uncountable damage. In this case, one should not expect the protocol to be secure against an off-line dictionary attack since, otherwise, the protocol is in fact a secure password-only key exchange where the server also only has a password (by making the server's high entropic secret public). Of course a password-only key exchange does not suffer from this threat as the server does not have a high entropic secret at all. However, known password-only key exchanges are not very efficient (note: we only consider protocols without random oracles). This motivates us to study efficient and secure asymmetric password key exchange that avoids the new threat. In this paper, we first provide a formal model for the new threat, where essentially we require that the active adversary can break $\ell$ passwords in $\alpha\ell |{\cal D}|$ steps (for $\alpha<1/2$) only with a probability negligibly close to $\exp(-\beta\ell)$ for some $\beta>0$. Then, we construct a framework of asymmetric password based key exchange. We prove that our protocol is secure in the usual sense. We also show that it prevents the new threat. To do this, we introduce a new technique by abstracting a probabilistic experiment from the main proof and providing a neat analysis of it.
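To make the persistence requirement concrete, the following added example (not code from the paper) computes, for an idealized adversary who must guess each of $\ell$ independent passwords by exhaustive search over a dictionary of size $|{\cal D}| = N$, the exact probability of breaking all $\ell$ within $\alpha\ell N$ steps, and compares it with a Hoeffding-style bound of the form $\exp(-\beta\ell)$. The uniform-password and sequential-guessing model is an assumption made here for illustration, not the paper's formal model.

```python
from math import exp

def dist_steps_to_break(ell, N):
    """Exact distribution (pmf over total guesses) of the work needed to
    break ell independent passwords, each uniform over a dictionary of
    size N, when every password is attacked by exhaustive search.
    Constructed model: the k-th guess on a password hits with prob 1/N."""
    pmf = {0: 1.0}                       # zero passwords broken: zero steps
    for _ in range(ell):
        new = {}
        for s, p in pmf.items():
            for k in range(1, N + 1):     # convolve with uniform{1..N}
                new[s + k] = new.get(s + k, 0.0) + p / N
        pmf = new
    return pmf

def prob_break_within(ell, N, alpha):
    """Pr[adversary breaks ell passwords within alpha * ell * N steps],
    i.e. the quantity the persistence definition wants to be ~ exp(-beta*ell)."""
    budget = alpha * ell * N
    return sum(p for s, p in dist_steps_to_break(ell, N).items() if s <= budget)

def hoeffding_bound(ell, alpha):
    """Each per-password cost lies in [1, N] with mean (N+1)/2 > N/2, so by
    Hoeffding Pr[sum <= alpha*ell*N] <= exp(-2*ell*(1/2 - alpha)^2) whenever
    alpha < 1/2.  Hence beta = 2*(1/2 - alpha)^2 works in this toy model."""
    assert alpha < 0.5
    return exp(-2 * ell * (0.5 - alpha) ** 2)

if __name__ == "__main__":
    # Contrast: if the server key leaks in a non-persistent scheme such as
    # Halevi-Krawczyk, each captured password costs one decryption, i.e.
    # ell steps total, so no such bound can hold there.
    for ell in (1, 2, 4, 8):
        print(ell, prob_break_within(ell, 8, 0.25), hoeffding_bound(ell, 0.25))
```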
📄 Full Content
Key exchange (KE) is one of the most important issues in secure communication. It helps two parties to securely establish a common session key, with which the subsequent communication can be protected. In the literature, there are two types of key exchange. In type one, the two parties own high entropic secrets (e.g., a signing key of a digital signature). This type has been extensively studied in the literature; see a very partial list [2,25,7,10]. Type two is password authenticated key exchange, in which it is assumed that the two parties share a human-memorable (low entropy) password. The major threat for this type of key exchange is an off-line dictionary attack. In this case, an adversary can capture a function value of the password (say, F(pw)). Since the password space is small, he can find the matching password through an exhaustive search. See [1] for an example. In the literature, two types of password key exchange protocols are studied. In the first type, the two parties only own a common password. This type is studied extensively in the literature. In the second type, the client and server share a password while the server additionally owns a high entropic private key of a public key. In this type, there are simple solutions [16,6]. In this paper, we consider a new threat to this type of protocol: when the server's high entropic secret is compromised, the attacker might quickly break lots of passwords and cause uncountable damage. It is desirable that the pace at which he breaks passwords is very slow. Under this condition, the server management will have enough time to realize and defend against the attack. Unfortunately, previous protocols (e.g., [16,6]) are not secure against this threat.
The server key leakage problem does not occur in password-only key exchange protocols since in this setting the server does not own a high entropic secret key at all. Hence, an asymmetric password key exchange against this threat is meaningful only if we have a construction that is more efficient than the known password-only protocols. Password-only key exchange was first studied by Bellovin and Merritt [4] and further studied in [5,19,27]. The first provably secure solution is due to Bellare et al. [3], but security holds in the random oracle model, which is not our main focus. The first key exchange without random oracles is due to Goldreich and Lindell [13], but it is very inefficient. The first reasonably efficient solution without random oracles is the KOY protocol [21], which needs 15 exponentiations for each party. This protocol was abstracted into a framework by [11] and improved by Gennaro [12] (the contribution of the latter is to remove the signature). Jiang and Gong [20] (recently abstracted into a framework by [24]) constructed an efficient protocol, where, using the fastest CCA2 secure encryption [18], it costs 5 exponentiations for the client and 6 exponentiations for the server. Katz and Vaikuntanathan [22] constructed a one-round password-only key exchange, but it is less efficient than [20,24].
The asymmetric password based technique was initiated by Gong [14]. Halevi and Krawczyk [15] (also the full version [16]) proposed a very efficient asymmetric password based key exchange, which essentially lets the client use a CCA2 secure encryption to encrypt the password information. Using the encryption of [18], this protocol only needs about two exponentiations for the client and one exponentiation for the server. It was later improved by Boyarsky [6] for security in the multi-user setting. However, neither of the two protocols can prevent the new threat above, because the password is encrypted under the server's public key and can be decrypted directly by the adversary, without any dictionary attack, if the private key is leaked.
We first provide a formal model for the above server key leakage problem. It essentially requires that an adversary can break ℓ passwords in αℓ|D| steps (for α < 1/2) only with probability negligibly close to exp(-βℓ) for some β > 0. Under this assertion, the adversary cannot quickly break a lot of passwords. Then, we construct a framework of asymmetric password based key exchange. Our construction is based on a tag-based projective hash family (tag-PHF), which is modified from the projective hash family of Cramer-Shoup. We show that our framework is secure in the multi-user setting of [6] (under a different formalization, where our approach is a new quantification of the authentication failure). Our proof does not rely on random oracles. We also prove that our framework is persistent, where we introduce a new technique to achieve this: a probabilistic experiment extracted from the main proof. We provide a neat analysis of this experiment. Our persistency holds in the random oracle model. It is open to construct a protocol whose security and persistency both hold without random oracles. We instantiate our framework with a concrete tag-PHF. Our realization only costs 4 exponentiations for the client and 2 exponentiations for the server, which is significa
…(Full text truncated)…
This content is AI-processed based on ArXiv data.