LCN'97 Security and efficiency in authentication protocols by liamei12345


									                           Security and E ciency in Authentication Protocols
                                Resistant to Password Guessing Attacks
                                                        oung Kwon Jooseok Song
                                                   T aeky

                                                 Department of Computer Science
                                              Yonsei University, Se oul120-749, Korea

                                  Abstract                               carefully.
               Cryptographic proto colsfor authentication and key            In most systems, user-c hosen secrets, i.e. pass-
            exchange are ne cessary for secur e communications.          w ords,are used for authentication. Clearly, crypto-
            Most proto colshave assumed that a strong secret for         graphically long passwords or long secrets chosen at
            authentication should be shar edbetwe encommunicat-          random would be better for security only if ordinary
            ing particip antsin the light of a threat of dictionary      users could remember them. But most users want to
            attacks. But a user-chosen we ak secret, i.e. pass-          use a small secret and choose an easy-to-remember
                               u                  ation. Sinc e most
            wor d, is typic ally se d for authentic                      password because well-chosen passwords are also quite
            users want to use an easily memorizable password,                                                h
                                                                         unmemoralbe 5, 6 . Suc h a user-c osen secret is called
            which tends to be easy to guess, several authentication      a poorly-chosen secret or a w eakly-sharedsecret be-
            proto colsthat protect such a we ak secret from pass-        cause it is easy to be guessed by others 8 . The weak
            wor d guessing attacks, have ben developed. However,         secret make authentication protocols vulnerable to
                                   d                   e
            those se curity-oriente proto cols ar e mor exp ensive in    guessing attacks.
            terms of the number of r andom numb cipher oper-                 While, in terms of securit y,most of the previous
            ations, and proto colsteps than the previous proto cols      protocols are vulnerable to guessing attac ks, some
            which are not resistant to guessing attacks. We pro-         protocols 7, 8, 9 to prev en tthem are more expen-
            pose new authentication and key exchange proto cols,         sive in terms of e ciency. F ollo wingthe no velap-
            which are e cient considerably in protecting a poorly-       proach of 9 , w e propose new authen     tication and key
            chosen weak se cret from guessing attacks.                   exc hange protocols which are e cient in protecting
            1 Introduction                                               w eaksecrets from guessing attac ksusing a one-time
                                                                         pad and a strong one-way hash function. We apply
               T o achiev esecure data communications, partici-
            pants should be authenticated when setting up a com-         a one-time pad and a strong one-way hash function
            munication session and a new session key to be used          to our cryptographic protocol for securit y and e -
            for encrypting data must be shared betw een authen     ti-   ciency . Our protocol is more e cient than other re-
            cated participants. How to authenticate participants         lated protocols 7, 8, 9 .
            is a chronical problem of computer netw ork securit .   y        In the rest of this section, notations to be used are
            F or authentication and key distribution, a crypto-          summarized. In the next section, we describe authen-
            graphic protocol is necessary. Since the new session         tication protocols and guessing attacks. In section 3,
            key is utilized to encrypt or decrypt the information                                   k
                                                                         w e de ne guessing attac s more clearly and show ho w
            of communication participants, the cryptographic pro-        to defeat them e ciently. In section 4, we introduce
            tocol is very important. Suc ha protocol is typically        our basic protocol which ensures both security and ef-
            an initial step when a communication session is set            ciency, and analyze it using a formal logic. Basic
            up. Therefore, it is critical for overall security of the    protocol w asalso proposed in our previous w ork 1 .
            communications. F urthermore, most of the importan       t   Section 4 also introduces adv ancedprotocols which
            properties of the protocol do not depend on the un-          are modi ed versions of basic protocol. Section 5 dis-
            derlying cipher systems, but rather on the structure         cuss security of our protocols. Section 6 compares our
            of the messages and procedures of the protocol. That         protocols with other related protocols and the nal
            means the protocol should be designed and veri ed            section concludes this paper.

Proceedings of the 22nd IEEE Conference on Local Computer Networks (LCN’97)
0-8186-8141-1/97 $10.00 ã 1997 IEEE
            1.1 Notations                                               secret is known to others, it is clear that secure com-
               T o describe our protocol clearly we summarize no-
                                               ,                        munication is impossible. Suc hattac ks are classi ed
            tations to be used. A and S are system principals of        into o -line and on-line methods.
            communication participants. A shared secret and a
            public key of A are denoted as PA and KA, respec-                O -line guessing attacks : An attacker ea vesdrops
            tively. The w eakly-sharedsecret PA corresponds to               protocol messages and store them in a local stor-
            password of user A. KS stands for a public key of S              age for veri cation. Therefore, an y other par-
            and K for a new session key. Rx means an i-th random
                                           i                                 ticipants cannot notice the o -line attack. After
            value of principal x. F or instance, RA is the second
                                                   2                         guessing a password included in the eavesdropped
            random value of principal A and RS is a unique ran-              messages, the attacker tries to v erify the guessed
            dom value of principal S . Rx also corresponds to the
                                         i                                   password iteratively in o -line manners. A com-
            nonce for a session. The nonce means a random value              mon method is to compare the eavesdropped mes-
            which is used only for a corresponding session. M K              sages with the arti cial messages which are recon-
            denotes a ciphertext of message M under an encryp-               structed by using the guessed password 8, 10 .
            tion key K . H  is a strong one-way hash function              On-line guessing attacks : An attacker should ac-
            and jX j a bit-wise length of X .  and jj represent             cess to another participant who shares the weak
            a bit-wise XOR operator and a concatenator, respec-              secret legitimately. Therefore, it is not di cult to
            tively. A ! S : M denotes that A sends a message M               notice the on-line guessing attac k. After guess-
            to S . OP means a one-time pad.                                  ing a target password, the attacker tries to use a
            2 Guessing Attacks on Authentication                             guessed password iteratively in on-line manners,
              Protocols                                                      for instance by replaying eavesdropped messages
                                                                             or b y impersonating other users with the guessed
                Since the landmark protocol which uses encryption            password. For impersonation, the attacker should
            to ac hiev e authenicated communications, was sho wn             construct a bogus message through the guessed
            in 3 , a lot of protocols have been proposed and used            password. Using the messages resulted from on-
            in many net w ork systems.Security in them is based on           line guessing attac k, the attac kercan proceed
            a pre-shared secret value. Thus, most of the classical           with guessing in o -line manners. Unless an y
            protocols assumed that a strong remote authentication            other participants could nd authentication fail-
            is possible only if a cryptographically long or random           ures of attac kers,the on-line attac kcouldn't be
            secret is shared betw een the participan in the light            noticed by others 11 .
            of an eternal threat of a dictionary attack or guessing
            attac k 4 . But in most systems, user-c hosensecrets,          In terms of security, most of the previous protocols
            i.e. passwords, are used for authentication. Clearly,       are not su cient. Therefore, many protocols to pre-
            cryptographically long passwords or long secrets cho-                               k e
                                                                        ven t the guessing attac ha v been explored and stud-
            sen at random would be better for security only if ordi-    ied. 7 proposes a ve step protocol which is an aug-
            nary users could remember them. But most users wan t                                             ork,
                                                                        mented v ersion of their previous w the Encrypted
            to use a small secret and choose an easy-to-remember        Key Exchange, to resist the Denning-Sacco attack 12 .
            password because well-chosen passwords are also quite        8 describes both three part y and tw opart y proto-
            unmemoralbe 5, 6 . Suc h a user-c osen secret is called     cols. Authors introduced a confounder which is a
            a poorly-chosen secret or a w eakly-shared secretbe-        su ciently large random number. 9 sho ws a three
            cause it is easy to be guessed by others 8 . The long       step protocol called optimal protocol. But all of them
            secret c hosen at random by the system is to be kept        are more expensive in terms of the computation and
            in some external storage. Therefore, it would result in     communication costs than the previous protocols. In
            other serious problems and couldn't be accepted wide.       terms of e ciency, they are not su cient while they
            Otherwise, additional hardware components which are         satisfy securit y. More e cient protocol resistan tto
            not ubiquitos, are required. They are not the points to     guessing attack is required earnestly for communica-
            be considered in this paper. It is certain that, for con-   tion netw orks 1 .We introduce our protocols as solu-
            vinience of users, the use of weak secret is inevitable     tions for security and e ciency in authentication.
            in most systems.
                Guessing attack, which is performed through an it-      3 How to Defeat Guessing Attacks
            erativ e guessing and v cation, on the weak secret is
                                    eri                                 3.1 De ning Guessing Attacks
            surprisingly successful 8 . The goal of guessing attack        Guessing attacks could be known-plaintext attacks
            is to nd out the shared w eaksecret. If the shared          or v eri able-text attacks 10 .Guessing attacks explore

Proceedings of the 22nd IEEE Conference on Local Computer Networks (LCN’97)
0-8186-8141-1/97 $10.00 ã 1997 IEEE
            the fact that the weak secret is usually chosen from a                                                  e ciency. T o reconstruct RA ; PA  RA KS using
            relativ ely small space.Theoretically, a bit-wise length                                                guessed PA , at least 2 RA complexities are re-
                                                                                                                                            j   j

            jPA j can make 2 PA di erent passwords. But in prac-
                                             j   j
            tice, the 2 PA space is reduced considerably because
                                    j   j

            users have to use an alphabetic keyboard or a numeric                                                   Use a one-time pad to encrypt a new session
            keypad to choose them. The worse is that the space is                                                   key rather than a con ven tionalbloc kcipher al-
            reduced more since users choose each password from a                                                    gorithm. The one-time pad must be chosen at
            remindful word space. Therefore, the weak secret PA                                                     random and it can never be reused. The length of
            cannot help ha ving muc h bit redundancy. It means                                                      it must be equal to that of message which is going
            that PA is chosen from a smaller space than 2 PA . Let                                      j   j
                                                                                                                    to be encrypted. While encryption is to XOR the
            jGPA j be the bit length reduced to represent a prac-                                                 message with the one-time pad, decryption is to
            tical PA without the bit redundancy. We can say that                                                    X OR the ciphertext with the same one-time pad.
            the real PA is chosen from 2 G PA space. It means that    j      j
                                                                                                                    It pro vides very simple and secure encryption.
            an entrop y to determine PA is close to jGPA j rather                                                 The one-time pad system is the only cryptosys-
            than to jPA j. Therefore, at most 2 G PA operations                            j      j
                                                                                                                    tem that achiev esperfect secrecy 17 . It means
            are necessary to nd PA by a brute force search in ef-                                                   that the ciphertext yields no possible informa-
            fect. Here we ha v 2 G PA
                                e            2 PA . F or example, 8
                                                     j          j                j   j
                                                                                                                    tion about the plaintext except its bit-wise length.
            character long password is general for authentication.                                                  We de ne that OP should be made by X ORing
            Thus, the ordinary maximum size of PA is said to be                                                                   alues
                                                                                                                    tw o random v of corresponding principal, i.e.
            64 bits. But the 64 bits ha vemuc h bit redundancy                                                      RA  RA , in our protocol. Since RA and RA cor-
                                                                                                                      1    2                            1       2

            and 2 space may be reduced considerably. While
                                                                                                                    respond to nonce values for a session, they can be
            it is very di cult to perform guessing attacks within                                                   utilized to make a one-time pad for that session.
            2 PA complexity for 64 bit long PA , it is computable
              j   j
                                                                                                                    Since we use a one-time pad to encrypt a new ses-
            within 2 G PA . Therefore, to preven t guessing attacks
                            j          j
                                                                                                                    sion k ey, the size ofOP must be equal to that of
            in authentication protocols, a complexity to guess PA                                                   K , and it cannot be reused for another session.
            should be made over 2 PA at least. But, for enlarging
                                                         j   j
                                                                                                                    OP  K would be better than K OP in terms of
            the complexity, the number of random values, cryp-                                                      e ciency.
            tographic operations or protocol steps has been made
            abnormally large in other related protocols 7, 8, 9 .                                                   Use a strong one-way hash function to exchange
            How ev er, using a one-time pad and a strong one-w    ay                                                Challange-Response messages for con rming a
            hash function, we solv e the e ciency problem. 1 ex-                                                    new session key. Challenge-Response messages
            plains several requirements for making a protocol e -                                                   are necessary for each participant to make a coun-
            cien t and resistan to guessing attacks.                                                                terpart con rm that the new key is exchanged se-
            3.2 Defeating Guessing Attacks                                                                          curely . In other protocols, a con ven tionalbloc k
               Our basic idea to defeat guessing attacks e ciently                                                  cipher algorithm has been used for the purpose.
            is very simple. It is summarized that:                                                                  In general, the hash function is more e cient than
                                                                                                                    the conven tional cipher algorithm.The other ad-
                 Never use a weak secret as an encryption key for                                                   van tage ofthe hash function is that it produces
                 messages that include veri able data. 10 ex-                                                       an output in a same xed length regardless of the
                 plains veri able-text attacks deliberately. If the                                                 length of its input. F or example, MD5 is alw  ays
                 w eak secret is used as an encryption k for those                                                  for 128 bit long output and SHA for 160 bit long
                 messages, additional random values such as a con-                                                  output.
                 founder have been required in other works 8 ,9 .
                 How ev er, for messages whic do not include ver-
                                              h                                                                     Minimize the number of random values. F or ex-
                 i able data, the w eaksecret can be used as an                                                     ample, we introduce a new term FA in section 5.
                 encryption key. Actually, we encrypt a new pub-                                                    We call FA a partial value that is a partial bit
                 lic k ey under the weak secret in section 5.2. The                                                 stream of corresponding messaage. We explain
                 public key is so used carefully as to make other                                                   the partial value in section 5.5.
                 data unveri able in our protocol.
                                                                                                                We can say that a main goal of our idea is to reduce
                      Mask the w eaksecret with nonce in a message                                                      ber
                                                                                                                the n um of random values and protocol steps, the
                      for authentication. F or example, RA ; PA  RA KS                                         amount of encryption, and the size of eac h message
                      would be better than RA ; RA PA KS in terms of                                            in defeating the guessing attac ks. It means that w e

Proceedings of the 22nd IEEE Conference on Local Computer Networks (LCN’97)
0-8186-8141-1/97 $10.00 ã 1997 IEEE
            attempt to provide both security and e ciency in au-        of these is to model and verify the protocol using gen-
            then tication protocols.                                    eral speci cation languages. But this approach fails
                                                                        to detect many a w protocols because it attemps to
            4 Secure and E cient Protocol                                                        .
                                                                        pro ve a correctness only The second is to develop ex-
            4.1 Basic Protocol : two-party K1P                          pert systems which a protocol designer can use to try
               We introduce our basic protocol which is e cient         out di erent scenarios. But it neither guarantees se-
            in defeating guessing attac ks. This protocol w as          curit y nor provides techniques for developing attacks.
            called tw o-part y K1PK-wn Protocol in our previ-
                                       o                                The third approach is to model the requirements of a
            ous work 1 . Since several advanced protocols will be       protocol formally using logics developed for the anal-
            proposed on the basis of tw o-part y K1Pwe call this
                                                   ,                    ysis of kno wledgeand belief. Since the rst formal
            the basic protocol:                                         logical technique the BAN logic for the analysis of
                                                                        authentication protocols was introduced in 15 , sev-
              1: A ! S : RA k RA k PA  RA KS
                                   1   2        1
                                                                        eral v arian ts of the logic ha been proposed and ap-
              2: S ! A : OP  K k H PA  RA k K k RA  1
                                                    1           2       plied to the protocol analysis 16 , for instance, GNY,
              3: A ! S : H PA  RA k K k RA 
                                           2        1                   A T,SVO, and etc. In the meantime, BAN-like log-
                                                                        ics ha ve become the most widely used formal method
            It is assumed that a w eak secret of A, PA , is shared      in the analysis of cryptographic protocols despite its
            bet ween A and S . In step 1, A generates tw o random                wn
                                                                        w ell-kno limitations suc h as their lack of a w ell-
            values RA and RA , masks PA with RA, and encrypts
                       1       2                        1               de ned semantics. The fourth is to develop a formal
            them using S 's public key KS . A sends the message         model based on the algebraic term-rewriting proper-
            1 to S . After decryption, S gets the random values         ties of cryptographic systems. All the details are de-
            and the masked v alue, and uses them to authen    ticate    scribed well in 14 . In the meantime, BAN-like logics
            A and to chec k whether the message is readable. By         ha ve become the most widely used formal method in
            calculating RA  PA  RA  from the message and by
                           1               1                            the analysis of cryptographic protocols despite its well-
            comparing the result with PA of local memory, S can         kno wn limitations.We use the GNY logic 16 that is
            authenticate A and chec k readabilit of the message.
                                                 y                      a varian t of the BAN logic for analyzing our protocol.
            Each participant makes a same one-time pad OP by               First of all, eac h message of our protocol should
            XORing the random values, i.e. RA  RA . The size
                                                1           2           be presented in an idealized form through the GNY's
            of OP should be equal to that of a session key as we        parser algorithm. The parser algorithm w ouldpro-
            mentioned in section 3.2. In step 2, S generates a new      duce the following description of the protocol:
            session key K and encrypts it using OP . S also com-        1: S : fRA; RA;  PA   RA g KS
                                                                                           1        2                       1

            putes a hash value using the known values as shown
            abo ve. The random values endow a randomness on                       ; A j A $ S
            the input image of H  and serve as nonce values. S        2: A : RA  RA  K  ; S j A $ S;
                                                                                       1           2           K
            sends the message 2 to A. After decryption, A gets                                                          K
            and uses K to compute hash value along with PA  RA     1             H  PA RA k K k RA ; S j A $ S
                                                                                                                1   2

            and RA . Comparing the hash values, A can verify the
                                                                        3: S : H  PA RA k K k RA ; A j A $ S
                                                                                                                2   1   K
            integrit y and freshness ofK and con rm the authen-
            tication result. All of them are based on the freshness     A w eaksecret PA used for iden ti cationpurposes is
            and readability of the random values made by A itself.      denoted PA for applying the GNY's message in-
            In step 3, A replies with a new hash value to inform an     terpretation rules.
            admission of K . Hash values of message 2 and 3 also            We assume that the follo wing holds at the begin-
            serv e as a Challenge-Response for K . A distinctive        ning of every run of the protocol:
            feature of our protocol is that the weak secret is not
            used as a temporal cryptographic key for exchanging            A 3 PA ; A 3 RA ; A 3 RA ; A j RA ; A j RA ;
                                                                                               1                2       1               2

            a session key.                                                  A j PA ; A j RA ; A j RA ; A j,K!S ;
                                                                                                            1           2   S       +

            4.2 F ormalAnalysis of Basic Protocol                                   PA
                                                                           A j A $ S ; A j S  S j ; A j S  A $ S ;K
               Researchers ha vefound errors and a ws in seem-
            ingly secure cryptographic protocols proposed many          That is, A possesses his or her password and believes
            years ago. Therefore, systematic methods are neces-         it is a secret betw een himherself andS . A also pos-
            sary for pro vingsecurit y of protocols. These formal       sesses new random numbers, and believes their fresh-
            approaches are classi ed into four classes 14 . The rst     ness and recognizability. The jurisdiction of S over a

Proceedings of the 22nd IEEE Conference on Local Computer Networks (LCN’97)
0-8186-8141-1/97 $10.00 ã 1997 IEEE
            new session key is also believed b yA.                                                             K                 K
                                                                                               A 3 K; A j A $ S; A j S j A $ S
              S 3 PA ; S 3 ,KS ; S 3 K ; S j PA ; S j K ;                         That is, A and S shares K and ensures the authentic-
                S j K ; S j A $ S ; S j S ; S j,K!S ;
                                     K                        S         +
                                                                                        ity of it and each other.
                S j A $ S ; S j A  A j ;                                           4.3 Advanced Protocols
                                                                                          We introduce more protocols which are modi ed
            S believ es that he or she sharesA's password and that                      versions of our basic protocol for various purposes.
            K is a suitable key. The fact that S already has K                          4.3.1 Mutual Key Generation
            and believes its validit y migh be included in the nal                          By simple modi cation in our protocol, it is pos-
            results of protocol analysis.                                               sible to generate a new session key through partici-
              A 3 RA  RA ; A j RA  RA ; A j RA  RA ;
                      1     2               1           2               1           2   pants' mutual negotiation. F or this purpose, a new
               A 3 PA  RA ; A j PA  RA ; A j PA  RA ;
                            1                           1                           1
                                                                                        session key K can be generated by sev eral methods.
                                                                                        F or instance, w can use a one-way hash function or a
            That is, A possesses a one-time pad and a masked                            discrete logarithm problem. The protocol is as follows:
            password for a corresponding session, and believ es
            their freshness and recognizability.                                           1: A ! S : RA k RA k PA  RA KS
                                                                                                           1        2        1

                                                                                           2: S ! A : OP  RS k H PA  RA k K k RS 3
            F or an y run of the protocol:                                                 3: A ! S : H PA  RS k K k RA       1

            Message 1 : applying being-told ruleT1 and posses-
            sion rulesP1,P3,P8 we obtain S 3 RA , S 3 RA , and
                                                            1           2
                                                                                        Message 1 is equal to that of basic protocol. In step 2,
            S 3  PA RA. That is, S decrypts message 1.
                                                                                        S generates a new session key K as K = f H RA; RS    2

            Applying                              recognizability                       or K = f gxy mod n. In the latter case, since its se-
            ruleR1, being-told ruleT1, and message interpre-                        curit y is based on the di culty of calculating discrete
            tation ruleI'2 w e obtain S j RA ; RA ; K  RA 
                                                            1   2               1
                                                                                        logarithms in a nite eld, tw o random v    alues should
            and S j A j RA ; RA; K  RA . That is, A is au-
                                    1   2           1
                                                                                        satisfy RA = gx mod n and RS = gy mod n where n

            then ticated and message 1 is recognized.                                   is a large prime and g is a primitive root 2 .F unction
                                                                                        f  is required for optimizing the size of key. x and
            Message 2 : applying being-told ruleT1 and                                y are secret random values of A and S , respectively.
            possession-rulesP1,P3,P5 we obtain A 3 K . That                           The hash value is appended to ensure the integrit y
            is, A possesses K .                                                         and freshness of K . Message 3 is sent to S for ensur-
            Applying            recognizability           ruleR1,                     ing that A receiv edRS and generated K correctly .
            possession rulesP2,P4, recognizability rulesR1,R5,                      4.3.2 Using A's Public Key
            freshness rulesF1,F10, and message interpretation                            Our protocol can be modi ed to use A's public key
            ruleI3 w eobtain A j H  PA RA; K; RA            1       2
                                                                                        rather than S 's as follo ws:
            and A j S j H  PA RA; K; RA. 1           2

            Applying jurisdiction rulesJ2,J3 w e obtain A j                                   1: A ! S : KA PA
            S j A $ S . That is, A ensures that S believ es                                     2: S ! A : RS k K k PA  RS KA            4
            K.                                                 K
                                                                                                 3: A ! S : H PA  RS k K k RS 
            Applying jurisdiction ruleJ1 we obtian A j A $ S .
            That is, A also believes K .                                                In step 1, A's new public key KA is encrypted under
                                                                                        PA and sen t to S . Let's discuss the use of PA as an
            Message 3 : applying recognizability rulesR1,R5,                          encryption key. Let KA be a guessed KA which re-

            freshness rulesF1,F10, and message interpretation                         sulted from message 1 decrypted under PA , a guessed

            ruleI3 w eobtain S j H  PA RA; K; RA            2       1           PA . A ttackerscannot determine whether KA is cor-   0

            and S j A j H  PA RA; K; RA. 2           1                           rect in all messages because they cannot nd a correct
            Applying jurisdiction rulesJ2,J3 w e obtain S j                          priv ate k ey for bothKA and KA, and a random value

            A j A $ S . That is, S also ensures that A be-                             RS . As a result, w ecan say that KA is un veri able
                                                                                        in our protocol. Since KA is un veri abledata, the
            liev es K .                                                                 w eak secretPA can be used as an encryption key for
            F rom the protocol analysis abo vew esummarize the
                                                                                        KA. In step 2, S replies with a new session key which
            results as follows.                                                         are encrypted under KA. RS generated by S and the
                                 K                K
                                                                                        masked PA are included to ensure the freshness in au-
                   S 3 K; S j A $ S; S j A j A $ S                                   then tication.Message 3 is sent to S to ensure that A

Proceedings of the 22nd IEEE Conference on Local Computer Networks (LCN’97)
0-8186-8141-1/97 $10.00 ã 1997 IEEE
            receiv ed K correctly . Using PA which is masked by              2: A ! S : A k RA k RS k PA  RA KS       1            1                     1

            RS and the fact that A decrypted message 2 correctly,
            S is able to con rm the authenticity of A. Though A        We assume that A is a clien twho requests a service
            is authenticated by S in step 3, the modi ed version       and S is a serv er who pro videsit. After receiving a
            is as secure as basic protocol.                            request from A, S replies with message 1 instead of
            4.3.3 Not Using Public Key                                 a service reply. CERT S denotes a certi cate of S .
               We can modify our protocol not to use a complete        In step 2, A replies with encrypted message 2 for au-
            public key algorithm. This solves a problem of export      then tication. After initialization procedure, S is able
            limitation. The following protocol is only based upon      to pro vide an authen ticated service. But in a connec-
            the di culty of calculating discrete logarithms:           tionless en vironment, a succeeding authentication is
                                                                       necessary for next connection. In our protocol, the re-
                    1: A ! S : RA PA                                   peated procedure exists for succeeding services. The
                    2: S ! A : RS PA k H RA k RAS            5     repeated procedure is as follows for i = 1; 2; 3; ::::
                    3: A ! S : H RAS k RS                                 1: S ! A : RA  RS k
                                                                                             i      i                  +1

            In this protocol, random values should be generated                            H PA  RA k RS k A  S  7
                                                                                                         i    i                             +1

            under the condition of RA = gx mod n and RS =                   2: A ! S : RA  RS k
                                                                                             i       +1i                   +1

            gy mod n where n is a large prime and g is a primitive                         H PA  RA k RS k A  S 
                                                                                                         i      i           +1                   +1

            root. RAS denotes gxy mod n. We de ne that a new
            session key should be produced from H RAS  rather        After receiving the next request from A, S replies with
            than from RAS . That means K = f H gxy mod n.          message 1 to make A recognize RS . A replies with
                                                                                                            i                               +1

            We mentioned the use of x, y, and f  in section 5.1.     message 2 for authentication. The repeated procedure
            A distinctive feature in generating K is that a one-way    is performed iterativ ely. Compared with the initial-
            hash function is used to make RAS un veri able evn    e    ization procedure, the repeated procedure is ligh tto
            through K . Since RAS is un veri able data, an attac er
                                                                 k                             h
                                                                       compute. F or k ey excange, a new session key can be
            cannot succeed in guessing and in veri cation in spite     made as K = f H RA   RS  for eac h connection.
                                                                                             i        i
            of nding K . In step 1, A generates RA and sends
            message 1. In step 2, S replies with RS which is en-
                                                                       5 Security of Our Protocol
                                                                          We examine how secure our protocol is against sev-
            crypted under PA . Though K is made from RA and            eral kinds of attacks launched to nd out K or PA .
            RS , nobody can go inverse operation to nd RA and          5.1 O -line Guessing Attacks
            RS only through K . This is the property and secu-            O -line guessing attac ks are launched by recon-
            rity of the discrete logarithm problem and the one-        structing messages with guessed or veri ed elements
            w ay hash function.Since RA and RS are unveri able,        and by comparing them with messages eavesdropped.
            PA can be used as a cryptographic key for encrypting                                       to
                                                                       A ttackers can be classi ed in tw o kinds according to
            them. Hash value is appended to ensure the integrit y      their knowledge about a new session key K . One is an
            and freshness of K . Message 3 is sent to S for ensur-     inside attacker who knows K and the other is an out-
            ing that A receiv edRS and generated K correctly .         side attacker who does not know K 8, 10 . The inside
            4.3.4 Repeated Authentication                              attac k corresponds to the Denning-Sacco attac k 12 .
               We can extend our protocol to be accommodated           Even if K is stolen or compromised later, an attacker
            in a connectionless en vironment. Compared with a          can get nothing but OP and K . Thus, for verifying
            connection oriented environment, a connectionless en-      a guessed PA o line, an inside attacker should 2know
            vironment requires a repeated authentication for pro-      both RA and RA in advance. It requires 2 R1A RA op-
                                                                              1           2                                                                   j+j

            viding con tinuousservices. In other w ords,a clien t
                                                                                                                                                      j             j

            should be authenticated whenever sending a request.        erations in message 1 and 3. Since the inside attacker
            Thus, our connectionless protocol is composed of tw o      could nd OP in message 2, 2 RiA operations are re-       j       j

            procedures, an initialization procedure and a repeated     quired for nding both RA and RA . F or an outside at-
                                                                                                               1                    2

            procedure. While the initialization procedure needs a      tacker, while 2R1A 1 R2A 2 operations are required in mes-
                                                                                      j       j+j    j

            public key encryption, the repeated procedure does         sage 1 and 2, 2 RA RA K operations are required in
                                                                                          j    j+j       j+j       j

            a relativ ely ligh t computation suc h as a one-time       message 3. As a result, an yo -line guessing attacks
            padding and hashing. The initialization procedure is       are infeasible in our protocol.
            as follo ws:                                               5.2 On-line Guessing Attacks
                                                                          On-line guessing attack can be defeated by detec-
                  1: S ! A : S k RS k CERT S
                                                               6     tion of its failed guess 11 . F ailed guess means that an

Proceedings of the 22nd IEEE Conference on Local Computer Networks (LCN’97)
0-8186-8141-1/97 $10.00 ã 1997 IEEE
            incorrectly guessed password is tried for authentica-          same-sized pairs is extremely low. Even if they are
                                                       ticity of mes-
            tion. F or detection of failed guess, authen                   found, it is infeasible to cheat participants without
            sages should be ensured in the protocol 11 . Our pro-            nding the correct random values because attac kers
            tocol is designed deliberately to defeat undetectable          cannot make a correct one-time pad.
            on-line guessing attacks. As we mentioned previously,
            on-line guessing attack is launched by means of imper-         6 E ciency of Our Protocols
            sonating someone with guessed password or replaying               Most protocols, which cannot pro vide securit y in
            eavesdropped messages. When a impersonating at-                protecting weak secrets, are not the points to be con-
            tack is attempted on line, S can detect it easily by           sidered in our comparison. We compare our protocols,
            the masked PA in step 1. Replaying attack is as ex-            in terms of e ciency, only with other related protocols
            pensive as o -line guessing attac k because attac kers         which are known resistant to guessing attacks.
            should nd nonce values which are unveri able in our               As shown in table 1, our protocols are more e cient
            protocol. As a result, any on-line guessing attacks are        than other related protocols in terms of the number
            defeated in our protocol.                                      of protocol steps, random values, and cryptographic
                                                                                                                      tication and
                                                                           operations. F or tw o part y's direct authen
            5.3 Replay Attack                                                                                             e
                                                                           key exchange, we compare our tw o distinctiv proto-
               We examine the possiblity of gaining authenticity           cols suc h as protocol 1 and 4 with others. In all
            by repla ying message1. Since tw orandom numbers               of protocols which are resistan tto guessing attac ks,
            included in message 1 is used always to encrypt a new          a public key algorithm has been inevitable for defeat-
            session key in message 2, replaying the same message                                    k
                                                                           ing v eri able text attac s. How ev er, our protocol 5
            1 results in generating the same one-time pad. There-          solv es the problem at the cost of computation on dis-
            fore, if an adversary obtaines K by some cryptanalytic         crete logarithms.
            methods, then she can possess a corresponding one-
            time pad and message 1. By replaying message 1, it
            seems that the adversary can get K in the new mes-              Protocols        the number of
                                                                                             protocol steps
                                                                                                              the number of
                                                                                                              random values
                                                                                                                              the number of cryptographic operations
                                                                                                                              PublicKey      Conventional      Hash
            sage 2 because K might be encrypted under the same              Basic Protocol         3          A
                                                                                                                                  1                0             2

            one-time pad that w asfound. How ev er,the repla y              Protocol Using
                                                                            A's Public Key
                                                                                                   3          A
                                                                                                                                  1                1             1
            attac k is infeasible. The adv ersarymust reply with            Strengthened           5          A        2          1                3             2
            message 3 to complete the protocol but she cannot             EKE 7
                                                                            GLNS nonce             5
                                                                                                                       1          1                5             0
            construct the message in which not only the new ses-            direct 8
                                                                            Gong's                 3
                                                                                                                       1          1                3             0
            sion k ey but alsoRA , RA , and PA should be included.
                                1   2                                       Optimal 9                         S        2

            As w e kno w,it is compuationally infeasible to nd                   T able 1:E ciency Comparison of Protocols
            the conten ts. Thus, our protocol is secure against the
            message replay attac k.
            5.4 Attacks on K                                               7 Conclusion
               Since K is encrypted by one-time padding in mes-                                       e
                                                                              In this paper, we ha v proposed new cryptographic
            sage 2, an attacker should launch a brute force attack         protocols, which ensure security and e ciency in pro-
            to nd it in our protocol. It means that 2 K opera-
                                                         j   j
                                                                           tecting weak secrets from guessing attacks, for authen-
            tions are necessary. We assume that K is a cipher key          tication of communicating participants and for sharing
            for a famous conven tional bloc cipher system such as          of a session key. Compared with other related research
            DES, FEAL, or IDEA, and it is chosen well at random.           results 7, 8, 9 , our protocols are more e cient in terms
            Thus, K may ha v a su ciently large size such as 64
                               e                                           of the number of random values, cryptographic opera-
            bits or 128 bits to defeat a brute force attack. By ob-        tions, and protocol steps. It is due to the appropriate
            taining OP in advance or by verifying the hash value           use of one-time pad and one-way hash function which
            with guessed elements, an attacker could attempt to            are relatively fast and secure. Since we attempted to
              nd K . But it is more di cult for attacker to obtain                                       ty
                                                                           achiev e securit y and e cien in authentication proto-
            OP or to v erify hash v lue because at least 2 R1A R2A
                                    a                        j   j+j   j
                                                                           cols which are resistant to guessing attacks, our proto-
            operations are necessary. As a result, a new session           cols can be used in a variet y of area of computer com-
            key K can be distributed securely in our protocol.             munications. Protocols 1 is for common tw o part y
            5.5 Attacks on H                                             authentication. Protocol 3 is for generating a session
               We assume the use of strong one-way hash function                               t
                                                                           key b y participans' negotiation. While protocol 4 is
            in our protocol. F or an attac on integrity by nding
                                            k                              for using A's public key, protocol 5 is for not using
            collision pairs of hash value, the probability to nd the       a complete public key algorithm. Protocol 6 7 is

Proceedings of the 22nd IEEE Conference on Local Computer Networks (LCN’97)
0-8186-8141-1/97 $10.00 ã 1997 IEEE
            for repeated authentication in a connectionless en vi-      12 D.Denning and G.Sacco, Timestamps in Key
            ronment.                                                       Distribution Protocols," Communications of the
                                                                           A CM, V  ol.24, No.8, pp.533-536, 1981
              1 T.Kwon, M.Kang, and J.Song, An Adaptable                                                   t
                                                                        13 D.Otw ay and O.Rees, E cien and Timely Mu-
                and Reliable Authentication Protocol for Com-              tual Authentication," A CMOperating Systems
                munication Net w orks,"IEEE INFOCOM 97,                    Review, Vol.21, No.1, pp.8-10, 1987
                pp.738-745, 1997.                                       14 C.Meadows, Applying F ormal Methods to the
              2 W.Di e and M.Hellman, New Directions in                    Analysis of a Key Management Protocol," Jour-
                Cryptography," IEEE T ransactionson Informa-               nal of Computer Security, V ol.1,No.1, pp.5-35,
                tion Theory, Vol.22, No.6, pp.644-654, Nov. 1976.          1992
              3 R.Needham and M.Schroeder, Using Encryption             15 M.Burrows, M.Abadi, and R.Needham, A Logic
                F or Authentication in Large Net w orks f Com-
                                                      o                    of Authentication," T echnicalReport SRC TR
                puters," Communications of the A CM, V ol.21,              39, Digital Equipment Corporation, Feb. 1989
                No.12, pp.993-999, Dec. 1978                            16 L.Gong, R.Needham, and R.Yahalom, Reason-
                                                                           ing about Belief in Cryptographic Protocols,"
              4 R.Morris and K.Thompson, Password Security:                IEEE Symposium on Research in Security and
                A Case History," Communications of the A CM,               Priv acy , pp.234-248, 1990
                vol.22, no.11, pp.594-597, Nov. 1979
                                                                        17 B.Schneier, Applied Cryptography , 2nd ed., John
              5 D.Feldmeier and P.Karn UNIX Password Secu-                 Wiley & Sons, 1996
                rity - T en Y earsLater," Crypto'89, V ol.435of
                LNCS, pp.44-63, 1989
              6 D.Klein F oilingthe Cracker: A Survey of, and
                Improvements to P assw Security," the 2nd
                USENIX Unix Security Workshop, pp.5-14, Aug.
              7 S.Bellovin and M.Merritt, Encrypted Key Ex-
                change : P assw    ord-Based Protocols Secure
                Against Dictionary A ttacks,"IEEE Computer
                Societ y Symposium on Researc in Security and
                Priv acy , pp.24-29, 1995
              8 L.Gong, M.Lomas, R.Needham, and J.Saltzer,
                 Protecting P oorlyChosen Secrets from Guess-
                ing Attacks," IEEE Journal on Selected Area in
                Communications, vol.11, no.5, pp.648-656, June
              9 L.Gong, Optimal Authentication Protocols Re-
                sistant to Password Guessing Attacks," 8th IEEE
                Computer Security Foundation Workshop, pp.24-
                29, June 1995
             10 L.Gong, V eri able-text A ttacks in Crypto-
                graphic Protocols," IEEE INFOCOM 90, pp.686-
                693, 1990
             11 Y.Ding and P .Hoster, Undetectable On-line
                P assw Guessing A ttacks,"A CM Operating
                Systems Review, vol.29, no.4, pp.77-86, Oct. 1995

Proceedings of the 22nd IEEE Conference on Local Computer Networks (LCN’97)
0-8186-8141-1/97 $10.00 ã 1997 IEEE

To top