Cryptanalysis of Two Provably Secure Cross-Realm C2C-PAKE Protocols

Password-Authenticated Key Exchange (PAKE) protocols allow parties to establish shared secret keys in an authenticated manner based on an easily memorizable password. Byun et al. first proposed a cross-realm client-to-client (C2C) PAKE that allows clients of different realms (with different trusted servers) to establish a key. Subsequent work includes several attacks and a few other variants designed either to resist existing attacks or to improve efficiency. However, all these variants were designed with only heuristic security analysis, even though well-founded provable security models already exist for PAKEs, e.g. the Bellare-Pointcheval-Rogaway model. Recently, the first provably secure cross-realm C2C-PAKE protocols were independently proposed by Byun et al. and by Yin-Bao; i.e. their security is proven rigorously within a formally defined security model and based on the hardness of computationally intractable assumptions. In this paper, we show that both protocols fall to undetectable online dictionary attacks by any adversary. Furthermore, we show that malicious servers can launch successful man-in-the-middle attacks on the variant by Byun et al., while the Yin-Bao variant inherits a weakness against unknown key-share attacks. Designing provably secure protocols is indeed the right approach, but our results show that such proofs should be interpreted with care.
