An RSA-Based Leakage-Resilient Authenticated Key Exchange Protocol Secure against Replacement Attacks, and Its Extensions

Secure channels can be realized by an authenticated key exchange (AKE) protocol that generates authenticated session keys between the involved parties. In [32], Shin et al. proposed a new kind of AKE (RSA-AKE) protocol whose goal is to provide high efficiency and security against leakage of stored secrets as much as possible. Let us consider more powerful attacks in which an adversary completely controls both the communications and the stored secrets (the latter are denoted “replacement” attacks). In this paper, we first show that the RSA-AKE protocol [32] is no longer secure against such an adversary. The main contributions of this paper are as follows: (1) we propose an RSA-based leakage-resilient AKE (RSA-AKE2) protocol that is secure against active attacks as well as replacement attacks; (2) we prove that the RSA-AKE2 protocol is secure against replacement attacks based on number-theoretic results; (3) we show that it is provably secure in the random oracle model, by a reduction to the RSA one-wayness, under an extended model that covers active attacks and replacement attacks; (4) in terms of efficiency, the RSA-AKE2 protocol is comparable to [32] in the sense that the client needs to compute only one modular multiplication with pre-computation; and (5) we also discuss extensions of the RSA-AKE2 protocol for several security properties (i.e., synchronization of stored secrets, privacy of the client, and a solution to server compromise-impersonation attacks).

[1] Steven M. Bellovin et al. Encrypted key exchange: password-based protocols secure against dictionary attacks, 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[2] Mihir Bellare et al. Random oracles are practical: a paradigm for designing efficient protocols, 1993, CCS '93.

[3] Silvio Micali et al. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks, 1988, SIAM J. Comput.

[4] David Pointcheval et al. Trapdoor Hard-to-Invert Group Isomorphisms and Their Application to Password-Based Authentication, 2006, Journal of Cryptology.

[5] SeongHan Shin et al. Leakage-Resilient Authenticated Key Establishment Protocols, 2003, ASIACRYPT.

[6] Jerome H. Saltzer et al. Protecting Poorly Chosen Secrets from Guessing Attacks, 1993, IEEE J. Sel. Areas Commun.

[7] Alfred Menezes et al. Handbook of Applied Cryptography, 2018.

[8] David Pointcheval et al. Multi-factor Authenticated Key Exchange, 2008, ACNS.

[9] Gerhard Rosenberger et al. Number Theory: An Introduction via the Distribution of Primes, 2006.

[10] Adi Shamir et al. A method for obtaining digital signatures and public-key cryptosystems, 1978, CACM.

[11] SeongHan Shin et al. A Simple Leakage-Resilient Authenticated Key Establishment Protocol, Its Extensions, and Applications, 2005, IEICE Trans. Fundam. Electron. Commun. Comput. Sci.

[12] Mihir Bellare et al. Authenticated Key Exchange Secure against Dictionary Attacks, 2000, EUROCRYPT.

[13] Whitfield Diffie et al. New Directions in Cryptography, 1976, IEEE Trans. Inf. Theory.

[14] Sarvar Patel et al. Password-Authenticated Key Exchange Based on RSA, 2000, ASIACRYPT.

[15] Feng Zhu et al. More Efficient Password Authenticated Key Exchange Based on RSA, 2003, INDOCRYPT.

[16] Dongho Won et al. Efficient Password-Authenticated Key Exchange Based on RSA, 2007, CT-RSA.

[17] Maurizio Kliban Boyarsky et al. Public-key cryptography and password protocols: the multi-user case, 1999, CCS '99.

[18] Tsuyoshi Takagi et al. Fast RSA-Type Cryptosystem Modulo p^k q, 1998, CRYPTO.

[19] Chris J. Mitchell et al. Installing Fake Root Keys in a PC, 2005, EuroPKI.

[20] Adi Shamir et al. How to share a secret, 1979, CACM.

[21] Sarvar Patel et al. Number theoretic attacks on secure password schemes, 1997, Proceedings 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[22] Giovanni Maria Sacco et al. Timestamps in key distribution protocols, 1981, CACM.

[23] Vladimir Kolesnikov et al. Key Exchange Using Passwords and Long Keys, 2006, TCC.

[24] Muxiang Zhang. New Approaches to Password Authenticated Key Exchange Based on RSA, 2004, ASIACRYPT.

[25] SeongHan Shin et al. An Efficient and Leakage-Resilient RSA-Based Authenticated Key Exchange Protocol with Tight Security Reduction, 2007, IEICE Trans. Fundam. Electron. Commun. Comput. Sci.

[26] Hugo Krawczyk et al. Public-key cryptography and password protocols, 1999.

[27] Li Gong et al. Optimal authentification protocols resistant to password guessing attacks, 1995, Proceedings of the Eighth IEEE Computer Security Foundations Workshop.

[28] Nikolaos Kritikos. Lectures on Number Theory, 1985.

[29] Xiaotie Deng et al. Two-factor mutual authentication based on smart cards and passwords, 2008, J. Comput. Syst. Sci.

[30] Craig Gentry et al. A Method for Making Password-Based Key Exchange Resilient to Server Compromise, 2006, CRYPTO.