An Efficient and Leakage-Resilient RSA-Based Authenticated Key Exchange Protocol with Tight Security Reduction

Both mutual authentication and generation of session keys can be accomplished by an authenticated key exchange (AKE) protocol. Consider the following situation: (1) a client, who communicates with many different servers, remembers only one password and has insecure devices (e.g., mobile phones or PDAs) with very restricted computing power and built-in memory capacity; (2) the counterpart servers have enormous computing power, but they are not perfectly secure against various attacks (e.g., viruses or hackers); (3) neither a PKI (Public Key Infrastructure) nor TRMs (Tamper-Resistant Modules) are available. The main goal of this paper is to provide security against the leakage of stored secrets as well as to attain high efficiency on the client's side. To that end, we propose an efficient and leakage-resilient RSA-based AKE (RSA-AKE) protocol suitable for the above situation, whose authenticity is based on a password and another stored secret. In the extended model where an adversary is given access to the stored secret of the client, we prove that the security of the RSA-AKE protocol reduces tightly to the one-wayness of RSA in the random oracle model. We also show that the RSA-AKE protocol guarantees several further security properties (e.g., security of the password, a multiple-server scenario with only one password, perfect forward secrecy, and anonymity). To the best of our knowledge, the RSA-AKE protocol is the most efficient, in terms of both the client's computation costs and communication costs, among previous AKE protocols of its kind (using a password and RSA).
