RSA-Based Password-Authenticated Key Exchange, Revisited

RSA-based Password-Authenticated Key Exchange (PAKE) protocols have been proposed to realize both mutual authentication and generation of secure session keys in a setting where a client shares his/her password only with a server, and the server must generate its RSA public/private key pair (e, n), (d, n) every time due to the lack of a PKI (Public-Key Infrastructure). One way to avoid a special kind of off-line attack (the so-called e-residue attack) in RSA-based PAKE protocols is to deploy a challenge/response method by which a client interactively verifies, with the server, the relative primality of e and φ(n). However, RSA-based PAKE protocols of this kind did not give any proof of the underlying challenge/response method and therefore could not specify the exact complexity of their protocols, since the challenge/response method requires another security parameter. In this paper, we first present an RSA-based PAKE (RSA-PAKE) protocol that can deploy two different challenge/response methods (denoted by Challenge/Response Method1 and Challenge/Response Method2). The main contributions of this work include: (1) Based on number theory, we prove that Challenge/Response Method1 and Challenge/Response Method2 are secure against e-residue attacks for any odd prime e; (2) With the security parameter for on-line attacks, we show that the RSA-PAKE protocol is provably secure in the random oracle model, where all off-line attacks are no more efficient than on-line dictionary attacks; and (3) By considering the Hamming weight of e and its complexity in the RSA-PAKE protocol, we search for primes to be recommended for practical use. We also compare the RSA-PAKE protocol with the previous ones, mainly in terms of computation and communication complexities.
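The following is an added example, not code from the paper: it brute-forces toy moduli to show the number-theoretic condition the abstract refers to, namely that x -> x^e mod n permutes the units of Z_n exactly when gcd(e, φ(n)) = 1. The moduli 77 and 91, the exponents and all function names are constructed for illustration. A real client cannot run this check because it does not know the factorization of n, which is why an interactive challenge/response is needed.

```python
from math import gcd


def unit_group(n):
    """All x in [1, n) with gcd(x, n) = 1, i.e. the group Z_n^*."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def e_residues(e, n):
    """Set of e-th residues: every value x^e mod n for x in Z_n^*."""
    return {pow(x, e, n) for x in unit_group(n)}


def is_permutation(e, n):
    """True when RSA encryption with (e, n) is a bijection on Z_n^*."""
    return len(e_residues(e, n)) == len(unit_group(n))


def residue_report(e, n):
    """Return (gcd(e, phi(n)), number of e-th residues, phi(n)).

    phi(n) is obtained by counting units, which is only feasible
    because the constructed moduli here are tiny.
    """
    phi = len(unit_group(n))
    return gcd(e, phi), len(e_residues(e, n)), phi


if __name__ == "__main__":
    # Constructed toy parameters: 77 = 7 * 11 (phi = 60), 91 = 7 * 13 (phi = 72).
    for e, n in [(7, 77), (3, 77), (5, 91), (3, 91)]:
        g, residues, phi = residue_report(e, n)
        verdict = "permutation" if is_permutation(e, n) else "NOT a permutation"
        print(f"e={e} n={n}: gcd(e, phi)={g}, "
              f"{residues}/{phi} units are e-th residues -> {verdict}")
```

When gcd(e, φ(n)) > 1, only a fraction of the units are e-th residues, so a value that the protocol requires to be an e-th residue is no longer uniformly distributed over Z_n^*.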