Applied Cryptography and Network Security

This paper shows several security weaknesses of a Multi-Factor Authenticated Key Exchange (MK-AKE) protocol proposed by Pointcheval and Zimmer at ACNS'08. The Pointcheval-Zimmer scheme was designed to combine three authentication factors in one system: a password, a secure token (which stores a private key) and biometrics. In a formal model, Pointcheval and Zimmer proved that an attacker has to break all three factors to win. However, that model only considers the threat of an attacker impersonating the client; it does not discuss what happens if the attacker impersonates the server. We fill this gap by analyzing the case of server impersonation, which is a realistic threat in practice. We assume that an attacker has already compromised the password, and we then present two further attacks: in the first, the attacker is able to steal a fresh biometric sample from the victim without being noticed; in the second, he can discover the victim's private key using the Chinese Remainder Theorem. Both attacks have been experimentally verified. In summary, an attacker actually only needs to compromise the single password factor in order to break the entire system. We also discuss the deficiencies in the Pointcheval-Zimmer formal model and countermeasures to our attacks.
