Modular Design and Analysis Framework for Multi-Factor Authentication and Key Exchange

Multi-Factor Authentication (MFA), often coupled with Key Exchange (KE), offers very strong protection for secure communication and has been recommended by many major governmental and industrial bodies for use in highly sensitive applications. Instantiations of the MFA concept vary in practice and in the research literature and various efforts in designing secure MFA protocols have proven unsuccessful. We present a modular approach to the design and analysis of arbitrary MFAKE protocols, in form of an (α, β, γ)-MFAKE framework, that can accommodate multiple types and quantities of authentication factors, focusing on the three widely adopted categories that provide evidence of knowledge, possession, and physical presence. The framework comes with (i) a model for generalized MFAKE that implies some known flavors of singleand multi-factor Authenticated Key Exchange (AKE), and (ii) generic and modular constructions of secure MFAKE protocols that can be tailored to the needs of a particular application. Our generic (α, β, γ)-MFAKE protocol is based on the new notion of tag-based MFA that in turn implies tag-based versions of many existing single-factor authentication schemes. We show examples and discuss generic ways to obtain tag-based flavors of password-based, public key-based, and biometric-based authentication protocols. By combining multiple single-factor tag-based authentication-only protocols with a single run of an Unauthenticated Key Exchange (UKE) we construct (α, β, γ)-MFAKE that is in most cases superior to the black-box combination of single-factor AKE schemes.

[1]  Olivier Chevassut,et al.  One-Time Verifier-Based Encrypted Key Exchange , 2005, Public Key Cryptography.

[2]  Feng Hao On Robust Key Agreement Based on Public Key Authentication , 2010, Financial Cryptography.

[3]  Chun-Ta Li,et al.  An efficient biometrics-based remote user authentication scheme using smart cards , 2010, J. Netw. Comput. Appl..

[4]  Rafail Ostrovsky,et al.  Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data , 2004, SIAM J. Comput..

[5]  Douglas Stebila,et al.  Multi-Factor Password-Authenticated Key Exchange , 2010, AISC.

[6]  Bart Jacobs,et al.  Dismantling MIFARE Classic , 2008, ESORICS.

[7]  Craig Gentry,et al.  A Method for Making Password-Based Key Exchange Resilient to Server Compromise , 2006, CRYPTO.

[8]  Alfred Menezes,et al.  Key Agreement Protocols and Their Security Analysis , 1997, IMACC.

[9]  Rafail Ostrovsky,et al.  Forward Secrecy in Password-Only Key Exchange Protocols , 2002, SCN.

[10]  Qiang Tang,et al.  An Application of the Goldwasser-Micali Cryptosystem to Biometric Authentication , 2007, ACISP.

[11]  Dongho Won,et al.  Enhancement of two-factor authenticated key exchange protocols in public wireless LANs , 2010, Comput. Electr. Eng..

[12]  Sang Kyu Park,et al.  Two Factor Authenticated Key Exchange (TAKE) Protocol in Public Wireless LANs , 2004 .

[13]  Feng Hao On robust key agreement based on public key authentication , 2014 .

[14]  Xavier Boyen,et al.  Reusable cryptographic fuzzy extractors , 2004, CCS '04.

[15]  John A. Clark,et al.  Cryptanalysis of Song's advanced smart card based password authentication protocol , 2011, ArXiv.

[16]  Flavio D. Garcia,et al.  Dismantling SecureMemory, CryptoMemory and CryptoRF , 2010, CCS '10.

[17]  David Pointcheval,et al.  Simple Password-Based Encrypted Key Exchange Protocols , 2005, CT-RSA.

[18]  David Pointcheval,et al.  Password-Based Authenticated Key Exchange in the Three-Party Setting , 2005, Public Key Cryptography.

[19]  Kristin E. Lauter,et al.  Stronger Security of Authenticated Key Exchange , 2006, ProvSec.

[20]  David Pointcheval,et al.  Multi-factor Authenticated Key Exchange , 2008, ACNS.

[21]  Christof Paar,et al.  On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoqCode Hopping Scheme , 2008, CRYPTO.

[22]  Xiong Li,et al.  Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards , 2011, J. Netw. Comput. Appl..

[23]  Mihir Bellare,et al.  Authenticated Key Exchange Secure against Dictionary Attacks , 2000, EUROCRYPT.

[24]  Kenneth G. Paterson,et al.  One-Time-Password-Authenticated Key Exchange , 2010, ACISP.

[25]  Xiaomin Wang,et al.  An Efficient and Secure Biometric Remote User Authentication Scheme Using Smart Cards , 2008, 2008 IEEE Pacific-Asia Workshop on Computational Intelligence and Industrial Application.

[26]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[27]  Rafail Ostrovsky,et al.  Secure Remote Authentication Using Biometric Data , 2005, EUROCRYPT.

[28]  Andreas Dresen An Authentication Protocol with encrypted Biometric Data , 2010 .

[29]  Craig Gentry,et al.  Password authenticated key exchange using hidden smooth subgroups , 2005, CCS '05.

[30]  Emiliano De Cristofaro,et al.  Private discovery of common social contacts , 2011, International Journal of Information Security.

[31]  Cas J. F. Cremers Examining indistinguishability-based security models for key exchange protocols: the case of CK, CK-HMQV, and eCK , 2011, ASIACCS '11.

[32]  Tibor Jager,et al.  Generic Compilers for Authenticated Key Exchange , 2010, ASIACRYPT.

[33]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[34]  Feng Hao,et al.  Security Analysis of a Multi-factor Authenticated Key Exchange Protocol , 2012, ACNS.

[35]  Ronggong Song Advanced smart card based password authentication protocol , 2010, Comput. Stand. Interfaces.

[36]  Moti Yung,et al.  Fourth-factor authentication: somebody you know , 2006, CCS '06.