Because cross-realm C2C-PAKE (client-to-client password authenticated key exchange) protocols can not resist some attacks, this paper writes up new attacks on two representative protocols, then designs a new cross-r...Because cross-realm C2C-PAKE (client-to-client password authenticated key exchange) protocols can not resist some attacks, this paper writes up new attacks on two representative protocols, then designs a new cross-realm C2C-PAKE protocol with signature and optimal number of rounds for a client (only 2-rounds between a client and a server). Finally, it is proved that the new protocol can be resistant to all known attacks through heuristic analysis and that it brings more security through the comparisons of security properties with other protocols.展开更多
Dragonfly is Password Authenticated Key Exchange protocol that uses a shared session key to authenticate parties based on pre-shared secret password. It was claimed that this protocol was secure against off-line dicti...Dragonfly is Password Authenticated Key Exchange protocol that uses a shared session key to authenticate parties based on pre-shared secret password. It was claimed that this protocol was secure against off-line dictionary attack, but a new research has proved its vulnerability to off-line dictionary attack and proving step was applied by using “Patched Protocol” which was based on public key validation. Unfortunately, this step caused a raise in the computation cost, which made this protocol less appealing than its competitors. We proposed an alternate enhancement to keep this protocol secure without any extra computation cost that was known as “Enhanced Dragonfly”. This solution based on two-pre-shared secret passwords instead of one and the rounds between parties had compressed into two rounds instead of four. We prove that the enhanced-Dragonfly protocol is secure against off-line dictionary attacks by analyzing its security properties using the Scyther tool. A simulation was developed to measure the execution time of the enhanced protocol, which was found to be much less than the execution time of patched Dragonfly. The off-line dictionary attack time is consumed for few days if the dictionary size is 10,000. According to this, the use of the enhanced Dragonfly is more efficient than the patched Dragonfly.展开更多
Cross-domain password-based authenticated key exchange (PAKE) protocols have been studied for many years. However, these protocols are mainly focusing on multi-participant within a single domain in an open network e...Cross-domain password-based authenticated key exchange (PAKE) protocols have been studied for many years. However, these protocols are mainly focusing on multi-participant within a single domain in an open network environment. This paper proposes a novel approach for designing a cross-domain group PAKE protocol, that primarily handles with the setting of multi-participant in the multi- domain. Moreover, our protocol is proved secure against active adversary in the Real-or-Random (ROR) model. In our protocol, no interaction occurs between any two domain authentication servers. They are regarded as ephemeral certificate authorities (CAs) to certify key materials that participants might subsequently use to exchange and agree on group session key. We further justify the computational complexity and measure the average computation time of our protocol. To the best of our knowledge, this is the first work to analyze and discuss a provably secure multi-participant cross-domain group PAKE protocol.展开更多
Three-party password authenticated key exchange (3PAKE) protocol plays a significant role in the history of secure communication area in which two clients agree a robust session key in an authentic manner based on pas...Three-party password authenticated key exchange (3PAKE) protocol plays a significant role in the history of secure communication area in which two clients agree a robust session key in an authentic manner based on passwords. In recent years, researchers focused on developing simple 3PAKE (S-3PAKE) protocol to gain system e?ciency while preserving security robustness for the system. In this study, we first demonstrate how an undetectable on-line dictionary attack can be successfully applied over three existing S-3PAKE schemes. An error correction code (ECC) based S-3PAKE protocol is then introduced to eliminate the identified authentication weakness.展开更多
Password-based authenticated key exchange(PAKE) protocols are cryptographic primitives which enable two entities,who only share a memorable password,to identify each other and to communicate over a public unreliable n...Password-based authenticated key exchange(PAKE) protocols are cryptographic primitives which enable two entities,who only share a memorable password,to identify each other and to communicate over a public unreliable network with a secure session key.In this paper,we propose a simple,efficient and provably secure PAKE protocol based on Diffie-Hellman key exchange and cryptographic hash function.Our protocol is secure against dictionary attacks.Its security is proved based on the hardness of the computational Diffie-Hellman problem in the random oracle model.展开更多
基金the National Natural Science Foundation of China (2007AA01Z431)
文摘Because cross-realm C2C-PAKE (client-to-client password authenticated key exchange) protocols can not resist some attacks, this paper writes up new attacks on two representative protocols, then designs a new cross-realm C2C-PAKE protocol with signature and optimal number of rounds for a client (only 2-rounds between a client and a server). Finally, it is proved that the new protocol can be resistant to all known attacks through heuristic analysis and that it brings more security through the comparisons of security properties with other protocols.
文摘Dragonfly is Password Authenticated Key Exchange protocol that uses a shared session key to authenticate parties based on pre-shared secret password. It was claimed that this protocol was secure against off-line dictionary attack, but a new research has proved its vulnerability to off-line dictionary attack and proving step was applied by using “Patched Protocol” which was based on public key validation. Unfortunately, this step caused a raise in the computation cost, which made this protocol less appealing than its competitors. We proposed an alternate enhancement to keep this protocol secure without any extra computation cost that was known as “Enhanced Dragonfly”. This solution based on two-pre-shared secret passwords instead of one and the rounds between parties had compressed into two rounds instead of four. We prove that the enhanced-Dragonfly protocol is secure against off-line dictionary attacks by analyzing its security properties using the Scyther tool. A simulation was developed to measure the execution time of the enhanced protocol, which was found to be much less than the execution time of patched Dragonfly. The off-line dictionary attack time is consumed for few days if the dictionary size is 10,000. According to this, the use of the enhanced Dragonfly is more efficient than the patched Dragonfly.
基金This paper was supported by National 863 Program (2013AA01A212), the National Natural Science Foundation of China (Grant Nos. 61370063, 61272512 and 61300177). Beijing Municipal Natural Science Foundation (4121001), Basic Research Foundation of Beijing Institute of Technology (20120742010 and 2013074200).
文摘Cross-domain password-based authenticated key exchange (PAKE) protocols have been studied for many years. However, these protocols are mainly focusing on multi-participant within a single domain in an open network environment. This paper proposes a novel approach for designing a cross-domain group PAKE protocol, that primarily handles with the setting of multi-participant in the multi- domain. Moreover, our protocol is proved secure against active adversary in the Real-or-Random (ROR) model. In our protocol, no interaction occurs between any two domain authentication servers. They are regarded as ephemeral certificate authorities (CAs) to certify key materials that participants might subsequently use to exchange and agree on group session key. We further justify the computational complexity and measure the average computation time of our protocol. To the best of our knowledge, this is the first work to analyze and discuss a provably secure multi-participant cross-domain group PAKE protocol.
基金the National Science Council (Nos. NSC 99-2218-E-011-014 and NSC 100-2219-E-011-002)
文摘Three-party password authenticated key exchange (3PAKE) protocol plays a significant role in the history of secure communication area in which two clients agree a robust session key in an authentic manner based on passwords. In recent years, researchers focused on developing simple 3PAKE (S-3PAKE) protocol to gain system e?ciency while preserving security robustness for the system. In this study, we first demonstrate how an undetectable on-line dictionary attack can be successfully applied over three existing S-3PAKE schemes. An error correction code (ECC) based S-3PAKE protocol is then introduced to eliminate the identified authentication weakness.
基金the National Natural Science Foundation of China(Nos.60703094 and 61070217)
文摘Password-based authenticated key exchange(PAKE) protocols are cryptographic primitives which enable two entities,who only share a memorable password,to identify each other and to communicate over a public unreliable network with a secure session key.In this paper,we propose a simple,efficient and provably secure PAKE protocol based on Diffie-Hellman key exchange and cryptographic hash function.Our protocol is secure against dictionary attacks.Its security is proved based on the hardness of the computational Diffie-Hellman problem in the random oracle model.
基金Project supported by Liaoning Provincial Natural Science Foundation(No.20102202,No.201102201)Foundation of Liaoning Educational Committee(No.2009A665)Liaoning Baiqianwan Talents Program