I. Introduction
A human memorable password has steadily been a popular mean for authenticating clients over the Internet. The reason is that the password has strengths such that it is easy to be memorized and implemented. Such advantage not only brings clients much convenience but also provides system administrators with economic profits when implementing an authentication system in practice. In fact, most authentication systems rely on password authentication to verify the identity of a user before allowing user to login and obtain various network resources. In addition to the authentication, securely agreeing a common session key between a client and a server is one of the indispensable services for a secure communication over the Internet. The agreed session keys are used to guarantee confidentiality by encrypting (or decrypting) confidential messages and verifying message authentication codes.
In order to provide both the authentication and the confidentiality, an efficient and secure integration of a password-based authentication and a key agreement protocol has been widely studied in the literature. Generally, we call this compound notion as PAKA (password-based authenticated key agreement). However, it has been a challengeable task to design the PAKA protocol satisfying both security and efficiency [4,5,6,7,8,9,10,11,12,13,14,15,17]. It is mainly due to that a selected password from a small space allows an adversary to mount off-line dictionary attacks in which the adversary tries all possible combinations of secret values such as telephone number and identification number in a given small set of dictionary. Nevertheless, many secure PAKA protocols have been suggested and studied in terms of general constructions using minimum cryptographic primitives and how to securely extend to multi-party setting.
However, most PAKA protocols have concentrated on a classical authentication between a client and a server. The issue is that the PAKA protocol itself has limitations to meet various requests of authentication in an end-to-end situation between realms where a client Alice in a realm A wants to establish a secure session with a client Bob in a realm B. To achieve end-to-end security, the setting such that all participants have a same password is not practical since a password is not a common secret but a secret depending on an individual. Thus, following question is naturally raised: If the password is already pre-distributed in a secure manner, respectively, why don't we generate a common session key by using different passwords?
1.1 Related Works and Contributions
To address the above practical issue, Byun et al. have first designed a client to client password authenticated key agreement (C2C-PAKA) with different password which enables two clients only holding own password to mutually authenticate and derive a common session key. Since then, the C2C-PAKA protocol has been extensively analyzed and revised under the various security aspects such as kinds of impersonation and known key attacks based on the diverse attacker's behaviors [16]. In fact, a few improved protocols have been suggested and subsequently have been found to be flawed. Despite of many attempts of cryptanalysis, there are still possibilities that new security breaches can be found because their all security analysis are based on the heuristic approach. In 2007, Byun et al. have first attempted to establish a formal security model for C2C-PAKA and presented a new efficient C2C-PAKA (EC2C-PAKA) with formal security proof [2].
However, in 2009, Feng and Xu have promptly pointed out that the EC2C-PAKA protocol is not secure in terms of a password impersonation attack. Generally, the security on password impersonation means that revealment of client Alice's password should not enable an outside attacker to share a session key with Alice by masquerading as any other client, Bob [1]. They insisted that an attacker A holding a password of Alice is able to make forged authentication messages to be able to pass a verification phase by Alice without being noticed by Alice. Thus, A can share a session key with Alice by masquerading as Bob.
In this paper, first of all, we show that the EC2C-PAKA protocol is secure against a password impersonation attack. Concretely, we demonstrate that the original EC2C-PAKA protocol does not allow the attacker A' even obtaining Alice's password to pass a verification phase for Alice. Second, we examine the security of the improved protocol which has been suggested as a countermeasure against the password impersonation attack by Feng and Xu [1]. Interestingly, the protocol is found to be susceptible against an impersonation attack in which a malicious server in realm A can impersonate any client in realm B. We show how it is possible in the protocol. We finally discuss a countermeasure against the attack.
1.2 Organization
Next chapter we revisit an EC2C-PAKA protocol by Byun et al.[2] In Chapter 3, we show that the EC2C-PAKA protocol is secure against a password impersonation attack. In Chapter 4, we describe the improved protocol by Feng and Xu and demonstrate that it is insecure against an impersonation attack. We conclude in Chapter 5.
II. Overview of EC2C-PAKA Protocol
We assume a large safe prime order q over #. A hash function H is defined as H(•):{0,1} *→0,1l where l is the output size of hash function. Two encryption functions are used; one is an ideal cipher such as one in [3] which is a random one-to-one function such that EK:M→C where |M| = |C| and the other function is a CCA (chosen ciphertext attack) secure symmetric encryption E. Notations throughout paper are listed in Table 1.
[Table 1] Notations
2.1 Protocol Preliminaries
Preliminaries for a protocol run are as follows.
1. g and q are global public parameters shared by all protocol participants, where q is a prime order and g is a generator over a cyclic group #.
2. Alice (Bob) shares her password pwa (pwb) with server KDCA (KDCB, respectively) by using algorithms Gpw and R.
2.2 Protocol Description of EC2C-PAKA
The EC2C-PAKA protocol is illustrated in Figure 1. It works as follows.
[Figure 1] The original EC2C-PAKA Protocol
1. Alice chooses a random value x from # randomly then computes gx and sends Ex= εpwa(gx) to KDCA along with IDA and IDB
2. KDCA obtains gx by decrypting Ex, chooses y∊# andomly, and computesv Ey = εpwa(gy) and R=H(gxy). KDCA also generates a random key k from # for Alice and Bob and computes ER = ER(k,IDA,IDB). KDCA specifies L, a lifetiom of TicketB. Then KDCA makes TicketB ( =EK(k,IDA,IDB,L)) and sends Ey, ER, and TicketB To Alice.
3. Upon receiving the message from KDCA , Alice computes an ephemeral key R and decrypts ER to obtain the distributed key k. Alice also checks whether IDA and IDB are correct or not. The encrypted message, ER(gx) is also sent to Bob for authentication
4. Alice generates a random value a ∊ # and makes Ea = (ga#.) Then she forwards IDA, Ea , and TicketB to Bob.
5. Bob chooses y′ ∊ # randomly and computes Ey'=Epwb(gy'). Then he sends Ey' and TicketB to KDCB.
6. KDCB obtains k, L, and IDA by decrypting TicketB by using its key K. KDCB first examines the validity of TicketB by checking the lifetime L and IDA . If the validation check is successful, KDCB selects x' ∊ # randomly and computes Ex'=Epwb(gx'). and ER = ER(k,IDA,IDB) where R' is H(gx'y') KDCB finally sends Ex' and ER' to Bob.
7. Bob decrypts Ex' and computes R'(= H(gx'y')). Then Bob decrypts ER' = ER(k,IDA,IDB) to get the key k. Bob computes ER' (gy') for a random y′ ∊ # and send it to KDCB for authentication.
8. Bob decrypts Ex' and computes R'. Then Bob decrypts ER' to get the key . Using the key k, Bob checks ga by verifying the previously received Ea . Bob generates a random value b ∊ # and makes sk'(=H(IDA,IDB,ga,gb,gab) and Eb = Eb(# ). Finally Bob sends Eb to Alice. Upon receiving the message Eb , Alice also generates a common session key sk.
9. Upon receiving the message, Alice confirms the authenticator by using sk' and makesH(sk'#2). Alice sends this back to Bob. If the confirmation processes are successful, then Alice and Bob generate a common session key sk=H(sk'#0).
III. Analysis of Attack on EC2C-PAKA Protocol
In this section, we describe an attack scenario suggested by Feng and Xu and demonstrate that the attack is invalid. First, an attacker A' is assumed to have a password pwa of Alice and then tries to masquerade as Bob. Finally the goal of the attacker is to share a common session key with Alice as Bob.
3.1 A scenario of password impersonation attack
1. A' captures message, Ex,IDA,IDB from the step (1). A' can decrypt Ex and obtain gx . Values, # TicketB are chosen randomly by A' then Ey = εpwa(gy). R=H(gxy). # are calculated by A'. A' sends Ey, # to Alice in the step (2) instead of KDCA. Then Alice keeps the key chosen by A'.
2. From the step (4) of the protocol, A' obtains ga and selects b ∊ # andomly. In the step (8), A' sends # to Alice as if it is originated from Bob.
3. The forged message will be valid for Alice during the step (8) since A' has the same as Alice. Finally, A' can be successfully authenticated by Alice as a client Bob and also shares a session key sk=H(IDAII IDBII#II#) with Alice.
3.2 Analysis of the Attack
The attack mainly dues to an assumption that an attacker A' obtaining pwa can go through the verification test at the side of Alice during step (8). To be precisely, the test of step (8) verifies MAC tag with the common key # and gb which were chosen randomly by A', as follows.
#
The above verification is always valid since Alice maintains the same key #. However, before(or even after) sending the above forged tag message to Alice in the step (8), A' must pass critical verification processes remaining in the step (6) and (8). Since A' cannot pass the verification processes, every involving participant finally gets to recognize that all processes are invalid. To be precisely, let's go back the above attack scenario and consider the impersonation attack again.
A' sends the followings to Alice in the step (2)
#
The point is that #, y and # were randomly created by A'.
1. As explained earlier, A' can send Eb = # to Alice in the step (8) as if it is originated from Bob. However, before doing it, the following verification tests in the step (6) and (8) prevent A' from impersonating as Bob.
#
First, in the step (5), the ticket TicketB which is randomly selected by A', is transferred to KDCB. In the step (6), KDCB decrypts it and obtains a distinct key k′ (≠# ) and verifies a validity check of TicketB through the above equation (2). However, the inconsistent key k′ always results in failing of verification in the equation (2). It is attributed to a fact that the common key k of TicketB is selected by the valid KDCA and securely protected by a private key K hence nobody knows it except the valid KDCB and KDCA . Second, in the step (8), Bob should do check the tag message # previously received in the step (4). Originally, this tag message is calculated using the key k chosen by the valid Bob. However, the message of step (2) is forged by A' as the form of equation (1) and it makes Alice to possess the key. Since it is not consistent with the key , the verification of step (8) does not always succeed. Therefore, A' never be able to generate both a valid ticket and MAC tag of Ea to satisfy the equation (2) and (3) without knowing K.
3. Nevertheless, in the step (8), A' may try to generate a session key sk′= # with Alice by just sending# However, the valid client Bob already has noticed that the verification has been invalid in the steps (5) and (8). Even if the message of (8) has been sent to Alice, Bob always still has a chance to reject Alice and be able to let all parties know the current protocol is failed.
IV. Vulnerability of an improved C2C-PAKA protocol
In this section, we briefly introduce an improved version of C2C-PAKA protocol suggested by Feng and Xu [1] and demonstrate that it is insecure against an impersonation attack where a server KDCA in the realm A is able to impersonate Bob in the realm B.
4.1 Overview of an improved C2C-PAKA protocol
The protocol consists of (8) steps. It is illustrated in Figure 2.
[Figure 2] The improved EC2C-PAKA Protocol by Xu and Feng
1. Alice sends the message IDA,IDB to KDCA. KDCA randomly selects t ∊ # and encrypts gt with pwa then transfer M1=εpwa(gt).
2. Alice can obtain gt and randomly chooses x ∊ # . Then she calculates M2 = εpwa(gx), R = H(gtx), and M3 = ER(gt,IDA,IDB). Finally, Alice sends M2,M3 to KDCA.
3. On receiving the message from Alice, KDCA decrypts M2 and obtains gx and checks the validity of M3 by using R. KDCA randomly chooses r ∊ # and calculates M4 = SigKDCA(gr) and TicketB = PEKDCB(SigKDCA(gr,gxr,IDA,IDB,L)) and sends M4, TicketB to Alice.
4. On receiving the message from SA, Alice checks the signature of M4 is valid. Alice computes gxr and forwards IDA, TicketB to Bob.
5. Bob selects y ∊ # and calculates M5 = Epwb(gy) then the messages IDA,IDB,M5, TicketB are forwarded to KDCB.
6. KDCB obtains gy from M5 . KDCB decrypts TicketB and verify the signature of KDCA. KDCB obtains gxr and gr and selects r' ∊ # randomly. KDCB also computes the message gyr',gxrr',grr' and encrypts it with R'(=H(gyr')), then makes M6 = ER'(gxr,gxrr',grr'). M7 = SigKDCB(gr'). which are sent to Bob.
7. With the message from KDCB, Bob checks M7 and computes R' = H(gr'y) and computes gxr,gxrr' by decrypting M6 . Bob calculates cs = gxyrr' , M8 = gxr,grr'y, and M9 = H(IDB,IDA,cs,gxr). Bob sends M8,M9 to Alice for a session key confirmation.
8. With the message M8,M9 , Alice computes s = gxyrr' and computes H(IDB,IDA,cs,gxr) which is verified with the message M9 . If it holds, Alice authenticates Bob. Alice computes M10= H(IDB,IDA,cs,gxr). M10 is also sent to
Bob for a session key confirmation. With the message M10, Bob computes H(IDA,IDB,cs,gxr) and verifies with M10 . If it succeeds, Bob authenticates Alice. A common session key between Alice and Bob is sk = H(IDA,IDB,gxyrr')
4.2 Vulnerability of the improved C2C-PAKA scheme by Xu and Feng
Xu and Feng presented a new improved version of C2C-PAKA protocol [1]. We demonstrate that the improved scheme is weak against an impersonation attack by a malicious server # . If we assume a malicious # which keeps a password pwa for a client Alice, then it can impersonate a client Bob in realm B. The attack is performed as follows. The scenario is illustrated in Figure 3.
[Figure 3] A password impersonation attack on Feng and Xu's protocol
1. Since the malicious server # password pwa, # can decrypt M2,M3 from the step (2) of the protocol and then keeps gxr . In order to impersonate Bob, # should send messages of step (5) instead of Bob. To do so, # randomly chooses m5′ ∊ # and sends IDA,IDB,m5', TicketB to Bob.
2. In the step (6), KDCB sends back M6,M7 to # and then # simply ignores the message M6,M7.
3. For the step (7), # first chooses a random value Φ ∊ # and calculates cs =(gxr)Φ with the value of gxr obtained from the step (2). The forged message
M8', M9′ for the step (7) are calculated as follows.
M8' = grΦ
M9' = H(IDA,IDB,gxrΦ,gxr)
4. On the step (7), the valid client Alice computes cs =(M8')x = gxrΦ by using the chosen random value x and verifies M9' by using the computed cs and gxr. Hence no fail happens
5. In the step (8), # receives M10 and generates sk=H(IDA,IDB,gxrΦ). Therefore, the malicious # succeeds in impersonating Bob and generating a session key .
4.3 Countermeasure
In order to deter the impersonation attack from the malicious KDCA , we need a kind of verification check which enables KDCB to recognize itself that the protocol is being cheated, and finally it is able to let all involving participants know the current protocol fails. Indeed, the difference between two protocols [1, 2] in terms of structure of communication is the absence of the authentication from KDCB to Bob, which actually induces an impersonation attack by an insider server KDCA . Basic idea to deal the attack is to simply inject authentications into weakness point of the protocol. Concretely, two tags for authentications are required. The first authentication tag is added after the step (6), as a form of ER'(gr'), which is transferred from Bob to KDCB . The second authentication tag is for Alice to authenticate Bob, as a form of hash based authenticator #. The first tag is an actual countermeasure for the impersonation attack and the second tag is just for adding mutual authentication for Alice and Bob. Two authentication tags are illustrated in Figure 4.
[Figure 4] Countermeasure
4.4 Analysis of Countermeasure
As illustrated in Figure 4, despite of adding two authentication tags, the malicious # holding password pwa is still able to make messages in the step (5) and to perfectly forge messages M8',M9' ′ in the step (8) to go through verification process.
(5)IDA,IDB,m5',TicketB
(8)Ms'=grΦ,Mg' = H(IDA,IDB,gxrΦ,gxr)
However, on the side of # should face an authentication process ER'(gr') for R' = H(gyr') in the step (7) of Figure 4. # with pwa never be able to compute R' = H(gyr') satisfying R'(Dpwa(m5'))r' because ms ′ was selected randomly by # hence # cannot compute y and r′. Finally, KDCB is able to let everyone know a fail of the protocol.
V. Concluding Remarks
It has been not only complicated but also prone to error to design a password-based key agreement protocol preserving both security and efficiency. Even though a protocol is designed under the well-known security model and computational assumptions with formal security proof, there are still possibilities that subtle faults can be found in the protocol, as we have shown in this paper. It also reminds that we should much more pay attention when performing a security analysis on a certain protocol.
In this paper, we have pointed out that the claim of insecurity on EC2C-PAKA in [1] is not valid. In addition, we have shown that the improved C2C-PAKA protocol by Xu and Feng has vulnerability against an impersonation attack by a malicious server. A countermeasure of the attack is also discussed.
References
- D. Feng and J. Xu, "A new client-to-client password-authenticated key agreement protocol," IWCC'09, LNCS 5557, pp. 63-76, Jun. 2009.
- J. W. Byun, D. H. Lee, J. I. Lim, "EC2C-PAKA: an efficient client-to-client password-authenticated key agreement," Information Science, vol 177, pp. 3995-4013, Oct. 2007. https://doi.org/10.1016/j.ins.2007.03.024
- J. Black and P. Rogaway, "Ciphers with arbitrary finite domains," RSA Data Security Conference, Cryptographer's Track (RSACT '02), LNCS 2271, pp. 114-130, Feb. 2002.
- H. Chung, W. Ku, M. Tsaur, "Weakness and improvement of Wang et al.'s remote user password authentication scheme for resource limited environments," Computer Standards and Interfaces, vol. 31 pp. 863-868, Jun. 2009. https://doi.org/10.1016/j.csi.2008.09.020
- Han-Cheng Hsiang, Wei-Kuan Shih, "Weaknesses and improvements of the Yoon-Ryu-Yoo remote user authentication scheme using smart cards," Computer Communications, vol. 32, issue 4, pp. 649-652 Mar. 2009. https://doi.org/10.1016/j.comcom.2008.11.019
- P. Kocher, J. Jaffe, B. Jun, Differential power analysis, Proc. Advances in Cryptology, CRYPTO'99, pp. 388-397, Aug. 1999.
- N. Y. Lee, Y. C. Chiu, "Improved remote authentication scheme with smart card," Computer Standards and Interfaces, vol. 27 issue. 2, pp. 177-180, Jan. 2005. https://doi.org/10.1016/j.csi.2004.06.001
- J. Munilla, A. Peinado, "Off-line password-guessing attack to Peyravian-Jeffries's remote user authentication protocol," Computer Communications, vol. 30, issue 1, pp. 52-54, Dec. 2006. https://doi.org/10.1016/j.comcom.2006.07.012
- Binod Vaidya, Jong Hyuk Park, Sang-Soo Yeo, Joel J.P.C. Rodrigues, "Robust one-time password authentication scheme using smart card for home network environment," Computer Communications, vol. 34, issue 3, pp. 326-336, Mar. 2010.
- Shengbao Wang, Zhenfu Cao, Maurizio Adriano Strangio, Lihua Wang, "Cryptanalysis and improvement of an elliptic curve Diffie-Hellman key agreement protocol," IEEE Communications Letters, Vol. 12, no. 2, pp. 149-151, Feb. 2008, https://doi.org/10.1109/LCOMM.2008.071307
- Yan-yan Wang, Jia-yong Liu, Feng-xia Xiao, Jing Dan, "A more efficient and secure dynamic ID-based remote user authentication scheme," Computer Communications, vol. 32, Issue 4, pp. 583-585, Mar. 2009. https://doi.org/10.1016/j.comcom.2008.11.008
- X.M. Wang, W.F. Zhang, J.S. Zhang, M.K. Khan, "Cryptanalysis and improvement on two efficient remote user authentication scheme using smart cards," Computer Standards and Interfaces vol. 29 no. 5, pp. 507-512, Jul. 2007. https://doi.org/10.1016/j.csi.2006.11.005
- Jing Xu, Wen-Tao Zhu, and Deng-Guo Feng, "An improved smart card based password authentication scheme with provable security," Computer Standards and Interfaces, vol. 31, issue 4, pp. 723-728, Jun. 2009. https://doi.org/10.1016/j.csi.2008.09.006
- Her-Tyan Yeh, Hung-Min Sun, Tzonelih Hwang, "Security analysis of the generalized key agreement and password authentication protocol," IEEE Communications Letters, Vol. 5, no. 11, pp. 462-463, Nov. 2001 https://doi.org/10.1109/4234.966034
- Muxiang Zhang, Yuguang Fang, "Security analysis and enhancements of 3GPP authentication and key agreement protocol," IEEE Transactions on Wireless Communications, vol. 4, no. 2, pp. 734-742, Mar. 2005. https://doi.org/10.1109/TWC.2004.842941
- 변진욱, 정익래, 이동훈, "서로 다른 패스워드워드를 가진 사용자간의 패스워드 인증 키 교환 프로토콜," 정보보호학회논문지, 13(1), pp. 27-38, 2003년 2월.
- 변진욱, "효율적이고 안전한 스마트카드 기반 사용자 인증 시스템 연구," 전자공학회논문지 48권 TC편 제 2호, pp. 105-115, 2011년 2월.