Analysis and Design of Authentication and Key Exchange Protocols
Abstract
With the rapid development of modern computer communication technology and the wide application of the Internet, the question of how to ensure information security has attracted broad attention across society. A core problem in information security and cryptography is to guarantee that the participants in a communication can communicate secretly and reliably in an environment where an adversary is present. This is often achieved by authentication and key exchange protocols, which let the participants authenticate each other's identities and generate a shared secret session key. The participants can then apply the session key to existing techniques to communicate securely with each other (for instance, by applying encryption algorithms, signature algorithms and message authentication codes to all communications). Authentication and key exchange protocols are also fundamental building blocks and theoretical guarantees for the security of electronic commerce and electronic government. The analysis and design of authentication and key exchange protocols has become a hot topic in current information security research.
     Although there were many earlier publications on authentication techniques, it is generally accepted that the paper by Needham and Schroeder published in Communications of the ACM in 1978 is the starting point of modern research on authentication. Since then, many authentication protocols have been proposed. Research on key exchange protocols was first initiated by Diffie and Hellman in 1976. By now, many secure and efficient key exchange protocols exist.
     It is well known that in most cases both authentication and key exchange are required security properties, which gave rise to authenticated key exchange (AKE) protocols. An authenticated key exchange protocol not only authenticates the identities of the participants but also allows them to compute a shared session key for subsequent secure communication.
     At present there are three main approaches to the study of authentication and key exchange protocols (also called authenticated key exchange protocols in this dissertation): the computational complexity approach, the ad-hoc approach (heuristic approach) and the formal analysis approach.
     This dissertation studies authentication and key exchange protocols using the computational complexity approach and the ad-hoc approach. Our main work concentrates on the following aspects of authentication and key exchange protocols:
     1. Password-based authenticated key exchange protocols secure in the standard model
     In real environments, users prefer to choose easily memorable passwords as their keys rather than fully random ones, so the setting in which users only generate and share low-entropy passwords is far more widely applicable, and research on authenticated key exchange protocols in this setting has recently attracted broad attention from researchers.
     The security model for the password-based setting was first proposed by Halevi and Krawczyk. Their model requires a secure public key infrastructure (PKI). This is a very strong assumption, so we wish to avoid it. Goldreich and Lindell proposed the first provably secure protocol that needs no additional setup assumption. The security of that protocol is based on the existence of trapdoor permutations. However, their protocol is very complex and therefore impractical.
     Recently, Katz, Ostrovsky and Yung proposed an efficient and practical password-based authenticated key exchange protocol (KOY). Subsequently, Gennaro and Lindell improved the KOY protocol (GL). Furthermore, Gennaro improved the efficiency of both the KOY and GL protocols by reducing their communication bandwidth.
     In Chapter 4 we propose a new password-based authenticated key exchange protocol. The new protocol is based on the twin decisional Diffie-Hellman assumption proposed by Cash, Kiltz and Shoup at EUROCRYPT 2008. In their paper, Cash et al. also proposed a password-based authenticated key exchange protocol, but its security relies on the random oracle assumption. It is generally believed that such a protocol remains secure even when the random oracle is replaced by a deterministic function known to all users (such as SHA-1). However, Canetti, Goldreich and Halevi pointed out that no concrete deterministic function can currently replace the random oracle. Therefore the security of these protocols remains heuristic.
     The security of our protocol, by contrast, is proved in the standard model. At present, this new protocol is the first password-based authenticated key exchange protocol provably secure in the standard model under the twin decisional Diffie-Hellman assumption.
     Moreover, the efficiency of the new protocol is comparable to that of previously proposed password-based authenticated key exchange protocols in the standard model. Specifically, using Shamir's trick for speeding up exponentiation, each party in the new protocol needs about 7 exponentiations. Furthermore, some values in the protocol can be precomputed, which further improves its efficiency.
     2. Secure and efficient authenticated key exchange protocols in the random oracle model
     In 2001, Canetti and Krawczyk proposed a well-known security model, referred to as the CK model. Krawczyk later strengthened this model to capture weak perfect forward secrecy (wPFS). However, even this strengthened model does not cover attacks in which the ephemeral keys of both parties are exposed or the static keys of both parties are exposed. Recently, LaMacchia, Lauter and Mityagin proposed the extended CK model (eCK), which covers all of the security properties mentioned above. It is regarded as the strongest security model at present.
     The NAXOS protocol was the first authenticated key exchange protocol whose security was established in the eCK model. One weakness of that protocol is that each participant must perform 4 exponentiations. Recently, Ustaoglu proposed the CMQV protocol, which is both efficient and secure. However, the security proof of CMQV is not tight.
     In Chapter 3 we propose an improved version of the CMQV protocol, CMQV+. The new protocol is also a Diffie-Hellman based authenticated key exchange protocol. It has the following properties:
     (i) Compared with the NAXOS protocol, CMQV+ is more efficient. Because the computations of CMQV+ can use Shamir's trick for speeding up exponentiation, which saves 0.75 exponentiations on average, CMQV+ needs only 3.25 exponentiations per execution of the protocol, whereas NAXOS needs 4.
     (ii) Compared with the CMQV protocol, CMQV+ has a tight security proof in the eCK model. In the CMQV protocol the simulator cannot answer the CDH oracle from a single interaction with the adversary. The simulator must therefore run a fresh interaction with the adversary on the same input and the same coin flips, with suitable modifications to the simulation. Using the proof technique of the forking lemma, the simulator then answers the CDH oracle. Using the forking lemma prevents a tight security reduction. We therefore modify the CMQV protocol so that the simulator can answer the CDH oracle from a single interaction. In this way the security proof avoids the forking lemma, and the security reduction is tight.
     At present, CMQV+ is the most efficient authenticated key exchange protocol with a tight security proof in the eCK model.
     3. Analysis and design of remote user authentication and key exchange protocols
     Currently, remote user authentication and key exchange protocols have also become an important security mechanism: they let a server and a user authenticate each other over an insecure channel and further guarantee that only legitimate users can access the resources provided by the remote server.
     In Chapter 5 we analyze a remote user authentication protocol using the ad-hoc approach. We show that this remote user authentication scheme is completely breakable. We also propose an improved scheme and give its security analysis.
     In 1981, Lamport proposed the first password-based remote authentication scheme. Several subsequent schemes improved on it in security and efficiency. Hwang and Li found that these schemes are partially or totally broken if the adversary obtains the password table. At the same time, they proposed a remote user authentication scheme using smart cards to solve the problems in those schemes. Soon afterwards, Chan-Cheng, Shen-Lin-Hwang, Chang-Hwang, Leung et al. proposed many schemes to strengthen security or improve efficiency. In 2004, Kumar proposed a remote user authentication scheme based on the Shen-Lin-Hwang scheme. The new scheme resists both the Chan-Cheng attack and the Shen-Lin-Hwang attack.
     In 2000, Boneh and Franklin proposed a practical identity-based encryption scheme using bilinear pairings. Since then, many identity-based cryptographic schemes using bilinear pairings have been proposed, such as signature schemes and authenticated key exchange protocols. In 2006, Wang and Chai proposed a remote user authentication scheme using bilinear pairings.
     In Chapter 5 we first review the Wang-Chai scheme and analyze its security. We show that the scheme proposed by Wang and Chai is completely unable to resist impersonation attacks. That is, after obtaining a previous valid login message (for example by wiretapping), an adversary can easily forge another valid login message from it, pass the remote server's authentication and thereby impersonate a legitimate user to access the resources on the remote server.
     Second, based on the Wang-Chai scheme, we propose a remote user authentication and key exchange scheme based on bilinear pairings. The scheme consists of four phases: an initialization phase, a registration phase, a login phase, and an authentication and session key agreement phase. We prove that the new scheme resists both the above impersonation attack and replay attacks, and achieves perfect forward secrecy. In addition, the new scheme provides mutual authentication and session key agreement.
With the rapid development of modern computer communication techniques and the wide application of the Internet, how to ensure the security of information has become a concern of the whole society. A vital problem in information security and cryptography is to enable parties to communicate secretly and reliably in the presence of an adversary. This is often achieved by authentication and key exchange protocols, in which the parties authenticate each other's identity and generate a mutual secret session key. The session key can then be used for secure communication with known techniques (e.g., applying encryption, signatures and message authentication codes to all communications). Moreover, authentication and key exchange protocols are fundamental building blocks and a theoretical guarantee for realizing both secure electronic commerce and electronic government. The analysis and design of authentication and key exchange protocols have been hot topics of research on information security.
     The key exchange protocol was initially studied by Diffie and Hellman in 1976. By now, many efficient and secure key exchange protocols have been presented. It is fair to regard the paper of Needham and Schroeder published in Communications of the ACM in 1978 as the starting point for modern research on protocols for authentication. Since then, many authentication protocols have been proposed.
     In most cases both authentication and key exchange are needed, which leads to authenticated key exchange (AKE) protocols. Authenticated key exchange protocols allow parties not only to compute the shared key but also to ensure authenticity among the parties.
     By now there are three different methods for the study of authentication and key exchange protocols: the computational complexity approach, the ad-hoc (heuristic) approach and the formal approach.
     In this dissertation, we study authentication and key exchange protocols using the computational complexity approach and the ad-hoc approach. Our research focuses on the following directions of authenticated key exchange protocols:
     1. Secure Password-based Authenticated Key Exchange Protocol in the Standard Model
     The setting in which users are only capable of storing human-memorable passwords (password-based authenticated key exchange) arises most often in practice and has gained more and more attention recently.
     Formal models of security for the password-based setting were first presented by Halevi and Krawczyk, where a secure public key infrastructure (PKI) is required. This is too strong a requirement, and we hope to avoid it. Goldreich and Lindell presented the first protocol to achieve security without any additional setup. Their protocol is based on the existence of trapdoor permutations. Unfortunately, the protocol is not very efficient and thus cannot be adopted in practice.
     Recently, Katz, Ostrovsky and Yung proposed an efficient and practical password-based authenticated key exchange protocol (KOY) which was subsequently improved by Gennaro and Lindell (GL). Furthermore, Gennaro improved both the KOY and the GL protocols by reducing the communication bandwidth required by the protocols.
     In Chapter 4, we propose a new password-based authenticated key exchange protocol. The new protocol is based on the twin decisional Diffie-Hellman assumption proposed by Cash, Kiltz and Shoup at EUROCRYPT 2008. In their paper, they also proposed a password-based authenticated key exchange protocol, which was proved secure in the random oracle model. The common interpretation of such results is that security is likely to hold even if the random oracle is replaced by a concrete function known explicitly to all parties (e.g., SHA-1). However, Canetti, Goldreich and Halevi pointed out that it is impossible to replace the random oracle in a generic manner with any concrete function. Thus, the security proofs of these protocols are actually heuristic.
     The security of our proposed protocol is proved in the standard model. As far as we know, the new protocol is the first password-based authenticated key exchange protocol provably secure in the standard model under the twin DDH assumption.
     In addition, the new protocol has efficiency comparable to previous password-based AKE protocols in the standard model. More precisely, using algorithms for simultaneous multiple exponentiation, the number of exponentiations per party is close to 7. Moreover, some values can be precomputed and stored so as to further improve the efficiency of the protocol.
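The twin decisional Diffie-Hellman assumption named above comes from the Cash-Kiltz-Shoup paper, whose central tool is a "trapdoor test" that decides whether a pair is the correct twin DH value without knowing either secret exponent. The following added example (not code from the dissertation or from Cash et al.) implements that test over a constructed toy group; the parameters P, Q, G, the function names and the membership check are assumptions made for this illustration.

```python
"""Twin Diffie-Hellman trapdoor test (Cash, Kiltz and Shoup, EUROCRYPT 2008).

Twin DH problem: given X1 = g^x1, X2 = g^x2 and Y = g^y, compute the pair
(Y^x1, Y^x2).  The trapdoor test lets a party that knows only (r, s), where
X2 = g^s * X1^(-r), decide whether a candidate pair (Z1, Z2) is the correct
twin DH value for Y without knowing x1 or x2.  Illustrative example over a
constructed toy group; not code from the dissertation or from Cash et al.
"""
import secrets

# Constructed toy parameters: safe prime p = 2q + 1 and g of prime order q.
# Far too small for real use; any safe-prime group can be substituted.
P = 1019
Q = 509
G = 4


def check_params(p=P, q=Q, g=G):
    """g must generate a subgroup of prime order q in Z_p^*."""
    return p == 2 * q + 1 and g != 1 and pow(g, q, p) == 1


def in_group(x, p=P, q=Q):
    """Public-value validation: x lies in the order-q subgroup of Z_p^*."""
    return 0 < x < p and pow(x, q, p) == 1


def trapdoor_setup(X1, r, s, p=P, q=Q, g=G):
    """Derive X2 = g^s * X1^(-r) from X1 and the trapdoor (r, s).

    Implicitly x2 = s - r*x1 (mod q), but neither x1 nor x2 is needed."""
    x1_inv_r = pow(X1, (q - r) % q, p)       # X1^(-r), since X1 has order q
    return pow(g, s, p) * x1_inv_r % p


def trapdoor_test(r, s, Y, Z1, Z2, p=P, q=Q):
    """True iff (Z1, Z2) == (Y^x1, Y^x2), except with probability 1/q.

    Correctness: Z1^r * Z2 = Y^(r*x1 + x2) = Y^(r*x1 + s - r*x1) = Y^s.
    Group membership is checked first so malformed inputs are rejected."""
    if not (in_group(Y, p, q) and in_group(Z1, p, q) and in_group(Z2, p, q)):
        return False
    return pow(Z1, r, p) * Z2 % p == pow(Y, s, p)


def twin_dh_respond(X1, X2, y, p=P, g=G):
    """Honest responder: from ephemeral y return Y = g^y and (X1^y, X2^y)."""
    return pow(g, y, p), pow(X1, y, p), pow(X2, y, p)


def demo():
    """One honest exchange and one forged pair; returns the two verdicts."""
    assert check_params()
    x1 = secrets.randbelow(Q - 1) + 1        # genuine secret; the tester never sees it
    r = secrets.randbelow(Q - 1) + 1         # trapdoor, r != 0 mod q
    s = secrets.randbelow(Q)
    X1 = pow(G, x1, P)
    X2 = trapdoor_setup(X1, r, s)
    y = secrets.randbelow(Q - 1) + 1
    Y, Z1, Z2 = twin_dh_respond(X1, X2, y)
    honest = trapdoor_test(r, s, Y, Z1, Z2)
    # Replacing Z1 by Z1*g multiplies the left side by g^r != 1: always rejected.
    forged = trapdoor_test(r, s, Y, Z1 * G % P, Z2)
    return honest, forged


if __name__ == "__main__":
    print(demo())
```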
     2. Secure and Efficient Authenticated Key Exchange Protocol in the Random Oracle Model
     In 2001, Canetti and Krawczyk proposed a well-known security model, known as the CK model. Krawczyk later improved the CK model to achieve weak perfect forward secrecy (wPFS). However, even this stronger security model does not cover attacks such as the revelation of both parties' ephemeral private keys or of both static private keys. Recently, LaMacchia, Lauter and Mityagin proposed the extended CK model (eCK), which captures all of these security properties. The eCK model is currently regarded as the strongest security model.
     The NAXOS protocol is the first authenticated key exchange protocol whose security is established in the eCK model. One shortcoming of the protocol is that it requires 4 exponentiations per party. Recently, Ustaoglu presented the CMQV protocol, which achieves both efficiency and security. However, the security proof of the CMQV protocol is not tight.
     In Chapter 3, we propose CMQV+, a modified version of the CMQV protocol. The new protocol is also a Diffie-Hellman based authenticated key exchange protocol, and has the following properties.
     (i) The CMQV+ protocol is more efficient than the NAXOS protocol. Because the computations of CMQV+ can be sped up using Shamir's trick for simultaneous exponentiation, which saves 0.75 exponentiations on average, the CMQV+ protocol requires only 3.25 exponentiations per party per execution, whereas the NAXOS protocol requires 4 exponentiations per party.
     (ii) Compared to the CMQV protocol, the CMQV+ protocol has a tight security proof in the extended Canetti-Krawczyk model. In the CMQV protocol the simulator cannot answer the CDH oracle from a single run with the adversary; it must therefore interact with the adversary again on the same input and the same coin flips, with some careful modifications. Following the approach of the forking lemma, the simulator then answers the CDH oracle, but the forking lemma results in a highly non-tight reduction. We modify the CMQV protocol so that the simulator can answer the CDH oracle from one run. The proof of security therefore avoids the forking lemma and obtains a tight reduction.
     To our knowledge, the CMQV+ protocol is the most efficient authenticated key exchange protocol with a tight security proof in the extended Canetti-Krawczyk model under the random oracle assumption.
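Both exponentiation counts above (about 7 per party in section 1 and 3.25 per party for CMQV+) rely on Shamir's trick for simultaneous multiple exponentiation. The following added example (not the dissertation's code) implements that trick and counts squarings and multiplications against two separate square-and-multiply exponentiations; the modulus, bases and exponents are constructed sample values.

```python
"""Shamir's trick (simultaneous multiple exponentiation) with operation counts.

g1^e1 * g2^e2 mod p is computed in a single left-to-right pass over the bits of
both exponents, so the squarings are shared and at most one multiplication is
needed per bit position.  Operation counts are returned so the saving over two
separate square-and-multiply exponentiations can be inspected.
Illustrative example; not code from the dissertation.
"""
import hashlib


def square_and_multiply(g, e, p):
    """Left-to-right binary exponentiation.

    Returns (g^e mod p, squarings, multiplications)."""
    if e == 0:
        return 1 % p, 0, 0
    acc, sq, mul = g % p, 0, 0               # top bit of e is 1: start at g
    for i in range(e.bit_length() - 2, -1, -1):
        acc = acc * acc % p
        sq += 1
        if (e >> i) & 1:
            acc = acc * g % p
            mul += 1
    return acc, sq, mul


def simultaneous_exp(g1, e1, g2, e2, p):
    """Shamir's trick for g1^e1 * g2^e2 mod p.

    Returns (result, squarings, multiplications); the one-off product g1*g2
    is counted as a multiplication."""
    table = {(1, 0): g1 % p, (0, 1): g2 % p, (1, 1): g1 * g2 % p}
    n = max(e1.bit_length(), e2.bit_length())
    acc, sq, mul = 1, 0, 1                   # mul = 1 for the precomputed g1*g2
    for i in range(n - 1, -1, -1):
        col = ((e1 >> i) & 1, (e2 >> i) & 1)  # one bit from each exponent
        if i == n - 1:
            acc = table[col]                 # top column is never (0, 0)
            continue
        acc = acc * acc % p
        sq += 1
        if col != (0, 0):
            acc = acc * table[col] % p
            mul += 1
    return acc, sq, mul


def compare(g1, e1, g2, e2, p):
    """Return ((result, sq, mul) via two separate exponentiations plus one
    final product, (result, sq, mul) via Shamir's trick)."""
    r1, s1, m1 = square_and_multiply(g1, e1, p)
    r2, s2, m2 = square_and_multiply(g2, e2, p)
    naive = (r1 * r2 % p, s1 + s2, m1 + m2 + 1)
    return naive, simultaneous_exp(g1, e1, g2, e2, p)


def exponentiation_equivalents(naive, shamir):
    """Cost of Shamir's trick in units of one average single exponentiation,
    counting a squaring and a multiplication as equal work."""
    single = (naive[1] + naive[2] - 1) / 2   # ops of one of the two exponentiations
    return (shamir[1] + shamir[2]) / single


# Constructed sample values: a 127-bit Mersenne prime modulus and two
# 256-bit exponents derived from fixed strings so the run is reproducible.
P = 2 ** 127 - 1
E1 = int.from_bytes(hashlib.sha256(b"constructed exponent 1").digest(), "big")
E2 = int.from_bytes(hashlib.sha256(b"constructed exponent 2").digest(), "big")

if __name__ == "__main__":
    naive, shamir = compare(3, E1, 7, E2, P)
    print("separate :", naive[1], "squarings,", naive[2], "multiplications")
    print("Shamir   :", shamir[1], "squarings,", shamir[2], "multiplications")
    print("Shamir's trick costs about %.2f single exponentiations"
          % exponentiation_equivalents(naive, shamir))
```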
     3. Analysis and Design of Remote User Authentication and Key Exchange Protocol
     Recently, remote user authentication and key exchange protocols have also become an important security mechanism. The server can authenticate the user's identity over an insecure channel and then guarantee that only legitimate users have access to the resources provided by the remote server.
     In this part, we analyze a remote user authentication protocol using the ad-hoc approach. We show that the scheme is totally broken. Furthermore, we improve the scheme and analyze the security of the improved scheme.
     In 1981, Lamport proposed the first well-known password-based remote authentication scheme, and several schemes have since been proposed to improve its security, cost or efficiency. Subsequently, Hwang and Li pointed out that these schemes will be partially or totally broken if the password table is stolen by the adversary. Further, they proposed a remote user authentication scheme using smart cards to solve the problems of Lamport's scheme. Soon afterwards, Chan-Cheng, Shen-Lin-Hwang, Chang-Hwang, Leung et al. proposed many similar schemes to increase the security or improve the efficiency. In 2004, Kumar proposed a new remote user authentication scheme based on Shen-Lin-Hwang's scheme. The new scheme is secure against both Chan-Cheng's attack and Shen-Lin-Hwang's attack.
     In 2000, Boneh and Franklin proposed a practical ID-based encryption system based on bilinear pairings. Afterwards, a large number of ID-based cryptographic schemes based on bilinear pairings have been proposed, such as signature schemes and authenticated key exchange protocols. In 2006, Wang and Chai also presented a remote user authentication scheme using bilinear pairings.
     In Chapter 5, we first review Wang-Chai's remote user authentication scheme using bilinear pairings and demonstrate that their scheme is vulnerable to an impersonation attack. Namely, after obtaining a previous valid login message (e.g., by wiretapping), an attacker can easily forge another valid login message that passes the remote server's authentication, and then impersonate a legal user to access the resources at the remote server.
     We also propose an improvement of Wang-Chai's remote user authentication scheme based on bilinear pairings. The proposed scheme is composed of four phases: an initialization phase, a registration phase, a login phase, and an authentication and session key agreement phase. Furthermore, we prove that the scheme not only keeps the merits of Wang-Chai's scheme but also repairs its security flaws. In addition, the new scheme provides both mutual authentication and session key agreement.