easy to make g by æ èp,1è=q where æ generates Zp. æ We can use a secure prime modulus p such that èp, 1è=2q is also prime or each prime factor of èp,

Transcription

1 Additional Notes to ëultimate Solution to Authentication via Memorable Password" May 1, 2000 version Taekyoung Kwon æ May 25, 2000 Abstract This short letter adds informative discussions to our previous contribution, ëultimate Solution to Authentication via Memorable Password"ë1ë. 1 Introduction Message 2 of AMP, G 2, is structured that G 2 = èg 1 çè y while the agreed secret key is g xy è= æ = æè. Note that G 1 = g x and ç = g ç ë1ë. Therefore, a care must be taken in regarding how much information G 2 è= g xy g çy è could leak about g xy, though the probability of ç y = 1 is very low. In this letter, we propose a method to avoid the argument about the information leakage by slightly modifying the protocol. Note that we abbreviate mod p. Hints : 1. Let G 2 be èg e 1 çèy with random e. 2. Let parties agree on g èx 1+ex2èy rather than g xy. 2 Avoiding Information Leakage We propose two extended protocols from original AMP for avoiding the information leakage argument. They are AMP + èhint 1è and AMP ++ èhint 2è. Numerical Assumption. Bob chooses g which generates a prime-order subgroup Z q where p = qr + 1. Note that a prime q must be suæciently large èé lèkèèë1ë to resist Pohlig-Hellman decomposition and various index-calculus methods but much smaller than pë5, 6, 7ë. It is æ 741 Soda Hall, Computer Science Division, EECS, University of California, Berkeley, CA 94720, tkwon@cs.berkeley.edu or ktk@emerald.yonsei.ac.kr. 1

2 easy to make g by æ èp,1è=q where æ generates Zp. æ We can use a secure prime modulus p such that èp, 1è=2q is also prime or each prime factor of èp, 1è=2q is larger than q, or a safe prime modulus p such that p =2q + 1ë3ë. However, we strongly recommend to use a secure prime modulus p. Such a modulus should makes our modiæed protocol secure and eæcient. 2.1 AMP + Our ærst extention is AMP + based on hint 1. Protocol setup of AMP + is exactly the same to that of AMP so that its description is skipped here èsee ë1ë for protocol setupè. Note that Bob stores èid; ç; ç = g ç è where ç = h 1 èç; çè, ç 2 R f0; 1g tèkè, and ç 2 R f0; 1g!èkè. Protocol Run. The following describes how to run AMP +. Note that the cases, x 2f0; 1g 1, y 2f0; 1g 1, g x 2f0; 1g 1,èg xe çè y 2f0; 1g 1, and their small subgroup conænements must be avoided for a security reason. Alice and Bob can easily detect and discard such insecure parameters in the protocol. Alice input èid; çè Bob store èid; ç; çè x 2 R Z q G 1 = g x id;g x,! f etch èid; ç; çè y 2 R Z q e = h 2 èg 1 ; id; Alice; Bobè ç = h 1 èç; çè ç;èg xe çè y è, G 2 = G ey 1 çy e = h 2 èg 1 ; id; Alice; Bobè ç =èxe + çè,1 x mod q æ =èg 2 è ç K 1 = h 3 èæè H 11 = h 4 èg 1 ; K 1 è H 21 = h 5 èg 2 ; K 1 è hèg x ;Kè æ =èg 1 è y K 2 = h 3 èæè,! H 12 = h 4 èg 1 ; K 2 è verify H 11 : = H12 hèèg x çè y ;Kè è, H 22 = h 5 èg 2 ; K 2 è verify H 21 : = H22 Figure 1: AMP + Protocol The following steps explain how the protocol is executed in Figure 1. 2

3 1. Alice computes G 1 = g x bychoosing x 2 R Z q and sends èid; G 1 ètobob. 2. After receiving message 1, Bob loads ç and ç, and computes e = h 2 èg 1 ; id; Alice; Bobè and G 2 = G ey 1 çy bychoosing y 2 R Z q. This can be done by the simultaneous exponentiation method. Note that G 2 =èg xe çè y = g èxe+çèy. He sends èç;g 2 ètoalice. 3. While waiting for message 2, Alice computes e = h 2 èg 1 ; id; Alice; Bobè. After receiving message 2, Alice computes ç = h 1 èç; çè, ç =èxe + çè,1 x mod q and æ =èg 2 è ç. Note that æ =èg èxe+çèy è èxe+çè,1 x = g yx. She computes K 1 = h 3 èæè and H 11 = h 4 èg 1 ; K 1 è. She sends H 11 to Bob. 4. While waiting for message 3, Bob computes æ = èg x è y = g xy, K 2 = h 2 èæè and H 12 = h 4 èg 1 ; K 2 è. After receiving message 3, Bob compares H 12 with H 11. If they are matched, then he computes H 22 = h 5 èg 2 ; K 2 è and sends H 22 to Alice. This means he authenticated Alice who knows ç èactually, çè, and agreed upon Kè= K 1 = K 2 è. 5. While waiting for message 4 from Bob, Alice computes H 21 = h 5 èg 2 ; K 1 è. After receiving message 4, she compares H 21 with H 22. If they are matched, Alice also agrees on Kè= K 1 = K 2 è with authenticating Bob who knows ç. Whole structure of AMP + is exactly the same to that of AMP except that G 2 includes a randomizer e for avoiding the information leakage of g xy ; only computing e has been added to AMP. Therefore, security and eæciency are approximately bounded by AMP. AMP + also passes four messages between Alice and Bob, and beneæts from the simultaneous multiple exponentiation method; æ a æ b needs 16è more multi-precision multiplications than æ a does on the averageë8, 4ë. Therefore, each party's exponentiation number is still two while parallel exponenetiation is still 3E. The randomness of e is totally dependent upon the randomness of g x so that Bob cannot contribute to its randomness. The information leakage argument has been clearly avoided since G 2 = g èxe+çèy related to the agreed key any more without solving log g g ç while the agreed key is still g xy. Now G 2 is not and log g g y. AMP + is a simple extention of AMP for avoiding the information leakage and is as practical as AMP. 2.2 AMP ++ Our second extention is AMP ++ based on hints 2. AMP ++ has a little diæerent protocol setup procedure from AMP and AMP +. Protocol Setup. This step determines and publishes global parameters of AMP Alice and Bob shares g, p and q. 2. Alice chooses ç 2 R f0; 1g!èkè and notify Bob, in an authentic manner. 3. id indicates an identiæer or name of Alice; more precisely a user name. 3

4 4. Bob stores èid; ç = g,ç è where ç = h 1 èid; Bob; çè 1. Bob should throw away ç and ç but keep id and ç. Protocol Run. The following describes how to run AMP ++. Note that the cases, x 1 2 f0; 1g 1, x 2 2 f0; 1g 1, y 2 f0; 1g 1, g x 2 f0; 1g 1, èg x çè y 2 f0; 1g 1, and their small subgroup conænements must be avoided for a security reason. Alice and Bob can easily detect and discard such insecure parameters in the protocol. Alice input èid; çè Bob store èid; çè x 1 ;x 2 2 R Z q ç = h 1 èid; Bob; çè G 0 = x 1 + ç mod q G 1 = g x 2 id; x1+ç; g x 2,! f etch èid; çè e = h 2 èg 0 ; G 1 ; G 2 ; id; Alice; Bobè y 2 R Z q èg x 2 çè y è, G 2 =èg 1 çè y e = h 2 èg 0 ; G 1 ; G 2 ; id; Alice; Bobè ç =èx 2, çè,1 èx 1 + ex 2 èmodq æ =èg 2 è ç K 1 = h 3 èæè H 11 = h 4 èg 0 ; G 1 ; K 1 è H 21 = h 5 èg 2 ; K 1 è hèg x 2 ;Kè æ =ègè G 0y èçè y èg 1 è ey K 2 = h 3 èæè,! H 12 = h 4 èg 0 ; G 1 ; K 2 è verify H 11 : = H12 hèèg x 2 çè y ;Kè è, H 22 = h 5 èg 2 ; K 2 è verify H 21 : = H22 Figure 2: AMP ++ Protocol The following steps describe how the protocol is executed in Figure Alice computes ç = h 1 èid; Bob; çè, G 0 = x 1 + ç mod q, and G 1 = g x 2 by choosing x 1 ;x 2 2 R Z q and sends èid; G 0 ; G 1 ètobob. 2. After receiving message 1, Bob loads ç, and computes G 2 =èg 1 çè y bychoosing y 2 R Z q. 1 We can also use the conventional salt scheme such that ç = h1èç; çè where ç 2 R f0; 1g tèkè. See later part. 4

5 This can be done by the simultaneous exponentiation method, i.e., G y 1 ç y. Note that G 2 =èg x2 çè y = g èx 2,çèy. He sends G 2 to Alice. 3. After receiving message 2, Alice computes e = h 2 èg 0 ; G 1 ; G 2 ; id; Alice; Bobè, ç =èx 2, çè,1 èx 1 + ex 2 èmod q, and æ = èg 2 è ç. Note that æ = èg èx 2,çèy è èx 2,çè,1 èx1+ex2è = g yèx 1+ex2è. She computes K 1 = h 3 èæè and H 11 = h 4 èg 0 ; G 1 ; K 1 è. She sends H 11 to Bob. 4. While waiting for message 3, Bob computes e = h 2 èg 0 ; G 1 ; G 2 ; id; Alice; Bobè, æ = ègè G 0y èçè y èg 1 è ey, K 2 = h 3 èæè and H 12 = h 4 èg 0 ; G 1 ; K 2 è. Note æ = g èx1+çèy g,çy g x 2ey = g èx 1+ex2èy. After receiving message 3, Bob compares H 11 with H 12. If they are equal to each other, then he computes H 22 = h 5 èg 2 ; K 2 è and sends it to Alice. This means he authenticated Alice who knows ç èactually, çè, and agreed upon Kè= K 1 = K 2 è. 5. While waiting for message 4, Alice computes H 21 = h 5 èg 2 ; K 1 è. After receiving message 4, she compares H 12 with H 22. If H 12 = H 12, Alice also agrees on Kè= K 1 = K 2 è with authenticating Bob who knows ç. The information leakage argument has been clearly avoided since the agreed key is g èx 1+ex2èy while G 2 = g èx 2,çèy. AMP ++ also passes four messages between Alice and Bob, and beneæts from the simultaneous multiple exponentiation method; æ a æ b needs 16è and æ a æ b æ c needs 25è more multi-precision multiplications than æ a does on the averageë8, 4ë. Considering the beneæt of the simultaneous method, it can be said that each party of our modiæed protocol needs the exponentiation, Oèèlog nè 3 è, still for two times, respectively. In addition, the parallel exponentiation is still three times è3eèë1ë. Several mod q operations and one mod p exponentiation in æ must compensate for the mod p simultaneous exponentiation in æ, and they are bounded by Oèèlog nè 3 è+æ for negligible expense æ. The use of a secure prime allows qèç lèkèè to be 160 bits long. It is helpful for eæciency in message size and Z q operation. Conventional Salt in AMP ++. For eæciency è3eè, we considered the salt scheme discussed in Bellare and Rogawayë2ë. However, we can accommodate the conventional salt scheme at the cost of parallel exponentiation è4eè. Instead of id-based implicit salt, Bob chooses ç 2 R f0; 1g tèkè and stores èid; ç; ç = g,ç è where ç = h 1 èç; çè on setup phase. Bob should send Alice salt ç with G 2 in step 2. Alice should compute ç after receiving message 2 so that she could compute and pass G 0 with H 1 in step 3. Therefore, Bob is able to compute æ after receiving message 3. That is, the conventional salt protocol loses the parallel compution of æ and æ so that the parallel exponentiation cost is to be 4E rather than 3E. However, it is still comparable to other protocols such asampè3eè, AMP + è3eè, and SRPè4Eèë1, 9ë. 3 Conclusion In this document, we have shown how to avoid the information leakage argument in our previous contribution, ëultimate Solution to Authentication via Memorable Password"ë1ë, 5

6 though we would like to urge it is not critical even in the original AMP. We proposed two extended AMP such asamp + and AMP ++. Note that G 2 = g èxe+çèy while the agreed key was still g xy in AMP +. Also note that the agreed key was g èx 1+ex2èy while G 2 = g èx 2,çèy. Both are clearly preventing the information leakage of the agreed key in G 2 in the way that G 2 and the agreed key are exactly unrelated regading the intractability of the discrete logarithm problem and the Diæe-Hellman problem. The implicit salt scheme discussed in Bellare and Rogawayë2ë and the secure prime modulusë3ë have been helpful for preserving the eæciency of AMP in AMP ++ while AMP + intrinsically preserved the eæciency of AMP. References ë1ë Taekyoung Kwon, ëultimate Solution to Authentication via Memorable Password," Contribution to the IEEE P1363 study group for Future PKC Standards, available from ë2ë M.Bellare and P.Rogaway, ëthe AuthA protocol for password-based authenticated key exchange", Contribution to the IEEE P1363 study group for Future PKC Standards, available from Groupèsubmissions.htmlèautha. ë3ë C.Lim and P.Lee, ëa key recovery attack on discrete log-based schemes using a prime order subgroup," Crypto 97, pp , 1997 ë4ë A.Menezes, P.van Oorschot, S.Vanstone, Handbook of applied cryptography, CRC Press,Inc., 1997 ë5ë P.van Oorschot and M.Wiener, ëon Diæe-Hellman key agreement with short exponents," Eurocrypt 96, pp , 1996 ë6ë S.Pohlig and M.Hellman, ëan improved algorithm for computing logarithms over GF èpè and its cryptographic signiæcance," IEEE Transactions on Information Theory, vol.24, no.1, pp , 1978 ë7ë J.Pollard, ëmonte carlo methods for index computation mod p," Mathematics of Computation, vol.32, pp , 1978 ë8ë C.P.Schnorr, ëeæcient identiæcation and signatures for smart cards," Crypto 89, LNCS 435, pp , 1989 ë9ë T.Wu, ësecure remote password protocol," Internet Society Symposium on Network and Distributed System Security,