Cryptanalysis of pairing-free certificateless authenticated key agreement protocol

Transcription

1 Cryptanalyss of parng-free certfcateless authentcated key agreement protocol Zhan Zhu Chna Shp Development Desgn Center CSDDC Wuhan Chna Emal: bstract: Recently He et al. [D. He J. Chen J. Hu parng-free certfcateless authentcated key agreement protocol Internatonal Journal of Communcaton Systems 5 pp. -0 0] proposed a parng-free certfcateless authentcated key agreement protocol demonstrated that ther protocol s provable securty n the rom oracle model. However n ths paper we show that t He et al. protocol s completely broken. ey words: certfcateless cryptography authentcated key agreement provable securty ellptc curve. Introducton To smplfy the complex certfcate management n the tradtonal publc key cryptography PC Shamr [] proposed the concept of dentty-based publc key cryptography ID-PC. In ID-PC there s no need of the certfcate of a publc key snce the user s publc key s hs dentty such as e-mal address telephone number et al. However ID-PC nherently has the key escrow problem.e. the key generaton center GC knows the user s prvate key. To solve the problem l-ryam et al. [] ntroduced the concept of the certfcateless publc key cryptography CLPC. Snce then many certfcateless key agreement protocols usng blnear parngs have been proposed. However the theoretcal analyss [] expermental result [4] show that the relatve computaton cost of a parng s approxmately twenty tmes hgher than that of the scalar multplcaton over ellptc curve group. Therefore the performance of all the above protocols s not satsfactory. To mprove performance He et al. [5] proposed a parng-free certfcateless key agreement protocol. They also demonstrated that ther protocol s provably secure n the rom oracle model. However we wll show He et al. s protocol s nsecure aganst both of the type I adversary the type II adversary.

2 The organzaton of the paper s sketched as follows. The Secton gves a bref revew of He et al. s protocol. Cryptanalyss on He et al. s protocol s shown n Secton. Fnally we gve some conclusons n Secton 4.. He et al. s protocol In ths secton we wll revew He et al. s protocol. For convenence some notatons used n ths paper are descrbed as follows. p n : two large prme numbers F p : a fnte feld E / F p : an ellptc curve defned on F p G : the cyclc addtve group composed of the ponts on E/ F p P : a generator of G H : a secure one-way hash functon where H :{0} Zn H : a secure one-way hash functon where H :{0} Zn ID : the dentty of user x P pub : the GC s prvate/publc key par where Ppub = xp x P : the user s secret value/publc key par where P = x P r R : a rom pont generated by GC where R = r P s R : the user s partal prvate key where s = r + hxmod n h = H ID R t T : the user s ephemeral prvate/publc key par where T = t P In ths secton we present a CT protocol wthout parng. Our protocol conssts of the followng sx algorthms: Setup Partal-Prvate-ey-Extract Set- Secret-Value Set-Prvate-ey Set-Publc-ey ey-greement. Setup: Ths algorthm takes a securty parameter k as nputs returns system parameters a master key. Gven k GC does the followng. GC chooses the master prvate key x Z n computes the master publc key Ppub = xp. GC chooses two cryptographc secure hash functons H :{0} Zn H :{0} Zn. GC publshes params = { Fp E / Fp G P Ppub H H } as system parameters secretly keeps the master key x.

3 Partal-Prvate-ey-Extract: Ths algorthm takes master key a user s dentfer system parameters as nput returns the user s ID-based prvate key. Wth ths algorthm for each user wth dentfer ID GC works as follows. GC chooses at rom r Zn computes R = r P h = H ID R. GC computes s = r + hx mod n. The user s s partal prvate key s the tuple D = s R he can valdate her prvate key by checkng whether the equaton s P= R + h Ppub holds. The prvate key s vald f the equaton holds vce versa. Set-Secret-Value: The user wth dentty x as hs secret value. Set-Prvate-ey: The user wth dentty ID pcks romly x Z sets ID takes the par S = x D as n ts prvate key where D = s R. value Set-Publc-ey: The user wth dentty x as nputs generates ts publc key ID takes params ts secret P = x P. ey-greement: ssume that an entty wth dentty ID has prvate key S = x D publc key P = x P an entty wth dentty ID has prvate key S = x D publc key P = x P. s shown n Fg. run the protocol as follows. send M = ID R P to. fter recevng M chooses at rom the ephemeral key computes T = b P + R + H ID R Ppub then send M = ID R P T to. fter recevng M chooses at rom the ephemeral key b Z n a Z n computes T = a P + R + H ID R Ppub then send M = T to. Then both can compute the shared secrets as follows. computes = x + s T + a P = a x + s T computes

4 = x + s T + b P = b x + s T Fg.. ey agreement of He et al. s protocol. Cryptanalyss of He et al. s protocol In certfcateless sgnature protocol as defned n [ 5] there are two types of adversares wth dfferent capabltes we assume type I adversary acts as a dshonest user whle type II adversary acts as a malcous GC. In ths secton we wll show that He et al. protocol s vulnerable to the mpersonaton attack aganst of. The detaled steps are descrbed as follows... Impersonaton attack of type I adversary Let be a type I adversary. Then does not have access to the master key but can replace the publc keys of any entty wth a value of hs choce snce there s no certfcate nvolved n certfcateless sgnature protocol. Impersonaton attack aganst ntator generates a rom number t replaces s publc key P = x P wth P = tp R H ID R P. pub mpersonate to sends the message M = ID R P to. fter recevng M chooses at rom the ephemeral key computes T = b P + R + H ID R Pp ub then send M = ID R P T to. b Z n 4

5 4 fter recevng M chooses at rom the ephemeral key computes T = a P + R + H ID R Ppub send M = T to. 5 fter recevng M wll computes = x + s T + b P = ap + bp = b x + s T = abp the a Z n sesson key sk = H ID ID T T. Snce P = tp R H ID R P pub T = b P + R + H ID R P then computes pub = t T + a P= t b P + R + H ID R P + a P pub = t b tp R H ID R Ppub R H ID R Ppub a P = t b tp+ ap= bp+ ap= = a t T = a t b P + R + H ID R P pub = + + a t b tp R H ID R Ppub R H ID R Ppu b = at btp = abp = 4 Thus could compute sk = H ID ID T T as the sesson key. It s easy to say that sk sk are equal snce = =. Then mpersonate the ntator successfully. Impersonaton attack aganst responder generates a rom number t replaces s publc key P = x P wth P = tp R H ID R P. pub fter ntercept the message M = ID R P sent by chooses at rom the ephemeral key b Z n computes T = b P + R + H ID R P. Then mpersonate to send back pub M = ID R P T to. fter recevng M chooses at rom the ephemeral key a Z n computes T = a P + R + H ID R Pp ub = a x + s T = abp = x + s T + a P = ap + bp sk H ID ID T T = send M = T to. 5

6 4 fter recevng M wll computes = t a T + b P = b t T the sesson key sk = H ID ID T T. Snce P = tp R H ID R P pub T = a P + R + H ID R P then computes pub = t a T + b P= t P + R + H ID R P + b P pub = t a tp R H ID R Ppub R H ID R Ppub b P = t a tp + bp = ap + bp = = b t T = b t a P + R + H ID R P pub = + + b t a tp R H ID R Ppub R H ID R Ppu b = bt atp = abp = 5 6 Thus could compute sk = H ID ID T T as the sesson key. It s easy to say that sk sk are equal snce = =. Then mpersonate the responder successfully.. Impersonaton attack of type II adversary Let be a type I adversary. Then has access to the master key x but cannot replace any user's publc key. Impersonaton attack aganst ntator generates a rom number t computes R = tp P mpersonate to send the message M = ID R P to. fter recevng M chooses at rom the ephemeral key computes T = b P + R + H ID R Ppub then send M = ID R P T to. fter recevng M chooses at rom the ephemeral key computes T = a P + R + H ID R Ppub send M = T to. 4 fter recevng M wll computes b Z n = x + s T + b P = ap + bp = b x + s T = abp the a Z n sesson key sk = H ID ID T T. 6

7 Snce T = b P + R + H ID R Ppub R = tp P knows the mast key x. Then computes = t+ xh ID R T + a P = t+ xh ID R b P + R + H ID R P + a P pub = t+ xh ID R b P + tp P + H ID R P + a P pub = t+ xh ID R b tp+ H ID R xp + a P b = t+ xh ID R t + H ID R x P+ a P = bp + ap = = a t+ xh ID R T = a t+ xh ID R b P + R + H ID R P pub = a t+ xh ID R b P + tp P + H ID R P pub = a t+ xh ID R b tp+ H ID R xp = a t+ xh ID R b t+ H ID R xp = abp = 8 7 Thus could compute sk = H ID ID T T as the sesson key. It s easy to say that sk sk are equal snce = =. Then mpersonate the ntator successfully. Impersonaton attack aganst responder generates a rom number t computes R = tp P. fter ntercept the message M = ID R P sent by chooses at rom the ephemeral key b Z n computes T = b P + R + H ID R P. Then mpersonate to send back pub M = ID R R T to. fter recevng M chooses at rom the ephemeral key a Z n computes T = a P + R + H ID R Ppub = a x + s T = abp = x + s T + a P = ap + bp sk H ID ID T T = send M = T to. 7

8 4 fter recevng M wll computes = t+ xh ID R a T + b P = b t+ xh ID R T the sesson key sk = H ID ID T T. Snce R = tp P T = a P + R + H ID R Ppub then computes = t+ xh ID R T + b P = t+ xh ID R a P + R + H ID R P + b P pub = t+ xh ID R a P + tp P + H ID R P + b P pub = t+ xh ID R a tp+ H ID R xp + b P a = t+ xh ID R t + xh ID R P + b P = ap + bp = = b t+ xh ID R T = b t+ xh ID R a P + R + H ID R P pub = b t + xh ID R a P + tp P + H ID R P pub = b t + xh ID R a tp + H ID R xp = b t+ xh ID R a t + xh ID R P = abp = 5 6 Thus could compute sk = H ID ID T T as the sesson key. It s easy to say that sk sk are equal snce = =. Then mpersonate the responder successfully. 4. Concluson Recently He et al. proposed a certfcateless authentcated key agreement protocol wthout blnear parngs demonstrated ts mmunty aganst varous attacks. However after revew of ther protocol analyss of ts securty we show ther protocol s nsecure aganst both of the type I adversary the type II adversary. The analyses show that the protocol s nsecure for practcal applcaton. 8

9 Reference []. Shamr. Identty-based cryptosystems sgnature protocols. In Proceedngs of CRYPTO 84. Lecture Notes n Computer Scence Vol. 96. Sprnger: erln []. l-ryam S Paterson. Certfcateless publc key cryptography. In Proceedngs of SICRYPT 00. Lecture Notes n Computer Scence Vol Sprnger: erln []. Chen L Cheng Z Smart N Identty-based key agreement protocols from parngs Internatonal Journal of Informaton Securty 6 pp [4]. He D Chen J Zhang R. n effcent provably-secure certfcateless sgnature protocol wthout blnear parngs. Internatonal Journal of Communcaton Systems do: 0.00/dac.0 0. [5]. He D Chen J Hu J. parng-free certfcateless authentcated key agreement protocol Internatonal Journal of Communcaton Systems 5 pp