Password Authenticated Key Exchange and Protected Password Change Protocols
Abstract
1. Introduction
- Mutual authentication: the user and the server can authenticate each other.
- Session key security: no-one except the user and the server can agree to the common session key with a non-negligible probability.
- Forward secrecy: when the password is compromised, it does not reveal the earlier session keys.
- Known-key security: when a session key is lost, it does not reveal other session keys. This limits the damage caused by a compromised session key to that compromised session only.
- Withstanding an off-line password guessing attack: an adversary cannot find an equation to verify whether his/her guessed password is correct.
2. The Proposed Scheme
- Step 1.
- Client ⟹ Server: The user gives his/her and to the client. The client computes the hash value . Then the client chooses a random number and computes . Then the client sends and to the server.
- Step 2.
- Server ⟹ Client: After receiving and , the server retrieves from the verification table and recovers by computing . Then the server computes , where is the server private key and is the server public key. Then the server sends to the client.
- Step 3.
- Client ⟹ Server: After receiving S and , the client computes . Then the client computes and compares it with the received . If these two values are equivalent, the client computes and sends it together with to the server. This check is used for authenticating the server.
- Step 4.
- Server: Access granted or Access denied. After receiving and , the server uses its own copies K and its public key to compute and compares it with the received . If these two values are equivalent, the server grants the client’s login request. Otherwise, the server denies the client’s login request.
- Step 1*.
- Client ⟹ Server: The messages and are the same as those in Step 1 of the PAKE protocol. The client additionally sends to the server.
- Step 2*.
- Server ⟹ Client: After receiving , , and , the server retrieves from the verification table to recover by computing . Then the server uses the recovered to further obtain by computing . Then the server computes , and . Then the server sends to the client.
- Step 3*.
- Client ⟹ Server: After receiving S and , the client computes and . Then the client checks whether the received is equal to . If the two values are equivalent, the client sends and to the server.
- Step 4*.
- Server: Access granted or Access denied. After receiving and , the server uses its own copies K and public key to compute and compares it with the received in Step 3*. If these two values are equivalent, the server stores the recovered in Step 1* into a verification table. Otherwise, the server denies the client’s password change request.
3. Formal Security Proof
3.1. The Model
Protocol Participants:
Session Identity (SID) and Partner Identity (PID):
Accepting and Terminating:
Oracle Queries (Adversary’s Capabilities):
- Send(): This query models an adversary sending a message m to the oracle , and the oracle responds as the protocol specifies to and updates , , and its states. The adversary query of the form Send() initiates an execution of the protocol.
- Execute(): This query models an adversary obtaining an honest execution of the protocol between two oracles and , and outputs a completed transcript corresponding to them.
- Reveal(): This query models an adversary obtaining a session key with an unconditional return by . The Reveal query will let us deal with known-key security. The Reveal query is only available to an adversary if the state of is true.
- Corrupt(): This query models an adversary obtaining a password with unconditional return by . The Corrupt query will let us deal with forward secrecy.
- Hash(m): In the ideal hash model, an adversary gets hash results by making queries to a random oracle. After receiving this query, the random oracle checks whether m has been queried before. If so, it returns the result previously generated for that query. Otherwise, it generates a random number r, returns r to the adversary, and stores in the Hash table, which is a record set used to record all previous Hash queries.
- Test(): This query models the semantic security of the session key . During an execution of the protocol, the adversary can ask any of the above queries and ask a Test query once. Then flips a coin b and returns if , or a random string if . The Test query is asked only once and is only available if is fresh (see Section 4). This query only measures adversarial success. It does not correspond to any actual adversarial ability.
Description of the PAKE Protocol:
- (1)
- Select two prime numbers p with length and q with length . Let g be a generator with order q in the Galois Field , which is based on the Diffie-Hellman scheme.
- (2)
- Select a hash function : .
- (3)
- Each client sets up an identity and a password from a set D of the dictionary. Let n be the number of passwords in D. The server stores in a verification table.
- (4)
- Each oracle is set to:and.
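Step (1) of the setup above asks for primes p and q with g a generator of order q in GF(p). The following is an added example, not code from the paper, showing how such a group is built and, as the check a receiver should apply to every exchanged element, how membership in the order-q subgroup is verified; the bit lengths are reduced to toy sizes (q = 1019 in the usage below) as an assumption so that trial division suffices.

```python
import secrets

def is_prime(n: int) -> bool:
    """Trial-division primality test; adequate only for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def setup_group(q: int):
    """Find the smallest prime p = k*q + 1 and an element g of order q in GF(p)*,
    matching step (1) of the protocol description (toy-sized, for illustration)."""
    if not is_prime(q):
        raise ValueError("q must be prime")
    k = 2
    while not is_prime(k * q + 1):
        k += 1
    p = k * q + 1
    # Any h with h^((p-1)/q) != 1 (mod p) yields an element of exact order q.
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g
    raise ValueError("no generator found")

def in_subgroup(x: int, p: int, q: int) -> bool:
    """Membership check for a received element: 1 < x < p and x^q == 1 (mod p).
    Rejects 0, 1, p-1 and anything outside the order-q subgroup."""
    return 1 < x < p and pow(x, q, p) == 1

def dh_share(p: int, q: int, g: int):
    """Diffie-Hellman over the order-q subgroup, the primitive the protocol's
    random exponents rely on; each exchanged element is validated before use."""
    a = secrets.randbelow(q - 1) + 1  # client exponent in [1, q-1]
    b = secrets.randbelow(q - 1) + 1  # server exponent in [1, q-1]
    A, B = pow(g, a, p), pow(g, b, p)
    if not (in_subgroup(A, p, q) and in_subgroup(B, p, q)):
        raise ValueError("element outside the order-q subgroup")
    return pow(B, a, p), pow(A, b, p)  # (client's secret, server's secret)

if __name__ == "__main__":
    p, q, g = setup_group(1019)
    print(p, q, g, dh_share(p, q, g))
```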
- (1)
- ;;;;.
- (2)
- , where ;;;;;;;; ;;;;.
- (3)
- , where ;;;;if then;;;;;else; ;.
- (4)
- , where ;;if then // access granted;;else // access denied; ;.
3.2. Definitions of Security
Partnering:
- ,,and .
- CLIENT and S is the SERVER.
- No oracle besides and accepts with a session key .
Freshness:
- has accepted ().
- No oracle has been asked for a Corrupt query before accepts.
- Neither nor its partner has been asked for a Reveal query.
Authenticated Key Exchange Security (AKE Security):
Mutual Authentication (MA):
Computational Diffie-Hellman (CDH) Assumption:
Adversary’s Resources:
- t: the adversary running time. By convention, this includes the amount of space it takes to describe the adversary.
- : these count the number of Send, Execute, Reveal, Corrupt, and Hash queries separately asked by the adversary , i.e., the number of in the PAKE protocol is (, and are, respectively, the number of , , , and queries asked by ).
3.3. Security Proofs of the Password Authenticated Key Exchange and Protected Password Change Protocols
3.3.1. Password Guessing Attack
3.3.2. Simulator/Computational Diffie-Hellman Attacker:
- When makes a query, increases the counter by 1. If , answers according to the PAKE protocol (return ). If , answers by using the element from the challenge (return ). When makes a query, if the input is not equal to the message , answers according to the PAKE protocol (return ). If the input is the flow corresponding to the challenge , answers by using the element from the challenge (return , where is a random element with length k). Here, it is difficult for to simulate an indistinguishable answer without the ability to solve the challenge .
- When makes a Reveal query, checks whether the oracle has accepted and is fresh. If so, answers by using the session key . However, if the session key has to be constructed from the challenge , halts and outputs fail.
- When makes a Corrupt or Execute query, answers in a straightforward way.
- When makes a Hash(m) query, checks whether m is in the Hash table. If so, returns the previous result. Otherwise, returns a random number r from and appends to the Hash table.
- When makes a single Test query, answers in a straightforward way. If the session key has to be constructed from the challenge , answers with a random string for the Test query on an oracle.
4. Comparisons
5. Conclusions
Acknowledgments
Author Contributions
Conflicts of Interest
References
- Anwar, N.; Riadi, I.; Luthfi, A. Forensic SIM card cloning using authentication algorithm. Int. J. Electron. Inf. Eng. 2016, 4, 71–81. [Google Scholar]
- Huang, H.-F.; Chang, H.-W. Enhancement of timestamp-based user authentication scheme with smart card. Int. J. Netw. Secur. 2014, 16, 463–467. [Google Scholar]
- Lee, C.-C.; Chiu, S.-T.; Li, C.-T. Improving Security of A Communication-efficient Three-party Password Authentication Key Exchange Protocol. Int. J. Netw. Secur. 2015, 17, 1–6. [Google Scholar]
- Zhu, H.; Zhang, Y.; Xia, Y.; Li, H. Password-Authenticated Key Exchange Scheme Using Chaotic Maps towards a New Architecture in Standard Model. Int. J. Netw. Secur. 2016, 18, 326–334. [Google Scholar]
- Zhu, H.; Zhang, Y. An Improved Two-party Password-Authenticated Key Agreement Protocol with Privacy Protection Based on Chaotic Maps. Int. J. Netw. Secur. 2017, 19, 487–497. [Google Scholar]
- Moon, J.; Lee, D.; Jung, J.; Won, D. Improvement of Efficient and Secure Smart Card Based Password Authentication Scheme. Int. J. Netw. Secur. 2017, 19, 1053–1061. [Google Scholar]
- Wu, M.; Chen, J.; Wang, R. An Enhanced Anonymous Password-based Authenticated Key Agreement Scheme with Formal Proof. Int. J. Netw. Secur. 2017, 19, 785–793. [Google Scholar]
- Ling, C.-H.; Lee, C.-C.; Yang, C.-C.; Hwang, M.-S. A Secure and Efficient One-time Password Authentication Scheme for WSN. Int. J. Netw. Secur. 2017, 19, 177–181. [Google Scholar]
- Lee, C.-C.; Hwang, M.-S.; Yang, W.-P. A flexible remote user authentication scheme using smart cards. ACM Oper. Syst. Rev. 2002, 36, 46–52. [Google Scholar] [CrossRef]
- Li, L.-H.; Lin, I.-C.; Hwang, M.-S. A remote password authentication scheme for multi-server architecture using neural networks. IEEE Trans. Neural Netw. 2001, 12, 1498–1504. [Google Scholar] [PubMed]
- Pecori, R.; Veltri, L. 3AKEP: Triple-authenticated key exchange protocol for peer-to-peer VoIP applications. Comput. Commun. 2016, 85, 28–40. [Google Scholar] [CrossRef]
- Hwang, M.-S. A new redundancy reducing cipher. Int. J. Inform. 2000, 11, 435–440. [Google Scholar]
- Tseng, Y.-M.; Jan, J.-Y.; Chien, H.-Y. On the security of methods for protecting password transmission. Int. J. Inform. 2001, 12, 469–476. [Google Scholar]
- Ghanem, W.R.; Shokir, M.; Dessoky, M. Defense Against Selfish PUEA in Cognitive Radio Networks Based on Hash Message Authentication Code. Int. J. Electron. Inf. Eng. 2016, 4, 12–21. [Google Scholar]
- Lin, C.-L.; Hwang, T. Authentication scheme with secure password updating. Comput. Secur. 2003, 22, 68–72. [Google Scholar] [CrossRef]
- Yang, C.-C.; Chang, T.-Y.; Li, J.W.; Hwang, M.-S. Security enhancement for protecting password transmission. IEICE Trans. Commun. 2003, E86-B, 2178–2181. [Google Scholar]
- Yang, C.-C.; Yang, Y.-W.; Chang, T.-Y. Cryptanalysis of an authentication key exchange protocol. J. Appl. Sci. 2005, 5, 281–283. [Google Scholar]
- Chang, T.-Y.; Hwang, M.-S.; Yang, W.-P. A communication-efficient three-party password authenticated key exchange protocol. Inf. Sci. 2011, 181, 217–226. [Google Scholar] [CrossRef]
- Yeh, H.-Y.; Sun, H.-M. Simple authenticated key agreement protocol resistant to password guessing attacks. ACM SIGOPS Oper. Syst. Rev. 2002, 36, 14–22. [Google Scholar] [CrossRef]
- Bellare, M.; Pointcheval, D.; Rogaway, P. Authenticated key exchange secure against dictionary attack. In Proceedings of the 19th International Conference on Theory and Application of Cryptographic Techniques—EUROCRYPT’00, Bruges, Belgium, 14–18 May 2000; pp. 122–138. [Google Scholar]
- Zhang, G.; Fan, D.; Zhang, Y.; Li, X. A Provably Secure General Construction for Key Exchange Protocols Using Smart Card and Password. Chin. J. Electron. 2017, 26, 271–278. [Google Scholar] [CrossRef]
- Ahmed, A.; Younes, A.; Abdellah, A.; Sadqi, Y. Strong Zero-knowledge Authentication Based on Virtual Passwords. Int. J. Netw. Secur. 2016, 18, 601–616. [Google Scholar]
- Liu, Y.; Chang, C.-C.; Chang, S.-C. An Efficient and Secure Smart Card Based Password Authentication Scheme. Int. J. Netw. Secur. 2017, 19, 1–10. [Google Scholar] [CrossRef]
- Wei, J.; Liu, W.; Hu, X. Secure and Efficient Smart Card Based Remote User Password Authentication Scheme. Int. J. Netw. Secur. 2016, 18, 782–792. [Google Scholar]
- Bayat, M.; Aref, M. An attribute based key agreement protocol resilient to KCI attack. Int. J. Electron. Inf. Eng. 2015, 2, 10–20. [Google Scholar]
- Pan, H.-T.; Pan, C.-S.; Tsaur, S.-C.; Hwang, M.-S. Cryptanalysis of Efficient Dynamic ID Based Remote User Authentication Scheme in Multi-server Environment Using Smart Card. In Proceedings of the 12th International Conference on Computational Intelligence and Security, Wuxi, China, 16–19 December 2016; pp. 590–593. [Google Scholar]
- Tsai, C.-Y.; Pan, C.-S.; Hwang, M.-S. An Improved Password Authentication Scheme for Smart Card. In Proceedings of the Advances in Intelligent Systems and Computing, Recent Developments in Intelligent Systems and Interactive Applications, Shanghai, China, 25–26 June 2016; Volume 541, pp. 194–199. [Google Scholar]
- Liu, C.-W.; Tsai, C.-Y.; Hwang, M.-S. Cryptanalysis of an Efficient and Secure Smart Card Based Password Authentication Scheme. In Proceedings of the Advances in Intelligent Systems and Computing, Recent Developments in Intelligent Systems and Interactive Applications, Shanghai, China, 25–26 June 2016; Volume 541, pp. 188–193. [Google Scholar]
Attack / Property | [21] | [22] | [23] | [9] | [24] | [16] | Our Scheme |
---|---|---|---|---|---|---|---|
Off-line guessing attack | No | Yes | No | No | No | Yes | No |
Stolen-verifier attack | No | Yes | No | No | No | No | No |
Replay attack | No | No | Yes | Yes | No | No | No |
DOS attack | No | No | No | Yes | No | Yes | No |
Key Compromise Impersonation Attack | No | No | No | No | No | No | No |
Mutual Authentication | Yes | Yes | Yes | No | Yes | Yes | Yes |
Session key establishment | Yes | Yes | Yes | No | Yes | No | Yes |
Forward Secrecy | No | No | No | - | Yes | - | Yes |
Provable security | Yes | No | Yes | No | No | No | Yes |
Known-password by Server | Yes | No | No | No | No | No | No |
© 2017 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Share and Cite
Chang, T.-Y.; Hwang, M.-S.; Yang, C.-C. Password Authenticated Key Exchange and Protected Password Change Protocols. Symmetry 2017, 9, 134. https://doi.org/10.3390/sym9080134