Recently, Shim proposed a tripartite authenticated key agreement protocol from Weil pairing to overcome the security flaw in Joux\u27s protocol. Later, Shim also proposed an ID-based authenticated key agreement protocol which is an improvement of Smart\u27s protocol in order to provide the forward secrecy. In this paper, we show that these two protocols are insecure against the key-compromise impersonation attack and the man-in-the-middle attack respectively

Bin-Tsan Hsieh

Hung-Min Sun

Cryptology ePrint Archive

Security Analysis of Shim’s Authenticated KeyAgreement Protocols from PairingsHung-Min Sun and Bin-Tsan Hsieh†Department of Computer Science,National Tsing Hua University, Hsinchu, Taiwan, R.O.C.hmsun@cs.nthu.edu.tw†Department of Computer Science and Information Engineering,National Cheng Kung University, Tainan, Taiwan, R.O.C.bintsan@csie.ncku.edu.twAbstractRecently, Shim proposed a tripartite authenticated key agreement pro-tocol from Weil pairing to overcome the security flaw in Joux’s protocol.Later, Shim also proposed an ID-based authenticated key agreement pro-tocol which is an improvement of Smart’s protocol in order to providethe forward secrecy. In this paper, we show that these two protocols areinsecure against the key-compromise impersonation attack and the man-in-the-middle attack respectively.Keywords: Cryptanalysis, Weil Pairing, ID-based, Key Agreement, Au-thentication1 IntroductionTraditionally, asymmetric cryptographic schemes are based on either the dis-crete logarithm problem or the factoring problem. The most concerned issue inimplementation of cryptographic schemes is the computation cost of modularexponentiation. To overcome such a problem, the elliptic curve cryptographybecomes a good choice because it reduces the computation cost while remain-ing the same security level. It is noticed that the decision of Diffie-Hellmanis regarded as a hard problem in discrete logarithm, however, it is not a hardproblem in elliptic curve cryptography due to Weil pairing [1]. Weil pairing isa new primitive and is interesting to cryptography societies. Several crypto-graphic schemes [2][3][4][5][6] are designed based on the Weil pairing, and enjoythe convenience of the property of Weil pairing.For a sound authenticated key exchange protocol, Wilson and Menezes [7]defined several desirable security attributes. We show these attributes in thefollowing. Here we assume A and B are two honest entities.11. Known-Key Security In each round of key agreement protocol, A andB should generate a unique secret key. Each key generated in one protocolround is independent and should not be exposed if other secret keys arecompromised.2. Forward Secrecy The Forward Secrecy property is that if A and B’ssecret keys are compromised, the session keys used in the past should notbe recovered.3. Key-Compromise Impersonation A protocol which is secure againstthe key compromise impersonation attack means that if A’s secret key iscompromised, the adversary who knows the value can not impersonateothers to A.4. Unknown Key-Share After the protocol, A ends up believing he sharesa key with B, and B mistakenly believes that the key is instead shared withan adversary. Therefore, a sound authenticated key agreement protocolshould prevent the unknown key-share situation.In 2000, Joux [2] proposed a tripartite Diffie-Hellman key agreement protocolbased on the Weil pairing. However, Shim [5] pointed out that Joux’s protocolsuffers from the man-in-the-middle attack and further proposed an improvedtripartite authenticated key agreement protocol. Shim employed the publickey infrastructure to overcome the security flaw in Joux’s protocol and claimedthat the improved protocol can withstand some attacks [5], such as the man-in-the-middle attack, the key-compromise impersonation attack, and the unknownkey-share attack.On the other hand, Smart [4] proposed an ID-based authenticated key agree-ment protocol based on Weil pairing. Later, Shim [6] pointed out that Smart’sprotocol does not provide the forward secrecy which is an important securityrequirement of an authenticated key agreement protocol. Shim [6] further pro-posed an efficient ID-based authenticated key agreement protocol to provide theforward secrecy. Shim also gave more security analysis to show that the pro-posed protocol provides other attractive security properties of an authenticationkey agreement protocol [7][8], such as known-key security, forward secrecy, keycompromise impersonation resilience, and unknown key-share resilience.In this paper, we show that both Shim’s protocols are still insecure againstthe key-compromise impersonation attack and the man-in-the-middle attack re-spectively. The rest of this paper is organized in the following. In Section 2, webriefly review Shim’s tripartite authenticated key agreement protocol from Weilpairing and show its insecurity. In Section 3, we review Shim’s ID-based authen-ticated key agreement protocol from Weil pairing and point out its weakness.We conclude this paper in Section 4.22 On the security of Shim’s tripartite authenti-cated key agreement protocolThe protocol proposed by Shim is a one round tripartite authenticated keyagreement protocol which enables three parties to obtain a common session keyin a single round. We describe the protocol as follows:2.1 SetupSystem SetupLet p be a prime such that p = 6q − 1 for some prime q, and E be asupersingular elliptic curve defined by y2 = x3 + 1 over Fp. Let P be a pointsgenerator of the group with order q = (p + 1)/6 and the set of points form acyclic group, denoted as G1. Let G2 be the subgroup of F ∗p2 that contains allelements of order q. The modified Weil pairing on the curve E is a bilinearmapping ê : G1 ×G1 → G2 that has the following properties:(1) Bilinear: For any P,Q ∈ G1 and a, b ∈ Z, we have ê(aP, bQ) = e(P,Q)ab.(2) Non-degenerate: ê(P, P ) is a generator of G2.(3) Computable: Let P,Q ∈ G1, there is an efficient algorithm to computeê(P,Q) ∈ G2.Key SetupThe public domain parameters {p, q, E, P , ê} are common to all entities.A user R’s public key is denoted as YR = rP , where r is R’s secret key. CertRdenotes the certificate of user R.2.2 Shim’s tripartite authenticated key agreement proto-colFirst, A, B, and C choose random numbers x, y, and z and compute TA =x(aP ), TB = y(bP ), TC = z(cP ), respectively. Next, they broadcast the com-puted values and their certificates to others.A : TA = x(aP ), CertAB : TB = y(bP ), CertBC : TC = z(cP ), CertCThe keys computed by A, B, and C are:KA = ê(TB , TC)axê(YB ,YC)a= ê(P, P )abcxyzê(P,P )abcKB = ê(TA, TC)byê(YA,YC)b= ê(P, P )abcxyzê(P,P )abcKC = ê(TA, TB)czê(YA,YB)c= ê(P, P )abcxyzê(P,P )abc32.3 Key compromise impersonation attack on Shim’s tri-partite authenticated key agreement protocolIn this subsection, we give the following scenario to show that Shim’s protocol isinsecure against the key compromise impersonation attack. That is an adversaryAdv who knows A’s secret key a can impersonate B to A.First, the adversary Adv selects a random number u and computes T′B = uP .Next, Adv sends T′B and CertB to A. Assuming C is honest, therefore, Areceives two messages from Adv and C as follows:Adv → A : T′B = uP, CertBC → A : TC = z(cP ), CertC .Upon the received messages, A computes the session key KA:KA = ê(T′B , TC)axê(YB ,YC)a= ê(P, P )axuczê(P,P )abc.Similarly, Adv receives the two messages from honest A and C as follows:A→ Adv : TA = x(aP ), CertAC → Adv : TC = z(cP ), CertC .Finally, Adv can compute the common session key KE :KE = ê(TA, TC)uê(YB ,YC)a= ê(P, P )axuczê(P,P )abc.Namely, with the knowledge of A’s secret key a, Adv can impersonate Bto A. Moreover, Adv can surely perform the same steps above to cheat Csimultaneously.3 On the security of Shim’s ID-based authenti-cated key agreement protocolThe protocol is an ID-based authenticated key agreement protocol in whicha user’s identity is regarded as his public key. The details of the protocol isdescribed as follows:3.1 SetupSystem SetupThe system setup is the same as in the previous protocol with an extra hashfunction. The hash function H : {0, 1}∗ → G1 used in the protocol is a mappingof user’s ID to an element in G1.Key Setup4The key generation center computes his public key Ppub = sP , where s ∈RZ∗q is the center’s secret key. The center publishes the system parametersparams = {G1, G2, e, q, P, Ppub,H}. Each user i sends his IDi ∈ {0, 1}∗ tothe center. The center computes Qi = H2(IDi) and returns Si = sQi to user ivia a secure channel. User i keeps Si as his private key.3.2 Shim’s ID-based authenticated key agreement proto-colTwo parties A and B run the protocol as follows:Step 1. A computes Ta = aP , where a is a random number, and sends it toB.Step 2. B computes Tb = bP , where b is a random number, and sends it toA.Step 3. A computes QB = H(IDB) and the shared secretKAB = e(aPpub + SA, Tb + QB)= e(P, P )abse(QA, P )bse(P,QB)ase(QA, QB)sStep 4. B computes QA = H(IDA) and the shared secretKBA = e(Ta + QA, bPpub + SB)= e(P, P )abse(QA, P )bse(P,QB)ase(QA, QB)sStep 5. The session key is K = kdf(KAB ||A||B) = kdf(KBA||A||B), wherekdf() is a public key derivation function.We briefly depict the scenario of Shim’s protocol in figure 1.A BTa = aPTa−→Tb = bPTb←−QB = H(IDB) QA = H(IDA)KAB = e(aPpub + SA, Tb + QB) KBA = e(Ta + QA, bPpub + SB)Figure 1: ID-based authenticated key agreement protocol3.3 Man-in-the-middle attack on Shim’s ID-based authen-ticated key agreement protocolIn this subsection, we demonstrate that an adversary Adv can perform thefollowing steps, referred to as man-in-the-middle attack, to obtain the sessionkeys computed by A and B, respectively.5Step 1. Adv intercepts Ta from A. He computes QA = H(IDA) and sendsT ′a = a′P −QA to B, where a′ is selected by E.Step 2. Adv intercepts Tb from B. He computes QB = H(IDB) and sendsT ′b = b′P −QB to A, where b′ is selected by E.It is clear that two shared secrets computed by A and B areKAB = e(aPpub + SA, T ′b + QB)= e(aPpub + SA, b′P )= e(P, P )asb′e(QA, P )sb′andKBA = e(T ′a + QA, bPpub + SB)= e(a′P, bPpub + SB)= e(P, P )a′sbe(P,QB)a′s.After the masquerade, the adversary Adv can also compute the two sharedsecrets computed by A and BK ′AB = e(Ta, b′Ppub)e(QA, b′Ppub)= e(P, P )asb′e(QA, P )sb′= KABK ′BA = e(Tb, a′Ppub)e(a′Ppub, QB)= e(P, P )a′sbe(P,QB)a′s= KBAThe scenario of the man-in-the-middle attack is given in figure 2.4 Conclusions and RemarksIn this paper, we have shown that both Shim’s protocols from Weil pairing areinsecure against the key-compromise impersonation attack and the man-in-the-middle attack respectively. Moreover, the fact that Shim’s ID-based authenti-cated key agreement protocol is insecure against the man-in-the-middle attackimplies that the protocol does not provide key-compromise impersonation re-silience either. Because the man-in-the-middle attack can be regarded as twoconcurrent impersonation attacks to A and B without key compromising.6A E BTa = aPTa−→T ′a = a′P −QAT ′a−→Ta = aPTb←−T ′b = b′P −QBT ′b←−KAB = e(aPpub + SA, T ′b + QB) KBA = e(T′a + QA, bPpub + SB)= e(P, P )asb′e(QA, P )sb′= e(P, P )a′sbe(P,QB)a′sFigure 2: Man-in-the-middle attack on ID-based authenticated key agreementprotocolReferences[1] P.S.L.M. Barreto, H.Y. Kim, B. Lynn, and M. Scott, ”Efficient algorithmsfor Pairing-based cryptosystems”, Proc. Crypto ’02, Santa Barbara, CA,USA, pp. 354-369, August 2002.[2] A. Joux, ”An one round protocol for tripartite Diffie-Hellman”, Proc. ANTS4, LNCS 1838, pp. 385-394, 2000.[3] D. Boneh, and M. Franklin, ”Identity-based encryption from the Weil pair-ing”, Advances in cryptology, Crypto ’01, Santa Barbara, CA, USA, pp.213-229, August 2001.[4] N. P. Smart, ”An ID-based authenticated key agreement protocol based onthe Weil pairing”, Electron. Lett., 38, (14), pp. 630-632, 2002.[5] K. Shim, ”Efficient one round tripartite authenticated key agreement pro-tocol from Weil pairing”, Electronics Letters, Vol. 39, No. 2, pp. 208-209,2003.[6] K. Shim, ”Efficient ID-based authenticated key agreement protocol basedon Weil pairing”, Electron. Lett, 39, (8), pp. 653-654, 2003.[7] S. B. Wilson, and A. Menezes, ”Authenticated Diffie-Hellman key agreementprotocols”, Proceedings of the 5th Annual Workshop on Selected Areas inCryptography (SAC ’98), Lecture Notes in Computer Science, pp. 339-361,1999.[8] A. Menezes, M. Qu, and S. A. Vanstone, ”Some key agreement protocolsproviding implicit authentication”, Workshop on Selected Areas in Cryp-tography (SAC ’95), pp. 22-32, 1995.7

Security Analysis of Shim\u27s Authenticated Key Agreement Protocols from Pairings

Abstract

Similar works

Full text

Available Versions

Cryptology ePrint Archive