Alongside encryption and signatures, key agreement is one of the fundamental issues in modern cryptography and its security is the main concern in cloud computing and World Wide Web-based applications. In this paper, a novel type of more secure 3-pass key agreement protocol is proposed based on a recently proposed matrix-based key agreement protocol of Romańczuk and Ustimenko. By the hash-and-sign approach and immediate use of new session key, explicit key authentication, forward secrecy and bit security are achieved simultaneously. Cryptanalysis also shows that it is immune to the man-in-the-middle attack while matrix entries from a commutative ring provide an advantageous hiding mechanism

Jianhua, Zhang

Jianying, Chen

Jun, Yang

Linxin, Shu

Tiao, Liu

English

AIS Electronic Library (AISeL)

Association for Information SystemsAIS Electronic Library (AISeL)WHICEB 2013 Proceedings Wuhan International Conference on e-BusinessSummer 5-25-2013Authenticated Key Agreement Protocol Based on aMatrix Group and Polynomial Ring over a FiniteFieldYang JunJunCollege of Computer Science and Technology, Southwest University for NationalitiesZhang JianhuaCollege of Computer Science and Technology, Southwest University for NationalitiesChen JianyingCollege of Computer Science and Technology, Southwest University for NationalitiesLiu TiaoCollege of Computer Science and Technology, Southwest University for NationalitiesShu LinxinCollege of Computer Science and Technology, Southwest University for NationalitiesFollow this and additional works at: http://aisel.aisnet.org/whiceb2013This material is brought to you by the Wuhan International Conference on e-Business at AIS Electronic Library (AISeL). It has been accepted forinclusion in WHICEB 2013 Proceedings by an authorized administrator of AIS Electronic Library (AISeL). For more information, please contactelibrary@aisnet.org.Recommended CitationJun, Yang; Jianhua, Zhang; Jianying, Chen; Tiao, Liu; and Linxin, Shu, "Authenticated Key Agreement Protocol Based on a MatrixGroup and Polynomial Ring over a Finite Field" (2013). WHICEB 2013 Proceedings. 67.http://aisel.aisnet.org/whiceb2013/67324 The Twelfth Wuhan International Conference on E-Business——IT/IS Technology for E-Business TrackAuthenticated Key Agreement ProtocolBased on a Matrix Group and Polynomial Ring over a Finite FieldJun Yang，Jianhua Zhang, Jianying Chen，Tiao Liu，Linxin ShuCollege of Computer Science and Technology, Southwest University for Nationalities, Chengdu,Sichuan 610041, ChinaAbstract: Alongside encryption and signatures, key agreement is one of the fundamental issues in moderncryptography and its security is the main concern in cloud computing and World Wide Web-based applications. Inthis paper, a novel type of more secure 3-pass key agreement protocol is proposed based on a recently proposedmatrix-based key agreement protocol of Roma ń czuk and Ustimenko. By the hash-and-sign approach andimmediate use of new session key, explicit key authentication, forward secrecy and bit security are achievedsimultaneously. Cryptanalysis also shows that it is immune to the man-in-the-middle attack while matrix entriesfrom a commutative ring provide an advantageous hiding mechanism.Keywords: Key agreement protocol, Explicit key authentication, Man-in-the-middle attack, Forward secrecy, Bitsecurity1. INTRODUCTIONInformation and multimedia communications technologies provide cyber-infrastructure and platforms toachieve more efficient business in cloud computing over open computer and communications networks such asthe Internet, in particular, via World Wide Web-based tools[1]. Secure services can be realized only ifcommunications are conducted securely and an effective solution is to apply cryptography.In modern cryptography, cryptographic keys are the basis for secure communication channels and theestablishment of secret keys is a major problem and the Achilles’ heel for the large-scale deployment ofsymmetric cryptography[2], [3]. Currently, there are basically two approaches to address the problem: one is theuse of a KDC (Key Distribution Centre), such as Kerberos and the other is the use of a key establishmentprotocol[4]. The latter provides shared secrets between two or more parties, typically for subsequent use assymmetric keys for a variety of information security services including encryption, message authentication, andentity authentication. These protocols may be further subdivided into key exchange (unfortunately,key-exchange protocols also tend to be more involved[4], [5]) and key transport: in the former all participatingentities contribute information which is used to derive the shared secret key, while in the latter one entity createsthe secret key and securely transfers it to the other(s) .Up to date, there have been three types of key transport protocols[4],[5]: key transport based on symmetricencryption and hybrid key transport protocols using symmetric encryption in addition to both public-keyencryption and signatures. An authenticated key establishment protocol is a key establishment protocol whichprovides key authentication. It is generally desired that each party in a key establishment protocol be able todetermine the true identity of the other(s) which could possibly gain access to the resulting key, implyingpreclusion of any unauthorized additional parties from deducing the same key. While privacy of keying materialis a requirement in key transport protocols, source authentication is also typically needed and the majority ofthese approaches rely on asymmetric cryptography.The Twelfth Wuhan International Conference on E-Business——IT/IS Technology for E-Business Track 325In 2008, Myasnikov, Shpilrain and Ushakov[6]conjectured that groups of matrices over finite commutativerings could be the best platforms for canonical cryptographic protocols because these groups have “the best ofboth worlds” in the sense that matrix multiplication is non-commutative, but matrix entries coming from acommutative ring provides a good hiding mechanism. In 2010, Romańczuk and Ustimenko[7] proposed a keyagreement protocol based on a matrix group and polynomial ring over a finite field. In 2011, Blackburn, Cid andMullan[8] amounted an attack on it, but it was invalid for the attacker utilized a secret system parameter. In thispaper, however, we observe that it is lack of the mechanisms of identification and data origin authentication thatcauses the RU’s protocol to encounter the man-in-the-middle attack. Inspired by the above work, we propose anddiscuss a hybrid authenticated key agreement transport protocol using the hash-and-sign approach andimmediate use of new session key, which turns out to be more secure against several common attacks than theRU’s protocol. Section 2 describes the proposed 3-pass protocol. Its security and performance analysis areexamined in section 3. Conclusions and future work are presented in section 4.2. THE PROPOSED PROTOCOLIn this section, inspired by the idea of Romańczuk and Ustimenko and introducing a symmetric encryptionalgorithm and digital signatures with a secure one-way hash function, we propose a three-pass variation of thefamous Station-to-Station protocol (STS) which allows the establishment of a shared secret key between twoparties with mutual entity authentication and mutual explicit key authentication. The protocol also facilitatesanonymity – the identities of A and B may be protected from eavesdroppers.The Proposed ProtocolSUMMARY: parties A and B exchange 3 messages.RESULT: key agreement, mutual entity authentication, explicit key authentication.1. One-time setup (definitions and publication of system parameters)Let GL ( )n qF denote the group of invertible n×n matrices over a finite field qF of order q, and let[ ],  q x yF denote the polynomial ring over qF in two variables x and y. Let , GL ( )n qC D∈ F be two commutingmatrices and let nqd ∈F . The matrices ,C D and the vector d are made public.Each user U has a signature scheme, where its signature algorithm is denoted as SigU and verificationalgorithm VerU , and has a public-key certificate ( ) ( ) ( )( )( )CACert ID ,  Ver ,  Sig ID ,  VerU UU U U= , whereCASig is the signature algorithm of a Certification Authority (CA). Let E be a symmetric encryption algorithm.( )AS m denotes A’s signature on a string m using A’s private key, defined as ( )AS m = ( )( )Sig A H m , where H isa secure one-way hash function and any n-dimensional vector is coded as the bitwise concatenation of itscomponents prior to being hashed.2. Protocol messages and actions1) Alice randomly picks a polynomial ( ),Af x y ∈ [ ],  q x yF , computes:( )  ,A Af C D dω ← ,and then sends ( )Cert   AU ωP to Bob.326 The Twelfth Wuhan International Conference on E-Business——IT/IS Technology for E-Business Track2) Bob randomly picks a polynomial ( ),Bf x y ∈ [ ],  q x yF , computes:( )  ,B Bf C D dω ← ,( )  ,B AK f C D ω← ,( )( )   (ID     ) B K B B AE S Aσ ω ω← P P ,and then sends ( )Cert     B BB ω σP P to Alice.3) Alice uses VerB to verify Bσ .If the signature Bσ is invalid, then she “rejects and exits”; otherwise she“accepts”, and performs the following steps:3.1) Compute ( )  ,A BK f C D ω←3.2) Hash-sign-and-encrypt:( )( )   (ID     ) A K A A BE S Bσ ω ω← P P3.3)   :  AA B σ→4) Bob uses VerA to verify Aσ .If the signature Aσ is invalid, then she “rejects and exits”; otherwise she“accepts”.3. SECURITYAND PERFORMANCEANALYSISA key establishment protocol should ideally result in the sharing of secret keys that have the same attributesas keys that were established by people who know each other and meet in a secure location to select a key byrepeatedly tossing a fair coin. In particular, subsequent use of the secret keys in a cryptographic protocol shouldnot in any way reduce the security of that protocol. This notion of security has proved very difficult to formalize.Instead, for a two-party key agreement protocol, the main security goals of a key establishment protocol areimplicit/explicit key authentication [2]-[5]:1) Implicit key authentication. A key establishment protocol is said to provide implicit key authentication(of B to A) if entity A is assured that no other entity aside from a specifically identified second entity B canpossibly learn the value of a particular session key. The property does not imply that A is assured of B actuallypossessing the key.2) Explicit key authentication. A key establishment protocol is said to provide key confirmation (of B to A)if entity A is assured that the second entity B can compute or has actually computed the session key. If bothimplicit key authentication and key confirmation (of B to A) are provided, then the key establishment protocol issaid to provide explicit key authentication (of B to A). Explicit key authentication of both entities normallyrequires three passes (messages exchanged).In step 3.1), Alice and Bob have the proof of their shared key K as follows:Since( ) ( ) ( )( ) ( ) ( )  , , ,   , , ,B B A B AA A B A BK f C D f C D f C D dK f C D f C D f C D dωω⎧ ← =⎪⎨ ← =⎪⎩(1)andCD= DC , one has thatThe Twelfth Wuhan International Conference on E-Business——IT/IS Technology for E-Business Track 327( ) ( ) ( ) ( ), , , ,A B B Af C D f C D f C D f C D= .Therefore, A BK K= , which means that Alice is assured that Bob can compute or has actually computed thesession key K . Likewise, after step 4) is successfully executed, Bob is assured that Alice can compute or hasactually computed the session key K . Furthermore, no entity apart from Alice and Bob can compute K , due tothe following two properties: ( ) ( ),  and ,A Bf C D f C D are two secret system parameters any passive attackercannot eavesdrop. And any active attacker cannot solve the system (1) of matrix equations, givenK ( )A BK K= = , Aω , Bω , and d [6]. In other words, the proposed protocol provides explicit key authentication.When examining the security of protocols, it is assumed that the underlying cryptographic mechanismsused, such as encryption algorithms and digital signatures schemes, are secure. Thus, there are other possibleways to attack our protocol as follows.The man-in-the-middle attack: As shown above, any attacker cannot acquire the session key K , and hencehe cannot decrypt Bσ and Aσ in steps 2) and 3.2). Although he can intercept Aω and Bω in steps 1) and 2), andcould substitute them for 'Aω and'Bω , respectively, he has to continue to substitute the original signatures for( ) '(ID     )B B AS A ω ωP P and ( ) '(ID     )A A BS B ω ωP P . Fortunately, since he does not know the signaturealgorithms SigB and Sig A , he cannot compute B’s or A’s signature with respect to the string( )ID  A P '  B Aω ωP or ( ) 'ID     A BB ω ωP P . This means that our protocol is immune to the man-in-the-middleattack.Other merits of our protocol include:Two parties sharing no a priori keying material can end up with a shared secret key.The publicly transported factors Aω and Bω , which are the main contribution to the key agreement and notallowed to be impersonated, are encrypted by a symmetric encryption algorithm together with a secure one-wayhash function H to guarantee the integrity and authenticity[9].Therefore, the proposed protocol can be classifiedas a secret key exchange[10], and thus be assured forward secrecy and bit security providing that the sessionkey K in the above should actually be set to ( )H K .All the inverses of underlying matrix group GL ( )n qF can be obtained by pre-computation before theprotocol actions are taken. During the whole process of the protocol execution, all the matrix multiplication,exponentiation, and evaluation of polynomials cab be efficiently conducted[11]-[13], which facilitates on-line keyestablishment.4. CONCLUSIONS AND FUTUREWORKThe proposed 3-pass protocol is a novel type of hybrid authenticated key transport protocol satisfyingseveral desirable security properties and efficient in computation and communication. Its basic security is basedon the widespread difficulty problem of the discrete logarithm and secure against the passive attack and someactive attacks: By the hash-and-sign approach and immediate use of new session key, explicit key authentication,forward secrecy and bit security are achieved simultaneously and the man-in-the-middle attack is naturallyprevented. Furthermore, it requires no keys private or public to be exchanged beforehand, which is its inherent328 The Twelfth Wuhan International Conference on E-Business——IT/IS Technology for E-Business Trackadvantage.While it is unconditionally secure and does not depend on any computational intractability assumptions, thequantum key establishment protocol is currently not practical for actual applications[14]. Future work includesdesigning efficient and authenticated key transport protocols provably secure in the random oracle model fornetwork security systems, conducting simulation and doing in-depth performance analysis of the proposed novelprotocol.ACKNOWLEDGEMENTThis research was supported by the Natural Science Foundation of the State Ethnic Affairs Commission ofChina (10XN08), “National College Students Innovation and Entrepreneurship Training Programme” Project ofSWUN (201210656014), Technological Application Basic Project of Sichuan Province (2012JY0096), andHumanities and Social Science Project of Ministry of Education of China (12YJAZH004).REFERENCES[1] Jangra1 A, Bala R. (2012). A Survey on Various Possible Vulnerabilities and Attacks in Cloud ComputingEnvironment[J]. International Journal of Computing and Business Research, 3(1): 1-13[2] Menezes A J, Oorschot P Van, Vanstone S. (1997). Handbook of Applied Cryptography[M]. Boca Raton: CRC Press,489-492, 519-520[3] Cohen H, Frey G. (2006). Handbook of Elliptic and Hyperelliptic Curve Cryptography[M]. Boca Raton: Chapman &Hall/CRC, 573-576[4] Katz J, Lindell Y. (2012). Introduction to Modern Cryptography: Principles and Protocols[M]. Beijing: NationalDefense Industry Press, 212-216 (in Chinese)[5] Zhang Hua, Wen Qiaoyan, Jin Zhengping. (2012). Provably Secure Algorithms and Protocols[M]. Beijing: SciencePress, 280-295 (in Chinese)[6] Myasnikov A, Shpilrain V, Ushakov A. (2008). Group-based Cryptography (in: Advanced Courses in MathematicsCRM Barcelona) [M]. Birkhauser: Verlag AG, 65-67[7] Romanczuk U, Ustimenko V. (2010). On the PSL2(q), Ramanujan graphs and key exchange protocols. http://aca2010.info/index.php/aca2010/aca2010/paper/viewFile/80/3[8] Blackburn S R, Cid C, Mullan C. (2011). Cryptanalysis of three matrix-based key establishment protocols[J]. Journal ofMathematical Cryptology, 5 (2): 159-168[9] Anderson R J, translated by Qi Ning, Han Zhiwen, Liu Guoping. (2012). Security Engineering: A Guide to BuildingDependabale Distributed Systems (2nd Ed.) [M]. Beijing: Tsinghua University Press, 98 (in Chinese)[10] Goldwasser S, Bellare M. (2008). Lecture Notes on Cryptography: 217-218. http://www.math. uni-bonn.de/~saxena/courses/WS2010-ref1.pdf[11] Shoup V. (2008). A Computational Introduction to Number Theory and Algebra [M]. Cambridge: CambridgeUniversity Press, 64-69, 77-82[12] Cormen T H, Leiserson C E, Rivest R L, et al. (2008). Introduction to Algorithms (2nd Ed.) [M]. Massachusetts: TheMIT Press, 735-751[13] Knuth D E. (2010). The Art of Computer Programming,Vol 2: Seminumerical Algorithms (3rd Ed.) [M]. Beijing: Posts& Telecom Press, 499-501[14] Barrett J, Colbeck R, Kent A. (2013). Memory Attacks on Device-Independent Quantum Cryptography[J]. PhysicalReview Letters, American Physical Society, 110 (1): 67-71

Authenticated Key Agreement Protocol Based on a Matrix Group and Polynomial Ring over a Finite Field

https://aisel.aisnet.org/cgi/viewcontent.cgi?article=1050&amp;context=whiceb2013

Authenticated Key Agreement Protocol Based on a Matrix Group and Polynomial Ring over a Finite Field

Abstract

Similar works

Full text

Available Versions

AIS Electronic Library (AISeL)