Authenticated key exchange protocol based on two hard problems


In this paper, we propose a new secured key exchange protocol which is based on two hard problems. The security proofs for the new protocol confirm their novelty and security.

Scientific and technological research

AUTHENTICATED KEY EXCHANGE PROTOCOL BASED ON TWO HARD PROBLEMS

Do Viet Binh*

Abstract: Arazi was the first author to propose the integration of a key exchange protocol with a digital signature algorithm. Other authors have subsequently proposed methods to increase the level of security and achieve the necessary properties of authenticated key exchange protocols. However, these proposals exhibit several weaknesses and the majority of these protocols are based only on a single hard problem. In this paper, we propose a new secured key exchange protocol which is based on two hard problems. The security proofs for the new protocol confirm their novelty and security.

Key words: Authentication, Hard problem, Key exchange.

INTRODUCTION

The Diffie-Hellman key exchange protocol does not guarantee authentication between the two parties of the protocol [1]. Based on this fact, it is possible to develop a new key exchange protocol by integrating the Diffie-Hellman key exchange protocol (DH) into a digital signature scheme (DSA). This inherits the advantages of DH and DSA when they are deployed in practice. In paper [2], Arazi proposed improving the security of a key exchange protocol by integrating DH and DSA. However, later research [3], [4], [8] has highlighted several drawbacks to this method. Thus, other authors investigated ways to further improve the level of security and to achieve the required properties of authenticated key exchange (AKE) protocols [4-6], [9-11]. Nevertheless, several limitations remain, and the majority of these proposals are based on only one hard problem [2-6], [8-11]. This paper proposes a new secure authenticated key exchange protocol based on two hard problems.

The structure of the rest of the paper is as follows. Section presents an overview of related work in this area of study. Section briefly describes the digital signature scheme [7], which is the foundation for the new secure key exchange protocol based on two hard problems
(DH-MM-KE) and provides security proofs for the proposed protocol. The performance results of the new protocol are reported in Section . Section summarizes the paper.

Tạp chí Nghiên cứu KH&CN quân sự, No. 50, 08 - 2017, Information technology & mathematical foundations for informatics

RELATED WORK

In 1993, Arazi designed a key exchange protocol with the idea of integrating the DH protocol into the DSA scheme [2]. However, some other authors [3], [4], [8] have pointed out several weaknesses in Arazi’s scheme, such as small subgroup attacks, known key attacks, unknown key attacks, and key replay attacks. Therefore, L. Harn [4] extended Arazi’s scheme to securely integrate the DH protocol into the DSA scheme. Harn suggested three protocol alternatives for different types of application. The key exchange protocols proposed by Harn had three important features: known-key security, unknown key-share security, and key replay security. These three security properties are standard requirements for any authenticated key exchange protocol. However, these protocols fail to provide the other two security properties: forward secrecy and key freshness [9].

In 2005, Phan [9] proposed a new protocol that had forward secrecy. In this protocol, even if the long-term private key of one side is exposed, the previous session key cannot be determined. In 2010, J. Liu and J. Li [6] suggested another protocol that overcomes the weaknesses of Phan’s key exchange protocol. Liu and Li's protocol was more secure than Phan's protocol while still maintaining its advantages. In 2014, D. Sow et al. [10] pointed out weaknesses in the protocol suggested by Jeong et al. [5] and presented their improvement. However, all of these key exchange protocols are based on only one hard problem (the discrete logarithm problem – DLP).

DESIGN OF THE DH-MM-KE PROTOCOL

3.1 Signature scheme based on two hard problems

This section provides an overview of a digital signature scheme based on two hard problems [11] (called the MM scheme). This scheme uses a prime
modulo p with the special structure = + 1, where = ′ , ′ and are large prime numbers of at least 1024 bits. The value is a primitive element in of order satisfying ≡1. The values and are the private key and the public key, respectively, and are generated as in the RSA cryptosystem [26] is selected to be a small number (with a size between 16 and 32 bits) that is relatively prime to ( ) = ( − 1)( − 1), while is computed as = ( ) is a secure one-way hash function.

1) Key generation: ( , ) =
- Randomly select integer ∈ such that
- Compute d such that ≡1 ( )
- Randomly select private key with ∈ ∗ and compute =
The public key is ( , , ). The private key is ( , ).

2) Signature generation:
- Select secret random number , ∈ [1, − 1]
- Compute =
- Compute = ( || )
- Compute the value , such that =( − ) i.e., = ( − ) such that =
The signature is the pair ( , ).

3) Signature verification:
- Compute ∗ = and ∗ = ( || ∗ ) ∗
- Compare the values and
If ∗ = , then the signature is valid. Otherwise, the signature is rejected as invalid.

3.2 DH-MM-KE protocol

This section proposes a new protocol, the Diffie Hellman–MM–Key Exchange protocol (DH-MM-KEP).

3.2.1 DH-MM-KEP design

The domain parameters are ( , , , ) as defined for the MM scheme.

User A: = + 1, where = and , are large prime numbers of at least 1024 bits. A's key parameters are a public key ( , ) and a private key ( , ).

User B: = + 1, where = and , are large prime numbers of at least 1024 bits. B's key parameters are a public key ( , ) and a private key ( , ).

Compute such that it is a generator in ∗ and ∗. With a certain probability (roughly equal to 1/4), a random value for is a generator in ∗ and ∗. Therefore, try several values of and check if it is a generator in both groups. We denote { } = {0, 1, … , − 1} and { } = {0, 1, … , − 1}. Compute the intersection ∩ of the two sets and to create a set = ∩. Therefore, the value is also a generator of ∗
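The generator search described above, as an added example that is not code from the paper. It assumes each party's modulus has the form p = 2·q·q' + 1 with q, q' prime, uses toy-sized primes constructed for illustration, and all names (`PARTY_A`, `is_generator`, `find_common_generator`, `common_generator_fraction`) are hypothetical. A party receiving a proposed generator can run the same check rather than trusting the value.

```python
# Added example: toy-sized parameters, constructed for illustration only.
# Assumption: p = 2*q*q' + 1 with q, q' prime, so the prime factors of
# p - 1 are exactly {2, q, q'} and are known to whoever generated p.
PARTY_A = {"p": 443, "factors": (2, 13, 17)}   # 443 = 2*13*17 + 1
PARTY_B = {"p": 647, "factors": (2, 17, 19)}   # 647 = 2*17*19 + 1


def is_generator(g, p, factors):
    """True if g generates Z_p^*: g^((p-1)/r) != 1 for every prime r | p-1."""
    if not 1 < g < p:
        return False
    return all(pow(g, (p - 1) // r, p) != 1 for r in factors)


def is_common_generator(g, a=PARTY_A, b=PARTY_B):
    """True if g generates the multiplicative group of both moduli."""
    return (is_generator(g, a["p"], a["factors"])
            and is_generator(g, b["p"], b["factors"]))


def find_common_generator(a=PARTY_A, b=PARTY_B):
    """Try candidates in turn until one generates both groups."""
    for g in range(2, min(a["p"], b["p"])):
        if is_common_generator(g, a, b):
            return g
    raise ValueError("no common generator below the smaller modulus")


def common_generator_fraction(a=PARTY_A, b=PARTY_B):
    """Share of candidates below the smaller modulus that generate both groups."""
    candidates = range(2, min(a["p"], b["p"]))
    hits = sum(is_common_generator(g, a, b) for g in candidates)
    return hits / len(candidates)


if __name__ == "__main__":
    print("common generator:", find_common_generator())
    print("fraction of usable candidates: %.3f" % common_generator_fraction())
```

With primes this small the measured fraction falls somewhat below 1/4, because the factors (1 − 1/q) and (1 − 1/q') are not yet close to 1.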
We assume that user A wants to share the secret session key with user B. Then:

1) A does the following:
- Select ∈ [1, − 1]
- Compute = and =
- Send ( , ) to B

2) B does the following:
- Select ∈ [1, − 1]
- Compute =
- Select ∈ [1, − 1]
- Compute = =
- Compute the shared secret key = ( || )
- Compute = and = || || || || ) and
- Compute = ( || =( − )
- Send ( , , , , ) to A

3) A does the following:
- Compute =
- Compute = =
- Compute the shared secret key = ( || )
- Verify ( , ) || || || || )
- Compute = ( ||
- Compute = ( − )
- Send ( , ) to B

4) B does the following:
- Verify ( , )

A scenario for DH-MM-KEP is depicted in Figure .

Fig. DH-MM-KE protocol (message flow between User A and User B)

3.2.2 Security of the DH-MM-KE protocol

Property: DH-MM-KE has perfect forward secrecy.

Proof: The session key for the direction A to B is computed by A as
= ( || ) = ( || ) (1)
while it is computed by B as
= ( || ) = ( || ) (2)
Therefore, when the long-term private keys ( , ) and ( , ) of A and B are leaked, an attacker cannot compute previously established session keys and using equations (1) and (2). This is because the values and also depend on the secret values and . Therefore, this protocol has perfect forward secrecy.

Property: DH-MM-KE has key independency.

Proof: In DH-MM-KE, A and B compute = ( || ) and = ( | which depend on the private keys ( , ) and the random numbers ( , ). It means that the session key is independently computed.

Property: DH-MM-KE is secure against session state reveal (SSR) attacks.

Proof: If an attacker acquires the random numbers used by user A and user B, the attacker cannot compute the session keys and . In DH-MM-KE, and are computed as follows:
= ( || ) and = ( || ) where and are random values selected by users A and B. If the attacker gets and , he cannot compute and because the attacker cannot compute ( ) and . Thus, DH-MM-KE is secure against session state reveal attacks.

Property: DH-MM-KE is secure against key-compromise impersonation attacks.

Proof: This protocol uses mutual authentication between the two entities A and B. Thus, authentication fails if the attacker is active and does not simultaneously know and ( , ) or and ( , ). Therefore, the only avenue open to the attacker is to try to compute the session key directly, assuming that he knows the long-term private key of A ( , ) and the session’s ephemeral key of B ( ), because the session key is = ( || ) and the attacker can compute . However, the attacker cannot compute . Thus, DH-MM-KE is secure against key-compromise impersonation attacks.

Property: DH-MM-KE is secure against unknown key-share attacks.

Proof: Key confirmation can prevent unknown key-share attacks. User B confirms the receipt of the shared secret key with user A by signing this key along with ( , , , , ). Because this shared secret key is a one-way hash function of random values ( , ) that was computed by user A, user A is convinced that the message is not a replay and knows that it is indeed from user B. B could also do something similar with as A.

Property: DH-MM-KE is secure based on two hard problems.

Proof: In DH-MM-KE, A and B compute = ( || ) and = ( || ) which depend on the values ( , or ). Therefore, it is possible to compute (or ), but it is necessary to compute the values of and (or ). To compute , IFP should be solved and the value of (or ) is DLP. Therefore, DH-MM-KE is secure based on two hard problems.

EXPERIMENT

The time consumption of the proposed protocol depends strongly on the length of the chosen . Therefore, we run the proposed protocol with several lengths of . The PC that we
use to test runs jdk1.8 and has two Intel CPU cores with a processing speed of 1.6 GHz and 8 GB of primary memory, operating with Windows 10.

Table: Experiment result

Length of (bit)    Time performance (ms)
256
512                20
1024               114

CONCLUSION

We have proposed an authenticated key exchange protocol based on two hard problems. Therefore, it has a higher level of security than existing protocols. The security of this protocol has been verified, and the existence of all the necessary properties required for a general security protocol has been proven. This protocol can also be applied in practice.

REFERENCES

[1] Diffie W, Hellman M (1976), “New Directions in Cryptography”. IEEE Transactions on Information Theory; 22: 644-654.
[2] Arazi B (1993), “Integrating a key distribution procedure into the digital signature standard”. Electronics Letters; 29: 966-967.
[3] Brown D, Menezes A (2001), “A Small Subgroup Attack on Arazi's Key Agreement Protocol”. Bulletin of the ICA; 37: 45-50.
[4] Harn L, Mehta M, Hsin WJ (2004), “Integrating Diffie-Hellman key exchange into the digital signature algorithm (DSA)”. IEEE Communications Letters; 8: 198-200.
[5] Jeong IR, Kwon JO, Lee DH (2007), “Strong Diffie-Hellman DSA Key Exchange”. IEEE Communications Letters; 11: 432-433.
[6] Liu J, Li J (2010), “A Better Improvement on the Integrated Diffie-Hellman - DSA Key Agreement Protocol”. IEEE Communications Letters; 11: 114-117.
[7] Minh NH, Binh DV, Giang NT, Moldovyan NA (2012), “Blind signature protocol based on difficulty of simultaneous solving two difficult problems”. Applied Mathematical Sciences; 6: 6903-6910.
[8] Nyberg K, Rueppel R (1994), “Weaknesses in some recent key agreement protocols”. Electronics Letters; 30: 26-27.
[9] Phan RCW (2005), “Fixing the integrated Diffie-Hellman DSA key exchange protocol”. IEEE Communications Letters; 9: 570-572.
[10] Sow D, Camara MG, Sow D (2014),
“Attack on “Strong Diffie-Hellman-DSA KE” and Improvement”. Journal of Mathematics Research; 6: 70-75.
[11] Viet HV, Minh NH, Truyen BT, Nga NT (2013), “Improving on the integrated Diffie-Hellman-DSA key agreement protocol”. In: 2013 Third World Congress on Information and Communication Technologies (WICT 2013); 15-18 December 2013; Hanoi, Vietnam: pp 106-110.

SUMMARY

DEVELOPING AN AUTHENTICATED KEY EXCHANGE PROTOCOL BASED ON TWO HARD PROBLEMS

Arazi proposed integrating digital signatures with a key exchange protocol. Other authors proposed protocols to improve security and achieve the security properties required of an authenticated key exchange protocol. However, these protocols have many weaknesses and most are based on a hard problem. In this paper, we propose a secure key exchange protocol based on two hard problems and prove the security of the protocol.

Keywords: Authentication, Hard problem, Key exchange.

Received on the 28th, 2017. Revised on the 28th, 2017. Accepted for publication on the 18th, 2017.

Address: Military Information Technology Institute, Hanoi, Vietnam; * Email: binhdv@gmail.com

Date posted: 30/01/2020, 13:03
