基于RSA的网关口令认证密钥交换协议的分析与改进

doi:10.3969/j.issn.0372-2112.2015.01.028

电子学报 ›› 2015, Vol. 43 ›› Issue (1): 176-184.DOI: 10.3969/j.issn.0372-2112.2015.01.028

基于RSA的网关口令认证密钥交换协议的分析与改进

汪定¹, 王平^1,2, 雷鸣²

1. 北京大学信息科学技术学院, 北京 100871;
2. 北京大学软件与微电子学院, 北京 102600

收稿日期:2013-07-08 修回日期:2014-03-21 出版日期:2015-01-25
- 作者简介:
- 汪定男.1985年12月生, 湖北十堰人.北京大学信息科学技术学院博士研究生.研究方向为公钥密码学与信息安全.E-mail:wangdingg@pku.edu.cn;王平男.1961年5月生, 北京人.北京大学软件工程国家工程研究中心教授, 博士生导师.研究方向为信息安全、系统软件和物联网.E-mail:pwang@pku.edu.cn
- 基金资助:
- 国家自然科学基金 (No.61472016)

Cryptanalysis and Improvement of Gateway-Oriented Password Authenticated Key Exchange Protocol Based on RSA

WANG Ding¹, WANG Ping^1,2, LEI Ming²

1. School of Electronics Engineering and Computer Science, Peking University, Beijing 100871, China;
2. School of Software and Microelectronics, Peking University, Beijing 102600, China

Received:2013-07-08 Revised:2014-03-21 Online:2015-01-25 Published:2015-01-25
- Supported by:
- National Natural Science Foundation of China (No.61472016)

摘要/Abstract

摘要：

设计安全高效的基于RSA的口令认证密钥交换协议是密码学领域的公开难题.2011年Wei等学者首次提出了一个基于RSA的可证明安全的网关口令认证密钥交换协议,并声称在随机预言模型下基于大整数的素因子分解困难性证明了协议的安全性.利用该协议中服务器端提供的预言机服务,提出一种分离攻击,攻击者只需发起几十次假冒会话便可恢复出用户的口令.攻击结果表明,该协议无法实现所声称的口令保护这一基本安全目标,突出显示了分离攻击是针对基于RSA的口令认证密钥交换协议的一种严重安全威胁.进一步指出了协议形式化安全证明中的失误,给出一个改进方案.分析结果表明,改进方案在提高安全性的同时保持了较高效率,更适于移动通信环境.

关键词: 网关口令认证, RSA, 随机预言机模型, 分离攻击

Abstract:

It remains an open problem to design a secure and efficient RSA-based password-authenticated key exchange(PAKE)protocol in the areas of cryptography.In 2011,Wei proposed the first provably secure gateway-oriented PAKE protocol using RSA,and claimed that the protocol is provably secure in the random oracle model based on the intractability of the integer factorization problem.However,in this short paper,we point out that an adversary can launch the separation attack on their protocol by exploiting the oracle service unwittingly provided by the server,and a user's password can thus be guessed just after tens of malicious sessions.Our cryptanalysis result invalidates Wei's claim that their protocol can achieve the security goal of password protection,and highlights the damaging threat that separation attack poses to RSA-based PAKE protocols.Furthermore,we uncover the flaws in their formal security proof and put forward an enhancement to overcome the identified defect.The analysis results show that the improved protocol eliminates the vulnerability of Wei's protocol while keeping the merit of high performance,suitable for mobile application scenarios.

Key words: gateway-oriented password authentication, RSA, random oracle model, separation attack

中图分类号:

TP309

汪定, 王平, 雷鸣. 基于RSA的网关口令认证密钥交换协议的分析与改进[J]. 电子学报, 2015, 43(1): 176-184.

WANG Ding, WANG Ping, LEI Ming . Cryptanalysis and Improvement of Gateway-Oriented Password Authenticated Key Exchange Protocol Based on RSA[J]. Acta Electronica Sinica, 2015, 43(1): 176-184.

参考文献

[1] Katz J,Ostrovsky R,Moti Y.Efficient and secure authenticated key exchange using weak passwords[J].Journal of the ACM,2009,57(1):1-39.
[2] Halevi S,Krawczyk H.Public-key cryptography and password protocols[J].ACM Transactions on Information and System Security,1999,2(3):230-268.
[3] Bellovin S M,Merritt M.Encrypted key exchange:password based protocols secure against dictionary attacks[A].Proceedings of IEEE S&P 1992[C].Washington DC,USA:IEEE,1992.72-84.
[4] Patel S.Number theoretic attacks on secure password schemes[A].Proceedings of IEEE S&P 1997[C].Washington DC,USA:IEEE,1997.236-247.
[5] Youn T Y,Park Y H,Kim C,Lim J.Weakness in a RSA-based password authenticated key exchange protocol[J].Information Processing Letters,2008,108(6):339-342.
[6] Zhang Mu-Xiang.New approaches to password authenticated key exchange based on RSA[A].Proceedings of Asiacrypt 2004[C].Berlin:Springer-Verlag,LNCS,Vol 3329,2004.230-244.
[7] Park S,Nam J,Kim S,Won D.Efficient password authenticated key exchange based on RSA[A].Proceedings of CT-RSA 2007[C].Berlin:Springer-Verlag,LNCS,Vol 4377,2007.309-323.
[8] 魏福山,马传贵,程庆丰.基于RSA的网关口令认证密钥交换协议[J].计算机学报,2011,34(1):38-46. Wei Fu-Shan,Ma Chuan-Gui,Cheng Qing-Feng.Gateway oriented password authenticated key exchange based on RSA[J].Chinese Journal of Computers,2011,34(1):38-46.(in Chinese)
[9] Wei Fu-Shan,Ma Chuan-Gui,Cheng Qing-Feng.Anonymous gateway-oriented password-based authenti-cated key exchange based on RSA[J].EURASIP Journal on Wireless Communications and Networking,2011,2011:162-173.
[10] Bellare M,Pointcheval D,Rogaway P.Authenticated key exchange secure against dictionary attacks[A].Proceedings of Eurocrypt 2000[C].Berlin:Springer-Verlag,LNCS,Vol 1807,2000.139-155.
[11] Abdalla M,Chevass O,Fouque P,Pointcheval D.A simple threshold authenticated key exchange from short secrets[A].Proceedings of Asiacrypt 2005[C].Berlin:Springer-Verlag,LNCS,Vol 3788,2005.566-584.
[12] Abdalla M,Fouque P,Pointcheval D.Password-based authenticated key exchange in the three-party setting[A].Proceedings of PKC 2005[C].Berlin:Springer-Verlag,LNCS,Vol 3386,2005.65-84.
[13] Wang Gui-Lin,Yu Jiang-Shan,Xie Qi.Security analysis of a single sign-on mechanism for distributed computer networks[J].IEEE Transactions on Industrial Informatics,2013,9(1):294-302.
[14] Dolev D,Yao A C.On the security of public key protocols[J].IEEE Transactions on Information Theory,1983,29(12):198-208.
[15] Florencio D,Herley C.A large-scale study of web password habits[A].Proceedings of WWW 2007[C].Passau:ACM Press,2007.657-666.
[16] Bonneau J.The science of guessing:analyzing an anonymized corpus of 70 million passwords[A].Proceedings of IEEE S&P 2012[C].Washington DC,USA:IEEE,2012.538-552.

基于RSA的网关口令认证密钥交换协议的分析与改进

Cryptanalysis and Improvement of Gateway-Oriented Password Authenticated Key Exchange Protocol Based on RSA

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	陈智雄, 刘华宁, 杨阳. 基于RSA模数的一类新型广义割圆序列的迹表示[J]. 电子学报, 2019, 47(7): 1512-1517.
[2]	巩林明, 李顺东, 窦家维, 王道顺. 标准模型下抗CPA与抗CCA2的RSA型加密方案[J]. 电子学报, 2018, 46(8): 1938-1946.
[3]	傅启明, 刘全, 尤树华, 黄蔚, 章晓芳. 一种新的基于值函数迁移的快速Sarsa算法[J]. 电子学报, 2014, 42(11): 2157-2161.
[4]	刘全, 李瑾, 傅启明, 崔志明, 伏玉琛. 一种最大集合期望损失的多目标Sarsa(λ)算法[J]. 电子学报, 2013, 41(8): 1469-1473.
[5]	司光东;杨加喜;谭示崇;肖国镇. RSA算法中的代数结构[J]. 电子学报, 2011, 39(1): 242-246.
[6]	康立;唐小虎;范佳. 基于认证的高效公钥加密算法[J]. 电子学报, 2008, 36(10): 2055-2059.
[7]	刘强;佟冬;程旭;. 部分并行的蒙哥马利模乘法器实现研究[J]. 电子学报, 2006, 34(8): 1537-1541.
[8]	刘强;佟冬;程旭;. 一款RSA模乘幂运算器的设计与实现[J]. 电子学报, 2005, 33(5): 923-927.
[9]	张鸿宾;杨成. 图像的自嵌入及窜改的检测和恢复算法[J]. 电子学报, 2004, 32(2): 196-199.
[10]	袁晓宇;张其善. 基于智能卡的RSA数字签名实现关键问题解析[J]. 电子学报, 2004, 32(11): 1897-1900.
[11]	许春香;肖国镇. 门限多重秘密共享方案[J]. 电子学报, 2004, 32(10): 1688-1689.
[12]	马争;郝云飞. 蓝牙服务搜索的设计与实现[J]. 电子学报, 2003, 31(11): 1758-1760.
[13]	何明星;范平志;袁丁;. 一个可验证的门限多秘密分享方案[J]. 电子学报, 2002, 30(4): 540-543.
[14]	董庆宽;傅晓彤;肖国镇. 对大整数n=pq分解的一个有效的搜索算法[J]. 电子学报, 2001, 29(10): 1436-1438.
[15]	宋荣功;杨义先;胡正名. 软件密钥托管加密系统研究[J]. 电子学报, 2000, 28(8): 132-134.