电子学报 ›› 2015, Vol. 43 ›› Issue (1): 176-184.DOI: 10.3969/j.issn.0372-2112.2015.01.028

• 科研通信 • 上一篇    下一篇

基于RSA的网关口令认证密钥交换协议的分析与改进

汪定1, 王平1,2, 雷鸣2   

  1. 1. 北京大学信息科学技术学院, 北京 100871;
    2. 北京大学软件与微电子学院, 北京 102600
  • 收稿日期:2013-07-08 修回日期:2014-03-21 出版日期:2015-01-25
    • 作者简介:
    • 汪定 男.1985年12月生, 湖北十堰人.北京大学信息科学技术学院博士研究生.研究方向为公钥密码学与信息安全.E-mail:wangdingg@pku.edu.cn;王平 男.1961年5月生, 北京人.北京大学软件工程国家工程研究中心教授, 博士生导师.研究方向为信息安全、系统软件和物联网.E-mail:pwang@pku.edu.cn
    • 基金资助:
    • 国家自然科学基金 (No.61472016)

Cryptanalysis and Improvement of Gateway-Oriented Password Authenticated Key Exchange Protocol Based on RSA

WANG Ding1, WANG Ping1,2, LEI Ming2   

  1. 1. School of Electronics Engineering and Computer Science, Peking University, Beijing 100871, China;
    2. School of Software and Microelectronics, Peking University, Beijing 102600, China
  • Received:2013-07-08 Revised:2014-03-21 Online:2015-01-25 Published:2015-01-25
    • Supported by:
    • National Natural Science Foundation of China (No.61472016)

摘要:

设计安全高效的基于RSA的口令认证密钥交换协议是密码学领域的公开难题.2011年Wei等学者首次提出了一个基于RSA的可证明安全的网关口令认证密钥交换协议,并声称在随机预言模型下基于大整数的素因子分解困难性证明了协议的安全性.利用该协议中服务器端提供的预言机服务,提出一种分离攻击,攻击者只需发起几十次假冒会话便可恢复出用户的口令.攻击结果表明,该协议无法实现所声称的口令保护这一基本安全目标,突出显示了分离攻击是针对基于RSA的口令认证密钥交换协议的一种严重安全威胁.进一步指出了协议形式化安全证明中的失误,给出一个改进方案.分析结果表明,改进方案在提高安全性的同时保持了较高效率,更适于移动通信环境.

关键词: 网关口令认证, RSA, 随机预言机模型, 分离攻击

Abstract:

It remains an open problem to design a secure and efficient RSA-based password-authenticated key exchange(PAKE)protocol in the areas of cryptography.In 2011,Wei proposed the first provably secure gateway-oriented PAKE protocol using RSA,and claimed that the protocol is provably secure in the random oracle model based on the intractability of the integer factorization problem.However,in this short paper,we point out that an adversary can launch the separation attack on their protocol by exploiting the oracle service unwittingly provided by the server,and a user's password can thus be guessed just after tens of malicious sessions.Our cryptanalysis result invalidates Wei's claim that their protocol can achieve the security goal of password protection,and highlights the damaging threat that separation attack poses to RSA-based PAKE protocols.Furthermore,we uncover the flaws in their formal security proof and put forward an enhancement to overcome the identified defect.The analysis results show that the improved protocol eliminates the vulnerability of Wei's protocol while keeping the merit of high performance,suitable for mobile application scenarios.

Key words: gateway-oriented password authentication, RSA, random oracle model, separation attack

中图分类号: