Abstract
Roscoe recently showed how HISPs, a class of protocol to allow humans to contribute to the creation of secure authentic channels between them, can be made auditable in the sense that a failed attack on them cannot be disguised as communication failure. In this paper we study the same issue for PAKEs: password authenticated key exchange protocols. We find that because this second style of protocol relies on long term state, it is harder to make them auditable, and that to do so we have to develop new ideas on how to approximate fair exchange without a TTP.
Notes
1. There is no need for B to check that the correct value was delayed in Message 3 if he gets the correct Message 5 here. This would not have been the case if the third and fourth messages of the original protocol were \(H(H(K_A))\) and \(H(K_B)\), namely nested hashing, because the former can be computed from the latter in the case where \(K_A=K_B\) without knowledge of \(K_B\). Since opening delays is potentially expensive, this explains why we used the form of confirmation messages we did.
2. In the case where the delay construction is deterministic, it will be necessary to salt these bits with a random nonce.
3. Optimistic fair exchange protocols, e.g. [1], where TTPs are used only in the case of disagreement, counter some of these.
References
Asokan, N., Shoup, V., Waidner, M.: Optimistic fair exchange of digital signatures. IEEE J. Sel. Areas Commun. 18(4), 593–610 (2000). https://doi.org/10.1109/49.839935
Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: IEEE Symposium on Research in Security and Privacy, pp. 72–84 (1992)
Boyko, V., MacKenzie, P., Patel, S.: Provably secure password-authenticated key exchange using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_12. http://dl.acm.org/citation.cfm?id=1756169.1756186
Chen, L.: NIST Special Publication 800-56C: Recommendation for key derivation through extraction-then-expansion (2011)
Hao, F., Ryan, P.Y.A.: Password authenticated key exchange by juggling. In: Christianson, B., Malcolm, J.A., Matyas, V., Roe, M. (eds.) Security Protocols 2008. LNCS, vol. 6615, pp. 159–171. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22137-8_23. http://dl.acm.org/citation.cfm?id=2022815.2022838
Jablon, D.P.: Strong password-only authenticated key exchange. SIGCOMM Comput. Commun. Rev. 26(5), 5–26 (1996). https://doi.org/10.1145/242896.242897
Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_34. http://dl.acm.org/citation.cfm?id=1881412.1881456
Lancrenon, J., Skrobot, M., Tang, Q.: Two more efficient variants of the J-PAKE protocol. Cryptology ePrint Archive, Report 2016/379 (2016). http://eprint.iacr.org/2016/379
Nguyen, L., Roscoe, A.: Authentication protocols based on low-bandwidth unspoofable channels: a comparative survey. J. Comput. Secur. 19, 139–201 (2011)
Pagnia, H., Gärtner, F.C.: On the impossibility of fair exchange without a trusted third party. Technical report, Citeseer (1999)
Roscoe, A.: Detecting failed attacks on human-interactive security protocols (2016)
Wikström, D.: A sender verifiable mix-net and a new proof of a shuffle. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 273–292. Springer, Heidelberg (2005). https://doi.org/10.1007/11593447_15
Appendices
Appendix A: a brief survey of PAKEs
Here we briefly describe a number of representative PAKE protocols. This is purely for illustrative purposes; the techniques we describe below should work for all PAKEs. For simplicity we omit various checks that need to be performed. A comprehensive survey of PAKEs can be found in Chap. 40 of the Computer and Information Security Handbook, 2nd edn., J. Vacca (ed.), Elsevier (2013).
Such protocols come in two phases: key establishment and key confirmation. The first establishes a key based on the shared password, and the second allows each party to confirm that the other knows the password, implying that the key establishment phase was run with the intended party. These phases can generally be chosen independently of each other.
PAKE key establishment
EKE (Encrypted Key Exchange)
The original EKE, [2], is essentially Diffie-Hellman with the DH terms encrypted with a symmetric key \(s^*\) derived from the shared password s using a public, deterministic function f, \(s^*=f(s)\):
The session key is formed as \(K=g^{xy}\).
The original EKE has undergone several fixes to counter flaws, notably the fact that an attacker can eliminate a large number of putative passwords by decrypting the exchanged terms with a guessed password and observing if the resulting plaintext lies in the subgroup.
SPEKE (Simple Password Exponential Key Establishment)
SPEKE, [6], is essentially a D-H protocol but with the difference that the generator is not fixed and public but rather is computed as an agreed function of the shared secret s, for example:
The squaring guarantees that g lies in the appropriate subgroup, assuming a safe prime p where \(p=2q-1\) with q also prime. The protocol is thus essentially a D-H protocol using the shared secret generator.
PKK
A rather elegant protocol is PKK, due to Boyko et al. [3]; in simplified form, for illustration:
Here h denotes a suitable mapping from the password space to the DH group.
A computes: \(K_A:= (Y/h(s_A))^x\)
B computes: \(K_B:= (X/h(s_B))^y\)
J-PAKE
J-PAKE, [5], uses a quite different approach: the so-called juggling of D-H terms. The original J-PAKE involved both parties generating and transmitting two D-H terms. For simplicity of presentation we describe here a lightweight version, [8], that requires just one D-H term from each party but involves a so-called Common Reference String (CRS) construction.
J-PAKE-CRS
Here we assume that there is an agreed element h of the group G with unknown log w.r.t. g (in effect a so-called Common Reference String, CRS).
Round two:
A computes: \(K_A:= (Y/g^{y.x.s})^x\)
B computes: \(K_B:= (X/g^{x.y.s})^y\)
Thus, if \(s_A=s_B (=s)\) then \(K_A=K_B=h^{x.y.s}\).
ZKP(x, y) denotes a Zero-Knowledge Proof of knowledge of the discrete log of x w.r.t. the base y.
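The SPEKE and PKK key-establishment phases described above, worked through as an added example in Python (this is not code from the paper or from any of the cited protocol designs). The page gives the key formulas but not the messages, so the following are assumptions: for PKK, A sends X = g^x · h(s_A) and B sends Y = g^y · h(s_B), which is the pairing under which K_A = (Y/h(s_A))^x and K_B = (X/h(s_B))^y coincide when the passwords coincide; the password-to-group mapping hashes and then squares (the construction the appendix describes for SPEKE); the group is a 63-bit safe-prime toy generated deterministically at import, far below deployable sizes; and the names `is_prime`, `find_safe_prime`, `hash_to_subgroup`, `speke`, `pkk` and `in_subgroup` are mine. The optional `x`/`y` arguments let a test fix the ephemeral exponents.

```python
"""Toy SPEKE and PKK key establishment over a deterministically generated safe-prime group.

Added example; not code from the paper. Assumed (not on the page): PKK messages
X = g^x * h(s_A) and Y = g^y * h(s_B); hash-then-square password mapping; 63-bit toy group.
"""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 prime bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> int:
    """Smallest p = 2q + 1 with q >= start and both q and p prime (fixed start: reproducible)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = find_safe_prime(1 << 62)   # toy safe prime; real deployments use >= 2048-bit groups
Q = (P - 1) // 2               # order of the quadratic-residue subgroup
G = 4                          # 2^2: a quadratic residue != 1, hence a generator of that subgroup


def hash_to_subgroup(label: bytes, password: bytes) -> int:
    """Map a password into the order-q subgroup: hash into Z_p, then square.

    Squaring lands in the quadratic residues (order q); 0 and 1 are rejected by
    rehashing with a counter so the element is non-trivial.
    """
    counter = 0
    while True:
        digest = hashlib.sha256(label + password + counter.to_bytes(4, "big")).digest()
        candidate = pow(int.from_bytes(digest, "big") % P, 2, P)
        if candidate not in (0, 1):
            return candidate
        counter += 1


def random_exponent() -> int:
    """Fresh ephemeral exponent in [1, q-1]."""
    return 1 + secrets.randbelow(Q - 1)


def speke(password_a: bytes, password_b: bytes, x=None, y=None):
    """SPEKE: Diffie-Hellman whose generator is derived from the password.

    Returns (K_A, K_B); they agree exactly when the two passwords agree.
    """
    x = x or random_exponent()
    y = y or random_exponent()
    g_a = hash_to_subgroup(b"SPEKE", password_a)   # A's generator, f(s_A)
    g_b = hash_to_subgroup(b"SPEKE", password_b)   # B's generator, f(s_B)
    X = pow(g_a, x, P)                              # A -> B
    Y = pow(g_b, y, P)                              # B -> A
    return pow(Y, x, P), pow(X, y, P)               # K_A, K_B


def pkk(password_a: bytes, password_b: bytes, x=None, y=None):
    """PKK: DH terms blinded by h(s); each side unblinds with its own h(s) before exponentiating."""
    x = x or random_exponent()
    y = y or random_exponent()
    h_a = hash_to_subgroup(b"PKK", password_a)
    h_b = hash_to_subgroup(b"PKK", password_b)
    X = pow(G, x, P) * h_a % P                      # A -> B  (assumed message format)
    Y = pow(G, y, P) * h_b % P                      # B -> A  (assumed message format)
    K_A = pow(Y * pow(h_a, -1, P) % P, x, P)        # (Y / h(s_A))^x
    K_B = pow(X * pow(h_b, -1, P) % P, y, P)        # (X / h(s_B))^y
    return K_A, K_B


def in_subgroup(k: int) -> bool:
    """One of the checks the appendix omits: accept only non-trivial elements of the order-q subgroup."""
    return 1 < k < P and pow(k, Q, P) == 1
```

With matching passwords both protocols return the same key on each side; with differing passwords the two sides hold unrelated group elements and the confirmation phase of Appendix B will fail, which is the property the key-establishment phase is meant to supply. `in_subgroup` is the kind of received-value check that a deployed implementation performs on X and Y before exponentiating with its secret.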
Appendix B: Key Derivation and Confirmation
Having established a DH shared secret we typically need to derive a suitable session key for a symmetric algorithm. Various approaches have been proposed and we will not go into the details here, but we refer the interested reader to, for example, the NIST recommendations [4] and Krawczyk [7]. A typical approach is to derive the key from the DH value using a suitable hash function that yields a close to flat distribution over the key space and to include parameters associated with the session:
Where K is the DH value. Now the parties have to compare their keys, which they might do by, for example, exchanging hashes of the form:
An alternative approach is to segment the derived key into three parts:
Where || denotes concatenation. A and B now exchange the appropriate segments as follows:
A and B now check that the received values agree with those they computed internally. Assuming that they do indeed find agreement they can proceed to use sk as the session key. This may require the calculation of a much larger key than normal, possibly requiring key expansion, see [7].
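The derivation-and-segmentation scheme just described, as an added example in Python (not the paper's code). It derives key material from the DH value K together with the session parameters using an HKDF in the extract-then-expand style of [4] and [7], built here from HMAC-SHA256, splits the output into three segments sk || k_A || k_B, exchanges k_A and k_B, and releases sk to each party only after the peer's segment verifies with a constant-time comparison. The function names (`hkdf`, `derive_segments`, `confirm`, `run_confirmation`), the 32-byte segment length and the session-parameter string are my choices; the session parameters are constructed sample data.

```python
"""Key derivation and key confirmation after a PAKE key-establishment phase.

Added example (not the paper's code): HKDF (RFC 5869, HMAC-SHA256) derives
sk || k_A || k_B from the DH value and the session parameters; each party
releases sk only once the other party's segment checks out.
"""
import hashlib
import hmac

HASH = hashlib.sha256
SEG = 32  # bytes per segment; three segments -> 96 bytes of HKDF output


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF: extract a PRK from the input keying material, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, HASH).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def derive_segments(K: int, session_params: bytes) -> dict:
    """sk || k_A || k_B := HKDF(K, session parameters): three independent segments."""
    ikm = K.to_bytes((K.bit_length() + 7) // 8 or 1, "big")
    material = hkdf(ikm, salt=session_params, info=b"PAKE key confirmation", length=3 * SEG)
    return {"sk": material[:SEG], "k_A": material[SEG:2 * SEG], "k_B": material[2 * SEG:]}


def confirm(own: dict, own_role: str, received: bytes):
    """Compare the peer's segment with our own derivation of it; return sk on success, else None."""
    expected = own["k_B"] if own_role == "A" else own["k_A"]
    if hmac.compare_digest(expected, received):   # constant-time comparison
        return own["sk"]
    return None


def run_confirmation(K_A: int, K_B: int, session_params: bytes):
    """Both parties derive, exchange k_A / k_B, and check. Returns (sk_A, sk_B), None on failure."""
    seg_A = derive_segments(K_A, session_params)
    seg_B = derive_segments(K_B, session_params)
    msg_A_to_B = seg_A["k_A"]          # A sends her segment
    msg_B_to_A = seg_B["k_B"]          # B sends his segment
    sk_A = confirm(seg_A, "A", msg_B_to_A)
    sk_B = confirm(seg_B, "B", msg_A_to_B)
    return sk_A, sk_B


if __name__ == "__main__":
    params = b"Alice|Bob|session-nonce-0001"   # constructed sample session parameters
    print(run_confirmation(123456789, 123456789, params)[0].hex())
    print(run_confirmation(123456789, 123456790, params))
```

Because the three segments are independent pseudorandom outputs of the expand step, the segment a party reveals says nothing about the other segment or about sk; this is the property footnote 1 warns is lost with nested hashing, where one confirmation value can be computed from the other. The session parameters should carry the identities and fresh nonces of the run so that the derived material, and therefore the confirmation messages, are bound to this session.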
© 2017 Springer International Publishing AG
Roscoe, A.W., Ryan, P.Y.A. (2017). Auditable PAKEs: Approaching Fair Exchange Without a TTP. In: Stajano, F., Anderson, J., Christianson, B., Matyáš, V. (eds) Security Protocols XXV. Security Protocols 2017. Lecture Notes in Computer Science(), vol 10476. Springer, Cham. https://doi.org/10.1007/978-3-319-71075-4_31
DOI: https://doi.org/10.1007/978-3-319-71075-4_31
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-71074-7
Online ISBN: 978-3-319-71075-4