Journal of the Korea Society of Computer and Information (한국컴퓨터정보학회논문지)

Korean Society of Computer Information (한국컴퓨터정보학회)
권호 표지
DOI QR코드

DOI QR Code

Secure Password Authenticated Key Exchange Protocol for Imbalanced Wireless Networks

비대칭 무선랜 환경을 위한 안전한 패스워드 인증 키 교환 프로토콜

  • 양형규 (강남대학교 컴퓨터미디어정보공학부)
  • Received : 2010.10.25
  • Accepted : 2010.11.24
  • Published : 2011.02.28
Download PDF
⟨ Previous Next ⟩

Abstract

User authentication and key exchange protocols are the most important cryptographic applications. For user authentication, most protocols are based on the users' secret passwords. However, protocols based on the users' secret passwords are vulnerable to the password guessing attack. In 1992, Bellovin and Merritt proposed an EKE(Encrypted Key Exchange) protocol for user authentication and key exchage that is secure against password guessing attack. After that, many enhanced and secure EKE protocols are proposed so far. In 2006, Lo pointed out that Yeh et al.'s password-based authenticated key exchange protocol has a security weakness and proposed an improved protocol. However, Cao and Lin showed that his protocol is also vulnerable to off-line password guessing attack. In this paper, we show his protocol is vulnerable to on-line password guessing attack using new attack method, and propose an improvement of password authenticated key exchange protocol for imbalanced wireless networks secure against password guessing attack.

사용자 인증과 비밀키 교환은 암호학의 매우 중요한 응용 분야 가운데 하나로서, 사용자 인증의 경우 일반적으로 패스워드를 이용하고 있지만, 패스워드를 이용한 사용자 인증은 패스워드 추측 공격에 취약한 문제가 있다. 1992년 Bellovin과 Merritt은 패스워드 추측 공격에 안전하면서 비밀키 교환까지 할 수 있는 EKE(Encrypted Key Exchange) 프로토콜을 제안한 바 있으며, 이후 효율성과 안전성을 개선한 많은 논문이 제안되고 있다. 이 가운데 Lo는 Yeh 등이 제안한 패스워드 기반 인증키 교환 프로토콜의 취약점을 지적함과 동시에 개선된 프로토콜을 2006년에 제안하였다. 하지만, Lo의 프로토콜 역시 오프라인 패스워드 추측 공격에 취약함이 Cao와 Lin에 의해 지적되었다. 본 논문에서는 새로운 공격 방법으로 Lo의 프로토콜이 온라인 패스워드 추측공격에도 취약함을 보이고, 온라인 패스워드 추측 공격에도 안전한 개선된 프로토콜을 제안한다. 제안한 프로토콜은 비대칭 무선 네트워크 환경에서 패스워드 기반 인증키 교환 프로토콜로 사용될 수 있다.

Keywords

References

  1. L. Lamport, "Password authentication with insecure communication," Communcations of the ACM, 24(11), pp. 770-772, 1981. https://doi.org/10.1145/358790.358797
  2. D.S. Wong, A.H. Chan, and F. Zhu, "More Efficient Password Authenticated Key Exchange Based on RSA," Indocrypt 2003, LNCS 2904, pp. 375-387, 2003.
  3. Chae, Kang-Suk, and Jung, Sou-Hwan, "SRTP Key Exchange Scheme Using Split Transfer of Divided RSA Public Key," Journal of The Korea Society of Computer and Information, vol. 14, no. 12, pp.147-156, Dec. 2009.
  4. Y. Ding and P. Horster, "Undetectable On-line Password Guessing Attacks," ACM Operating Systems Review, Vol. 29, pp. 77-86, 1995. https://doi.org/10.1145/219282.219298
  5. T. Wu, "The secure remote password protocol," Proc. of the 1998 Internet Society Network and Distributed System Security Symposium, pp. 97-111, 1998.
  6. M. Bellare, D. Pointcheval and P. Rogaway, "Authenticated Key Exchange Secure Against Dictionary Attacks," Eurocrypt 2000, LNCS 1807, pp. 139-155, 2000.
  7. V. Boyko, P. MacKenzie and S. Patel, "Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman," Eurocrypt 2000, LNCS 1807, pp. 156-171, 2000.
  8. E. Bresson, O. Chevassut and D. Pointcheval, "Group Diffie-Hellman Key Exchange Secure Against Dictionary Attacks," Asiacrypt 2002, LNCS 2501, pp. 603-610, 2002.
  9. S.M. Bellobin and M. Merritt, "Excrypted Key Exchange: Password-based Protocols Secure Against Dictionary Attacks," IEEE Computer Society Conference on Research in Security and Privacy, pp. 72-84, 1992.
  10. Kim, Hoi-Bok, Shin, Jung-Hoon, and Kim, Hyoung-Jin, "Journal of the Korea Society of Computer and Information," Journal of The Korea Society of Computer and Information, Vol. 14, No. 6, pp.51-57, June. 2009.
  11. F. Zhu, D.S. Wong, A.H. Chan, and R. Ye, "Password Authenticated Key Exchange Based on RSA for Imbalanced Wireless Networks," Information Security Conference 2002(ISC 2002), LNCS 2433, pp. 150-161, 2002.
  12. H.T. Yeh, H.M. Sun, C.T. Yang, B.C. Chen, and S.M. Tseng, "Improvement of Password Authenticated Key Exchange Based on RSA for Imbalanced Wireless Networks," IEICE Trans. on Communications, Vol. E86-B, No. 11, pp. 3278-3282, Nov. 2003.
  13. C.C. Yang and R.C. Wang, "Cryptanalysis of Improvement of Password Authenticated Key Exchange Based on RSA for Imbalanced Wireless Networks," IEICE Trans. on Communications, Vol. E88-B, No. 11, pp. 4370-4372, Nov. 2005. https://doi.org/10.1093/ietcom/e88-b.11.4370
  14. J.W. Lo, "The Improvement of YSYCT Scheme for Imbalanced Wireless Network," International J. of Network Security, Vol. 3, No. 1, pp. 39-43, Jul. 2006.
  15. T. Cao and D. Lin, "Cryptanalysis of Two Password Authenticated Key Exchange Protocols Based on RSA," IEEE Communications Letters, Vol. 10, No. 8, pp. 623-625, Aug. 2006. https://doi.org/10.1109/LCOMM.2006.1665131
  16. Jeon, Jeong-Hoon, "An advanced key distribution mechanism and security protocol to reduce a load of the key management system," Journal of The Korea Society of Computer and Information, Vol.11, No.6, pp.35-47, Dec. 2006.