DOCSLIB.ORG

Authenticated Key Exchange Protocols, SRP-6A and PAKE2+

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Authenticated Key Exchange Protocols, SRP-6A and PAKE2+ DEGREE PROJECT IN TECHNOLOGY, FIRST CYCLE, 15 CREDITS STOCKHOLM, SWEDEN 2019 A Comparison of the Password- Authenticated Key Exchange Protocols, SRP-6a and PAKE2+ FREDIK SEBEK OLIVER PETRI KTH ROYAL INSTITUTE OF TECHNOLOGY SCHOOL OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE A Comparison of the Password-Authenticated Key Exchange Protocols, SRP-6a and PAKE2+ FREDRIK SEBEK OLIVER PETRI Bachelor in Computer Science Date: June 20, 2019 Supervisor: Arvind Kumar Examiner: Örjan Ekeberg School of Electrical Engineering and Computer Science Swedish title: En komparativ studie av lösenordsbaserad autentisering för nyckeldelning, SRP-6a och PAKE2+ iii Abstract Privacy is a rising concern globally, and more of our personal information is stored online. It is therefore, important to securely authenticate and encrypt all communication between the client and the server. Password authenticated key-exchange (PAKE) protocols are promising schemes for more secure pass- word authentication on the web. This report looks at both the theoretical and practical aspects of the PAKE protocols, SRP-6a and PAKE2+, from a busi- ness perspective. Benchmarks were used to determine the overall performance of both the protocols using latency and memory as metrics. The benchmarked implementations are written in JavaScript. Furthermore, availability of proto- col implementations and theoretical security aspects such as crypto primitives were also analyzed. Our results indicate that SRP6-a is likely the more viable alternative for businesses today. Measured latencies ranged from 368 to 521 ms for PAKE2+ and 114 to 230 ms for SRP-6a, depending on the browser. SRP-6a is not only significantly faster than PAKE2+, but it has greater mar- ket adoption and maturity, which PAKE2+ lacks in comparison. However, PAKE2+ has a stronger theoretical security footprint, which may make it a strong contender in the future. iv Sammanfattning Integritet på internet är en stigande oro och mer av vår personliga information lagras på servrar online. Det är därför viktigt att säkert autentiera och kryptera all kommunikation mellan klienterna och servern. Protokoll för Lösenordsau- tentiserat Nyckelutbyte (PAKE) är lovande för säkrare lösenordsautentisering på webben. Denna rapport tittar på både de teoretiska och praktiska aspek- terna av PAKE-protokollen, SRP-6a och PAKE2+, ur ett företagsperspektiv. Benchmarks användes för att bestämma den övergripande prestandan för båda protokollen med avseende på hasighet och minne. De benchmarkerade imple- mentationerna är skrivna i JavaScript. Dessutom analyserades tillgängligheten av protokollimplementeringarna och deras teoretiska säkerhetsaspekter. Våra resultat tyder på att SRP6-a sannolikt är det mer användbara alternativet för företag idag. Mätvärdena varierade mellan 368 och 521 ms för PAKE2+ och mellan 114 och 230 ms för SRP-6a, beroende på webbläsare. SRP6-a är inte bara betydligt snabbare än PAKE2+ men har också större marknadsupptag- ning och mognad, vilket PAKE2+ saknar i jämförelse. PAKE2+ har dock ett starkare teoretiskt säkerhetsfotavtryck, vilket kan göra det till en stark konkur- rent i framtiden. Contents 1 Introduction 3 1.1 Privacy and Digitalization . .4 1.2 Problem Statement . .5 1.3 Limitations and scope . .5 2 Background 6 2.1 Transport security layer (TLS) . .6 2.1.1 Password over TLS . .6 2.2 Zero Knowledge Proofs . .7 2.3 Password-authenticated key exchange . .8 2.3.1 Diffie–Hellman key exchange . .8 2.3.2 Types of PAKE . .9 2.3.3 Security . .9 2.3.4 PAKE in practice . 10 2.3.5 Implementations . 11 3 Method 16 3.1 Creating benchmarks . 17 3.2 Benchmarking . 17 4 Results 18 4.1 Security analysis . 20 4.1.1 Attributes . 20 4.2 Elliptic Curve . 21 4.3 Key confirmation . 21 4.4 Salt . 22 4.5 Server security . 22 i ii CONTENTS 5 Discussion 23 5.1 "The first contact problem" . 23 5.2 Implementation details . 24 5.3 Performance . 24 5.4 Adoption . 25 6 Conclusion 26 Bibliography 27 A Code 31 Glossary adversaries Plural form of adversary. 4, 7 adversary A malicious entity within in a cryptographic system. 1, 3, 9, 10, 21, 22 brute force attack An attack to gain authentication to a system by consciously trying various combinations of passwords until it succeeds. 4 dictionary attack An attack to gain authentication to a system by generating potential passwords from a large subset of commonly used words. 4, 9, 22 eavesdropper A third party listening in on other parties communication. 9 ECC Elliptic Curve Cryptography. 21 hash function A one way function, which takes a string as input and produces a fixed size string output, which seems random in relation to the original input. 9, 21 IETF Internet Engineering Task Force. 6, 25 JavaScript JavaScript is a programming language, which is widely used by websites and runs primarily in browsers. 5, 11, 14 man-in-the-middle (MITM) An attack where an adversary intercepts, re- lays, or alters the communication between the victim and the victim’s intended host. 6 PAKE Password-authenticated key exchange. A family of cryptographic pro- tocols that allows two parties to exchange a high entropy key using a weaker shared password. 3, 4, 13, 24 1 2 Glossary PAKE2+ A more modern PAKE implementation of the type augmented. 20, 22 password stretching The process of hashing a password recursively, thus mak- ing it more computationally demanding to guess. 21, 22 salt Random n-bit number to be concatenated with a password before hashing. 9, 21, 22 SJCL Stanford JavaScript Crypto Library. "A secure, powerful, fast, small, easy-to-use, cross-browser library for cryptography in Javascript"[1]. 11 SRP Secure Remote Password Protocol. 10, 11 SRP-6a The latest augmented SRP protocol. 11, 20, 22 TLS Transport Layer Security. 4, 9, 11 Chapter 1 Introduction Encryption is the process of encoding information in a way only authorized parties can consume it. Encryption has been in the forefront of protecting hu- man privacy, by keeping confidential and sensitive information safe and secure on the internet [2]. Passwords are currently the go-to approach for handling au- thentication on the internet [2]. However, human chosen passwords are usually weak, frequently re-used, and even sent in clear-text [3]. That being through an encrypted channel or not. Today, websites use encrypted traffic over TLS (HTTPS) for security, but even TLS has its problems. An encrypted channel may be established with an adversary server, allowing the adversary to decrypt the password sent [4]. Even when the password is sent to an honest server, it is decrypted at the server, which allows for password leaks or implementation bugs, such as logging or storing plain text passwords. In 2016, Twitter urged all their users, 330 million, to change their passwords, after logging them in plain text [5]. Using a password-authenticated key exchange (PAKE) protocol on top of a TLS channel can provide a safer way for users to authenticate themselves online. A PAKE protocol allows two parties to establish an encrypted channel without the user having to send their actual password. PAKE protocols date back as far as 1992 [6]. However, due to various reasons such as patents and privacy concerns, growing interest in PAKE can be seen. The latest PAKE protocol is OPAQUE, which was defined in 2018 [4], the Internet Research Task Force published a requirements document for PAKE in 2017 [7] and multiple cryptography professors have recent (2018) blog posts advocating for PAKE [8][9]. 3 4 CHAPTER 1. INTRODUCTION 1.1 Privacy and Digitalization With the increase in the amount of personal data we put online, especially that case of sensitive information, privacy has become a growing worry [10]. Personal information is distributed and disseminated all over the world. This personal data is collected by adversaries through data breaches. "Many com- panies face the risk of a data breach exposing stored personal information of customers and employees. The frequency of such incidents has been increas- ing over time" [11] The internet has not just created the age of information, but also the age of information collection, "the big data age" [12]. Naturally, the strongest protection for privacy is strong encryption from the client to the server. Today, single factor authentication (username and pass- word) are prone to vulnerabilities [2]. Users often chose weak passwords [2], which adversaries are able to steal using sophisticated techniques such as brute force attack and dictionary attacks [13]. Furthermore companies cannot and be trusted to safely manage passwords. Even large companies such as Twitter, Facebook, and Amazon, face data breaches with twitter even logging pass- words in clear-text [5]. The European union article 8 states, "Everyone has the right to the protec- tion of personal data concerning him or her." [14]. With our current system, we do not have control over what happens to our passwords and information at the other end (the server). PAKE protocols can serve as an alternative to the common method of au- thenticating a client and server using passwords. Sending passwords over TLS in plain-text pose some security risks that PAKE protocols can elimi- nate. While password over TLS may be sufficient for some applications, it is unclear why PAKE is not used more in practice considering its theoretical benefits such as not sending passwords and being more resistant to adversaries. Practical implementation details of the protocol have to be considered along- side theoretical proofs. A protocol proven secure mathematically can still break and leak information if it is not implemented well [7]. To ensure a future where humans can share data with each other securely and maintain their right to privacy, we explore the practicality and security of two PAKE protocols from a business perspective. CHAPTER 1. INTRODUCTION 5 1.2 Problem Statement Which of the two PAKE protocols, SRP-6a and PAKE2+ is the most suitable for business applications with respect to latency, memory, and security? 1.3 Limitations and scope There are 12 well-documented PAKE protocols proposed and implemented in various languages.
Load more

Recommended publications
  • The Twin Diffie-Hellman Problem and Applications
    The Twin Diffie-Hellman Problem and Applications David Cash1 Eike Kiltz2 Victor Shoup3 February 10, 2009 Abstract We propose a new computational problem called the twin Diffie-Hellman problem. This problem is closely related to the usual (computational) Diffie-Hellman problem and can be used in many of the same cryptographic constructions that are based on the Diffie-Hellman problem. Moreover, the twin Diffie-Hellman problem is at least as hard as the ordinary Diffie-Hellman problem. However, we are able to show that the twin Diffie-Hellman problem remains hard, even in the presence of a decision oracle that recognizes solutions to the problem — this is a feature not enjoyed by the Diffie-Hellman problem in general. Specifically, we show how to build a certain “trapdoor test” that allows us to effectively answer decision oracle queries for the twin Diffie-Hellman problem without knowing any of the corresponding discrete logarithms. Our new techniques have many applications. As one such application, we present a new variant of ElGamal encryption with very short ciphertexts, and with a very simple and tight security proof, in the random oracle model, under the assumption that the ordinary Diffie-Hellman problem is hard. We present several other applications as well, including: a new variant of Diffie and Hellman’s non-interactive key exchange protocol; a new variant of Cramer-Shoup encryption, with a very simple proof in the standard model; a new variant of Boneh-Franklin identity-based encryption, with very short ciphertexts; a more robust version of a password-authenticated key exchange protocol of Abdalla and Pointcheval.
    [Show full text]
  • 2.4 the Random Oracle Model
    國 立 交 通 大 學 資訊工程學系 博 士 論 文 可證明安全的公開金鑰密碼系統與通行碼驗證金鑰 交換 Provably Secure Public Key Cryptosystems and Password Authenticated Key Exchange Protocols 研 究 生:張庭毅 指導教授:楊維邦 教授 黃明祥 教授 中 華 民 國 九 十 五 年 十 二 月 可證明安全的公開金鑰密碼系統與通行碼驗證金鑰交換 Provably Secure Public Key Cryptosystems and Password Authenticated Key Exchange Protocols 研 究 生:張庭毅 Student:Ting-Yi Chang 指導教授:楊維邦 博士 Advisor:Dr. Wei-Pang Yang 黃明祥 博士 Dr. Min-Shiang Hwang 國 立 交 通 大 學 資 訊 工 程 學 系 博 士 論 文 A Dissertation Submitted to Department of Computer Science College of Computer Science National Chiao Tung University in partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy in Computer Science December 2006 Hsinchu, Taiwan, Republic of China 中華民國九十五年十二月 ¡¢£¤¥¦§¨© ª« ¬ Æ ¯ « ¡¨ © ¡¢£¤¥ ¦§¨©¢ª«¬ Æ ¯ Æ ­Æ Æ ¡ ElGamal ¦§ °±¥ ²³´ ·§±¥¸¹º»¼½¶­¾¿§­¾¿¸¹³ °µ¶ p ­° p§­¾¿ ElGamal Hwang §°À¡Á²±¥·§ÂÃÄŨ© ElGamal-like È ÆǧȤÉÀÊËÌ¡ÍÎϧElGamal-like IND-CPA ¡¦ÃÅ Á²±¥·ÁÃÄŧ¨©­§Æ ° ½¡ÐÑÒµ§ IND-CPA ElGamal IND- ±È¤±¥ÓÔÕ§ CCA2§ ElGamal-extended ¡Ö×ج­Ù¶ÚÀÛÜ°§¨©ÝÞ­°ÛÜߧ ¡¦§ËÌ IND-CPAPAIR ElGamal-extended Ô°°ÃÄÅ ¬§DZàáâ ãäåæçèé°¡êÛÜ°ëìíîï§åÉ i ïíîÛܰ먩ǰ § ðñòóô ¨©õ­ö÷°§Àäå ­øù×Øú§ûüÀÆý°þÿì° ÛÜµÌ °Ûܱ¡ Bellare-Pointcheval-Rogaway ¯À°úÐÑÒ·§¨© ° Diffie-Hellman õ­°Ý§¡¦§ ò°¥§§±¥§Diffie- Hellman ¯§¥§§È秧 È秧ô§§ç±Ûܧ §ÐÑÒ ii Provably Secure Public Key Cryptosystems and Password Authenticated Key Exchange Protocols Student: Ting-Yi Chang Advisor: Dr. Wei-Pang Yang Dr. Min-Shiang Hwang Institute of Computer Science and Engineering National Chiao Tung University ABSTRACT In this thesis, we focus on two topics: public key cryptosystems and pass- word authenticated key exchange protocols.
    [Show full text]
  • Multi-Server Authentication Key Exchange Approach in Bigdata Environment
    International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 04 Issue: 07 | July -2017 www.irjet.net p-ISSN: 2395-0072 MULTI-SERVER AUTHENTICATION KEY EXCHANGE APPROACH IN BIGDATA ENVIRONMENT Miss. Kiran More1, Prof. Jyoti Raghatwan2 1Kiran More, PG Student. Dept. of Computer Engg. RMD Sinhgad school of Engineering Warje, Pune 2Prof. Jyoti Raghatwan, Dept. of Computer Engg. RMD Sinhgad school of Engineering Warje, Pune ---------------------------------------------------------------------***--------------------------------------------------------------------- Abstract - The key establishment difficulty is the maximum Over-all Equivalent Files System. Which are usually required central issue and we learn the trouble of key organization for for advanced scientific or data exhaustive applications such secure many to many communications for past several years. as digital animation studios, computational fluid dynamics, The trouble is stimulated by the broadcast of huge level and semiconductor manufacturing. detached file organizations behind similar admission to In these milieus, hundreds or thousands of file various storage space tactics. Our chore focal ideas on the structure clients bit data and engender very much high current Internet commonplace for such folder systems that is summative I/O load on the file coordination supporting Parallel Network Folder System [pNFS], which generates petabytes or terabytes scale storage capacities. Liberated of employment of Kerberos to establish up similar session keys the enlargement of the knot and high-performance flanked by customers and storing strategy. Our evaluation of computing, the arrival of clouds and the MapReduce the available Kerberos bottommost procedure validates that it program writing model has resulted in file system such as has a numeral of borders: (a) a metadata attendant make the Hadoop Distributed File System (HDFS).
    [Show full text]
  • Speke Cycle Route
    www.LetsTravelWise.org 1253 330 0151 Telephone: need. might you else 090305/IS/TM/08O9/P anything and times, the through you talk will bike. by easily more Speke around get and person local a – 33 22 200 0871 travel to way wiser a is cycling how shows leaflet This future. our and us on Traveline call want, for move wise a is out them trying Merseyside, in options of lots have We Updated you train or bus which out find To Getting around Speke on your bike your on Speke around Getting September journey. each making of way Manchester. best the about think to need all we cities big other in seen pollution and and Widnes Warrington, in stations 2011. congestion the avoid to want we If slower. getting is travel car meaning Cycle Speke Cycle for outwards and Centre City the in MA. rapidly, rising is Merseyside in car by made being trips of number the Central Liverpool and Street Lime but journeys, their of many or all for TravelWise already are people Most Liverpool towards stations rail Cross Hunts and Parkway South Liverpool from both operate trains Line City and Northern Frequent Centre. City car. a without journeys make the to Parkway South Liverpool from minutes 15 to 10 about takes only It to everyone for easier it make to aim we Merseytravel, and Authorities Local Merseyside the by Funded sharing. car and transport public cycling, trains. Merseyside walking, more – travel sustainable more encourage to aims TravelWise all on free go Bikes problem. a be can parking where Centre City Liverpool into travelling when or workplace, your or school to get to easier it makes www.transpenninetrail.org.uk Web: This way.
    [Show full text]
  • Authentication and Key Distribution in Computer Networks and Distributed Systems
    13 Authentication and key distribution in computer networks and distributed systems Rolf Oppliger University of Berne Institute for Computer Science and Applied Mathematics {JAM) Neubruckstrasse 10, CH-3012 Bern Phone +41 31 631 89 51, Fax +41 31 631 39 65, [email protected] Abstract Authentication and key distribution systems are used in computer networks and dis­ tributed systems to provide security services at the application layer. There are several authentication and key distribution systems currently available, and this paper focuses on Kerberos (OSF DCE), NetSP, SPX, TESS and SESAME. The systems are outlined and reviewed with special regard to the security services they offer, the cryptographic techniques they use, their conformance to international standards, and their availability and exportability. Keywords Authentication, key distribution, Kerberos, NetSP, SPX, TESS, SESAME 1 INTRODUCTION Authentication and key distribution systems are used in computer networks and dis­ tributed systems to provide security services at the application layer. There are several authentication and key distribution systems currently available, and this paper focuses on Kerberos (OSF DCE), NetSP, SPX, TESS and SESAME. The systems are outlined and reviewed with special regard to the security services they offer, the cryptographic techniques they use, their conformance to international standards, and their availability and exportability. It is assumed that the reader of this paper is familiar with the funda­ mentals of cryptography, and the use of cryptographic techniques in computer networks and distributed systems (Oppliger, 1992 and Schneier, 1994). The following notation is used in this paper: • Capital letters are used to refer to principals (users, clients and servers).
    [Show full text]
  • Strong Password-Based Authentication in TLS Using the Three-Party Group Diffie–Hellman Protocol
    284 Int. J. Security and Networks, Vol. 2, Nos. 3/4, 2007 Strong password-based authentication in TLS using the three-party group Diffie–Hellman protocol Michel Abdalla* École normale supérieure – CNRS, LIENS, Paris, France E-mail: [email protected] *Corresponding author Emmanuel Bresson Department of Cryptology, CELAR Technology Center, Bruz, France E-mail: [email protected] Olivier Chevassut Lawrence Berkeley National Laboratory, Berkeley, CA, USA E-mail: [email protected] Bodo Möller Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Bochum, Germany E-mail: [email protected] David Pointcheval École normale supérieure – CNRS, LIENS, Paris, France E-mail: [email protected] Abstract: The internet has evolved into a very hostile ecosystem where ‘phishing’ attacks are common practice. This paper shows that the three-party group Diffie-Hellman key exchange can help protect against these attacks. We have developed password-based ciphersuites for the Transport Layer Security (TLS) protocol that are not only provably secure but also believed to be free from patent and licensing restrictions based on an analysis of relevant patents in the area. Keywords: password authentication; group Diffie–Hellman key exchange; transport layer security; TLS. Reference to this paper should be made as follows: Abdalla, M., Bresson, E., Chevassut, O., Möller, B. and Pointcheval, D. (2007) ‘Strong password-based authentication in TLS using the three-party group Diffie-Hellman protocol’, Int. J. Security and Networks, Vol. 2, Nos. 3/4, pp.284–296. Biographical notes: Michel Abdalla is currently a Researcher with the Centre National de la Recherche Scientifique (CNRS), France and a Member of the Cryptography Team at the Ecole Normale Supérieure (ENS), France.
    [Show full text]
  • Fast and Secure Generating and Exchanging a Symmetric Key for TVWS Protocol
    International Journal of Computer Science and Telecommunications [Volume 9, Issue 3, May 2018] 15 Fast and Secure Generating and Exchanging a Symmetric Key for TVWS Protocol ISSN 2047-3338 Mubark M. A. Elmubark Department of MIS Blue Nile University, Sudan [email protected] Abstract– In network security, symmetric key encryption security key. So many security protocols can be used in methods are commonly used in order to generate and exchange TVWS with pros and cons. a secret key between the sender and the receiver. The main This paper concentrated on security issues in spectrum drawbacks of this method are that, the attackers might access database access and studies these protocols and proposed new the transmitted data and use it to obtain the key and even methods for key generation and exchange. generate new keys. Also, the process of generating the key is inefficient and time consuming. In this paper a new key PKMv1: WiMAX security, as specified by IEEE 802.16 generation and exchange protocol is proposed to overcome the standard [2] is provided by a security sublayer resided in the aforementioned problems in the conventional symmetric key MAC layer. A protocol called PKM has been adopted in the encryption methods. In the proposed protocol, the results show security sublayer of WiMAX to provide authorization, that the protocol is saved. authentication and keys exchange and distribution between Index Terms– Security, Key Generation and Key Exchange Base Stations (BSs) and Subscriber Stations (SSs). The standard has approved two versions of PKM protocol. PKMv1 which is approved in IEEE 802.16-2004 standards I.
    [Show full text]
  • IEEE P1363.2: Password-Based Cryptography
    IEEE P1363.2: Password-based Cryptography David Jablon CTO, Phoenix Technologies NIST PKI TWG - July 30, 2003 What is IEEE P1363.2? • “Standard Specification for Password-Based Public-Key Cryptographic Techniques” • Proposed standard • Companion to IEEE Std 1363-2000 • Product of P1363 Working Group • Open standards process PKI TWG July 2003 IEEE P1363.2: Password-based Cryptography 2 One of several IEEE 1363 standards • Std 1363-2000 • Sign, Encrypt, Key agreem’t, using IF, DL, & EC families • P1363a • Same goals & families as 1363-2000 • P1363.1: Lattice family • Same goals as 1363-2000, Different family • P1363.2: Password-based • Same families • More ambitious goals PKI TWG July 2003 IEEE P1363.2: Password-based Cryptography 3 Scope of P1363.2 • Modern “zero knowledge” password methods • Uses public key techniques • Uses two or more parties • Needs no other infrastructure • Authenticated key establishment • Resists attack on low-grade secrets • passwords, password-derived keys, PINs, ... PKI TWG July 2003 IEEE P1363.2: Password-based Cryptography 4 Rationale (1) • Why low-grade secrets? • People have trouble with high-grade keys • storage -- memorizing • input -- attention to detail • output -- typing • Passwords are ubiquitous • Easy for people to memorize, recognize, and type. • Reduce security/convenience tradeoffs. PKI TWG July 2003 IEEE P1363.2: Password-based Cryptography 5 Rationale (2) • Why use public-key techniques? • Symmetric methods can’t do it. • Why new methods? • Different than symmetric, hash, or other PK crypto. • AES, SHA-1, DH, and RSA can’t do it alone. PKI TWG July 2003 IEEE P1363.2: Password-based Cryptography 6 Chosen Password Quality Summarized from Distribution Morris & Thompson ‘79, Klein ‘90, Spafford ‘92 0 30 or so 60 or so Password Entropy (bits) History of protocols that fail to dictionary attack (or worse) • Clear text password π • Password as a key Eπ (verifiable text) • (e.g.
    [Show full text]
  • Distribution Scheme for Fog Networks Nikkhah Bahrami, P, Javadi, HHS, Dargahi, T, Dehghantanha, a and Choo, KKR
    A hierarchical key pre-distribution scheme for fog networks Nikkhah Bahrami, P, Javadi, HHS, Dargahi, T, Dehghantanha, A and Choo, KKR http://dx.doi.org/10.1002/cpe.4776 Title A hierarchical key pre-distribution scheme for fog networks Authors Nikkhah Bahrami, P, Javadi, HHS, Dargahi, T, Dehghantanha, A and Choo, KKR Type Article URL This version is available at: http://usir.salford.ac.uk/id/eprint/47188/ Published Date 2019 USIR is a digital collection of the research output of the University of Salford. Where copyright permits, full text material held in the repository is made freely available online and can be read, downloaded and copied for non-commercial private study or research purposes. Please check the manuscript for any further copyright restrictions. For more information, including our policy and submission procedure, please contact the Repository Team at: [email protected]. ReceivED -; ReVISED -; Accepted 31 MaY 2018 DOI: xxx/XXXX SPECIAL ISSUE PAPER A HierARCHICAL KEY Pre-Distribution Scheme FOR FOG Networks POONEH Nikkhah BahrAMI1 | Hamid H.S.JaVADI2 | TOOSKA Dargahi3 | Ali Dehghantanha4 | Kim-KWANG RaYMOND Choo5 1Department OF Computer Science, TEHRAN UnivERSITY, Kish Campus, IrAN Summary 2Department OF Computer Science, Shahed UnivERSITY, TEHRan, IrAN Security IN FOG COMPUTING IS multi-faceted, AND ONE PARTICULAR CHALLENGE IS ESTABLISHING A SECURE 3 School OF Computing, Science AND Engineering, COMMUNICATION CHANNEL BETWEEN FOG NODES AND END DEvices. This EMPHASIZES THE IMPORTANCE UnivERSITY OF Salford, Manchester, UK 4Department OF Computer Science, UnivERSITY OF DESIGNING EFfiCIENT AND SECRET KEY DISTRIBUTION SCHEME TO FACILITATE FOG NODES AND END DEVICES OF Sheffield, Sheffield, UK TO ESTABLISH SECURE COMMUNICATION channels.
    [Show full text]
  • On Robust Key Agreement Based on Public Key Authentication Feng Hao Thales E-Security, Cambridge, UK [email protected]
    1 On Robust Key Agreement Based on Public Key Authentication Feng Hao Thales E-Security, Cambridge, UK [email protected] Abstract—This paper discusses public-key authenticated key Elliptic Curve Cryptography (ECC) [10]. Using ECC essen- agreement protocols. First, we critically analyze several authen- tially replaces the underlying (multiplicative) cyclic group ticated key agreement protocols and uncover various theoretical with another (additive) cyclic group defined over some elliptic and practical flaws. In particular, we present two new attacks on the HMQV protocol, which is currently being standardized curve. The essence of the protocol remains unchanged. by IEEE P1363. The first attack presents a counterexample to The acute problem with the Diffie-Hellman key agreement invalidate the basic authentication in HMQV. The second attack is that it is unauthenticated [2]. While secure against passive is applicable to almost all past schemes, despite that many of attackers, the protocol is inherently vulnerable to active attacks them have formal security proofs. These attacks highlight the such as the man-in-the-middle attack [6]. This is a serious lim- difficulty to design a crypto protocol correctly and suggest the caution one should always take. itation, which for many years has been motivating researchers We further point out that many of the design errors are caused to find a solution [3]–[5], [7], [9], [11], [13], [20]. by sidestepping an important engineering principle, namely To add authentication, we must start with assuming some “Do not assume that a message you receive has a particular shared secret. In general, there are two approaches.
    [Show full text]
  • Analysing and Patching SPEKE in ISO/IEC
    1 Analysing and Patching SPEKE in ISO/IEC Feng Hao, Roberto Metere, Siamak F. Shahandashti and Changyu Dong Abstract—Simple Password Exponential Key Exchange reported. Over the years, SPEKE has been used in several (SPEKE) is a well-known Password Authenticated Key Ex- commercial applications: for example, the secure messaging change (PAKE) protocol that has been used in Blackberry on Blackberry phones [11] and Entrust’s TruePass end-to- phones for secure messaging and Entrust’s TruePass end-to- end web products. It has also been included into international end web products [16]. SPEKE has also been included into standards such as ISO/IEC 11770-4 and IEEE P1363.2. In the international standards such as IEEE P1363.2 [22] and this paper, we analyse the SPEKE protocol as specified in the ISO/IEC 11770-4 [24]. ISO/IEC and IEEE standards. We identify that the protocol is Given the wide usage of SPEKE in practical applications vulnerable to two new attacks: an impersonation attack that and its inclusion in standards, we believe a thorough allows an attacker to impersonate a user without knowing the password by launching two parallel sessions with the victim, analysis of SPEKE is both necessary and important. In and a key-malleability attack that allows a man-in-the-middle this paper, we revisit SPEKE and its variants specified in (MITM) to manipulate the session key without being detected the original paper [25], the IEEE 1363.2 [22] and ISO/IEC by the end users. Both attacks have been acknowledged by 11770-4 [23] standards.
    [Show full text]
  • Analysis of Two Pairing-Based Three-Party Password Authenticated Key Exchange Protocols
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Loughborough University Institutional Repository This item was submitted to Loughborough’s Institutional Repository (https://dspace.lboro.ac.uk/) by the author and is made available under the following Creative Commons Licence conditions. For the full text of this licence, please go to: http://creativecommons.org/licenses/by-nc-nd/2.5/ 2009 Third International Conference on Network and System Security Analysis of Two Pairing-based Three-party Password Authenticated Key Exchange Protocols Raphael C.-W. Phan Wei-Chuen Yau, Bok-Min Goi Electronic and Electrical Engineering Faculty of Engineering Loughborough University Multimedia University United Kingdom Cyberjaya, Malaysia [email protected] [email protected], [email protected] Abstract—Password-Authenticated Key Exchange (PAKE) • Dictionary attack resilience: Originally, a dictionary protocols allow parties to share secret keys in an authentic attack is a password guessing technique in which the manner based on an easily memorizable password. Recently, adversary attempts to determine a user’s password by Nam et al. showed that a provably secure three-party password- based authenticated key exchange protocol using Weil pairing successively trying words from a dictionary (a compiled by Wen et al. is vulnerable to a man-in-the-middle attack. In list of likely passwords) in the hope that one of these doing so, Nam et al. showed the flaws in the proof of Wen et al. password guesses will be the user’s actual password. and described how to fix the problem so that their attack no This attack can be performed in online mode (trying longer works.
    [Show full text]