(12) Patent Application Publication (10) Pub. No.: US 2002/0194478 A1 Mackenzie (43) Pub

US 2002O194478A1 (19) United States (12) Patent Application Publication (10) Pub. No.: US 2002/0194478 A1 MacKenzie (43) Pub. Date: Dec. 19, 2002

(54) METHODS AND APPARATUS FOR (57) ABSTRACT PROVIDING EFFICIENT PASSWORD-AUTHENTICATED KEY A secure protocol is provided which uses a Diffie-Hellman EXCHANGE type shared Secret, but modified Such that the two parties may authenticate each other using a shared password. In (76) Inventor: Philip D. MacKenzie, Maplewood, NJ accordance with the invention, a party generates the Diffie (US) Hellman value g and combines it with a function of at least Correspondence Address: the password using a group operation, wherein any portion of a result associated with the function that is outside the Ryan, Mason & Lewis, LLP group is randomized. The resulting value is transmitted to 90 Forest Avenue the other party. The group operation is defined for the Locust Valley, NY 11560 (US) particular group being used. Every group has a group Appl. No.: 09/827,227 operation and a corresponding inverse group operation. (21) Upon receipt of the value, the other party performs the (22) Filed: Apr. 5, 2001 inverse group operation on the received value and the function of at least the password, and removes the random Publication Classification ization of any portion of the result associated with the function that is outside the group, to extract g Such that the (51) Int. Cl...... H04L 9/00 other party may then generate the shared Secret g using its (52) U.S. Cl...... 713/171 knowledge of y.

resear- so? keg 2 - 3o4 Wve a'la, A, CA, 3,T). Zoe - - - la-laer test a É O Mode h-so Yeaé - 22 3, A. ff en x) ye'rea ey (ist) 2.2 K 3d k = (ACA, B, -, -, or, c)-ste 1 4 S - - 22 test - k3 ACA, B, rn, M.O.) 22A k's t CA, 3, w, u-, o, tr) E.2e K- PCA, B, wu, O, ir) 228 k 2O -S-S -- Test k . ACA, B, , , o, (t)h- 332 k = 4, CA, e, w, u, o, (t)h-324 Patent Application Publication Dec. 19, 2002 Sheet 1 of 4 US 2002/0194478 A1

O 9 g a s|| 8 & 7. < (a 5 - >- Q?)

X -

CA s 8 s & Patent Application Publication Dec. 19, 2002 Sheet 2 of 4 US 2002/0194478 A1

Patent Application Publication Dec. 19, 2002 Sheet 3 of 4 US 2002/0194478 A1

Patent Application Publication Dec. 19, 2002 Sheet 4 of 4 US 2002/0194478 A1

OC) s O t t N

Y S 1. w as r -r a-1r US 2002/0194478 A1 Dec. 19, 2002

METHODS AND APPARATUS FOR PROVIDING adversary imperSonates the Server, So that the client believes EFFICIENT PASSWORD-AUTHENTICATED KEY that it is communicating with the legitimate Server, but EXCHANGE instead is actually communicating with the adversary. In Such an attack, the client may provide Sensitive information CROSS REFERENCE TO RELATED to the adversary. APPLICATIONS 0010 Further, in any password-based authentication pro 0001. The present application is related to the commonly tocol, there exists the possibility that passwords will be weak assigned U.S. patent application identified by Ser. No. Such that they are Susceptible to dictionary attacks. A dic 09/638,320, filed on Aug. 14, 2000 in the name of V. V. tionary attack is a brute force attack on a password that is Boyko et al. and entitled “Secure Mutual Network Authen performed by testing a large number of likely passwords tication and Key Exchange Protocol,” the disclosure of (e.g., all the words in an English dictionary) against Some which is incorporated by reference herein. known information about the desired password. The known information may be publicly available or may have been FIELD OF THE INVENTION obtained by the adversary through one of the above-de 0002 The present invention generally relates to tech Scribed techniques. Dictionary attacks are often effective niques for providing network authentication and key because users often choose easily remembered, and easily eXchange and, more particularly, to techniques for improv guessed, passwords. ing the computational efficiency associated with Such net 0011. There are various known techniques for network work authentication and key exchange. authentication. These known techniques will be divided into two classifications. The first classification includes those BACKGROUND OF THE INVENTION techniques that require persistent Stored data on the client 0003) Authentication over a network is an important part System. The Second classification includes those techniques of Security for Systems that allow remote clients to acceSS which do not require persistent Stored data on the client network Servers. Authentication is generally accomplished System. by verifying one or more of the following: 0012. With respect to the first classification, persistent 0004 (i) Something a user knows, e.g. a password; Stored data may include either Secret data (e.g., Secret keys shared with the authenticating server) which must never be 0005 (ii) something a user is, i.e., biometric infor revealed, or non-Secret but sensitive data (e.g., the authen mation, Such as a fingerprint; and ticating server's public key) which must be tamper-proof. 0006 (iii) something a user has, i.e., some identifi With either type of persistent data, extra Security require cation token, Such as a Smart-card. ments are necessary to Secure the data from attack from an adversary. Further, when using an authentication protocol 0007 For example, an automatic teller machine (ATM) which relies on both passwords and persistent Stored data, a verifies two of these: something a user has, the ATM card, compromise of either may lead to a vulnerability of the and Something a user knows, a personal identification num other. For example, compromising a Secret key may lead to ber (PIN). ATM authentication is significantly easier than a possible dictionary attack on the password. Another prob authentication over a data network because the ATM itself is lem with this first class of protocols is that persistent Stored considered trusted hardware, Such that it is trusted to Verify data requires generation and distribution of keys, which can the presence of the ATM card and to transfer the correct be cumberSome, and generally provides a leSS flexible information Securely to a central transaction Server. System. 0008. In addition to authentication, key exchange is an 0013 The second classification is called password-only important part of communication acroSS a data network. authentication protocols because there is no requirement of Once a client and Server have been authenticated, a Secure persistent Stored data at the client. The client only needs to communication channel must be set up between them. This be able to provide a legitimate password. The notion of is generally accomplished by the client and Server eXchang providing Strong Security and authentication using poten ing a key, called a Session key, for use during communica tially weak passwords Seems to be contradictory. However, tion Subsequent to authentication. there exist Several password-only user authentication and 0009 Authentication over a data network, especially a key exchange protocols that are designed to be Secure. A public data network like the Internet, is difficult because the description of these protocols may be found in D. Jablon, communication between the client and Server is Susceptible Strong Password-Only Authenticated Key Exchange, ACM to many different types of attacks. For example, in an Computer Communication Review, ACM SIGCOMM, eavesdropping attack, an adversary may learn Secret infor 26(5):5-20, 1996, the disclosure of which is incorporated by mation by intercepting communication between the client reference herein. Some of the more notable of the password and the Server. If the adversary learns password information, only protocols include Encrypted Key Exchange (EKE) the adversary may replay that information to the Server to described in S. M. Bellovin and M. Merritt, Encrypted Key imperSonate the legitimate client in what is called a replay Exchange. Password-Based Protocols Secure Against Dic attack. Replay attacks are effective even if the password Sent tionary Attacks, Proceedings of the IEEE Symposium on from the client is encrypted because the adversary does not Research in Security and Privacy, pp.72-84.1992; Aug need to know the actual password, but instead must provide mented-EKE (A-EKE), S. M. Bellovin and M. Merritt, Something to the Server that the Server expects from the Augmented Encrypted Key Exchange. A Password-Based legitimate client (in this case, an encrypted password). Protocol Secure Against Dictionary Attacks and Password Another type of attack is a spoofing attack, in which an File Compromise, Proceedings of the First Annual Confer US 2002/0194478 A1 Dec. 19, 2002

ence on Computer and Communications Security, 1993, Secret, but modified Such that the two parties may authen pages 244-250; Modified EKE (M-EKE), M. Steiner, G. ticate each other using a shared password. Further, we have TSudik, and M. Waidmer, Refinement and Extension of proven that this protocol is Secure. In accordance with the Encrypted Key Exchange, ACM Operating System Review, invention, a party generates the Diffie-Hellman value g and 29:22-30, 1995; Simple Password EKE (SPEKE) and Diffie combines it with a function of at least the password using a Hellman EKE (DH-EKE), both described in D. Jablon, group operation, wherein any portion of a result associated Strong Password-Only Authenticated Key Exchange, ACM with the function that is outside the group is randomized. Computer Communication Review, ACM SIGCOMM, The resulting value is transmitted to the other party. The 26(5):5-20, 1996; Secure Remote Password Protocol (SRP), group operation is defined for the particular group being T. Wu, The Secure Remote Password Protocol, Proceedings used, and will be described in further detail below. For of the 1998 Internet Society Network and Distributed Sys present purposes, it is Sufficient to recognize that every tem. Security Symposium, pages 97-111, 1998; Open Key group has a group operation and a corresponding inverse Exchange (OKE), Stefan Lucks, Open Key Exchange. How group operation. to Defeat Dictionary Attacks Without Encrypting Public 0018. Upon receipt of the value, the other party performs Keys, Security Protocol Workshop, Ecole Normale the inverse group operation on the received value and the Superieure, Apr. 7-9, 1997; Authenticated Key Exchange function of at least the password, and removes the random (AKE), M. Bellare, D. Pointcheval, and P. Rogaway, ization of any portion of the result associated with the Authenticated Key EXchange Secure Against Dictionary function that is outside the group, to extract g Such that the Attacks, Advances in Cryptology, pp. 139-155, Eurocrypt other party may then generate the shared Secret g using its 2000; and commonly assigned U.S. patent application iden knowledge of y. tified by Ser. No. 09/353,468, filed on Jul. 13, 1999 in the name of P. D. MacKenzie et al. and entitled “Secure Mutual 0019. The use of the group operation and the inverse Network Authentication Protocol (SNAPI), the disclosures group operation in conjunction with a Diffie-Hellman type of which are incorporated by reference herein. key exchange protocol as described herein provides benefits 0.014. The problem with most of the known password over password-only mutual network authentication proto only authentication protocols is that they have not been cols. The randomization of any portion of the result asso proven Secure. In fact, the EKE protocol may be Susceptible ciated with the function that is outside the group reduces the to a certain number of theoretic attacks as described in S. computational intensity associated with the operations per Patel, Number Theoretic Attacks On Secure Password formed by the one party. Advantageously, the present inven Schemes, Proceedings of the IEEE Symposium on Research tion provides a protocol which can be proven to be Secure in Security and Privacy, pages 236-247,1997, the disclosure against attacks by adversaries which have access to the of which is incorporated by reference herein. While the AKE communication channel. protocol has been proven Secure, it requires Strong assump 0020. As described above, the Diffie-Hellman value g is tions to prove security. Further, while the SNAPI protocol combined with a function of at least the password. The term has also been proven Secure, the protocol is based on the “at least' is used because, in various embodiments, g may RSA algorithm rather than Diffie-Hellman. be combined with a function of the password alone, or a function of the password along with identifiers of the parties 0.015 Commonly assigned U.S. patent application iden to the protocol in order to ensure that the password is unique tified by Ser. No. 09/638,320, filed on Aug. 14, 2000 in the for any particular pair of parties. name of V. V. Boyko et al. and entitled “Secure Mutual Network Authentication and Key Exchange Protocol,” the 0021. In accordance with one embodiment of the inven disclosure of which is incorporated by reference herein, tion, the parties may authenticate each other by computing discloses a Secure password-only mutual network authenti a function of at least certain parameters, transmitting the cation and key exchange protocol which is provably Secure computed value to the other party, and then each party and uses a Diffie-Hellman type shared secret, but modified checking the received value against its own computed value. Such that the two parties may authenticate each other using The parameters used for the computation may be at least one a shared password. of a party identifier, the Diffie-Hellman value (g org), the shared Secret, and the shared password. By computing a SUMMARY OF THE INVENTION function of at least one of these values, the parties may 0016. The present invention provides a secure password authenticate that the other party is in possession of the only mutual network authentication protocol which is prov shared password. ably Secure. In accordance with the inventive protocol, two 0022. These and other objects, features and advantages of parties generate a shared Secret using a Diffie-Hellman type the present invention will become apparent from the fol key exchange. AS is known, in accordance with a Diffie lowing detailed description of illustrative embodiments Hellman type key exchange, there is a group generator g for thereof, which is to be read in connection with the accom a particular group, an indeX X known to one party, an indeX panying drawings. y known to the other party, and the shared Secret g. One party generates g, the other party generates g, and the parties exchange these values So that each party may now BRIEF DESCRIPTION OF THE DRAWINGS generate the shared secret g’. While Diffie-Hellman defines 0023 FIG. 1 illustrates the Diffie-Hellman key exchange a key exchange protocol, the protocol has no authentication protocol, aspects. 0024 FIG. 2 illustrates a mutual authentication and key 0017 Thus, in accordance with the present invention, we eXchange protocol in which both parties possess a shared provide a protocol which uses a Diffie-Hellman type shared password; US 2002/0194478 A1 Dec. 19, 2002

0.025 FIG. 3 illustrates an improved efficiency mutual in step 114. The shared secret S can now be used by A and authentication and key exchange protocol in accordance B as a Session key for Secure communication. with an embodiment of the present invention in which both 0031. Diffie-Hellman key exchange can also be per parties possess a shared password; and formed over other groups in which the discrete log function 0.026 FIG. 4 illustrates a generalized hardware architec is difficult to compute, Such as certain elliptic curve groups. ture of a data network and computer Systems Suitable for Groups are well-known in the art, as described in I. N. implementing one or more of the password-authenticated Herstein, Topics in Algebra, 2nd edition, John Wiley & key exchange methodologies according to the present inven Sons, New York, 1975, the disclosure of which is incorpo tion. rated by reference herein, as follows. A nonempty Set of elements G is said to form a group if in G there is defined DETAILED DESCRIPTION OF PREFERRED a binary operation, called the product and denoted by, Such EMBODIMENTS that: 0.027 Cryptography is a well-known technique for pro 0032 1. a, b e Gimplies that ab e G (closed). Viding Secure communication between two parties. Prior to 0033 2. a, b, c, e G implies that a (b.c)=(a-b)c describing various embodiments of the present invention, (associative law). Some background and basic terminology will be provided. 0034 3. There exists an element e e G such that 0028 Informally, a function f from a set S to a set T is a are=e a=a for all a e G (the existence of an identity one-way function if f(x) is easy to compute for all x in S but element in G). for most y in T, it is computationally infeasible to find any X in S where f(x)=y. One example of a one-way function is 0035) 4. For every a e G there exists an element a modular exponentiation. Let p be a large prime and g a e G such that a'a' =a'a=e (the existence of inverses generator of the multiplicative group mod p (that is, the in G). numbers in the range 1, . . . , p-1). Then f(x)=g mod p is 0036) Thus, more generally, Diffie-Hellman key generally assumed to be a one-way function. The inverse eXchange operates in a specific group where the Secret keys function, called the discrete log function, is difficult to X and y are indices to elements of the group. Thus, consider compute. There are also other groups in which the discrete a group G with a group generatorge G and G={g, gig, gigg, log function is difficult to compute, Such as certain elliptic gggg,...} where is the group operation. AS examples, if curve groupS. the group operation for G is multiplication, then G={g", g, 0029) Let k and 1 denote security parameters, where k is g, g'. ... }. If the group operation for G is addition, then the main Security parameter and can be thought of as a G={1g, 2g, 3g, 4g, ... }. Since the present invention may general Security parameter for hash functions and Secret be implemented using different groups, as used herein keys (e.g., 160 bits), and lak can be thought of as a Security below, the notation g means that the group operation is parameter for discrete-log-based public keys (e.g., 1024 or applied X times on the group generator g. Further, for every 2048 bits). Let {0,1}* denote the set of finite binary strings group, there is also an inverse group operation represented and {0,1}" denote the set of binary strings of length n. A hereinas. AS used herein below, the inverse group operation real-valued function e(n) is negligible if for every c>0, there is defined as follows. The inverse group operation on X and exists n>0 Such that e(n)-1/n for all n>n. Let q of size at y, I.C., least k and p of Size l be primes Such that p=rq+1 for Some value r co-prime to q. Let g be a generator of a Subgroup of Z* of size q. Call this Subgroup G 0.030. A key exchange protocol called Diffie-Hellman Key Exchange and described in W. Diffie and M. Hellman, New Directions in Cryptography, IEEE Transactions on 0037) is defined as xy". Information Theory, vol. 22, no. 6, 644-654, 1976, the disclosure of which is incorporated by reference herein, is 0038 FIG. 2 illustrates a mutual authentication and key based on the modular exponentiation function. Specifically, eXchange protocol in accordance with an explicit authenti two parties A and B agree on a Secret key in accordance with cation approach in which both parties possess a shared the protocol described in conjunction with FIG. 1. In step password. The communication protocol in FIG. 2 is dis 102, A chooses a random X from the group Z (i.e., Xer Z) closed in the above-referenced U.S. patent application iden where Z={0, 1,..., q-1} (or simply the integers mod q). tified by Ser. No. 09/638,320, filed on Aug. 14, 2000 in the In step 104, A computes X=g mod p. In step 106, A name of V. V. Boyko et al. and entitled “Secure Mutual transmits X to B. In step 108, B chooses a random y from Network Authentication and Key Exchange Protocol.” In Z (i.e., Yer Z.) In step 110, B computes Y=g mod p and general, the communication protocol uses a Diffie-Hellman transmits Y to A in step 112. At this point, a shared secret g’ type shared Secret, but modified Such that the two parties (i.e., a Secret key) can be computed by both A and B. Note may authenticate each other using a shared password. Fur that herein below we may ignore the mod p notation for ther, it has been proven that this protocol is Secure. notational Simplicity if it is clear that we are working in mod 0039. In accordance with FIG. 2, steps shown on the left p. Since X=g was transmitted from A to B in step 106, B can Side of the figure are performed by a first party A, and Steps calculate the shared secret g by computing X instep 116. shown on the right Side of the figure are performed by a Similarly, since Y=g was transmitted from B to A in step Second party B. Typically, A is a client machine (computer 112, A can calculate the shared secret g by computing Y System) and B is a server machine (computer System). US 2002/0194478 A1 Dec. 19, 2002

However, this is not required, and A and B are referred to as 0 mod p. If the value is 0 mod p, the server terminates the client and Server, respectively, only as an example to Show protocol because 0 is not in Z*. Otherwise, in step 210, the the typical case. Thus, it is to be understood that the server chooses a random value for the index y from Z. In approach shown in FIG. 2 is not limited to the case where Step 212, the Server assigns a parameter u to the computed A and B are client and Server, but instead is applicable to any Diffie-Hellman value g. Next, in step 214, the server two parties A and B. Arrows represent communication computes the Diffie-Hellman shared secret g (referred to as between the parties. In accordance with the protocol, the O in this protocol) using the received parameter m as Server authenticates itself to the client and the client authen follows: ticates itself to the server. After both sides have authenti cated, each generates a Secret Session key which may be used for Subsequent Secure communication. O = (H.A. h. 7t)) y 0040 Prior to initiation of the protocol, it is assumed that the client and the Server are in possession of a password at which the client uses to authenticate with the server. 0045 mod p. We will now describe this step in further 0041. It is noted that the following protocol authenticates detail (leaving out the mod p notation for notational Sim both the server and the client. Thus, neither the server nor the plicity). First, it should be recalled that, as described above, client are assumed to be authentic, and thus either the Server for every group operation, there is an inverse group opera or the client may be an adversary. The client may be an tion Such that the inverse group operation on X and y, i.e. adversary attempting to authenticate itself and gain access to the Server. The Server may be an adversary attempting to Spoof another authentic Server in an attempt to gain Sensitive information from an unsuspecting client. 0042. Returning now to FIG. 2, in step 202, the client chooses a random value for the index X from Z. Then, in Step 204, the client computes a parameterm as m=g (H1(A, 0046) is defined as xy". Thus, one skilled in the art B, t))" mod p, where A is a unique identifier of the client, B would recognize that the calculation of is a unique identifier of the Server, It is the client's password for this particular Server, H is a random hash function, and represents the group operation. H (A, B, ) is raised to i the r power in order to ensure that the result is within Ge. (H(A, B, t)) Informally, a function H from a set S to a set T will be called a random hash function if the output of H looks random or at least is unpredictable until the function is computed with 0047 in step 214 is performing the inverse group opera an input X in S. Since H must output Something that looks tion on m and the function of at least the password. Substi random in Z*, it should outputp+Sec bits (where p is the tuting the value of m from step 204, we have number of bits of p and Sec is the Security parameter. The Security parameter may be, for example, 160. Known func tions that generally behave this way are SHA-1, described in FIPS 180-1, Secure Hash Standard, Federal Information Processing Standards Publication 180-1, 1995; and RIP EMD-160, described in H. Dobbertin, A. Bosselaers, B. 0048 Thus, if the server has possession of the correct Preneel, RIPEMD-160: a strengthened version of RIPEMD, password TL, then the server can extract the Diffie Hellman In Fast Software Encryption, 3rd Intl. Workshop, 71-82, value g from the value of the received parameterm. Thus, 1996, the disclosures of which are incorporated by reference the computation in Step 214 results in the Server generating herein. the Diffie-Hellman shared secret g’. 0043. The tuple (A, B, t) is used, rather than only the password, in order to ensure that it is unique for each 0049 Next, in step 216, the server computes k=H (A, B, client-Server pair. The password alone is all that is required m, u, O.J., where H is another random hash function which for heuristic Security, but, as discussed in further detail must output Sec bits, where Sec is the Security parameter. The below, the client and Server names are used to ensure a parameter k will be used by the client A, as described below, formal proof of Security. Thus, in accordance with the to authenticate that the Server is in possession of the correct protocol in FIG. 2, a function of at least the password is password. In Step 218, the Server transmits parameters u and combined with the Diffie-Hellman value g’ by performing k to the client. the group operation on the function of at least the password 0050. Upon receipt of parameters u and k, the client and the Diffie-Hellman value g. This is an important step of computes O=u mod p in Step 220. Since u=g, u=g, the protocol as it ensures that the Diffie-Hellman value g which is the Diffie-Hellman shared secret. In step 222, the may only be extracted from the parameter m by Someone client computes H. (A, B, m, u, O, t) using its own who has knowledge of the password. This extraction of the knowledge of at and tests whether the result is equal to the Diffie Hellman value g will be described in further detail parameter k received from the server in step 218. If they are below in conjunction with step 214. In step 206, the client the Same, then the client has authenticated the Server. If they transmits the parameter m to the Server. are not the Same, then the client terminates the protocol as 0044) Upon receipt of the parameter m, the server tests the Server has not authenticated itself. In Step 224, the client the parameter value in step 208 to ensure that the value is not computes k'-H (A, B, m, u, O, IL) which will be used by the US 2002/0194478 A1 Dec. 19, 2002

Server to authenticate the client as described below. In Step present invention, the client only needs to perform three 226, the client generates Session key Kas K=H(A, B, m, ill, q-bit exponentiations, which generally require much less O, t). In Step 228, the client transmits k" to the server. Again, computation as compared with the protocol of FIG. 2. The H, and H are random hash functions which must output invention is able to provide Such an advantage in the Sec bits, where Sec is the Security parameter. following manner. Instead of forcing the result of the hash function used to generate parameter m to be in the group 0051. In step 230, the server computes H., (A, B, m, u, G, we allow the result of the hash function to be any O, t) using its own knowledge of It grand tests whether the element in Z*, and randomize that part of the hash function result is equal to the parameter k" received from the client in result outside of Gp. This makes the m value indistin step 228. If they are the same, then the server has authen guishable from a random value in Z* (instead of a random ticated the client. If they are not the same, then the Server value in G), but still allows one to extract the hash value terminates the protocol as the client has not authenticated and the extra randomization. itself. In Step 232, the Server generates Session key K as K-H, (A, B, m, u, O, Tl). 0057. In this case, we have p=rq+1 in which gcd(r,q)=1 (where gcd Stands for greatest common divisor), in order to 0.052 At this point, both the client and server have extract the extra randomization. Of course, for randomly authenticated with each other, and both the client and the chosen q and p (for instance, using the NIST approved Server have generated the same Secure Session key K, which algorithm described in U.S. Department of Commerce/ may be used for Subsequent Secure communication between NIST, Springfield, Va., FIPS 186, “Digital Signature Stan the client and the Server. dard.” Federal Information Processing Standards Publica 0053 Thus, while the communication protocol of FIG.2 tion 186, 1994, the disclosure of which is incorporated by provides the advantages of key exchange with password reference herein), this relation may be satisfied with high based authentication, the generation of the parameter m as probability. gx'(H (A, B, t))" mod p can be computationally intense. This 0.058 As with FIG. 2, steps shown on the left side of can be problematic when the client device does not possess FIG. 3 are performed by a first party A, and steps shown on the computational resources to adequately perform this the right side of FIG. 3 are performed by a second party B. portion of the protocol. This maybe the case when the client Again, A is referred to as a client machine (computer A is a Smaller, slower device Such as an older generation System) and B as a server machine (computer System) only personal computer, a Smartcard, or a handheld personal as an example to show a typical case. Thus, it is to be digital assistant (PDA), to name a few examples. Also, while understood that the protocol shown in FIG. 3 is applicable B may be a server and is assumed to be more computation to any two entities or parties A and B. Again, arrows ally equipped than the client, the protocol may be performed represent communication between the parties. In accordance between two client-type devices and thus computational with the protocol of FIG. 3, the server authenticates itself to efficiency is important on both sides of the protocol. A the client and the client authenticates itself to the Server. Solution which is able to reduce the client-Side computation Thus, neither the Server nor the client are assumed to be by at least a factor of two is provided in accordance with the authentic, and thus either the Server or the client may be an present invention and illustrated in the context of FIG. 3. adversary, as explained above. After both sides have authen 0.054 Referring now to FIG. 3, an improved efficiency ticated, each generates a Secret Session key which may be mutual authentication and key exchange protocol is pro used for Subsequent Secure communication. Vided in accordance with an embodiment of the present invention in which both parties possess a shared password. 0059) As with the FIG. 2 protocol, prior to initiation of The communication protocol is a Secure password-authen the FIG. 3 protocol of the invention, it is assumed that the ticated key exchange protocol and assumes the hardness of client and the Server are in possession of a password JL which the Decision Diffie-Hellman problem (DDH) in G. Let the client uses to authenticate with the Server. DH(X,Y) denote the Diffie-Hellman value gy of X=g and 0060 Returning now to FIG. 3, in step 302, the client Y=g, as described above. One formulation is that given g, chooses a random value for the index X from Z. (i.e., X et X, Y, Z in G, where X=g and Y=g are chosen randomly, Z). In step 304, the client chooses a random value h from and Z is either DH(X, Y) or random, each with half the group Z * (i.e., her Z). Then, in step 306, the client probability, determine if Z=DH(X, Y). Breaking DDH computes a parameterm as m=gh-H(A, B, JL) where A is implies constructing a polynomial-time adversary that dis a unique identifier of the client, B is a unique identifier of the tinguishes Z=DH(X, Y) from a random Z with non-negli Server, H is the client's password for this particular server, gible advantage over a random guess. H is a random hash function, represents the group opera 0055) Further, we define hash functions H., H., H:{0, tion, and h is a randomization operation. Recall that in the 1}*->{0, 1} and H: {0,1}*->{0,1}", where me1+K. We protocol of FIG. 2, H (A, B, ) is raised to the r power in also assume that H., H., H 2b, and H are independent order to ensure that the result is within G. However, in random functions, as used above in the approach of FIG. 2. accordance with the present invention, instead of forcing the Note that while H is described as returning a bit String, we result of the hash function used to generate parameter m to operate on its output as a number modulo p. be in the group G, the protocol of FIG.3 allows the result of the hash function to be any element in Z*, and random 0056. In accordance with the communication protocol of izes that part of the hash function result outside of G. This FIG. 2, note that the client performs two q-bit exponen is accomplished via the randomization operation h. This tiations (steps 204 and 220), and one r-bit exponentiation makes the m value indistinguishable from a random value in (step 204). As will be explained below in the context of FIG. instead of a random value in G, but still allows the server 3, in accordance with a communication protocol of the B to extract the hash value and the extra randomization. US 2002/0194478 A1 Dec. 19, 2002

Advantageously, by raising the random parameter h to the random operation hi. Substituting the value of m from step exponent q, everything in the result of the hash function 306, we get g. Thus, if the server has possession of the outside of the Subgroup G is randomized. correct password TL, then the Server can extract the Diffie 0061 AS explained above, a function H from a set S to a Hellman value g from the value of the received parameter set Twill be called a random hash function if the output of m. Thus, the computation in step 316 results in the server H looks random or at least is unpredictable until the function generating the Diffie-Hellman shared secret gy. is computed with an input X in S. Thus, Since H must output 0067 Next, in step 318, the server computes k=H (A, B, Something that looks random in Z*, it should output p+Sec m, u, O, t) where H is another random hash function which bits (where plis the number of bits of p and sec is the must output Sec bits, where Sec is the Security parameter. The Security parameter. The Security parameter may be, for parameter k will be used by the client A, as described below, example, 160. Again, the SHA-1 or the RIPEMD-160 are to authenticate that the Server is in possession of the correct known functions that generally behave this way. password. In Step 320, the Server transmits parameters u and 0062. As in the protocol of FIG. 2, the tuple (A, B, ) is k to the client. used, rather than only the password, in order to ensure that 0068. Upon receipt of parameters u and k, the client it is unique for each client-Server pair. The password alone computes O=lt mod p in Step 322. Since u=g, Lt.-g, is all that is required for heuristic Security, but the client and which is the Diffie-Hellman shared secret. In step 324, the Server names may be used to ensure a formal proof of client computes H. (A, B, m, u, O, t) using its own security. Thus, in accordance with the protocol in FIG. 3, a knowledge of at and tests whether the result is equal to the function of at least the password is combined with the parameter k received from the server in step 320. If they are Diffie-Hellman value g by performing the group operation the Same, then the client has authenticated the Server. If they on the function of at least the password and the Diffie are not the Same, then the client terminates the protocol as Hellman value g. Again, this is an important Step of the the server has not authenticated itself. In step 326, the client protocol as it ensures that the Diffie-Hellman value g may computes k'-H (A, B, m, u, O, IL) which will be used by the only be extracted from the parameterm by Someone who has Server to authenticate the client as described below. In Step knowledge of the password. In step 308, the client transmits 328, the client generates Session key K as K=H (A, B, m, the parameter m to the Server. u, O, t). In step 330, the client transmits k" to the server. 0.063. Upon receipt of the parameter m, the server tests Again, H, and H are random hash functions which must the parameter value in step 310 to ensure that the value is not output Sec bits, where Sec is the Security parameter. 0 mod p. If the value is 0 mod p, the server terminates the 0069. In step 332, the server computes H. (A, B, m, u, protocol because 0 is not in Z*. Otherwise, in step 312, the O, t) using its own knowledge of L and tests whether the server chooses a random value for the index y from Z. In result is equal to the parameter k" received from the client in Step 314, the Server assigns a parameter u to the computed step 330. If they are the same, then the server has authen Diffie-Hellman value g. Next, in step 316, the server ticated the client. If they are not the same, then the Server computes the Diffie-Hellman shared secret g (referred to as terminates the protocol as the client has not authenticated O in this protocol) using the received parameter m as itself. In Step 334, the Server generates Session key K as follows: K=H, (A, B, m, u, O, t). 0070. At this point, both the client and server have ry yr Im authenticated with each other, and both the client and the r = (in))" Server have generated the same Secure Session key K, which may be used for Subsequent Secure communication between the client and the Server. 0064. We will now describe this step in further detail. 0071 AS mentioned above, the communication protocol First, it should be recalled that, as described above, for every of the invention, as illustrated in the context of FIG. 3, group operation, there is an inverse group operation Such reduces the client-side computation by at least a factor of that the inverse group operation on X and y, i.e. two, as compared to the protocol of FIG. 2. This is evident from the following example. ASSume p is a 1024 bit prime, and q is a 160 bit prime. Then, r is 864 bits. Every exponentiation in Z* takes time proportional to the number of bits of the exponent. Then, in the protocol of FIG. 2, where two q-bit exponentiations and one r-bit exponentia tion are performed, the time is proportional to 2* 160+864= 0065) is defined as xy.' Thus, one skilled in the art 1184, while in the protocol of the invention (as illustrated in would recognize that the calculation of FIG.3) where three q-bit exponentiations are performed, the time is proportional to 3* 160=480. Advantageously, this ry yrm value (480) is less than half the value associated with the O = (H. An r) ) odg FIG. 2 protocol (1184). 0072 FIG. 4 illustrates a generalized hardware architec ture of a data network and computer Systems Suitable for 0.066 in step 316 is performing the inverse group opera implementing a password-authenticated key exchange meth tion on m and the function of at least the password, as well odology between two entities A and B according to the as extracting the randomization associated with the client present invention. AS shown, entity A comprises a computer US 2002/0194478 A1 Dec. 19, 2002

System 402, while entity B comprises a computer System Exchange Protocol.” For example, the invention may be 404. The two computer systems 402 and 404 are coupled via employed in accordance with the implicit authentication a data network 406. The data network may be any data approach of the above-reference application, as well as with network acroSS which A and B desire to communicate, e.g., the password verifier approach described therein. Further the Internet. However, the invention is not limited to a more, while certain parameters are used in evaluating the particular type of network. Typically, and as labeled in FIG. hash functions of the communication protocol of the inven 4, A is a client machine and B is a Server machine. However, tion, it is to be understood that not all parameters are this is not required, and A and B are referred to as client and required for heuristic Security. That is, additional parameters Server, respectively, only as an example to show the typical are used to allow the protocol to be formally proven Secure. case. Thus, it is to be understood that the communication For example, in the hash functions used in steps 318, 324, protocol of the present invention is not limited to the case 326, 328,332, and 334, only the parameter O in the function where A and B are client and Server, but instead is applicable may be needed to make the protocol heuristically Secure. to any computing devices comprising A and B. What is claimed is: 0.073 AS would be readily apparent to one of ordinary 1. A method for communication via a data network, skill in the art, the Server and client may be implemented as between two parties that share a password, using a Diffie programmed computerS operating under control of computer Hellman type key exchange on a particular group to generate program code. The computer program code would be stored a shared Secret g’, where g is the group generator known to in a computer readable medium (e.g., a memory) and the both parties and X is an index known to one party and y is code would be executed by a processor of the computer. an index known to the other party, the group having a group Given this disclosure of the invention, one skilled in the art operation and an inverse group operation, the method com could readily produce appropriate computer program code in prising the Steps of order to implement the protocols described herein. one party generating a parameter m by performing the 0.074 Nonetheless, FIG. 4 generally illustrates an exem group operation on g and a function of at least the plary architecture for each computer System communicating password, wherein any portion of a result associated over the network. As shown, the client device comprises I/O with the function that is outside the group is random devices 408-A, processor 410-A, and memory 412-A. The ized, and transmitting m to the other party, whereby the server system comprises I/O devices 408-B, processor 410 other party may perform the inverse group operation on B, and memory 412-B. It should be understood that the term m and the function of at least the password, and remove “processor as used herein is intended to include one or the randomization of any portion of the result associ more processing devices, including a central processing unit ated with the function that is outside the group, to (CPU) or other processing circuitry. Also, the term extract g and calculate the shared Secret g’. “memory” as used herein is intended to include memory 2. The method of claim 1, wherein the particular group, associated with a processor or CPU, such as RAM, ROM, a denoted as G is a Sub-group of a group Z, where p and fixed memory device (e.g., hard drive), or a removable q are prime numberS Such that p equals rq+1 for a value r memory device (e.g., diskette or CDROM). In addition, the co-prime to q, and wherein the Step of randomizing any term “I/O devices” as used herein is intended to include one portion of a result associated with the function that is outside or more input devices (e.g., keyboard, mouse) for inputting the group G is performed by computing a parameter h, data to the processing unit, as well as one or more output randomly selected from the group Z, raising the parameter devices (e.g., CRT display) for providing results associated h to the exponent q and multiplying h by the result asso with the processing unit. Accordingly, Software instructions ciated with the function. or code for performing the methodologies of the invention, 3. The method of claim 1, wherein the one party is a client described herein, may be Stored in one or more of the and the other party is a Server. asSociated memory devices, e.g., ROM, fixed or removable 4. The method of claim 1, further comprising the step of: memory, and, when ready to be utilized, loaded into RAM and executed by the CPU. the one party receiving g from the other party and generating the shared Secret g’. 0075 Although illustrative embodiments of the present 5. The method of claim 4, further comprising the step of: invention have been described herein with reference to the accompanying drawings, it is to be understood that the the one party authenticating the other party by comparing invention is not limited to those precise embodiments, and a received value against a function of at least one of an that various other changes and modifications may be identifier of the one party, an identifier of the other affected therein by one skilled in the art without departing party, m, g, the shared Secret, and the password. from the Scope or Spirit of the invention. For example, while 6. The method of claim 4, further comprising the step of: the teachings of the invention have been illustrated in the the one party transmitting a function of at least one of an context of a communication protocol which provides com identifier of the one party, an identifier of the other putational efficiencies over the communication protocol party, m, g, the shared Secret, and the password, to the described above in FIG. 2, it is to be understood that the other party whereby the other party may authenticate invention may be applied in the context of other communi cation protocols. For example, the randomization operation the one party. of the invention may be employed in accordance with other 7. The method of claim 4 further comprising the step of: protocol embodiments described in the above-referenced the one party generating a Session key as a function of at U.S. patent application identified by Ser. No. 09/638,320, least one of an identifier of the one party, an identifier filed on Aug. 14, 2000 in the name of V. V. Boyko et al. and of the other party, m, g, the shared Secret, and the entitled “Secure Mutual Network Authentication and Key password. US 2002/0194478 A1 Dec. 19, 2002

8. A method for communication via a data network, to authenticate the other party by comparing a received between two parties that share a password, using a Diffie value against a function of at least one of an identifier of the Hellman type key exchange on a particular group to generate one party, an identifier of the other party, m, g, the shared a shared Secret g’, where g is the group generator known to Secret, and the password. both parties and X is an index known to one party and y is 15. The apparatus of claim 13, wherein the at least one an index known to the other party, the group having a group processor associated with the one party is further operative operation and an inverse group operation, the method com to transmit a function of at least one of an identifier of the prising the Steps of one party, an identifier of the other party, m, g, the shared responsive to the one party generating a parameter m by Secret, and the password, to the other party whereby the performing the group operation ong and a function of other party may authenticate the one party. at least the password, wherein any portion of a result 16. The apparatus of claim 13, wherein the at least one asSociated with the function that is outside the group is processor associated with the one party is further operative randomized, and transmitting m to the other party, the to generate a Session key as a function of at least one of an other party performing the inverse group operation on identifier of the one party, an identifier of the other party, m, m and the function of at least the password, removing g, the shared Secret, and the password. the randomization of any portion of the result associ 17. In accordance with a protocol for communication over ated with the function that is outside the group, extract a data network between two parties that share a password, ing g, and calculating the shared Secret g’. using a Diffie-Hellman type key exchange on a particular 9. The method of claim 8, wherein the particular group, group to generate a shared Secret g’, where g is the group denoted as G is a Sub-group of a group Z, where p and generator known to both parties and X is an index known to q are prime numberS Such that p equals rq+1 for a value r one party and y is an index known to the other party, the co-prime to q, and wherein the Step of randomizing any group having a group operation and an inverse group portion of a result associated with the function that is outside operation, apparatus associated with the other party com the group G is performed by computing a parameter h, prising: randomly selected from the group Z, raising the parameter at least one processor operative to, in response to the one h to the exponent q and multiplying h by the result asso party generating a parameter m by performing the ciated with the function. group operation on g and a function of at least the 10. In accordance with a protocol for communication over password, wherein any portion of a result associated a data network between two parties that share a password, with the function that is outside the group is random using a Diffie-Hellman type key exchange on a particular ized, and transmitting m to the other party: (i) perform group to generate a shared Secret g’, where g is the group the inverse group operation on m and the function of at generator known to both parties and X is an index known to least the password; (ii) remove the randomization of one party and y is an index known to the other party, the any portion of the result associated with the function group having a group operation and an inverse group that is outside the group; (iii) extract g; and (iv) operation, apparatus associated with the one party compris calculate the shared Secret g. ing: 18. The apparatus of claim 17, wherein the particular at least one processor operative to: (i) generate a param group, denoted as G, is a Sub-group of a group Z, where eter m by performing the group operation ong and a p and q are prime numberS Such that p equals rq+1 for a function of at least the password, wherein any portion value r co-prime to q, and wherein the Step of randomizing of a result associated with the function that is outside any portion of a result associated with the function that is the group is randomized; and (ii) transmit m to the other outside the group G is performed by computing a param party, whereby the other party may perform the inverse eter h, randomly selected from the group Z, raising the group operation on m and the function of at least the parameter h to the exponent q and multiplying h by the password, and remove the randomization of any por result associated with the function. tion of the result associated with the function that is 19. An article of manufacture for communication via a outside the group, to extract g and calculate the shared data network, between two parties that share a password, secret g’. using a Diffie-Hellman type key exchange on a particular 11. The apparatus of claim 10, wherein the particular group to generate a shared Secret g’, where g is the group group, denoted as G, is a Sub-group of a group Z, where generator known to both parties and X is an index known to p and q are prime numberS Such that p equals rq+1 for a one party and y is an index known to the other party, the value r co-prime to q, and wherein the Step of randomizing group having a group operation and an inverse group any portion of a result associated with the function that is operation, the article comprising a machine readable outside the group G is performed by computing a param medium containing one or more programs which when eter h, randomly selected from the group Z, raising the executed implement the Steps of: parameter h to the exponent q and multiplying h by the one party generating a parameter m by performing the result associated with the function. group operation on g and a function of at least the 12. The apparatus of claim 10, wherein the one party is a password, wherein any portion of a result associated client and the other party is a Server. with the function that is outside the group is random 13. The apparatus of claim 10, wherein the at least one ized, and transmitting m to the other party, whereby the processor associated with the one party is further operative other party may perform the inverse group operation on to receive g from the other party and generate the shared m and the function of at least the password, and remove secret g’. the randomization of any portion of the result associ 14. The apparatus of claim 13, wherein the at least one ated with the function that is outside the group, to processor associated with the one party is further operative extract g and calculate the shared Secret g’. US 2002/0194478 A1 Dec. 19, 2002 9

20. An article of manufacture for communication via a responsive to the one party generating a parameter m by data network, between two parties that share a password, performing the group operation ong and a function of using a Diffie-Hellman type key exchange on a particular at least the password, wherein any portion of a result asSociated with the function that is outside the group is group to generate a shared Secret g’, where g is the group randomized, and transmitting m to the other party, the generator known to both parties and X is an index known to other party performing the inverse group operation on one party and y is an index known to the other party, the m and the function of at least the password, removing group having a group operation and an inverse group the randomization of any portion of the result associ operation, the article comprising a machine readable ated with the function that is outside the group, extract medium containing one or more programs which when ing g, and calculating the shared Secret g’.y executed implement the Steps of: k . . . .