Computer Communications 21 (1998) 853–861
Tutorial

Efficient and secure password-based authentication protocols against guessing attacks

Taekyoung Kwon*, Jooseok Song
Department of Computer Science, Yonsei University, Seoul 120 749, South Korea

Received 6 October 1997; accepted 5 January 1998

Abstract
We propose authentication and key exchange protocols which are both efficient and secure against password guessing attacks. Conventional authentication protocols have assumed that a strong secret should be shared between communicating participants, in the light of the threat of guessing attacks. A cryptographically long secret would be favored for security reasons, but it is not suitable for users to remember. Recent password-based protocols that defeat guessing attacks are more expensive than previous ones in terms of computation and communication costs. Using a one-time pad and a strong one-way hash function, we promote both security and efficiency. We also verify our protocols formally. © 1998 Elsevier Science B.V.

Keywords: Security; Authentication; Key exchange; Cryptographic protocol; Password
* Corresponding author. Tel.: 0082 2361 2714; fax: 0082 2365 2579; e-mail: [email protected]
0140-3664/98/$19.00 © 1998 Elsevier Science B.V. All rights reserved. PII: S0140-3664(98)00153-4

1. Introduction
A cryptographic protocol for authentication and key exchange is necessary for secure communications. Since such a protocol is the initial step in setting up a communication session, it is essential to the overall security of the communication. Most of the important properties of the protocol do not depend upon the underlying cryptographic algorithms, but rather upon the structure of the messages exchanged [7]. Therefore, the protocol must be designed carefully.

In recent years, a variety of protocols for authentication and key distribution have been proposed and applied to many communication systems. The Needham–Schroeder protocol is the landmark protocol which uses encryption to achieve authenticated communications [16], and it has been followed by a great number of other protocols [3,17]. Their security is based on a pre-shared secret value. Therefore, they have assumed that a cryptographically large or random secret should be shared between communicating participants. But, in most systems, a secret chosen by the user, i.e. a password, is utilized for authentication. As a result, conventional protocols are vulnerable to guessing attacks when utilizing a user-chosen password as a shared secret, because users choose an easy-to-remember password on alphabetic keyboards or numeric keypads [10]. Guessing attacks are surprisingly successful since attackers iterate through a relatively small key space to find the correct password [6,15]. Since the LGSN protocol was introduced [13], several protocols have been proposed to defeat those attacks; they are called password-based protocols. But they are more expensive, in terms of computation and communication costs, than conventional protocols [11,12]. The overheads needed to defeat guessing attacks have made these protocols expensive, but reducing them can cause another vulnerability [5,19,20].

In an earlier paper [12], we proposed new protocols by which guessing attacks are defeated efficiently, and concentrated on their basic design and applications. They were applied to the ISDN and WWW models. But a formal proof was excluded and the efficiency comparison was insufficient in that work. In this paper, we develop the new protocols further and then provide a formal analysis and an efficiency comparison. Since our protocols are both efficient and secure against password guessing attacks, they can be called efficient password-based protocols.

In Section 2, we summarize the notation that will be used and clearly describe password guessing attacks. In Section 3, we describe our basic idea more distinctly than in the previous paper, and then give protocols similar to those in the previous work, but at a more advanced level. In Section 4, we verify our protocols using GNY logic and show how they are resistant to guessing attacks. We also make a clear comparison between our protocols and other secure password-based protocols with regard to efficiency. Section 5 concludes this paper.
2. Password guessing attacks

2.1. Summary of notation
A and B are the principals of communicating participants, and S is the principal of a trusted center or server. A′ is the principal of an attacker. nxi means the ith nonce value of principal X. For instance, na1 is the first nonce value of A and ns is a unique nonce value of S. PA is a weak secret chosen by A, and KA and KS are the public keys of A and S, respectively. K denotes a new session key. {M}K means that a message M is encrypted under the key K, and h(M) is the hashed result of a message M. f(M) is a pre-defined simple function and |X| denotes the bit-wise length of X. For example, f(M) is M + 1 [16]. FA is a certain partial bit stream of the message sent by A [12]. ⊕ and the comma represent the XOR operator and concatenation, respectively. Finally, A → B : X denotes that A sends a message X to B.

We can also assume the bit-wise lengths of the major factors as follows. It is common to use an eight-character password for authentication. Thus, we assume that the bit-wise length of PA is 64 bits. Moreover, the size of a random number such as na1 is equal to that of a session key K in our protocol. The size of the random number is 64 or 128 bits, since the size of the encryption key in conventional cryptosystems is 64 or 128 bits. A partial bit stream FA is assumed to be 64 bits long. Finally, a hashed value h(M) could be 128, 160 or 64 bits long, since MD5 (message digest 5), SHA (secure hash algorithm) and DES (data encryption standard) variants are used world-wide for the purpose.

2.2. Defining password guessing attacks
Authentication protocols which utilize weak secrets such as passwords or PINs are vulnerable to guessing attacks. Guessing attacks on cryptographic protocols are performed by means of known-plaintext attacks or verifiable-text attacks, and they exploit the fact that the weak secret is usually chosen from a relatively small space [6,8,13]. While vulnerabilities to known-plaintext attacks are quite easy to detect and correct, verifiable-text attacks are much more difficult to notice and avoid [13,20]. We can classify guessing attacks into several types. An adversary composes a set of guessed passwords and then performs any of the following kinds of attacks, or a combination of several of them.

2.2.1. Plain off-line attacks
An adversary records eavesdropped messages and then iteratively verifies his or her guess off-line [8,13]. Since other participants are not involved in the verification, this attack cannot be detected readily. Thus, the only way to defeat it is to enlarge the entropy available for guessing passwords. Messages should be designed carefully by encapsulating some random numbers for the purpose [10,13].

2.2.2. Advanced off-line attacks (with disclosed information)
An adversary prepares for his or her verification as above. The difference is that some additional disclosed information may be available to the adversary in this attack. For example, a compromised session key can be used for the off-line verification [3,13]. Therefore, this attack is more powerful than the plain off-line attack.

2.2.3. On-line attacks (with impersonation)
An adversary makes a bogus message using a guessed password and then sends it to a counterpart. That is, the adversary impersonates the targeted principal. He or she iterates this attack until the bogus message is accepted as a correct one. Since other participants take part in his or her verification, this attack can be defeated through a fail-stop protocol design, whereby a failed guess is detected and logged. Message authenticity should be provided in the fail-stop protocol [5,11].

2.2.4. On-line attacks (with message replay)
An adversary replays an eavesdropped message and then expects to succeed in authentication on-line. Ding and Horster [5] described that a capability to check the freshness or authenticity of request messages could prevent this attack.

2.3. Overcoming password guessing attacks
Theoretically, a bit-wise length |PA| allows 2^|PA| different passwords. But, in practice, the 2^|PA| space is reduced considerably because users choose passwords from an easily remembered word space using an alphabetic keyboard or a numeric keypad. Therefore, the weak secret PA cannot avoid being redundant. That is, PA is chosen from a space smaller than 2^|PA|. In other words, the entropy of PA cannot be as high as intended. By defining |G(PA)| as the bit-wise length needed to represent all of the practical PA without any bit redundancy, we can say that PA is chosen from a 2^|G(PA)| space, which is distinctly smaller than 2^|PA|. Therefore, the weak password PA can be guessed with 2^|G(PA)| complexity. So, to overcome this, we should make the complexity of guessing notably larger than 2^|G(PA)|, for example at least 2^|PA|. In other related work, sufficiently random numbers have been added to protocol messages, for example a confounder [13]. We are convinced that the use of additional random numbers is inevitable for enlarging the complexity. However, we should never forget that additional factors in a cryptographic protocol could make the protocol more expensive than previous ones. Thus, we define protocol overheads as computation costs, which increase with the number of cryptographic values, i.e. random numbers, or cryptographic operations, and communication costs, which increase with the size of messages or the number of protocol steps. The overheads should be minimized deliberately in designing a password-based authentication protocol.

3. Designing a K1 protocol (K1P)

3.1. The basic idea of K1P
We described our password-based authentication protocol K1P (k-won protocol) in the earlier paper [12]. The basic idea of K1P is so simple that security and efficiency are promoted just by using a one-time pad and a strong one-way hash function. The one-time pad is used to encrypt a new session key securely, and the hash function provides integrity.

3.1.1. Basic authentication statement
We first propose a basic statement for authentication:

na1 ⊕ na2, h(PA ⊕ na1, na2)   (1)

The statement is composed of two sufficiently large random numbers and a weak secret, PA. The two random numbers, na1 and na2, are XORed, and a hash value is computed from the masked PA and na2. Since the random numbers are well chosen by the system, they are not guessable. As we can see, only those who know na1, na2 and PA can construct and verify the statement. To analyze the statement, either of the random numbers must be disclosed, and this can be done with 2^|na1| complexity. But, since 2^|na1| is sufficiently larger than 2^|G(PA)|, we can state that nobody can guess and verify PA without knowing either na1 or na2 in the basic authentication statement. Provided that all the participants are able to possess the same random numbers, it is possible to make password-based authentication secure. Using the above basic statement, we design our protocol.

3.1.2. Authentication and key distribution statement
Next, we introduce an abstract statement for authentication and key distribution:

One-time_Pad ⊕ Session_Key, h(Password, Session_Key, Nonce)   (2)

In other related protocols, a weak secret has been used as a cryptographic key for authentication and key exchange. But this has required a large number of random numbers, cryptographic operations and protocol steps to counter guessing attacks. In our statement, the one-time pad, which is the only cryptosystem that achieves perfect secrecy because the ciphertext yields no information about the plaintext except its length [18], is used for encrypting a session key, and the weak secret hides behind the one-way hash function. The hash function ensures the integrity, authenticity and freshness of the session key. Using the basic authentication statement, we can construct a concrete authentication and key distribution statement:

na1 ⊕ na2 ⊕ K, h(PA ⊕ na1, K, na2)   (3)

The two random numbers, na1 and na2, are XORed and then used as a one-time pad as well as a nonce value. The weak secret PA is masked by the random number na1 before being input into the hash function. The necessary operations are just XOR and hashing, as in the basic statement. Two random numbers are utilized, as in the basic statement, in order to defeat Denning–Sacco style attacks, which are attempted with a compromised session key. In spite of the disclosure of K, nobody can verify PA without knowing either na1 or na2, as in the basic statement. Both na1 and na2 must have the same bit-wise length as K. We know that the length of a well-chosen conventional encryption key is sufficiently long to defeat a brute-force attack. Therefore, to verify a guessed PA in the basic authentication statement, it is necessary to disclose na1 and na2, with 2^|na1| × 2^|na2| complexity without knowing K and with 2^|na1| complexity with knowledge of K. Since 2^|na1| is sufficiently larger than 2^|G(PA)|, PA is also not guessable in the statement.

3.1.3. Variation using a one-time key
Using the hash value h(PA ⊕ na1, na2) as a one-time key, we can reduce the size of the basic statement (Eq. (1)):

{na1}h(PA ⊕ na1, na2)   (4)

Since the hash value has sufficient randomness, it is also secure to use the value as a temporary key for authentication. The length of the statement can be reduced, but on the other hand one more cipher operation is added. The hash value can be used as a key-encryption key for key distribution as well as for authentication:

{na1, K}h(PA ⊕ na1, na2)   (5)

To verify the guessed weak secret indicated above, it is necessary to compute with 2^|na1| × 2^|na2| complexity even when the session key is known. A more distinctive difference in Eq. (5) is that it is not necessary to preserve the condition of one-time padding. Therefore, the sizes of na1 and K need not be equal, at the cost of some efficiency.

3.1.4. Discussion
In this subsection, we have assumed that two random numbers, na1 and na2, should be possessed by each participant for secure password-based authentication. But, for practical possession, the random numbers must be shared securely among the participants. As in the other password-based protocols, we use a public key cryptosystem to share the random numbers [10]. To prevent a replay attack, a challenge–response operation should also be added. In the following subsections, we propose full-scale protocols based on the statements given earlier.

3.2. Two-party K1P
We propose a direct authentication protocol called a
two-party K1P:

1: A → S : A, {na1, na2, PA ⊕ na1}KS
2: S → A : na1 ⊕ na2 ⊕ K, h(PA ⊕ na1, K, na2)
3: A → S : h(PA ⊕ na2, K, na1)   (6)

In step 1, after generating two random numbers na1 and na2 and masking the password PA with na1, A encrypts them under the public key of S and then sends message 1. After decrypting message 1, S can authenticate A by XORing na1 with PA ⊕ na1 and comparing the result with A's password stored in a secure database. If A is correctly authenticated, S makes a one-time pad by XORing na1 with na2 and then generates a new session key K. In step 2, S encrypts K by one-time padding and replies with message 2. A decrypts K using na1 and na2, and then computes the hash value. A compares the result with the rear part of message 2. If the two hash values match, A is able to confirm the integrity, freshness and authenticity of the new session key, and thereby A can believe that S has authenticated him or her correctly. Moreover, A can authenticate S through S's public key, since from the result of message 2 A can believe that S must have decrypted message 1 correctly. In step 3, after computing a new hash value in which the locations of na1 and na2 are exchanged, A replies with message 3. By performing the same computation and then comparing the result with message 3, S is able to believe that A has accepted K and that no replay attack has been launched. In other words, the hash values of messages 2 and 3 are utilized for a challenge–response operation. Only after a normal termination of all steps are the authentication of A and the session key valid. This is based on the fail-stop concept, in which any abnormal termination nullifies authentication and key distribution. For example, a simple replay of an old message 1 is meaningless, because an abnormal termination is inevitable owing to the fact that an adversary who does not know the correct PA cannot create a new message 3. This concept defeats the replay attack.

3.3. Variants of two-party K1P
In this subsection, we propose two variants of the two-party K1P. One is a mutual key agreement protocol and the other is a client's public key protocol.

3.3.1. Mutual key agreement K1P
This protocol allows both A and S to participate in generating a new session key:

1: A → S : A, {na, PA ⊕ na}KS
2: S → A : na ⊕ ns, h(PA ⊕ na, ns)
3: A → S : h(PA ⊕ ns, K, na)   (7)

(a) K = k(h(na, ns))
(b) K = k(g^xy mod n)   (na = g^x mod n, ns = g^y mod n)

Both A and S generate their own random numbers to be used for key generation. The basic structure of the protocol is similar to that of the two-party K1P. For key generation, either a hash function as in (a) or the Diffie–Hellman method [4], based on the discrete logarithm problem, as in (b) can be used. A function k() conforms a generated key to the corresponding cryptosystem.

3.3.2. Client's public key K1P
This protocol utilizes a public key of A chosen at random for a certain session rather than a semi-permanent key of S:

1: A → S : A, {KA}PA
2: S → A : {ns, K, PA ⊕ ns}KA
3: A → S : h(PA ⊕ ns, K, ns)   (8)

In step 1, A chooses a public key–private key pair at random and then encrypts the public key under the weak secret PA. S decrypts message 1 sent from A and obtains the public key of A. The public key is not verifiable because it is chosen at random. In step 2, after choosing a random number ns and the new session key, S masks the password of A with ns and then encrypts them all under A's public key. Still in this step, S cannot confirm the validity of KA and the authenticity of A, but they are confirmed in the following step. After decrypting message 2 sent from S, A gets the new session key and then XORs ns with PA ⊕ ns. If PA is correctly recovered, A can believe the integrity, freshness and authenticity of K, as well as the fact that a session with S is being set up. In step 3, A computes the hash value and sends it to S. S also computes the same hash value and compares it with message 3. If they match, S can authenticate A.

3.4. Three-way K1P
We propose a mutual three-way authentication protocol called a three-way K1P:

1: A → B : {A, B, na1, na2, PA ⊕ na1}KS
2: B → S : {A, B, na1, na2, PA ⊕ na1}KS, {B, A, nb1, nb2, PB ⊕ nb1}KS
3: S → B : {na1, K}k(h(PA ⊕ na1, na2, A ⊕ B)), {nb1, K}k(h(PB ⊕ nb1, nb2, A ⊕ B))
4: B → A : {na1, K}k(h(PA ⊕ na1, na2, A ⊕ B)), {f(FA), nb1 ⊕ nb2}K
5: A → B : {f(nb1 ⊕ nb2)}K   (9)

In step 1, A generates two random numbers and constructs a message as in the two-party K1P. The identifiers of A and B are included in the encrypted message to establish who the valid participants are. A calls B by sending message 1. In step 2, B, called by A, constructs a similar message and then sends both to S, who will authenticate each participant and generate a new session key. After decrypting message 2, S can authenticate both A and B as in the two-party K1P, and also believes that they are the valid participants. In step 3, S generates a new session key and then generates messages as in Eq. (5). The reason for applying Eq. (5) instead of Eq. (3) is that a challenge–response operation cannot be provided between each party and S in this protocol flow, i.e. the Otway–Rees protocol style [17]. Such a challenge–response operation was useful for countering the replay attack in the two-party K1P. To defeat the replay of an old message, Eq. (5) is applied to this protocol. k() is a function for conforming the key size. The XORed identifier A ⊕ B is included in the hash input to ensure that S has authenticated each participant correctly. S sends message 3 to B, who decrypts it and obtains the new authenticated session key. In step 4, B selects a partial bit stream FA from message 1. As already mentioned in Section 2.1, FA is a bit stream extracted from a message at certain defined locations. Since message 1 has been encrypted for the corresponding session and has sufficient randomness, the partial bit stream of the message can be used as a nonce. B XORs nb1 with nb2 and then uses the result as a nonce value for the corresponding session. These are used as nonces between A and B. B encrypts the simply computed FA together with nb1 ⊕ nb2 under the new session key as a challenge message. B sends message 4 to A. S's message for A is sent through B in this step. A gets the new session key as well and confirms whether B has accepted the key. By confirming FA in message 4, A can believe that a fresh new session with B is set up. In step 5, A encrypts the simply computed nonce of B under the new session key and then sends it to B as a response message. By confirming the nonce value nb1 ⊕ nb2, B can also believe that a fresh new session with A is set up.
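The two-party K1P of Eq. (6) carried through in code, as an added example that is not part of the original paper; it also shows the pad disclosure of Eq. (10) and the replay case of Section 4.1.5 from the server's side. Assumptions of this example: 64-bit values throughout, SHA-1 as h(), a constructed fail-stop threshold of three failures, and the public-key encryption of message 1 abstracted away (S receives the tuple it would recover with its private key).

```python
import hashlib
import secrets

LEN = 8            # bytes: |PA| = |na1| = |na2| = |K| = 64 bits, the sizes assumed in Section 2.1
MAX_FAILURES = 3   # fail-stop threshold; constructed for this example, the paper fixes no number


def xor(a: bytes, b: bytes) -> bytes:
    """Bit-wise XOR of equal-length byte strings (the paper's ⊕)."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def h(*parts: bytes) -> bytes:
    """h(M1, M2, ...): one-way hash of the concatenation (SHA-1, 160 bits, one size listed in Section 2.1)."""
    return hashlib.sha1(b"".join(parts)).digest()


def password_bytes(pw: str) -> bytes:
    """Encode an eight-character password as the 64-bit PA."""
    return pw.encode("ascii").ljust(LEN, b"\0")[:LEN]


class Server:
    """Principal S.  The public-key layer of message 1 is abstracted: step2() receives the tuple S would
    obtain after decrypting {na1, na2, PA ⊕ na1}KS with its private key (an assumption of this example)."""

    def __init__(self, db):
        self.db = db              # A -> PA, the secure password database of Section 3.2
        self.failures = {}        # failed guesses per client, for the fail-stop design of Section 2.2.3
        self.pending = {}         # A -> (na1, na2, K) while message 3 is outstanding
        self.established = {}     # A -> K, set only once message 3 has verified

    def step2(self, msg1):
        name, na1, na2, masked = msg1
        if self.failures.get(name, 0) >= MAX_FAILURES:
            return None                                  # fail-stop: too many failed guesses
        pa = self.db[name]
        if xor(masked, na1) != pa:                       # authenticate A by unmasking PA ⊕ na1
            self.failures[name] = self.failures.get(name, 0) + 1
            return None
        K = secrets.token_bytes(LEN)                     # new session key
        self.pending[name] = (na1, na2, K)
        pad = xor(na1, na2)                              # one-time pad
        return xor(pad, K), h(xor(pa, na1), K, na2)      # message 2

    def step3(self, name, tag):
        na1, na2, K = self.pending.pop(name)
        if tag == h(xor(self.db[name], na2), K, na1):    # na1 and na2 exchange places
            self.established[name] = K
            return True
        self.failures[name] = self.failures.get(name, 0) + 1   # abnormal termination nullifies K
        return False


class Client:
    """Principal A."""

    def __init__(self, name, pw):
        self.name, self.pa, self.K = name, password_bytes(pw), None

    def step1(self):
        self.na1, self.na2 = secrets.token_bytes(LEN), secrets.token_bytes(LEN)
        return (self.name, self.na1, self.na2, xor(self.pa, self.na1))   # would travel under +KS

    def step3(self, msg2):
        c, tag = msg2
        K = xor(xor(self.na1, self.na2), c)              # remove the one-time pad
        if tag != h(xor(self.pa, self.na1), K, self.na2):
            return None                                  # integrity/freshness check failed
        self.K = K
        return h(xor(self.pa, self.na2), K, self.na1)    # message 3


def run_two_party_k1p(client, server):
    """One run of Eq. (6); True iff both sides finish with the same established K."""
    msg2 = server.step2(client.step1())
    if msg2 is None:
        return False
    msg3 = client.step3(msg2)
    if msg3 is None or not server.step3(client.name, msg3):
        return False
    return server.established[client.name] == client.K


def pad_from_compromised_key(msg2, old_key):
    """Eq. (10): (na1 ⊕ na2 ⊕ K) ⊕ K' = na1 ⊕ na2 when K' = K.  The pad reveals neither na1 nor na2
    on its own, so a guessed PA still cannot be checked against h(PA ⊕ na1, K, na2)."""
    return xor(msg2[0], old_key)


def replay_is_stopped(server, old_msg1, old_pad):
    """Section 4.1.5: replaying old message 1 with the old pad yields the new K from message 2, but
    without PA, na1 and na2 message 3 cannot be formed, so S never establishes the session."""
    name = old_msg1[0]
    msg2 = server.step2(old_msg1)                        # S cannot tell the replay from a fresh message 1
    new_K = xor(old_pad, msg2[0])                        # the replayer does learn the new K ...
    accepted = server.step3(name, secrets.token_bytes(20))   # ... but can only guess the 160-bit tag
    return (not accepted) and server.established.get(name) != new_K
```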
4. Analysis of proposed protocols
Analysis methods for cryptographic protocols are classified into four classes: specification language verification, expert system modeling, formal logic modeling and algebraic system modeling [14]. Among them, BAN-like logics have become the most widely used formal method in the analysis of cryptographic protocols, despite their well-known limitations such as a lack of well-defined semantics [2]. We decided to utilize GNY logic, which includes over fifty rules that extend BAN logic and supply new features [9]. Though GNY's complex rules may seem impractical, they make the protocol easy to understand once it has been analyzed. However, since the logic model is not helpful in describing guessing attacks and overheads, we use empirical descriptions to verify them. Therefore, we perform guessing attacks on our protocols as described in Section 2.2 and then utilize GNY logic for formal analysis. Efficiency comparisons of our protocols with other related ones are handled in the final subsection.

4.1. Guessing attacks on two-party K1P

4.1.1. Plain off-line attacks
An adversary who has prepared to mount this attack as shown in Section 2.2.1 can try to verify all messages in each protocol, i.e. Eqs. (6)–(8). The adversary has to reconstruct messages using the guessed password and then compare them with the eavesdropped messages for verification. However, each message, except message 1 of Eq. (8), contains two well-chosen random numbers which are unverifiable. Therefore, the adversary cannot draw a comparison with less than 2^|na1| × 2^|na2| complexity. In message 1 of Eq. (8), a randomly chosen public key is encrypted under the password. Although the adversary can decrypt the message with the guessed password, he or she cannot verify it, because it is infeasible to reconstruct message 2 of Eq. (8) under the uncertain key. As a result, the adversary has to search a space which is considerably larger than the password space, and the plain off-line guessing attack is impossible.

4.1.2. Advanced off-line attacks
We use the notation K′ to indicate an old compromised key. In Eq. (6) it is inevitable that the old one-time pad is also divulged by disclosure of the session key, since K = K′:

(na1 ⊕ na2 ⊕ K) ⊕ K′ = na1 ⊕ na2   (10)

But an adversary cannot obtain either na1 or na2 from the one-time pad without 2^|na1| complexity. In Eq. (7) the compromised key is also not helpful in finding the two random numbers, by the one-way property. In Eq. (8) the adversary cannot reconstruct messages without 2^|ns| complexity. As in the attack above, the adversary still has to search a large space.

4.1.3. On-line attacks (with impersonation)
In Eq. (6) an adversary generates two random numbers and then encrypts them with the guessed password under S's public key. Owing to the fail-stop protocol design concept, if the guessed password is not correct, S can detect the failures and then stop the protocol after a certain number of failed guesses. As a result, the adversary cannot iterate to verify the guessed password on-line. Therefore, an on-line guessing attack is infeasible. Eq. (7) is similar to Eq. (6). In Eq. (8), although the adversary can proceed to step 2 without being detected, he or she must be detected in step 3 if the guessed password is not correct.

4.1.4. On-line attacks (with message replay)
An adversary can replay message 1 without being detected by S in step 1. But, in Eqs. (6)–(8), he or she cannot reply with message 3, because message 3 should contain the new session key and the correct password. Therefore, the adversary cannot cheat the server S.

4.1.5. Combination of attacks
Though it is possible to combine several kinds of attacks, our protocols are secure against them. First, on-line attacks are not helpful in mounting the off-line attacks, because the two random numbers are not disclosed to the adversary. Second, the adversary can try to proceed further by combining the advanced off-line attack and the replay attack. That is, the adversary who has discovered the old one-time pad as described in Eq. (10) may get a new session key in step 2 of Eq. (6) by replaying the old message 1, but it is infeasible to construct message 3 because the adversary cannot find the two random numbers.

4.2. Guessing attacks on three-way K1P

4.2.1. Plain off-line attacks
As in the two-party K1P, large operations of 2^|na1| × 2^|na2| complexity are required for verifying the guessed password. Therefore, this attack is infeasible.

4.2.2. Advanced off-line attacks
As in the two-party K1P, an adversary is able to find only na1 ⊕ na2 and nb1 ⊕ nb2 using K. It requires 2^|na1| operations to find the correct random numbers. As we assumed, this is a large space to search.

4.2.3. On-line attacks (with impersonation)
An adversary can try to impersonate either A or B in Eq. (9). But, as in the two-party K1P, S can detect the failures and then stop the protocol after a certain number of failed guesses if the guessed password is not correct. Therefore, an on-line guessing attack is infeasible.

4.2.4. On-line attacks (with message replay)
An adversary can replay message 1 or 2 to mount this attack without being detected. But there is no way to decrypt message 3 or 4. Thus, it is infeasible to cheat the server S on-line.

4.2.5. Combination of attacks
First, on-line attacks are not helpful in mounting the off-line attacks, as in the two-party K1P. Second, it is also possible for the adversary to proceed by combining the advanced off-line attack and the replay attack, but the adversary cannot find a new session key as in Eq. (6), because the one-time pad is not used. If the three-way K1P utilized Eq. (3) instead of Eq. (5), the adversary could make a deceitful session with either of the participants as follows:

…
3: S → B : na1 ⊕ na2 ⊕ K, h(PA ⊕ na1, K, na2), nb1 ⊕ nb2 ⊕ K, h(PB ⊕ nb1, K, nb2)
4: B → A′ : na1 ⊕ na2 ⊕ K, h(PA ⊕ na1, K, na2), {f(FA), nb1 ⊕ nb2}K
4′: A′ : (na1 ⊕ na2 ⊕ K) ⊕ (na1 ⊕ na2) = K
5: A′ → B : {f(nb1 ⊕ nb2)}K

By replaying message 1, the adversary A′, who has found the old one-time pad, can get a new session key and then pretend to be A in the example above. But this attack is infeasible in the three-way K1P because message 3 is encrypted under the conventional cryptosystem. Therefore, things are just the same as in the two-party K1P.

4.3. Formal logic verification of K1P
We verify the two-party K1P through GNY logic. We show the verification process without any explanation of the rules and notation. Readers may refer to Ref. [9] for details.

4.3.1. Idealized protocol and assumptions
Each message of K1P (Eq. (6)) should be presented in an idealized form through GNY's parser algorithm:

1: S ◁ *A, *{*na1, *na2, *(*<PA> ⊕ *na1)}+KS ⇝ A |≡ A ↔(PA) S
2: A ◁ *(na1 ⊕ na2 ⊕ *K) ⇝ S |≡ A ↔(K) S, *H(<PA> ⊕ na1, K, na2) ⇝ S |≡ A ↔(K) S
3: S ◁ *H(<PA> ⊕ na2, K, na1) ⇝ A |≡ A ↔(K) S   (11)

A weak secret PA used for identification purposes is denoted <PA> for applying GNY's message interpretation rules. We assume that the following holds at the very beginning of the protocol run:

A ∋ PA, A ∋ na1, A ∋ na2
A |≡ φ(PA), A |≡ φ(na1), A |≡ φ(na2)
A |≡ #(PA), A |≡ #(na1), A |≡ #(na2)
A |≡ A ↔(PA) S, A |≡ S ⇒ S |≡ *, A |≡ S ⇒ A ↔(K) S

A possesses his or her own password and believes it is a secret shared with S. A also owns new random numbers and believes their freshness and recognizability. The jurisdiction of S over a new session key is also believed by A.

S ∋ PA, S ∋ −KS, S ∋ K, S |≡ A ↔(K) S
S |≡ φ(PA), S |≡ φ(K), S |≡ #(PA), S |≡ #(K)
S |≡ #(S), S |≡ +KS → S, S |≡ A ↔(PA) S, S |≡ A ⇒ A |≡ *

S believes that he or she shares A's password and that K is a suitable key. The fact that S already has K and believes its validity might be included in the final results of the protocol analysis.

A ∋ (na1 ⊕ na2), A ∋ (PA ⊕ na1)
A |≡ φ(na1 ⊕ na2), A |≡ φ(PA ⊕ na1)
A |≡ #(na1 ⊕ na2), A |≡ #(PA ⊕ na1)

A possesses a one-time pad and a masked password for the corresponding session and believes their freshness and recognizability.

4.3.2. Applying GNY rules
On the assumptions above, we apply the GNY rules to the idealized protocol. Each verification step is described sequentially.

4.3.2.1. Message 1. Applying being-told rule (T1), possession rules (P1, P3, P8) and assumption (S ∋ −KS), we obtain:

S ∋ na1,   (12)
S ∋ na2,   (13)
S ∋ PA ⊕ na1.

Applying recognizability rule (R1) and assumption (S |≡ φ(PA)) we can deduce:

S |≡ φ(na1, na2, PA ⊕ na1).

Applying being-told rule (T1), message interpretation rule (I2) and assumptions (S ∋ −KS, S ∋ PA, S |≡ #(S), S |≡ +KS → S and S |≡ A ↔(PA) S), we obtain:

S |≡ A |~ (na1, na2, <PA> ⊕ na1),
S |≡ A |~ {na1, na2, <PA> ⊕ na1}+KS.

That is, A is authenticated and message 1 is recognized by S.

4.3.2.2. Message 2. Applying being-told rule (T1), possession rules (P1, P3, P5) and assumption (A ∋ (na1 ⊕ na2)), we can obtain:

A ∋ K.   (14)

Applying recognizability rule (R1) and assumption (A |≡ φ(na1 ⊕ na2)), possession rules (P2, P4), Eq. (14) and assumptions (A ∋ (PA ⊕ na1), A ∋ na2), we can get:

A ∋ (PA ⊕ na1, K, na2),
A ∋ H(PA ⊕ na1, K, na2).   (15)

Applying recognizability rule (R1) and assumptions (A |≡ φ(PA ⊕ na1), A |≡ φ(na2)), recognizability rule (R5), Eq. (15), freshness rule (F1) and assumptions (A |≡ #(PA ⊕ na1), A |≡ #(na2)), we can get:

A |≡ #(PA ⊕ na1, K, na2).   (16)

Applying freshness rule (F10) and Eq. (15) we obtain:

A |≡ #(H(PA ⊕ na1, K, na2)).   (17)

Applying message interpretation rule (I3), assumption (A |≡ A ↔(PA) S) and Eqs. (15) and (16), we can deduce:

A |≡ S |~ (<PA> ⊕ na1, K, na2),
A |≡ S |~ H(<PA> ⊕ na1, K, na2).

Applying jurisdiction rule (J2), assumption (A |≡ S ⇒ S |≡ *), Eq. (17), jurisdiction rule (J3) and assumption (A |≡ S ⇒ S |≡ *), we can get:

A |≡ S |≡ A ↔(K) S.

Applying jurisdiction rule (J1) and assumption (A |≡ S ⇒ A ↔(K) S) we obtain:

A |≡ A ↔(K) S.

4.3.2.3. Message 3. Applying being-told rule (T1), possession rules (P1, P2), assumption (S ∋ PA), Eq. (13), possession rules (P2, P4), assumption (S ∋ K) and Eq. (12), we obtain:

S ∋ (PA ⊕ na2, K, na1),
S ∋ H(PA ⊕ na2, K, na1).   (18)

Applying recognizability rule (R1), assumption (S |≡ φ(K)), recognizability rule (R5), Eq. (18), freshness rule (F1) and assumption (S |≡ #(K)), we can deduce:

S |≡ #(PA ⊕ na2, K, na1).   (19)

Applying freshness rule (F10) and Eq. (18) we obtain:

S |≡ #(H(PA ⊕ na2, K, na1)).   (20)

Applying message interpretation rule (I3), assumption (S |≡ A ↔(PA) S) and Eqs. (18) and (19), we can obtain:

S |≡ A |~ (<PA> ⊕ na2, K, na1),
S |≡ A |~ H(<PA> ⊕ na2, K, na1).

Applying jurisdiction rule (J2), assumption (S |≡ A ⇒ A |≡ *), Eq. (20), jurisdiction rule (J3) and assumption (S |≡ A ⇒ A |≡ *), we finally obtain:

S |≡ A |≡ A ↔(K) S.

4.3.3. Verification result
We have underlined the important results given earlier, and they are summarized as follows:

S ∋ K, S |≡ A ↔(K) S, S |≡ A |≡ A ↔(K) S
A ∋ K, A |≡ A ↔(K) S, A |≡ S |≡ A ↔(K) S

Since S generates K, it is clear that S possesses and believes K. A also possesses and believes K through the protocol. S and A each ensure that the other believes K. That is, A and S share the authenticated key K, and A is authenticated using the shared secret PA.

Table 1. Efficiency comparisons of password-based protocols
(Random numbers are counted per principal; cryptographic operations are counted per link as public key / conventional / hash.)

(a) Two-party protocols
Protocol                    Steps   Random numbers        Cryptographic operations
Two-party K1P               3       A: 2, S: 0            A–S: 1 / 0 / 2
Client's public key K1P     3       A: 0, S: 1            A–S: 1 / 1 / 1
Strengthened EKE [1]        5       A: 2, S: 2            A–S: 1 / 3 / 2
GLNS nonce direct [10]      5       A: 1, S: 4            A–S: 1 / 5 / 0
Gong's optimal [11]         3       A: 1, S: 2            A–S: 1 / 3 / 0

(b) Three-way protocols
Protocol                    Steps   Random numbers        Cryptographic operations
Three-way K1P               5       A: 2, B: 2, S: 0      A–S: 1 / 1 / 1; B–S: 1 / 1 / 1; A–B: 0 / 2 / 0
GLNS nonce [10]             7       A: 4, B: 4, S: 1      A–S: 1 / 2 / 0; B–S: 1 / 2 / 0; A–B: 0 / 2 / 0
Gong's optimal [11]         5       A: 5, B: 5, S: 0      A–S: 1 / 2 / 0; B–S: 1 / 2 / 0; A–B: 0 / 2 / 0

4.4. Comparisons of efficiency
As we have mentioned so far, most of the classical protocols are vulnerable to password guessing attacks. Some efficient protocols which are resistant to off-line guessing attacks [11,19,20] were found to be vulnerable to undetectable guessing attacks [5], but ours are secure against them. Thus, they are not points to be considered in our comparison. We compare our protocols, in terms of
efficiency, only with other related protocols which are as secure as ours. As shown in Table 1(a), K1Ps are more efficient than strengthened EKE [1], GLNS nonce direct protocol [10] and Gong’s optimal protocol [11], with regard to the number of protocol steps, random numbers, or cryptographic operations. Strengthened EKE is an enhanced version of the original EKE to defeat Denning–Sacco attack. Gong’s optimal protocol is a revised version of GLNS nonce direct protocol to reduce the number of protocol steps. As shown in Table 1(b), three-way K1P is also more efficient than GLNS nonce protocol and Gong’s optimal protocol.
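The following Python model is an added illustration, not code from the paper, of the three messages in the form the idealized protocol above gives them: message 1 carries $n_{a1}$, $n_{a2}$ and the masked password $P_A \oplus n_{a1}$ to S, message 2 returns K together with $H(P_A \oplus n_{a1}, K, n_{a2})$, and message 3 is $H(P_A \oplus n_{a2}, K, n_{a1})$. Everything the paper leaves unspecified here is an assumption: SHA-256 stands in for the strong one-way hash H, all fields are 32 bytes, the text password is stretched to 32 bytes so that the XOR masks are defined, K is assumed to travel under the one-time pad $n_{a1} \oplus n_{a2}$ that A is said to possess, and the public-key encryption of message 1 under $+K_S$ is modelled by handing the plaintext to S (its confidentiality is an assumption of the analysis, not something this code provides). The checks each side performs correspond to the beliefs derived in Section 4.3.2.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

N = 32  # byte length of nonces, keys and the stretched password (assumption)


def H(*parts: bytes) -> bytes:
    """One-way hash over fixed-length fields; fixed lengths keep the join unambiguous."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR: the one-time pad and the password mask of the protocol."""
    if len(a) != N or len(b) != N:
        raise ValueError("fields must be N bytes")
    return bytes(x ^ y for x, y in zip(a, b))


def stretch(password: str) -> bytes:
    """Map the user's text password to an N-byte P_A (assumption: SHA-256)."""
    return hashlib.sha256(password.encode()).digest()


class Client:
    """A: knows P_A, chooses n_a1 and n_a2, ends with the session key K."""

    def __init__(self, user: str, password: str) -> None:
        self.user, self.PA = user, stretch(password)
        self.na1 = self.na2 = b""
        self.K: Optional[bytes] = None

    def message1(self) -> Tuple[bytes, bytes, bytes]:
        # {n_a1, n_a2, P_A xor n_a1}_{+K_S}; the encryption to S is modelled as plaintext.
        self.na1, self.na2 = os.urandom(N), os.urandom(N)
        return self.na1, self.na2, xor(self.PA, self.na1)

    def message3(self, msg2: Tuple[bytes, bytes]) -> Optional[bytes]:
        masked_K, h = msg2
        # A possesses the one-time pad n_a1 xor n_a2 and uses it to recover K (assumption).
        K = xor(masked_K, xor(self.na1, self.na2))
        # H(P_A xor n_a1, K, n_a2) can only come from a holder of P_A: this authenticates S.
        if not hmac.compare_digest(h, H(xor(self.PA, self.na1), K, self.na2)):
            return None
        self.K = K
        return H(xor(self.PA, self.na2), K, self.na1)


class Server:
    """S: holds the password file, generates K, verifies both confirmations."""

    def __init__(self, password_db: Dict[str, str]) -> None:
        self.db = {u: stretch(p) for u, p in password_db.items()}
        self.pending: Dict[str, Tuple[bytes, bytes, bytes]] = {}
        self.established: Dict[str, bytes] = {}

    def message2(self, user: str, msg1: Tuple[bytes, bytes, bytes]) -> Optional[Tuple[bytes, bytes]]:
        na1, na2, masked_pw = msg1  # what S sees after decrypting with -K_S
        PA = self.db.get(user)
        # Unmasking with n_a1 must give the stored P_A; otherwise message 1 is rejected.
        if PA is None or not hmac.compare_digest(xor(masked_pw, na1), PA):
            return None
        K = os.urandom(N)
        self.pending[user] = (na1, na2, K)
        # K under the one-time pad, plus the confirmation hash analysed as message 2.
        return xor(K, xor(na1, na2)), H(xor(PA, na1), K, na2)

    def verify3(self, user: str, msg3: bytes) -> bool:
        na1, na2, K = self.pending.pop(user)
        # H(P_A xor n_a2, K, n_a1) shows A recovered K and holds P_A: this authenticates A.
        if not hmac.compare_digest(msg3, H(xor(self.db[user], na2), K, na1)):
            return False
        self.established[user] = K
        return True


def run(client_password: str, server_password: str) -> bool:
    """One full run; True only if A and S both accept and agree on K."""
    a, s = Client("alice", client_password), Server({"alice": server_password})
    m2 = s.message2("alice", a.message1())
    if m2 is None:
        return False
    m3 = a.message3(m2)
    return m3 is not None and s.verify3("alice", m3) and a.K == s.established["alice"]


def client_rejects_impostor_server(password: str) -> bool:
    """An S' without -K_S learns nothing from message 1 and lacks P_A, so its message 2
    cannot satisfy A's check; modelled here by a message 2 unrelated to the nonces."""
    a = Client("alice", password)
    a.message1()
    return a.message3((os.urandom(N), os.urandom(N))) is None
```

The two hash comparisons are where the GNY results of Section 4.3.3 are realised in code: A accepts K only after the message-2 hash binds it to $P_A$ and its own fresh nonces, and S records the key only after message 3 binds it to the same secret and nonces in the other order, which is why each side ends up believing that the other believes in K.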
5. Conclusion

In this paper, we have proposed new password-based authentication protocols which are secure and efficient in defeating password guessing attacks. In a security system that allows people to choose their own passwords, those people tend to select passwords that can be easily guessed [6,15]. Therefore, password-based authentication protocols must protect the shared secret from guessing attacks [10,13]. But such protocols are more expensive than conventional ones with regard to the computation and communication costs [11,12]. Since we have promoted both security and efficiency in authentication protocols which are resistant to guessing attacks, ours can be used in a variety of areas of computer communication that allow users to choose their own passwords.

References

[1] S. Bellovin, M. Merritt, Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise, in: Proceedings of the 1st ACM Conference on Computer and Communications Security, 1993, pp. 244–250.
[2] M. Burrows, M. Abadi, R. Needham, A logic of authentication, ACM Transactions on Computer Systems 8 (1990) 18–36.
[3] D. Denning, G. Sacco, Timestamps in key distribution protocols, Communications of the ACM 24 (1981) 533–536.
[4] W. Diffie, M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (1976) 644–654.
[5] Y. Ding, P. Horster, Undetectable on-line password guessing attacks, ACM Operating Systems Review 29 (1995) 77–86.
[6] D.C. Feldmeier, P.R. Karn, UNIX password security—ten years later, in: Proceedings of Crypto'89, published as Lecture Notes in Computer Science 435 (1989) 44–63.
[7] W. Fumy, M. Munzert, A modular approach to key distribution, in: Proceedings of Crypto'90, 1991, pp. 274–283.
[8] L. Gong, Verifiable-text attacks in cryptographic protocols, in: Proceedings of IEEE INFOCOM'90, 1990, pp. 686–693.
[9] L. Gong, R. Needham, R. Yahalom, Reasoning about belief in cryptographic protocols, in: Proceedings of the IEEE Symposium on Research in Security and Privacy, 1990, pp. 234–248.
[10] L. Gong, M. Lomas, R. Needham, J. Saltzer, Protecting poorly chosen secrets from guessing attacks, IEEE Journal on Selected Areas in Communications 11 (1993) 648–656.
[11] L. Gong, Optimal authentication protocols resistant to password guessing attacks, in: Proceedings of the 8th IEEE Computer Security Foundations Workshop, 1995, pp. 24–29.
[12] T. Kwon, M. Kang, J. Song, An adaptable and reliable authentication protocol for communication networks, in: Proceedings of IEEE INFOCOM'97, 1997, pp. 738–745.
[13] M. Lomas, L. Gong, J. Saltzer, R. Needham, Reducing risks from poorly chosen keys, in: Proceedings of the 12th ACM Symposium on Operating Systems Principles, ACM Operating Systems Review 23 (1989) 14–18.
[14] C. Meadows, Applying formal methods to the analysis of a key management protocol, Journal of Computer Security 1 (1992) 5–35.
[15] R. Morris, K. Thompson, Password security: a case history, Communications of the ACM 22 (1979) 587–594.
[16] R. Needham, M. Schroeder, Using encryption for authentication in large networks of computers, Communications of the ACM 21 (1978) 993–999.
[17] D. Otway, O. Rees, Efficient and timely mutual authentication, ACM Operating Systems Review 21 (1987) 8–10.
[18] B. Schneier, Applied Cryptography, 2nd ed., Wiley, 1996, pp. 234–235.
[19] M. Steiner, G. Tsudik, M. Waidner, Refinement and extension of encrypted key exchange, ACM Operating Systems Review 29 (1995) 22–30.
[20] G. Tsudik, E. Van Herreweghen, Some remarks on protecting weak keys and poorly-chosen secrets from guessing attacks, in: 1993 IEEE Symposium on Reliable Distributed Systems, 1993, pp. 136–142.