CN101938491A - Password-based three-party key exchange method - Google Patents
Publication number: CN101938491A
Authority: CN (China)
Prior art keywords: password, random number, key, send, agreement
Legal status: Granted
Classification: Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a password-based three-party key exchange method, comprising: S verifies the $V_{AS}$ sent by A: if $h(g^{ax}, A, B, S)$ equals the latter half of [formula omitted in source]; and S verifies the $V_{BS}$ sent by B: if $h(g^{by}, A, B, S)$ equals the latter half of [formula omitted in source], where $g^x$ in $h(g^{ax}, A, B, S)$ and $g^y$ in $h(g^{by}, A, B, S)$ are taken respectively from the first half of [formula omitted in source] and [formula omitted in source], then $V_{SA}$ is sent to A and $V_{SB}$ to B. A verifies the $V_{SA}$ sent by S: if [formula omitted in source] contains $g^x$; and B verifies the $V_{SB}$ sent by S: if [formula omitted in source] contains $g^y$, then A and B each compute and establish the common session key $g^{xy}$. This key exchange method not only effectively resists various attacks and provides perfect forward secrecy, but also improves on the number of exchange rounds and the communication time.
Description
Technical field
The present invention relates to the field of communication security, and specifically to a password-based three-party key exchange protocol.
Background technology
When two communicating parties need to communicate securely over an open channel, they must negotiate a session key before communicating in order to guarantee the confidentiality of the communication content; the data to be transmitted is then encrypted under that key. Because a password-based key exchange protocol only requires the two parties to share a password that is simple and easy to remember, such protocols have been widely used. However, because of the low entropy of passwords, such protocols are more susceptible to dictionary attacks. Dictionary attacks can be divided into the following three classes:
1. Detectable online dictionary attack: the attacker attempts to guess the client's password and verifies the correctness of the guess through online communication; once a guess fails, it is easily detected.
2. Undetectable online dictionary attack: the attacker attempts to guess the client's password and verifies the correctness of the guess through online communication, but a failed guess is not detected. The attacker can therefore repeat the guessing attack many times.
3. Offline dictionary attack: the attacker guesses the client's password and verifies the correctness of the guess offline.
A secure password-based key exchange protocol should effectively resist undetectable online dictionary attacks and offline dictionary attacks.
In 1992, Bellovin and Merritt first proposed the password-based two-party key exchange (2PAKE) protocol; using the password shared by the two communicating parties, this protocol achieves mutual authentication and key exchange between them. Since then, a large number of 2PAKE protocols have been proposed.
However, two-party key exchange protocols suit systems of the "client-server" pattern but are not suitable for systems such as P2P, in which a large number of clients need to communicate with one another. In 1995, Steiner proposed the password-based three-party key exchange (3PAKE) protocol, but Ding and Horster pointed out that this protocol cannot resist undetectable online dictionary attacks, and Lin pointed out that it likewise cannot resist offline dictionary attacks and proposed an improved protocol based on public-key techniques. In 2001, Lin proposed a new 3PAKE protocol that does not require public-key techniques, but it needs two more rounds than the public-key-based improvement he had proposed earlier. In 2003, Sun proposed a new 3PAKE protocol, but Nam soon pointed out that it is vulnerable to man-in-the-middle attacks. In 2004, Lee proposed a new 3PAKE protocol and claimed that it resists various attacks and provides perfect forward secrecy. In 2007, Lu and Cao proposed a simple and efficient 3PAKE protocol based on the CCDH assumption and claimed that it resists various attacks, but subsequent analysis found that it cannot resist man-in-the-middle attacks, undetectable online dictionary attacks, impersonation attacks, or offline dictionary attacks.
Summary of the invention
The problem to be solved by the invention is: how to provide a password-based three-party key exchange method such that the new 3PAKE protocol resists the known attacks and, compared with prior protocols, improves on the number of exchange rounds and the communication time.
The technical problem is solved as follows: a password-based three-party key exchange method is provided, characterized in that it comprises the following steps:
S verifies the $V_{AS}$ sent by A: if $h(g^{ax}, A, B, S)$ equals the latter half of [formula omitted in source]; and S verifies the $V_{BS}$ sent by B: if $h(g^{by}, A, B, S)$ equals the latter half of [formula omitted in source], where $g^x$ in $h(g^{ax}, A, B, S)$ and $g^y$ in $h(g^{by}, A, B, S)$ are taken respectively from the first half of [formula omitted in source] and [formula omitted in source], then $V_{SA}$ is sent to A and $V_{SB}$ to B;
A verifies the $V_{SA}$ sent by S: if [formula omitted in source] contains $g^x$; and B verifies the $V_{SB}$ sent by S: if [formula omitted in source] contains $g^y$, then A and B each compute and establish the common session key $g^{xy} = (g^y)^x = (g^x)^y$;
where: A and B are the two session parties, and S is a third-party server;
the function $E_K(M)$ denotes symmetric encryption of M with key K; $pw_A$ is the password shared by A and S; $pw_B$ is the password shared by B and S; $Z_p$ is the set of residue classes modulo p; g is a generator of $Z_p$; p is a large prime; the function $h()$ is a hash function $\{0,1\}^* \to Z_{p-1}$; the function $D_K(M)$ denotes symmetric decryption of M with key K; the formula $n \in_R Z_p^*$ denotes that n is chosen at random from the multiplicative group modulo p; $a, b \in_R Z_p^*$ are the random numbers generated by S; $x \in_R Z_p^*$ is the random number generated by A; $y \in_R Z_p^*$ is the random number generated by B.
According to the three-party key exchange method provided by the invention, it is further characterized in that it also comprises:
S generates the random number a, computes [formula omitted in source] and sends it to A, and generates the random number b, computes [formula omitted in source] and sends it to B;
A receives $S_A$, then generates the random number x, computes and sends $V_{AS}$; B receives $S_B$, then generates the random number y, computes and sends $V_{BS}$.
According to the three-party key exchange method provided by the invention, it is further characterized in that S obtains A and B in one of the following four ways:
(1) A sends A and B to S;
(2) B sends A and B to S;
(3) A sends B to S, and S identifies the sender A;
(4) B sends A to S, and S identifies the sender B.
The beneficial effect of the invention is: based on the protocols of Sun and Lee, a new 3PAKE protocol is proposed which not only effectively resists various attacks and provides perfect forward secrecy, but also improves on the number of exchange rounds and the communication time. Compared with the prior art, it has mainly the following features: 1. mutual authentication is achieved between each client A, B and the third-party server S; 2. the protocol resists the known attacks; 3. the protocol improves on the number of exchange rounds and the communication time compared with prior protocols.
Description of drawings
Fig. 1 is a schematic flow chart of the password-based three-party key exchange method of the invention.
Embodiment
Below, the method of the invention is described in detail with reference to the drawings, using the following symbols:
A, B denote the two clients in the protocol that need to negotiate a key
S denotes the trusted third-party server
$pw_A$ denotes the password shared by A and S
$pw_B$ denotes the password shared by B and S
$Z_p$ denotes the set of residue classes modulo p
$a \in_R Z_p^*$ denotes that a is chosen at random from the multiplicative group modulo p
(G, g, p) denotes a finite cyclic group G, where g is a generator of $Z_p$ and p is a large prime
$h()$ is a hash function $\{0,1\}^* \to Z_{p-1}$
$E_K(M)$, $D_K(M)$ denote symmetric encryption and symmetric decryption of M with key K, respectively
For simplicity, "mod p" is omitted in the protocol description.
The password-based three-party key exchange method of the invention is based on the 3PAKE protocols of Sun and Lee and, combined with symmetric encryption, proposes a new three-party key exchange protocol. Before the protocol begins, A and B share the passwords $pw_A$ and $pw_B$ respectively with S. The concrete steps of the new protocol, as shown in Fig. 1, are as follows:
101) A sends A, B to S, indicating that A wishes to negotiate a session key with B through S.
102) After receiving A, B, S first generates the random numbers $a, b \in_R Z_p^*$, computes [formula omitted in source], and then sends $S_A$, $S_B$ to A and B respectively.
103) After A, B receive $S_A$, $S_B$ respectively, they use their own passwords $pw_A$, $pw_B$ to decrypt $S_A$, $S_B$ and obtain [formula omitted in source]. A, B then generate the random numbers $x, y \in_R Z_p^*$ respectively and compute [formula omitted in source]. Finally, they send $V_{AS}$, $V_{BS}$ respectively to S.
104) After S receives the $V_{AS}$, $V_{BS}$ sent by A, B, it computes [formula omitted in source] respectively; the first half after decryption yields $g^x$, $g^y$. Then, using the a, b it has stored, S computes $h(g^{ax}, A, B, S)$, $h(g^{by}, A, B, S)$ and verifies whether they equal the latter half after decryption. If they are equal, S computes [formula omitted in source] respectively and then sends $V_{SA}$, $V_{SB}$ to A, B respectively.
105) After A, B receive $V_{SA}$, $V_{SB}$, they use the stored $g^{ax}$, $g^{by}$ respectively to decrypt them, computing [formula omitted in source]. A verifies whether the decrypted message contains $g^x$, and B verifies whether the decrypted message contains $g^y$. If both verifications pass, A, B compute $K_{AB} = (g^y)^x$ and $K_{BA} = (g^x)^y$ respectively; the session key of A and B is $K = K_{AB} = K_{BA} = g^{xy}$.
Further, a security and efficiency analysis of the method of the invention follows:
(1) Security analysis
Suppose the attacker can attack the protocol by means such as eavesdropping, replay, impersonation and forgery. The security of the new protocol is analysed against several attacks to which prior protocols are often subject.
(1) Suppose the attacker has intercepted A, B, $S_A$, $S_B$, $V_{AS}$, $V_{BS}$, $V_{SA}$, $V_{SB}$. Except for the identities, all other messages are symmetrically encrypted, so without knowledge of the keys the attacker cannot obtain any other useful information.
(2) Suppose the attacker attempts to impersonate A, B. In the second step of the protocol, S encrypts $g^a$, $g^b$ with $pw_A$, $pw_B$ respectively, producing $S_A$, $S_B$. Without knowing the passwords, the attacker cannot decrypt $S_A$, $S_B$ and so cannot obtain $g^a$, $g^b$; therefore the attacker cannot produce the messages $V_{AS}$, $V_{BS}$ needed for impersonation.
(3) Suppose the attacker attempts to impersonate S. In the third step of the protocol, A, B encrypt $g^x$, $g^y$ with $pw_A$, $pw_B$ respectively, producing $V_{AS}$, $V_{BS}$. Without knowing the passwords, the attacker cannot decrypt $V_{AS}$, $V_{BS}$ and so cannot obtain $g^x$, $g^y$; therefore the attacker cannot produce the messages $V_{SA}$, $V_{SB}$ needed for impersonation.
(4) Suppose the attacker attempts an undetectable online guessing attack. The attacker may choose candidate passwords $pw'_A$, $pw'_B$, but A, B will discover the password-guessing attack when verifying $V_{SA}$, $V_{SB}$, and S will discover it when verifying $V_{AS}$, $V_{BS}$.
(5) Suppose the attacker has obtained the password $pw_A$ or $pw_B$. The attacker still cannot compute a former session key K, because to obtain a former session key the attacker would have to solve a discrete logarithm problem, which is currently acknowledged to be hard. Hence the protocol has perfect forward secrecy.
(2) Efficiency analysis
The efficiency is compared with the Sun protocol and the Lee protocol; the comparison results are shown in Table 1. The compared items are the number of random numbers, the number of exponentiations, the number of asymmetric encryptions/decryptions, the number of exchange rounds and the execution time. Because the computational cost of symmetric encryption and of hash functions is very small and negligible compared with asymmetric encryption/decryption and exponentiation, it is not considered here. The computational costs of asymmetric encryption/decryption and of exponentiation are usually considered comparable; by comparison, the computational cost of the new protocol is comparable to the Lee protocol and the Sun protocol, but the number of random numbers is smaller than in the Sun protocol. In the new protocol, $S_A$, $S_B$, $g^x$, $g^y$ can be precomputed (the same consideration is applied to the other two protocols), so executing the new protocol takes only 3 exponentiations (denoted 3E, where E denotes the number of asymmetric encryptions/decryptions and exponentiations), which is better than the Sun and Lee protocols. Moreover, the new protocol requires only 4 message exchanges, which is better than the Sun and Lee protocols in the number of exchange rounds.
Table 1
Finally, the protocol of the invention can be implemented in software or hardware. The random numbers selected by each user during protocol execution must be securely deleted after the protocol ends, to avoid any possibility of leakage.
Claims (4)
1. A password-based three-party key exchange method, characterized in that it comprises the following steps:
S verifies the $V_{AS}$ sent by A: if $h(g^{ax}, A, B, S)$ equals the latter half of [formula omitted in source]; and S verifies the $V_{BS}$ sent by B: if $h(g^{by}, A, B, S)$ equals the latter half of [formula omitted in source], where $g^x$ in $h(g^{ax}, A, B, S)$ is taken from the first half of [formula omitted in source] and $g^y$ in $h(g^{by}, A, B, S)$ is taken from the first half of [formula omitted in source], then $V_{SA}$ is sent to A and $V_{SB}$ to B;
A verifies the $V_{SA}$ sent by S: if [formula omitted in source] contains $g^x$; and B verifies the $V_{SB}$ sent by S: if [formula omitted in source] contains $g^y$, then A and B each compute and establish the common session key $g^{xy} = (g^y)^x = (g^x)^y$;
where: A and B are the two session parties, and S is a third-party server;
the function $E_K(M)$ denotes symmetric encryption of M with key K; $pw_A$ is the password shared by A and S; $pw_B$ is the password shared by B and S; $Z_p$ is the set of residue classes modulo p; g is a generator of $Z_p$; p is a large prime; the function $h()$ is a hash function $\{0,1\}^* \to Z_{p-1}$; the function $D_K(M)$ denotes symmetric decryption of M with key K; the formula $n \in_R Z_p^*$ denotes that n is chosen at random from the multiplicative group modulo p; $a, b \in_R Z_p^*$ are the random numbers generated by S; $x \in_R Z_p^*$ is the random number generated by A; $y \in_R Z_p^*$ is the random number generated by B.
2. The key exchange method according to claim 1, characterized in that it further comprises:
S generates the random number a, computes [formula omitted in source] and sends it to A, and generates the random number b, computes [formula omitted in source] and sends it to B;
A receives $S_A$, then generates the random number x, computes and sends $V_{AS}$; B receives $S_B$, then generates the random number y, computes and sends $V_{BS}$.
3. The key exchange method according to claim 1 or 2, characterized in that it further comprises A sending A and B to S, or B sending A and B to S.
4. The key exchange method according to claim 1 or 2, characterized in that it further comprises A sending B to S, or B sending A to S.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2010102862245A CN101938491B (en) | 2010-09-19 | 2010-09-19 | Password-based three-party key exchange method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101938491A true CN101938491A (en) | 2011-01-05 |
CN101938491B CN101938491B (en) | 2013-12-11 |
Family
ID=43391621
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2010102862245A Expired - Fee Related CN101938491B (en) | 2010-09-19 | 2010-09-19 | Password-based three-party key exchange method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101938491B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104023044A (en) * | 2014-01-01 | 2014-09-03 | University of Electronic Science and Technology of China | Cloud-storage data lightweight-level public auditing method with privacy protection |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007044952A1 (en) * | 2005-10-14 | 2007-04-19 | Juniper Networks, Inc. | Password-authenticated asymmetric key exchange |
CN101282216A (en) * | 2007-04-02 | 2008-10-08 | Graduate University of Chinese Academy of Sciences | Method for switching three-partner key with privacy protection based on password authentication |
CN101252577A (en) * | 2008-04-17 | 2008-08-27 | University of Electronic Science and Technology of China | Method for generating three parts cipher key negotiation |
Non-Patent Citations (1)
Title |
---|
Xu Chunxiang et al.: "Vulnerability analysis of the S-3PAKE protocol", Journal of University of Electronic Science and Technology of China, no. 04, 31 July 2009 (2009-07-31), pages 583 - 587 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102611749A (en) * | 2012-01-12 | 2012-07-25 | University of Electronic Science and Technology of China | Cloud-storage data safety auditing method |
CN102611749B (en) * | 2012-01-12 | 2014-05-28 | University of Electronic Science and Technology of China | Cloud-storage data safety auditing method |
CN107592197A (en) * | 2017-05-09 | 2018-01-16 | Harbin Institute of Technology Shenzhen Graduate School | Three-side password authentication and key agreement protocol without smart card |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20131211; Termination date: 20160919 |