Research on password authenticated key exchange and secure wireless roaming

Abstract

In an open network, an Authenticated Key Exchange (AKE) protocol provides two kinds of services for the two communication parties. First, it allows the two parties to establish a session key which is a pure symmetric key known by each other only. The established key is used for realizing the data confidentiality and data integrity in the following data transmission. Second, it provides a mechanism for the two parties to be convinced that it is communicating with the intended party. According to the different authentication factors, there are several kinds of AKE, such as Password-only AKE (PAKE), symmetric key based AKE, public key based AKE and hybrid AKE. PAKE is widely adopted for many applications due to its high usability, such as applied by ATM and email system. In general, there are two main types of PAKE that single-server scheme and multi-server scheme. Recently, a Password-only Two-Server AKE (PTAKE) scheme was proposed in order to solve the single point of failure problem in the conventional single-server scheme as well as to overcome the disadvantage of the multi-server scheme that the expensive system costs. Although there have been some schemes proposed already, either they cannot achieve the strongest security requirement that the system is secure against o²ine dictionary attacks even if any one of the two servers is corrupted by an active adversary, or their system complexity is much higher than that of single-server schemes. In this thesis, we propose a novel PTAKE. It satis¯es the strongest security requirement mentioned above. And the protocol requires altogether six communication rounds only while maintaining about the same degree of computational complexity as other most e±cient scheme. In the mean time, modular multi-exponentiation is an arithmetic operation that on input integers (x1,...,xl), (e1,...,el) and n, computes Ql i=1 xei i (mod n) for l > 1. In this thesis, we focus on the case that l = 2, that is, given integers A, B, X, Y and N, compute C = AXBY (mod N). The PTAKE mentioned above and many existing schemes require such efficient modular multi-exponentiation operations in order to make them fast in practice as multi-exponentiation is one of the most expensive operations for them. There are many algorithms available for performing this operation. However, the complexity of some algorithms is not quantified. Therefore, we target to look into one of the most updated ones and find out the computational complexity of the algorithm. On the other hand, with the tremendous development of the wireless communications technology, mobility networks and the ubiquitous wireless local area network (WLAN) hot spots have become widely available and interconnected. Wireless roaming services allows people to roam around with their mobile devices without being limited by the geographical area of their own home networks and access into different WLANs to enjoy the services provided by different foreign servers rather than his home server. In order to build a secure channel between the roaming user and the service provider, the Secure Wireless Roaming (SWR) protocol has been proposed, the core function of which is to provide AKE between the two parties. Furthermore, the demand for protecting user privacy (i.e., user anonymity and user untraceability) becomes more urgent today, the SWR with providing user privacy is usually referred to Anonymous SWR. In this thesis, we focus on the proposal of the all-round security requirements for anonymous SWR and the efficient design of protocol with the lower communication and computation costs for the mobile equipments. Besides, a localized anonymous roaming protocol is proposed recently with the motivation of alleviating the communication burden of the servers. However, the biggest problem of such type protocol is the huge costs of the user revocation scheme. It is more challenging to design a secure protocol with the enhanced efficiency. As described above, we focus on the following problems, 1. In this dissertation, we propose a novel PTAKE. It overcomes the disadvantage of the conventional single-server scheme that the single point of failure as well as the disadvantage of the multi-server scheme that the expensive system costs. It not only satisfies the strongest security requirement for PTAKE that the system is secure against o²ine dictionary attacks even if any one of the two servers is corrupted by an active adversary, but also it requires six communication rounds only. Namely, our scheme reduces the number of communication rounds by 40% when compared with other most efficient scheme while maintaining about the same degree of computational complexity. Furthermore, we propose a generic PTAKE with satisfying the lower security level for PTAKE that the system is secure against o²ine dictionary attacks even if the front one of the two servers is corrupted by an active adversary or the backend server is corrupted by a passive adversary. 2. The PTAKE schemes mentioned above and many other existing crypto systems require efficient modular duplex-exponentiation operations in order to make the systems fast in practice as it is the most expensive operations for them. In this dissertation, we target to examine the computational complexity of the famous fast algorithms. Particularly, we provide a formal complexity analysis for WLLC algorithm under Markov probabilistic model, which was claimed to be the fastest algorithm. The complexity analysis and the experimental results show that the actual computational complexity of WLLC algorithm should be 1.556k rather than 1.306k, where k is the larger bit length of the two exponents. It implies that the best modular duplex-exponentiations algorithm based on canonical-sighed-digit technique is still not able to overcome the 1.5k barrier. 3. In order to build a secure channel between the roaming user and the service provider with providing user privacy (i.e., user anonymity and user untraceability), the Anonymous Secure Wireless Roaming protocol has been proposed, the core function of which is to provide AKE between the two parties. In this dissertation, we focus on the proposal of the all-round security requirements for Anonymous SWR which captures the following security properties including mutual authentication between roaming user and foreign server, key establishment and key privacy against backend server, forward secrecy, user anonymity and user untraceability. And we propose a pure symmetric key based Anonymous SWR protocol using the CK modular approach. To best of our knowledge, it seems to be the first pure symmetric key based anonymous SWR. Compared with other existing Anonymous SWR protocols, both of the computation complexity and communication complexity of our protocol are lowest, since it involves only 4 message °ows and no PKI (Public Key Infrastructure) but only highly efficient cryptographic operations are needed which include Message Authentication Code (MAC) and symmetric key encryption. 4. As an important cryptographic tool, group signature has been widely employed by various crypto systems, especially it is employed to construct a localized anonymous roaming protocol as a core building block. Although for this roaming protocol, the communication burden of the servers will be alleviated much, the computational complexity and user revocation complexity will increase quickly due to the usage of group signature. In order to overcome this disadvantage, we propose an efficient group signature with forward secure revocation with satisfying constant signing and verifying complexity as well as constant size in signature public key and signing key.