A Two-Party Password-Authenticated Key Exchange Protocol with Verifier
1. Introduction
A two-party password-authenticated key exchange protocol with verifier lets a user and a server run one session of the protocol to establish a session key, with the server holding only the user's password verifier, so that the two can communicate securely over an insecure channel. The user's password is the user's long-term key, and it is an effective way to verify the user's real identity unless the password leaks. Password-authenticated key exchange with verifier is developed from password-authenticated key exchange to address attacks caused by leaks or theft of the user's plaintext password: since it is unsafe for the server to store the password directly, the server instead stores a value computed from the password, which is called the password verifier. Many research papers have studied password-authenticated key exchange protocols to date.
1.1. Related Work
In 1992, paper [1] first proposed a two-party password-authenticated key exchange protocol; it is based on the Diffie-Hellman (DH) protocol and resists online password dictionary attacks. Papers [2] - [16] studied two-party password-authenticated key exchange protocols with verifier. Paper [3] proposed a two-party password-authenticated key exchange protocol with verifier. Paper [4] proposed a revised version of the protocol in paper [3], but the revised protocol is more complicated. Paper [5] proposed a two-party password-authenticated key exchange protocol with verifier and proved its security in the standard model. Paper [6] pointed out errors in the security proof of the protocol proposed in paper [5]. Because existing two-party password-based key exchange protocols have shortcomings when using a public key infrastructure and suffer from dictionary attacks, a two-party password-based key agreement protocol resistant to dictionary attacks, obtained by adding password-authentication services, was proposed in [7]; its security was proved under both the ideal-cipher model and the random-oracle model. In [8], to resist dictionary attacks, a two-party password-based key exchange protocol based on DH key exchange and a hash function was proposed. To overcome undetectable online dictionary attacks by a malicious gateway, a gateway-oriented password-based authenticated key exchange (GPAKE) based on a chameleon hash function was proposed in [9]. In two-party password-authenticated key agreement protocols, a server that maintains a password or verification table can be exposed to dictionary attacks, impersonation attacks and the stolen-verifier attack; a protocol for the Session Initiation Protocol used with Voice over Internet Protocol that avoids these disadvantages was achieved in [10], and it provides session key agreement, mutual authentication and a password updating function.
In 2013, paper [11] observed that two-party password-based key exchange protocols fall into two families, those with implicit and those with explicit key authentication; it also indicated that the protocol in [7] is an implicit one and, as an improvement of [7], proposed an explicit two-party password-based key exchange protocol. Because some two-party password-authenticated key exchange protocols fail to provide mutual authentication and key confirmation, the authors of [12] proposed two improved protocols, one of which achieves mutual authentication and key confirmation. In [13], the authors showed that the protocol in [11] cannot resist off-line password guessing attacks and demonstrated an impersonation attack on it; they also indicated that the two-party password-authenticated key exchange protocol in [11] lacks forward secrecy, and to address these shortcomings paper [13] proposed an improved two-party password-authenticated key exchange protocol based on the protocol in [11]. Paper [14] explained that most two-party password-based key exchange protocols cannot meet personalized demands, and its authors designed a personalized key exchange protocol in which users select the code of the mutual session key according to their own needs. Few papers have been published on explicit authentication in two-party password-based key exchange protocols; paper [15] indicated that the explicitly authenticated protocol in [11] is open to a disguise attack and that the security definition in [11] has some faults, then redefined the security notions for two-party explicitly authenticated key exchange protocols and improved the protocol structure of [11]. Paper [16] also proposed an improved protocol based on the protocol in [13].
1.2. Motivations
Nevertheless, we believe that the two-party password-authenticated key exchange protocol with verifier is worth studying from both the practical perspective and the cryptographic design perspective. Against this background, this paper proposes a two-party password-authenticated key exchange protocol with verifier and proves its security. The proposed protocol is suitable for electronic transactions in a mobile environment.
2. Basic Content
Definition 1:
DL difficult problem: Let G be a cyclic group whose order is a prime number p and g a generator of G. Given a tuple
, where
, computing a is difficult.
Definition 2:
DH difficult problem: Let G be a cyclic group whose order is a prime number p and g a generator of G. Given a triple
, where
, computing
is difficult.
3. New Two-Party Password-Authenticated Key Exchange Protocol with Verifier
Our paper proposes a new two-party password-authenticated key exchange protocol with verifier, which has two participants, called the user and the server. The user actively initiates a session with the server. Our new two-party password-authenticated key exchange protocol with verifier is abbreviated as VBTP, and in what follows VBTP denotes our protocol. The session process of VBTP is as follows:
Let G denote a group whose order is a prime number p and g a generator of G. The protocol participants are the user U and the server S, whose identity information is
and
. U is registered at S and
is the password plaintext of U; the collision-resistant one-way hash functions are
and
. In order to resist server leakage attacks, S stores the verifier of U's password plaintext rather than the plaintext itself. U computes the password authentication value
and stores V in S through a secure channel. The protocol execution process is shown in Figure 1, and the specific computation steps are as follows:
1) U chooses
randomly, then computes
and
, and finally sends
,
and
to S;
2) After receiving the message from U, S randomly chooses
, gets the verifier V from the password file, computes
and
, then sends
,
and
to U, and finally S computes
,
;
3) After receiving S's message, U computes
,
, then computes
,
, and sends
to S;
4) After receiving
, S computes U's password plaintext
, then computes
and
, verifies if
or not; if yes, S trusts the identity of user U and then sends
to U; obviously
;
5) After receiving
, U verifies if
or not; if yes, U trusts the identity of server S;
6) Finally, U and S compute the same session key
, then
.
4. Security Analysis
A two-party password-authenticated key exchange protocol with verifier has many security requirements, which can be proved by different methods, and our VBTP also needs a security analysis. The security of our VBTP is established by examining forward security of two-party password-authenticated key exchange, resistance to the server's leakage fake attack, resistance to dictionary attacks, resistance to man-in-the-middle attacks and other security requirements.
Theorem 1. VBTP has forward security.
Proof: Forward security of a two-party password-authenticated key exchange protocol with verifier means that, during one protocol session, even if the user's password plaintext leaks to the adversary, the adversary cannot work out the session keys of earlier sessions from the user's password plaintext; that is, session keys are independent of the password plaintext. In our VBTP, if the user's password plaintext
had been leaked to an adversary A during a session, and the adversary A had obtained the messages
,
and
of an earlier session by wiretapping, A could compute V from
, and then obtain
,
and
by calculation, but he could not calculate
, because by our Definition 1 obtaining
is a DL difficult problem or a DH difficult problem, and the adversary A cannot solve the DL difficult problem or the DH difficult problem; so VBTP has forward security.
Theorem 2. VBTP can resist the server's leakage fake attack.
Proof: A server's leakage fake attack on a two-party password-authenticated key exchange protocol with verifier is one in which an adversary A obtains the user's password verifier V stored in the server by attack, theft or other means, and then impersonates the user to initiate a protocol session with the server. A two-party password-authenticated key exchange protocol with verifier resists the server's leakage fake attack if the server can recognize the identity of the impersonator and thereby terminate the session. In our VBTP, suppose an adversary A obtains the user's password verifier V; in each session, the adversary A knows the value
, but he cannot obtain the user’s password plaintext
; he can choose
or
to figure out
; if he selects
to compute
, he must first compute
, so he confronts the DL difficult problem of our Definition 1. If the adversary A selects
to obtain
, he must compute
before
; he can compute
through
and compute
by
, and the computation process is
,
; finally, the adversary A cannot calculate
, because our Definition 2 states that computing
is a DH difficult problem. The adversary does not know
, so the message he sends to the server does not contain
; the server can accurately detect the fake identity and thereby prevent the fake attack, so our VBTP can resist the server's leakage fake attack.
Theorem 3. VBTP can resist all kinds of dictionary attacks.
Proof: Dictionary attacks on a two-party password-authenticated key exchange protocol with verifier are of two types: online and offline dictionary attacks.
1) In our VBTP, an online dictionary attack can be detected by the server. In a dictionary attack, the adversary A repeatedly picks a password from a list of candidate plaintext passwords to test whether it is the user's real password. Suppose the adversary A randomly selects
to log in to the server S in order to test whether it matches the user's plaintext password
; the adversary A calculates
through
, then calculates
,
and
, the adversary A sends
,
and
to the server; the server calculates
to verify V, finds that it cannot verify the user's identity and concludes that the user's identity is fake, so the server asks the adversary A to log in to the server again with a new password; after a finite number of failed logins, the server terminates any session with the adversary A and ascertains that this is an online dictionary attack. 2) Offline dictionary attack on the user. In an offline dictionary attack the adversary A tries to calculate the user's password plaintext from intercepted conversation information; the adversary A cannot calculate the user's password plaintext, for the same reason as in Theorem 2, because the adversary faces the DL difficult problem or the DH difficult problem, so the attack is invalid. Therefore, VBTP can resist all kinds of dictionary attacks.
Theorem 4. VBTP is secure against man-in-the-middle attacks.
Proof: A man-in-the-middle attack on our VBTP means that an adversary A sits between the user and the server: to the server, the user is counterfeit, while to the user, the server is faked. In fact, a man-in-the-middle attack on a two-party password-authenticated key exchange protocol with verifier is invalid, because the password verifier is used precisely to prevent such an attack. In our VBTP, if the adversary does not know the user's password plaintext, then he cannot impersonate the user to log into the server; as with the attacks in Theorems 2 and 3, the adversary's fake action is easily detected by the server, so the attack cannot succeed. Similarly, if the adversary counterfeits the server to interact with the user, the attack cannot succeed unless the adversary knows the user's password plaintext; in fact, the adversary cannot figure out the user's password plaintext, so the man-in-the-middle attack fails in our VBTP.
5. Efficiency Comparisons and Discussions
The efficiency of a two-party password-authenticated key exchange protocol with verifier can be measured in terms of communication load and computation load. Table 1 compares the operational efficiency of our VBTP with the protocols of paper [3] and paper [4], which are written as paper [3] and paper [4] respectively. In Table 1, the unit of communication round is a step, the unit of random numbers is a count, and the others are counts of operations. Table 1 shows that VBTP uses one exponentiation fewer than the protocol of paper [3], and the number of hash functions of VBTP is the same as for the protocol of paper [3]. Compared to the protocol of paper [4], VBTP needs one more communication round and the other costs are not higher. The discussion shows that the operational efficiency of our VBTP is high.
Table 1. Protocol operational efficiency comparison.
6. Conclusion
A two-party password-authenticated key exchange protocol with verifier faces various kinds of security attacks, especially the server's leakage fake attack and dictionary attacks. Aiming at such attacks, a two-party password-authenticated key exchange protocol with verifier, abbreviated as VBTP, was proposed. Security analysis shows that our VBTP has forward security and resists the server's leakage fake attack, offline dictionary attacks, online dictionary attacks and man-in-the-middle attacks. VBTP can be applied to client/server communications, especially in a mobile e-commerce environment: the mobile terminal uses a password to log in to the server, and using the password and the password verifier the server can verify the true identity of the user. Finally, the efficiency discussion shows that our protocol VBTP is low cost.
Acknowledgements
This work is supported by Guangdong Natural Science Foundation of China (No.2017A030307027, 2018A030307032) and Key Platform and Scientific Research Projects of Guangdong Education Department, China (No.2020ZDZX3038).