| Field | Value |
|---|---|
| Graduate student | 陳柏宏 (Po-Hung Chen) |
| Thesis title | 具防止金鑰竊取攻擊之植基於密碼的金鑰交換認證研究 (The Research on Password-Based Authenticated Key Exchange Secure Against Stolen-Secret Attacks) |
| Advisor | 孫宏民 (Hung-Min Sun) |
| Oral defense committee | |
| Degree | Master |
| Department | College of Electrical Engineering and Computer Science, Institute of Information Systems and Applications |
| Year of publication | 2005 |
| Graduation academic year | 93 |
| Language | English |
| Number of pages | 35 |
| Keywords (Chinese) | 雙向身份認證協定 (mutual authentication protocol), 可證明之安全性 (provable security), 祕密金鑰竊取攻擊 (stolen secret-key attack) |
| Keywords (English) | authentication key exchange, provable security, stolen secret-key attack |
Chinese abstract (translated):

Mutual Authentication (MA) is an important part of information security: when two parties establish a connection, the process of verifying the other party's identity is essential. For user authentication mechanisms, three kinds of architecture exist: knowledge-based authentication, token-based authentication, and biometric authentication (e.g., fingerprint or DNA). Among the three, the knowledge-based mechanism usually relies on the user's own memory; because of advantages such as simplicity, convenience, adaptability, mobility, and lower hardware requirements, it is the most widely used method. Since the user only needs to memorize existing knowledge, and human memory is limited, there is the possibility of an attacker mounting a dictionary attack, and the problem becomes even more serious in an open environment. Moreover, the protection of passwords is another problem that makes password authentication mechanisms even less reliable.

In this thesis, we define the stolen secret-key attack on mutual authentication: when a user's password is obtained by an attacker, the attacker can not only impersonate the user to log in to the server, but can also impersonate the server to fool the user. No password-based mutual authentication protocol can withstand the stolen secret-key attack. To solve this problem, we propose a password-based mutual authentication protocol using the RSA encryption/decryption algorithm, analyze the protocol's security completely, and give a more formal proof. We also provide a more efficient implementation method at the end of the thesis.
English abstract:

Entity authentication is one of the most important security functions. It is necessary for verifying the identities of the communicating parties when they initiate their connection. This function is usually provided together with a key establishment scheme such as key agreement between the parties. For user authentication, three kinds of approaches exist: knowledge-based authentication, token-based authentication, and biometric authentication. Among them, the knowledge-based scheme relies on human memory. It is in fact the most widely used method, owing to advantages such as simplicity, convenience, adaptability, mobility, and lower hardware requirements. It requires users only to remember their knowledge, such as a password or PIN (Personal Identification Number); therefore users can move around conveniently without carrying hardware tokens. However, a complex problem with password-only authentication is that a human-memorable password has low entropy, so it can be vulnerable to malicious guessing attacks. The problem becomes much more critical in an open distributed environment. Moreover, password file protection is another problem that makes password authentication more unreliable. A cryptographic protocol based on public-key cryptography is the most promising solution to this problem.

We define the term Stolen Secret-Key Attack for authenticated key exchange (AKE) protocols: when the password of a client is compromised by the adversary, she can not only impersonate the client to log in to a server, but also masquerade as the server to fool the client. All password-based AKE protocols suffer from this attack. To solve this problem, we propose a new password-based AKE protocol using RSA and show that it is secure against the stolen secret-key attack. An efficient implementation of RSA is given at the end of the paper.