11

Efficient and Secure Certificateless Authentication and Key Agreement Protocol for Hybrid P2P Network

Authors: Z. B. Xu and Z. W. LiSource: The 2nd IEEE International Conference on Information Management and Engineering (ICIME), pp. 272-276, 2010Speaker: Shu-Fen Chiou (邱淑芬 )

2

Introduction

Alice Bob

Key Generation Center(KDC)

Certificate CACertificate CB

Mutual authentication with certificates

•Certificateless Public Key Cryptography

3

Alice

Key Generation CenterMaster-key: s

KGC public key: P0=sP

Partial private keyDA = sQA

Where QA=H1(IDA)

Private keySA = <DA,xA>

Public keyPA = xAP

CL-PKC (Certificateless Public Key Cryptography)

3

Bob

Partial private keyDB = sQB

Where QB=H1(IDB)

Private keySB = <DB,xB>

Public keyPB = xBP

Based on ECC

4

Hybrid P2P network

In the same domain In different domain

5

Requirements Certificateless Implicit key authentication Perfect forward secrecy Known-key secrecy Key-compromise impersonation Unknown key-share resilience Known session-specific temporary

information security No key control

5

6

Proposed scheme

In the same domain

6

77

K1=KA1=e(QB, P0)a

=e(QB, P)sa

=e(sQB, aP) =e(DB, TA)=KB1

P0=sPDA = sQA

DB = sQB

K2=KA2=e(DA, TB) =e(sQA, bP) =e(QA, P)sb

=e(QA, P0)b=KB2

K3=KA3=xA-2MB

=xA-2xB

-1PA

=xA-1xB

-1P =(xA

-1 .xBP).xB-1xB

-1

=xB-2MA=KB3

K4=KA4=aTB=abP=bTA=KB4

K5=KA5=aPB=axBP=xBTA=KB5

K6=KA6=xATB=xAbP=bPA=KB6

b

8

Proposed scheme Across the domain

Alice

P1=s1PDA = s1QA

QA=H1(IDA)SA = <DA,xA>PA = xAPTA=aPMA=xA

-1PB

P2=s2PDB = s2QB

QB=H1(IDB)SB = <DB,xB>PB = xBPTB=bPMB=xb

-1PA

KA1=e(QB, P2)a=e(QB, P)s2a

KA2=e(DA, TB)=e(s1QA, bP)=e(QA, P)s1b

TA, MA

TB, MB

KB1=e(DB, TA) =e(s2QB, aP)=e(QB, P)s2aKB2=e(QA, P1)b=e(QA, P)s1b

K1’=KA1=KB1=e(QB, P)s2a

K2’=KA2=KB2=e(QA, P)s1b

SK=KAB=KBA

=H2(K1’||K2’||K3||K4|| K5||K6||TA||TB)

9

Analysis Implicit key authentication

Eve personate Bob: Eve computes TE=eP and ME=XE

-1PA, Eve cannot compute KA5 or KB5. (DLP problem)

Perfect forward secrecy Eve knows SA, SB, and s. But he needs to solve abP.

(CDH problem) Known-key secrecy

Each run, a, b are random and secret. Even if session has been compromised, Eve cannot compute the past or future session keys.

9

KA5=aPB=axBP=xBTA=KB5

10

Analysis Key-compromise impersonation

Eve replace the Bob’s public key PB=xeP, Eve cannot compute KA1 or KB1.

Eve knows s, but he cannot generate KA5 or KB5. Unknown key-share resilience

Including the identity information, the Eve cannot ask Alice to share a session key to him, while Alice thinks that Eve is Bob.

Known session-specific temporary information security

Eve get the ephemeral keys of Alice and Bob. He cannot compute the partial session key K3.

No key control Since a result of using a randomly selected

ephemeral key in generating the common session key, neither peer can decide the final key.

KA3=xA-2MB

=xA-2xB

-1PA

=xA-1xB

-1P =(xA

-1 .xBP).xB-1xB

-1

=xB-2MA=KB3

11

Comment

Reduce the keys (K1-K6) with session key.

SK=KAB=KBA

=H2(K1||K2||K3||K4||K5||K6||TA||TB)

SK=KAB=KBA

=H2(K1||K2||TA||TB)

12

Discrete Logarith problem (DLP)Given <g,q>, find an element a, such that ga = q

EC Discrete Logarithm problemGiven <P,Q>, find an element a, such that aP = Q

EC Computational Diffie-Hellman (CDH) problemGiven <P,aP,bP>, compute abP

Bilinear Diffie-Hellman (BDH) problemGiven <P,aP,bP,cP>, compute ê(P,P)abc

DLP > CDHP > BDHPexample: ê(abP,cP) = ê(P,cP)ab = ê(P,P)abc

Computational Problems