1. Introduction
Password-Authenticated Key Exchange (PAKE) is an authenticated key exchange protocol between two or more parties that share only a human-memorable password without depending on any third party and communicating only via an insecure network. Because the password dictionary is sufficiently small, PAKE protocols are designed with the assumption that an attacker can enumerate all the possible passwords off-line within a reasonable time. The intention of PAKE protocols is to prevent off-line guessing attack. They are considered to be safe when an exhaustive search is the only available means of attack.
Simple Password Exponential Key Exchange (SPEKE), proposed by Jablon [
1], and Dragonfly, proposed by Harkins [
2], are well-known PAKE protocols. These protocols are similar to Diffie–Hellman key exchange except that they use a value derived from a shared password as a generator for exponentiation, instead of a fixed value. Such a characteristic makes these protocols seem simpler yet more efficient than other PAKE protocols. However, in 2004, Zhang showed that an active attacker can try multiple passwords in a single attempt by exploiting the exponential equivalence of the passwords in SPEKE [
3]. Furthermore, in 2005, Tang and Mitchell identified other security vulnerabilities such as unknown key-share attack and generic attack as well as the exponential equivalence problem [
4]. Subsequently, in 2014, Hao and Shahandashti showed that SPEKE can suffer from impersonation attack and key-malleability attack [
5] and Clark and Hao showed that Dragonfly can suffer from a small subgroup attack [
6].
The above-mentioned vulnerabilities except the exponential equivalence problem can be addressed in SPEKE by modifying the key confirmation process [
4,
5] and in Dragonfly by checking that the received element is a member of the supergroup [
6]. A possible solution to the exponential equivalence problem is hashing passwords, as in the case of the revised version of SPEKE, which makes it difficult for an attacker to guess the password [
7]. However, this approach does not overcome the essential problem, because the exponential equivalence of passwords persists even after the passwords are hashed. Hao and Ryan claimed that there is no guarantee that an attacker is unable to formulate exponential relationships among hashed passwords; no existing hash function is designed for that purpose [
8].
In this paper, we show that Dragonfly can also suffer from the exponential equivalence problem, and we propose a simple solution that can prevent password-guessing attacks based on the exponential equivalence of passwords in the SPEKE protocol.
2. Review of SPEKE and Dragonfly
2.1. The SPEKE Protocol
Let
p be a safe prime,
, where
q is also a prime. SPEKE is defined over a subgroup of
of prime order
q. Assume that two parties, Alice and Bob, share a common password
π and want to exchange a password-authenticated key. SPEKE defines a function
f to map the password
π to a generator,
i.e.,
in the original SPEKE [
1] or
in the revised version of SPEKE [
7], where
h is a cryptographic hash function (e.g., SHA-256). Let
g denote the generator corresponding to
π,
i.e.,
. The squaring of
π or
ensures that the generator
g does not fall into the small subgroup of order two, which contains
.
SPEKE is exactly the same as Diffie–Hellman key exchange except that it uses a value derived from
π as a generator for exponentiation. The details of fully constrained SPEKE are as follows:
Alice → Bob: Send , where a is randomly selected in .
Alice ← Bob: Send , where b is randomly selected in .
Alice & Bob: Compute and , respectively.
Now, Alice and Bob share the secret .
Alice and Bob confirm that they are sharing the same secret
K. For this purpose, Alice and Bob exchange validation values
,
, and validate them. A hash function is used to generate the values. The details are as follows:
- 4.
Alice ← Bob: Send .
- 5.
Alice: Verify .
- 6.
Alice → Bob: Send .
- 7.
Bob: Verify .
2.2. The Dragonfly Protocol
Although Dragonfly, based on discrete logarithm cryptography, can be implemented either on a finite field or on an elliptic curve, in this paper we deal with the protocol operated on a finite field.
Let
p be a large prime of the form
, where
r and
q relatively prime. Dragonfly is defined over a finite cyclic group
Q, which is a subgroup of
of prime order
q. Assume that two parties, Alice and Bob, share a common password
π and want to exchange a password-authenticated key. Dragonfly defines two functions
f and
to map the identities of the two participants and the shared password
π to a generator,
i.e.,
. The functions can be briefly represented as
and
, respectively. (For more details, see [
2].) Let
g denote the generator,
i.e.,
.
The Dragonfly protocol works as follows:
Alice→Bob: Send and , where and are randomly selected in .
Alice←Bob: Send and , where and are randomly selected in .
Alice & Bob: Compute and , respectively.
Now, Alice and Bob share the secret
.
- 3.
Alice → Bob: Send .
Alice ← Bob: Send .
- 4.
Alice & Bob: Verify and , respectively.
3. Exponential Equivalence in SPEKE and Dragonfly
3.1. Exponential Equivalence in SPEKE
In this subsection, we review the problem identified by Zhang,
i.e., a single on-line attempt can scan through all the exponentially equivalent passwords [
3]. First, if
p is a large safe prime, then for arbitrary given
b, it is extremely difficult to find an integer
x that satisfies the following equation:
However, if mod
p is not present, this equation can be converted into a simple equation that yields
. As such, we can say that two elements,
and
, where
, are exponentially equivalent, and the set of exponentially equivalent elements is identified as the exponential equivalence class. For example, among the numbers less than 100, the exponential equivalence classes are as follows:
Now, let us consider how every element can be examined at once in the SPEKE protocol. Assume that the outputs of the mapping function
f for
j passwords from
to
are exponentially equivalent with a base
m. The actual class in SPEKE is
where the exponent
for each
, is an integer greater than or equal to 1. An active attacker, Eve, masquerading as Alice, generates a random
and sends
to Bob when
mod
p is calculated. Bob generates a random
b and sends
B and
to Eve when
mod
p,
mod
p, and
are calculated. On receiving
B and
from Bob, Eve terminates the protocol and for each
i,
, computes
If
is the same as
received from Bob, then the guessed password
is the same as
π, which means that it is correctly guessed:
To prevent an exponential equivalence attack in SPEKE, Tang and Mitchell suggested that the function
f be modified as
, where
is the smallest integer that makes
g a generator of a multiplicative subgroup of order
q in
. However, there is no difference between the function proposed by Tang and Mitchell and the function
in the revised version of SPEKE [
7] from the viewpoint of preventing an exponential equivalence attack.
Furthermore, exponential equivalence among hash outputs has no effect on the security of hash-based protocols other than SPEKE or Dragonfly, which use a generator derived from hashing a shared password.
3.2. Exponential Equivalence in Dragonfly
In this subsection, we show the exponential equivalence problem in the Dragonfly protocol. A single on-line attempt can scan through all the exponentially equivalent passwords.
Assume that the outputs of the mapping function
f for
j passwords from
to
are exponentially equivalent with a base
m. The actual class in Dragonfly is
where the exponent
for each
, is an integer greater than or equal to 1. An active attacker, Eve, masquerading as Alice, generates two random
and
, and sends
and
to Bob when
and
are calculated. Bob also generates two random
and
, and sends
B and
b to Eve when
and
are calculated. On receiving
and
from Eve, Bob computes
and send
to Eve.
On receiving
B and
from Bob, Eve terminates the protocol and for each
i,
, computes
If
is the same as
received from Bob, then the guessed password
is the same as
π, which means that it is correctly guessed:
4. Prevention of Exponential Equivalence in SPEKE
In this section, we present a simple solution for preventing an attacker from guessing multiple passwords in a single on-line attempt based on exponential equivalence of the passwords in the SPEKE protocol.
Our approach is based on the property that there is no exponentially equivalent element when twice the minimum element is greater than the maximum element within a given set. Similarly, this approach can be applied to SPEKE by modifying the password-mapping function f by prefixing fixed bits to the output of the hash function h.
Theorem 1.
Let be a function that maps an input of arbitrary length to an output of fixed length ℓ. Let p be a safe prime, where q is also a prime. There is no exponentially equivalent element among all the outputs of over a subgroup of of prime order q satisfyingwhere k is any integer satisfying and . Proof.
From the given condition
, we can derive the following equations.
For a base
c, two successive elements of an exponential equivalence class should be
and
. To ensure that no exponentially equivalent element can be found, the maximum value of
must be less than
c times the minimum value for all
c.
If we divide both sides by
, we get
Since
, if
is satisfied, it is satisfied for all
c:
The modular square is symmetric with respect to half of modulus
p. Therefore, to prevent output duplication, the domain of definition of the modular square, or the range of
, must be included in
Because (
2) and (
4) are the codomain and range of
, respectively, the following equation is established:
From (
3) and (
5), when (
1) is satisfied, no exponentially equivalent element is found in
. ☐
For the 112-bit security level, the sizes of
p,
q and
should be greater than or equal to 2048, 2047 and 224 bits, respectively [
9].
5. Discussion
Our solution for preventing exponential equivalence cannot be applied directly over a subgroup in which modulus p is not a safe prime, such as in Dragonfly. To make a generator of a subgroup, exponentiation with exponent r, i.e., , is needed. Because r is very large, e.g., an 896-bit integer corresponding to a 1024-bit modulus, subsequently most of outputs of will exceed p. We reserve this problem for future research.
6. Conclusions
In this paper, we showed that an active attacker can try multiple passwords in a single attempt by exploiting the exponential equivalence of the passwords in Dragonfly as well as in SPEKE. Furthermore, we proposed and proved a simple solution for preventing this problem in the SPEKE protocol. Our solution can be easily applied to variants of the Diffie-Hellman protocol (e.g., the B-SPEKE protocol) that use a safe prime modulus and do not use a fixed generator.
Acknowledgments
This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT, and Future Planning (2014R1A1A2002775).
Author Contributions
Hanwook Lee conceived the idea and wrote this manuscript. Dongho Won contributed to the direction and content and also revised the manuscript.
Conflicts of Interest
The authors declare no conflict of interest.
References
- Jablon, D. Strong password-only authenticated key exchange. Comput. Commun. Rev. ACM SIGCOMM 1996, 26, 5–26. [Google Scholar]
- Harkins, D. Simultaneous authentication of equals: A secure, password-based key exchange for mesh networks. In Proceedings of the Second International Conference on Sensor Technologies and Applications, Cap Esterel, France, 25–31 August 2008; pp. 839–844.
- Zhang, M. Analysis of the SPEKE password-authenticated key exchange protocol. IEEE Commun. Lett. 2004, 8, 63–65. [Google Scholar]
- Tang, Q.; Mitchell, C.J. On the Security of Some Password-Based Key Agreement Schemes. In Computational Intelligence and Security; Springer Berlin Heidelber: Berlin, Germany, 2005; pp. 149–154. [Google Scholar]
- Hao, F.; Shahandashti, S.F. The SPEKE Protocol Revisited. In Security Standardisation Research; Springer International Publishing: Cham, Switzerland, 2014; pp. 26–38. [Google Scholar]
- Clarke, D.; Hao, F. Cryptanalysis of the Dragonfly key exchange protocol. IET Inf. Secur. 2010, 8, 283–289. [Google Scholar]
- Jablon, D. Extended password key exchange protocols immune to dictionary attack. In Proceedings of the Sixth IEEE Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, Cambridge, MA, USA, 18–20 June 1997; pp. 248–255.
- Hao, F.; Ryan, P. J-PAKE: Authenticated key exchange without PKI. In Transactions on computational science XI; Springer Berlin Heidelberg: Berlin, Germany, 2010; pp. 192–206. [Google Scholar]
- Barker, E.; Roginsky, A. NIST Special Publication 800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. Available online: http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf (accessed on 1 September 2015).
© 2015 by the authors; licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/4.0/).