

RSA-Based Password-Authenticated Key Exchange, Revisited
SeongHan SHIN, Kazukuni KOBARA, Hideki IMAI
Publication: IEICE TRANSACTIONS on Information and Systems
Vol.E91-D
No.5
pp.1424-1438
Publication Date: 2008/05/01
Online ISSN: 1745-1361
DOI: 10.1093/ietisy/e91d.5.1424
Print ISSN: 0916-8532
Type of Manuscript: Special Section PAPER (Special Section on Information and Communication System Security)
Category: Key Management
Keyword: password authentication, key exchange, RSA, online/offline attacks, e-residue attacks, provable security
Summary:
The RSA-based Password-Authenticated Key Exchange (PAKE) protocols have been proposed to realize both mutual authentication and generation of secure session keys where a client is sharing his/her password only with a server and the latter should generate its RSA public/private key pair (e,n),(d,n) every time due to the lack of PKI (Public-Key Infrastructures). One of the ways to avoid a special kind of offline (so called e-residue) attacks in the RSA-based PAKE protocols is to deploy a challenge/response method by which a client verifies the relative primality of e and φ(n) interactively with a server. However, this kind of RSA-based PAKE protocols did not give any proof of the underlying challenge/response method and therefore could not specify the exact complexity of their protocols since there exists another security parameter, needed in the challenge/response method. In this paper, we first present an RSA-based PAKE (RSA-PAKE) protocol that can deploy two different challenge/response methods (denoted by Challenge/Response Method1 and Challenge/Response Method2). The main contributions of this work include: (1) Based on the number theory, we prove that the Challenge/Response Method1 and the Challenge/Response Method2 are secure against e-residue attacks for any odd prime e; (2) With the security parameter for the online attacks, we show that the RSA-PAKE protocol is provably secure in the random oracle model where all of the offline attacks are not more efficient than online dictionary attacks; and (3) By considering the Hamming weight of e and its complexity in the RSA-PAKE protocol, we search for primes to be recommended for a practical use. We also compare the RSA-PAKE protocol with the previous ones mainly in terms of computation and communication complexities.

