International Journal of Computer Applications (0975 – 8887) Volume 83 – No1, December 2013

Performance Analysis of Key Establishment Protocols for Secure System
Tej Bahadur Shahi
Tribhuvan University Central Department of Computer science and IT Kathmandu, Nepal

ABSTRACT
Providing security over open and large distributed networks has always been both intriguing and challenging. There is a great chance for malicious individuals to perform disruptive and unethical tasks. Malicious users may attempt to obtain valuable information. So we require a "secure channel" over an insecure network. The secure communication channel should achieve primary security goals like confidentiality, integrity, authentication and non-repudiation, and shared session keys are incorporated for the purpose. Therefore, it is of great interest and most challenging to devise effective mechanisms to establish these shared session keys, called the key distribution problem. Much work has been done in recent years on mechanisms for key establishment. Many cryptosystems rely on cryptographically secure keys and therefore have to deal with issues like key management. A number of key establishment protocols have been proposed by different researchers as solutions to the key distribution problem, and the password based scheme is one of them. A password is shared between the entities in password based schemes. However, because users choose small and frequently used words as passwords, these schemes suffer from password guessing attacks. Especially, these schemes are subject to offline dictionary attacks. This work focuses on password based key establishment. Even though there are a lot of password based schemes, the LDH, enhanced LDH, and PP-TAKE seem to be widely accepted mechanisms. In this context, this study includes performance evaluation of the above mentioned protocols.

Narendra Bohara
Tribhuvan University Sanothimi Campus Department of Information and Communication Technology Kathmandu, Nepal

General Terms
Security, Key Management, Protocols, Cryptosystems, Key Establishment, GF(p).

Keywords
LDH, CAPTCHA, PP-TAKE, RSA, key establishment protocols.

1. INTRODUCTION
When we transmit confidential messages from one user to another over an insecure network, an eavesdropper may be able to record, alter, delete, insert, reorder and reuse past or current messages, i.e. one can disclose their secrecy and modify them as well. So, an eavesdropper can break the security of the system in different ways. If the attacker attempts only to defeat a cryptographic technique by simply recording data and thereafter analyzing it, then this attack is called a passive attack, and an active attack involves modification of messages. Therefore the security of the cryptosystem is of great importance and challenging as well. To prevent such attacks and keep the cryptosystem secure, the system should ensure data confidentiality, data integrity, data origin authentication and non-repudiation [20]. To gain these security goals, we need to transmit messages in such a form that an eavesdropper might not be able to read the messages. For the purpose, some shared session key is required and incorporated to keep the system secure. The session keys help to make the communication secure because they vary with every execution round (session) of the protocol, in order to make the adversaries unable to know the messages in later communications even though the key in a previous session is compromised. So session keys are supposed to be ephemeral (temporary) ones. The secret key can subsequently be used to create a secure communication channel among the entities. The problem of finding effective mechanisms to establish these shared session keys is called the key distribution problem. Various key establishment protocols are used as solutions to the problem, and these are not equally efficient from security and execution time aspects. So finding an efficient protocol is of great interest.

2. PROBLEM FORMULATION

To achieve data confidentiality in a session established by party A with intended recipient B, one may use a cryptographic algorithm, called symmetric encryption, which, given a plaintext message m, produces a cipher text c that A can subsequently send to B over the network. This cipher text has the property that it does not reveal any information about the original plaintext to anyone except A and B. This property can be achieved since the algorithm requires A and B to share a piece of secret information, known as a shared session key, that is fresh and unique for each session. Similar reasoning shows that the other four goals of secure communications can be accomplished, provided that shared session keys are readily available to each pair of parties. Therefore, it is of great concern to devise effective mechanisms to establish these shared session keys, called the key distribution problem. The solution to the problem is to have the two parties share secret information (i.e. a password) for key establishment, without the need for a trusted party, i.e. password based key establishment protocols are solutions to the key distribution problem. Therefore, key establishment protocols are procedures to securely establish shared session keys over distributed networks. There are two major techniques of key establishment, key transport and key agreement, and our study focuses on key agreement protocols.

3. RESEARCH METHODOLOGY

3.1 Literature Review
Key agreement protocols have a very long history; the first well known protocol was Diffie-Hellman, proposed in 1976. The security of the Diffie-Hellman algorithm is based on the difficulty of computing discrete logarithms over a finite field in a reasonable time frame. It suffers from man-in-the-middle attacks [REFERENCE]. After the Diffie-Hellman protocol came to existence, many other key agreement protocols have been proposed by various researchers.

The concept of password-authenticated key exchange was first proposed by Bellovin and Merritt in 1992 [8]. In their paper, the Encrypted Key Exchange (EKE) protocol was proposed as a solution for remembering long keys for users. EKE uses private key and public cryptographic techniques, and it provides the adversary no sufficient information to verify his guessed password; therefore it is resistant to online-dictionary attacks. Later on the authors of EKE extended their protocol to Augmented EKE, to detect the attack on the host EKE, where the password is stored by avoiding storing the password in clear text format. Instead of storing passwords in the form of plain texts, these are stored as hash values. Encrypted Key Exchange protocols easily work with Diffie-Hellman key exchange (DH-EKE) [26], and the messages that need to be exchanged between the parties are first encrypted using the shared password and are then transmitted. But the EKE protocols do not work with other public-key cryptosystems like RSA and ElGamal. In 1996, David Jablon proposed SPEKE (Simple Password Encrypted Key Exchange) [1] as the extension of EKE. Besides preventing password dictionary attacks, the DH-EKE and SPEKE protocols achieve perfect forward secrecy; it means that the remaining session keys are not compromised even though the password is disclosed.

Bellovin and Merritt pointed out in [1] that the RSA-based EKE variant is subject to a special type of dictionary attack, called the e-residue attack. In 1997, Lucks [2] proposed an RSA-based password-authenticated key exchange protocol (called Open Key Exchange), which was claimed to be secure against the e-residue attack. Later, Mackenzie et al. [3] found that the OKE protocol is still subject to the e-residue attack. So in [4], Mackenzie proposed an RSA-based password-authenticated key exchange protocol, called SNAPI, and provided a formal security proof in the random oracle model. The SNAPI protocol makes it compulsory that the public exponent e be a prime number larger than the RSA modulus n. This ensures that e is relatively prime to phi(n). To avoid using this large public exponent e, Zhu et al. [23] proposed an "interactive" protocol [...] idea of [4]. In the interactive protocol, the sender sends to the receiver a number of messages encrypted using the receiver's public key. Further in [24], Wong et al. revised the interactive protocol to reduce the message size involved in the interactive protocol. A drawback of the interactive protocols is the large communication overhead involved in the verification of the RSA public key.

To overcome the drawback of the interactive protocol, Muxiang Zhang proposed RSA-based password-authenticated key exchange protocols that can use both large and small primes as RSA public exponent, and that do not require large communication overhead on communicating parties. For this purpose, a new protocol was proposed for password-authenticated key exchange based on RSA. The new protocol is called PEKEP, which involves two entities sharing a short password, and the receiver possesses a pair of RSA keys, n, e and d, where ed ≡ 1 (mod phi(n)). Unlike the protocol SNAPI, however, the new protocol PEKEP allows the receiver to select both large and small primes for the RSA public exponent e. In the protocol PEKEP, the sender does not need to verify if e is relatively prime to phi(n), and furthermore, the sender does not have to test primality of a large public exponent selected by the receiver. Thus, the protocol PEKEP improves on SNAPI by reducing the cost of the primality test of RSA public exponents. The protocol PEKEP also improves on the interactive protocol by reducing the size of messages communicated between the entities. To further reduce the computational load on entities, the same writers proposed a computationally efficient key exchange protocol (called CEKEP).

In 1999, Seo and Sweeney proposed a simple authenticated key agreement protocol in which two users share a common password P before the protocol execution starts, and which uses the same public values of g and n as the original Diffie-Hellman [19]. It is a slight modification of Diffie-Hellman. It also protects against the man in middle attack. In the Diffie-Hellman key agreement protocol, the system uses public values n and g, where n is a large prime number and g is a generator with order n-1 in GF(n). It incorporates the authentication based on a pre-shared password. After the scheme of Seo and Sweeney, a lot of work has been done to improve the scheme. In 2005, Tseng stated that Seo and Sweeney's scheme also suffers [...] attacker can successfully make an honest party compute a wrong session key. Tseng also proposed an improved scheme to remedy this vulnerability [4]. Later, Ku and Wang also showed that Tseng's scheme is [...] backward replay attack and the modification attack, and further he proposed a modification to eliminate these attacks. However, Hsu et al. in 2003 showed that Ku [...] scheme is weak to the modification attack, in which an adversary fools two communicating parties into sharing a wrong session key, and proposed an improvement to solve this weakness [7]. Then, Lee and Lee found that Hsu et al.'s scheme has a weakness against the modification attack of (Hsu et al. 2003) and proposed an improved scheme to repair this security flaw. Again, Lee et al. in 2005 argued that Lee and Lee's scheme is also vulne[...] attack and proposed an improved scheme. In 2005, Kwon, Hwang, Kim, Lee showed that Le[...] which is revised by LKY, is still vulnerable to a password guessing attack [9].

In 2005, Laih, Ding and Huang proposed a password-based key establishment protocol in which a user and a server authenticate each other and negotiate a session key. It uses a special function which is a combination of a picture function and a distortion function to protect the protocol from offline dictionary attack. It was followed by the Enhanced LDH protocol, proposed by Qiang Tang and Chris J. Mitchell in 2005. It includes the identities of participants.

After a lot of research work in one factor authentication protocols, researchers felt that it is no more secure than two-factor authentication protocols. So researchers gave more focus to two factor authentication protocols. Park and Park first [18] proposed a two factor authenticated key exchange (PP-TAKE) protocol with two factors including a password and a token (e.g., a smart card with a stored secret key) to make the system more secure. This scheme provides mutual authentication.

3.2 Key Establishment Protocols
3.2.1 LDH Protocol

Start
Client: Generate_random(t), t ∈ [...]; SendtoServer(IDU, t)
Server: Generate_random(s); Select_string(r); Compute C1 = Epw(φ(r, s)), C2 = h(pw||r||t) and SendtoClient(C1, C2)
Client: Receive(C1, C2); D = Decrypt(C1); Recover r' from D; Check if C2 = h(pw||r'||t), Then compute C3 = h(1||pw||r'||t) and SendtoServer(C3), else terminate protocol
Server: Receive(C3); Check if C3 = h(1||pw||r||t), Then confirm U as a valid user, Else terminate protocol.
If the protocol successfully ends, S and U compute their session key as h(2||pw||r||t).
End

3.2.2 Enhanced LDH Protocol
Start
Client U: Generate_random(t1), t1 ∈ [...]; Compute m1 = g^t1 mod p; SendtoServer(m1)
Server: Receive(m1); Generate_random(t2), t2 ∈ [...] and r is a string; Compute m2 = g^t2 mod p; Send(m2)
Client: Receive(m2); Recover(r) from φ(r); Compute C1 = h(φ(r)||r||[...]||m1||m2||g^(t1t2)||[...]||IDU||IDS); SendtoServer(C1)
Server: Receive(C1); Check if C1 = h(φ(r)||r||[...]||m1||m2||g^(t1t2)||[...]||IDU||IDS), then Compute C2 = h([...]||m1||m2||g^(t1t2)||[...]||IDU||IDS) and SendtoClient(C2), else Terminate the protocol
Client: Receive(C2); Check if C2 = h([...]||m1||m2||g^(t1t2)||[...]||IDU||IDS), then U confirms that the protocol execution has successfully ended, Else Terminate Protocol
If protocol successfully ends, U and S compute z = g^(t1t2) mod p as the shared key material and computes K = h(z||1) as the shared key.
End.

3.2.3 PP-TAKE Protocol
Begin
Client: Pre_Compute c = g^x in advance [...]; Compute h(IDA, [...]); SendtoServer(h(IDA, [...]))
Server: Receive(h(IDA, [...])); Obtain_real_identity(IDA); If identity found, Select(r) and send r
Client: Receive(r); Compute f = h([...]), e = [...], skA = h(c [...] r [...] IDA), VA = h(skA [...]); SendtoServer(e, VA)
Server: Receive(e, VA); Compute f = h([...]), c = D[...](e) and skB = h(c [...] r [...] IDA); Check if VA = h(skB [...]), Then computes VB = h(skB [...]) and SendtoClient(VB), else terminate protocol
Client: Receive(VB); Check if VB = h(skA [...]), Then B is the valid server
End

3.3 Experimentation and Analysis
3.3.1 Execution time analysis
The results shown below were acquired on machines with Microsoft Windows 7 operating system, Pentium 2 GHz processor and 3 GB RAM. The table 1 shows the average time needed for successful completion of each protocol. All time measurements are in seconds. To find more accuracy, 20 readings of each protocol execution have been recorded and average value is taken as result. The result shows that the PP-take protocol is 12.62% better than LDH and 88.49% better than enhance LDH. The prime numbers selected are of 512 bits. The graph in figure 1 shows the execution time comparison of three protocols for secure communication.

Table 1. Execution time comparison in seconds

S.N            LDH     Enhanced LDH    PP-Take
1              11      9               9
2              4       52              4
3              5       51              4
4              4       13              4
5              7       89              4
6              9       48              4
7              5       12              4
8              5       83              4
9              5       16              4
10             4       1               4
11             4       15              4
12             4       17              6
13             5       112             5
14             5       22              4
15             4       9               4
16             5       7               4
17             4       27              5
18             4       89              5
19             5       53              7
20             4       27              4
Average time   5.15    39.1            4.5

3.3.2 Security Analysis

The security function φ
In LDH, the protection of password is totally based on the security of the function φ, which assumes that human, more than the machine, can identify distorted words but it is not possible to identify these words with software with high success rate. But there are various methods that can identify with high success rate, like Mori and Malik which gave 83% success rate against ez-gimpy image, Thayananthan developed program achieved 93% success rate against ez-gimpy [14,22]. So CAPTCHA schemes are no more secure.

Offline dictionary attack
Let [...] strings [...] is the password set. When a = 62 (characters from a-z, A-Z and 0-9) and n = 4, the set of passwords [...] equals 2[...]. In addition, there are a number of vulnerabilities regarding LDH protocol based on following facts:
1. A human being is able to recognize r from D(φ(r, s)) [...]
2. If [...] pw' [...] means that D[...] resemble a random image. This means that it is possible to determine whether or not [...] password [...] correct only by deciding [...] is a distorted image or a random pattern.
3. Software can be developed to distinguish between a distorted image and a random pattern, for example a compression algorithm that will compress an image but not the random pattern, which will be much simpler than string recognition.
4. Humans repeat some password than others, it means that |pw| will be less than 2^23.

On the basis of above facts, there is a chance of offline dictionary attack in LDH as follows: The machine checks all possible passwords. For each guessed password pw', the machine computes [...]pw'(C1). By some means like software, the machine checks whether [...] is a distorted image or a random pattern. If distorted image is obtained, the password is correct. So this requires only search of |Cpw|. Suppose that machine takes 1 millisecond to check one value of pw', the total time required to check a password space of size 2^23
= 2^23 millisecond
= 2^23 / (10^3 × 60 × 60) hrs
= 2.3 hrs
So the password can be guessed in only 2.3 hrs, which is reasonable amount of time and it shows that LDH protocol suffers from offline password guessing attack. These security vulnerabilities arise because the protection of the secrecy of a password is based on the assumption of machine's inability to read di[...] appropriate and the CAPTCHA scheme is better to use only to guarantee the presence of human being (not more than that i.e. not to protect the secrecy of passwords). In enhanced LDH, CAPTCHA scheme has been used only to guarantee the participation of human being in protocol execution.
The enhanced LDH is more secure because it is based on intractability of Computational Diffie Hellman Problem which states that given two values of g^x1 and g^x2, it is hard to recover g^(x1x2) in reasonable amount of time. So in case of enhance LDH, even an adversary knows the m1 = g^t1 mod p and m2 = g^t2 mod p, he cannot find z = g^(t2t1) mod p. For finding m1, an adversary should know either t1 or t2 which is hard due to a [...]

4. RESULT AND CONCLUSION
From the implementation part and analysis part in this chapter, it has been found that enhanced LDH protocol is secure for generic systems with comparison to LDH. The time taken by LDH, Enhanced LDH, and PP-TAKE protocol for key establishment were found to be 5.15, 39.1 and 4.5 seconds respectively. So PP-TAKE was found to be efficient for handheld devices because it takes less time for key establishment. PP-TAKE was found 8.68 times faster than enhanced LDH and 1.10 times faster than LDH. When we transmit secret messages from one user to another over an insecure network, an eavesdropper can capture messages unethically resulting into the breakdown of the security of the system. To keep the cryptosystem secure, messages need to be transmitted in encrypted form that an eavesdropper might not be able to read the messages. For the purpose, some shared session key is required and incorporated it to keep the system secure. However the secure distribution of key is most challenging task. Key establishment protocols have been used as solutions to the key distribution problem. Here in the study, LDH, Enhanced LDH and PP-TAKE protocols were implemented for the purpose. Furthermore, the security of the former two protocols were analyzed based on various security parameters like security function CAPTCHA, factors defining offline dictionary attack. Against the claim of proposers of LDH protocol, this study shows that it still suffers from offline dictionary attack and password can be guessed only in 2.3 hours. Furthermore, enhanced LDH has been found more secure than LDH protocol. Studying these protocols on the basis of execution time, PP-TAKE protocol has been found 8.68 times faster than enhanced LDH and 1.10 times faster than LDH.
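The Enhanced LDH flow of Section 3.2.2 and the Computational Diffie-Hellman argument of Section 3.3.2, sketched as an added example that is not the authors' implementation. Assumptions: the toy group `P`, `G`, the identities, SHA-256 over length-prefixed fields, the labels `b"0"`, `b"1"` and `b"key"`, and that the password is hashed into both confirmation values (the extracted figure does not preserve the exact hash inputs).

```python
import hashlib
import hmac
import secrets

# Constructed demo group (assumption): 127-bit Mersenne prime. Far too small
# for real use; the paper's measurements used 512-bit primes.
P = 2**127 - 1
G = 3
ID_U, ID_S = b"client-U", b"server-S"   # hypothetical identities


def h(*fields: bytes) -> bytes:
    """SHA-256 over length-prefixed fields, so 'ab'||'c' differs from 'a'||'bc'."""
    digest = hashlib.sha256()
    for field in fields:
        digest.update(len(field).to_bytes(4, "big") + field)
    return digest.digest()


def i2b(x: int) -> bytes:
    """Fixed-width encoding of a group element (P fits in 16 bytes)."""
    return x.to_bytes(16, "big")


def valid_public(m: int) -> bool:
    """Reject degenerate values (0, 1, p-1) that would force a predictable z."""
    return 1 < m < P - 1


def confirm(label: bytes, r: bytes, m1: int, m2: int, z: int, pw: bytes) -> bytes:
    # Assumed layout: label || r || m1 || m2 || g^(t1*t2) || pw || ID_U || ID_S
    return h(label, r, i2b(m1), i2b(m2), i2b(z), pw, ID_U, ID_S)


def run_exchange(client_pw: bytes, server_pw: bytes):
    """Run one session; return (client_key, server_key) or None on any failed check."""
    # Client -> Server: m1 = g^t1 mod p
    t1 = secrets.randbelow(P - 3) + 2
    m1 = pow(G, t1, P)
    if not valid_public(m1):             # check performed by the server
        return None
    # Server -> Client: m2 = g^t2 mod p plus the challenge string r
    # (r stands in for the CAPTCHA text a human would read back).
    t2 = secrets.randbelow(P - 3) + 2
    m2 = pow(G, t2, P)
    r = secrets.token_hex(4).encode()
    if not valid_public(m2):             # check performed by the client
        return None
    # Client: derive z = m2^t1 and send confirmation C1
    z_client = pow(m2, t1, P)
    c1 = confirm(b"0", r, m1, m2, z_client, client_pw)
    # Server: derive z = m1^t2, recompute C1 with its own password copy
    z_server = pow(m1, t2, P)
    if not hmac.compare_digest(c1, confirm(b"0", r, m1, m2, z_server, server_pw)):
        return None                      # wrong password or altered m1/m2
    c2 = confirm(b"1", r, m1, m2, z_server, server_pw)
    # Client: verify the server's confirmation before using the key
    if not hmac.compare_digest(c2, confirm(b"1", r, m1, m2, z_client, client_pw)):
        return None
    return h(i2b(z_client), b"key"), h(i2b(z_server), b"key")
```

Both confirmation values cover z = g^(t1t2), so a recorded transcript (m1, m2, r, C1, C2) gives a passive eavesdropper nothing to test a password guess against without first recovering z from m1 and m2.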

2. FUTURE WORK
Key management is an interesting research field of cryptography, and a lot of research work is in progress in key management. Regarding the thesis topic, the results were based on the security function text CAPTCHA. The study is limited to distortion free, sound free CAPTCHA. So this study may be prolonged for the visual CAPTCHA incorporating distortion and audio CAPTCHA as well. This study is restricted to the multiplicative cyclic group, so it may be extended to the group of points of an elliptic curve. An efficient protocol has been suggested in terms of execution time only; it may be continued to find an efficient protocol on the basis of communication time, computation time, occupation of bandwidth (i.e. in terms of number of data units transmitted) etc.

8. ACKNOWLEDGEMENT
Authors would like to thank Dr. Tank Nath Dhamala, Professor of mathematics and former head of department, central department of computer science and information technology, and Asst. Prof. Jagadish Bhatt for their supervision during the completion of this work.

9. REFERENCES
[1] Stallings William, Cryptography and Network Security Principles and practices, Fourth Edition, 2009.
[2] Jablon David P., Strong password-only authenticated key exchange, ACM, 1996.
[3] Zhu F., Wong D., Chan A. and Ye R., More efficient password authenticated key exchange based on RSA, Springer-Verlag, 2003.
[4] Aloul Fadi, Zahidi Syed, El-Hajj Wasim, Multifactor Authentication using Mobile Phones, International Journal of Mathematics and Computer Science, 2009.
[5] Bellovin and Merritt, Encrypted Key Exchange: password based protocols secure against dictionary attacks, IEEE, 1992.
[6] Tseng, Y.M., Weakness in simple authenticated key agreement scheme, Electronics Letters 36 (1), pp. 48–49, 2005.
[7] Wu Shuhua and Zhu Yuefei, Improved Two-Factor Authenticated Key Exchange Protocol, The International Arab Journal of Information Technology, Vol. 8, No. 4, October 2011.
[8] Seo Dong hwi, Sweeney P., Simple authenticated key agreement algorithm, Electronics Letters, 1999.
[9] Bellovin and Merritt, Encrypted Key Exchange: password based protocols secure against dictionary attacks, IEEE, 1992.
[10] Hsu C.L., Wu T.S., Wu T.C., Mitchell C., Improvement of modified authenticated key agreement scheme, Applied Mathematics Computation 142, pp. 305–308, 2003.
[11] Kwon J.O., Hwang J.Y., Kim C., Lee D.H., Cryptanalysis of Lee–Kim–Yoo password based key agreement scheme, Applied Mathematics and Computation 168, pp. 858–865, 2005.
[12] Pilla K.R. Chandrashekhar and Sebastian M. P., An Authenticated Session Key Establishment Protocol for High Security Applications, Canadian Journal on Network & Information Security, Canada, Vol.1, No.2, pp.5‐15, March 2010.
[13] Mori G. and Malik J., Recognizing objects in adversarial clutter: Breaking a visual CAPTCHA, IEEE Computer Society, 2003.
[14] Thayananthan A., Stenger B., Torr P., and Cipolla R., Shape context and chamfer matching in cluttered scenes, IEEE Computer Society, 2003.