
IEEE COMMUNICATIONS LETTERS, VOL. 16, NO. 4, APRIL 2012

Cryptanalysis of Two Identity-Based Authenticated Key Agreement Protocols


Kyung-Ah Shim, Member, IEEE

Abstract: The identity-based infrastructure introduced by Shamir allows a user's public key to be easily derivable from her known identity information such as an email address or a cellular phone number. Such cryptosystems alleviate the certificate overhead and solve the problems of PKI technology. In this letter, we show that two identity-based authenticated key agreement protocols proposed by Hölbl and Welzer are completely broken.

Index Terms: Identity-based system, authenticated key agreement protocol, implicit key authentication, man-in-the-middle attack.

I. INTRODUCTION

A key establishment protocol allows two or more entities to establish a shared key which can be used for encrypting communications over an insecure network. A two-party key agreement protocol is used to establish a common session key between two entities. Key distribution is the process by which two or more entities establish a shared secret key. The key is subsequently used to achieve some cryptographic goal such as confidentiality or data integrity. The Diffie-Hellman key agreement protocol [3] is the first practical solution to the key distribution problem, allowing two parties, never having met in advance or shared keying material, to establish a shared secret by exchanging messages over an open channel. However, it suffers from man-in-the-middle attacks because it does not attempt to authenticate the communicating entities. Let A and B be two honest entities, i.e., legitimate entities who execute the steps of a protocol correctly. A key agreement protocol is said to provide implicit key authentication of B to A if entity A is assured that no other entity aside from a specifically identified second entity B can possibly learn the value of a particular secret key. A key agreement protocol which provides implicit key authentication to both participating entities is called an authenticated key agreement protocol. There are several approaches to distribute long-term public keys and to provide implicit key authentication: implicitly certified public keys, identity-based keys and public-key certificates. The identity (ID)-based infrastructure introduced by Shamir [18] allows a user's public key to be easily derivable from her known identity information such as an email address or a cellular phone number. Such cryptosystems alleviate the certificate overhead and solve the problems of PKI technology.

The ID-based infrastructure involves users and a Private Key Generator (PKG or KGC) having a master public/secret key pair. The PKG is responsible for generating private keys for users. Since Okamoto [14] and Günther [5] proposed two-party ID-based authenticated key agreement protocols, a number of ID-based authenticated key agreement protocols have been proposed to meet a variety of desirable security and performance requirements [14], [5], [15], [17], [19]. Many of these schemes were subsequently found to be flawed and then were modified to resist the new attacks [10], [12], [16], [20]. Recently, Hölbl and Welzer [7] proposed two ID-based authenticated key agreement protocols in the two-party setting, which were claimed to satisfy all desirable security properties: implicit key authentication, known-key security, forward secrecy, key-compromise impersonation resilience, unknown key-share resilience and key control. In this letter, we show that the protocols are completely broken.

The rest of the letter is organized as follows. In Section II, we review Hölbl-Welzer's two ID-based authenticated key agreement protocols. In Section III, we present man-in-the-middle attacks and impersonation attacks on the protocols. Concluding remarks are given in Section IV.

II. REVIEW OF HÖLBL-WELZER'S AUTHENTICATED KEY AGREEMENT PROTOCOLS

Here, we review Hölbl-Welzer's two ID-based authenticated key agreement protocols [7]. The first protocol is based on Hsieh et al.'s protocol [8], which satisfies key-compromise impersonation resilience. The second protocol is an improved version of Tseng's protocol [19]. Both protocols consist of three phases: System Setup, Private Key Extraction and Key Agreement.

A. Hölbl-Welzer's Protocol 1

System Setup. In the setup phase, the KGC chooses a large prime integer $p$, a primitive root $g$ of $\mathbb{Z}_p^*$, a one-way function $h$, a random integer $x_S \in \mathbb{Z}_p^*$ and computes $y_S = g^{x_S} \pmod p$. Afterwards $\{g, h, p, y_S\}$ are made public, while $x_S$ is kept secret.

Private Key Extraction. For each user, the KGC computes $I_i = h(ID_i)$, where $ID_i$ is the identity of user $i$. Next, a random number $k_i \in \mathbb{Z}_p^*$ is chosen and the user's public key is computed as $u_i = g^{k_i} \pmod p$ and the private key as $v_i = I_i k_i + x_S u_i \pmod{p-1}$. For simplicity, we omit the operation mod $p$ hereafter.

Key Agreement. The key agreement is conducted as follows:

Manuscript received December 14, 2011. The associate editor coordinating the review of this letter and approving it for publication was J. Wang. The author is with the Division of Fusion and Convergence of Mathematical Sciences, National Institute for Mathematical Sciences, KT Daedoek 2nd Research Center 463-1 Jeonmin-dong, Yuseong-gu, Daejeon, Korea (e-mail: kashim@nims.re.kr). Digital Object Identifier 10.1109/LCOMM.2012.022112.112421

1089-7798/12$31.00 © 2012 IEEE

1) A selects a random number $r_A \in \mathbb{Z}_p^*$, computes $t_A = g^{r_A}$ and sends $\{u_A, t_A, ID_A\}$ to B. Similarly, B selects a random number $r_B \in \mathbb{Z}_p^*$, computes $t_B = g^{r_B}$ and sends $\{u_B, t_B, ID_B\}$ to A.

2) Next, A computes $I_B = h(ID_B)$,
$$x_A = u_B^{I_B}\, y_S^{u_B} = g^{k_B I_B}\, g^{x_S u_B} = g^{v_B}$$
and the key $K_{AB} = (x_A t_B)^{v_A + r_A} = g^{(r_B + v_B)(r_A + v_A)}$. Similarly, B computes $I_A = h(ID_A)$,
$$x_B = u_A^{I_A}\, y_S^{u_A} = g^{v_A}$$
and the key $K_{BA} = (x_B t_A)^{v_B + r_B} = g^{(r_A + v_A)(r_B + v_B)}$.

3) The shared secret key after a successful run is $K = K_{AB} = K_{BA} = g^{(r_A + v_A)(r_B + v_B)}$.

B. Hölbl-Welzer's Protocol 2

System Setup. In the setup phase, the KGC chooses a large prime integer $p$, a primitive root $g$ of $\mathbb{Z}_p^*$, a one-way function $h$, a random integer $x_S \in \mathbb{Z}_p^*$ and computes $y_S = g^{x_S}$. Afterwards $\{g, h, p, y_S\}$ are made public, while $x_S$ is kept secret.

Private Key Extraction. For each user, the KGC computes $I_i = h(ID_i)$, where $ID_i$ is the identity of user $i$. Next, a random number $k_i \in \mathbb{Z}_p^*$ is chosen and the user's public key is computed as $u_i = g^{k_i}$ and the private key as $v_i = k_i + x_S\, h(ID_i, u_i) \pmod{p-1}$.

Key Agreement. The key agreement is conducted as follows:

1) A selects a random number $r_A \in \mathbb{Z}_p^*$, computes $t_A = g^{r_A}$ and sends $\{u_A, t_A, ID_A\}$ to B. Similarly, B selects a random number $r_B \in \mathbb{Z}_p^*$, computes $t_B = g^{r_B}$ and sends $\{u_B, t_B, ID_B\}$ to A.

2) Next, A computes $I_B = h(ID_B)$, $w_A = r_A + v_A$,
$$x_A = u_B\, y_S^{h(ID_B, u_B)} = g^{k_B}\, g^{x_S h(ID_B, u_B)} = g^{v_B}$$
and the key $K_{AB} = (x_A t_B)^{w_A} = (g^{v_B} g^{r_B})^{w_A} = g^{w_A w_B}$. Similarly, B computes $I_A = h(ID_A)$, $w_B = r_B + v_B$,
$$x_B = u_A\, y_S^{h(ID_A, u_A)} = g^{k_A}\, g^{x_S h(ID_A, u_A)} = g^{v_A}$$
and the key $K_{BA} = (x_B t_A)^{w_B} = (g^{v_A} g^{r_A})^{w_B} = g^{w_A w_B}$.

3) The shared secret key after a successful run is $K = K_{AB} = K_{BA} = g^{w_A w_B} = g^{(r_A + v_A)(r_B + v_B)}$.

III. CRYPTANALYSIS OF HÖLBL-WELZER'S PROTOCOLS

Now, we show that Hölbl-Welzer's two protocols are vulnerable to man-in-the-middle attacks and impersonation attacks.

Man-in-the-middle Attack on Protocol 1. First, an adversary E eavesdrops on a communication of A and B. When A sends $\{u_A, t_A, ID_A\}$ to B, E intercepts it and sends $\{u_A, t_A', ID_A\}$ to B, where $t_A' = g^{\alpha}(g^{v_A})^{-1} = g^{\alpha - v_A}$ and $\alpha$ is a random number chosen by E. Note that E does not need $v_A$ for this: $g^{v_A} = u_A^{I_A} y_S^{u_A}$ is computable from public values alone. Similarly, when B sends $\{u_B, t_B, ID_B\}$ to A, E intercepts it and sends $\{u_B, t_B', ID_B\}$ to A, where $t_B' = g^{\beta}(g^{v_B})^{-1} = g^{\beta - v_B}$ and $\beta$ is a random number chosen by E. After receiving $\{u_B, t_B', ID_B\}$, A computes $K_{AB}$ as
$$(g^{v_B} t_B')^{v_A + r_A} = (g^{v_B} g^{\beta - v_B})^{v_A + r_A} = (g^{\beta})^{v_A + r_A}.$$
Similarly, after receiving $\{u_A, t_A', ID_A\}$, B computes the shared secret $K_{BA}$ as
$$(g^{v_A} t_A')^{v_B + r_B} = (g^{v_A} g^{\alpha - v_A})^{v_B + r_B} = (g^{\alpha})^{v_B + r_B}.$$
Finally, E can compute the two keys $K_{AB}$ and $K_{BA}$ as
$$K_{AB} = (g^{v_A} t_A)^{\beta} = g^{\beta(v_A + r_A)}, \qquad K_{BA} = (g^{v_B} t_B)^{\alpha} = g^{\alpha(v_B + r_B)}.$$
Consequently, E and A have the shared key $K_{AB} = g^{\beta(v_A + r_A)}$, and E and B have the shared key $K_{BA} = g^{\alpha(v_B + r_B)}$. In fact, A and B cannot know that they have different shared secret keys because there is no additional key confirmation procedure in the protocol. Therefore, E can decrypt all ciphertexts encrypted under $K_{AB}$ (or $K_{BA}$) between A and B.

Impersonation Attack I on Protocol 1. Suppose that an adversary E wants to impersonate A to B. First, E chooses a random value $t \in \mathbb{Z}_p^*$. Let $t$ be equal to $r_A + v_A$. Note that neither $r_A$ nor $v_A$ is known to E. However, E can obtain $g^{r_A}$ by computing $g^{t}(g^{v_A})^{-1}$, where anyone can obtain $g^{v_A}$ from known values as $u_A^{I_A} y_S^{u_A} = g^{v_A}$. Next, E sends $\{u_A, t_A = g^{r_A}, ID_A\}$ to B impersonating A. After receiving the message, B computes the shared secret $K_{BA}$ as
$$(x_B t_A)^{v_B + r_B} = (g^{v_A} g^{r_A})^{v_B + r_B} = g^{(r_A + v_A)(r_B + v_B)}.$$
After receiving $\{u_B, t_B, ID_B\}$, E can compute the shared secret $K_{AB}$ as
$$(x_A t_B)^{t} = (g^{v_B} g^{r_B})^{t} = g^{(r_A + v_A)(r_B + v_B)},$$
since $t = r_A + v_A$, without the knowledge of A's long-term secret key $v_A$. Finally, E succeeds in impersonating A to B as well as in obtaining the session key $K = K_{AB} = K_{BA}$.

Impersonation Attack II on Protocol 2. Suppose that an adversary E wants to impersonate A to B. First, E chooses a random value $\alpha \in \mathbb{Z}_p^*$ and computes $t_A$ as
$$t_A = g^{\alpha}\,\bigl(u_A\, y_S^{h(ID_A, u_A)}\bigr)^{-1} = g^{\alpha}(g^{v_A})^{-1} = g^{\alpha - v_A}.$$
Next, E sends $\{u_A, t_A = g^{\alpha - v_A}, ID_A\}$ to B impersonating A. After receiving the message, B computes the shared secret
$$K_{BA} = (x_B t_A)^{v_B + r_B} = (g^{v_A} g^{\alpha - v_A})^{v_B + r_B} = g^{\alpha(v_B + r_B)}.$$
After receiving $\{u_B, t_B, ID_B\}$, E can compute the shared secret
$$K_{AB} = (x_A t_B)^{\alpha} = (g^{v_B} g^{r_B})^{\alpha} = g^{\alpha(v_B + r_B)} = K_{BA}$$
without the knowledge of A's long-term secret key $v_A$. Finally, E succeeds in impersonating A to B as well as in obtaining the session key $K = K_{AB} = K_{BA}$.

The above two attacks are based on the same idea: the adversary is able to generate $t_A$ so that A's public value $g^{v_A}$ cancels out of the key derivation, and the corresponding private key becomes meaningless. The same attacks can be applied to the other protocol. Note also that adding key confirmation, whose absence lets the man-in-the-middle attack go unnoticed, would not stop the impersonation attacks: E holds exactly the session key B derives and can pass any confirmation step. These results show that the protocols are completely broken.

IV. CONCLUSION

We have shown that Hölbl-Welzer's two ID-based authenticated key agreement protocols are completely broken. Our results demonstrate that no more ID-based authenticated key agreement protocols should be constructed with such ad-hoc methods. Recently, the provable security approach has come to be considered by almost all cryptographers an indispensable technique when proposing and analyzing a new protocol. Several ID-based authenticated key agreement protocols with provable security in formal security models have been proposed [1], [22], [6], [9], [4], [23]. Some of them satisfy all the desirable security properties: implicit key authentication, known-key security, forward secrecy, key-compromise impersonation resilience, unknown key-share resilience and key control. However, having a formal security model and a provably secure protocol in that model is no panacea, since the security proof only works within the model. It turned out that several provably secure authenticated key agreement protocols still had security flaws [2], [21], [11], [13] because of the adoption of insufficient security models which do not entirely capture all the attacks that might be considered realistic. Their proofs, based on the intractability of computational hard problems such as the Computational Diffie-Hellman problem and the Bilinear Diffie-Hellman problem, seem to be routine and similar. In fact, they may not cover various attacks due to algebraic relationships between elements in the underlying group. Therefore, a formal security model should contain several granular security notions to modulate the adversary's power and to guarantee security against potential attacks, including various algebraic attacks.

ACKNOWLEDGEMENT

This work was supported by the National Institute for Mathematical Sciences grant funded by the Korean Government (No. B21203).

REFERENCES

[1] L. Chen, Z. Cheng, and N. P. Smart, "Identity-based key agreement protocols from pairings," Int'l J. Inf. Security, vol. 6, no. 4, pp. 213-241, 2007.
[2] K.-K. R. Choo, "Revisit of McCullagh-Barreto two-party ID-based authenticated key agreement protocols," Int'l J. Network Security, vol. 1, no. 3, pp. 154-160.
[3] W. Diffie and M. E. Hellman, "New directions in cryptography," IEEE Trans. Inf. Theory, vol. 22, pp. 644-654, 1976.
[4] M. Gorantla, C. Boyd, and J. G. Nieto, "ID-based one-pass authenticated key establishment," in Proc. 2008 Australasian Conference on Information Security, pp. 39-46.
[5] C. G. Günther, "An identity-based key-exchange protocol," Advances in Cryptology-Eurocrypt '89, LNCS 434, Springer-Verlag (1990), pp. 29-37.
[6] H. Guo, Z. Li, Y. Mu, and X. Zhang, "Provably secure identity-based authenticated key agreement protocols with malicious private key generators," Information Sciences, vol. 181, no. 3, pp. 628-647, 2011.
[7] M. Hölbl and T. Welzer, "Two improved two-party identity-based authenticated key agreement protocols," Computer Standards & Interfaces, vol. 31, no. 6, pp. 1056-1060, 2009.
[8] B. T. Hsieh, H. M. Sun, T. Hwang, and C. T. Lin, "An improvement of Saeednia's identity-based key exchange protocol," in Proc. 2002 Information Security Conference, pp. 41-43.
[9] IEEE P1363.3 Identity-Based Public Key Cryptography, Draft D3, http://grouper.ieee.org/groups/1363/IBC/index.html, 2006.
[10] S. Kim, M. Mambo, T. Okamoto, H. Shizuya, M. Tada, and D. Won, "On the security of the Okamoto-Tanaka ID-based key exchange protocol against active attacks," IEICE Trans. Fundamentals of Electron., Commun. and Computer Sciences, vol. E84-A, no. 1, pp. 231-238, 2001.
[11] M.-H. Lim, S. Lee, and S. Moon, "Cryptanalysis of Tso et al.'s ID-based tripartite authenticated key agreement protocol," Information Systems Security, LNCS 4812, Springer-Verlag (2007), pp. 64-76.
[12] M. Mambo and H. Shizuya, "A note on the complexity of breaking Okamoto-Tanaka ID-based key exchange scheme," IEICE Trans. Fundamentals of Electron., Commun. and Computer Sciences, vol. E82-A, no. 1, pp. 77-80, 1999.
[13] N. McCullagh and P. S. L. M. Barreto, "A new two-party identity-based authenticated key agreement," CT-RSA '05, LNCS 3376, Springer-Verlag (2005), pp. 262-274.
[14] E. Okamoto, "Key distribution systems based on identification information," Theory and Applications of Cryptographic Techniques on Advances in Cryptology, LNCS 293, Springer-Verlag (1988), pp. 194-202.
[15] E. Okamoto and K. Tanaka, "Key distribution system based on identification information," IEEE J. Sel. Areas Commun., vol. 7, no. 4, pp. 481-485, 1989.
[16] S. Saeednia, "Improvement of Günther's identity-based key exchange protocol," Electron. Lett., vol. 36, no. 18, pp. 1535-1536, 2000.
[17] S. Saeednia and R. Safavi-Naini, "A new identity-based key exchange protocol minimizing computation and communication," International Workshop on Information Security, LNCS 1396, Springer-Verlag (1998), pp. 328-334.
[18] A. Shamir, "Identity-based cryptosystems and signature schemes," Advances in Cryptology-Crypto '84, LNCS 196, Springer-Verlag (1984), pp. 47-53.
[19] Y. M. Tseng, "An efficient two-party identity-based key exchange protocol," Informatica, vol. 18, no. 1, pp. 125-136, 2007.
[20] Y. M. Tseng, J. K. Jan, and C. H. Wang, "Cryptanalysis and improvement of an identity-based key exchange protocol," J. Computers, vol. 14, no. 3, pp. 17-22, 2002.
[21] R. Tso, T. Okamoto, T. Takagi, and E. Okamoto, "An ID-based non-interactive tripartite key agreement protocol with k-resilience," in Proc. 2005 International Conference on Communications and Computer Networks, pp. 38-42.
[22] S. Wang, Z. Cao, K. R. Choo, and L. Wang, "An improved identity-based key agreement protocol and its security proof," Information Sciences, vol. 179, no. 3, pp. 307-318, 2009.
[23] R. W. Zhu, G. Yang, and D. S. Wong, "An efficient identity-based key exchange protocol with KGS forward secrecy for low-power devices," Theoretical Computer Science, vol. 378, no. 2, pp. 198-207, 2007.
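Worked example for Sections II and III, added by the editor and not part of the letter or of Hölbl and Welzer's work: both protocols are implemented over a toy group (the assumed parameters are the Mersenne prime $p = 2^{31}-1$ with primitive root $g = 7$, and $h$ is SHA-256 reduced mod $p-1$), and the three attacks are run against them. The `variant` switch selects Protocol 1 or Protocol 2; the attack code is identical for both, which is the letter's closing observation that the same attacks apply to the other protocol. All names (`KGC`, `public_value`, `mitm_run`, ...) and the identities are this example's own.

```python
# Hölbl-Welzer Protocols 1 and 2 (toy parameters) with the honest run of
# Section II and the man-in-the-middle / impersonation attacks of Section III.
# Editor's example, not code from the letter.
import hashlib
import secrets

# Assumed toy parameters: p = 2^31 - 1 is prime and g = 7 is a primitive root
# mod p, so g has order p - 1 and exponents are reduced mod p - 1.
P = 2**31 - 1
G = 7


def h(*parts):
    """One-way function h: hashes its arguments into Z_{p-1}."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)


def rand_exp():
    """Random element of Z_p^*: used for k_i, r_i, x_S and E's alpha, beta, t."""
    return secrets.randbelow(P - 2) + 1


class KGC:
    """Key generation centre: master key x_S, public y_S = g^{x_S}. variant is 1 or 2."""

    def __init__(self, variant):
        self.variant = variant
        self.x_S = rand_exp()
        self.y_S = pow(G, self.x_S, P)

    def extract(self, ID):
        """Private Key Extraction: returns (u_i, v_i) with u_i = g^{k_i}."""
        k = rand_exp()
        u = pow(G, k, P)
        if self.variant == 1:   # Protocol 1: v_i = I_i k_i + x_S u_i (mod p-1)
            v = (h(ID) * k + self.x_S * u) % (P - 1)
        else:                   # Protocol 2: v_i = k_i + x_S h(ID_i, u_i) (mod p-1)
            v = (k + self.x_S * h(ID, u)) % (P - 1)
        return u, v


def public_value(kgc, ID, u):
    """g^{v_i} from public data only: u^{I_i} y_S^{u} (P1) or u y_S^{h(ID,u)} (P2).
    Every attack below relies on this being computable by anyone."""
    if kgc.variant == 1:
        return pow(u, h(ID), P) * pow(kgc.y_S, u, P) % P
    return u * pow(kgc.y_S, h(ID, u), P) % P


def session_key(kgc, my_v, my_r, peer_ID, peer_u, peer_t):
    """Key Agreement step 2 of either protocol: K = (g^{v_peer} * t_peer)^{v + r}."""
    return pow(public_value(kgc, peer_ID, peer_u) * peer_t % P, my_v + my_r, P)


def honest_run(kgc, ID_A, ID_B):
    """Returns (K_AB, K_BA); both equal g^{(r_A+v_A)(r_B+v_B)}."""
    uA, vA = kgc.extract(ID_A)
    uB, vB = kgc.extract(ID_B)
    rA, rB = rand_exp(), rand_exp()
    tA, tB = pow(G, rA, P), pow(G, rB, P)            # step 1 messages
    return (session_key(kgc, vA, rA, ID_B, uB, tB),
            session_key(kgc, vB, rB, ID_A, uA, tA))


def mitm_run(kgc, ID_A, ID_B):
    """E replaces t_A by g^{alpha - v_A} and t_B by g^{beta - v_B}, using public
    data only. Returns (A's key, B's key, E's key with A, E's key with B)."""
    uA, vA = kgc.extract(ID_A)
    uB, vB = kgc.extract(ID_B)
    rA, rB = rand_exp(), rand_exp()
    tA, tB = pow(G, rA, P), pow(G, rB, P)
    alpha, beta = rand_exp(), rand_exp()               # chosen by E
    gvA, gvB = public_value(kgc, ID_A, uA), public_value(kgc, ID_B, uB)
    tA_fake = pow(G, alpha, P) * pow(gvA, -1, P) % P   # g^{alpha - v_A}, sent to B
    tB_fake = pow(G, beta, P) * pow(gvB, -1, P) % P    # g^{beta - v_B}, sent to A
    K_A = session_key(kgc, vA, rA, ID_B, uB, tB_fake)  # A derives g^{beta (v_A + r_A)}
    K_B = session_key(kgc, vB, rB, ID_A, uA, tA_fake)  # B derives g^{alpha (v_B + r_B)}
    K_EA = pow(gvA * tA % P, beta, P)                  # E: (g^{v_A} t_A)^beta
    K_EB = pow(gvB * tB % P, alpha, P)                 # E: (g^{v_B} t_B)^alpha
    return K_A, K_B, K_EA, K_EB


def impersonation_run(kgc, ID_A, ID_B):
    """E impersonates A to B with t_A = g^{t} (g^{v_A})^{-1}, never learning v_A.
    Returns (B's key, E's key); they coincide."""
    uA, _vA = kgc.extract(ID_A)      # E only ever sees the public u_A and ID_A
    uB, vB = kgc.extract(ID_B)
    t = rand_exp()                   # E's exponent, standing in for r_A + v_A
    tA = pow(G, t, P) * pow(public_value(kgc, ID_A, uA), -1, P) % P
    rB = rand_exp()
    tB = pow(G, rB, P)
    K_B = session_key(kgc, vB, rB, ID_A, uA, tA)       # = g^{t (v_B + r_B)}
    K_E = pow(public_value(kgc, ID_B, uB) * tB % P, t, P)
    return K_B, K_E


if __name__ == "__main__":
    for variant in (1, 2):
        kgc = KGC(variant)
        kab, kba = honest_run(kgc, "alice@example.com", "bob@example.com")
        ka, kb, kea, keb = mitm_run(kgc, "alice@example.com", "bob@example.com")
        kbi, kei = impersonation_run(kgc, "alice@example.com", "bob@example.com")
        print(f"Protocol {variant}: honest agree={kab == kba}; MITM A/E={ka == kea} "
              f"B/E={kb == keb} A/B={ka == kb}; impersonation B/E={kbi == kei}")
```

The cancellation is visible in `mitm_run` and `impersonation_run`: because step 2 raises the product $g^{v_A} t_A$ to the receiver's exponent, and $g^{v_A}$ is public, E chooses $t_A$ as $g^{\cdot}(g^{v_A})^{-1}$ and the honest party's key collapses to a power of a value E controls. Python 3.8 or later is assumed for `pow(x, -1, P)`.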