Score:0

Password Authenticated Key Exchange Protocol

ru flag

This problem appeared in a past exam paper.

In PAKE (password authenticated key exchange) protocols, $A$ and $B$ authenticate each other by knowledge of a shared password that is too weak to allow an attacker to try out repeated guesses to try to find it by knowing how a single message of the protocol was constructed. There is no cryptographic signature or alternative shared secret or trusted third party they can use. Such a protocol typically works as follows:

• Phase 1: $A$ and $B$ exchange data that they have created for this session and values they have computed from this and their own assumed value for the password $p_{AB}$. Note that if they are A and B, they will both know the same $p_{AB}$ but if one or both of them are spoofing the values they assume will probably be different. From these computations they both obtain a key $k_A$ or $k_B$, which will be the same if their password values were the same.

• Phase 2: They compare $k_A$ and $k_B$ by an exchange of messages which allow them to see if they agree, but do not reveal $k_A$ or $k_B$ to the world, and do not allow either party to think they agree when they do not.

Why should $A$ not send, as part of this protocol, $hash(p_{AB}, N)$, where $N$ is a nonce known to $B$ until she is sure that $B$ is not an impostor and actually knows $p_{AB}$? Extend this to general guidance about what messages of the form hash($X$) should not be sent from $A$ to $B$ where $X$ involves $p_{AB}$ in its construction.

Now think about implementing Phase 2 only. How could you use hashing to achieve the objective of Phase 2, in such a way that if $A$ or $B$ has actually been talking to an impostor with a different password in Phase 1, the impostor cannot manipulate the messages to make her or him think the protocol has completed successfully.

My attempt:

a) $A$ should not send, $hash(p_{AB}, N)$ as an Impostor $I_B$ can reuse the same nonce and send the $hash(p_{AB}, N)$ back to A, pretending to know the password $p_{AB}$

b) $X$ should not be $p_{AB}$ (on it's own). It should also contains some sort of identification for each user, unique to what the other user sends ie. if Alice sends $hash(X_1)$ and Bob sends $hash(X_2)$, $X_1 \neq X_2$. Is this enough? I can't think of anything else.

c) For implementing phase 2, make Alice send $hash(E_{k_A}(Alice|k_A))$ and Bob send $hash(E_{k_B}(Bob|k_B))$. Where $E_k$ is an encryption function, encrypted using key $k$. Is this correct?

us flag
What is your question? Do you want us to grade this practice exam for you?
ru flag
I was unsure about pretty much all of this question, and included my attempt for it as well.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.