Abstract
This paper shows several security weaknesses of a Multi-Factor Authenticated Key Exchange (MK-AKE) protocol proposed by Pointcheval and Zimmer at ACNS'08. The Pointcheval-Zimmer scheme was designed to combine three authentication factors in one system: a password, a secure token (which stores a private key) and biometrics. In a formal model, Pointcheval and Zimmer proved that an attacker has to break all three factors to win. However, the formal model only considers the threat that an attacker may impersonate the client; it does not discuss what happens if the attacker impersonates the server. We fill this gap by analyzing the case of server impersonation, which is a realistic threat in practice. Assuming that an attacker has already compromised the password, we present two further attacks: in the first, the attacker steals a fresh biometric sample from the victim without being noticed; in the second, he recovers the victim's private key using the Chinese Remainder Theorem. Both attacks have been experimentally verified. In summary, an attacker only needs to compromise the single password factor in order to break the entire system. We also discuss the deficiencies in the Pointcheval-Zimmer formal model and countermeasures to our attacks.
© 2012 Springer-Verlag Berlin Heidelberg
Hao, F., Clarke, D. (2012). Security Analysis of a Multi-factor Authenticated Key Exchange Protocol. In: Bao, F., Samarati, P., Zhou, J. (eds) Applied Cryptography and Network Security. ACNS 2012. Lecture Notes in Computer Science, vol 7341. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31284-7_1
DOI: https://doi.org/10.1007/978-3-642-31284-7_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31283-0
Online ISBN: 978-3-642-31284-7