一個可證明且伺服器端驅動的密碼認證金鑰交換機制

Abstract

基於密碼的認證金鑰交換機制僅需要使用者記憶一組安全度低的密碼即可完成運作，其方便性及彈性被廣泛應用在客戶/伺服器的架上。其中在非對稱性的協定中，伺服器端儲存使用者密碼的相對應轉換值，而非直接儲存明文的密碼，如此一來，即使伺服器遭到入侵也不會立即洩漏出使用者的密碼。近年來，許多基於密碼的金鑰交換協定被提來，這些協定大部分都是由客戶端先發出訊息傳送至伺服器端，在這篇論文中，我們提出由伺服器端先發送訊息給客戶端的協定。在這樣的架下，當同時有許多客戶與伺服器連線時，伺服器端可以控制流量，避免計算資源被大量消耗。更進一步我們也正規的證明了我們所提出的協定在random oracle model下是安全的，同時我們利用了CDH以及S-CDH兩個困難的問題在我們的證明中。

Since it is convenient for users to memorize a low-entropy password, the password-based authentication key exchange (PAKE) protocols have been an active research topic on the client/server-based communication. Especially, the asymmetric protocols which the server stores the password images are resistant to the leak of passwords when the server becomes compromised. Many elegant protocols are proposed in the past. However, most of them will ?rst send the short-term information to the server from client. In this paper, we propose a provable server-triggering password-based authenticated key exchange protocol(ST-PAKE). We focus on the framework that the server generates the short-term information ?rst and then sends it to the client. This idea has some advantage for communication. For example, when there are a large number of clients connecting to the server, the server can select which client to communicate according to the order of preference. Also, we confront a kind of o?-line dictionary attack. We call it active dictionary attack. This attack can be successfully mounted if the protocol is not well-design. We modify our ST-PAKE protocol to the ST-PAKE-A, which is designed to resist to the active dictionary attack. Moreover, our scheme is provably forward secrecy and resilient to the server compromise. We provide a formal security proof of our scheme under the CDH assumption and the S-CDH assumption in the random oracle model.