EP4264875A1 - Verfahren und vorrichtung zur herstellung eines passwortbasierten sicheren kanals - Google Patents

Verfahren und vorrichtung zur herstellung eines passwortbasierten sicheren kanals

Info

Publication number
EP4264875A1
EP4264875A1 EP21783477.9A EP21783477A EP4264875A1 EP 4264875 A1 EP4264875 A1 EP 4264875A1 EP 21783477 A EP21783477 A EP 21783477A EP 4264875 A1 EP4264875 A1 EP 4264875A1
Authority
EP
European Patent Office
Prior art keywords
message
function
devices
generated
random
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP21783477.9A
Other languages
English (en)
French (fr)
Inventor
Yong Li
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Publication of EP4264875A1 publication Critical patent/EP4264875A1/de
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves

Definitions

  • the present disclosure relates generally to the field of network security systems and more specifically, to a method of establishing a secure channel between devices and a device for establishing the secure channel with another device.
  • a passwordbased authenticated key agreement protocol is used to establish the secure communication channel between resource-constrained devices without using any cryptographic key.
  • the computation and communication complexity of the conventional password-based authenticated key agreement protocol is non-optimal.
  • the conventional passwordbased key agreement protocol provides low level of security, such as no forward secrecy is ensured.
  • a forward secrecy may be defined as a feature of specific key agreement protocols that gives assurance that session keys (i.e., keys generated to ensure secure communication channel) will not be compromised even if a long-term secret used in a session key exchange is compromised.
  • the conventional password-based authenticated key agreement protocol is not preferred for use in the resource-constrained devices, such as in light loT devices in a smart house or with high security requirements.
  • the conventional password-based authenticated key agreement protocol is not preferred for use in the resource-constrained devices, such as in light loT devices in a smart house or with high security requirements.
  • the present disclosure provides a method of establishing a secure channel (or a secure communication channel) between devices and a device for establishing the secure channel with another device.
  • the present disclosure provides a solution to the existing problem of inefficient password-based authentication key agreement protocol for establishing the secure communication channel between resource-constrained devices.
  • An objective of the present disclosure is to provide a solution that overcomes at least partially the problems encountered in the prior art and provides an improved method of establishing a password-based secure channel between devices and a device for establishing the password-based secure channel between with another device in order to maintain authenticity, integrity and confidentiality of a message communicated between the device and the other device.
  • the present disclosure provides a method of establishing a secure channel between devices.
  • the method comprises, at each of two devices, generating a random variable (x, y), calculating a random function (X, Y) based on the random variable, and generating a hash for a predetermined password.
  • the method further comprises generating a message including the hashed password and corresponding function, sending the generated message to the other device, and receiving the message generated by the other device.
  • the method further comprises computing the random function of the other device based on the received message and the hashed password.
  • the method further comprises, computing a transcript, W, based on the ID of both devices, and the generated messages of both devices, and generating, using a crypto hash function, session keys to establish a secure channel between the devices.
  • the method further comprises generating, an integration key, K MAC, using the crypto hash function based on the hashed password and the transcript, and an encoding key, K Enc, for each using the crypto hash function based on a point multiplication of the random variable with the random function of the other device and the transcript.
  • the disclosed method provides a password based authenticated key agreement protocol to establish a highly secure channel between devices.
  • the method utilizes an elliptic curve (EC) group based key exchange and an efficient hash-to-curve function as primary components to construct the password based key agreement protocol.
  • EC elliptic curve
  • the method supports password as a secret for secure communication with message authentication, integrity, and confidentiality.
  • the method possesses an enhanced security including forward secrecy and reduced communication and computational complexity.
  • the method is compatible and easy to implement in resource constrained scenarios such as in light loT devices in a smart house, high security requirement areas, and the like.
  • the random function for each device includes point multiplication of the random variable by a generator, g, of an elliptic curve group, G.
  • the generation of the random function for each device using the point multiplication of the corresponding random variable with the generator (g) of the EC group (G) may result in a reduced computational complexity.
  • the device first generates a first message and sends the first message to the other device, and the other device generates a second message in response to receiving the first message from the device.
  • the generation of the second message by the other device in response to receiving the first message from the device may result in a synchronised communication between the device and the other device.
  • the hashed password is generated using a hash-to-curve function, where the curve is an elliptic curve.
  • a computer-readable medium comprising instructions which, when executed by a processor, cause the processor to perform the method.
  • the processor is configured to execute the method hence, achieves all the advantages and technical features of the method.
  • the present disclosure provides a device comprising a network interface, and one or more processors configured to generate a random variable (x, y), calculate a random function (X, Y) based on the random variable and generate a hash for a predetermined password.
  • the device is further configured to generate a first message including the hashed password and corresponding function, and send the generated first message via the network interface to the other device.
  • the device is further configured in response to receiving a second message generated by the other device via the network interface and compute the random function of the other device based on the received second message and the hashed password.
  • the device is further configured to compute a transcript, W, based on the ID of both devices, and the generated messages of both devices.
  • the device is further configured to generate, using a crypto hash function, session keys to establish a secure channel between the devices.
  • the generation of the session keys comprises an integration key, K MAC, generated using the crypto hash function based on the hashed password and the transcript, and an encoding key, K Enc, generated for each using the crypto function based on a point multiplication of the random variable with the random function of the other device and the transcript.
  • the disclosed device achieves all the advantages and technical features of the method of the present disclosure after executing the method.
  • the device further comprises a memory configured to store the crypto hash function.
  • the use of the crypto hash function ensures the security of the session keys including the integration key and the encoding key.
  • FIGs. 1A and IB collectively is a flowchart of a method for establishing a secure channel between devices, in accordance with an embodiment of the present disclosure
  • FIG. 2A is an illustration of a secure communication channel between two devices, in accordance with an embodiment of the present disclosure
  • FIG. 2B is a block diagram that illustrates various exemplary components of a device, in accordance with an embodiment of the present disclosure.
  • an underlined number is employed to represent an item over which the underlined number is positioned or an item to which the underlined number is adjacent.
  • a non-underlined number relates to an item identified by a line linking the nonunderlined number to the item.
  • the non-underlined number is used to identify a general item at which the arrow is pointing.
  • FIGs. 1A and IB collectively is a flowchart of a method for establishing a secure channel between devices, in accordance with an embodiment of the present disclosure.
  • a method 100 for establishing a secure channel between devices includes steps 102 to 116 (steps 102-110 of the method 100 are shown in FIG. 1 A and steps 112-116 are shown in FIG. IB).
  • the method 100 is executed by a device, described in detail, for example, in FIG. 2B.
  • the method 100 is used for establishing a secure channel (namely of a secure communication channel) between devices, such as a first device and a second device.
  • the method 100 is based on an elliptic curve (may also be referred to as an elliptic curve group) based key exchange protocol and an efficient hash-to-curve function to provide a password-based authenticated key agreement protocol with reduced (i.e., optimal) computational and communication complexity.
  • the elliptic curve based key exchange protocol may also be referred to as a passive elliptic- curve Diffie-Hellman (ECDH) protocol.
  • ECDH passive elliptic- curve Diffie-Hellman
  • the method 100 comprises generating at each of two devices, a random variable (x, y).
  • Each of two devices is configured to generate the random variable (x, y).
  • the first device (may also be referred to as a device or a first party) generates the random variable x
  • the second device may also be referred to as another device or a second party) generates the random variable y.
  • a random variable may be defined as a variable whose value depends on one or more outcomes of a random phenomenon.
  • the random variable is an outcome of a coin toss.
  • the method 100 further comprises calculating at each of two devices, a random function (X, Y) based on the random variable.
  • each of two devices is configured to calculate the random function (X, Y) based on the random variable (x, y).
  • the first device is configured to calculate the random function X based on the random variable x.
  • the second device is configured to calculate the random function Y based on the random variable y.
  • a random function may be defined as a function of an arbitrary argument whose values are defined in terms of a certain experiment and may vary with outcomes of the experiment according to a given probability distribution.
  • the random function for each device includes point multiplication of the random variable by a generator, g, of an elliptic curve group, G.
  • the first device is configured to generate the random function X based on point multiplication of the random variable x by the generator, g, according to equation (1) where g is the generator of the elliptic curve (EC) group, G.
  • G may be an EC group with a prime order p.
  • the generator, g may also be referred to as a generator of base point (may also be represented as G).
  • G (+, .) represents a point addition and a point multiplication, respectively.
  • the second device is configured to generate the random function Y based on point multiplication of the random variable y by the generator, g, according to equation (2)
  • the elliptic curve may be used in elliptic curve cryptography (ECC) technique, which may be defined as a public key encryption technique based on elliptic curve that can be used to create up to some extent faster, smaller, and efficient cryptographic keys.
  • ECC elliptic curve cryptography
  • the elliptic curve cryptography technique may be configured to generate keys using properties of an elliptic curve equation instead of a typical method of generation as a product of very large prime numbers.
  • the method 100 further comprises generating at each of two devices, a hash for a predetermined password.
  • Each of two devices such as the first device and the second device, is configured to have the predetermined password (also represented as PW).
  • the predetermined password may also be referred to as a shared password.
  • each of two devices is configured to generate the hash for the predetermined password.
  • each of two devices is configured to apply a hash function on the predetermined password (i.e., the shared password) and generate a hashed password.
  • the hashed password is generated using a hash-to-curve function, where the curve is an elliptic curve.
  • the hashed password is generated using the hash-to-curve function, where the curve is the elliptic curve.
  • each of two devices is configured to apply the hash-to-curve function on the predetermined password and generate the hashed password as “Hash-To-Curve (PW)”.
  • the hash-to-curve function may be represented as “hash-to-curve: ⁇ 0,1 J 1 — Q in G”.
  • a hash-to-curve function may be defined as a secure cryptographic hash function that maps bit strings of information to one or more points on an elliptic curve. Moreover, the use of the hash-to-curve function ensures the secure communication channel with enhanced security.
  • the method 100 further comprises generating at each of two devices, a message including the hashed password and corresponding function.
  • each of two devices is configured to generate the message that includes the hashed password and the corresponding random function.
  • the first device is configured to generate the message (e.g., A) using the hashed password and the random function X according to equation (3)
  • the second device is configured to generate the message (e.g., B) using the hashed password and the random function Y according to equation (4)
  • the method 100 further comprises sending at each of two devices, the generated message to another device, and receiving the message generated by the other device.
  • the first device may be configured to send the generated message (e.g., A) to the second device and the second device may be configured to receive the generated message (e.g., A) sent by the first device.
  • the second device may be configured to send the generated message (e.g., B) to the first device and the first device may be configured to receive the generated message (e.g., B) sent by the second device.
  • the device first generates a first message and sends the first message to the other device, and the other device generates a second message in response to receiving the first message from the device.
  • the first device or the device is configured to generate the first message (e.g., A) according to the equation (3) and send the first message (e.g., A) to the second device (or the other device).
  • the second device is configured to receive the first message (e.g., A) sent by the first device and generate the second message (e.g., B) according to equation (4) in response to receiving the first message (e.g., A) from the first device.
  • the second device is configured to send the second message (e.g., B) to the first device and the first device is configured to receive the second message (e.g., B).
  • the method 100 further comprises computing at each of two devices, the random function of the other device based on the received message and the hashed password.
  • the first device is configured to receive the message (e.g., B) from the second device, and check whether the message (e.g., B) received is a valid elliptic curve (EC) element or not. If the received message (e.g., B) is not the valid EC element then, the first device is configured to abort the message (e.g., B). If the received message (e.g., B) is a valid EC element then, the first device is configured to calculate the random function (i.e., Y) of the second device according to equation (5)
  • the second device is configured to receive the message (e.g., A) from the first device and check whether the received message (e.g., A) from the first device is a valid EC element or not. If the received message (e.g., A) is not the valid EC element then, the second device is configured to abort message (e.g., A). If the message (e.g., A) is a valid EC element then, the second device is configured to calculate the random function (i.e., X) of the first device according to equation (6)
  • the method 100 further comprises computing at each of two devices, a transcript, W, based on the ID of both devices, and the generated messages of both devices.
  • the first device is configured to compute the transcript (W) based on identification of both the devices that is the first device and the second device and the generated messages (e.g., A and B) according to equation (7)
  • the transcript (W) may usually be defined as a written or typed or printed copy of a dictated or a recorded material.
  • the second device is configured to compute the transcript (W) based on identification of both the devices that is the first device and the second device and the generated messages (e.g., A and B) according to equation (8)
  • each of the two devices such as the first device and the second device is configured to compute the transcript (W) based on the Identity (IDs) and generated messages (e.g., A and B) of both devices.
  • the method 100 further comprises generating at each of two devices, using a crypto hash function, session keys to establish a secure channel between the devices.
  • each of two devices is further configured to generate the session keys by use of the crypto hash function, in order to establish the secure channel between the first device and the second device.
  • the session keys may be defined as encryption and decryption keys that is randomly generated to ensure the security of a communications channel between a user and a computer or between two computers or between two users. The session keys are used only for one session of communication and then, the session keys are discarded, and further new session keys are randomly generated for next session of communication.
  • the crypto hash function (may also be represented as H) may be defined as a secure hash function that maps data of variable length to a fixed size length.
  • the crypto hash function takes an input message of a variable length and generates an output message of a fixed size length.
  • the crypto hash function (or the cryptographic hash function) combines the message passing capability of the hash function with security properties and ensures randomness of the session keys.
  • the cryptographic hash function is used in message authentication codes (MAC), digital signatures, information security.
  • the step 116 further comprises steps 116A and 116B.
  • the step 116 comprises generating, an integration key, K_MAC, using the crypto hash function based on the hashed password and the transcript.
  • K_MAC an integration key
  • Each of two devices is configured to generate the integration key (K MAC) using the crypto hash function (i.e., H) based on the hashed password and the transcript (W).
  • the first device is configured to generate the integration key (K MAC) using the crypto hash function (i.e., H) based on the hashed password (i.e., Hash-To-Curve (PW)) and the transcript (W).
  • the step 116 further comprises generating for each, an encoding key, K Enc, using the crypto hash function based on a point multiplication of the random variable with the random function of the other device and the transcript.
  • K MAC integration key
  • each of two devices is further configured to generate the encoding key (K Enc) using the crypto hash function (i.e., H) based on the point multiplication of the random variable with the random function of the other device and the transcript (W).
  • the first device is configured to generate the encoding key (K Enc) using the crypto hash function (i.e., H) based on the point multiplication of the random variable (i.e., x) with the random function (i.e., Y) of the second device and the transcript (W). Therefore, generation of the session keys, that is the integration key (K MAC) and the encoding key (K Enc) by the first device can be represented according to equation (9).
  • K_Enc ⁇ ⁇ K_MAC H( x. Y ⁇ ⁇ HashToCurve (PW), W) (9)
  • K_Enc ⁇ ⁇ K_MAC H y.X ⁇ ⁇ HashToCurve PW), W) (10)
  • the session keys including the integration key (K MAC) and the encoding key (K Enc) are generated for establishing the secure communication channel between the first device and the second device.
  • the method 100 manifests reduced computational and communication complexity.
  • the method 100 includes base point multiplication, point multiplication and the hash-to-curve function. Therefore, the ratio of the base point multiplication to the point multiplication to the hash-to-curve function is 3.2: 1 :6.4.
  • the method 100 is further compared with the conventional method of TBPEKE under same security level, and the computing complexity is calculated as i+i+
  • the method 100 provides a password based authenticated key agreement protocol to establish the secure channel (or the secure communication channel) between two devices that is the first device and the second device.
  • the method 100 is based on elliptic curve (EC) based key exchange and a highly efficient hash-to-curve function.
  • the security of the secure channel is ensured by use of the session keys including the encoding key (K enc) and the integration key (K MAC). Further security of the session keys is improved by use of the cryptographic hash function (i.e., H), the secured hash-to-curve function and the passive elliptic-curve Diffie- Hellman, EC-DH, (may also be named as an elliptic curve, EC) key exchange.
  • H cryptographic hash function
  • H the secured hash-to-curve function
  • the passive elliptic-curve Diffie- Hellman EC-DH
  • the Passive EC- DH key exchange and the cryptographic hash function ensure the randomness of the session keys.
  • the cryptographic hash function By virtue of the cryptographic hash function, the hash-to-curve function and the passive EC-DH key exchange, active attackers cannot extract plaintext of the session keys without negligible probability. Therefore, the method 100 supports an enhanced security including forward secrecy. Furthermore, the method 100 provides an efficient password based key agreement solution with reduced communication and computational complexity. Additionally, the method 100 is compatible and easy to implement in resource constrained scenarios such as in light loT devices in a smart house, as well as in high security requirement areas, and the like.
  • steps 102 to 116 are only illustrative and other alternatives can also be provided where one or more steps are added, one or more steps are removed, or one or more steps are provided in a different sequence without departing from the scope of the claims herein.
  • FIG. 2A is an illustration of a secure communication channel between two devices, in accordance with an embodiment of the present disclosure.
  • FIG. 2A is described in conjunction with elements from FIGs. 1A and IB.
  • FIG. 2A there is shown an implementation scenario 200A that includes a device 202 and another device 204.
  • the device 202 and the other device 204 are connected to each other via a secure channel 206.
  • Each of the device 202 and the other device 204 may include suitable logic, circuity, interfaces, or codes that is configured to execute a password based authenticated key agreement protocol to establish the secure channel 206 (or the secure communication channel) between themselves. Alternatively stated, each of the device 202 and the other device 204 is configured to execute the method 100 (of FIGs. 1A and IB).
  • the device 202 may also be referred to as a first device or a first party and the other device 204 may also be referred to as a second device or a second party. Examples of each of the device 202 and the other device 204 may include, but are not limited to, a user, a computer, a server, an loT device, a smart phone, a wireless sensor or actuator, and the like.
  • the secure channel 206 is a communication channel used for transmitting messages between two devices such as the device 202 and the other device 204.
  • the secure channel 206 includes a medium (either wired or wireless or optical) through which the various control units or components, such as the device 202, and the other device 204 communicates with each other.
  • Examples of the secure channel 206 may include, but are not limited to, a Wireless Fidelity (Wi-Fi) communication channel, a Local Area Network (LAN) communication channel, a wireless personal area network (WPAN) communication channel, a Wireless Local Area Network (WLAN) communication channel, a cloud network communication channel, a Long-Term Evolution (LTE) network communication channel, and/or the Internet.
  • Wi-Fi Wireless Fidelity
  • LAN Local Area Network
  • WLAN wireless personal area network
  • WLAN Wireless Local Area Network
  • cloud network communication channel a cloud network communication channel
  • LTE Long-Term Evolution
  • FIG. 2B is a block diagram that illustrates various exemplary components of a device, in accordance with an embodiment of the present disclosure.
  • FIG. 2B is described in conjunction with elements from FIGs. 1 A, IB, and 2 A.
  • FIG. 2B there is shown a block diagram 200B of the device 202 (of FIG. 2A).
  • the device 202 includes one or more processors 208, a memory 210, and a network interface 212.
  • the memory 210 is configured to store a crypto hash function 210A.
  • the other device 204 includes one or more processors, a memory, and a network interface. Therefore, the other device 204 is not described in detail, for sake of brevity.
  • the one or more processors 208 include suitable logic, circuitry, interfaces, or code that is configured to execute the instructions stored in the memory 210.
  • the one or more processors 208 may be a general-purpose processor.
  • Other examples of the one or more processors 208 may include, but are not limited to, a central processing unit (CPU), a digital signal processor (DSP), a microprocessor, a microcontroller, a complex instruction set computing (CISC) processor, an application-specific integrated circuit (ASIC) processor, a reduced instruction set (RISC) processor, a very long instruction word (VLIW) processor, a state machine, a data processing unit, and other processors or control circuitry.
  • CPU central processing unit
  • DSP digital signal processor
  • CISC complex instruction set computing
  • ASIC application-specific integrated circuit
  • RISC reduced instruction set
  • VLIW very long instruction word
  • the memory 210 includes suitable logic, circuitry, interfaces, or code that is configured to store data and the instructions executable by the one or more processors 208. Examples of implementation of the memory 210 may include, but are not limited to, an Electrically Erasable Programmable Read-Only Memory (EEPROM), Random Access Memory (RAM), Read Only Memory (ROM), Hard Disk Drive (HDD), Flash memory, Solid-State Drive (SSD), or CPU cache memory.
  • EEPROM Electrically Erasable Programmable Read-Only Memory
  • RAM Random Access Memory
  • ROM Read Only Memory
  • HDD Hard Disk Drive
  • Flash memory Solid-State Drive
  • SSD Solid-State Drive
  • CPU cache memory may store an operating system, or a crypto hash function 210A or other program products (including one or more operation algorithms) to operate the device 202.
  • the memory 210 stores the crypto (or cryptographic) hash function 210A and hence, manifests the features of collision resistance, pre-image resistance and second pre-image resistance.
  • the crypto hash function 210A combines the message passing capability of a hash function with security properties. Therefore, the crypto hash function 210A is used in message authentication codes (MAC), digital signatures, information security analysis, and the like.
  • MAC message authentication codes
  • the network interface 212 includes suitable logic, circuitry, interfaces, or code that is configured to communicate with each of the memory 210, and the one or more processors 208.
  • the network interface 212 is configured to receive a message generated by the device 202 and transmit the generated message to the other device 204.
  • the network interface 212 is configured to receive a message from the other device 204 and transmit the generated message to the device 202. Examples of the network interface 212 may include, but are not limited to, a data terminal, a transceiver, a facsimile machine, a virtual server, and the like.
  • the present disclosure provides a device 202 comprising the network interface 212, and one or more processors 208.
  • the device 202 is configured to generate a random variable (x, y), and calculate a random function (X, Y) based on the random variable.
  • the one or more processors 208 of the device 202 is configured to generate the random variable (x, y). More specifically, the one or more processors 208 of the device 202 is configured to generate the random variable x. Thereafter, the one or more processors 208 of the device 202 is further configured to generate the random function X based on the random variable x according to the equation (1), which have been shown in FIG. 1 A.
  • the other device 204 is configured to generate the random variable y and the random function Y based on the random variable y according to the equation (2), which have been shown in FIG. 1 A.
  • the random function for each device includes point multiplication of the random variable by a generator, g, of an elliptic curve group, G.
  • the device 202 is configured to generate the random function X using the point multiplication of the random variable x by the generator, g, of the elliptic curve group, G, according to the equation (1), which have been shown in FIG. 1 A.
  • the other device 204 is configured to generate the random function Y using the point multiplication of the random variable y by the generator, g, of the elliptic curve group, G, according to the equation (2), which have been shown in FIG. 1 A.
  • the device 202 is further configured to generate a hash for a predetermined password. After generation of the random function X based on the random variable x, the device 202 is further configured to generate the hash for the predetermined password (e.g., PW). Similarly, the other device 204 is configured to generate the hash for the predetermined password (e.g., PW). Alternatively stated, each of the device 202 and the other device 204 is configured to apply the hash on the predetermined password (e.g., PW) and generate a hashed password.
  • the predetermined password e.g., PW
  • the hashed password is generated using a hash-to-curve function, where the curve is an elliptic curve.
  • the device 202 is further configured to generate the hashed password using the hash-to-curve function, where the curve is an elliptic curve (EC).
  • EC elliptic curve
  • the generation of the hashed password using the hash-to-curve function and the predetermined password at each of the device 202 and the other device 204, is described in detail, for example, in FIG. 1 A.
  • the hash-to-curve function is a part of ECDH protocol applied on the elliptic curve group to establish the secure channel 206 between the device 202 and the other device 204.
  • the device 202 is further configured to generate a first message including the hashed password and corresponding function, and send the generated first message via the network interface 212 to the other device 204.
  • the device 202 After generation of the hashed password, the device 202 is configured to generate the first message (e.g., A) using the hashed password and the random function X, according to the equation (3), which have been shown in FIG. 1 A.
  • the device 202 is further configured to send the generated first message (e.g., A) to the other device 204 through the network interface 212.
  • the one or more processors 208 is configured to generate the first message and send the first message to the other device 204, and the other device 204 is configured to generate a second message in response to receiving the first message from the device 202.
  • the one or more processors 208 of the device 202 is configured to generate the first message (e.g., A) and send the generated first message (e.g., A) to the other device 204. Therefore, the other device 204 is configured to receive the generated first message (e.g., A) sent from the device 202 through the network interface 212.
  • the other device 204 is configured to generate the second message (e.g., B) according to the equation (4), in response to receiving the generated first message (e.g., A) from the device 202.
  • the other device 204 is further configured to send the generated second message (e.g., B) to the device 202.
  • the device 202 is further configured in response to receiving the second message generated by the other device 204 via the network interface 212.
  • the device 202 is further configured to receive the generated second message (e.g., B) from the other device 204 through the network interface 212.
  • the device 202 is further configured to compute the random function of the other device 204 based on the received second message and the hashed password.
  • the one or more processors 208 of the device 202 is further configured to compute the random function Y of the other device 204 using the received second message (e.g., B) and the hashed password, according to the equation (5), described in detail, for example, in FIG. IB.
  • the device 202 is further configured to compute a transcript, W, based on the ID of both devices, and the generated messages of both devices.
  • the one or more processors 208 of the device 202 is further configured to compute the transcript (W) based on identification of both the devices that is the device 202 and the other device 204, and the generated messages that is the first message (e.g., A) and the second message (e.g., B) according to equation (7), described in detail, for example, in FIG. IB.
  • the device 202 is further configured to generate, using a crypto hash function 210A, session keys to establish the secure channel 206 between the devices.
  • the one or more processors 208 of the device 202 is further configured to generate the session keys by use of the crypto hash function 210A.
  • the session keys are generated in order to establish the secure channel 206 between the device 202 and the other device 204.
  • the crypto hash function 210A i.e., H
  • the session keys manifest key indistinguishability.
  • the device 202 is further configured to generate, an integration key (K MAC), using the crypto hash function 210A based on the hashed password and the transcript (W).
  • the one or more processors 208 of the device 202 is configured to generate the integration key (K MAC) using the crypto hash function 210A (i.e., H) based on the hashed password (i.e., Hash-To-Curve (PW)) and the transcript (W).
  • the device 202 is further configured to generate for each, an encoding key (K Enc), using the crypto hash function 210A based on a point multiplication of the random variable with the random function of the other device 204 and the transcript (W).
  • the one or more processors 208 of the device 202 is further configured to generate the encoding key (K Enc) using the crypto hash function 210A (i.e., H) based on the point multiplication of the random variable (i.e., x) with the random function (i.e., Y) of the other device 204 and the transcript (W).
  • the generation of the session keys including the integration key (K MAC) and the encoding key (K Enc) by the one or more processors 208 of the device 202 according to the equation (9) is described in detail, for example, in FIG. IB.
  • the crypto hash function 210A i.e., H
  • the passive EC-DH key exchange protocol and the crypto hash function 210A ensures the randomness of the session keys. Therefore, an active attacker may only get a cipher-text of the session keys’ related information that is the first message (e.g., A) and the second message (e.g., B).
  • the crypto hash function 210A i.e., H
  • the hash-to-curve function and the passive EC-DH key exchange protocol are cryptographic algorithms and protocol
  • the active attacker cannot extract the plain text of the session keys without a negligible probability.
  • a reduction algorithm can be designed in order to break the cryptographic algorithms.
  • the method 100 (of FIGs. 1 A and IB) executed by the device 202 and the other device 204 manifests an enhanced security hence, there will be no such attacker for the method 100.
  • the device 202 further comprises a memory 210 configured to store the crypto hash function 210A.
  • the crypto hash function 210A i.e., H
  • the crypto hash function 210A is used in generation of the session keys such as the integration key (K MAC) and the encoding key (K Enc) for establishment of the secure channel 206 between the device 202 and the other device 204.
  • a computer-readable medium comprising instructions which, when executed by a processor, cause the processor to perform the method 100.
  • the processor (or the one or more processors 208) of the device 202 is configured to execute the method 100 (of FIGs. 1A and IB).
  • the device 202 is configured to use a password based authenticated key agreement protocol to establish the secure channel 206 (or the secure communication channel) with the other device 204.
  • the password based authenticated key agreement protocol is based on elliptic curve (EC) based key exchange and a highly efficient hash-to-curve function.
  • the security of the secure channel 206 is ensured by use of the session keys including the encoding key (K enc) and the integration key (K MAC).
  • the crypto hash function 210A i.e., H
  • the secured hash-to-curve function and the passive elliptic-curve Diffie-Hellman, EC-DH may also be named as elliptic curve, EC
  • the Passive EC-DH key exchange and the crypto hash function 210A ensure the randomness of the session keys.
  • the crypto hash function 210A the hash-to-curve function and the passive EC-DH key exchange, active attackers cannot extract plaintext of the session keys without negligible probability. Therefore, the device 202 manifests an enhanced security including forward secrecy.
  • the device 202 manifests an efficient password based key agreement solution with reduced communication and computation complexity. Additionally, the device 202 is compatible and easy to use in resource constrained scenarios such as in light loT devices in smart house, as well as in high security requirement areas, and the like. Modifications to embodiments of the present disclosure described in the foregoing are possible without departing from the scope of the present disclosure as defined by the accompanying claims. Expressions such as “including”, “comprising”, “incorporating”, “have”, “is” used to describe and claim the present disclosure are intended to be construed in a non-exclusive manner, namely allowing for items, components or elements not explicitly described also to be present. Reference to the singular is also to be construed to relate to the plural.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Algebra (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Mobile Radio Communication Systems (AREA)
EP21783477.9A 2021-09-24 2021-09-24 Verfahren und vorrichtung zur herstellung eines passwortbasierten sicheren kanals Pending EP4264875A1 (de)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2021/076391 WO2023046294A1 (en) 2021-09-24 2021-09-24 Method and device for establishing password based secure channel

Publications (1)

Publication Number Publication Date
EP4264875A1 true EP4264875A1 (de) 2023-10-25

Family

ID=78032436

Family Applications (1)

Application Number Title Priority Date Filing Date
EP21783477.9A Pending EP4264875A1 (de) 2021-09-24 2021-09-24 Verfahren und vorrichtung zur herstellung eines passwortbasierten sicheren kanals

Country Status (2)

Country Link
EP (1) EP4264875A1 (de)
WO (1) WO2023046294A1 (de)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7076656B2 (en) * 2001-04-05 2006-07-11 Lucent Technologies Inc. Methods and apparatus for providing efficient password-authenticated key exchange
US20100199095A1 (en) * 2009-01-30 2010-08-05 Texas Instruments Inc. Password-Authenticated Association Based on Public Key Scrambling
KR102549272B1 (ko) * 2016-05-17 2023-06-30 한국전자통신연구원 패스워드와 id 기반 서명을 이용한 인증 키 합의 방법 및 장치
US10681038B1 (en) * 2016-10-26 2020-06-09 Marvell Asia Pte, Ltd. Systems and methods for efficient password based public key authentication

Also Published As

Publication number Publication date
WO2023046294A1 (en) 2023-03-30

Similar Documents

Publication Publication Date Title
US9853816B2 (en) Credential validation
US11882218B2 (en) Matching system, method, apparatus, and program
US9800411B1 (en) Using a secret generator in an elliptic curve cryptography (ECC) digital signature scheme
Jirwan et al. Review and analysis of cryptography techniques
US11991274B2 (en) Authenticated lattice-based key agreement or key encapsulation
KR20170129549A (ko) 패스워드와 id 기반 서명을 이용한 인증 키 합의 방법 및 장치
Chikouche et al. A privacy-preserving code-based authentication protocol for Internet of Things
JP7091322B2 (ja) 複合デジタル署名
US11516658B2 (en) Efficient and secure distributed signing protocol for mobile devices in wireless networks
Giri et al. Efficient biometric and password based mutual authentication for consumer USB mass storage devices
EP3673610B1 (de) Computerimplementiertes system und verfahren zur hochsicheren, hochschnellen verschlüsselung und übertragung von daten
US9923720B2 (en) Network device configured to derive a shared key
KR100989185B1 (ko) Rsa기반 패스워드 인증을 통한 세션키 분배방법
US11528127B2 (en) Computer-implemented system and method for highly secure, high speed encryption and transmission of data
Giri et al. A novel and efficient session spanning biometric and password based three-factor authentication protocol for consumer USB mass storage devices
Lin et al. Authenticated quantum dialogue based on Bell states
Kwon et al. Efficient verifier-based password-authenticated key exchange in the three-party setting
Garg et al. ECC-based secure and lightweight authentication protocol for mobile environment
EP4264875A1 (de) Verfahren und vorrichtung zur herstellung eines passwortbasierten sicheren kanals
JP5932709B2 (ja) 送信側装置および受信側装置
US11228589B2 (en) System and method for efficient and secure communications between devices
US20240356730A1 (en) Computer-implemented system and method for highly secure, high speed encryption and transmission of data
Zhang et al. CCMbAS: A Provably Secure CCM‐Based Authentication Scheme for Mobile Internet
Saqib et al. Computer and Information Sciences
Ali et al. IOOSC-U2G: An Identity-Based Online/Offline Signcryption Scheme for Unmanned Aerial Vehicle to Ground Station Communication

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

17P Request for examination filed

Effective date: 20231002

RBV Designated contracting states (corrected)

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR