KR100913783B1 - Method of Password-Based Authentication and Key Exchanging - Google Patents

Abstract

According to the present invention, when the Internet key exchange service technology using a password is applied to provide an optimal security service in a network system such as the Internet or a mobile communication system, the present invention can be performed with a smaller amount of operation than a conventional AMP without weakening the security strength between the client and the server. It is an object of the present invention to provide a password-based authentication and key exchange method that can quickly obtain a result of authentication and key exchange, and can reduce power consumption.

In a method for exchanging a key for password authentication between a client and a server through a network, the client randomly generates a random number b regardless of the password π to generate a plurality of (b, m = g ^b mod p) pairs. Compute and store in advance, the server randomly generates a random number c irrespective of the user ID (C) and pre-computes and store a plurality of (c, g ^c mod p) pairs, and the server is a user ID (C A first step of randomly generating a random number y with respect to) and precomputing and storing a plurality of (y, β = ν ^y mod p (β is key material information)) pairs; When the client receives a user ID (C) and a password (π) from the user, selects any one of the pre-calculated number (b, m) and transmits the user ID (C) and m to the server. A second step of doing; The server receiving the user ID (C) and m receives the session key generation coefficient μ using the β of any one of the pre-calculated (y, β = υ ^y mod p), the m, and the random number c, y. After calculating, transmitting a μ and c to the client; After receiving the μ and c, the client extracts the key material information α using the hash values u of the μ, c, b, and user ID, calculates the key exchange element k ₁ using the α, and then Transmitting to a server; The server receiving the k ₁ , after calculating a key exchange element k ₂ , if the result is equal to the k ₁ , transmitting the k ₂ to the client and generating a session key sk _s ; After comparing k ₁ with k ₂ 'and comparing the result with k ₂ , if the result is the same, the client includes a sixth step of generating a session key sk _c .

Description

Method of Password-Based Authentication and Key Exchanging

The present invention relates to a password-based authentication and key exchange method, and more particularly, security between a client and a server when applying an Internet key exchange service technology using a password to provide an optimal security service in a network system such as the Internet or a mobile communication system. The present invention relates to a password-based authentication and key exchange method that can quickly obtain authentication and key exchange results with a smaller amount of operations than a conventional AMP without sacrificing strength.

Passwords are widely used as an authentication method that can be memorized, but they have been known to be weak against dictionary attacks using words that can be easily memorized because of the limitations that people must memorize. Because password-based authentication and key exchange protocols have low entropy for these passwords, methods that require a lot of computation on the server and client sides have been proposed to design secure protocols.

To overcome these shortcomings while maintaining the convenience of the password, an AMP (Authentication and key agreement via Memorable Password) protocol has been proposed to perform secure authentication and key exchange using low-entropy passwords. The AMP protocol completed the protocol using the Diffie-Hellman method based on the Discrete Logarithm Problem.

The AMP protocol is a password-based authentication and key exchange protocol that performs relatively few operations, but for example, the computational power of the mobile terminal (client) in the mobile communication system is small, thereby reducing the computational amount of the mobile terminal even smaller. Therefore, there is a need for a technical method to reduce power consumption.

The present invention has been devised by the above-described technical necessity, and does not weaken the security strength between a client and a server when applying an Internet key exchange service technology using a password to provide an optimal security service in a network system such as the Internet or a mobile communication system. Its purpose is to provide authentication and key exchange results faster than conventional AMPs, and to provide password-based authentication and key exchange methods that reduce power consumption.

The object of the present invention as described above,

In a method for exchanging a key for password authentication between a client and a server through a network, the client randomly generates a random number b regardless of the password π to generate a plurality of (b, m = g ^b mod p) pairs. Compute and store in advance, the server randomly generates a random number c irrespective of the user ID (C) and pre-computes and store a plurality of (c, g ^c mod p) pairs, and the server is a user ID (C A first step of randomly generating a random number y with respect to) and precomputing and storing a plurality of (y, β = ν ^y mod p (β is key material information)) pairs; When the client receives a user ID (C) and a password (π) from the user, selects any one of the pre-calculated number (b, m) and transmits the user ID (C) and m to the server. A second step of doing; The server receiving the user ID (C) and m receives the session key generation coefficient μ using the β of any one of the pre-calculated (y, β = υ ^y mod p), the m, and the random number c, y. After calculating, transmitting a μ and c to the client; After receiving the μ and c, the client extracts the key material information α using the hash values u of the μ, c, b, and user ID, calculates the key exchange element k ₁ using the α, and then Transmitting to a server; The server receiving the k ₁ , after calculating a key exchange element k ₂ , if the result is equal to the k ₁ , transmitting the k ₂ to the client and generating a session key sk _s ; After comparing k ₁ with k ₂ 'and comparing the result with k ₂ , if the result is the same, the client may include a sixth step of generating a session key sk _c .

The session key generation coefficient [mu] is generated in the server by the following equation (1).

Equation (1): μ = (mυg ^c ) ^y mod p

Where c and y are random numbers, p is a prime number with p = rq + 1 for any r mutually different from p, and υ is the user's profile stored on the server.

The key material information α is characterized by being generated at the client by the following equation (2).

Equation (2): α = μ ^{u / (b + u + c)} mod p

Where b and c are random numbers, u is a hash value of the user ID, p is a prime number p = rq + 1 for any r that is mutually different from p.

The key exchange element k ₁ is characterized in that it is a hash value including the key generation coefficient μ, the key material information α, the m, and the user ID (C).

The key exchange element k ₂ is characterized in that it is a hash value including the key generation coefficient μ, the key material information β, the m, and the user ID (C).

In the fifth step, if the result values of the key exchange elements k ₁ and k ₂ are not the same, the protocol is suspended.

In the sixth step, if the result values of the key exchange elements k ₂ and k ₂ ^′ are not the same, the protocol is suspended.

In addition, the password-based authentication and key exchange method according to another embodiment of the present invention, in a method for exchanging a key for password authentication between the client and the server over a network, the client is a random number irrespective of the password (π) generating randomly b, extracting key material information m (m = g ^b mod p) using the ^b , and then transmitting a user ID (C) and the m to a server; The server receiving the user ID C and m randomly generates a random number y, extracts key material information β (β = υ ^y mod p) using the y, and randomly uses the hash value of m. extracting c, calculating a session key generation coefficient μ using the m and the random numbers c, y, and then transmitting μ to the client; The client receiving the μ extracts the hash value of m as a random number c, extracts key material information α using the hash value u of the μ, c, b, and user ID, and uses the α to obtain a key. Calculating a switching element k ₁ and transmitting it to the server; The server receiving the k ₁ , after calculating a key exchange element k ₂ , if the result is equal to the k ₁ , transmitting the k ₂ to the client and generating a session key sk _s ; After comparing k ₁ to k ₂ and comparing it to k ₂ , if the result is the same, the client includes a fifth step of generating a session key sk _c .

The session key generation coefficient mu is characterized in that it is generated in the server by the following equation (3).

Equation (1): μ = (mυg ^c ) ^y mod p

Where c is a hash value of m, y is a random number, p is a prime number p = rq + 1 for any r that is mutually different from p, and υ is the user's profile stored on the server.

The key material information α is generated in the client by the following equation (4).

Equation (2): α = μ ^{u / (b + u + c)} mod p

Where b is a random number, c is a hash value of m, u is a hash value of user ID (C), and p is a decimal number with p = rq + 1 for any r that is mutually different from p.

The key exchange element k ₁ is characterized in that it is a hash value including the key generation coefficient μ, the key material information α, the m, and the user ID (C).

The key exchange element k ₂ is characterized in that it is a hash value including the key generation coefficient μ, the key material information β, the m, and the user ID (C).

In the fourth step, if the result values of the key exchange elements k ₁ and k ₂ are not the same, the protocol is suspended.

In the fifth step, if the result values of the key exchange elements k ₂ and k ₂ ^′ are not the same, the protocol is suspended.

According to the password-based authentication and key exchange method according to the present invention, the security between the client and the server when applying the Internet key exchange service technology using a password to provide an optimal security service in a network system such as the Internet or mobile communication system Without compromising strength, authentication and key exchange results can be obtained faster with less computation than traditional AMPs, resulting in reduced power consumption.

Hereinafter, with reference to the accompanying drawings will be described an embodiment of the present invention; First, it should be noted that the same components or parts in the drawings represent the same reference numerals as much as possible. In describing the present invention, detailed descriptions of related well-known functions or configurations are omitted in order not to obscure the gist of the present invention.

1 conceptually illustrates a password-based authentication and key exchange method according to the present invention, and FIG. 2 conceptually illustrates a password-based authentication and key exchange method according to another embodiment of the present invention. In the password-based authentication and key exchange method according to the present invention is a table showing the required dictionary and real-time calculation amount of the protocol.

First, the description of the symbols frequently used in the following [Table 1] is disclosed.

TABLE 1

C User ID S server π password k Security parameters for secret key encryption (128, 160 bit, etc.) l Security parameters for public key encryption (3072, 3840 bit, etc.) h _i Random oracle q Prime of size k p a prime number of size p with r = + q and 1 for any r mutually different from p Z _x ^* multiplicative group of x g Generator of q-order subgroup G _q in group Z _p ^* ε Security parameters for elliptic curve based encryption (256, 512 bit, etc.) E Elliptic Curve P One point on E of size ε

Z _p = {0,1,2, ..., p-1}, which is called the full surplus system of law. For a completely surplus element a∈Z _{p of the} method, a set of only the elements with gcd (a, p) = 1 is called Z _p ^* . This property defines Z _p ^* = {0,1,2, ..., p-1} when p is prime.

h _i satisfies the properties h _i : {0,1} ^* -> {0,1} ^k . That is, a bit string of any length (βit string) is made into a bit string of k size. (For reference, {0,1} ⁿ means a bit string of length n)

h _i (M) is defined as h _i (i, M, i), and h () is a safe one-way function such as MD5 or SHA-1. Here, ',' means concatenation between bit strings.

Diffie-Hellman (DH) and Digital Signature Algorithm (DSA) are all weak by sub-exponential algorithms such as Number field sieve. However, in the case of Elliptic Curve Cryptography, the best known algorithm to solve mathematical problems is the Pollard-rho algorithm, which requires exponential time. Therefore, unlike DH and DSA, elliptic curve encryption can provide an equivalent level of security even with a small size key.

The protocol described below can be described again with elliptic curve cryptography, which can provide equivalent security with less computation. To rewrite with elliptic curve cryptography, any number g ^x mod p on Z _p ^* can be rewritten at any point xP on the elliptic curve. At this time, the size of g ^x is l and the size of xP is ε.

Describes the existing AMP protocol configuration.

The user sets his ID (C) and password (π). The server creates a user's profile (account) <C, v>. v = g ^u mod p and u = h ₀ (π, C). The server is difficult to find the user's password, even though u knows υ due to the difficulty of the Discrete Logarithm Problem (DLP).

Referring to the protocol operation, first, the client receives the password (π) from the user ID (C) and then selects a random number b∈ _R Z _p ^* , and m = g ^b mod p and u = h ₁ (π After calculating, C), send C and m to the server.

[1] client → server: C, m

The server checks whether or not m is 1, and if 1 stops the protocol. If then not a first server chooses the random number Z _{R p} ^* and y∈ c∈ _R Z _p ^*, and calculating a ^y mod p υ = β (β = yυ) and ^{μ = (mυg c) y mod} p, Send μ and c to the client.

[2] server → client: μ, c

When μ and c arrive, the client computes α = μ ^{u / (b + u + c)} mod p and calculates k ₁ = h ₁ (C, S, m, μ, α) to send k ₁ to the server. do.

[3] client → server: k ₁

The server calculates k ₁ '= h ₁ (C, S, m, μ, β) and stops the protocol if k ₁ ' is not equal to k ₁ . If the comparison is the same, k ₂ Calculate = h ₂ (C, S, m, μ, β) and send k ₂ to the client and calculate the session key sk _s = h ₃ (C, S, m, μ, β).

[4] server → client: k ₂

The client computes k ₂ '= h ₂ (C, S, m, μ, α) and stops the protocol if k ₂ ' is not equal to k ₂ . If the comparison is the same, the client calculates the session key sk _c = h ₃ (C, S, m, μ, α). Server and client since sk _s = sk _c with the session key.

See the equation below for equality of session keys.

As can be seen from the above formula, if the server has the correct client's profile <C, υ = g ^u mod p> then α and β are the same, so sk _c = h ₃ (C, S, m, μ, α) = The same session key can be generated with h ₃ (C, S, m, μ, β) = sk _s .

Referring to FIG. 1, the password-based authentication and key exchange method according to the present invention is different from the existing AMP protocol. First, the client randomly generates a random number b regardless of the password (π) and generates a plurality of (b, m = g ^b mod p) pairs are precomputed and stored, and the server randomly generates a random number c irrespective of the user ID (C) and precomputes and stores a plurality of (c, g ^c mod p) pairs. The server randomly generates a random number y in relation to the user ID C, and calculates and stores a plurality of (y, β = υ ^y mod p) pairs in advance.

Then, when the client receives a user ID (C) and a password (π) from the user, select any one of the m (b, m) of the pre-computed number and the user ID (C) to the server After sending m

After receiving the user ID (C) and m, the server calculates μ using any one of the pre-calculated (y, β = υ ^y mod p) and m and the random number c, y, Send μ and c to the client.

If the server generates and uses c randomly, the server can precompute many (c, g ^c mod p) pairs independently of the user. Since in practice you can take and use one of these numerous pairs (c, g ^c mod p), the server only needs to exponentiate y over the product of m, υ, g ^c to generate μ. do.

In addition, the server may pre-calculate the required number of (y, β = υ ^y mod p) pairs for each user, regardless of the m generated in real time on the client.

Thus, the server requires one exponentiation and three hash operations in real time for authentication and key exchange. Hash operations can yield results with very few operations compared to exponential powers.

In addition, the client can pre-calculate as many (b, m = g ^b mod p) pairs as needed (expected) regardless of the password, and can take one of them and send it to the server once the authentication process begins. Thus, in order to calculate α, the client requires one inverse operation and one exponentiation operation, respectively.

These precomputations can be calculated using time when the server and client are not busy, and even when the performance of the device is lowered, for example, by lowering the CPU clock. This also benefits from power consumption.

According to another embodiment of the password-based authentication and key exchange method according to the present invention, it is possible to perform password-based authentication and key exchange using the hashed c (see Fig. 2).

Among the above-mentioned protocols, c may be implemented as a hash form of c rather than a random number. In other words, if c = h ₄ (m) is obtained, it is not necessary to send c together in [2], and c = h ₄ (m) can be obtained directly from the client side. However, if, when the rescued c g ^c in this way, so the must be known in order to obtain the m (c, g ^c mod p) will not be able to release the pair of pre-calculated.

If the server does not have a precomputed pair (c, g ^c mod p), the server can reduce the size of the message by generating c for m. In this case, the client computes c = h ₄ (m) if c does not arrive from the server. This has the disadvantage of not being able to precompute (c, g ^c mod p) pairs, but it does reduce the size of messages sent between the client and server.

As described above with reference to the drawings illustrating a password-based authentication and key exchange method according to the present invention, the present invention is not limited by the embodiments and drawings disclosed herein, but within the technical scope of the present invention Of course, various modifications can be made by those skilled in the art.

1 conceptually illustrates a password based authentication and key exchange method in accordance with the present invention;

2 conceptually illustrates a password-based authentication and key exchange method according to another embodiment of the present invention;

3 is a table showing the required dictionary and real-time calculation amount of the protocol in the password-based authentication and key exchange method according to the present invention.

Claims (14)

In a method for exchanging a key for password authentication between a client and a server over a network, The client randomly generates a random number b regardless of the password π and precomputes and stores a plurality of (b, m = g ^b mod p) pairs, and the server generates a random number c regardless of the user ID (C). Randomly generate and store a plurality of (c, g ^c mod p) pairs in advance, and the server randomly generates a random number y in relation to the user ID (C) to generate a plurality of (y, β = υ). a first step of precomputing and storing a pair of ^y mod p (β is key material information); When the client receives a user ID (C) and a password (π) from the user, selects any one of the pre-calculated number (b, m) and transmits the user ID (C) and m to the server. A second step of doing; The server receiving the user ID (C) and m receives the session key generation coefficient μ using the β of any one of the pre-calculated (y, β = υ ^y mod p), the m, and the random number c, y. After calculating, transmitting a μ and c to the client; After receiving the μ and c, the client extracts the key material information α using the hash values u of the μ, c, b, and user ID, calculates the key exchange element k ₁ using the α, and then Transmitting to a server; The server receiving the k ₁ , after calculating a key exchange element k ₂ , if the result is equal to the k ₁ , transmitting the k ₂ to the client and generating a session key sk _s ; Comparing the k ₂ with k ₁ as k ₂ ′, and if the result is the same, the client generates a session key sk _c ; Password-based authentication and key exchange method comprising a. The method according to claim 1, The session key generation factor [mu] is generated at the server by the following equation (1). Equation (1): μ = (mυg ^c ) ^y mod p (Where c and y are random numbers, p is a prime number with p = rq + 1 for any r mutually different from p, and υ is the user's profile stored on the server) The method according to claim 1, And the key material information α is generated at the client by the following equation (2). Equation (2): α = μ ^{u / (b + u + c)} mod p (Where b and c are random numbers, u is the hash value of the user ID, p is a decimal number with p = rq + 1 for any r that is disjoint from p) The method according to claim 1, And said key exchange element k ₁ is a hash value comprising said key generation coefficient [mu], said key material information [alpha], said m and user ID (C). The method according to claim 1, And the key exchange element k ₂ is a hash value including the key generation coefficient μ, the key material information β, the m, and a user ID (C). The method according to claim 1, And disabling the protocol if the result values of the key exchange elements k ₁ and k ₂ are not equal in the fifth step. The method according to claim 1, And disabling the protocol if the result values of the key exchange elements k ₂ and k ₂ ^′ are not equal in the sixth step. In a method for exchanging a key for password authentication between a client and a server over a network, The client randomly generates a random number b irrespective of the password π, extracts the key material information m (m = g ^b mod p) using the b, and then stores the user ID C and the server m. Transmitting to the first step; The server receiving the user ID C and m randomly generates a random number y, extracts the key material information β (β = υ ^y mod p) using the ^y , and extracts the hash value of m. A second step of extracting a random number c, calculating a session key generation coefficient μ using the m and the random numbers c, y, and then transmitting μ to the client; The client receiving the μ extracts the hash value of m as a random number c, extracts key material information α using the hash value u of the μ, c, b, and user ID, and uses the α to obtain a key. Calculating a switching element k ₁ and transmitting it to the server; The server receiving the k ₁ , after calculating a key exchange element k ₂ , if the result is equal to the k ₁ , transmitting the k ₂ to the client and generating a session key sk _s ; After comparison with the k ₂ in the k ₁ to k ₂ ', the result is the same if the client a fifth step of generating the session key sk _c Password-based authentication and key exchange method comprising a. The method according to claim 8, The session key generation factor [mu] is generated in a server by the following equation (3). Equation (3): μ = (mυg ^c ) ^y mod p Where c is a hash value of m, y is a random number, p is a decimal number with p = rq + 1 for any r that is mutually different from p, and υ is the user's profile stored on the server. The method according to claim 8, And the key material information α is generated at the client by the following equation (4). Equation (4): α = μ ^{u / (b + u + c)} mod p (Where b is a random number, c is a hash value of m, u is a hash value of the user ID, p is a decimal number with p = rq + 1 for any r that is mutually independent of p) The method according to claim 8, And said key exchange element k ₁ is a hash value comprising said key generation coefficient [mu], said key material information [alpha], said m and user ID (C). The method according to claim 8, And the key exchange element k ₂ is a hash value including the key generation coefficient μ, the key material information β, the m, and a user ID (C). The method according to claim 8, And disabling the protocol if the result values of the key exchange elements k ₁ and k ₂ are not equal in the fourth step. The method according to claim 8, And disabling the protocol if the result values of the key exchange elements k ₂ and k ₂ ^′ are not equal in the fifth step.

Images