
Research On Security Model And Design Of Gateway-Oriented Password-Authenticated Key Exchange Protocols

Posted on: 2012-05-28
Degree: Doctor
Type: Dissertation
Country: China
Candidate: F S Wei
Full Text: PDF
GTID: 1118330371962502
Subject: Cryptography

Abstract/Summary:
Gateway-oriented password-based authenticated key exchange (GPAKE) protocols allow a client and a gateway to establish a common session key with the help of an authentication server. The client and the server initially share a low-entropy password for authentication, but the gateway is responsible for the client's connection and data transmission, so the session key is shared between the gateway and the client. The GPAKE model is particularly suitable for mobile internet application scenarios such as roaming services, mobile payment and mobile banking. In 2005, Abdalla et al. put forward the notion of GPAKE protocols for the first time. Since then, GPAKE protocols have attracted wide interest from cryptographers and enterprises because of their usefulness and practical aspects, and research on GPAKE has become a particularly active direction within PAKE research. Over the years, the security models and protocol designs for GPAKE have become more and more mature. Nevertheless, with the rapid development of network technology and value-added business, research on the design of GPAKE protocols is still of practical and application importance.

In this thesis, we aim to study the security model and the design of GPAKE protocols systematically. We research how to propose security models with stronger security for GPAKE by refining the security goals. We then propose several efficient and strongly secure GPAKE protocols using different cryptosystems, together with a generic framework for GPAKE protocols. We also research client anonymity in GPAKE protocols to protect the privacy of clients.

The main results of the thesis are as follows:

1. Existing GPAKE protocols are analyzed and improved. We point out that the anonymous GPAKE protocol designed by Abdalla et al. in 2008 is vulnerable to undetectable on-line dictionary attacks. We also show that the optimized GPAKE protocol O-GPAKE presented by Yoon et al. in 2010 has computation redundancy and incorrect design principle problems. To solve these problems, we design two GPAKE protocols using the Diffie-Hellman key exchange and the RSA cryptosystem, respectively. We then formally prove that our protocols resist undetectable on-line dictionary attacks. Compared with related schemes, our protocols achieve mutual authentication and are more efficient.

2. The design of GPAKE with client anonymity is researched. Designing anonymous GPAKE protocols is a difficult task because it must attend to client privacy and protocol efficiency at the same time, and work on anonymous GPAKE protocols is far from mature. Based on the design principles of anonymous two-party PAKE protocols and private information retrieval protocols, we propose two efficient and strongly secure anonymous GPAKE protocols, which achieve user anonymity and resistance against undetectable on-line dictionary attacks. In this way, we show that GPAKE protocols can achieve both client anonymity and resistance to undetectable on-line dictionary attacks at the same time.

3. GPAKE protocols in the standard model are presented. Firstly, we propose the first GPAKE protocol in the standard model, S-GPAKE, by extending two-party PAKE protocols in the standard model to the gateway-oriented setting. Then we present a generic framework for GPAKE in the standard model using generic building blocks such as public-key encryption schemes and smooth projective hash functions. The generic framework, an abstraction and generalization of the S-GPAKE protocol, uses a modular design and proof approach. From it we can derive various efficient GPAKE protocols that can be proven secure in the standard model under the DDH assumption, the quadratic residuosity assumption and the N-residuosity assumption.

4. We study how to propose security models with stronger security for GPAKE protocols. The existing security models for GPAKE protocols are not strong enough to capture some new kinds of attacks, such as the undetectable on-line dictionary attack, ephemeral key leakage and the password compromise impersonation attack. To achieve stronger security for GPAKE protocols, we first assume a symmetric setting, in which the client and the server share a password for authentication and the authenticated channel between the gateway and the server is established with a symmetric secret key; we present a new security model in the symmetric setting which captures forward security and resistance to undetectable on-line dictionary attacks. Secondly, we assume an asymmetric setting, in which the authenticated channel between the gateway and the server is established with asymmetric keys and the client also knows the server's public encryption key besides the shared password; we put forward a stronger security model in the asymmetric setting which captures ephemeral key leakage resilience and the password compromise impersonation attack.
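As an added illustration (not any protocol from this thesis), the following Python model shows the symmetric setting described above: the client and the authentication server share a password, the gateway and the server share a symmetric key, the session key ends up shared by the client and the gateway only, and every client authenticator is verified at the server so that a failed password guess is counted rather than passing unnoticed. The toy group, message labels, class names and the blinding with a server-chosen exponent are my own assumptions.

```python
import hashlib, hmac, secrets
# Toy group: safe prime P = 2*Q + 1 (Q = 2039 prime) and G = 4, a quadratic residue that
# generates the order-Q subgroup; a deployment would use an RFC 7919 group or a curve.
P, Q, G = 4079, 2039, 4
rand = lambda: secrets.randbelow(Q - 1) + 1          # non-zero exponent mod Q
def H(*parts):                       # hash a labelled transcript to 32 bytes
    return hashlib.sha256(b"|".join(str(p).encode() for p in parts)).digest()
def mask(pw):                        # password-derived group element that blinds X
    return pow(G, int.from_bytes(H("pw", pw), "big") % Q, P)
def mac(key, *parts):                # gateway<->server channel under their shared key
    return hmac.new(key, H(*parts), "sha256").digest()

class Client:                        # knows only its password
    def __init__(self, cid, pw):
        self.cid, self.x = cid, rand()
        self.Xm = pow(G, self.x, P) * mask(pw) % P      # X = G^x, sent blinded
    def prove(self, B, S):           # proof of the password, tied to the server's fresh S
        self.B = B
        return H("auth", self.cid, self.Xm, B, S, pow(S, self.x, P))
    def key(self):                   # G^(x*y*r): known only to client and gateway
        return H("sk", self.cid, self.Xm, pow(self.B, self.x, P))

class Server:                        # knows passwords and the gateway key, never the session key
    def __init__(self, passwords, gk):
        self.pws, self.gk, self.failures, self.pending = passwords, gk, {}, {}
    def round1(self, cid, Xm, Y, tag):
        if not hmac.compare_digest(tag, mac(self.gk, "r1", cid, Xm, Y)):
            return None              # not from the gateway: ignore
        X = Xm * pow(mask(self.pws[cid]), -1, P) % P   # unblind with the stored password
        r, s = rand(), rand()        # r blinds X so the gateway never learns mask(pw)
        A, B, S = pow(X, r, P), pow(Y, r, P), pow(G, s, P)
        self.pending[(cid, Xm)] = (B, S, pow(X, s, P))
        return A, B, S, mac(self.gk, "r1ok", cid, Xm, A, B, S)
    def round2(self, cid, Xm, auth, tag):
        B, S, Ks = self.pending.pop((cid, Xm))
        ok = (hmac.compare_digest(tag, mac(self.gk, "r2", cid, Xm, auth))
              and hmac.compare_digest(auth, H("auth", cid, Xm, B, S, Ks)))
        if not ok:                   # a wrong guess is visible here and gets counted
            self.failures[cid] = self.failures.get(cid, 0) + 1
        return ok, mac(self.gk, "verdict", cid, Xm, int(ok))

def gateway_session(client, server, gk):   # gateway: relays, adds y, keys only on accept
    cid, Xm, y = client.cid, client.Xm, rand()
    Y = pow(G, y, P)
    A, B, S, tag = server.round1(cid, Xm, Y, mac(gk, "r1", cid, Xm, Y))
    assert hmac.compare_digest(tag, mac(gk, "r1ok", cid, Xm, A, B, S))
    auth = client.prove(B, S)        # B and S are relayed to the client unchanged
    ok, tag = server.round2(cid, Xm, auth, mac(gk, "r2", cid, Xm, auth))
    assert hmac.compare_digest(tag, mac(gk, "verdict", cid, Xm, int(ok)))
    return H("sk", cid, Xm, pow(A, y, P)) if ok else None
```

The server sees X only after unblinding with the stored password and returns it to the gateway raised to a fresh exponent, so neither the gateway nor an eavesdropper obtains a value that can be tested against password guesses off-line, while each on-line guess must pass through round2 and is counted there.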
Keywords/Search Tags: Gateway, Password Authenticated Key Exchange, Security Model, Undetectable On-line Dictionary Attack, Privacy Protection, Generic Framework