
Design and Analysis of Authenticated Key Establishment Protocols Based on CPK or Password

Posted on: 2011-07-09
Degree: Master
Type: Thesis
Country: China
Candidate: S F Deng

Abstract/Summary:
An authenticated key establishment (AKE) protocol allows users to establish a secure session key on the foundation of identity authentication, and is one of the fundamental building blocks of secure communication. To achieve identity authentication, each user needs to own some secret information, such as high-entropy secret keys or low-entropy passwords. Because passwords are drawn from a small set of values, they are easy for users to remember; this has drawn the attention of many cryptographers to password-based authenticated key exchange (PAKE) protocols, but it also makes PAKE protocols vulnerable to dictionary attacks. With the remarkable improvement in computation and storage capability, public key technology is used more and more for identity authentication in AKE protocols, which in turn introduces the problem of large-scale key management. Combined public key (CPK) cryptography is an efficient identity-based public key management scheme from China. It does not require certificates to guarantee the authenticity of public keys, achieves offline public key authentication, and avoids the key escrow problem of identity-based cryptography. Compared to the other schemes, CPK has many advantages.

The focus of this thesis is the design and analysis of three-party PAKE and CPK-based AKE protocols. The main goal is to exploit the advantages of CPK and to make the new protocols competitive with existing protocols in one or more aspects. The main work consists of the following three parts.

1. To address the problem of large-scale end-to-end communication, three-party PAKE protocols are suggested, which give each user the capability of communicating securely with many users while only requiring the user to share a single password with the server. Because of the strong requirements of the ideal model, and inspired by the design of two-party PAKE protocols in the standard model, we propose an efficient three-party PAKE protocol (3PAKE-1) in the standard model using a secure message authentication code and the ElGamal encryption scheme. Proofs of its forward security and key privacy are also given. Next, we present detailed security analyses of two verifier-based PAKE protocols for three parties and point out their security holes. Finally, we improve one of them and present a rigorous security proof of the improved protocol (NLWZ). Compared with previous protocols, the NLWZ and 3PAKE-1 protocols have some advantages in terms of computation and communication.

2. Aiming at the requirements of secure group communication, two efficient one-round group key transfer protocols based on CPK are first presented, both of which are authenticated using two factors: a password and a smart card. In the first protocol, the temporary keys are protected by the Chinese Remainder Theorem (CRT), and the protocol is provably secure under the CDH assumption. In the second protocol, the temporary keys are generated by combining elements of the secret random number matrix (SRM). The secure renewal process of the SRM is also given. In contrast to the other group key transfer protocols, they are more secure and practical. Next, based on CPK, we propose an efficient two-round group key exchange protocol (GKA) and present its proof of forward secrecy under the CDH assumption. The GKA protocol supports multiple member join/leave operations efficiently and needs only a small amount of computation and communication to renew the group key. At the same time, it also assures backward secrecy and forward secrecy. Compared to the other group key exchange protocols, the GKA protocol is more efficient and more suitable for groups with high user dynamics.

3. To address the problem of secret information leakage during a session, we present an efficient two-party AKE protocol (2-AKE) with strong security using the CPK scheme, which is provably secure in the standard model under the DDH assumption. The 2-AKE protocol keeps the session key secret from the adversary unless both the ephemeral private key and the static private key of one user are compromised. Next, we improve the GKA protocol to obtain a dynamic group key exchange protocol (SGKA) with strong security and present its detailed security analysis. Compared to existing protocols, the 2-AKE and SGKA protocols not only assure strong security but are also more efficient.

Keywords/Search Tags:CPK, Password-based Authentication, Key Establishment, Provable Security, Strong Security, Standard Model, Dynamic Group, Two-factor authenticated, Verifier-based