Authors: 胡学先 [1,2,3], 张启慧 [1], 张振峰 [2], 刘凤梅
Affiliations: [1] PLA Information Engineering University, Zhengzhou 450002; [2] Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190; [3] Science and Technology on Information Assurance Laboratory, Beijing 100072
Source: Chinese Journal of Computers (《计算机学报》), 2017, No. 5, pp. 1109-1120 (12 pages)
Funding: National Basic Research Program of China (973 Program) (2013CB338003; 2012CB315905); National Natural Science Foundation of China (61502527; U1536205; 61379150; 61572485); China Postdoctoral Science Foundation (2014M552524); Open Fund of the Science and Technology on Information Assurance Laboratory (KJ-14-004)
Abstract: Gateway-oriented password-authenticated key exchange (GPAKE) protocol is an important cryptographic primitive executed among a client, a gateway and an authentication server, where a password is shared only between the client and the server, but a high-entropy session key is exchanged between the client and the gateway. Because of their convenience in practice, GPAKE protocols have attracted much attention in recent years. However, almost all existing GPAKE protocols are analyzed only in 'stand-alone' security models, in which some basic security goals, such as protocol composability and security when related passwords are used by one user within different protocols, are not considered. To overcome these deficiencies, we consider the security definition of GPAKE in the well-known Universal Composability (UC) framework. We first formulate an ideal functionality within the UC framework for GPAKE protocols, which captures the requirements of semantic security of session keys, resistance to password-guessing attacks mounted by a malicious gateway, key privacy with respect to the honest-but-curious server, as well as protocol composable security. Moreover, since in the formulation of the GPAKE functionality we let the environment choose passwords for all parties, our definition captures the cases in which related passwords are used by different parties, or by the same parties for different protocols, even when the passwords are selected from an arbitrary probability distribution. In addition, by utilizing cryptographic primitives such as UC-secure two-party PAKE protocols and message authentication codes, we put forward a general construction of GPAKE protocol, which can be instantiated to several concrete protocols. We then prove the security of our construction rigorously in the UC framework, i.e., the construction securely realizes the GPAKE ideal functionality.
Keywords: provable security; universal composability; password authentication; key exchange; gateway protocol
Classification code: TP309 [Automation and Computer Technology: Computer System Architecture]