This preview shows page 1. Sign up to view the full content.
Unformatted text preview: s and sends Alice: EP(grB mod n), EK(RB) (3) Alice decrypts the first half of Bob’s message to obtain grB mod n. Then she calculates K and uses K to decrypt RB. She generates another random string, RA, encrypts both strings with K, and sends Bob the result. EK(RA, RB) (4) Bob decrypts the message to obtain RA and RB. Assuming the RB he received from Alice is the same as the one he sent to Alice in step (2), he encrypts RA with K and sends it to Alice. EK(RA) (5) Alice decrypts the message to maintain RA. Assuming the RA she received from Bob is the same as the one she sent to Bob in step (3), the protocol is complete. Both parties now communicate using K as the session key. Strengthening EKE
Bellovin and Merritt suggest an enhancement of the challenge-and-response portion of the protocol—to prevent a possible attack if a cryptanalyst recovers an old K value. Look at the basic EKE protocol. In step (3), Alice generates another random number, SA, and sends Bob EK(RA, SA) In step (4), Bob generates another random number, SB, and sends Alice EK(RA, RB, SB) Alice and Bob now can both calculate the true session key, SA • SB. This key is used for all future messages between Alice and Bob; K is just used as a key-exchange key. Look at the levels of protection EKE provides. A recovered value of S gives Eve no information about P, because P is never used to encrypt anything that leads directly to S. A cryptanalytic attack on K is also not feasible; K is used only to encrypt random data, and S is never encrypted alone. Augmented EKE
The EKE protocol suffers from one serious disadvantage: It requires that both parties possess the P. Most password-based authentication systems store a one-way hash of the user’s password, not the password itself (see Section 3.2). The Augmented EKE (A-EKE) protocol uses a one-way hash of the user’s password as the superencryption key in the Diffie-Hellman variant of EKE. The user then sends an extra message based on the original password; this message authenticates the newly chosen se...
View Full Document
- Fall '10