Information Technology Reference
In-Depth Information
Step 1
. The Key server computes
s
= (
g
k
)
-1
mod
L
. Then the server chooses a random
number
a
, such that
a
<
x
i
, for every
x
i
, and multicasts
a·s
and
h
(
a
), where
h
(
a
) is the
output of a hash operation not specified in [1].
Step 2
. Every member
i
receives the authentication message and computes the value
h
(
a·s·r
mod
x
i
) which should be equal to the value
h
(
a
) received if
x
i
is a factor of
L
.
5 Breaking the Authentication Protocol
As it is described in section 3, the main weakness of the key refreshment scheme
proposed in [1] resides on the fact that any user could impersonate the server, generat-
ing forged refreshment messages, from the knowledge of a multiple of
L
.
The protocol described in previous section tries to avoid this situation. However,
the same weakness described in section 3, allows the members to break the authenti-
cation protocol in such a way that they could generate forged refreshment that will be
considered as authentic by the recipients.
The procedure to break the protocol is the following.
Step 1
. Let us consider that the member
h
wants to impersonate the Key server. The
member
h
knows a multiple of
L
, computed as it is described in section 3. He gener-
ates new values for the system parameters, that is, m', p', g',
δ
' and k'. Then, he com-
putes
u
',
v
' applying the extended Euclidean algorithm to
' and the multiple of
L
,
v·L
.
In this point, the member
h
begins with the authentication protocol described in sec-
tion 4 using
v·L
instead of
L
, that is, he generates
s
' = (
g
'
k
'
)
-1
mod
vL
, and chosses
a
' at
random. Then, he sends the forged refreshment (
m
',
g
',
u
') and the authentication mes-
sage (
a'·s'
, h(
a
')).
δ
' =
u
'
-1
mod
x
i
, and the
refreshed key
r
' =
g
'
δ'
mod
m
'. Then, in order to authenticate the refreshment, he com-
putes
h
(
a
'·
s
'·
r
' mod
x
i
). As one can easily observe,
h
(
a
'·
s
'·
r
' mod
x
i
) =
h
(
a
) since the
system parameters have been selected in the same way as the server does, and
x
i
is a
factor of
L
, and a factor of any multiple of
L
.
Step 2
. The member i receives the message and computes
δ
6 Zero-Knowledge Protocol
In [1], a zero-knowledge protocol is proposed to verify that the information is distrib-
uted over legal peers. In other words, the aim of the protocol is to verify that a given
peer
j
holds a valid ticket
x
j
. It is supposed that the two peers involved in this protocol
have previously obtain key r using the key refreshment scheme described in section 2.
The protocol is as follows:
Step 1
.
Peer
i
chooses a random integer
r
such that 1 <
r
<
m
and sends it to the
Key server.
Step 2
.
The Key server computes
inv
=
r
-1
mod
L
and sends it to
i
.
Step 3
.
Peer
i
sends (
inv
,
g
xi
mod
m
) to peer
j
.
Step 4
. Peer
j
calculates
r
j
=
inv
-1
mod
x
j
, β
j
=
r
j
·(
g
xi
)
xj
mod
m
and sends (β
j
,
g
xj
) to
peer
i
.
Step 5
.
Peer
i
computes β
i
=
r
·(
g
xj
)
xi
, which should be equal to β
j
.
Search WWH ::
Custom Search