2274 IEEE TRANSACTIONS ON WIRELESS COMMUNICATIONS, VOL. 8, NO. 5, MAY 2009

A Note on Leakage-Resilient Authenticated Key Exchange

Ji Young Chun, Jung Yeon Hwang, and Dong Hoon Lee, Member, IEEE

Abstract—Fathi et al. recently proposed a leakage-resilient authenticated key exchange protocol for a server-client model in a mobility environment over wireless links. In this paper, we address flaws in a hash function used in the protocol. The direct use of the hash function cannot guarantee the security of the protocol. We also point out that the combination of the hash function and the RSA cryptosystem in the protocol may not work securely. To remedy these problems, we improve upon the protocol by modifying the hash function correctly.

Index Terms—Password, authentication, key exchange, leakage-resilience, e-residue attack, off-line dictionary attack.

Manuscript received May 29, 2008; revised July 16, 2008 and October 27, 2008; accepted January 11, 2009. The associate editor coordinating the review of this letter and approving it for publication was I. Habib. The authors are with the Graduate School of Information Management and Security, CIST, Korea University, Seoul, Korea (e-mail: {jychun, videmot, donghlee}@korea.ac.kr). This work was supported by the Korea Research Foundation Grant funded by the Korean Government (MOEHRD, Basic Research Promotion Fund) (KRF-2008-314-D00412). Digital Object Identifier 10.1109/TWC.2009.080693

I. INTRODUCTION

Combining wireless communication technologies with an appropriate security architecture is one of the most important issues in the upcoming network mobility (NEMO) environment. The notion of mobility was once bounded to hosts, but is being extended to an entire network, where a mobile node is able to maintain continuous connectivity for its applications even in a visited network. This extension makes the incorporation of wireless communications more complicated, including its security problems. In particular, to properly handle authentication, authorization and accounting (AAA) issues for handover procedures, reliable communication should be provided between mobile routers and visiting mobile nodes. One of the most fundamental primitives for building reliable communication is an authenticated key exchange (AKE) protocol. An AKE protocol allows participants over an insecure public network to establish a common secret key, which may later be used by a security architecture, while assuring that the key is shared with the intended participants.

The most classical way to add authentication to key exchange is to sign the keying material, the signature then being verified against a corresponding certificate. Unfortunately, this approach based on a PKI (Public Key Infrastructure) [6] requires complex key management via CRLs (Certificate Revocation Lists) or OCSP (Online Certificate Status Protocol). One way to avoid such infrastructure is to use passwords for authentication, especially when a PKI is not suitable, as in NEMO environments, or when tamper-resistant modules for storing secret keys are not available. A password-based AKE (PAKE) protocol allows a client (i.e., a mobile node in a NEMO environment) and an authentication server to establish a common secret key through implicit authentication of a pre-shared password. Since a low-entropy password can easily be memorized by a human, PAKE protocols have been extensively investigated for practical use [9], [13]–[15].

The most devastating threat against a security architecture supporting mobile systems is the exposure of secret keys. Computer viruses, misconfigurations of the related systems, and lost or stolen portable devices all increase the risk of key exposure. One promising way to deal with this threat is to split the key and distribute partial information about it across multiple entities via secret sharing [10]. Combining secret sharing [3] and proactivity techniques [8] with PAKE, several PAKE protocols have achieved a stronger security property, leakage resilience: the leakage of a stored secret from a client or a server (but not both) does not reveal any useful information about the password [4], [5], [11], [12]. Such a protocol is called a leakage-resilient authenticated key exchange (LR-AKE) protocol.

Recently, Fathi et al. proposed an efficient client-server LR-AKE protocol for NEMO environments [4], [5] to properly handle the authentication, authorization and accounting (AAA) issues of RFC 3963, standardized by the IETF NEMO working group. In the protocol, clients perform relatively little computation, so the protocol is well suited to "unbalanced" computational environments such as NEMO, where a client holds a mobile device with limited resources while a server has relatively powerful computing resources.

In this paper, we address serious vulnerabilities in Fathi et al.'s LR-AKE protocol. These security breaches are mainly caused by the incorrect construction of a hash function that is used to verify the server's public key in the public-key verification phase of the protocol. First, we show that the protocol, when the hash function has a small output, may not be resilient against leakage of stored secret values. To show this, we concretely present efficient e-residue attacks, in particular cubic-residue attacks [12], on Fathi et al.'s protocol. The attacks enable an adversary to mount an off-line dictionary attack using a secret stored on a user device. To guarantee security against the proposed attack when the hash function has a large output, one would have to assume that the problem of finding cubic residues modulo a composite number within a certain range is computationally hard. However, to the best of our knowledge, such an assumption has never been proven and has not even been sufficiently studied. We also point out another weakness of the hash function. Fathi et al.'s protocol uses the RSA signature scheme to alleviate the computational burden on user devices. Unfortunately, the hash function in the protocol is not securely associated with the RSA function. To remedy all of these problems, we present a simple improvement of the protocol by modifying the hash function correctly.

1536-1276/09$25.00 © 2009 IEEE
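The introduction refers to e-residue attacks, and to cubic residues in particular, without spelling out the number-theoretic fact they rest on. The following Python script is an added illustration (it is not code from this paper, and it does not reproduce Fathi et al.'s protocol or the attack on it): when the server's RSA exponent e shares a factor with φ(N), the map x ↦ x^e mod N is no longer a permutation of the units, and whoever chose N can decide e-th residuosity of any value cheaply from the factors, while a party holding only (N, e) cannot. The primes, exponents and candidate values are small constructed examples chosen so that everything can be checked by brute force; the function names are ours.

```python
"""Cubic-residue (e-residue) structure of an RSA modulus.

Added illustration, not code from Chun et al. or Fathi et al.
Assumption: the adversary chooses (N, e) and therefore knows p and q;
the honest party sees only (N, e).  All moduli here are tiny so that
brute force over the units of Z_N is feasible.
"""
from math import gcd


def is_prime(n):
    """Trial division; adequate for the small illustrative primes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def is_permutation(e, p, q):
    """x -> x^e mod pq is a bijection on the units iff gcd(e, phi(N)) == 1.

    Only someone who knows p and q can evaluate this; a client holding
    just (N, e) cannot, which is the gap a public-key verification phase
    has to close.
    """
    return gcd(e, (p - 1) * (q - 1)) == 1


def is_eth_residue(x, e, p, q):
    """Decide whether the unit x is an e-th power residue modulo N = pq.

    Uses the factors: x is an e-th residue modulo a prime r iff
    x^((r-1)/gcd(e, r-1)) == 1 (mod r), and by the CRT a unit is an
    e-th residue modulo pq iff it is one modulo p and modulo q.
    """
    for r in (p, q):
        g = gcd(e, r - 1)
        if pow(x % r, (r - 1) // g, r) != 1:
            return False
    return True


def residue_count(e, p, q):
    """Brute-force count of e-th residues among the units of Z_N (small N only).

    Returns (number of e-th residues, number of units).  With e = 3 and
    3 | p-1 only one third of the units are cubic residues; if 3 divides
    both p-1 and q-1 the fraction drops to one ninth.
    """
    n = p * q
    units = [x for x in range(1, n) if gcd(x, n) == 1]
    image = {pow(x, e, n) for x in units}
    return len(image), len(units)


def oracle_matches_bruteforce(e, p, q):
    """Sanity check: the factor-based test agrees with the brute-force image."""
    n = p * q
    units = [x for x in range(1, n) if gcd(x, n) == 1]
    image = {pow(x, e, n) for x in units}
    return all(is_eth_residue(x, e, p, q) == (x in image) for x in units)


def partition_candidates(values, e, p, q):
    """Split a candidate set by residuosity, as an e-residue oracle would.

    An adversary who can learn, for a password-derived value, whether it is
    an e-th residue modulo a modulus of their own choosing discards the
    candidates on the wrong side of this split; repeating with fresh moduli
    is the off-line dictionary attack the paper refers to.
    """
    n = p * q
    units = [v for v in values if gcd(v, n) == 1]
    residues = [v for v in units if is_eth_residue(v, e, p, q)]
    non_residues = [v for v in units if not is_eth_residue(v, e, p, q)]
    return residues, non_residues


if __name__ == "__main__":
    # Constructed parameters: 7 = 1 (mod 3) makes cubing 3-to-1 modulo 7.
    for p, q in ((7, 11), (13, 7), (5, 11)):
        assert is_prime(p) and is_prime(q)
        r, u = residue_count(3, p, q)
        print(f"N={p*q:3d} e=3 permutation={is_permutation(3, p, q)!s:5} "
              f"cubic residues {r}/{u}")
    # Constructed candidate values standing in for password-derived units.
    res, non = partition_candidates(range(2, 40), 3, 7, 11)
    print(f"candidates kept as residues: {len(res)}, discarded: {len(non)}")
```

For (p, q) = (7, 11) the script reports 20 of the 60 units as cubic residues, for (13, 7) only 8 of 72, and for (5, 11), where gcd(3, φ(N)) = 1, all 40. The honest client, holding only (N, e), cannot evaluate is_permutation; that asymmetry is what a public-key verification phase has to remove, and the paper's point is that the hash-based check in Fathi et al.'s protocol does not remove it.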