Universally Composable Gateway-Oriented Password-Authenticated Key Exchange Protocol

Gateway-oriented password-authenticated key exchange(GPAKE) protocol is an important cryptographic primitive executed among a client, a gateway and an authentication server, where a password is only shared between the client and the server, but a session key which has high-entropy is exchanged between the client and the gateway. Because of their convenience in practice, GPAKE protocols have attracted much attention in recent years. However, almost all existing GPAKE protocols are analyzed only in `stand-alone' security models, in which some basic security goals, such as protocol composability and security when related passwords are used by one user within different protocols, are not considered. To overcome these deficiencies, we consider the security definition of GPAKE in the well-known Universal Composability (UC) framework. We first formulate an ideal functionality within the UC framework for GPAKE protocols, which captures the requirements of semantic security of session keys, resistance to password-guessing attacks mounted by malicious gateway, key privacy with respect to the honest-but-curious server, as well as protocol composable security. Moreover, since in the formulation of the GPAKE functionality we let the environment choose passwords for all parties, our definition captures the cases that related passwords are used by different parties, or by the same parties for different protocols, even when the passwords are selected from arbitrary probability distribution. In addition, by utilizing cryptographic primitives such as UC secure 2-party protocols and message authentication codes, we put forward a general construction of GPAKE protocol, which can be instantiated to several concrete protocols. We then prove the security of our construction rigorously in the UC framework, i.e., the construction can securely realize the GPAKE functionality. © 2017, Science Press. All right reserved.