網路的認證與保密對網路通訊安全而言是非常重要的議題。為達到使用者身份的認證與資料傳輸的保密之目的，近幾年來已有許多對於認證與金鑰協議 (Authentication and Key Agreement) 之網路通訊研究陸陸續續被提出。從Bellovin 與Merritt在1992年首先提出兩方認證金鑰交換協定後，已有許多安全有效的兩方認證金鑰交換協定已被提出。此外，認證金鑰交換協定之正規安全性證明的提出，使得兩方認證金鑰交換的研究更加成熟。隨著電腦通訊與網路技術的發展，三方與多方通訊也逐漸成為網路安全上的重要研究主題。直接利用既有的兩方認證金鑰交換協定去建構三方或多方通訊認證金鑰交換協定的方法固然可行，但往往使得整個協定的通訊效能大幅度的降低。因此，本論文將著重於三方與多方認證金鑰交換協定的設計，並探討其通訊效能。
三方 (Three-Party，包含一被信任的server以及兩個欲通訊的用戶端clients) 認證金鑰交換 (Authenticated Key Agreement or Authenticated Key Exchange) 之通訊協定為：與server分別共享一把長久的金鑰 (a long-lived key) 以作為身分認證之兩個欲通訊的用戶端，透過server的協助能在不安全的網路上交換保密而且可認證的資訊。在1993年，Gong針對此方面 (三方認證金鑰交換通訊協定) 提出通訊所需之訊息數與回合數的下界 (lower bounds on the numbers of messages and rounds)，並提出通訊次數達到下界的三方認證金鑰交換之通訊協定。然而，Gong所提的通訊所需之下界，並不適用於會議金鑰 (session key) 植基於Diffie-Hellman問題之三方認證金鑰交換通訊協定，由於此種通訊協定，用戶端無須透過server的協助便能直接交換產生會議金鑰的組成因子。因此，通訊所需之訊息數與回合數便能減少。本論文將針對三方認證金鑰交換之通訊協定，提出新的通訊所需之訊息數與回合數的下界，其值皆比Gong所題之下界還低。此外，本論文亦提出三方認證金鑰交換之通訊協定，其通訊所需之訊息數與回合數比Gong所提出的下界還少。更進一步，我們依據Bellare與Rogaway於1995年及Bellare、Pointcheval與Rogaway於2000年所提出之證明安全性的模式，來證明我們所提出的三方認證金鑰交換之通訊協定的安全性。
群體認證金鑰交換之通訊協定 (group authenticated key agreement protocols) 為：一群通訊者彼此身分認證後，產生一把共同的秘密金鑰，藉此金鑰，參與者可於不安全的網路上安全地傳遞訊息。本論文亦針對群體認證金鑰交換，提出一植基於bilinear pairing、高效率且具容錯能力的通訊協定。在所提出的通訊協定中，所有成員僅需要在一次回合 (one round) 中，將用來產生一把共同的秘密金鑰的因子廣播給其他成員後，所有成員便能同時計算出這把共同的秘密金鑰，並且運用bilinear pairing中Gap Diffie-Hellman的特性來有效地偵測並排除有問題的成員。因此，所提出的群體認證金鑰交換之通訊協定具有公平 (fairness) 與容錯 (fault-tolerance) 之特性。
此外，本論文亦討論Boyd 與 Nieto於2003年，所提出的群體認證金鑰交換之通訊協定，該協定在通訊上僅需一次回合，即達通訊回合數之最佳化 (round-optimal)。儘管Boyd 與 Nieto所提出的群體認證金鑰交換之通訊協定已利用Bellare與Rogaway所提出之證明安全性的模式下證明其安全性，然而，此通訊協定在安全上仍有下列缺點：一、惡意的成員偽冒經授權的成員，無法被偵測出來；二、惡意的成員企圖孤立其他部分成員，亦無法被察覺出來。本論文將分析以上所述的缺點，提出改進的群體認證金鑰交換之通訊協定，而此改進通訊協定可以避免原通訊協定所遭受的攻擊。

Network authentication and confidentiality are relevant issues in network communication and security. Numerous communication approaches for authentication and key agreement have been developed in recent years to authenticate users and protect data confidentiality. Since Bellovin and Merritt first proposed two-party authenticated key agreement protocols in 1992, many secure and efficient two-party authentication and key agreement protocols have been presented. In addition, the formal security proofs for authenticated key agreement were provided in recent years such that research on two-party authentication and key agreement was quite advanced. With the development of computer, communications and network technology, three-party and group authenticated key agreement protocols are gradually relevant issues in network communications and security. Three-party and group authenticated key agreement protocols can be built on existing secure and efficient two-party authenticated key agreement protocol. However, this method will increase authenticated key agreement protocols overheads on communications. Therefore, this thesis mainly focuses on designing three-party and group authenticated key agreement protocols and discussing their efficiency in communications.
A three-party authenticated key agreement enables each client to securely communicate with another client over an insecure network via a server. In 1993, Gong provided lower bounds on the numbers of messages and rounds for a three-party authenticated key agreement and developed key agreement protocols in order to achieve these lower bounds. However, the lower bounds of communications provided by him are not suitable for three-party authenticated key agreement protocols whose session key security is based on the Diffie-Hellman problem. This is because the clients in these protocols can directly exchange the information for generating the session key without using the server. Thus, the numbers of messages and rounds in communication can be reduced. This study provides new lower bounds for the three-party authenticated key agreement, which are lower than those indicated by Gong. In addition, provably secure three-party authenticated key agreement protocols for realizing the new lower bounds are proposed.
A group authenticated key agreement protocol enables a group of participants to establish a secure common key that can be adopted to encrypt all communications over an insecure channel. This dissertation also proposes a bilinear pairing-based round-efficient and fault-tolerant group key agreement protocol for communication networks. In the proposed protocol, all participants broadcast their components of the common key only once, and can then derive the common key simultaneously. The proposed protocol has fault-tolerance and fairness. All successful participants can certainly obtain a common key, and any failed participant is automatically detected and excluded in the group.
Additionally, this investigation considers the group authenticated key agreement protocol proposed by Boyd and Nieto, which provides round-optimal communication. Although the proposed protocol has been proven secure using Bellare and Rogaway's model, it still suffers several weaknesses, such the inability to identify a malicious participant who impersonates the authorized participant or attempts to isolate some participants. This study investigates these weaknesses, and proposes an improved group authenticated key agreement approach that can avoid the attacks on the original approach.

[1] L. Gong, “Lower bounds on messages and rounds for network authentication Protocols,” Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 26-37, Fairfax, Virginia, November 1993.
[2] L. Gong, “Efficient network authentication protocols: Lower bounds and implementations,” Distributed Computing, vol. 9, no. 3, pp. 131-145, 1995.
[3] L. Gong, M. Lomas, R. Needham and J. Saltzer, “Protecting poorly chosen secrets from guessing attacks,” IEEE Journal on Selected Areas in Communications, vol .11, no. 15, pp. 648-656, 1993.
[4] L. Gong, “Optimal authentication protocols resistant to password guessing attacks,” Proceedings of the 8th IEEE Computer Security Foundation Workshop, pp. 24-29, 1995.
[5] T. Kwon and J. Song, “Authenticated key exchange protocols resistant to password guessing attacks,” IEE Proc.-Commun., vol. 145, no. 5, pp.304-308, 1998.
[6] T. Kwon, M. Kang and J. Song, “An adaptable and reliable authentication protocol for communication networks,” Proc. IEEE INFOCOM 97, Kobe, Japan, pp738-745, 1997.
[7] T. Kwon, M. Kang, S. Jung and J. Song, “An improvement of the password-based authentication protocol (K1P) on security against replay attacks,” IEICE Trans. Commun., vol. E82-B, no. 7, pp.991-997, July 1999.
[8] T. Kwon and J. Song, “Efficient key exchange and authentication protocols protecting weak secrets,” IEICE Trans. Fundamentals, vol. E81-A, no.1, pp.156-163, Jan. 1998.
[9] M. Steniner, G. Tsudik, and M. Waidner, “Refinement and extension of encrypted key exchange,” ACM Operating Syst. Rev., vol. 29, no. 3, pp. 22-30, 1995.
[10] W. Diffie and M. Hellman, “New directions in cryptography,” IEEE Trans. Info. Theory, vol. 22, no. 6, pp. 644-654, 1976.
[11] C.-L. Lin, H.-M. Sun and T. Hwang, “Three-party encrypted key exchange: Attacks and a solution,” ACM Operating Syst. Rev., vol. 34, no. 4, pp. 12-20, 2000.
[12] C.-L. Lin, H.-M. Sun, M. Steiner, and T. Hwang, “Three-party encrypted key exchange without server public-keys,” IEEE Commun. Letters, vol. 5, no. 12, pp. 497-499, 2001.
[13] T.-F. Lee, T. Hwang, and C.-L. Lin, “Enhanced three-party encrypted key exchange without server public keys,” Computers & Security, vol. 23, no. 7, pp. 571-577, October, 2004.
[14] R. Lu and Z. Cao, “Simple three-party key exchange protocol,” Computers & Security, vol. 26, no. 1, pp. 94-97, 2007.
[15] M. Abdalla, and D. Pointcheval, “Simple password-based authenticated key protocols,” Topics in Cryptology - CT-RSA 2005, Lecture Notes in Computer Science vol. 3376, pp. 191-208, Springer-Verlag, 2005.
[16] H.-R. Chung and W.-C. Ku, “Impersonation attacks on a simple three-party key exchange protocol,” 17th Information Security Conference, June 7-8, 2007.
[17] H.-R. Chung and W.-C. Ku, “Three weakness in a simple three-party key exchange protocol,” Information Sciences, vol. 178, pp. 220-229, 2008.
[18] S. M. Bellovin and M. Merrit, “Encrypted key exchanged: Password-based protocols secure against dictionary attacks,” Proc, IEEE Symp. On Research in Security and Privacy, pp. 72-84, 1992.
[19] B. C. Neuman and T. Ts’o’, “Kerberos: An authentication service for computer networks,” IEEE Commun. Mag., vol.32, no. 9, pp. 33-38, 1994.
[20] R. Molva, G. Tsudik, E. Van Herreweghen, and S. Zatti, “KryptoKnight authentication and key distribution system,” Proc. 1992 Eur. Symp. on Research in Computer Security－ESORICS, 1992, pp. 1-16.
[21] R. Morris and K. Thompson, “Password security: A case history,” Commun. ACM, pp. 594-597, 1979.
[22] H.-A. Wen, T.-F. Lee, and Hwang, T., “Provably secure three-party password-based authenticated key exchange protocol using Weil pairing,” IEE Proc.- Commun. Vol. 152, no. 2, pp. 138-143, 2005.
[23] J. Nam, J. Paik, U.M. Kim, and D. Won, “Security weakness in a three-party pairing-based protocol for password authenticated key exchange,” Information Sciences, vol. 177, no. 6, pp. 1364-1375, 2007.
[24] C.-C. Change and Y.-F. Chang, “A novel three-party encrypted key exchange protocol,” Computer Standards & Interfaces, vol. 26, no. 5, pp. 471-476, September 2004.
[25] S. Berkovits, “How to broadcast a secret,” Proc. of Advances in Cryptology – Eurocrypt ‘91, pp.535-541, 1991.
[26] C. C. Chang, T. C. Wu and C. P. Chen, “The design of a conference key distribution system,” Proc. of Advances in Cryptology – Asiacrypt '92, pp.459-466, 1992.
[27] K. Koyama, “Secure conference key distribution schemes for conspiracy attack,” Proc. Advances in Cryptology – Eurocrypt '92, pp.449-453, 1993.
[28] C. Blundo, A. D. Santis, A. Herzberg, S. Kutten, U. Vaccaro and M. Tung, “Perfectly-secure key distribution for dynamic conferences,” Proc. of Advances in Cryptology –Crypto '92, pp.471-486, 1993.
[29] C. C. Chang and C. H. Lin, “How to converse securely in a conference,” Proc. IEEE 30th Ann. Int’l Carnahan Conf., pp.42-45, 1996.
[30] A. Perrig, D. Song and J.D. Tygar, “ELK, A new protocol for efficient large-group key distribution,” Proceedings of IEEE Security and Privacy Symposium, S&P2001, May 2001.
[31] A. Perrig and J. D. Tygar, “Secure broadcast communications in wired and wireless networks,” Kluwer Academic Publishers, Boston, Hardbound, November 2002.
[32] T. C. Wu, “Conference key distribution system with user anonymity based on algebraic approach,” IEE Proc.: Computers and Digital Techniques, vol. 144, no. 2, pp. 145-148 1997.
[33] A. Perrig, Y. Kim and G. Tsudik, “Communication-efficient group key agreement,” International Federation for Information Processing IFIP SEC 2001.
[34] A. Perrig, “Tree-based group key agreement, “ ACM Transactions on Information and System Security (TISSEC), vol. 7, issue 1, February 2004.
[35] Y. Kim, A. Perrig and G. Tsudik, “Group key agreement efficient in communication, “ IEEE Trans. Computers, vol. 53, no. 7, pp.905-921, July 2004.
[36] B. Klein, M.Otten and T. Beth, “Conference key distribution protocols in distributed systems,” Proc. Codes and Ciphers-Cryptography and Coding IV, pp. 225-242, 1995.
[37] Y. Kim, A. Perrig and G. Tsudik, “Simple and fault-tolerant key agreement for dynamic collaborative groups,”Proceedings of the 7th ACM Conference on Computer and Communications Security (SIGSAC), Athens, Greece, pp. 235-244, 2000.
[38] M. Burmester and Y. Desmedt, “A secure and efficient conference key distribution system,” Proc. of Advances in Cryptology – Eurocrypt '94, pp.275-286, 1995.
[39] W. G. Tzeng and Z. J. Tzeng, “Round-efficient conference key agreement protocols with provable security,” Proc. of Advances in Cryptology – Asiacrypt 2000, pp.614-627, 2001.
[40] W. G. Tzeng, “A secure fault-tolerant conference-key agreement protocol,” IEEE Trans. Computers, vol. 51, no. 4, pp.373-379, 2002.
[41] W. Stallings, Cryptography and Network Security: Principles and Practice, Second Edition. Upper Saddle River, NJ: Prentice Hall, 1999.
[42] A. Joux, “A one round protocol for tripartite Diffie-Hellman,” Algorithmic Number Theory Symposium, pp.385-394, 2000.
[43] D. Boneh. and M. Franklin, “Identity-based encryption from the Weil pairing,” Advances in cryptology-CRYPTO 2001, pp.213-229, 2001.
[44] J. C. Cha and J. H. Cheon, “An identity-based signature from Gap Diffie-Hellman groups,” Proc. of PKC ‘03, pp. 18-30, 2003.
[45] D. Boneh, B. Lynn and H. Shacham, “Short signatures from the Weil pairing,” Proc. of Advances in Cryptology – Asiacrypt 2001, pp.514-532, 2001.
[46] M. Bellare and P. Rogaway, “Provably secure session key distribution - the three party case,” Proc. 27th ACM Symposium on the Theory of Computing, pp.57-66, 1995.
[47] M. Bellare, D. Pointcheval and P. Rogaway, “Authenticated key exchange secure against dictionary attacks,” Proc. of Advances in Cryptology – Eurocrypt 2000, pp.122-138, 2000.
[48] M. Bellare and P. Rogaway, “Random oracles are practical: A paradigm for designing efficient protocols,” First ACM Conference on Computer and Communications Security, pp.62-73, 1993.
[49 ] M. Steniner, P. Buhler, T. Eirich and M. Waidner, “Secure password-based cipher suite for TLS,” ACM Trans. Inform. Syst. Security, vol. 4, no. 2, 2001.
[50] T.-F. Lee, H.-A. Wen and T. Hwang, “A Weil Pairing-based Round-Efficient and Fault-Tolerant Group Key Agreement Protocol for Sensor Networks”, Wiley-IEEE Press Monograph - Sensor Network Operations, pp. 571-579, May, 2006.
[51] C. Boyd and J. M. G. Nieto, “Round-optimal contributory conference key agreement, ” Public Key Cryptography - PKC 2003, LNCS 2567, pp.161-174, 2003.
[52] M. Bellare and P. Rogaway, “Provably secure session key distribution - the three party case,” Proceedings of the 27th ACM Symposium on the Theory of Computing, pp.162-169, 1995.
[53] M. Bellare and P. Rogaway, “Entity authentication and key distribution,” Advances in Cryptology - CRYPTO'93, pp.232-249, 1993.
[54] T.-F. Lee, and T. Hwang, "Improvement of the Round-Optimal Conference Key Agreement Protocol of Boyd and Nieto ", 16th Information Security Conference, June 8-9, 2006.