1. Field of the Invention
Methods and apparatuses consistent with the present invention relate to establishing a secret key, and more particularly, to a key agreement protocol in which a plurality of devices share a secret key.
2. Description of the Related Art
A key agreement method is a method by which two or more parties establish a shared secret key. It is very difficult to generate a secret key without any initial secret information. According to the Diffie-Hellman (DH) key agreement protocol, a public channel can be used to establish secret information. However, the basic DH key agreement protocol provides no authentication of the parties and is therefore vulnerable to a man-in-the-middle attack. Since a secret key is the basis for maintaining security during communication, various key agreement methods have been suggested. To counter the man-in-the-middle attack, authenticated key agreement protocols, which provide authentication between the two session parties, have been suggested.
Blake-Wilson and Menezes analyzed three authenticated key agreement protocols designed to address this disadvantage of the DH key agreement protocol: the Key Exchange Algorithm (KEA) protocol, the unified model protocol, and the MQV (Menezes, Qu, Vanstone) protocol. The unified model protocol and the MQV protocol are described in the ANSI X9.42, ANSI X9.63, and IEEE P1363 standards. The KEA protocol does not provide sufficient forward secrecy for the generated key; with the unified model protocol, a person who knows the private key of a user A can falsely represent him/herself to user A as an entity B (key-compromise impersonation); and the MQV protocol does not have the unknown key-share resilience attribute.
FIG. 1 is a diagram for describing a conventional MQV protocol.
First, let $p$ be a prime, $\mathbb{F}_p$ the finite field with $p$ elements, and $g$ a primitive root of $\mathbb{F}_p$ of order $q$ (that is, $g$ generates a subgroup of order $q$). Also, $a$ denotes the private key of a device A and $Y_A = g^a \bmod p$ its public key; $b$ denotes the private key of a device B and $Y_B = g^b \bmod p$ its public key.
The device A selects a random number $x$ smaller than the order $q$, calculates a temporary (ephemeral) public key $R_A = g^x \bmod p$, and transmits $R_A$ to the device B. Likewise, the device B selects a random number $y$ smaller than $q$, calculates a temporary public key $R_B = g^y \bmod p$, and transmits $R_B$ to the device A.
After calculating $s_A = (x + a R_A) \bmod q$, the device A generates a shared key $K = (R_B \cdot Y_B^{R_B})^{s_A} \bmod p$. Similarly, after calculating $s_B = (y + b R_B) \bmod q$, the device B generates a shared key $K = (R_A \cdot Y_A^{R_A})^{s_B} \bmod p$. Since $R_A = g^x \bmod p$ and $Y_A = g^a \bmod p$, we have $R_A \cdot Y_A^{R_A} = g^{x + a R_A} = g^{s_A}$, and likewise $R_B \cdot Y_B^{R_B} = g^{s_B}$, so both devices obtain $K = g^{s_A s_B} \bmod p$ and the shared keys generated by the devices A and B are identical.
In the MQV protocol, an adversary E intercepts $R_A$ on its way to the device B, calculates $R_E = R_A \cdot Y_A^{R_A} \cdot g^{-1} \bmod p$, $e = (R_E)^{-1} \bmod q$, and $Y_E = g^e \bmod p$, where $e$ serves as the private key of the adversary and $Y_E$ is registered as the adversary's public key, and transmits $R_E$ to the device B in place of $R_A$. Accordingly, the device B transmits $R_B$ to the adversary, and the adversary forwards $R_B$ unchanged to the device A. Because $e R_E \equiv 1 \pmod q$, we have $R_E \cdot Y_E^{R_E} = R_A \cdot Y_A^{R_A} \cdot g^{-1} \cdot g^{e R_E} = R_A \cdot Y_A^{R_A}$, so the device B computes $K = (R_A \cdot Y_A^{R_A})^{s_B} = g^{s_A s_B} \bmod p$, the same session key as the device A. The adversary cannot compute this key itself, but the device B believes that it is sharing the session key with the adversary rather than with the device A. Thus the MQV protocol lacks the unknown key-share attribute, which weakens its security.
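The following Python script is an added illustration, not part of the original patent text: it runs the MQV exchange of FIG. 1 between devices A and B and then the unknown key-share attack just described, using constructed toy group parameters ($p = 23$, $q = 11$, $g = 4$) that are chosen for readability and are not secure. It generalizes the adversary's factor $g^{-1}$ to $g^{-u}$ for a random $u$ (the page's computation is the case $u = 1$); the function names and the toy parameters are assumptions of this example.

```python
import secrets

# Toy group parameters, constructed for this example only (NOT secure):
# P is prime, G is an element of Z_P^* of prime order Q, with Q | P - 1.
# A real deployment would use a standard group (e.g. an RFC 3526 MODP group).
P, Q, G = 23, 11, 4


def keygen():
    """Long-term MQV key pair: private a in [1, Q), public Y = G^a mod P."""
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(G, a, P)


def ephemeral():
    """Per-session x in [1, Q) and the 'temporary public key' R = G^x mod P."""
    return keygen()


def mqv_shared_key(x, R_own, a, R_peer, Y_peer):
    """One side of MQV as described for FIG. 1:
    s = (x + a * R_own) mod Q,   K = (R_peer * Y_peer^R_peer)^s mod P."""
    s = (x + a * R_own) % Q
    base = R_peer * pow(Y_peer, R_peer, P) % P
    return pow(base, s, P)


def honest_session(a, Y_A, b, Y_B):
    """A and B run MQV over an untampered channel; returns (K_A, K_B)."""
    x, R_A = ephemeral()                          # A -> B
    y, R_B = ephemeral()                          # B -> A
    K_A = mqv_shared_key(x, R_A, a, R_B, Y_B)
    K_B = mqv_shared_key(y, R_B, b, R_A, Y_A)
    return K_A, K_B


def uks_forge(R_A, Y_A, u):
    """Adversary E derives (R_E, e, Y_E) from the intercepted R_A such that
    R_E * Y_E^R_E == R_A * Y_A^R_A (mod P).  The page's instance is u = 1;
    any u in [1, Q) works (assumption: the general form of the same attack).
    Returns None if R_E is not invertible mod Q (negligible for real-size P)."""
    R_E = R_A * pow(Y_A, R_A, P) * pow(G, -u, P) % P
    if R_E % Q == 0:
        return None
    e = u * pow(R_E, -1, Q) % Q                   # e * R_E == u (mod Q)
    Y_E = pow(G, e, P)                            # E registers Y_E as its public key
    return R_E, e, Y_E


def uks_session(a, Y_A, b, Y_B):
    """Unknown key-share attack: A believes it talks to B, B believes it talks
    to E, yet both derive the same key, which E itself cannot compute."""
    x, R_A = ephemeral()                          # A -> B, intercepted by E
    forge = None
    while forge is None:                          # retry u until R_E is invertible mod Q
        forge = uks_forge(R_A, Y_A, secrets.randbelow(Q - 1) + 1)
    R_E, _e, Y_E = forge
    y, R_B = ephemeral()                          # B -> E; E forwards R_B to A unchanged
    K_A = mqv_shared_key(x, R_A, a, R_B, Y_B)     # A: "shared with B"
    K_B = mqv_shared_key(y, R_B, b, R_E, Y_E)     # B: "shared with E"
    return K_A, K_B


if __name__ == "__main__":
    a, Y_A = keygen()
    b, Y_B = keygen()
    print("honest:", honest_session(a, Y_A, b, Y_B))
    print("UKS   :", uks_session(a, Y_A, b, Y_B))
```

With the fixed values $a = 3$, $b = 5$, $x = 2$, $y = 7$ in this toy group, both sides compute $K = 8$; the forged $(R_E, e, Y_E) = (12, 1, 4)$ makes B compute the same $K = 8$ against E's public key. The retry loop in `uks_session` exists only because, in a group this small, $R_E$ has a noticeable chance of being a multiple of $q$; with a real-size modulus that case essentially never occurs.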
Besides this security problem, the authenticated key agreement protocols described above rely on hard mathematical problems and require considerable computation to generate a final key. In an environment such as wireless communication, a lightweight key agreement protocol is required, so protocols that require such complex calculations are not suitable for a wireless terminal.