2012/181 MFAKE protocol implementation with real hash functions
Posted by: keh
Date: 15 June 2012 08:28
I read through the paper and a question about the possible implementation of this MFAKE protocol came up.
In the last part of the proposed MFAKE protocol there are three different random oracles queried with the same input, namely (s, k_0). If one were to implement this protocol, one would probably use a single hash function H (e.g. SHA-256) as a replacement for these random oracles. Thus the last two messages would have the same content, and this would also be the shared secret key. To me this seems both redundant and somewhat insecure. It also seems like a very unsatisfactory solution to have three different hash functions just in order to implement this protocol.
So my question is this: Would the protocol still be secure, if one were to use random nonces in the last two messages?
Thus for the first message the client would choose a nonce n_1 at random, compute H(n_1, s, k_0) := v_c and then send (v_c, n_1) to the server. The server would choose n_2 at random, compute H(n_2, s, k_0) := v_s and send (v_s, n_2) to the client. Then the shared secret key could be H(s, k_0), and this would be different from the two messages used to finalise the authentication part of the protocol.
Or could the parties use their respective identities (C and S in the paper) in the computation in the following way: the client computes H(C, s, k_0) and sends this to the server. The server computes H(S, s, k_0) and sends this to the client. Again the key would be H(s, k_0). Would this design be a secure way to implement the protocol with a single concrete hash function?
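To make the concern concrete, here is an added example (not the poster's code and not from the MFAKE paper) that instantiates all three oracles with a single SHA-256 and compares the naive instantiation, where both confirmation messages and the key coincide, with the nonce and identity variants proposed above. The length-prefixed field encoding, the 16-byte nonce size and the sample values for s, k_0, C and S are assumptions.

```python
import hashlib
import hmac
import os

def encode(*parts: bytes) -> bytes:
    """Length-prefix every field so that (C, s, k0) and a different split of the
    same bytes never hash alike (assumed encoding, not specified by the paper)."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def H(*parts: bytes) -> bytes:
    """One concrete hash function (SHA-256) standing in for all random oracles."""
    return hashlib.sha256(encode(*parts)).digest()

def naive_final_round(s: bytes, k0: bytes):
    """Three oracles replaced by the same H on the same input (s, k0):
    v_c, v_s and the session key come out identical."""
    return H(s, k0), H(s, k0), H(s, k0)

def labelled_final_round(s: bytes, k0: bytes, C: bytes, S: bytes):
    """Identity variant from the post: C and S act as domain separators."""
    return H(C, s, k0), H(S, s, k0), H(s, k0)

def nonce_final_round(s: bytes, k0: bytes, n1: bytes = None, n2: bytes = None):
    """Nonce variant from the post: fresh n1, n2 are sent along with v_c, v_s."""
    n1 = os.urandom(16) if n1 is None else n1
    n2 = os.urandom(16) if n2 is None else n2
    return (H(n1, s, k0), n1), (H(n2, s, k0), n2), H(s, k0)

def server_checks_client(received_v_c: bytes, s: bytes, k0: bytes, C: bytes) -> bool:
    """Server side of the identity variant: recompute H(C, s, k0) from its own
    view of (s, k0) and compare in constant time."""
    return hmac.compare_digest(received_v_c, H(C, s, k0))

def all_distinct(*values: bytes) -> bool:
    return len(set(values)) == len(values)

if __name__ == "__main__":
    # Constructed sample values; in the protocol s and k0 come from the earlier rounds.
    s, k0, C, S = b"session-secret", b"k0-from-key-exchange", b"client", b"server"
    print("naive round collapses:", not all_distinct(*naive_final_round(s, k0)))
    print("identity round distinct:", all_distinct(*labelled_final_round(s, k0, C, S)))
```

Distinct outputs only show that the three values no longer coincide; whether either variant still satisfies the paper's security proof is exactly the question the post raises.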