在進行安全通訊前，通訊雙方必須協商出通訊金鑰，一般會由一組安全性較低的密碼協商出一組安全性較高的通訊金鑰，這種協商的過程稱為PAKE(Password-Authenticated Key Exchange)，其中兩不同區域的使用者協商金鑰的架構稱為C2C-PAKE。由於在無線網路環境中，封包是在開放性空間中傳遞，因此攻擊者可以隨意的對封包進行竊聽、竄改、攔截等…動作，進而進行各種攻擊，因此通訊協定在通訊過程中能不能抵擋攻擊者的惡意攻擊為一十分重要的要素。本文將攻擊者的可能發動的各種攻擊方式做一整理，再將近幾年的C2C協定分析其中的優缺點與其可能會有的漏洞進而進行安全性的加強。
本文提出的協定主要採用Smart Card協定為主架構加以改良，Smart Card協定讓使用者先交換Smart Card資訊，再使用Mod計算上的特性來達成驗證的目的，利用Mod的計算的特性，可以使傳輸中的資訊包含有隨機數，可以有效抵擋離線字典攻擊。改良上使用Ding等人在2009提出的協定在認證上加上使用密碼交換Diffie-Hellman參數的方式，再將認證封包上加上Diffie-Hellman與伺服器之私密金鑰，如此可以達成密碼、Smart Card資訊與伺服器的私密金鑰三方互相保護之成果。
    為了使各協定間能夠公平的評估與比較安全性，因此提出能測試各協定安全性的模組也是必要的。現有的安全性評估模式，大多是將既有的攻擊方式模組化，並且定義攻擊者能力，讓不同安全機制，能夠透過定義好的模組進行安全性評估。本文使用Kazuki提出一種改良性的安全模組做為驗證協定安全性的方式，此改良安全模組可以驗證目前安全模組無法驗證的KCI、LEP與BR，模組的主要不同處在於該模組定義了攻擊者可以取得使用者與伺服器的靜態金鑰(如使用者密碼與伺服器私密金鑰)與暫時的資訊(如生成通訊金鑰前的暫時數據)與可以完全控制某使用者行動的指令，增加這些定義主要是為了確定攻擊者取得使用者之密碼資訊(KCI)以及伺服端之private key(LEP)之後也可以確保協定安全，故使用此模組證明協定之被破解之機率趨近於零後即可證明協定可以抵擋BR、KCI、LEP攻擊。
    另外本文也對各協定的計算成本進行比較，由於要達成較高的安全性所增加的計算會增加其計算的成本，因此有必要對其增加的成本與安全性比較是否合理，本文將協定的計算成本分別進行比較，並將各個改變造成的計算成本改變分別列出以方便了解各個改變造成的成本增加以確認此改變是否合理。
    文中使用此協定套用到部分實際應用上，C2C-PAKE可以應用在任何用戶需要認證後通訊的地方，本文中實際使用在工作站的認證上。

Before conducting secure communications, users must establish a higher security key for communication from memory low security Password security, this process is known as PAKE (Password-Authenticated Key Exchange),
	We list attacker may launch various attacks, We also analysis of nearly years C2C protocol's advantages, disadvantages and  their vulnerability, then we strengthen protocol's security. The proposed protocol mainly based Smart Card Framework Agreement to be improved, Smart Card protocol, Smart Card allows users to exchange information first, then use the mod calculation features to achieve the purpose of verification, use the calculation features of mod that allows transmission The information includes a random number, can resist the off-line dictionary attacks. We add Ding, who propose the protocol in 2009 use the a password on the authentication exchange Diffie-Hellman parameter approach, and then add the Diffie-Hellman and server's private key to authentication package, so you can reach the outcome of password, Smart Card information and server's private key constituents mutual protection.
	This paper use the Kazuki's improving security module to verify the security of protocol, the improving security module can verify that the KCI, LEP attack current security module can not verify, we use this module to prove protocol can resist the BR, KCI, LEP attack.
	This paper also compared the cost of the protocols to demonstrate our protocol increases the scope of reasonable cost.

目錄
目錄	VI
圖表目錄	VIII
第一章 緒論	1
第二章 相關背景與研究	6
2.1常見的攻擊方式	6
2.2C2C協定介紹	9
2.2.1Byun等人的協定	9
2.2.2 Feng等人的協定	11
2.2.3 Wenting等人的協定	13
2.2.4 Shuhua等人的協定	17
2.2.5 Gang等人的協定	19
2.2.6 Ding等人的協定	21
2.3各方法之分析	23
第三章 新的改良型協定	26
第四章 安全性與成本比較	32
4.1安全性證明：	32
4.1.1安全模組	32
4.1.2使用安全模組證明協定之安全	42
4.2安全性及計算成本比較	46
4.2.1 3-party計算次數與傳輸次數比較	46
4.2.2 C2C計算次數與傳輸次數比較	56
第五章 實際應用	68
第六章 結論	71
參考文獻	74

圖表目錄
圖(1.1)2-PARTY PAKE之架構	2
圖(1.2)3-PARTY PAKE之架構	2
圖(1.3)C2C-PAKE之架構	3
圖(1.4) KERBEROS之架構	4
圖(2.1) BYUN等人的協定	10
圖(2.2) FENG等人的協定	12
圖(2.3A) WENTING等人的協定(REGISTRATION PHASE)	14
圖(2.3B) WENTING等人的協定(LOGIN-AND-AUTHENTICATION PHASE)	15
圖(2.4) SHUHUA等人的協定	18
圖(2.5) GANG等人的協定	20
圖(2.6) DING等人的協定	22
圖(3.1)我們提出之協定	27
圖(3.2)使用FENG等人的方法的協定	30
圖(4.1)AID協定	47
圖(4.2)LTE網路節點換手之架構	48
圖(4.3)3-PARTY架構之改良型協定	50
圖(4.4)AID協定C2C架構	57
圖(4.5)C2C計算次數比較圖	61
圖(4.6)各複雜度比較圖	62
圖(4.7)各協定複雜度比較圖	63
圖(5.1)使用KERBEROS之工作站架構	69

表(2.1)各方法之優缺點比較	24
表(4.1)模組能驗證的攻擊方式比較	42
表(4.2)3-PARTY協定之成本與安全性比較	54
表(4.3)C2C協定之成本與安全性比較	60
表(4.4)C2C協定之成本與安全性簡易比較表	60
表(4.5)各種計算方法之複雜度比較表	62
表(4.6)各協定之複雜度比較表	62

[1]M. Bellare, and P. Rogaway, “Entity authentication and key distribution,” LNCS 773, pp.232-249, Aug. 22-26, 1994.
[2]M. Bellare, and P. Rogaway, “Provably secure session key distribution - the three party case,” In 28th Annual ACM Symp. on Theory of Computing, pp.57-66, May 22-24, 1996
[3]M. Bellare, D. Pointcheval, and P. Rogaway, “Authenticated key exchange secure against dictionary attacks,” LNCS 1807, pp. 139-155, May 14-18, 2000.
[4]M. Abdalla, P.-A. Fouque, D. Pointcheval. “Password-Based Authenticated Key Exchange inthe Three-Party Setting. ” In Public Key Cryptography’05, Les Diablerets, Switzerland, LectureNotes in Computer Science 3386, pp. 65–84, Springer-Verlag, 2005.
[5]J.W. Byun, I.R. Jeong, D.H. Lee, and C.S. Park, “Password-Authenticated Key Exchange between Clients with Different Passwords,”. Information and Communications Security 2002, LNCS 2513, pp.134-146, 2002.
[6] Feng, D.G., Xu, J.: A New Client-to-Client Password-Authenticated Key Agreement Protocol. In: Chee, Y.M., Li, C., Ling, S., Wang, H., Xing, C. (eds.) Proc.IWCC 2009. LNCS, vol. 5557, pp. 63–76. Springer, Heidelberg (2009)
[7] Y. Gang, F. Dengguo, and H. Xiaoxi, “ Improved Client-to-Client Password-Authenticated Key Exchange Protocol,” Proc. of 2nd int’l conf. on Availability, Reliability and Security, pp.564-574, 2007.
[8] Wenting Jin,and Jing Xu,” An Efficient and Provably Secure Cross-Realm Client-to-Client Password-Authenticated Key Agreement Protocol with Smart Cards” Lecture Notes in Computer Science Volume,Cryptology and Network Security 5888/2009
[9] Shuhua Wu,and Yuefei Zhu,"Client-to-client Password-Based Authenticated Key Establishment in a Cross-Realm Setting"Journal of Networks, Vol 4, No 7 (2009), 649-656, Sep 2009
[10]Canetti R and Krawczyk H. “Analysis of key-exchange protocols and their use for building secure channels. ” In Advances in Cryptology-EUROCRYPT 2001 Proceeding, Berlin: Springer-Verlag, 2001: 453-474.
[11]Krawczyk H. “HMQV: A high-performance secure diffiehellman protocol[C]. ” Advances in Cryptology- CRYPTO’05, 2005, LNCS 3621: 546-566.
[12]Kazuki Yoneyama,"Efficient and Strongly Secure Password-Based Server Aided Key Exchange"INDOCRYPT 2008, LNCS 5365, pp. 172–184, 2008.
[13]S. Wu and Y. Zhu. Password-Based Authenticated Key Establishment for Wireless Group Communications in an Adhoc Mode,International Journal of Communication Networks and Distributed Systems, Vol.1 Nos.4/5/6, Nov.2008, pp.398-413.
[14] Byun, J.W., Lee, D.H., Lim, J.I.: EC2C-PAKA: An efficient client-to-client passwordauthenticated key agreement. Information Science 177, 3995–4013 (2007)
[15] Ding X,and Ma C”Cryptoanalysis and Improvements of Cross-Realm C2C-PAKE Protocol” WASE International Conference on Information Engineering 2009 Pages: 193-196  
[16] Shu Jian,Xun Chun-xiang,"Efficient Password-Based Authenticated Key Exchange Protocol under Standard Model"Journal of Electronics & Information Technology Vol.31No.11(Nov..2009)
[17] Ren Yong-jun,Wang Jian-dong,Zhuang Yi ,” Enhanced Identity-Based Authenticated Key Agreement Protocols in the Standard Model” Journal of Electronics & Information Technology Vol.31No.8(Aug..2009)
[18] Wang Sheng-bao, Cao Zhen-fu, and Dong Xiao-lei. Provably secure identity-based authenticated key agreement protocols in the standard model[J]. Chinese Journal of Computers,2007,30(10):1842-1852.
[19] Olivier Chevassut, Joseph R. Milner, and David Pointcheva “Security Proof for Password Authentication in TLS-Verifier-based Three-Party Group Diffie-Hellman” Lawrence Berkeley National Laboratory: Lawrence Berkeley National Laboratory. LBNL Paper LBNL-1443E.
[20] Hung-Yu Chien1,and Tzong-Chen Wu, “Provably Secure Password-Based Three-Party Key Exchange With Optimal Message Steps” The Computer Journal Advance Access originally published online on December 24, 2008
[21] Yoon, E.J., Yoo, K.Y.: A secure password-authenticated key exchange between clients with different passwords. In: Zhou, X., Li, J., Shen, H.T., Kitsuregawa, M., Zhang, Y. (eds.) APWeb 2006. LNCS, vol. 3841, pp. 659–663. Springer, Heidelberg(2006)
[22] E Dongna, Q Cheng, C Ma ,”Password Authenticated Key Exchange Based on RSA in the Three-Party Settings” ProvSec 2009, LNCS 5848, pp. 168–182, 2009.
[23] J Bender, M Fischlin, D Kügler ,”Security Analysis of the PACE Key-Agreement Protocol” Conference on Information Security, 2009 LNCS 5735, pp. 33–48, 2009.
[24] TF Lee, T Hwang ,”Simple password-based three-party authenticated key exchange without server public keys” Information Sciences 180 (2010) 1702–1714
[25] MH Zheng, HH Zhou, J Li, GH Cui ,”Efficient and provably secure password-based group key agreement protocol” Computer Standards & Interfaces 31 (2009) 948–953
[26] S Wu,Y Zhu, “Efficient Hybrid Password-Based Authenticated Group Key Exchange” APWeb/WAIM 2009, LNCS 5446, pp. 562–567, 2009.
[27] S Wu, Y Zhu ,”Efficient Solution to Password-based Key Exchange for Large Groups” JOURNAL OF NETWORKS, VOL. 4, NO. 2, APRIL 2009
[28] X Yi, R Tso, E Okamoto ,”ID-Based Group Password-Authenticated Key Exchange” IWSEC 2009, LNCS 5824, pp. 192–211, 2009.
[29] G. Horng, An efficient and secure protocol for multi-party key establishment, The Computer Journal 44 (5) (2001) 464–470.
[30] Cox, James O.,Mott, James M., ”System and method for secure initial program load for diskless workstations” United States Patent 5349643,1994
[31] Hamann, E.M., Henn, H., Schack, T. and Seliger, F. (2000),“Securing e-business applications using smart cards”,IBM Systems Journal, Vol. 40 No. 3,pp. 635-48.
[32]D. Jablon, “Strong password-only authenticated key exchange”, Computer Communication Review, Vol.26, No.5, pp.5-26, 1996.
[33]Taddei.A,Dalmiani.S,Vellani.A,Rocca.E,Piccini.G,Carducci.T,Gori.A,Borghini.R,Marcheschi.P,Mazzarisi.A,Salvatori.C,and Macerata.A,"Data Integration in Cardiac Surgery Health Care Institution: Experience at G. Pasquinucci Heart Hospital"Computers in Cardiology, 2008 , pp.287 - 290,14-17 Sept. 2008
[34] William P. Wardlow. “The RSA public key cryptosystem.”Coding Theory and Cryptography. Springer, 1991., pages 101~124.
[35] J. Daemen and V. Rijmen. “The Design of Rijndael: AES—The Advanced Encryption Standard”. Springer–Verlag, 2002.
[36] X. Wang, Y. Yin, H. Yu,"Finding collisions in the Full SHA-1,"Advances in Cryptology--Crypto 2005, Lecture Notes in computer Science 3621, Springer Verlag, 17-36.
[37] T. Coffee,"Best Kept Secrets: Elliptic Curves and Modern Cryptosystems."MIT 18.704 Fall 2004
[38] D. Boneh."The decision Diffie-Hellman problem."In Algorithmic Number Theory (ANTS-III), vol. 1423 of LNCS, pp. 48–63, Springer-Verlag, 1998.
[39] R.L.Rivest,"RFC 1321: The md5 message-digest algorithm." Technical report, Internet Activities Board, April 1992.