In a three-party key exchange protocol, each communicating party shares a secret key with a trusted server, and that key is used to authenticate the parties to each other. In recent years many researchers have proposed three-party authenticated key exchange protocols, which can broadly be divided into two types. In the first type, each communicating party shares a secret key with the server; the server uses this key to verify the party's identity and then completes the key exchange. In the second type, the communicating parties encrypt the messages they send with the server's public key, which ensures the confidentiality of the transmitted messages. Among protocols of the first type, the best known is the three-party authenticated key exchange protocol proposed by Steiner et al. in 1995, but its security is insufficient, and improved schemes were still being proposed as late as 2010. In the second type, the communicating parties must hold the server's public key and use it to encrypt the data they transmit, which correspondingly raises their computational cost; many researchers have therefore proposed three-party key exchange protocols that do not require the server's public key. In view of this, in this thesis we design two three-party authenticated key exchange protocols, neither of which requires the server's public key for the key exchange. The first protocol resists several types of attack and is more efficient than other three-party key exchange protocols; moreover, in an extension of it, no secure channel needs to be established when a communicating party registers. The distinguishing feature of the second protocol is that the server stores no data about the communicating parties yet can still verify their identities, which prevents an attacker from inspecting a verification table; in terms of security it also resists several types of attack.
In a three-party key agreement protocol, the communicating parties share a key through a trusted server, which is used to authenticate the identity of both parties. In recent years, many studies have suggested that three-party authenticated key exchange agreements could be broadly classified into two categories. In the first category, the communicating parties share a key, which the server uses to verify the identities of the communicating parties. In the second category, the communicating parties use the server's public key to encrypt the messages they send, thereby ensuring confidentiality. The best-known protocol in the first category was originally proposed by Steiner et al. in 1995. The security of this protocol, however, is somewhat lacking, and scholars have continually proposed suggestions for its improvement, even as recently as 2010. The second type requires communicating parties to encrypt transmitted data using the server's public key, but this process increases the costs incurred by all parties involved. A number of researchers have therefore proposed three-party key agreement protocols that do not require public server keys. To address these problems, we propose two three-party key agreement protocols that do not require the use of public server keys for authentication. Our first protocol is able to withstand multiple forms of attack while offering greater computational efficiency than other three-party key agreement protocols. In addition, communicating parties can enjoy the benefits of full security coverage without having to establish a secure channel. In our second protocol, the server does not have to store any information from the communicating parties to verify their identities. From the standpoint of security, such a system would help prevent attackers from gaining access to verification tables, thereby ensuring resistance to a wide variety of threats.