Key-Exchange Protocol Using Pre-Agreed Session-ID
Kenji Imamoto, Kouichi Sakurai
Kyushu University, JAPAN

Acknowledgement
This research was partly supported by a grant from the Secom Science and Technology Foundation and by the 21st Century COE Program "Reconstruction of Social Infrastructure Related to Information Science and Electrical Engineering". The first author was also partly supported by the Ministry of Education, Science, Sports and Culture, Grant-in-Aid for JSPS Fellows, 2004, 06737.

Abstract
- Any message sent over the Internet or by radio can easily be eavesdropped on.
- Privacy should therefore be considered; this paper considers identity concealment in particular.
- We introduce Pre-Agreed Session ID (PAS) identification: a disposable unique value, used once per session, that specifies both the session and the parties.
- We formalize a security model for key-exchange protocols.
- We propose a secure key-exchange protocol using PAS.
- We discuss the problems which arise when PAS is used.

Contents
1. Introduction
2. Security Model
3. PAS Protocol
4. Proof of PAS Protocol
5. Variants and Discussions
6. Conclusion

1. Introduction
The main focus of our study is key-exchange protocols using a pre-shared key: a long-term shared secret is fed into the protocol, which outputs a short-term secret (the session key).
- Most existing schemes cannot prevent leakage of users' identities.

Threat: leakage of a user's identity
(Figure: Alice, Bob and Charlie each share a secret key K_A, K_B, K_C with the responder. Bob sends E_{K_B}(M) over the public network, where M is the message and E_{K_B} denotes encryption under K_B. The responder holds a table of user IDs and secret keys.)
- The responder must be able to tell which user is communicating, so some identifiable information is needed. In the figure, Bob sends E_{K_B}(Bob, M), and the responder must find the right key from its table of user IDs and secret keys.
- Requirement: a legitimate user can identify his partner, but no attacker can tell who is communicating. We therefore need a different kind of identifiable information.

Our solution: Pre-Agreed Session ID (PAS)
- A unique session ID agreed between each pair of peers before activation of the session.
- It uniquely names a session and the parties who participate in that session.
Session ID [2, 3]
- Purpose: uniquely name sessions.
- Assumption: unique among all session IDs.
[2] R. Canetti and H. Krawczyk, "Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels", EUROCRYPT 2001.
[3] R. Canetti and H. Krawczyk, "Security Analysis of IKE's Signature-Based Key-Exchange Protocol", CRYPTO 2002.

2. Security Model
- Existing model [2] (SK-security): considers the security of the session key.
- Our model (SK-ID-security) extends it: considers the security of not only the session key but also the users' identities.

Communication channel
- The channel is broadcast-type: all messages are sent to a pool of messages.
- There is no assumption on the logical connection between the address where a message is delivered and the identity behind that address.
- The attacker is a (probabilistic) polynomial-time machine with full control of the communication lines between parties: free to intercept, delay, drop, inject, or change all messages sent over these lines.

Attacker's access to secret information (session exposure)
- Session-key query: the session key of a completed session.
- Session-state reveal: the session state of an incomplete session (which does not include long-term secrets).
- Party corruption: all information in the memory of the party (session states, session keys, long-term secrets).
- Identity reveal: the identities of the parties that activate a session.

Basic idea of SK-ID-security (1)
- Indistinguishability style [2]: the success of an attack is measured via its ability to distinguish real values from independent random values.
Interaction between the attacker and the oracle:
1. The attacker freely chooses a completed session as the test session.
2. Query.
3. The oracle tosses a coin.
4. Response: if heads, the response is real; if tails, the response is random.
5. The attacker guesses the result of the coin toss.

Basic idea of SK-ID-security (2)
- The attacker succeeds in its attack if the test session is not exposed and the probability of its correct guess of the coin toss is significantly larger than 1/2.
- Two games against the test session:
  1. Distinction of the session key (real session key or random value) [2].
  2. Distinction of pairs (real parties or a randomly chosen pair).
Definition (SK-ID-security): a key-exchange protocol is called SK-ID-secure if, for all attackers with the explained capabilities, the success probability in its test-session distinguishing attacks is not more than 1/2 plus a negligible fraction.

Game: distinction of pairs
1. The attacker freely chooses a completed session as the test session.
2. Query.
3. The oracle tosses a coin.
4. Response: real if heads, random if tails.
5. The attacker guesses the result of the coin toss.
(Figure: parties A, B, C, D, E, where A shares a PSK with B, and C shares PSKs with D and E. The real answer is the pair A-B. The random answer is a random choice from all possible pairs that include neither of the real parties' IDs; the figure lists A-C, B-C, A-D, B-D, A-E, B-E, D-E, C-E and C-D as candidate pairs, of which C-D, C-E and D-E exclude both A and B.)

3. PAS Protocol
Notation:
- MAC: Message Authentication Code; PRF: Pseudo Random Function.
- PSK_ij: pre-shared key between P_i and P_j; PAS_ij^m: the m-th PAS agreed between P_i and P_j. Both parties hold PSK_ij and PAS_ij^m before the session.
- k0 = PRF_{g^{xy}}(0): session key
- k1 = PRF_{g^{xy}}(1): PAS_ij^{m+1}
- k2 = PRF_{PSK_ij}(2)
Messages (P_i initiates, P_j responds):
1. Start message (P_i -> P_j): PAS_ij^m, g^x
2. Response message (P_j -> P_i): PAS_ij^m, g^y, MAC_{k2}(1, PAS_ij^m, P_i, g^y, g^x, g^{xy})
3. Finish message (P_i -> P_j): PAS_ij^m, MAC_{k2}(0, PAS_ij^m, P_j, g^x, g^y, g^{xy})

4. Proof of PAS Protocol
Main theorem: assuming DDH and the security of the underlying cryptographic functions (i.e., MAC and PRF), the PAS protocol is SK-ID-secure.
Strategy for the proof of the main theorem: show that a DDH distinguisher can be built from an attacker that succeeds in distinguishing between a real and a random response to the test-session query.

5. Variants and Discussions (DoS resilience)
(Figure: an adversary floods the responder with requests; the responder cannot respond, even to legitimate users.)
- Point: the responder needs to distinguish legitimate requests from bogus ones at low cost.
Protection from DoS attack
(Figure: the responder holds a table of user ID, PAS and secret key: Alice PAS_AR K_AR; Bob PAS_BR K_BR; Charlie PAS_CR K_CR.)
- A request needs a valid PAS, and an attacker cannot guess a valid PAS.
- The cost of checking the validity of a received PAS is equal to only a search in the responder's PAS list.

6. Conclusion
- We introduced Pre-Agreed Session ID (PAS) identification: a disposable unique value, used once per session, that specifies both the session and the parties.
- We formalized a security model for key-exchange protocols.
- We proposed a secure key-exchange protocol using PAS.
- We discussed the problems which arise when PAS is used: synchronization of PAS, DoS attack, PFS.
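The three-message exchange of Section 3 together with the responder's PAS-list check of Section 5, as an added example that is not code from the slides or their authors. It assumes HMAC-SHA256 for both the PRF and the MAC, a toy 64-bit Diffie-Hellman group (constructed for the example, far too small for real use), its own party table and message encoding, and the names Party, run_session, demo, wire_bytes and the constructed PSK and PAS values; only the message contents and the order of MAC inputs follow the slide.

```python
"""Toy run of the PAS protocol with responder-side PAS lookup (added example,
not code from the paper).  Assumptions: HMAC-SHA256 as PRF and MAC, a toy
64-bit DH group, and this example's own table layout and message encoding."""
import hashlib
import hmac
import secrets

P = (1 << 64) - 59   # toy prime modulus (constructed for the example only)
G = 2                # toy generator


def prf(key: bytes, label: int) -> bytes:
    """PRF_key(label), instantiated as HMAC-SHA256 over a one-byte label."""
    return hmac.new(key, bytes([label]), hashlib.sha256).digest()


def mac(key: bytes, *fields) -> bytes:
    """MAC_key(f1, ..., fn): HMAC-SHA256 over length-prefixed fields."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        data = f if isinstance(f, bytes) else str(f).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()


def enc(v: int) -> bytes:
    """Fixed-width encoding of a group element."""
    return v.to_bytes(8, "big")


class Party:
    """Long-term PSK and current PAS per peer; the by_pas table lets the
    responder check an incoming request with a single lookup."""

    def __init__(self, name: str):
        self.name = name
        self.peers = {}    # peer name -> (PSK_ij, PAS_ij^m)
        self.by_pas = {}   # PAS_ij^m -> peer name

    def register(self, peer: str, psk: bytes, pas: bytes) -> None:
        self.peers[peer] = (psk, pas)
        self.by_pas[pas] = peer

    def rotate(self, peer: str, new_pas: bytes) -> None:
        psk, old = self.peers[peer]
        del self.by_pas[old]
        self.register(peer, psk, new_pas)


def run_session(pi: Party, pj: Party, j_name: str) -> dict:
    """P_i (initiator) runs the three messages with P_j (responder).
    Returns both session keys and the wire transcript; raises on failure."""
    psk_i, pas_i = pi.peers[j_name]
    x = secrets.randbelow(P - 2) + 1
    gx = pow(G, x, P)
    start = (pas_i, gx)                          # 1. PAS_ij^m, g^x

    # Responder: accept only if the PAS is in its table (one dict lookup)
    pas_r, gx_r = start
    if pas_r not in pj.by_pas:
        raise ValueError("unknown PAS: request dropped")
    i_name = pj.by_pas[pas_r]
    psk_j, _ = pj.peers[i_name]
    y = secrets.randbelow(P - 2) + 1
    gy = pow(G, y, P)
    gxy_j = pow(gx_r, y, P)
    k2_j = prf(psk_j, 2)
    response = (pas_r, gy,                       # 2. PAS_ij^m, g^y, MAC_k2(1, ...)
                mac(k2_j, 1, pas_r, i_name, enc(gy), enc(gx_r), enc(gxy_j)))

    # Initiator verifies the response tag under its own k2
    _, gy_i, tag_j = response
    gxy_i = pow(gy_i, x, P)
    k2_i = prf(psk_i, 2)
    if not hmac.compare_digest(tag_j, mac(k2_i, 1, pas_i, pi.name, enc(gy_i), enc(gx), enc(gxy_i))):
        raise ValueError("response MAC failed")
    finish = (pas_i,                             # 3. PAS_ij^m, MAC_k2(0, ...)
              mac(k2_i, 0, pas_i, j_name, enc(gx), enc(gy_i), enc(gxy_i)))

    # Responder verifies the finish tag
    _, tag_i = finish
    if not hmac.compare_digest(tag_i, mac(k2_j, 0, pas_r, pj.name, enc(gx_r), enc(gy), enc(gxy_j))):
        raise ValueError("finish MAC failed")

    # Both sides derive k0 (session key) and k1 (next PAS) and rotate the PAS
    k0_i, k1_i = prf(enc(gxy_i), 0), prf(enc(gxy_i), 1)
    k0_j, k1_j = prf(enc(gxy_j), 0), prf(enc(gxy_j), 1)
    pi.rotate(j_name, k1_i)
    pj.rotate(i_name, k1_j)
    return {"key_i": k0_i, "key_j": k0_j, "transcript": [start, response, finish]}


def wire_bytes(transcript) -> bytes:
    """Everything that crossed the public network, concatenated."""
    return b"".join(f if isinstance(f, bytes) else enc(f) for m in transcript for f in m)


def demo() -> dict:
    """Two legitimate sessions between Alice and Bob, then a request carrying
    a guessed PAS (all values constructed for the example)."""
    alice, bob = Party("Alice"), Party("Bob")
    psk, pas0 = b"constructed-psk", b"constructed-pas-0"
    alice.register("Bob", psk, pas0)
    bob.register("Alice", psk, pas0)
    first = run_session(alice, bob, "Bob")
    second = run_session(alice, bob, "Bob")      # now uses PAS_ij^{m+1} = k1
    mallory = Party("Mallory")
    mallory.register("Bob", b"guessed-psk", b"guessed-pas")
    try:
        run_session(mallory, bob, "Bob")
        rejected = False
    except ValueError:
        rejected = True
    return {"first": first, "second": second, "rejected": rejected,
            "old_pas_still_valid": pas0 in bob.by_pas}
```

The party names P_i and P_j enter only as MAC inputs and never appear on the wire; the responder learns who is calling by looking the received PAS up in its table, so a request with an unknown PAS is dropped after one dictionary lookup and no MAC is computed for it. After a completed run both sides replace PAS_ij^m with k1, so the previous PAS is no longer accepted. The example does not handle a lost Finish message, after which the initiator has rotated its PAS while the responder has not; that is the PAS synchronization problem the conclusion lists.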