AKEP2 Security - FSU Computer Science

I. Definitions
   I. Authenticated Key Exchange
      I. MAP
         I. matching conversations
         II. oracles
      II. (I)KA
II. AKEP2
III. AKEP2 Security
   I. Session Keys
   II. Perfect Forward Secrecy
IV. Adversary Attacks
Presented By:
Ashley Bruno & Blayne White
Key Establishment Protocols
I. Cryptographic protocols that establish keys for use by other protocols
   I. examples: AKEP2, MAP1, Diffie-Hellman, Station-to-station
Definitions
I. Principal: a party wishing to establish shared keys
II. Nonce: a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks
Definitions (cont'd)
III. MAC (i.e. Message Authentication Code): the output of a keyed hash function applied to a message; only a holder of the key can produce or verify it
IV. Freshness: a key is fresh if it can be guaranteed to be new (Menezes, van Oorschot and Vanstone, 1997)
(probably no longer fresh)
Oracles
I. In the Bellare-Rogaway model an oracle is one instance (session) of a principal running the protocol; the adversary controls all communication and interacts with the principals only by sending queries to these oracles.
II. The hash functions themselves are idealized as random oracles: an I/O device that answers each new query with a response chosen uniformly from its output domain, and that returns the same response whenever the same query is repeated.
Oracle Freshness
An oracle is fresh if:
I. It has accepted a session key
II. Its session key has not been given a Reveal query (the oracle is "unopened")
III. There is no opened oracle with which it has a matching conversation and which has accepted the session key.
Mutual Entity Authentication
I. Provides assurance to both entities of the identity of the other entity involved
   I. If a pair of oracles has matching conversations, then both oracles accept.
   II. The probability of an oracle accepting when it does not have a matching conversation with another oracle is negligible.
Matching Conversations
I. A conversation consists of all messages sent and received by an oracle.
II. Two oracles have matching conversations when every message is faithfully delivered from the sender oracle to the receiver oracle, with the possible exception of the last message, since the initiator cannot know whether its partner received it.
(Implicit) Key Authentication
I. Provides assurance that no entity other than a specifically identified entity can gain access to the key.
II. Independent of the actual possession of such key by the second party, or of knowledge of such actual possession by the first party
Perfect Forward Secrecy
It is desirable to design protocols where past sessions remain secure even after a later compromise.
Perfect forward secrecy: compromise of long-term keys does not compromise past session keys.
"Forward secrecy" indicates that the secrecy of old keys is carried forward into the future.
Authenticated Key Exchange Protocol 2
I. A three-pass protocol
II. Uses symmetric (shared-key) techniques for authentication
III. Uses keyed hash functions instead of encryption
IV. Does not rely on a trusted third party (TTP)
V. Provides mutual entity authentication and (implicit) key authentication
VI. Does not provide perfect forward secrecy: the session key k = h'_{K'}(n_b) is a deterministic function of the long-term key K' and a nonce that is sent in the clear, so an adversary who later obtains K' and has recorded the transcript can recompute every past session key
AKEP2
I. A and B are principals
II. A and B share two long-term symmetric keys: K, K'
III. each protocol run generates fresh nonces: n_a (chosen by A), n_b (chosen by B)
IV. uses a keyed hash function (MAC) h_K under K and a keyed one-way function h'_{K'} under K'
AKEP2
Flow 1. A → B : n_a
   A sends a challenge nonce to B.
Flow 2. B → A : h_K(B, A, n_a, n_b), n_b
   B responds with the MAC h_K(B, A, n_a, n_b) and sends its own challenge nonce n_b.
   A recomputes h_K(B, A, n_a, n_b) from its own n_a and the received n_b and accepts only if it matches the tag.
   ● k is the shared session key; k = h'_{K'}(n_b)
Flow 3. A → B : h_K(A, n_b)
   A responds to B's challenge nonce with h_K(A, n_b).
   B recomputes h_K(A, n_b) and accepts only if it matches; both sides then derive k = h'_{K'}(n_b) locally, and k never appears on the wire.
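The three flows above, run end to end with both sides' checks, as an added worked example that is not from the slides or from Bellare and Rogaway's paper. It assumes HMAC-SHA256 for both the keyed hash h_K and the keyed one-way function h'_{K'} (the protocol only fixes that they are keyed functions), and the keys, names and nonces are constructed. The `tamper` hook plays an active adversary on the channel; `recover_key_from_transcript` shows what a later compromise of K' buys that adversary.

```python
# Added worked example of AKEP2 (not from the slides or from Bellare-Rogaway).
# Assumption: HMAC-SHA256 stands in for both h_K and h'_{K'}; the long-term
# keys, principal names and nonces are constructed test data.
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # assumption: 128-bit nonces


def h(key: bytes, *parts: bytes) -> bytes:
    """Keyed hash over a length-prefixed encoding of the parts, so that
    (B, A, n_a, n_b) cannot collide with a different split of the same bytes."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big"))
        mac.update(part)
    return mac.digest()


def session_key(k_prime: bytes, n_b: bytes) -> bytes:
    """k = h'_{K'}(n_b): the session key depends only on K' and B's nonce."""
    return h(k_prime, n_b)


def run_akep2(K, K_prime, A=b"A", B=b"B", tamper=None):
    """One AKEP2 run with A as initiator and B as responder.

    tamper(flow_number, message) -> message models an active adversary who
    may alter each flow in transit; None delivers everything faithfully.
    Returns each side's accept decision, session key and the transcript as
    it appeared on the wire."""
    deliver = tamper or (lambda _flow, msg: msg)
    transcript = []

    # Flow 1: A -> B : n_a
    n_a = secrets.token_bytes(NONCE_LEN)
    transcript.append(n_a)
    n_a_at_B = deliver(1, n_a)

    # Flow 2: B -> A : h_K(B, A, n_a, n_b), n_b
    n_b = secrets.token_bytes(NONCE_LEN)
    flow2 = (h(K, B, A, n_a_at_B, n_b), n_b)
    transcript.append(flow2)
    tag2_at_A, n_b_at_A = deliver(2, flow2)

    # A accepts only if the tag binds B's identity, A's own nonce and n_b.
    accepted_A = hmac.compare_digest(tag2_at_A, h(K, B, A, n_a, n_b_at_A))
    if not accepted_A:
        return {"accepted_A": False, "accepted_B": False,
                "key_A": None, "key_B": None, "transcript": transcript}
    key_A = session_key(K_prime, n_b_at_A)

    # Flow 3: A -> B : h_K(A, n_b)
    flow3 = h(K, A, n_b_at_A)
    transcript.append(flow3)
    tag3_at_B = deliver(3, flow3)

    # B accepts only if A answered B's challenge under K.
    accepted_B = hmac.compare_digest(tag3_at_B, h(K, A, n_b))
    key_B = session_key(K_prime, n_b) if accepted_B else None
    return {"accepted_A": True, "accepted_B": accepted_B,
            "key_A": key_A, "key_B": key_B, "transcript": transcript}


def recover_key_from_transcript(K_prime, transcript):
    """What a later compromise of K' yields: n_b travelled in the clear in
    flow 2, so the session key of any recorded run is recomputable. This is
    why AKEP2 does not give perfect forward secrecy."""
    _tag, n_b = transcript[1]
    return session_key(K_prime, n_b)


if __name__ == "__main__":
    K, K_prime = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed keys
    honest = run_akep2(K, K_prime)
    assert honest["accepted_A"] and honest["accepted_B"]
    assert honest["key_A"] == honest["key_B"]

    def swap_nonce(flow, msg):  # adversary substitutes its own n_b in flow 2
        return (msg[0], secrets.token_bytes(NONCE_LEN)) if flow == 2 else msg
    assert not run_akep2(K, K_prime, tamper=swap_nonce)["accepted_A"]

    assert recover_key_from_transcript(K_prime, honest["transcript"]) == honest["key_A"]
    print("AKEP2 run ok; compromise of K' recovers the recorded session key")
```

Because n_b is bound into the flow 2 tag together with both identities and n_a, substituting, replaying or reflecting any flow makes the receiving side's recomputed tag differ and the run stops before a key is derived; the same binding is what makes the key recoverable once K' leaks.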
AKEP2 Security
I. The intent is to authenticate the principals involved and to distribute a session key; that key is each principal's private output of the run and never appears on the wire
II. At the end of a secure AKE, no adversary should be able to distinguish a fresh session key from a random element of the key space.
AKE Security: Session Keys
I. The compromise of one of these keys should have minimal consequences.
   I. It should not subvert subsequent authentication.
   II. It should not leak information about other session keys.
AKEP2 Security
I. Protocol II is secure if it is a secure mutual authentication protocol. This requires:
   a) That two oracles, in the absence of an active adversary, always accept
   b) That the advantage of any probabilistic polynomial-time adversary is negligible.
II. The current security definitions give the adversary very strong abilities to corrupt the parties, but they limit its ability to use those powers.
Attacks allowed by current definitions
I. Key-compromise impersonation: the adversary reveals a long-term secret key of a party and then impersonates others to this party.
II. An adversary reveals the ephemeral secret key of a party who initiates an AKE session and impersonates the other participant of this session.
Attacks allowed (cont'd)
III. Two honest parties execute matching sessions, while the adversary reveals the ephemeral secret keys of both parties and tries to learn the session key.
IV. Two honest parties execute matching sessions, while the adversary reveals the long-term keys of both parties prior to the session execution and tries to learn the session key.
However, none of these four attacks counts as a violation of protocol security under those definitions!
Authenticated Key Exchange
I. M. Bellare and P. Rogaway. "Entity Authentication and Key Distribution." Advances in Cryptology - Crypto '93 Proceedings, Lecture Notes in Computer Science Vol. 773, D. Stinson ed., Springer-Verlag, 1994.
II. B. LaMacchia, K. Lauter, A. Mityagin. "Stronger Security of Authenticated Key Exchange."