Post on 25-Dec-2015
Guomin Yang
Temasek Laboratories
National University of Singapore
HOW TO BUILD A SECURE COMMUNICATION CHANNEL
AUTHENTICATED KEY EXCHANGE (AKE)
Security goals:
- Mutual authentication
- Secure key establishment
- User anonymity (optional)
[Figure: Alice and Bob exchange msg 1, msg 2, msg 3 and both output the same session key K]
DIFFIE-HELLMAN KEY EXCHANGE
Diffie-Hellman assumption: given $g^x$ and $g^y$, it is computationally infeasible to compute $g^{xy}$.
Alice → Bob: $X = g^x$
Bob → Alice: $Y = g^y$
$K_A = Y^x = g^{xy}$, $K_B = X^y = g^{xy}$
What if the adversary can modify the messages?
MAN-IN-THE-MIDDLE ATTACK
The adversary is able to derive both $K_A$ and $K_B$:
Alice → Eve: $X = g^x$; Eve → Bob: $X' = g^{x'}$
Bob → Eve: $Y = g^y$; Eve → Alice: $Y' = g^{y'}$
$K_A = Y'^{\,x} = g^{xy'}$, $K_B = X'^{\,y} = g^{x'y}$
Eve decrypts $E(K_A, m)$ coming from Alice and re-encrypts it as $E(K_B, m)$ for Bob, so neither party notices.
Outline
- Security model and definition
- Two-party AKE: ISO/IEC, SIGMA, (H)MQV
- AKE under bad randomness
- Secure roaming: GSM/3GPP, universal AKE
- Other AKE protocols
Adversarial Game
Additional queries available to the adversary:
- Session key reveal
- Corruption (of a party's long-term key)
- Test (returns the real session key or a random key, depending on a hidden bit $b$)
Session freshness: a session is fresh if its session key has not been revealed and no participant was corrupted before the session terminated. The Test session must be fresh.
$\mathrm{Adv}(A) = \Pr[A \text{ guesses } b \text{ correctly}] - 1/2$
An authenticated key exchange protocol is secure if $\mathrm{Adv}(A)$ is negligible for any PPT adversary $A$.
A “BAD” SIG-DH PROTOCOL
Idea: use a digital signature for authentication.
Secure? Eve replaces the last message with
[Figure: protocol flow between Alice and Bob]
ISO/IEC IS 9798-3
Provably secure (Canetti-Krawczyk, Eurocrypt'01)
Forward secrecy; no user anonymity
[Figure: protocol flow between Alice and Bob]
SIGMA
Basis of IKE (RFC 2409) and IKEv2 (RFC 4306; the current IKEv2 specification is RFC 7296)
Digital signature: DSA; MAC: HMAC
Provably secure (Canetti-Krawczyk, Crypto'02)
User anonymity
[Figure: protocol flow between Alice and Bob]
MQV (IEEE P1363)
Implicit authentication (for explicit authentication, add a MAC).
Long-term keys: $PK_A = g^a$, $PK_B = g^b$. Alice sends $X = g^x$, Bob sends $Y = g^y$.
$d = 2^l + (X \bmod 2^l)$, $e = 2^l + (Y \bmod 2^l)$
$\sigma_A = (Y \cdot PK_B^{\,e})^{x+da} = g^{(x+da)(y+eb)}$, $K_A = H(\sigma_A)$
$\sigma_B = (X \cdot PK_A^{\,d})^{y+eb} = g^{(x+da)(y+eb)}$, $K_B = H(\sigma_B)$
KALISKI’S ATTACK
Message flow ($M$ is the adversary, holding its own registered key $PK_M = g^c$):
Alice → M: $(A, B, X = g^x)$
M → Bob: $(M, B, Z)$
Bob → M: $(B, M, Y = g^y)$
M → Alice: $(B, A, Y)$
Long-term keys: $PK_A = g^a$, $PK_B = g^b$, $PK_M = g^c$.
$M$ randomly chooses $u$ and sets $d = 2^l + (X \bmod 2^l)$, $Z = X \cdot PK_A^{\,d} \cdot g^{-u}$, $h = 2^l + (Z \bmod 2^l)$, $c = u \cdot h^{-1} \bmod q$, so that $Z \cdot PK_M^{\,h} = X \cdot PK_A^{\,d} \cdot g^{-u} \cdot g^{ch} = X \cdot PK_A^{\,d}$.
Bob: $\sigma_B = (Z \cdot PK_M^{\,h})^{y+eb} = g^{(x+da)(y+eb)}$, $K_B = H(\sigma_B)$
Alice: $\sigma_A = (Y \cdot PK_B^{\,e})^{x+da} = g^{(x+da)(y+eb)}$, $K_A = H(\sigma_A)$
Alice and Bob end up with the same key, but Bob believes he shares it with $M$ (an unknown key-share attack). Note that $c$ depends on $X$, so $M$ must be able to register $PK_M$ after seeing Alice's message.
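The MQV computation and Kaliski's attack as one added Python example (not code from the slides). The toy group $p = 2039$, $q = 1019$, $g = 4$ and the truncation length $l = 5$ are constructed values, and SHA-256 stands in for the key-derivation hash $H$; real MQV uses a large group and $l = \lceil |q|/2 \rceil$, but the algebra is unchanged. The honest run agrees on the key; after $M$ registers $PK_M = g^c$ with $c = u/h$, Alice and Bob still agree on the key although Bob's transcript names $M$ as his peer.

```python
"""Two-pass MQV in a constructed toy group, then Kaliski's unknown key-share attack.
Added example; p, q, g, l are toy values, not parameters from the slides."""
import hashlib
import secrets

P, Q, G, L = 2039, 1019, 4, 5        # p = 2q + 1; g = 4 is a square, so it has prime order q


def trunc(v: int) -> int:
    """MQV's half-length truncation: 2^l + (v mod 2^l)."""
    return 2 ** L + (v % 2 ** L)


def kdf(sigma: int) -> bytes:
    """K = H(sigma); SHA-256 is an assumption of this example."""
    return hashlib.sha256(str(sigma).encode()).digest()


def mqv_key(static: int, eph: int, own_X: int, peer_Y: int, peer_pk: int) -> bytes:
    """One side of MQV: sigma = (Y * PK_peer^e)^(x + d*a) with d = trunc(X), e = trunc(Y).
    Each side calls this with its own (static, ephemeral, X) and the peer's (Y, PK)."""
    d, e = trunc(own_X), trunc(peer_Y)
    s = (eph + d * static) % Q
    return kdf(pow(peer_Y * pow(peer_pk, e, P) % P, s, P))


def honest_run(a: int, b: int, x: int, y: int) -> bool:
    """Alice (a, x) and Bob (b, y) derive the same g^((x+da)(y+eb))."""
    X, Y = pow(G, x, P), pow(G, y, P)
    return mqv_key(a, x, X, Y, pow(G, b, P)) == mqv_key(b, y, Y, X, pow(G, a, P))


def kaliski_static_key(X: int, pk_a: int):
    """Adversary M, having seen Alice's (A, B, X), picks u and chooses its static key
    c = u * h^-1 mod q so that Z * PK_M^h = X * PK_A^d.  Returns (Z, c, PK_M).
    M must get PK_M = g^c certified after seeing X, i.e. on-line key registration."""
    d = trunc(X)
    u = 1 + secrets.randbelow(Q - 1)
    Z = X * pow(pk_a, d, P) * pow(G, -u, P) % P      # g^-u is the inverse of g^u mod p
    h = trunc(Z)
    c = u * pow(h, -1, Q) % Q
    return Z, c, pow(G, c, P)


def kaliski_attack(a: int, b: int, x: int, y: int) -> bool:
    """True when Alice (who believes her peer is Bob) and Bob (who believes his peer is M)
    compute the same session key.  M itself does not learn that key."""
    pk_a, pk_b = pow(G, a, P), pow(G, b, P)
    X, Y = pow(G, x, P), pow(G, y, P)
    Z, _c, pk_m = kaliski_static_key(X, pk_a)   # Alice -> M: (A, B, X);  M -> Bob: (M, B, Z)
    K_B = mqv_key(b, y, Y, Z, pk_m)            # Bob -> M: (B, M, Y); Bob's peer is "M"
    K_A = mqv_key(a, x, X, Y, pk_b)            # M -> Alice: (B, A, Y); Alice's peer is "B"
    return K_A == K_B


if __name__ == "__main__":
    a, b, x, y = 17, 523, 301, 888           # constructed toy secrets
    print("honest run agrees:", honest_run(a, b, x, y))
    print("Kaliski: K_A == K_B with Bob's peer = M:", kaliski_attack(a, b, x, y))
```

The root cause visible in `mqv_key` is that $d$ and $e$ depend only on $X$ and $Y$, never on the identities; HMQV's $d = G(X, B)$, $e = G(Y, A)$ is exactly the change that binds the key to the claimed peer.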
HMQV
Provably secure (Krawczyk, Crypto'05). Additional features: resilience to the leakage of DH exponents; no group membership testing on $X$ or $Y$.
$PK_A = g^a$, $PK_B = g^b$
$d = G(X, B)$, $e = G(Y, A)$
$\sigma_A = (Y \cdot PK_B^{\,e})^{x+da} = g^{(x+da)(y+eb)}$, $K_A = H(\sigma_A)$
$\sigma_B = (X \cdot PK_A^{\,d})^{y+eb} = g^{(x+da)(y+eb)}$, $K_B = H(\sigma_B)$
EXAMPLE: SIGMA
Reset attack (FC'11): a virtual machine can be snapshotted and reverted/reset. A reset replays the randomness (randomness reuse), and in DSA reusing the signing randomness discloses the signing key.
[Figure: SIGMA flow between Alice and Bob]
DSA parameters: a large prime $p$, a prime divisor $q$ of $p-1$, and $g = h^{(p-1)/q} \bmod p$ for an arbitrary $1 < h < p-1$ with $g \neq 1$. Signing key: $0 < x < q$; public key: $g^x \bmod p$.
Sign: choose a fresh random $0 < k < q$, $r = (g^k \bmod p) \bmod q$, $s = k^{-1}(H(m) + xr) \bmod q$, return $(r, s)$.
Reset attack: the same $k$ is used for two messages $m_1 \neq m_2$ (the shared $r$ makes this visible to the attacker):
$s_1 = k^{-1}(H(m_1) + xr) \bmod q$, $s_2 = k^{-1}(H(m_2) + xr) \bmod q$
$s_1 / s_2 = (H(m_1) + xr) / (H(m_2) + xr) \bmod q$
$x = \dfrac{H(m_1)\, s_1^{-1} - H(m_2)\, s_2^{-1}}{r\, s_2^{-1} - r\, s_1^{-1}} \bmod q$
EXAMPLE: HMQV
Reset attack (Menezes and Ustaoglu, IJACT). Assumption: the HMQV protocol is implemented in a subgroup of prime order $q$ of $\mathbb{Z}_p^*$, and $(p-1)/q$ has several small (e.g. less than $2^{40}$) pairwise relatively prime factors $t_1, t_2, \ldots, t_n$ such that $t_1 \cdot t_2 \cdots t_n > q$.
The adversary corrupts Bob and obtains $b$. After receiving $(A, B, X)$ from Alice, the adversary selects $Y$ of order $t_1$ (HMQV performs no group membership test, so $Y$ is accepted) and sends $(B, A, Y)$ to Alice. Alice computes
$\sigma_A = (Y \cdot PK_B^{\,e})^{x+da} = Y^{x+da} \cdot (PK_B^{\,e})^{x+da} = Y^{x+da} \cdot (X \cdot PK_A^{\,d})^{be}$, $K_A = H(\sigma_A)$.
The adversary reveals $K_A$ and iteratively computes $K' = H(Y^{c_1} \cdot (X \cdot PK_A^{\,d})^{be})$ for $c_1 = 0, 1, 2, \ldots$ until $K' = K_A$. Since $Y$ has order $t_1$, the search ends after at most $t_1$ steps, and then $c_1 = x + da \bmod t_1$.
The adversary resets Alice (so she reuses the same $x$, hence the same $X$ and $d$) and repeats the above process for $t_2, \ldots, t_n$, obtaining $c_i = x + da \bmod t_i$. Since $t_1 \cdots t_n > q$, the adversary computes $x + da \bmod q$ by CRT.
The adversary corrupts another party $P$ and repeats the attack against the reset Alice to get $x + d'a \bmod q$, where $d' = G(X, P)$.
Given $x + da \bmod q$ and $x + d'a \bmod q$, the adversary computes $a = (d - d')^{-1} \big((x + da) - (x + d'a)\big) \bmod q$.
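The attack just described, as an added Python example (not code from the slides or the paper). It constructs a toy group with $(p-1)/q = 2 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdot 13 > q$, models $G$ (hash into $\mathbb{Z}_q$) and $H$ with SHA-256 (an assumption), gives the adversary Bob's $b$, a reset Alice who replays the same $x$, and a session-key-reveal oracle, and recovers $a$ from the residues $c_i$, the CRT and a second corrupted peer. Alice deliberately performs no group-membership test on $Y$, which is what lets a low-order $Y$ through.

```python
"""Menezes-Ustaoglu small-subgroup + reset attack on HMQV in a constructed toy group.
Added example; group parameters, identities and hash modelling are assumptions."""
import hashlib
from math import prod

# Precondition from the slides: (p-1)/q is a product of small pairwise coprime t_i with
# t_1 * ... * t_n > q.  These factors are constructed toy values.
T_FACTORS = [2, 3, 5, 7, 11, 13]
T = prod(T_FACTORS)  # 30030


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def toy_params():
    """Smallest prime q >= 2003 (so q < T) with p = q*T + 1 prime; g = h^T has order q."""
    q = 2003
    while not (is_prime(q) and is_prime(q * T + 1)):
        q += 1
    p = q * T + 1
    g = next(pow(h, T, p) for h in range(2, p) if pow(h, T, p) != 1)
    return p, q, g


def element_of_order(p: int, t: int) -> int:
    """An element of the subgroup of prime order t (t | p-1): h^((p-1)/t) != 1."""
    return next(pow(h, (p - 1) // t, p) for h in range(2, p) if pow(h, (p - 1) // t, p) != 1)


def G(val: int, ident: str, q: int) -> int:
    """HMQV's G(X, B) / G(Y, A), modelled as SHA-256 reduced mod q (assumption)."""
    return int.from_bytes(hashlib.sha256(f"{val}|{ident}".encode()).digest(), "big") % q


def H(sigma: int) -> bytes:
    return hashlib.sha256(str(sigma).encode()).digest()


def alice_session_key(p, q, g, a, x, peer_id, pk_peer, Y):
    """Alice's side: d = G(X, peer), e = G(Y, A), K_A = H((Y * PK_peer^e)^(x + d a)).
    There is no check that Y lies in the order-q subgroup."""
    X = pow(g, x, p)
    d, e = G(X, peer_id, q), G(Y, "A", q)
    s_a = (x + d * a) % q
    return H(pow(Y * pow(pk_peer, e, p) % p, s_a, p))


def crt(residues, moduli) -> int:
    """Chinese remainder theorem for pairwise coprime moduli (Garner's form)."""
    total, m = 0, 1
    for r, t in zip(residues, moduli):
        total += (r - total) * pow(m, -1, t) % t * m
        m *= t
    return total % m


def recover_s_a(p, q, g, X, pk_a, b, peer_id, alice):
    """Adversary: learn s_A = x + d*a mod q from n reset sessions, one per t_i.
    alice(peer_id, pk_peer, Y) is the revealed session key of a (reset) Alice."""
    pk_b = pow(g, b, p)
    d = G(X, peer_id, q)                      # X is replayed on every reset, so d, s_A are fixed
    residues = []
    for t in T_FACTORS:
        Y = element_of_order(p, t)            # low-order "ephemeral", sent as (B, A, Y)
        K_A = alice(peer_id, pk_b, Y)         # session-key reveal
        e = G(Y, "A", q)
        W = pow(X * pow(pk_a, d, p) % p, b * e % q, p)   # (X * PK_A^d)^(b e): needs only b
        c = next(c for c in range(t) if H(pow(Y, c, p) * W % p) == K_A)
        residues.append(c)                    # c = s_A mod t after at most t hash evaluations
    return crt(residues, T_FACTORS), d        # s_A < q < T, so the CRT value is s_A itself


def recover_long_term_key(p, q, g, X, pk_a, b, b2, alice) -> int:
    """Corrupt a second party P (key b2): s_A' = x + d' a with d' = G(X, P); solve for a."""
    s1, d1 = recover_s_a(p, q, g, X, pk_a, b, "B", alice)
    for i in range(64):                       # any P whose d' differs from d will do
        s2, d2 = recover_s_a(p, q, g, X, pk_a, b2, f"P{i}", alice)
        if d2 != d1:
            return (s1 - s2) * pow(d1 - d2, -1, q) % q
    raise RuntimeError("no second peer with d' != d found")


def demo() -> bool:
    p, q, g = toy_params()
    a, x, b, b2 = 1234, 777, 1500, 99         # Alice's a, her replayed x, two corrupted peers
    X, pk_a = pow(g, x, p), pow(g, a, p)
    alice = lambda peer_id, pk_peer, Y: alice_session_key(p, q, g, a, x, peer_id, pk_peer, Y)
    return recover_long_term_key(p, q, g, X, pk_a, b, b2, alice) == a
```

`alice_session_key` is the only place where the attack can be stopped on Alice's side: rejecting any $Y$ with $Y^q \neq 1$ or $Y = 1$, or choosing a group where $(p-1)/q$ has no small factors, leaves the adversary no low-order element to send.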
SIGMA WITH DETERMINISTIC DSA
Countermeasure (FC'11): deterministic DSA.
SignKey' = (SignKey, $K$); randomness = $PRF(K, m)$ for message $m$. This preserves EUF-CMA security.
[Figure: SIGMA flow between Alice and Bob]
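The nonce-reuse key recovery from the EXAMPLE: SIGMA slide and the deterministic-DSA countermeasure of this slide, as one added Python example (not code from the slides or the FC'11 paper). The toy DSA group $p = 2039$, $q = 1019$, $g = 4$ is constructed, SHA-256 stands in for $H$, and HMAC-SHA256 stands in for the PRF; the algebra is identical at real DSA sizes.

```python
"""Toy DSA: a replayed nonce k (e.g. a VM reverted to a snapshot) leaks the signing key;
deriving k = PRF_K(m) removes the leak.  Added example with constructed parameters."""
import hashlib
import hmac
import secrets

P, Q, G = 2039, 1019, 4               # p = 2q + 1; g = 4 is a square, so it has prime order q


def hq(m: bytes) -> int:
    """H(m) as an element of Z_q (DSA truncates the hash to |q| bits; mod q is the toy version)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q


def keygen():
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def sign(x: int, m: bytes, k: int):
    """DSA: r = (g^k mod p) mod q, s = k^-1 (H(m) + x r) mod q.  The nonce k is a parameter
    so that the caller decides how it is generated, which is the whole point here."""
    if not 0 < k < Q:
        raise ValueError("nonce out of range")
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (hq(m) + x * r) % Q
    if r == 0 or s == 0:                      # the standard says: pick a new k
        raise ValueError("degenerate signature, retry with another k")
    return r, s


def verify(y: int, m: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = (pow(G, hq(m) * w % Q, P) * pow(y, r * w % Q, P) % P) % Q
    return v == r


def sign_both_with_same_nonce(x: int, m1: bytes, m2: bytes):
    """Models the reset: the signer's RNG replays the same k for two different messages."""
    while True:
        k = 1 + secrets.randbelow(Q - 1)
        try:
            return sign(x, m1, k), sign(x, m2, k)
        except ValueError:
            continue


def recover_key_from_reused_nonce(m1, sig1, m2, sig2) -> int:
    """Same k => same r.  From s1 = k^-1 (H(m1) + x r) and s2 = k^-1 (H(m2) + x r):
       x = (H(m1) s1^-1 - H(m2) s2^-1) / (r s2^-1 - r s1^-1)   mod q."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("different r: the nonce was not reused")
    i1, i2 = pow(s1, -1, Q), pow(s2, -1, Q)
    num = (hq(m1) * i1 - hq(m2) * i2) % Q
    den = (r1 * i2 - r1 * i1) % Q
    return num * pow(den, -1, Q) % Q


def deterministic_nonce(prf_key: bytes, m: bytes, counter: int = 0) -> int:
    """Countermeasure: k = PRF_K(m) with HMAC-SHA256 as the PRF.  A reset that replays the
    same message now replays the same (r, s) instead of leaking x.  The counter exists only
    to retry on a degenerate signature (RFC 6979 has a similar retry loop)."""
    mac = hmac.new(prf_key, m + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return 1 + int.from_bytes(mac, "big") % (Q - 1)


def deterministic_sign(x: int, prf_key: bytes, m: bytes):
    for counter in range(16):
        try:
            return sign(x, m, deterministic_nonce(prf_key, m, counter))
        except ValueError:
            continue
    raise RuntimeError("no valid nonce after 16 tries")


def demo() -> dict:
    x, y = keygen()
    m1, m2 = b"SIGMA msg 2 from Alice", b"SIGMA msg 2 after VM revert"   # constructed
    sig1, sig2 = sign_both_with_same_nonce(x, m1, m2)
    leaked = recover_key_from_reused_nonce(m1, sig1, m2, sig2)
    prf_key = secrets.token_bytes(32)         # the K folded into the long-term key
    d1, d2 = deterministic_sign(x, prf_key, m1), deterministic_sign(x, prf_key, m1)
    return {"signatures_valid": verify(y, m1, sig1) and verify(y, m2, sig2),
            "key_recovered": leaked == x,
            "deterministic_replay_identical": d1 == d2 and verify(y, m1, d1)}
```

Deterministic nonces protect the signing key, but they do nothing for the DH exponent that the same reset also replays; that is the gap the next slide addresses.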
EXAMPLE: HMQV
Open problem: is HMQV resettably secure if a group membership test on $X$ and $Y$ is made compulsory?
ASSUMPTION
The long-term key is secure.
[Figure: Alice with $(PK_A, SK_A)$ and Bob with $(PK_B, SK_B)$ each run the AKE algorithm on their own random tape ($10110\ldots$, $00110\ldots$), exchanging msg 1, msg 2, msg 3, ...; each side outputs either Reject ($\bot$) or Accept with a session key $K$.]
EXAMPLE: SIGMA WITH DETERMINISTIC DSA
If the adversary controls the DH exponents $x$ and $y$, it also controls the DH key $g^{xy}$, so deterministic signing alone is not enough.
Countermeasures? To use deterministic DSA, the long-term key already contains a PRF key $K$, which by the assumption above is unknown to the adversary. Derive $x' = PRF_K(x)$ and use $x'$ as the DH exponent.
[Figure: SIGMA flow between Alice and Bob]
GENERIC TRANSFORMATION
Always include a PRF key $K$ in the long-term key, and use $Rand' = PRF_K(Rand)$ as the randomness for the AKE protocol.
Theorem (FC'11): if an AKE protocol is secure in Case 1 (honest randomness that may be reset and reused, as in the reset attacks above), then the protocol derived by the above transformation is also secure in Case 2 (the adversary controls the randomness, as in the previous example).
Additional notes:
- Forward secrecy is possible in Case 1, but not in Case 2.
- The converted protocol may lose forward secrecy in Case 1.
- To preserve forward secrecy in Case 1, we need $\{K, PRF_K(Rand)\} \approx \{K, U\}$: the PRF must also be a randomness extractor.
- Candidate for the PRF: HMAC.
SECURE ROAMING
Roaming: WLAN, telecommunication, ATM/credit card, ...
[Figure: a roaming user A connects over the Internet to a foreign server (V), which is linked to A's home server (H)]
SECURE ROAMING
Universal AKE protocols (IEEE TWC'10). Idea: ID-based cryptography.
- Home server = key generation center
- User authentication: public key of the home server + mobile user identity
Advantages:
- The foreign server does not need to contact the home server of a roaming user
- The foreign server can use the same protocol and signaling flows to authenticate both local and foreign clients
Tools: identity-based signature; heterogeneous signcryption (Comp. J.'11)
[Figure: user A holds $SK_A$ issued by the home server and authenticates directly to the foreign server with it]
SECURE ROAMING
Heterogeneous signcryption (Comp. J.'11): identity-based signature + conventional PKE; avoids pairing operations.
Yields a one-pass universal AKE protocol.
MULTI-FACTOR AKE PROTOCOLS (JCSS'08)
Factors: something you know (e.g. a password), something you have, something you are, ...
[Figure: the factors are combined and fed into the AKE flow msg 1, msg 2, msg 3]
GROUP AKE PROTOCOLS (CANS'10)
Security requirements:
- Authentication
- Insider security
- Session key secrecy
- Forward/backward security
- Contributiveness
- Robustness