HOW TO BUILD A SECURE COMMUNICATION CHANNEL
![Page 1: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/1.jpg)
Guomin Yang
Temasek Laboratories
National University of Singapore
HOW TO BUILD A SECURE COMMUNICATION CHANNEL
![Page 2: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/2.jpg)
AUTHENTICATED KEY EXCHANGE (AKE)
Security Goals:
- Mutual Authentication
- Secure Key Establishment
- User Anonymity (optional)
[Figure: Alice and Bob exchange msg 1, msg 2, msg 3; at the end each holds the same session key K]
![Page 3: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/3.jpg)
DIFFIE-HELLMAN KEY EXCHANGE
Diffie-Hellman Assumption (CDH): given g^x and g^y, it is computationally infeasible to compute g^{xy}.
What if the adversary can modify the messages?
Alice → Bob: X = g^x
Bob → Alice: Y = g^y
K_A = Y^x = g^{xy}    K_B = X^y = g^{xy}
![Page 4: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/4.jpg)
MAN-IN-THE-MIDDLE ATTACK
The adversary (Eve) is able to derive both K_A and K_B: neither share is authenticated, so Eve replaces each one in transit.
Alice → Eve: X = g^x      Eve → Bob: X' = g^{x'}
Bob → Eve: Y = g^y        Eve → Alice: Y' = g^{y'}
K_A = Y'^x = g^{xy'}      K_B = X'^y = g^{x'y}
Eve knows x' and y', so she computes K_A = X^{y'} and K_B = Y^{x'} herself. Alice sends E(K_A, m); Eve decrypts it, re-encrypts it as E(K_B, m) for Bob, and neither party notices.
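The exchange and the relay described on this slide, as an added example that is not part of the original slides. The group (p = 2q+1 = 2039, g = 4), the SHA-256-based key derivation and the XOR "cipher" standing in for E(K, m) are constructed choices of this example so the numbers stay readable; a deployment would use a standard group of at least 2048 bits and a real AEAD.

```python
# Added example (not from the slides): unauthenticated Diffie-Hellman and the
# man-in-the-middle relay above, worked over a small constructed group.
# p = 2q+1 = 2039 is a toy safe prime chosen so the numbers stay readable and
# g = 4 generates its order-q subgroup; a real deployment uses a standard
# group of at least 2048 bits. The XOR stream cipher stands in for E(K, m).
import hashlib
import secrets

P, Q, G = 2039, 1019, 4
KEY_BYTES = (P.bit_length() + 7) // 8


def keypair():
    """Ephemeral DH share: secret x in [1, q-1], public X = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def shared_key(peer_public, my_secret):
    """K = H(peer^x mod p): the K_A / K_B of the slide, hashed into a key."""
    # Reject shares outside the order-q subgroup (small-subgroup defence);
    # this check does nothing against a MITM, who sends perfectly valid shares.
    if not 1 < peer_public < P or pow(peer_public, Q, P) != 1:
        raise ValueError("peer share is not in the prime-order subgroup")
    secret = pow(peer_public, my_secret, P)
    return hashlib.sha256(secret.to_bytes(KEY_BYTES, "big")).digest()


def encrypt(key, data):
    """Toy E(K, m) for the demo only: XOR with a SHA-256 keystream. Symmetric."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def honest_run():
    """No adversary: Alice and Bob derive the same key."""
    x, X = keypair()
    y, Y = keypair()
    return shared_key(Y, x), shared_key(X, y)


def mitm_run():
    """Eve replaces both shares in transit and ends up with both keys.

    Returns (K_A, K_B, Eve's copy of K_A, Eve's copy of K_B).
    """
    x, X = keypair()             # Alice -> Eve   : X  = g^x
    x2, X2 = keypair()           # Eve   -> Bob   : X' = g^{x'}
    y, Y = keypair()             # Bob   -> Eve   : Y  = g^y
    y2, Y2 = keypair()           # Eve   -> Alice : Y' = g^{y'}
    K_A = shared_key(Y2, x)      # Alice: K_A = Y'^x = g^{x y'}
    K_B = shared_key(X2, y)      # Bob:   K_B = X'^y = g^{x' y}
    eve_K_A = shared_key(X, y2)  # Eve:   X^{y'} = g^{x y'} = K_A
    eve_K_B = shared_key(Y, x2)  # Eve:   Y^{x'} = g^{x' y} = K_B
    return K_A, K_B, eve_K_A, eve_K_B


def mitm_relay(message):
    """Alice sends E(K_A, m); Eve decrypts, reads m, re-encrypts as E(K_B, m).

    Returns (what Eve read, what Bob decrypted): both equal the message.
    """
    K_A, K_B, eve_K_A, eve_K_B = mitm_run()
    from_alice = encrypt(K_A, message)          # E(K_A, m)
    seen_by_eve = encrypt(eve_K_A, from_alice)  # Eve recovers m
    to_bob = encrypt(eve_K_B, seen_by_eve)      # E(K_B, m)
    return seen_by_eve, encrypt(K_B, to_bob)    # Bob recovers m, unaware


if __name__ == "__main__":
    print("honest keys agree:", len(set(honest_run())) == 1)
    print("eve reads:", mitm_relay(b"transfer 100 to Eve")[0])
```

The subgroup check in shared_key is worth keeping in any DH code, but note what it does not do: Eve's substituted shares pass it, because the problem is the missing binding between the share and the sender's identity, which is what the AKE protocols on the following slides add.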
![Page 5: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/5.jpg)
Outline
- Security Model and Definition
- Two-party AKE: ISO/IEC, SIGMA, (H)MQV
- AKE under Bad Randomness
- Secure Roaming: GSM/3GPP, Universal AKE
- Other AKE Protocols
![Page 6: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/6.jpg)
SECURITY MODEL AND DEFINITION
![Page 7: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/7.jpg)
Adversarial Game
The adversary:
- controls all the communications
- schedules all the sessions
![Page 8: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/8.jpg)
Adversarial Game
Each party can have multiple and concurrent sessions
![Page 9: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/9.jpg)
Adversarial Game: Additional Queries
- Session key reveal: the adversary obtains the session key of a chosen completed session.
- Corruption: the adversary obtains a party's long-term secret key.
- Test: for a chosen session the adversary receives either the real session key or a uniformly random key, according to a hidden bit b, and must guess b.
Session freshness: no session key reveal on the session (or its partner session), and no corruption of the participants before the session terminates. The Test session must be fresh.
Adv(A) = Pr[A guesses b correctly] − 1/2
An Authenticated Key Exchange protocol is secure if Adv(A) is negligible for any PPT adversary A.
![Page 10: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/10.jpg)
TWO-PARTY AKE PROTOCOLS
![Page 11: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/11.jpg)
A “BAD” SIG-DH PROTOCOL
Idea: use a digital signature to do the authentication. Secure? No: Eve replaces the last message with ... (the substituted message appears only in the slide figure, which is not reproduced in this transcript).
[Figure: Alice–Bob message flow of the "bad" SIG-DH protocol]
![Page 12: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/12.jpg)
ISO/IEC IS 9798-3
- Provably secure (Canetti-Krawczyk, Eurocrypt'01)
- Forward secrecy
- No user anonymity
[Figure: Alice–Bob message flow of ISO/IEC 9798-3 signed Diffie-Hellman]
![Page 13: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/13.jpg)
SIGMA
- Basis of IKE (RFC 2409) and IKEv2 (RFC 4306, since superseded by RFC 7296)
- Digital signature: DSA
- MAC: HMAC
- Provably secure (Canetti-Krawczyk, Crypto'02)
- User anonymity (the SIGMA-I and SIGMA-R variants encrypt the identities)
[Figure: Alice–Bob message flow of SIGMA]
![Page 14: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/14.jpg)
MQV (IEEE P1363)
- Implicit authentication
- Explicit authentication: add a MAC (key confirmation)
Alice                                   Bob
PK_A = g^a                              PK_B = g^b
X = g^x  →                              ← Y = g^y
d = 2^l + (X mod 2^l),  e = 2^l + (Y mod 2^l)   (l is half the bit length of q)
σ_A = (Y · PK_B^e)^{x+da} = g^{(x+da)(y+eb)}    σ_B = (X · PK_A^d)^{y+eb} = g^{(x+da)(y+eb)}
K_A = H(σ_A)                            K_B = H(σ_B)
![Page 15: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/15.jpg)
KALISKI’S ATTACK
Kaliski's unknown key-share attack on MQV (M is the adversary, with long-term key PK_M = g^c):
Alice → M (intended for Bob): A, B, X = g^x
M → Bob: M, B, Z
Bob → M: B, M, Y = g^y
M → Alice (as if from Bob): B, A, Y
PK_A = g^a, PK_B = g^b, PK_M = g^c
M randomly chooses u and sets d = 2^l + (X mod 2^l), Z = X · PK_A^d · g^{−u}, h = 2^l + (Z mod 2^l), c = u/h mod q. PK_M = g^c is thus registered only after X has been seen; since M knows c, a proof of possession at registration does not stop this.
Bob: σ_B = (Z · PK_M^h)^{y+eb} = (X · PK_A^d · g^{−u} · g^{u})^{y+eb} = g^{(x+da)(y+eb)},  K_B = H(σ_B)
Alice: σ_A = (Y · PK_B^e)^{x+da} = g^{(x+da)(y+eb)},  K_A = H(σ_A)
Result: K_A = K_B, but Alice believes the key is shared with Bob while Bob believes it is shared with M.
![Page 16: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/16.jpg)
HMQV
- Provably secure (Krawczyk, Crypto'05)
- Additional features: resilience to the leakage of DH exponents; no group membership testing on X or Y (presented as unnecessary; the reset attack later in this section targets exactly this)
Alice                                   Bob
PK_A = g^a                              PK_B = g^b
X = g^x  →                              ← Y = g^y
d = G(X, B),  e = G(Y, A)   (G hashes the ephemeral value together with the peer's identity)
σ_A = (Y · PK_B^e)^{x+da} = g^{(x+da)(y+eb)}    σ_B = (X · PK_A^d)^{y+eb} = g^{(x+da)(y+eb)}
K_A = H(σ_A)                            K_B = H(σ_B)
![Page 17: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/17.jpg)
AKE UNDER BAD RANDOMNESS
Case 1: Reset Attacks
![Page 18: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/18.jpg)
EXAMPLE: SIGMA
Reset Attack (FC'11):
- Virtual machine snapshot and revert/reset function → Reset: randomness reuse
- DSA: randomness reuse → signing key disclosure
[Figure: Alice–Bob SIGMA message flow]
![Page 19: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/19.jpg)
DSA parameters: a large prime p, a prime divisor q of (p−1), g = h^{(p−1)/q} mod p for arbitrary 1 < h < p−1 (with g ≠ 1).
SignKey: 0 < x < q.  PK: y = g^x mod p.
Sign: pick 0 < k < q; r = (g^k mod p) mod q; s = k^{−1}(H(m) + xr) mod q; return (r, s).
Reset attack: the same k is used for two messages, so both signatures share r:
s_1 = k^{−1}(H(m_1) + xr) mod q
s_2 = k^{−1}(H(m_2) + xr) mod q
s_1 / s_2 = (H(m_1) + xr) / (H(m_2) + xr) mod q
x = (H(m_1) s_1^{−1} − H(m_2) s_2^{−1}) / (r s_2^{−1} − r s_1^{−1}) mod q
![Page 20: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/20.jpg)
EXAMPLE: HMQV
Reset Attack (Menezes and Ustaoglu, IJACT)
Assumption: the HMQV protocol is implemented in a subgroup (of prime order q) of Z_p^*, and (p−1)/q has several small (e.g. less than 2^40) pairwise relatively prime factors t_1, t_2, ..., t_n such that t_1 · t_2 ··· t_n > q.
(HMQV computation as above: d = G(X, B), e = G(Y, A), σ_A = (Y · PK_B^e)^{x+da}, σ_B = (X · PK_A^d)^{y+eb} = g^{(x+da)(y+eb)}, K = H(σ).)
![Page 21: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/21.jpg)
EXAMPLE: HMQV
Reset Attack (Menezes and Ustaoglu, IJACT)
- The adversary corrupts Bob and obtains b.
- After receiving (A, B, X) from Alice, the adversary selects Y of order t_1 (an element of Z_p^* outside the order-q subgroup, which HMQV does not reject) and sends (B, A, Y) to Alice.
- Alice computes σ_A = (Y · PK_B^e)^{x+da} = Y^{x+da} · (PK_B^e)^{x+da} = Y^{x+da} · (X · PK_A^d)^{be},  K_A = H(σ_A).
- The adversary reveals K_A and iteratively computes K' = H(Y^{c_1} · (X · PK_A^d)^{be}) for c_1 = 0, 1, 2, ... until K' = K_A. Then c_1 = x + da mod t_1 (Y has order t_1, so only the exponent mod t_1 matters, and at most t_1 hash evaluations are needed).
![Page 22: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/22.jpg)
EXAMPLE: HMQV
Reset Attack (Menezes and Ustaoglu, IJACT)
- The adversary resets Alice (so she reuses x and X) and repeats the above process for t_2, ..., t_n, obtaining c_i = x + da mod t_i. Since t_1 · t_2 ··· t_n > q, the adversary computes (x + da mod q) by CRT.
- The adversary corrupts another party P and repeats the above attack with d' = G(X, P) to get (x + d'a mod q).
- Given (x + da mod q) and (x + d'a mod q), the adversary computes a = ((x + da) − (x + d'a)) / (d − d') mod q, and from it x.
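The attack of the last three slides run end to end, as an added example that is not part of the original slides. The parameters are constructed toys: q = 1009, small factors t = (3, 5, 7, 11) of (p−1)/q with product 1155 > q, and p = q · 1155 · k + 1 found by trial division at import time. The identities, the hash G (SHA-256 into [1, q−1]), the "Alice restored from a snapshot" oracle and the session-key reveal are modelling choices of this example; the adversary only ever works modulo the small factors, so the structure is the same on full-size parameters.

```python
# Added example (not from the slides): HMQV in a prime-order subgroup of Z_p^*
# and the Menezes-Ustaoglu reset attack described above, on constructed toy
# parameters. q = 1009 and the small pairwise coprime factors t = (3, 5, 7, 11)
# of (p-1)/q satisfy 3*5*7*11 = 1155 > q; p = q*1155*k + 1 is found by trial
# division. Identities, the hash G and the "Alice after reset" oracle are
# modelling choices of this example.
import hashlib
import math
import random

Q = 1009
T = (3, 5, 7, 11)


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))


def find_p():
    k = 1
    while not is_prime(Q * math.prod(T) * k + 1):
        k += 1
    return Q * math.prod(T) * k + 1


P = find_p()
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, P)) if g != 1)


def hash_bytes(*parts):
    return hashlib.sha256(b"|".join(str(p).encode() for p in parts)).digest()


def G_hash(value, identity):
    """d = G(X, B) and e = G(Y, A), mapped into [1, q-1]."""
    return int.from_bytes(hash_bytes(value, identity), "big") % (Q - 1) + 1


def hmqv_key(my_id, my_sk, my_x, peer_id, peer_pk, peer_eph):
    """One side of HMQV (symmetric for initiator and responder). As on the
    HMQV slide there is no membership test on the peer's ephemeral value."""
    my_eph = pow(G, my_x, P)
    my_coef = G_hash(my_eph, peer_id)     # d = G(X, B) for Alice, e = G(Y, A) for Bob
    peer_coef = G_hash(peer_eph, my_id)   # e for Alice, d for Bob
    s = (my_x + my_coef * my_sk) % Q      # exponent reduced mod q, as implementations do
    sigma = pow(peer_eph * pow(peer_pk, peer_coef, P) % P, s, P)
    return hash_bytes(sigma)


def element_of_order(t):
    """An element of Z_p^* of small order t, i.e. outside the order-q subgroup."""
    return next(y for y in (pow(h, (P - 1) // t, P) for h in range(2, P)) if y != 1)


def crt(residues, moduli):
    total, M = 0, math.prod(moduli)
    for r, m in zip(residues, moduli):
        Mi = M // m
        total += r * Mi * pow(Mi, -1, m)
    return total % M


def reset_attack(PK_A, alice_after_reset, corrupted):
    """alice_after_reset(peer_id, peer_pk, Y) -> (X, K_A): Alice restored from a
    snapshot, so X (hence x) repeats, and K_A comes from a session-key reveal.
    corrupted: {identity: (b, PK_B)} for peers whose static keys the adversary holds."""
    found = {}                                            # d -> (x + d*a) mod q
    for peer_id, (b, PK_B) in corrupted.items():
        residues = []
        for t in T:
            Y = element_of_order(t)
            X, K_A = alice_after_reset(peer_id, PK_B, Y)
            d, e = G_hash(X, peer_id), G_hash(Y, "Alice")
            base = pow(X * pow(PK_A, d, P) % P, b * e, P)   # (X * PK_A^d)^(be) = PK_B^(e s_A)
            # Y^s_A depends only on s_A mod t, so at most t hashes find c = s_A mod t
            residues.append(next(c for c in range(t) if hash_bytes(pow(Y, c, P) * base % P) == K_A))
        found[d] = crt(residues, T)                       # exact, since prod(T) > q > s_A
        if len(found) == 2:                               # two distinct d values suffice
            break
    (d1, s1), (d2, s2) = found.items()
    a = (s1 - s2) * pow((d1 - d2) % Q, -1, Q) % Q
    return a, (s1 - d1 * a) % Q


def demo():
    """Honest run, then the attack. Returns (honest keys agree, a recovered, x recovered)."""
    rng = random.Random(7)        # fixed seed for a reproducible demo; never for real keys
    a, x = rng.randrange(1, Q), rng.randrange(1, Q)
    PK_A = pow(G, a, P)
    corrupted = {}                # Bob, Carol, Dave: a third peer covers a d collision
    for name in ("Bob", "Carol", "Dave"):
        sk = rng.randrange(1, Q)
        corrupted[name] = (sk, pow(G, sk, P))
    b, PK_B = corrupted["Bob"]
    y = rng.randrange(1, Q)
    X, Y = pow(G, x, P), pow(G, y, P)
    honest = hmqv_key("Alice", a, x, "Bob", PK_B, Y) == hmqv_key("Bob", b, y, "Alice", PK_A, X)

    def alice_after_reset(peer_id, peer_pk, Y):
        return pow(G, x, P), hmqv_key("Alice", a, x, peer_id, peer_pk, Y)

    a2, x2 = reset_attack(PK_A, alice_after_reset, corrupted)
    return honest, a2 == a, x2 == x
```

Two details carry the attack: Alice reduces her exponent to s_A = x + da mod q before exponentiating (standard in HMQV implementations), which is why the CRT over the t_i recovers s_A exactly once their product exceeds q; and she accepts any Y in Z_p^*, which is the membership test the open-problem slide below asks about. Adding `pow(Y, Q, P) == 1` as a precondition in hmqv_key makes element_of_order's values fail and the attack stop at the first session.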
![Page 23: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/23.jpg)
SIGMA WITH DETERMINISTIC DSA
Countermeasure (FC'11): deterministic DSA (the same idea as RFC 6979).
- SignKey' = (SignKey, K)
- Randomness = PRF(K, m) for message m: a reset replays the same k only together with the same message, which reproduces the same signature and leaks nothing.
- Preserves EUF-CMA security
[Figure: Alice–Bob SIGMA message flow with deterministic DSA]
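The DSA key recovery from the "AKE under bad randomness, Case 1" slides and the deterministic-nonce countermeasure from this slide, as an added example that is not part of the original slides. The group (p = 2q+1 = 2039, g = 4), the reduction of SHA-256 into Z_q, the message strings and the PRF key are constructed for this example; the PRF is HMAC-SHA256 with a retry counter, which follows the slide's PRF(K, m) idea rather than the exact RFC 6979 derivation.

```python
# Added example (not from the slides): DSA over a small constructed group, the
# nonce-reuse key recovery worked on the DSA slide (the "reset attack"), and
# the deterministic-nonce countermeasure k = PRF(K, m) from the SIGMA-with-
# deterministic-DSA slide, with HMAC-SHA256 as the PRF (RFC 6979 in spirit,
# not its exact derivation). p = 2q+1 = 2039 and g = 4 are toy parameters
# chosen for readability; real DSA uses (p, q) of at least 2048/224 bits.
import hashlib
import hmac
import secrets

P, Q, G = 2039, 1019, 4


def hash_to_zq(message):
    """H(m) reduced into Z_q (the toy q is far smaller than a SHA-256 digest)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def keygen():
    """SignKey x in [1, q-1], PK y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x, message, k=None):
    """DSA (r, s) with nonce k; a fresh random k unless the caller supplies one."""
    while True:
        kk = k if k is not None else secrets.randbelow(Q - 1) + 1
        r = pow(G, kk, P) % Q
        s = pow(kk, -1, Q) * (hash_to_zq(message) + x * r) % Q
        if r and s:
            return r, s
        if k is not None:  # a supplied k giving r = 0 or s = 0 is unusable
            raise ValueError("degenerate nonce for this message")


def verify(y, message, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = hash_to_zq(message) * w % Q, r * w % Q
    return pow(G, u1, P) * pow(y, u2, P) % P % Q == r


def recover_private_key(m1, sig1, m2, sig2):
    """Same k in two signatures (same r) leaks x; formula as on the DSA slide."""
    (r, s1), (r2, s2) = sig1, sig2
    if r != r2:
        raise ValueError("r differs, the nonce was not reused")
    h1, h2 = hash_to_zq(m1), hash_to_zq(m2)
    s1i, s2i = pow(s1, -1, Q), pow(s2, -1, Q)
    num = (h1 * s1i - h2 * s2i) % Q
    den = (r * s2i - r * s1i) % Q          # zero only if H(m1) = H(m2) mod q
    return num * pow(den, -1, Q) % Q


def reset_attack_demo():
    """VM snapshot/revert: the signer signs two different SIGMA messages with
    the same random k. Returns (true x, x recovered by the attacker)."""
    x, y = keygen()
    m1 = b"SIGMA msg 2: Y, SIG_B(Y, X)"                   # constructed sample messages
    m2 = b"SIGMA msg 2 after revert: Y, SIG_B(Y, X')"
    while hash_to_zq(m2) == hash_to_zq(m1):             # keep the toy hashes distinct
        m2 += b"."
    while True:
        k = secrets.randbelow(Q - 1) + 1
        try:
            sig1, sig2 = sign(x, m1, k), sign(x, m2, k)
            break
        except ValueError:
            continue
    assert verify(y, m1, sig1) and verify(y, m2, sig2)
    return x, recover_private_key(m1, sig1, m2, sig2)


def sign_deterministic(x, prf_key, message):
    """Countermeasure: k = PRF(K, m). A reset replays k only together with the
    same message, which reproduces the same signature and leaks nothing.
    The counter byte re-derives k if the first one is degenerate."""
    for counter in range(256):
        mac = hmac.new(prf_key, message + bytes([counter]), hashlib.sha256).digest()
        k = int.from_bytes(mac, "big") % (Q - 1) + 1
        try:
            return sign(x, message, k)
        except ValueError:
            continue
    raise RuntimeError("no usable nonce found")
```

The attacker in reset_attack_demo needs nothing but the two signatures and the public parameters; this is exactly the exposure a snapshot-restored signer creates, and sign_deterministic removes it by making k a function of (K, m) alone. The next slides show the flip side: once k no longer depends on fresh randomness, an adversary who controls the protocol's randomness gains nothing from the signature either, which motivates deriving the DH exponent through the same PRF key.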
![Page 24: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/24.jpg)
EXAMPLE: HMQV
Open problem: is HMQV resettably secure if group membership tests on X and Y are compulsory? (The attack above relies on Alice accepting a Y outside the order-q subgroup.)
![Page 25: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/25.jpg)
AKE UNDER BAD RANDOMNESS
Case 2: Adversary-Generated Randomness
![Page 26: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/26.jpg)
ASSUMPTION
The long-term key is secure.
[Figure: Alice's AKE algorithm, holding (PK_A, SK_A), and Bob's, holding (PK_B, SK_B), exchange msg 1, msg 2, msg 3, ...; the random tapes fed to each side (10110..., 00110...) are generated by the adversary; each side outputs either Reject (⊥) or Accept with a key K]
![Page 27: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/27.jpg)
EXAMPLE: SIGMA WITH DETERMINISTIC DSA
If the adversary controls the DH exponents x and y, then the adversary controls the DH key g^{xy}.
Countermeasures? To use deterministic DSA, the long-term key already contains a PRF key K. By the assumption, K is unknown to the adversary. Derive x' = PRF_K(x), and use x' as the DH exponent.
[Figure: Alice–Bob SIGMA message flow]
![Page 28: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/28.jpg)
GENERIC TRANSFORMATION
Always include a PRF key K in the long-term key, and use Rand' = PRF_K(Rand) as the randomness for the AKE protocol.
Theorem (FC'11): if an AKE protocol is secure in Case 1, then the new protocol derived using the above transformation is also secure in Case 2.
Additional notes:
- Forward secrecy: possible in Case 1, but not in Case 2 (an adversary who chose the randomness and later corrupts the long-term key can recompute the whole session).
- The converted protocol may lose forward secrecy in Case 1.
- To preserve forward secrecy in Case 1, {K, PRF_K(Rand)} ≈ {K, U}: the PRF must be a randomness extractor as well.
- Candidate for PRF: HMAC.
![Page 29: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/29.jpg)
SECURE ROAMING PROTOCOLS
![Page 30: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/30.jpg)
SECURE ROAMING
Roaming scenarios: WLAN, telecommunication, ATM/credit card, ...
[Figure: users A and B connect over the Internet to a Foreign Server (V), which relies on the roaming user's Home Server (H)]
![Page 31: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/31.jpg)
SECURE ROAMING
GSM: the network authenticates the user, but the user does not authenticate the network.
3GPP (UMTS AKA): adds server (network) authentication.
![Page 32: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/32.jpg)
SECURE ROAMING
Deposit-case Attacks (IEEE TWC’07)
![Page 33: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/33.jpg)
SECURE ROAMING
Deposit-case Attacks (IEEE TWC'07), continued
Attacks against other protocols: more complicated
![Page 34: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/34.jpg)
SECURE ROAMING
Universal AKE Protocols (IEEE TWC'10)
Idea: ID-based cryptography
- Home server = Key Generation Center
- User authentication: public key of the home server + mobile user identity
Advantages:
- The foreign server does not need to contact the home server of a roaming user
- The foreign server can use the same protocol and signaling flows to authenticate both local and foreign clients
Tools: identity-based signature; heterogeneous signcryption (Comp. J.'11)
[Figure: users A and B at the Foreign Server; the Home Server issues user A's private key SK_A]
![Page 35: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/35.jpg)
SECURE ROAMING
Heterogeneous Signcryption (Comp. J.'11): identity-based signature + conventional PKE, avoiding pairing operations
One-pass Universal AKE protocol
![Page 36: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/36.jpg)
OTHER AKE PROTOCOLS
![Page 37: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/37.jpg)
MULTI-FACTOR AKE PROTOCOLS (JCSS’08)
Factors: something you know (e.g. a password), something you have (e.g. a token), something you are (e.g. a biometric), ...
[Figure: the factors are combined, and Alice and Bob exchange msg 1, msg 2, msg 3]
![Page 38: HOW TO BUILD A SECURE COMMUNICATION CHANNEL](https://reader035.fdocuments.in/reader035/viewer/2022062222/568149c5550346895db6f6fa/html5/thumbnails/38.jpg)
GROUP AKE PROTOCOLS (CANS’10)
Security Requirements:
- Authentication
- Insider Security
- Session Key Secrecy
- Forward/Backward Security
- Contributiveness
- Robustness