authenticated key exchange i. definitions i. map i. matching conversations ii. oracles ii. (i)ka ii....
TRANSCRIPT
Authenticated Key ExchangeI.Definitions
I. MAP
I. matching conversations
II.oracles
II. (I)KA
II.AKEP2
III.AKEP2 Security
I. Session Keys
II. Perfect Forward Secrecy
IV.Adversary Attacks Presented By:Ashley Bruno & Blayne White
Key Establishment Protocols
I. Cryptographic protocols that establish keys for use by other protocols
I. examples: AKEP2, MAP1, Diffie-Hellman, Station-to-station
Definitions
I. Principal: a party wishing to establish shared keys
II.Nonce: a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks
Definitions (cont'd)
III.MAC (ie. Message Authentication Code): the result of a hash function that combines a message with a key
IV.Freshness: a key is fresh if it can be guaranteed to be new (Menezes, van Oorschot and Vanstone, 1997)
(probably no longer fresh)
OraclesI. An I/O device that responds to every query with a random
response chosen uniformly from it's output domain. if given the same input query, the same output response is given.
Oracle Freshness
I.An oracle is fresh if :
I. It has accepted a session key
II. Its session key has not been given a Reveal query (oracle is “unopened”)
III.There is no opened oracle with whom it has a matching conversation that has accepted the session key.
Mutual Entity Authentication
I. Provides assurance to both entities of the identity of the other entity involved
I. If a pair of oracles has matching conversations, then both oracles accept.
II.The probability of an oracle accepting when it does not have a matching conversation with another oracle is negligible.
Matching ConversationsI. A conversation consists of all messages sent and
received by an oracle.
II. Matching Conversations occur when the conversations of both parties are the same when all messages are faithfully delivered from the sender oracle to the receiver oracle, with the exception of the last message, since the initiator cannot know if this last message was received by its partner.
(Implicit) Key Authentication
I. Provides assurance that no entity other than a specifically identified entity can gain access to the key.
II.Independent of the actual possession of such key by the second party, or knowledge of such actual possession by the first party
Perfect Forward Secrecy
It is still desirable to design protocols where pastsessions remain secure.
Perfect forward secrecy: compromise of long-termkeys does not compromise past session keys.“Forward secrecy” indicates that the secrecy of oldkeys is carried forward into the future.
Authenticated Key Exchange Protocol 2
I. A three-pass protocol
II.Uses symmetric authentication
III.Uses keyed hash functions instead of encryption
IV.Does not rely on a trusted third party (TTP)
V.Provides mutual entity authentication and (implicit) key authentication
VI.Provides Perfect Forward Secrecy
AKEP2I. A and B are principals
II.A and B share two long term symmetric keys: K, K'III.each protocol run generates fresh nonces: n
a, n
b
IV.uses a keyed hash function (MAC): hk and a keyed
one-way function: h'k'
AKEP2
A B
A B
A B
A sends a challenge nonce to B.
na
B resonds with hk(B,A,n
a,n
b) and sends it's own challenge nonce.
● k is the shared key; k = h'k'(n
b)
hk(B,A,n
a,n
b), n
b
A responds to the challenge nonce with hk(A,n
b) to B
hk(A,n
b)
AKEP2 Security
I. The intent is to authenticate the principals involved and distribute a session key which will consist of a principal's private output
II.At the end of a secure AKE any adversary should not be able to distinguish a fresh session key from a random element.
AKE Security: Session Keys
I. The compromise of one of these keys should have minimal consequences.
I. It should not subvert subsequent authentication.
II.It should not leak information about other session keys.
AKEP2 SecurityI. Protocol II is secure if it is a secure mutual
authentication protocol. This requires:a)That two oracles, in the absence of an active adversary, always
accept
b)The advantage of a probabilistic polynomial adversary is negligible.
II.The current security definitions give the adversary very strong abilities in corrupting the parties, but they limit his ability to utilize those powers.
Attacks allowed by current definitionsI. Key-compromise impersonation: the adversary reveals a
long-term secret key of a party and then impersonates others to this party.
II.An adversary reveals the ephemeral secret key of a party who initiates an AKE session and impersonates the other participant of this session.
Attacks allowed (cont'd)
III. Two honest parties execute matching sessions, while the adversary reveals ephemeral secret keys of both parties and tries to learn the session key.
IV. Two honest parties execute matching sessions, while the adversary reveals long-term keys of both parties prior to the session execution and tries to learn the session key.
However, all four of these attacks are not considered violations of protocol security!
Authenticated Key Exchange
I.M. Bellare and P. Rogaway.Entity Authentication and key distribution Advances in Cryptology - Crypto 93 Proceedings, Lecture Notes in Computer Science Vol. 773, D. Stinson ed, Springer-Verlag, 1994.
II.Brian LaMacchia, Kristen Lauter, Anton Mityagin. ”Stronger Security of Authenticated Key Exchange.”