220 likes | 973 Views
Authenticated Key Exchange. Definitions MAP matching conversations oracles (I)KA AKEP2 AKEP2 Security Session Keys Perfect Forward Secrecy Adversary Attacks. Presented By: Ashley Bruno & Blayne White. Key Establishment Protocols.
E N D
Authenticated Key Exchange • Definitions • MAP • matching conversations • oracles • (I)KA • AKEP2 • AKEP2 Security • Session Keys • Perfect Forward Secrecy • Adversary Attacks Presented By: Ashley Bruno & Blayne White
Key Establishment Protocols • Cryptographic protocols that establish keys for use by other protocols • examples: AKEP2, MAP1, Diffie-Hellman, Station-to-station
Definitions • Principal: a party wishing to establish shared keys • Nonce: a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks
Definitions (cont'd) • MAC (ie. Message Authentication Code): the result of a hash function that combines a message with a key • Freshness: a key is fresh if it can be guaranteed to be new (Menezes, van Oorschot and Vanstone, 1997) (probably no longer fresh)
Oracles • An I/O device that responds to every query with a random response chosen uniformly from it's output domain. if given the same input query, the same output response is given.
Oracle Freshness • An oracle is fresh if : • It has accepted a session key • Its session key has not been given a Reveal query (oracle is “unopened”) • There is no opened oracle with whom it has a matching conversation that has accepted the session key.
Mutual Entity Authentication • Provides assurance to both entities of the identity of the other entity involved • If a pair of oracles has matching conversations, then both oracles accept. • The probability of an oracle accepting when it does not have a matching conversation with another oracle is negligible.
Matching Conversations • A conversation consists of all messages sent and received by an oracle. • Matching Conversations occur when the conversations of both parties are the same when all messages are faithfully delivered from the sender oracle to the receiver oracle, with the exception of the last message, since the initiator cannot know if this last message was received by its partner.
(Implicit) Key Authentication • Provides assurance that no entity other than a specifically identified entity can gain access to the key. • Independent of the actual possession of such key by the second party, or knowledge of such actual possession by the first party
Perfect Forward Secrecy It is still desirable to design protocols where past sessions remain secure. Perfect forward secrecy: compromise of long-term keys does not compromise past session keys. “Forward secrecy” indicates that the secrecy of old keys is carried forward into the future.
Authenticated Key Exchange Protocol 2 • A three-pass protocol • Uses symmetric authentication • Uses keyed hash functions instead of encryption • Does not rely on atrusted third party (TTP) • Provides mutual entity authentication and (implicit) key authentication • Provides Perfect Forward Secrecy
AKEP2 • A and B are principals • A and B share two long term symmetric keys: K, K' • each protocol run generates fresh nonces: na, nb • uses a keyed hash function (MAC): hk and a keyed one-way function: h'k'
AKEP2 na A B A sends a challenge nonce to B. hk(B,A,na,nb), nb A B • B resonds with hk(B,A,na,nb) and sends it's own challenge nonce. • k is the shared key; k = h'k'(nb) hk(A,nb) A B A responds to the challenge nonce with hk(A,nb) to B
AKEP2 Security • The intent is to authenticate the principals involved and distribute a session key which will consist of a principal's private output • At the end of a secure AKE any adversary should not be able to distinguish a fresh session key from a random element.
AKE Security: Session Keys • The compromise of one of these keys should have minimal consequences. • It should not subvert subsequent authentication. • It should not leak information about other session keys.
AKEP2 Security • Protocol II is secure if it is a secure mutual authentication protocol. This requires: • That two oracles, in the absence of an active adversary, always accept • The advantage of a probabilistic polynomial adversary is negligible. • The current security definitions give the adversary very strong abilities in corrupting the parties, but they limit his ability to utilize those powers.
Attacks allowed by current definitions • Key-compromise impersonation: the adversary reveals a long-term secret key of a party and then impersonates others to this party. • An adversary reveals the ephemeral secret key of a party who initiates an AKE session and impersonates the other participant of this session.
Attacks allowed (cont'd) • Two honest parties execute matching sessions, while the adversary reveals ephemeral secret keys of both parties and tries to learn the session key. • Two honest parties execute matching sessions, while the adversary reveals long-term keys of both parties prior to the session execution and tries to learn the session key. However, all four of these attacks are not considered violations of protocol security!
Authenticated Key Exchange • M. Bellare and P. Rogaway.Entity Authentication and key distribution Advances in Cryptology - Crypto 93 Proceedings, Lecture Notes in Computer Science Vol. 773, D. Stinson ed, Springer-Verlag, 1994. • Brian LaMacchia, Kristen Lauter, Anton Mityagin. ”Stronger Security of Authenticated Key Exchange.”