190 likes | 513 Views
A Diffie-Hellman Key Exchange Protocol without Random Oracles. - 2006.12.21 - Ik Rae Jeong (ETRI) Jeong Ok Kwon (CIST) Dong Hoon Lee (CIST). Again Diffie-Hellman ?. Diffie-Hellman : 90 Diffie-Hellman key : 27 Diffie-Hellman key exchange : 11 Diffie-Hellman key exchange protocol : 1.
E N D
A Diffie-Hellman Key Exchange Protocol without Random Oracles - 2006.12.21 - Ik Rae Jeong (ETRI) Jeong Ok Kwon (CIST) Dong Hoon Lee (CIST)
Again Diffie-Hellman ? • Diffie-Hellman : 90 • Diffie-Hellman key : 27 • Diffie-Hellman key exchange : 11 • Diffie-Hellman key exchange protocol : 1
Contents • Security Notions of Key Exchange • Motivation • Review of Previous Schemes • KAM (our scheme) • Security of KAM
Security Notions of Key Exchange • KI (Key Independence) • security against Denning-Sacco attacks (known key attacks) • for the cases when other session keys are revealed • FS (Forward Secrecy) • for the cases when long-term secrets are revealed • SSR (Session State Reveal) • for the cases when intermediate values (random numbers) are revealed • depends on the analyzed protocol
Motivation • There exist many schemes providing forward secrecy (FS). • There are also schemes providing security against session state reveal (SSR) attacks. • But there exist few schemes providing FS and SSR. • HMQV-C provides FS and SSR securities in the random oracle model.
Our Result • The first key exchange scheme providing forward secrecy and security against session state reveal without random oracles.
Diffie-Hellman Secure in the authentication channel Bob Alice
BCK (STOC98) FS in the standard model Bob Alice
BCK (STOC98) Not secure against SSR attacks Bob Alice
JKL (ACNS04) SSR in the random oracle model Bob Alice
JKL (ACNS04) Not FS Bob Alice
HMQV-C (Crypto05) FS and SSR in the random oracle model Bob Alice
HDH (ABR, CT-RSA01) Indistinguishable
ODH (ABR, CT-RSA01) Indistinguishable
KAM Bob Alice
Security • KAM • reduced to the HDH and ODH assumptions without random oracles
1) Make authenticated channel 2) Send ep-DH values through the authenticated channel 3) Make a session key using ep-DH and long-term DH values Proof Idea of KAM Bob Alice