Authenticated Key Exchange
I. Definitions
   I. MAP
      I. matching conversations
      II. oracles
   II. (I)KA
II. AKEP2
III. AKEP2 Security
   I. Session Keys
   II. Perfect Forward Secrecy
IV. Adversary Attacks
Presented By: Ashley Bruno & Blayne White
Key Establishment Protocols
I. Cryptographic protocols that establish keys for use by other protocols
I. examples: AKEP2, MAP1, Diffie-Hellman, Station-to-station
Definitions
I. Principal: a party wishing to establish shared keys
II. Nonce: a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks
Definitions (cont'd)
III. MAC (i.e. Message Authentication Code): the result of a hash function that combines a message with a key
IV. Freshness: a key is fresh if it can be guaranteed to be new (Menezes, van Oorschot and Vanstone, 1997)
(probably no longer fresh)
Oracles
I. An I/O device that responds to every query with a random response chosen uniformly from its output domain. If given the same input query, the same output response is given.
Oracle Freshness
I. An oracle is fresh if:
   I. It has accepted a session key
   II. Its session key has not been given a Reveal query (oracle is “unopened”)
   III. There is no opened oracle with whom it has a matching conversation that has accepted the session key.
Mutual Entity Authentication
I. Provides assurance to both entities of the identity of the other entity involved
   I. If a pair of oracles has matching conversations, then both oracles accept.
   II. The probability of an oracle accepting when it does not have a matching conversation with another oracle is negligible.
Matching Conversations
I. A conversation consists of all messages sent and received by an oracle.
II. Matching conversations occur when the conversations of both parties are the same when all messages are faithfully delivered from the sender oracle to the receiver oracle, with the exception of the last message, since the initiator cannot know if this last message was received by its partner.
(Implicit) Key Authentication
I. Provides assurance that no entity other than a specifically identified entity can gain access to the key.
II. Independent of the actual possession of such key by the second party, or knowledge of such actual possession by the first party
Perfect Forward Secrecy
It is still desirable to design protocols where past sessions remain secure.
Perfect forward secrecy: compromise of long-term keys does not compromise past session keys.
“Forward secrecy” indicates that the secrecy of old keys is carried forward into the future.
Authenticated Key Exchange Protocol 2
I. A three-pass protocol
II. Uses symmetric authentication
III. Uses keyed hash functions instead of encryption
IV. Does not rely on a trusted third party (TTP)
V. Provides mutual entity authentication and (implicit) key authentication
VI. Provides Perfect Forward Secrecy
AKEP2
I. A and B are principals
II. A and B share two long-term symmetric keys: K, K'
III. Each protocol run generates fresh nonces: $n_a$, $n_b$
IV. Uses a keyed hash function (MAC): $h_k$ and a keyed one-way function: $h'_{k'}$
AKEP2
1. A sends a challenge nonce to B.
   A → B: $n_a$
2. B responds with $h_k(B, A, n_a, n_b)$ and sends its own challenge nonce.
   ● k is the shared key; $k = h'_{k'}(n_b)$
   B → A: $h_k(B, A, n_a, n_b)$, $n_b$
3. A responds to the challenge nonce with $h_k(A, n_b)$ to B.
   A → B: $h_k(A, n_b)$
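The three-pass exchange above as a runnable sketch (an added example, not part of the original slides). It assumes HMAC-SHA256 for both h and h', 16-byte nonces and a length-prefixed field encoding; `mac`, `session_key`, `Party` and `run` are hypothetical names. `run(replay_old_msg2=True)` shows A rejecting a message 2 that was computed over an earlier nonce.

```python
import hashlib
import hmac
import secrets

def mac(key, *fields):
    """h_k: HMAC-SHA256 over length-prefixed fields (assumed encoding)."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

def session_key(k_prime, n_b):
    """h'_{k'}(n_b): the keyed one-way function, also HMAC-SHA256 here."""
    return hmac.new(k_prime, n_b, hashlib.sha256).digest()

class Party:
    def __init__(self, name, peer, k, k_prime):
        self.name, self.peer, self.k, self.k_prime = name, peer, k, k_prime
        self.nonce = self.key = None  # key is set only when the party accepts

    def start(self):  # A -> B: n_a
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def respond(self, n_a):  # B -> A: h_k(B, A, n_a, n_b), n_b
        self.nonce = secrets.token_bytes(16)
        return mac(self.k, self.name, self.peer, n_a, self.nonce), self.nonce

    def finish(self, tag, n_b):  # A checks message 2, then A -> B: h_k(A, n_b)
        expected = mac(self.k, self.peer, self.name, self.nonce, n_b)
        if not hmac.compare_digest(tag, expected):
            raise ValueError("message 2 rejected")
        self.key = session_key(self.k_prime, n_b)
        return mac(self.k, self.name, n_b)

    def confirm(self, tag):  # B checks message 3 against its own n_b
        if not hmac.compare_digest(tag, mac(self.k, self.peer, self.nonce)):
            raise ValueError("message 3 rejected")
        self.key = session_key(self.k_prime, self.nonce)

def run(replay_old_msg2=False):  # True only if both parties accept the same key
    k, k_prime = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed
    a, b = Party(b"A", b"B", k, k_prime), Party(b"B", b"A", k, k_prime)
    msg2 = b.respond(a.start())
    if replay_old_msg2:
        a.start()  # A opens a new run; B's reply to the old n_a is replayed
    try:
        b.confirm(a.finish(*msg2))
    except ValueError:
        return False
    return a.key is not None and a.key == b.key
```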
AKEP2 Security
I. The intent is to authenticate the principals involved and distribute a session key which will consist of a principal's private output
II. At the end of a secure AKE, no adversary should be able to distinguish a fresh session key from a random element.
AKE Security: Session Keys
I. The compromise of one of these keys should have minimal consequences.
   I. It should not subvert subsequent authentication.
   II. It should not leak information about other session keys.
AKEP2 Security
I. Protocol II is secure if it is a secure mutual authentication protocol. This requires:
   a) That two oracles, in the absence of an active adversary, always accept
   b) The advantage of a probabilistic polynomial adversary is negligible.
II. The current security definitions give the adversary very strong abilities in corrupting the parties, but they limit his ability to utilize those powers.
Attacks allowed by current definitions
I. Key-compromise impersonation: the adversary reveals a long-term secret key of a party and then impersonates others to this party.
II. An adversary reveals the ephemeral secret key of a party who initiates an AKE session and impersonates the other participant of this session.
Attacks allowed (cont'd)
III. Two honest parties execute matching sessions, while the adversary reveals ephemeral secret keys of both parties and tries to learn the session key.
IV. Two honest parties execute matching sessions, while the adversary reveals long-term keys of both parties prior to the session execution and tries to learn the session key.
However, all four of these attacks are not considered violations of protocol security!
Authenticated Key Exchange
I. M. Bellare and P. Rogaway. “Entity Authentication and Key Distribution.” Advances in Cryptology - Crypto 93 Proceedings, Lecture Notes in Computer Science Vol. 773, D. Stinson ed., Springer-Verlag, 1994.
II. Brian LaMacchia, Kristin Lauter, Anton Mityagin. “Stronger Security of Authenticated Key Exchange.”