Provable Security
Authenticated Key Exchange

Joint work with Emmanuel Bresson and Olivier Chevassut
Lawrence Berkeley National Lab
August 2003
David Pointcheval
LIENS-CNRS
Ecole normale supérieure

Summary
• Key Agreement and PKI-based Authentication
  – Security Model
  – Example
• Password-based Authentication
  – Security Model
  – Example
• Group Key Agreement
  – Security Model
  – Example
• Conclusion

David Pointcheval Provable Security - Authenticated Key Exchange - 2

Authenticated Key Exchange
Two parties agree on a common secret key, in order to establish a secret channel (e.g. SSL)
• Implicit authentication
  only the intended partners can compute the session key
• Semantic security
  – the session key is indistinguishable from a random string
  – modeled via a Test-query

Further Properties
• Mutual authentication
  they are both sure to share the secret with the people they think they do
• Forward-secrecy
  even if long-term secret data is corrupted, previous shared secrets are still semantically secure

Formal Model
The adversary can ask
– reveal-queries
– test-query
– execute-queries
– send-queries
– corrupt-queries
[Diagram: the adversary and its history, facing the instances A_1, …, A_i, …, A_a and B_1, …, B_i, …, B_b, with output 0/1]

Semantic Security
• A misuse of the secret data is modeled by the reveal-query, which is answered by this secret data
• For the semantic security, the adversary asks one test-query which is answered, according to a bit b, by
  – b = 0: the actual secret data
  – b = 1: a random string
  ⇒ the adversary has to guess this bit b

Security Definitions (AKE)
Public data
PROTOCOL
. . .
« Test » a key sk
Flip a coin b: sk if b = 0, random if b = 1
. . .
Outputs b' (guess for b)

Passive/Active Adversaries
• Passive adversary: history built using the execute-queries → transcripts
• Active adversary: entire control of the network with send-queries:
  – to send message to Alice or Bob (in place of Bob or Alice respectively)
  – to intercept, forward and/or modify messages

Forward Secrecy
Forward secrecy means that the adversary cannot distinguish a session key established before any corruption of the long-term private keys:
• the corrupt-query is answered by the long-term private key of the corrupted party
• then the test-query must be asked on a session key established before any corrupt-query

Diffie-Hellman Key Exchange
The most classical key exchange scheme was proposed by Diffie and Hellman:
G = <g>, cyclic group of prime order q
• Alice chooses a random x ∈ Z_q, computes and sends X = g^x
• Bob chooses a random y ∈ Z_q, computes and sends Y = g^y
• They each can compute the session key K = Y^x = X^y

Properties
• If flows are authenticated, it is well-known to provide the semantic security of the session key under the Decisional Diffie-Hellman Problem
• If one derives the session key as k = H(K), where H is assumed to behave like a random oracle, semantic security is relative to the Computational Diffie-Hellman Problem

Authenticated Key Exchange
Alice (S_a, P_a), Bob (S_b, P_b)
Alice: x ∈ Z_q, X = g^x
Alice → Bob: Bob, X, Sig(S_a, X)
Bob: y ∈ Z_q, Y = g^y
Bob → Alice: Alice, Y, Sig(S_b, X, Y)
Alice: K = Y^x
Bob: K = X^y
k = H(Alice, Bob, X, Y, K)
But there is no explicit authentication ⇒ replay attacks

Replay Attack
Alice (S_a, P_a), Bob (S_b, P_b)
Alice: x ∈ Z_q, X = g^x
Alice → Bob: Bob, X, Sig(S_a, X)
Bob: y ∈ Z_q, Y = g^y
Bob → Alice: Alice, Y, Sig(S_b, X, Y)
Alice: K = Y^x
Bob: K = X^y
k = H(Alice, Bob, X, Y, K)
The adversary intercepts "Bob, X, Sig(S_a, X)"
He can initiate a new session with it
Bob believes it comes from Alice
– Bob accepts the key, but does not share it with Alice ⇒ no mutual authentication
– The adversary does not know the key either ⇒ still semantic security

Mutual Authentication
Adding key confirmation rounds: mutual authentication [Bellare-Pointcheval-Rogaway Eurocrypt '00]
Alice (S_a, P_a), Bob (S_b, P_b)
Alice: x ∈ Z_q, X = g^x
Alice → Bob: Bob, X, Sig(S_a, X)
Bob: y ∈ Z_q, Y = g^y, K = X^y, k_1 = H_1(Alice, Bob, K)
Bob → Alice: Alice, Y, Sig(S_b, X, Y), k_1
Alice: K = Y^x, k_1 correct? k_2 = H_2(Alice, Bob, K)
Alice → Bob: k_2
Bob: k_2 correct?
k = H(Alice, Bob, X, Y, K)
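
The replay and key-confirmation slides, run as an added example that is not part of the original talk. It assumes a constructed toy group (p = 2039, q = 1019, g = 4), a Schnorr signature standing in for the signature scheme, and SHA-256 for H, H_1 and H_2; the function names are hypothetical.

```python
import hashlib, secrets

# Constructed toy group (far too small for real use): p = 2q + 1, g of order q.
p, q, g = 2039, 1019, 4

def H(tag, *parts):
    """Domain-separated hash standing in for H, H_1, H_2 (assumption)."""
    return hashlib.sha256("|".join(map(str, (tag,) + parts)).encode()).digest()

def sign(sk, *msg):
    """Schnorr signature, a stand-in for the slides' signature scheme."""
    r = 1 + secrets.randbelow(q - 1)
    e = int.from_bytes(H("sig", pow(g, r, p), *msg), "big") % q
    return e, (r + sk * e) % q

def verify(pk, sig, *msg):
    e, s = sig
    R = pow(g, s, p) * pow(pk, -e, p) % p          # g^s * pk^-e = g^r
    return e == int.from_bytes(H("sig", R, *msg), "big") % q

def bob_respond(X, sig_a, pk_a, sk_b):
    """Flow 2: Bob checks Alice's signature on X, picks y, derives K and k_1."""
    if not verify(pk_a, sig_a, X):
        return None
    y = 1 + secrets.randbelow(q - 1)
    Y, K = pow(g, y, p), pow(X, y, p)
    return {"Y": Y, "sig": sign(sk_b, X, Y), "K": K, "k1": H(1, "Alice", "Bob", K)}

def bob_accepts(state, k2, confirm):
    """Without key confirmation Bob accepts at once; with it he checks k_2."""
    return not confirm or k2 == H(2, "Alice", "Bob", state["K"])

def demo():
    sk_a, sk_b = 1 + secrets.randbelow(q - 1), 1 + secrets.randbelow(q - 1)
    pk_a, pk_b = pow(g, sk_a, p), pow(g, sk_b, p)
    x = 1 + secrets.randbelow(q - 1)
    X = pow(g, x, p)
    flow1 = (X, sign(sk_a, X))                     # what a network observer records
    # Honest session: Alice checks Bob's signature and k_1, then returns k_2.
    st = bob_respond(*flow1, pk_a, sk_b)
    K = pow(st["Y"], x, p)
    alice_ok = verify(pk_b, st["sig"], X, st["Y"]) and st["k1"] == H(1, "Alice", "Bob", K)
    honest = alice_ok and bob_accepts(st, H(2, "Alice", "Bob", K), confirm=True)
    # Replayed flow 1 in a fresh session: the sender has no x, hence no K and no k_2.
    st2 = bob_respond(*flow1, pk_a, sk_b)
    return honest, bob_accepts(st2, None, False), bob_accepts(st2, None, True)

if __name__ == "__main__":
    print(demo())
```

The three results are: the honest confirmed session is accepted, the replayed flow is accepted when Bob does not wait for k_2, and it is rejected once he does.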

Password-based Authentication
The parties share a low-entropy secret
– a password
– exhaustive search is possible (say 2^20)
• Basic attack: on-line exhaustive search
  – the adversary guesses a password
  – tries to play the protocol
  – failure ⇒ erase the password from the list
  – restart…
  after 2^20 attempts, the adversary wins

Dictionary Attack
The on-line exhaustive search
– cannot be prevented
– can be made less serious (delay, limitations, …)
We want it to be the best attack…
Off-line exhaustive search:
– passive/active attack
– failure ⇒ erase MANY passwords from the list
– this is called dictionary attack

Example: EKE
The most famous scheme EKE: Encrypted Key Exchange
Must be done carefully
Password π shared by Alice and Bob
Alice: x ∈ Z_q, X = g^x, X' = E_π(Bob, X)
Alice → Bob: X'
Bob: X = D_π(X')
Bob: y ∈ Z_q, Y = g^y, Y' = E_π(Alice, Y)
Bob → Alice: Y'
Alice: Y = D_π(Y')
Alice: K = Y^x
Bob: K = X^y
k = H(Alice, Bob, X, Y, K)

Any redundancy is serious:
From X', for any password π
– decrypt X'
– check whether it begins with "Bob"

EKE - AuthA
EKE [Bellovin-Merritt 1992]
Password π shared by Alice and Bob
Alice: x ∈ Z_q, X = g^x
Alice → Bob: Bob, X' = E_π(X)
Bob: X = D_π(X'), y ∈ Z_q, Y = g^y
Bob → Alice: Alice, Y' = E_π(Y)
Alice: Y = D_π(Y')
Alice: K = Y^x
Bob: K = X^y
k = H(Alice, Bob, X, Y, K)

AuthA [Bellare-Rogaway 2000]
Password π shared by Alice and Bob
Alice: x ∈ Z_q, X = g^x
Alice → Bob: Bob, X' = E_π(X)
Bob: X = D_π(X'), y ∈ Z_q, Y = g^y, K = X^y, k_1 = H_1(Alice, Bob, K)
Bob → Alice: Alice, Y, k_1
Alice: K = Y^x, k_1 correct?
k = H(Alice, Bob, X, Y, K)
Provably secure if E is an ideal cipher [Bresson-Chevassut-Pointcheval ACM CCS '03]

Improvement
E = an ideal cipher replaced by the One-Time Pad E_π(m) = �(π) ⊕ m
[Bresson-Chevassut-Pointcheval LBNL-53099]
Password π shared by Alice and Bob
Alice: x ∈ Z_q, X = g^x
Alice → Bob: Bob, X' = X ⋅ �(π)
Bob: X = X' / �(π), y ∈ Z_q, Y = g^y, K = X^y, k_1 = H_1(Alice, Bob, K)
Bob → Alice: Alice, Y, k_1
Alice: K = Y^x, k_1 correct?
k = H(Alice, Bob, X, Y, K)
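
The "any redundancy is serious" remark and the one-time-pad improvement, compared side by side in an added example that is not code from the talk or the cited papers. It assumes a constructed toy group and password list, a SHAKE-256 pad standing in for the cipher, and a hypothetical `mask` function for the hash of the password that multiplies X.

```python
import hashlib, secrets

# Constructed toy group (far too small for real use): p = 2q + 1, g of order q.
p, q, g = 2039, 1019, 4
DICTIONARY = ["123456", "letmein", "tiger42", "qwerty", "dragon", "monkey"]  # constructed

def keystream(password, n):
    """Password-keyed pad standing in for the cipher keyed by pi (assumption)."""
    return hashlib.shake_256(password.encode()).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def eke_redundant(password, X):
    """X' = encryption under pi of ("Bob", X): the identity is inside the ciphertext."""
    m = b"Bob" + X.to_bytes(2, "big")
    return xor(m, keystream(password, len(m)))

def mask(password):
    """Hash of the password mapped into the order-q subgroup, never 0 or 1."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    return pow(2 + h % (p - 3), 2, p)          # squares mod a safe prime have order q

def eke_masked(password, X):
    """X' = X * mask(pi): the multiplicative pad of the Improvement slide."""
    return X * mask(password) % p

def survivors_redundant(Xp):
    """Offline filter on one transcript: keep passwords whose decryption starts with "Bob"."""
    return [pw for pw in DICTIONARY
            if xor(Xp, keystream(pw, len(Xp))).startswith(b"Bob")]

def survivors_masked(Xp):
    """Same filter on the masked flow: every unmasking is a valid group element."""
    return [pw for pw in DICTIONARY
            if pow(Xp * pow(mask(pw), -1, p) % p, q, p) == 1]

def demo(password="tiger42"):
    X = pow(g, 1 + secrets.randbelow(q - 1), p)
    return (survivors_redundant(eke_redundant(password, X)),
            survivors_masked(eke_masked(password, X)))

if __name__ == "__main__":
    redundant, masked = demo()
    print("identity inside the ciphertext:", redundant)
    print("X multiplied by mask(pi):      ", masked)
```

With the identity inside the ciphertext a single recorded flow leaves only the real password; with the masked flow the same filter removes nothing, so guesses can only be tested on-line.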