Authenticated Key Exchange - PowerPoint PPT Presentation

1 / 19
About This Presentation
Title:

Authenticated Key Exchange

Description:

Cryptographic protocols that establish keys for use by other protocols ... Principal: a party wishing to establish shared keys ... – PowerPoint PPT presentation

Number of Views:234
Avg rating:3.0/5.0
Slides: 20
Provided by: maile7
Category:

less

Transcript and Presenter's Notes

Title: Authenticated Key Exchange


1
Authenticated Key Exchange
  • Definitions
  • MAP
  • matching conversations
  • oracles
  • (I)KA
  • AKEP2
  • AKEP2 Security
  • Session Keys
  • Perfect Forward Secrecy
  • Adversary Attacks

Presented By Ashley Bruno Blayne White
2
Key Establishment Protocols
  • Cryptographic protocols that establish keys for
    use by other protocols
  • examples AKEP2, MAP1, Diffie-Hellman,
    Station-to-station

3
Definitions
  • Principal a party wishing to establish shared
    keys
  • Nonce a random or pseudo-random number issued in
    an authentication protocol to ensure that old
    communications cannot be reused in replay attacks

4
Definitions (cont'd)
  • MAC (ie. Message Authentication Code) the result
    of a hash function that combines a message with a
    key
  • Freshness a key is fresh if it can be guaranteed
    to be new (Menezes, van Oorschot and Vanstone,
    1997)

(probably no longer fresh)
5
Oracles
  • An I/O device that responds to every query with
    a random response chosen uniformly from it's
    output domain. if given the same input query, the
    same output response is given.

6
Oracle Freshness
  • An oracle is fresh if
  • It has accepted a session key
  • Its session key has not been given a Reveal query
    (oracle is unopened)
  • There is no opened oracle with whom it has a
    matching conversation that has accepted the
    session key.

7
Mutual Entity Authentication
  • Provides assurance to both entities of the
    identity of the other entity involved
  • If a pair of oracles has matching conversations,
    then both oracles accept.
  • The probability of an oracle accepting when it
    does not have a matching conversation with
    another oracle is negligible.

8
Matching Conversations
  • A conversation consists of all messages sent and
    received by an oracle.
  • Matching Conversations occur when the
    conversations of both parties are the same when
    all messages are faithfully delivered from the
    sender oracle to the receiver oracle, with the
    exception of the last message, since the
    initiator cannot know if this last message was
    received by its partner.

9
(Implicit) Key Authentication
  • Provides assurance that no entity other than a
    specifically identified entity can gain access to
    the key.
  • Independent of the actual possession of such key
    by the second party, or knowledge of such actual
    possession by the first party

10
Perfect Forward Secrecy
It is still desirable to design protocols where
past sessions remain secure. Perfect forward
secrecy compromise of long-term keys does not
compromise past session keys. Forward secrecy
indicates that the secrecy of old keys is carried
forward into the future.
11
Authenticated Key Exchange Protocol 2
  • A three-pass protocol
  • Uses symmetric authentication
  • Uses keyed hash functions instead of encryption
  • Does not rely on a trusted third party (TTP)
  • Provides mutual entity authentication and
    (implicit) key authentication
  • Provides Perfect Forward Secrecy

12
AKEP2
  • A and B are principals
  • A and B share two long term symmetric keys K, K'
  • each protocol run generates fresh nonces na, nb
  • uses a keyed hash function (MAC) hk and a keyed
    one-way function h'k'

13
AKEP2
na
A
B
A sends a challenge nonce to B.
hk(B,A,na,nb), nb
A
B
  • B resonds with hk(B,A,na,nb) and sends it's own
    challenge nonce.
  • k is the shared key k h'k'(nb)

hk(A,nb)
A
B
A responds to the challenge nonce with hk(A,nb)
to B
14
AKEP2 Security
  • The intent is to authenticate the principals
    involved and distribute a session key which will
    consist of a principal's private output
  • At the end of a secure AKE any adversary should
    not be able to distinguish a fresh session key
    from a random element.

15
AKE Security Session Keys
  • The compromise of one of these keys should have
    minimal consequences.
  • It should not subvert subsequent authentication.
  • It should not leak information about other
    session keys.

16
AKEP2 Security
  • Protocol II is secure if it is a secure mutual
    authentication protocol. This requires
  • That two oracles, in the absence of an active
    adversary, always accept
  • The advantage of a probabilistic polynomial
    adversary is negligible.
  • The current security definitions give the
    adversary very strong abilities in corrupting the
    parties, but they limit his ability to utilize
    those powers.

17
Attacks allowed by current definitions
  • Key-compromise impersonation the adversary
    reveals a long-term secret key of a party and
    then impersonates others to this party.
  • An adversary reveals the ephemeral secret key of
    a party who initiates an AKE session and
    impersonates the other participant of this
    session.

18
Attacks allowed (cont'd)
  • Two honest parties execute matching sessions,
    while the adversary reveals ephemeral secret keys
    of both parties and tries to learn the session
    key.
  • Two honest parties execute matching sessions,
    while the adversary reveals long-term keys of
    both parties prior to the session execution and
    tries to learn the session key.

However, all four of these attacks are not
considered violations of protocol security!
19
Authenticated Key Exchange
  • M. Bellare and P. Rogaway.Entity Authentication
    and key distribution Advances in Cryptology -
    Crypto 93 Proceedings, Lecture Notes in Computer
    Science Vol. 773, D. Stinson ed, Springer-Verlag,
    1994.
  • Brian LaMacchia, Kristen Lauter, Anton Mityagin.
    Stronger Security of Authenticated Key Exchange.
Write a Comment
User Comments (0)
About PowerShow.com