Authenticated Key Exchange

1
Authenticated Key Exchange

1. Definitions
2. MAP
3. matching conversations
4. oracles
5. (I)KA
6. AKEP2
7. AKEP2 Security
8. Session Keys
9. Perfect Forward Secrecy
10. Adversary Attacks

Presented By Ashley Bruno Blayne White
2
Key Establishment Protocols

1. Cryptographic protocols that establish keys for
   use by other protocols
2. examples AKEP2, MAP1, Diffie-Hellman,
   Station-to-station

3
Definitions

1. Principal a party wishing to establish shared
   keys
2. Nonce a random or pseudo-random number issued in
   an authentication protocol to ensure that old
   communications cannot be reused in replay attacks

4
Definitions (cont'd)

1. MAC (ie. Message Authentication Code) the result
   of a hash function that combines a message with a
   key
2. Freshness a key is fresh if it can be guaranteed
   to be new (Menezes, van Oorschot and Vanstone,
   1997)

(probably no longer fresh)
5
Oracles

1. An I/O device that responds to every query with
   a random response chosen uniformly from it's
   output domain. if given the same input query, the
   same output response is given.

6
Oracle Freshness

1. An oracle is fresh if
2. It has accepted a session key
3. Its session key has not been given a Reveal query
   (oracle is unopened)
4. There is no opened oracle with whom it has a
   matching conversation that has accepted the
   session key.

7
Mutual Entity Authentication

1. Provides assurance to both entities of the
   identity of the other entity involved
2. If a pair of oracles has matching conversations,
   then both oracles accept.
3. The probability of an oracle accepting when it
   does not have a matching conversation with
   another oracle is negligible.

8
Matching Conversations

1. A conversation consists of all messages sent and
   received by an oracle.
2. Matching Conversations occur when the
   conversations of both parties are the same when
   all messages are faithfully delivered from the
   sender oracle to the receiver oracle, with the
   exception of the last message, since the
   initiator cannot know if this last message was
   received by its partner.

9
(Implicit) Key Authentication

1. Provides assurance that no entity other than a
   specifically identified entity can gain access to
   the key.
2. Independent of the actual possession of such key
   by the second party, or knowledge of such actual
   possession by the first party

10
Perfect Forward Secrecy
It is still desirable to design protocols where
past sessions remain secure. Perfect forward
secrecy compromise of long-term keys does not
compromise past session keys. Forward secrecy
indicates that the secrecy of old keys is carried
forward into the future.
11
Authenticated Key Exchange Protocol 2

1. A three-pass protocol
2. Uses symmetric authentication
3. Uses keyed hash functions instead of encryption
4. Does not rely on a trusted third party (TTP)
5. Provides mutual entity authentication and
   (implicit) key authentication
6. Provides Perfect Forward Secrecy

12
AKEP2

1. A and B are principals
2. A and B share two long term symmetric keys K, K'
3. each protocol run generates fresh nonces na, nb
4. uses a keyed hash function (MAC) hk and a keyed
   one-way function h'k'

13
AKEP2
na
A
B
A sends a challenge nonce to B.
hk(B,A,na,nb), nb
A
B

• B resonds with hk(B,A,na,nb) and sends it's own
  challenge nonce.
• k is the shared key k h'k'(nb)

hk(A,nb)
A
B
A responds to the challenge nonce with hk(A,nb)
to B
14
AKEP2 Security

1. The intent is to authenticate the principals
   involved and distribute a session key which will
   consist of a principal's private output
2. At the end of a secure AKE any adversary should
   not be able to distinguish a fresh session key
   from a random element.

15
AKE Security Session Keys

1. The compromise of one of these keys should have
   minimal consequences.
2. It should not subvert subsequent authentication.
3. It should not leak information about other
   session keys.

16
AKEP2 Security

• Protocol II is secure if it is a secure mutual
  authentication protocol. This requires
• That two oracles, in the absence of an active
  adversary, always accept
• The advantage of a probabilistic polynomial
  adversary is negligible.
• The current security definitions give the
  adversary very strong abilities in corrupting the
  parties, but they limit his ability to utilize
  those powers.

17
Attacks allowed by current definitions

1. Key-compromise impersonation the adversary
   reveals a long-term secret key of a party and
   then impersonates others to this party.
2. An adversary reveals the ephemeral secret key of
   a party who initiates an AKE session and
   impersonates the other participant of this
   session.

18
Attacks allowed (cont'd)

1. Two honest parties execute matching sessions,
   while the adversary reveals ephemeral secret keys
   of both parties and tries to learn the session
   key.
2. Two honest parties execute matching sessions,
   while the adversary reveals long-term keys of
   both parties prior to the session execution and
   tries to learn the session key.

However, all four of these attacks are not
considered violations of protocol security!
19
Authenticated Key Exchange

1. M. Bellare and P. Rogaway.Entity Authentication
   and key distribution Advances in Cryptology -
   Crypto 93 Proceedings, Lecture Notes in Computer
   Science Vol. 773, D. Stinson ed, Springer-Verlag,
   1994.
2. Brian LaMacchia, Kristen Lauter, Anton Mityagin.
   Stronger Security of Authenticated Key Exchange.