Key-Exchange Protocol Using Pre-Agreed Session-ID
Kenji Imamoto, Kouichi Sakurai
Kyushu University, JAPAN
Acknowledgement
This research was partly supported by a grant from the Secom Science and Technology Foundation, and by the 21st Century COE Program 'Reconstruction of Social Infrastructure Related to Information Science and Electrical Engineering'. The first author was also partly supported by the Ministry of Education, Science, Sports and Culture, Grant-in-Aid for JSPS Fellows, 2004, 06737.

Korean Title: 사전 동의된 세션 아이디을 이용한 키 교환 프로토콜

Abstract
- Any message through Internet or radio communication can be easily eavesdropped on
  - Privacy should be considered (especially, this paper considers identity concealment)
- Introduce Pre-Agreed Session ID (PAS)
  - Identification which is a disposable unique value used for every session to specify each session and party
- Formalize security model for key-exchange protocol
- Propose a secure key-exchange protocol using PAS
- Argue about the problems which arise when PAS is used

Contents
1. Introduction
2. Security Model
3. PAS Protocol
4. Proof of PAS Protocol
5. Variants and Discussions
6. Conclusion

1. Introduction
- Main focus of our study is … Key-Exchange Protocol using Pre-shared Key
  [Figure labels: Long-term shared secret, Protocol, Short-term secret]
- Most existing schemes cannot prevent leakage of users' identities

Threat: Leakage of user's identity
[Figure: Bob sends "Bob, E_KB(M)" to the Responder over the Public Network. KB: secret key, M: message]

Table (shown in both figures):
User's ID   Secret key
Alice       KA
Bob         KB
Charlie     KC

[Figure: Bob sends "E_KB(Bob, M)" to the Responder over the Public Network. KB: secret key, M: message]

- We need other identifying information
  - Legitimate user can specify his partner
  - No attacker can specify who is communicating

[2] R. Canetti and H. Krawczyk, “Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels”, EUROCRYPT’2001.
[3] R. Canetti and H. Krawczyk, “Security Analysis of IKE’s Signature-Based Key-Exchange Protocol”, CRYPTO’2002.

Our Solution
- Session ID [2, 3]
  - Purpose: uniquely name sessions
  - Assumption: unique among all the session IDs
- Pre-Agreed Session ID (PAS)
  - Unique session ID agreed between each peer before activation of the session
  - Uniquely names a session and the parties who participate in the session

2. Security Model
- Existing Model [2] (SK-Security)
  - Consider the security of session key
- Our Model (SK-ID-Security)
  - Consider the security of not only session key but also users' identities
[Figure label: Extend (Existing Model to Our Model)]

Communication Channel
- The channel is Broadcast-type
  - All messages can be sent to a pool of messages
  - There is no assumption on the logical connection between the address where a message is delivered and the identity behind that address.
- Attacker is a (probabilistic) polynomial-time machine with full control of the communication lines between parties
  - Free to intercept, delay, drop, inject, or change all messages sent over these lines

Attacker's Access to Secret Information (session expose)
- Session state reveal
  - Session state for an incomplete session (which does not include long-term secret)
- Session-key query
  - Session-key of a completed session
- Party corruption
  - All information in the memory of the party (including session states, session-key, long-term secrets)
- Identity reveal
  - Parties' identities that activate a session

Basic Idea of SK-ID-Security (1)
- Indistinguishability style [2]
  - The success of an attack is measured via its ability to distinguish the real values from independent random values

[Figure: exchange between Attacker and Oracle]
1. Freely choose a complete session as test session
2. Query
3. Coin toss
4. Response (real or random)
5. Guess the result of coin toss
If head, response is real. If tail, response is random.

Basic Idea of SK-ID-Security (2)
- The attacker succeeds in its attack if
  1. The test session is not exposed
  2. The probability of his correct guess of coin toss is significantly larger than 1/2
- Definition (SK-ID-security): A key-exchange protocol is called SK-ID-secure if for all attackers with the explained capabilities, success probability (in its test-session distinguishing attacks) is not more than 1/2 plus a negligible fraction
- Two games against Test session:
  - Distinction of session-key (real session key or random value) [2]
  - Distinction of pairs (real party or randomly chosen party)

Game: Distinction of pairs
[Figure: exchange between Attacker and Oracle]
1. Freely choose a complete session as test session
2. Query
3. Coin toss
4. Response (real or random)
5. Guess the result of coin toss
If head, response is real. If tail, response is random.
- Random: random choice from all possible pairs that do not include either of the real parties' ID
- Parties: A, B, C, D, E
  - A shares PSK with B
  - C shares PSK with D and E
- Pairs shown in the figure (labelled Real / Random): A-B, C-D, C-E, A-C, A-D, A-E, B-C, B-D, B-E, D-E

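3. PAS Protocol
[Figure: message flow between $P_i$ and $P_j$]
1. Start message: $PAS_{ij}^{m},\ g^{x}$
2. Response message: $PAS_{ij}^{m},\ g^{y},\ MAC_{k_2}(0, PAS_{ij}^{m}, P_j, g^{x}, g^{y}, g^{xy})$
3. Finish message: $PAS_{ij}^{m},\ MAC_{k_2}(1, PAS_{ij}^{m}, P_i, g^{y}, g^{x}, g^{xy})$

$k_0 = PRF_{g^{xy}}(0)$ % Session key
$k_1 = PRF_{g^{xy}}(1)$ %
$k_2 = PRF_{PSK_{ij}}(2)$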
1mijPAS
[Figure: $PAS_{ij}^{m}$ and $PSK_{ij}$ are shown at each of the two parties]
MAC: Message Authentication Code
PRF: Pseudo Random Function

4. Proof of PAS Protocol
- Main Theorem
  - Assuming DDH and the security of the underlying cryptographic functions (i.e., MAC and PRF), PAS protocol is SK-ID-secure
- Strategy for Proof of Main Theorem
  - Show that a DDH distinguisher can be built from an attacker that succeeds in distinguishing between a real and a random response to the test-session query

5. Variants and Discussions (DoS-resilient)
[Figure: Adversary, Responder, User]
- Responder cannot respond. (Even for legitimate users!)
- Point: Responder needs to distinguish legitimate requests from wasteful ones at low cost

Protection from DoS attack
[Figure: Adversary and Bob send requests to the Responder; Bob sends "PASBR, Request"]
- Request needs a valid PAS
- Attacker can guess no valid PAS
- The cost of checking validity of received PAS is equal to only searching in responder's PAS list.

User's ID   PAS     Secret key
Alice       PASAR   KAR
Bob         PASBR   KBR
Charlie     PASCR   KCR
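
The three-message PAS exchange (section 3) and the responder's PAS-list check (DoS slide above), as an added Python example that is not code from the authors. Assumptions: HMAC-SHA256 stands in for both MAC and PRF, the group (p = 2^255 - 19, g = 2) is a demo choice and not a vetted DDH group, the names `Responder`, `initiate`, `mac`, `prf` and `enc` are hypothetical, and agreeing the next PAS is left out because the slides do not specify it.

```python
import hashlib, hmac, secrets

P, G = 2**255 - 19, 2    # demo group (assumption): prime modulus, not a vetted DDH group

def prf(key, n):         # PRF_key(n); HMAC-SHA256 is an assumption
    return hmac.new(key, bytes([n]), hashlib.sha256).digest()
def enc(v):              # fixed-width encoding of a group element
    return v.to_bytes(32, "big")

def mac(psk, label, pas, ident, a, b, gxy):
    # MAC_{k2}(label, PAS, P, a, b, g^xy) with k2 = PRF_PSK(2); fields length-prefixed
    fields = [bytes([label]), pas, ident.encode(), enc(a), enc(b), enc(gxy)]
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(prf(psk, 2), data, hashlib.sha256).digest()

class Responder:
    def __init__(self, name, table):        # table: PAS -> (peer ID, PSK)
        self.name, self.table, self.pending = name, table, {}

    def on_start(self, pas, gx):            # message 1: PAS, g^x (no identity on the wire)
        entry = self.table.pop(pas, None)   # list search only; a PAS is disposable
        if entry is None or not 1 < gx < P - 1:
            return None                     # rejected before any exponentiation
        peer, psk = entry
        y = secrets.randbelow(P - 3) + 2
        gy, gxy = pow(G, y, P), pow(gx, y, P)
        self.pending[pas] = (peer, psk, gx, gy, gxy)
        return pas, gy, mac(psk, 0, pas, self.name, gx, gy, gxy)   # message 2

    def on_finish(self, pas, tag):          # message 3: PAS, MAC
        state = self.pending.pop(pas, None)
        if state is None:
            return None
        peer, psk, gx, gy, gxy = state
        ok = hmac.compare_digest(tag, mac(psk, 1, pas, peer, gy, gx, gxy))
        return prf(enc(gxy), 0) if ok else None    # k0 = PRF_{g^xy}(0), the session key

def initiate(name, peer, pas, psk, responder):
    """P_i's side; returns (initiator key, responder key) or (None, None)."""
    x = secrets.randbelow(P - 3) + 2
    gx = pow(G, x, P)
    reply = responder.on_start(pas, gx)
    if reply is None or not 1 < reply[1] < P - 1:
        return None, None
    gy, tag, gxy = reply[1], reply[2], pow(reply[1], x, P)
    if not hmac.compare_digest(tag, mac(psk, 0, pas, peer, gx, gy, gxy)):
        return None, None
    k_r = responder.on_finish(pas, mac(psk, 1, pas, name, gy, gx, gxy))
    return (prf(enc(gxy), 0), k_r) if k_r else (None, None)
```

A request carrying an unknown PAS costs the responder one dictionary lookup, and a used PAS is removed from the table, so replaying it is rejected the same way.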

6. Conclusion
- Introduce Pre-Agreed Session ID (PAS)
  - Identification which is a disposable unique value used for every session to specify each session and party
- Formalize security model for key-exchange protocol
- Propose a secure key-exchange protocol using PAS
- Argue about the problems which arise when PAS is used
  - Synchronization of PAS, DoS attack, PFS