
Key-Exchange Protocol Using Pre-Agreed Session-ID

Kenji Imamoto, Kouichi Sakurai

Kyushu University, JAPAN

Acknowledgement: This research was partly supported by the grant of Secom Science and Technology Foundation, and the 21st Century COE Program 'Reconstruction of Social Infrastructure Related to Information Science and Electrical Engineering'. Also, the first author was partly supported by the Ministry of Education, Science, Sports and Culture, Grant-in-Aid for JSPS Fellows, 2004, 06737.

Korean Title: 사전 동의된 세션 아이디을 이용한 키 교환 프로토콜


Abstract

• Any message through Internet or radio communication can be easily eavesdropped on
• Privacy should be considered (especially, this paper considers identity concealment)
• Introduce Pre-Agreed Session ID (PAS)
  - Identification which is a disposable unique value used for every session to specify each session and party
• Formalize security model for key-exchange protocol
• Propose a secure key-exchange protocol using PAS
• Argue about the problems which arise when PAS is used


Contents

1. Introduction

2. Security Model

3. PAS Protocol

4. Proof of PAS Protocol

5. Variants and Discussions

6. Conclusion


1. Introduction

• Main focus of our study is … Key-Exchange Protocol using Pre-shared Key
  [Figure: Long-term shared secret → Protocol → Short-term secret]
• Most existing schemes cannot prevent leakage of users' identities


Threat: Leakage of user's identity

[Figure: Bob sends "Bob, E_KB(M)" over the public network to the responder. K_B: secret key, M: message.]

Responder's key table:
User's ID    Secret key
Alice        K_A
Bob          K_B
Charlie      K_C

[Figure: Bob sends "E_KB(Bob, M)" over the public network to the responder, which holds the same key table. K_B: secret key, M: message.]

• We need another identifiable information
  - Legitimate user can specify his partner
  - No attacker can specify who is communicating


Our Solution

• Session ID [2, 3]
  - Purpose: uniquely name sessions
  - Assumption: unique among all the session ID
• Pre-Agreed Session ID (PAS)
  - Unique session ID agreed between each peer before activation of the session
  - Uniquely name a session and parties who participate in the session

[2] R. Canetti and H. Krawczyk, “Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels”, EUROCRYPT’2001.

[3] R. Canetti and H. Krawczyk, “Security Analysis of IKE’s Signature-Based Key-Exchange Protocol”, CRYPTO’2002.


2. Security Model

• Existing Model [2] (SK-Security)
  - Consider the security of session key
    ↓ Extend
• Our Model (SK-ID-Security)
  - Consider the security of not only session key but also users’ identities


Communication Channel

• The channel is Broadcast-type
  - All messages can be sent to a pool of messages
  - There is no assumption on the logical connection between the address where a message is delivered and the identity behind that address.
• Attacker is a (probabilistic) polynomial-time machine with full control of the communication lines between parties
  - Free to intercept, delay, drop, inject, or change all messages sent over these lines


Attacker’s Access to Secret Information (session expose)

• Session state reveal
  - Session state for an incomplete session (which does not include long-term secret)
• Session-key query
  - Session-key of a completed session
• Party corruption
  - All information in the memory of the party (including session states, session-key, long-term secrets)
• Identity reveal
  - Parties’ identities that activate a session


Basic Idea of SK-ID-Security (1)

• Indistinguishability style [2]
  - The success of an attack is measured via its ability to distinguish the real values from independent random values

Game between Attacker and Oracle:
1. Freely choose a complete session as test session
2. Query
3. Coin toss
   If head, response is real
   If tail, response is random
4. Response (real or random)
5. Guess the result of coin toss


Basic Idea of SK-ID-Security (2)

• The attacker succeeds in its attack if
  1. The test session is not exposed
  2. The probability of his correct guess of coin toss is significantly larger than 1/2
• Two games against test session:
  - Distinction of session-key (real session key or random value) [2]
  - Distinction of pairs (real party or randomly chosen party)

Definition (SK-ID-security): A key-exchange protocol is called SK-ID-secure if, for all attackers with the explained capabilities, the success probability (in its test-session distinguishing attacks) is not more than 1/2 plus a negligible fraction.


Game: Distinction of pairs

Game between Attacker and Oracle:
1. Freely choose a complete session as test session
2. Query
3. Coin toss
   If head, response is real
   If tail, response is random
4. Response (real or random)
5. Guess the result of coin toss

Random: Random choice from all possible pairs that do not include either of the real parties’ ID

Parties: A, B, C, D, E
• A shares PSK with B
• C shares PSK with D and E

[Figure: the pairs A-B, C-D, C-E, A-C, A-D, A-E, B-C, B-D, B-E, D-E, with the labels "Real" and "Random"]


3. PAS Protocol

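$P_i$ and $P_j$ each hold $PAS_{ij}^{m}$ and $PSK_{ij}$.

1. Start message ($P_i \to P_j$): $PAS_{ij}^{m},\ g^{x}$

2. Response message ($P_j \to P_i$): $PAS_{ij}^{m},\ g^{y},\ MAC_{k_2}(0, PAS_{ij}^{m}, P_j, g^{x}, g^{y}, g^{xy})$

3. Finish message ($P_i \to P_j$): $PAS_{ij}^{m},\ MAC_{k_2}(1, PAS_{ij}^{m}, P_i, g^{y}, g^{x}, g^{xy})$

$k_0 = PRF_{g^{xy}}(0)$ % Session key

$k_1 = PRF_{g^{xy}}(1)$ % $PAS_{ij}^{m+1}$

$k_2 = PRF_{PSK_{ij}}(2)$

MAC: Message Authentication Code
PRF: Pseudo Random Function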


4. Proof of PAS Protocol

• Main Theorem
  - Assuming DDH and the security of the underlying cryptographic functions (i.e., MAC and PRF), PAS protocol is SK-ID-secure
• Strategy for Proof of Main Theorem
  - Show that a DDH distinguisher can be built from an attacker that succeeds in distinguishing between a real and a random response to the test-session query


5. Variants and Discussions (DoS-resilient)

[Figure: Adversary, User and Responder. Responder cannot respond (even for legitimate users!).]

Point: Responder needs to distinguish legitimate requests from waste ones at low cost


Protection from DoS attack

[Figure: Bob sends "PAS_BR, Request" to the Responder; an Adversary is also shown.]

• Request needs a valid PAS
• Attacker can guess no valid PAS
• The cost of checking validity of received PAS is equal to only searching in responder’s PAS list.

Responder's PAS list:
User’s ID    PAS       Secret key
Alice        PAS_AR    K_AR
Bob          PAS_BR    K_BR
Charlie      PAS_CR    K_CR
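
The three-message exchange of Section 3 together with the responder's PAS-list check described above, as an added Python example that is not the authors' code. HMAC-SHA256 as both MAC and PRF, the toy group (2^521 - 1 with generator 3), the field encoding, the identities and all function names are assumptions; the example retires a used PAS but does not install the next one.

```python
import hashlib, hmac, secrets

P, G = 2**521 - 1, 3   # toy group for brevity (assumption, not from the slides)
enc = lambda n: n.to_bytes(66, "big")

def prf(key, n):       # PRF_key(n), instantiated here with HMAC-SHA256
    return hmac.new(key, bytes([n]), hashlib.sha256).digest()

def mac(k2, tag, pas, ident, ga, gb, gxy):   # MAC_k2(tag, PAS, P, g^a, g^b, g^xy)
    body = bytes([tag]) + pas + bytes([len(ident)]) + ident + enc(ga) + enc(gb) + enc(gxy)
    return hmac.new(k2, body, hashlib.sha256).digest()

def start(pas):        # P_i -> P_j: PAS, g^x
    x = secrets.randbelow(P - 3) + 2
    return x, (pas, pow(G, x, P))

def respond(pas_list, rid, pas, gx):   # P_j -> P_i: PAS, g^y, MAC_k2(0, ...)
    entry = pas_list.get(pas)          # DoS check: one lookup before any exponentiation
    if entry is None or not 1 < gx < P - 1:
        return None
    iid, psk = entry
    y = secrets.randbelow(P - 3) + 2
    gy, gxy = pow(G, y, P), pow(gx, y, P)
    tag = mac(prf(psk, 2), 0, pas, rid, gx, gy, gxy)
    return (pas, iid, psk, gx, gy, gxy), (pas, gy, tag)

def finish(x, pas, psk, iid, rid, rpas, gy, tag):   # P_i -> P_j: PAS, MAC_k2(1, ...)
    if rpas != pas or not 1 < gy < P - 1:
        return None
    gx, gxy, k2 = pow(G, x, P), pow(gy, x, P), prf(psk, 2)
    if not hmac.compare_digest(tag, mac(k2, 0, pas, rid, gx, gy, gxy)):
        return None
    return prf(enc(gxy), 0), (pas, mac(k2, 1, pas, iid, gy, gx, gxy))

def accept(pas_list, state, fin):  # responder checks the finish MAC, retires the PAS
    pas, iid, psk, gx, gy, gxy = state
    want = mac(prf(psk, 2), 1, pas, iid, gy, gx, gxy)
    if fin[0] != pas or not hmac.compare_digest(fin[1], want):
        return None
    del pas_list[pas]              # disposable: a replayed start message now fails the lookup
    return prf(enc(gxy), 0)        # k0, the session key

def demo():                        # constructed sample values
    pas, psk = secrets.token_bytes(16), secrets.token_bytes(32)
    table = {pas: (b"Bob", psk)}   # responder's PAS list: PAS -> (user ID, PSK)
    x, m1 = start(pas)
    state, m2 = respond(table, b"R", *m1)
    k_i, m3 = finish(x, pas, psk, b"Bob", b"R", *m2)
    return k_i == accept(table, state, m3), respond(table, b"R", *m1)
```

No identity appears in any message: `P_i` and `P_j` enter only as MAC inputs, and the responder recovers the initiator's identity and PSK from the PAS lookup.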


6. Conclusion

• Introduce Pre-Agreed Session ID (PAS)
  - Identification which is a disposable unique value used for every session to specify each session and party
• Formalize security model for key-exchange protocol
• Propose a secure key-exchange protocol using PAS
• Argue about the problems which arise when PAS is used
  - Synchronization of PAS, DoS attack, PFS