Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2

SLIDE 1

Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2

Sven Schäge, Jörg Schwenk, Sebastian Lauer Ruhr-University Bochum

SLIDE 2

Classical Key Exchange Setting

[Diagram: Alice (holding skA, pkB) and Bob (holding skB, pkA) exchange messages m1, m2, …, mq-1, mq; both parties then derive K.]

PPAKE - PKC 2020

SLIDE 3

Multi-Homed Servers

[Diagram: Alice (holding skA, pkB0, pkB1) and Bob (holding skB0, skB1, pkA) exchange messages m1, m2, …, mq-1, mq; both parties then derive K.]

SLIDE 4

General Case

[Diagram: Alice (holding skA0, skA1, pkB0, pkB1) and Bob (holding skB0, skB1, pkA0, pkA1) exchange messages m1, m2, …, mq-1, mq; both parties then derive K.]

SLIDE 5

Motivation for PPAKE

  • Privacy
  • Censorship Circumvention
  • PPAKE is not a substitute for TOR!
  • PPAKE does not hide the endpoint but only the virtual identity on/behind that endpoint.

SLIDE 6

Contribution

  • New security model for PPAKE
  • Besides key indistinguishability, additionally captures indistinguishability of used identities
  • General and strong security notion that requires that privacy is cryptographically independent of key indistinguishability
  • Proper extension of classical AKE
  • Introduced changes extendable to unilateral authentication, ACCE, explicit authentication
  • New conceptual feature: Modes
  • Modes model protocol options
  • Formulate expectations of parties on who is responsible for choosing identities
  • Security proof of IPsec with signature-based authentication

SLIDE 7

Overview Security Model

[Diagram: party A (holding skA0, skA1, pkB0, pkB1) runs session oracles OA,1, OA,2, …, OA,q; party B (holding skB0, skB1, pkA0, pkA1) runs session oracles OB,1, OB,2, …, OB,q. Each oracle OX,i carries public modes IMX,i|PMX,i, selector bits ISBX,i|PSBX,i and a session key kX,i.]

SLIDE 8

Overview Security Model

[Diagram: party A (holding skA0, skA1, pkB0, pkB1) runs session oracles OA,1, OA,2, …, OA,q; party B (holding skB0, skB1, pkA0, pkA1) runs session oracles OB,1, OB,2, …, OB,q. Each oracle OX,i carries public modes IMX,i|PMX,i, selector bits ISBX,i|PSBX,i and a session key kX,i.]

  • Identity Mode (IM) ∈ {me, partner}
  • Partner Mode (PM) ∈ {me, partner}
  • Identity Selector Bit (ISB) ∈ {0,1}
  • Partner Selector Bit (PSB) ∈ {0,1}

SLIDE 9

PPAKE Security Model: Attack Capabilities

  • New Attack Queries to Sessions:
  • Unmask(own/partner)
  • Test(ID,own/partner)->0/1
  • Other (Classical) Attack Queries:
  • Send
  • RevealKey
  • Corrupt
  • Test(Key)

SLIDE 10

PPAKE Security Experiment

  • Each party is equipped with two key pairs
  • If the mode requires so, each session chooses a random identity for itself or its communication partner
  • Attacker always has access to all attack capabilities
  • Adding a new security proof for identity indistinguishability to existing security analyses is not enough!
  • Old proof may become invalidated when also given access to Unmask query!

SLIDE 11

PPAKE Security Guarantees

  • Key indistinguishability for session key of test session - even if identity is revealed
  • Pre-requisite to show that new PPAKE model is proper extension of classical AKE model
  • Indistinguishability of identities of test session - even if session key is revealed

SLIDE 12

Applicability to other Security Models

  • Selector bits, modes, Unmask queries and Test(ID) may be used to extend other security models
  • AKE with explicit authentication
  • Unilateral authentication
  • ACCE -> PPACCE

SLIDE 13

IPsec with Signature-based Authentication

  • Phase 1: Anonymous DH key exchange with fresh nonces. Result: symmetric keys
  • Phase 2: Use symmetric keys to encrypt all data, including the authentication step with signatures

SLIDE 14

Phase 1

SLIDE 15

Phase 2

  • Option 1: Initiator may specify Responder’s identity
  • Option 2: Responder may specify Responder’s identity

SLIDE 16

PPAKE Security Proof

  • Protocol is PPAKE secure assuming security of
  • PRF-ODH assumption
  • Pseudo-Random Functions (PRF)
  • Digital Signature Scheme (SIG)
  • Authenticated Encryption (AE) Scheme
  • Length-hiding to hide identities
  • Signatures should be length-preserving or
  • Use length-hiding authenticated encryption

SLIDE 17

Conclusion

  • Model for Privacy-Preserving AKE
  • Emphasizes cryptographic independence of identity indistinguishability and key indistinguishability
  • Captures options for distinct ways to decide on used identities
  • A set of ingredients to extend existing models to become privacy-preserving
  • Supports comparability of models since new models are proper extensions
  • Proof of IPsec with Signature-based Authentication
  • Take Home Message: Data that depends on the identity should have same length for all identities
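
An added illustration of the take-home message and of the length-hiding requirement in the security proof (not part of the original slides): a passive observer plays the identity game for a multi-homed responder using only the length of the encrypted authentication message. The two identities, the fixed 64-byte signature, the 16-byte tag, the bucket size and all function names are assumptions, and a secure AE ciphertext is modelled as random bytes of the correct length.

```python
import secrets

TAG_LEN = 16   # assumption: AE adds a fixed-size tag and is otherwise length-preserving
SIG_LEN = 64   # assumption: fixed-length signature, so only the identity length varies

# Constructed sample identities of a multi-homed responder B (selector bit 0 / 1).
IDENTITIES = [b"vpn.example", b"customer-portal.example"]

def pad(data, bucket):
    """Length-hiding encoding: 2-byte length prefix, zero padding up to a bucket multiple."""
    body = len(data).to_bytes(2, "big") + data
    return body + bytes(-len(body) % bucket)

def unpad(padded):
    """Inverse of pad(): read the length prefix and strip the padding."""
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n]

def encrypt_auth(bit, bucket=0):
    """Model of the encrypted authentication message for identity B_bit.
    bucket=0 means no padding; the ciphertext is random bytes of the right length."""
    payload = IDENTITIES[bit] + secrets.token_bytes(SIG_LEN)  # identity || signature
    if bucket:
        payload = pad(payload, bucket)
    return secrets.token_bytes(len(payload) + TAG_LEN)

def observer_guess(ct_len, bucket=0):
    """Passive observer: knows both candidate identities, sees only the length."""
    candidates = [b for b in (0, 1) if len(encrypt_auth(b, bucket)) == ct_len]
    # If the length fits exactly one identity it is revealed; otherwise flip a coin.
    return candidates[0] if len(candidates) == 1 else secrets.randbelow(2)

def win_rate(trials, bucket=0):
    """Identity game: fraction of trials in which the selector bit is guessed correctly."""
    wins = 0
    for _ in range(trials):
        bit = secrets.randbelow(2)
        wins += observer_guess(len(encrypt_auth(bit, bucket)), bucket) == bit
    return wins / trials

if __name__ == "__main__":
    print("no padding     :", win_rate(2000))        # length reveals the identity
    print("128-byte bucket:", win_rate(2000, 128))   # observer is reduced to guessing
```

With length-preserving encryption and identities of different length, the observer wins every time without touching the key; once both payloads are padded into the same bucket, the ciphertext lengths coincide and the guess is no better than a coin flip.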

SLIDE 18
  • Thank you very much for your attention!
