
David Pointcheval LIENS-CNRS Ecole normale supérieure

Provable Security Authenticated Key Exchange

Joint work with Emmanuel Bresson and Olivier Chevassut

Lawrence Berkeley National Lab August 2003

Provable Security - Authenticated Key Exchange - 2 David Pointcheval

Summary

  • Key Agreement and PKI-based Authentication
    – Security Model
    – Example
  • Password-based Authentication
    – Security Model
    – Example
  • Group Key Agreement
    – Security Model
    – Example
  • Conclusion

Authenticated Key Exchange

Two parties agree on a common secret key, in order to establish a secret channel (e.g. SSL)

  • Implicit authentication
    – only the intended partners can compute the session key
  • Semantic security
    – the session key is indistinguishable from a random string
    – modeled via a Test-query

Further Properties

  • Mutual authentication
    – they are both sure to share the secret with the people they think they do
  • Forward-secrecy
    – even if long-term secret data is corrupted, previous shared secrets are still semantically secure

Formal Model

can ask

– reveal-queries
– test-query
– execute-queries
– send-queries
– corrupt-queries

  • history

[Figure labels: B1, Bi, Bb, A1, Ai, Aa, 0/1]

Semantic Security

  • A misuse of the secret data is modeled by the reveal-query, which is answered by this secret data
  • For the semantic security, the adversary asks one test-query which is answered, according to a bit b, by
    – b=0: the actual secret data
    – b=1: a random string

⇒ the adversary has to guess this bit b

Security Definitions (AKE)

[Figure: PROTOCOL, with its public data. « Test » a key sk: flip a coin b; the answer is sk if b=0, random if b=1. Outputs b’ (guess for b).]

Passive/Active Adversaries

  • Passive adversary: history built using the execute-queries → transcripts
  • Active adversary: entire control of the network with send-queries:
    – to send messages to Alice or Bob (in place of Bob or Alice respectively)
    – to intercept, forward and/or modify messages

Forward Secrecy

Forward secrecy means that the adversary cannot distinguish a session key established before any corruption of the long-term private keys:

  • the corrupt-query is answered by the long-term private key of the corrupted party
  • then the test-query must be asked on a session key established before any corrupt-query


Diffie-Hellman Key Exchange

The most classical key exchange scheme has been proposed by Diffie-Hellman: = <g>, cyclic group of prime order q

  • Alice chooses a random x∈q, computes and sends $X = g^x$
  • Bob chooses a random y∈q, computes and sends $Y = g^y$
  • They each can compute the session key $K = Y^x = X^y$

Properties

  • If flows are authenticated, it is well-known to provide the semantic security of the session key under the Decisional Diffie-Hellman Problem
  • If one derives the session key as k = H(K), where H is assumed to behave like a random oracle, semantic security is relative to the Computational Diffie-Hellman Problem

Authenticated Key Exchange

But there is no explicit authentication ⇒ replay attacks

Alice holds (Sa, Pa), Bob holds (Sb, Pb)
Alice: x∈q, $X = g^x$
Alice → Bob: Bob, X, (Sa,X)
Bob: y∈q, $Y = g^y$, $K = X^y$
Bob → Alice: Alice, Y, (Sb,X,Y)
Alice: $K = Y^x$
k = H(Alice, Bob, X, Y, K)

Replay Attack

The adversary intercepts “Bob, X, (Sa,X)”
He can initiate a new session with it

Bob believes it comes from Alice

– Bob accepts the key, but does not share it with Alice ⇒ no mutual authentication
– The adversary does not know the key either ⇒ still semantic security

Mutual Authentication

Adding key confirmation rounds: mutual authentication

Alice holds (Sa, Pa), Bob holds (Sb, Pb)
Alice: x∈q, $X = g^x$
Alice → Bob: Bob, X, (Sa,X)
Bob: y∈q, $Y = g^y$, $K = X^y$, k1 = H1(Alice,Bob,K)
Bob → Alice: Alice, Y, (Sb,X,Y), k1
Alice: $K = Y^x$, k1 correct? k2 = H2(Alice,Bob,K)
Alice → Bob: k2
Bob: k2 correct?
k = H(Alice, Bob, X, Y, K)

[Bellare-Pointcheval-Rogaway Eurocrypt ‘00]
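
Added example (not from the original slides): Bob's view of the signed Diffie-Hellman exchange when a captured first flow is replayed, without and with the key-confirmation round. The toy group, the Schnorr signatures standing in for the unnamed signature scheme, and all function names are assumptions; Bob's own signature on (X, Y) is left out because the replay only concerns what Bob accepts.

```python
import hashlib, secrets

P, Q, G = 2039, 1019, 4  # toy group (constructed): P = 2Q + 1, G has prime order Q

def H(*parts):
    return hashlib.sha256("|".join(map(str, parts)).encode()).digest()

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

# Schnorr signatures: an assumption, the slides do not name a signature scheme.
def sign(sk, *msg):
    r = rand_exp()
    R = pow(G, r, P)
    e = int.from_bytes(H(R, *msg), "big") % Q
    return R, (r + e * sk) % Q

def verify(pk, sig, *msg):
    R, s = sig
    e = int.from_bytes(H(R, *msg), "big") % Q
    return pow(G, s, P) == R * pow(pk, e, P) % P

def alice_start(sa):
    x = rand_exp()
    X = pow(G, x, P)
    return x, ("Bob", X, sign(sa, X))            # flow 1: Bob, X, sig(Sa, X)

def bob(pa, flow1, peer, confirm):
    """Bob's view. confirm=False: signed DH only; confirm=True: also checks k2."""
    _, X, sig = flow1
    if not verify(pa, sig, X):
        return False
    y = rand_exp()
    Y, K = pow(G, y, P), pow(X, y, P)
    k2 = peer(Y, H("H1", "Alice", "Bob", K))     # the peer receives Y and k1
    return not confirm or secrets.compare_digest(k2, H("H2", "Alice", "Bob", K))

def demo():
    sa = rand_exp()
    pa = pow(G, sa, P)
    x, flow1 = alice_start(sa)                   # flow1 is also what a replayer holds
    # Real Alice knows x and derives K (her k1 check is omitted for brevity).
    alice = lambda Y, k1: H("H2", "Alice", "Bob", pow(Y, x, P))
    # A replayer has flow1 but not x, so it can only guess k2.
    replayer = lambda Y, k1: secrets.token_bytes(32)
    return (bob(pa, flow1, replayer, confirm=False),   # replay accepted
            bob(pa, flow1, alice, confirm=True),       # honest run accepted
            bob(pa, flow1, replayer, confirm=True))    # replay rejected
```

Without the confirmation round Bob accepts on the signature alone; with it, acceptance requires knowledge of K, which the replayed flow does not give.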


Password-based Authentication

The parties share a low-entropy secret

– a password
– exhaustive search is possible (say $2^{20}$)

  • Basic attack: on-line exhaustive search
    – the adversary guesses a password
    – tries to play the protocol
    – failure ⇒ erase the password from the list
    – restart… after $2^{20}$ attempts, the adversary wins

Dictionary Attack

The on-line exhaustive search

– cannot be prevented
– can be made less serious (delay, limitations, …)

We want it to be the best attack…

Off-line exhaustive search:

– passive/active attack
– failure ⇒ erase MANY passwords from the list

This is called a dictionary attack


Example: EKE

The most famous scheme EKE: Encrypted Key Exchange
Must be done carefully

Alice and Bob share the password π
Alice: x∈q, $X = g^x$
Alice → Bob: X’ = π(Bob, X)
Bob: X = π(X’), y∈q, $Y = g^y$, $K = X^y$
Bob → Alice: Y’ = π(Alice, Y)
Alice: Y = π(Y’), $K = Y^x$
k = H(Alice, Bob, X, Y, K)

Any redundancy is serious: From X’, for any password π

– decrypt X’
– check whether it begins with “Bob”

EKE - AuthA

EKE (Bellovin-Merritt 1992), Alice and Bob share the password π
Alice: x∈q, $X = g^x$
Alice → Bob: Bob, X’ = π(X)
Bob: X = π(X’), y∈q, $Y = g^y$, $K = X^y$
Bob → Alice: Alice, Y’ = π(Y)
Alice: Y = π(Y’), $K = Y^x$
k = H(Alice, Bob, X, Y, K)

Provably secure if is an ideal cipher

[Bresson-Chevassut-Pointcheval ACM CCS ‘03]

AuthA (Bellare-Rogaway 2000), Alice and Bob share the password π
Alice: x∈q, $X = g^x$
Alice → Bob: Bob, X’ = π(X)
Bob: X = π(X’), y∈q, $Y = g^y$, $K = X^y$, k1 = H1(Alice, Bob, K)
Bob → Alice: Alice, Y, k1
Alice: $K = Y^x$, k1 correct?
k = H(Alice, Bob, X, Y, K)

Improvement

= an ideal cipher replaced by the One-Time Pad π(m) = (π) ⊕ m

[Bresson-Chevassut-Pointcheval LBNL-53099]

Alice and Bob share the password π
Alice: x∈q, $X = g^x$
Alice → Bob: Bob, X’ = X⋅(π)
Bob: X = X’ / (π), y∈q, $Y = g^y$, $K = X^y$, k1 = H1(Alice, Bob, K)
Bob → Alice: Alice, Y, k1
Alice: $K = Y^x$, k1 correct?
k = H(Alice, Bob, X, Y, K)
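
Added example (not from the original slides), covering both the redundancy warning on the EKE slide and the masked variant above: it counts which dictionary passwords remain consistent with a single observed first flow, which is the check a protocol reviewer runs to see whether a flow leaks password information. The XOR keystream cipher, the mask() password-to-group hash, the toy group and the sample dictionary are constructed assumptions.

```python
import hashlib

P, Q = 2039, 1019  # toy group (constructed): order-Q subgroup of Z_P*, P = 2Q + 1
DICTIONARY = ["123456", "letmein", "hunter2", "qwerty", "dragon", "monkey"]  # constructed

def keystream(pw, n):
    return hashlib.shake_256(pw.encode()).digest(n)

def xor(data, pw):
    return bytes(a ^ b for a, b in zip(data, keystream(pw, len(data))))

def mask(pw):
    """Hypothetical password-to-group hash: squaring lands in the order-Q subgroup."""
    h = int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big")
    return pow(h % (P - 1) + 1, 2, P)

def flow_redundant(pw, X):
    """X' = Enc_pw(Bob, X): the peer name sits inside the ciphertext."""
    return xor(b"Bob" + X.to_bytes(2, "big"), pw)

def flow_masked(pw, X):
    """X' = X * mask(pw): the name travels in clear, only X is masked."""
    return X * mask(pw) % P

def consistent_redundant(ct, dictionary):
    """Candidates whose trial decryption shows the expected 'Bob' prefix."""
    return [pw for pw in dictionary if xor(ct, pw).startswith(b"Bob")]

def consistent_masked(Xp, dictionary):
    """Candidates whose trial unmasking is a valid group element."""
    return [pw for pw in dictionary
            if pow(Xp * pow(mask(pw), -1, P) % P, Q, P) == 1]

def audit(pw="hunter2", x=321):
    X = pow(4, x, P)  # g = 4 generates the order-Q subgroup
    return (consistent_redundant(flow_redundant(pw, X), DICTIONARY),
            consistent_masked(flow_masked(pw, X), DICTIONARY))
```

With the name inside the ciphertext one passive observation narrows the dictionary to the real password; with the mask every candidate unmasks to a valid group element, so the observation eliminates nothing.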


Model of Communication

  • A set of n players, modeled by oracles
  • A multicast group consisting of a set of players

[Figure: players with keys (pkA, skA), (pkB, skB), (pkC, skC), (pkD, skD); multicast group with sk]

Modeling the Adversary

– reveal: obtain an instance’s session key
– corrupt: obtain an instance’s secret key
– execute: obtain honest executions of the protocol
– send: send messages to instances

[Figure: corrupt, send, execute and reveal queries addressed to the players (pkA, skA), (pkB, skB), (pkC, skC), (pkD, skD)]


Group Key Exchange

  • Generalization of the 2-party DH, the session key is $k = H(g^{x_1 x_2 \cdots x_n})$
  • Ring-based algorithm
    – up-flow: the contributions of each instance are gathered
    – down-flow: the last instance broadcasts the result
    – end: instances compute the session key from the broadcast

The Algorithm

U1 (secret $x_1$) sends: $[g,\ g^{x_1}]$
U2 (secret $x_2$) sends: $[g^{x_2},\ g^{x_1},\ g^{x_1 x_2}]$
U3 (secret $x_3$) broadcasts: $[g^{x_2 x_3},\ g^{x_1 x_3}]$
$k = H(g^{x_1 x_2 x_3})$

– Up-flow: $U_i$ raises received values to the power $x_i$
– Down-flow: $U_n$ broadcasts (except $g^{x_1 x_2 \cdots x_n}$)

Everything is authenticated (Signature/MAC)
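
Added example (not from the original slides): the ring-based up-flow and down-flow for any number of players, generalizing the three-player picture above. Authentication of the flows (Signature/MAC) is omitted; the toy group and the function names are assumptions.

```python
import hashlib

P, Q, G = 2039, 1019, 4  # toy group (constructed): P = 2Q + 1, G has prime order Q

def session_key(K):
    """k = H(g^{x1 x2 ... xn}), with SHA-256 standing in for H."""
    return hashlib.sha256(str(K).encode()).hexdigest()

def up_flow(received, x):
    """U_i: raise the partial values to x_i, pass on the old full product
    (the value lacking x_i) and append the new full product."""
    *partials, cardinal = received
    return [pow(v, x, P) for v in partials] + [cardinal, pow(cardinal, x, P)]

def down_flow(received, x_n):
    """U_n: raise everything to x_n, keep the last value, broadcast the rest."""
    raised = [pow(v, x_n, P) for v in received]
    return raised[:-1], raised[-1]

def run_group(xs):
    """Run the ring for secrets xs = [x_1, ..., x_n]; return flows and keys."""
    flow, up_flows = [G], []
    for x in xs[:-1]:
        flow = up_flow(flow, x)
        up_flows.append(flow)
    broadcast, K_n = down_flow(flow, xs[-1])
    # End: U_i takes the broadcast entry that lacks x_i and raises it to x_i.
    keys = [pow(b, x, P) for b, x in zip(broadcast, xs[:-1])] + [K_n]
    return up_flows, broadcast, [session_key(K) for K in keys]
```

For three players the returned flows are exactly the lists on the slide: two values from U1, three from U2, and a two-value broadcast from U3.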

Group CDH

  • The CDH generalized to the multi-party case
    – given the values $g^{\prod x_i}$ for some choice of proper subset of {1, …, n}
    – one has to compute the value $g^{x_1 \cdots x_n}$
  • Example (n=3 and I={1,2,3})
    – given the set of the blue values
    – compute the red value
  • The GCDH ⇔ DDH and CDH

[Bresson-Chevassut-Pointcheval SAC ‘02]

$g,\ g^{x_1}$
$g^{x_1},\ g^{x_2},\ g^{x_1 x_2}$
$g^{x_1 x_3},\ g^{x_2 x_3},\ g^{x_1 x_2 x_3}$

Security Result

  • Theorem (in the random oracle model)

$\mathrm{Adv}^{ake}(T, n, q_s, q_e) \le 2\, q_s^n\, q_h \cdot \mathrm{Succ}^{gcdh}(n, T) + 2n \cdot \mathrm{Succ}^{sign}(q_s, T)$

[Bresson-Chevassut-Pointcheval-Quisquater ACM-CCS ‘01]

  • Bad reduction: one has to guess the attacked session ⇒ factor $q_s^n$

Random Self-Reducibility

$\mathrm{Adv}^{ake}(T, n, q_s, q_e) \le 2\, q_h \cdot \mathrm{Succ}^{gcdh}(n, T + n q_s) + 2n \cdot \mathrm{Succ}^{sign}(q_s, T)$

Dynamic Case

  • When a party leaves or joins the group, the protocol has to be run again ⇒ costly when the network is not very reliable
  • One can exploit the secret already shared ⇒ dynamic case

[Bresson-Chevassut-Pointcheval Asiacrypt ‘01]

Security Result

  • Group of n people
  • Tested group of size s
  • Number of dynamic modifications (setup, join, remove): Q
  • Time: T

$\mathrm{Adv}^{ake}(A) \le 2Q \cdot C_n^s \cdot q_h \cdot \mathrm{Succ}^{gcdh}(s, T) + 2n \cdot \mathrm{Succ}^{sign}(q_s, T)$


Conclusion

  • Provably secure (Group) AKE
  • But still not “practical security” for group AKE
  • Various authentication modes

Password-based
– efficient
– practical security
– user-friendly
⇒ very promising

Our Accomplishment

Authentication of the parties:

– Public Key Infrastructures (signatures) [ACM CCS ‘01 - Asiacrypt ‘01]
– Secret keys - MAC [Eurocrypt ‘02]
– Passwords [Asiacrypt ‘02 - ACM CCS ‘03]