Guomin Yang, Temasek Laboratories, National University of Singapore
HOW TO BUILD A SECURE COMMUNICATION CHANNEL

Dec 25, 2015

Transcript
Page 1: Title slide

Guomin Yang, Temasek Laboratories, National University of Singapore
HOW TO BUILD A SECURE COMMUNICATION CHANNEL

Page 2: AUTHENTICATED KEY EXCHANGE (AKE)

Security Goals:
- Mutual Authentication
- Secure Key Establishment
- User Anonymity (optional)

Figure: Alice and Bob exchange msg 1, msg 2 and msg 3, and each ends up holding the session key $K$.

Page 3: DIFFIE-HELLMAN KEY EXCHANGE

Diffie-Hellman Assumption: given $g^x$ and $g^y$, it is computationally infeasible to compute $g^{xy}$.

What if the adversary can modify the messages?

Figure: Alice sends $X = g^x$, Bob sends $Y = g^y$; Alice computes $K_A = Y^x = g^{xy}$ and Bob computes $K_B = X^y = g^{xy}$.

Page 4: MAN-IN-THE-MIDDLE ATTACK

The adversary is able to derive both $K_A$ and $K_B$.

Figure: Alice sends $X = g^x$, which the adversary replaces with $X' = g^{x'}$ towards Bob; Bob sends $Y = g^y$, which the adversary replaces with $Y' = g^{y'}$ towards Alice. Alice computes $K_A = Y'^x = g^{xy'}$ and Bob computes $K_B = X'^y = g^{x'y}$; the figure shows $E(K_A, m)$ on Alice's side and $E(K_B, m)$ on Bob's side.
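The two exchanges above (the honest run of page 3 and the substitution of $X$ and $Y$ on page 4), as an added Python example that is not part of the original slides. It assumes a constructed toy group with p = 1019, q = 509, g = 4 (p = 2q + 1 is a safe prime, so g = 4 has prime order q); the function names are this example's own.

```python
import secrets

# Toy prime-order group, constructed for this example (far too small for real use):
# p = 2q + 1 is a safe prime and g = 4 generates the subgroup of order q.
P, Q, G = 1019, 509, 4


def dh_keypair():
    """Fresh DH exponent x in [1, q-1] and the public value X = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def dh_shared(exponent, peer_value):
    """Shared secret (peer_value)^exponent mod p, i.e. Y^x or X^y on the slide."""
    return pow(peer_value, exponent, P)


def honest_exchange():
    """Page 3: Alice sends X = g^x, Bob sends Y = g^y; both reach g^{xy}."""
    x, X = dh_keypair()
    y, Y = dh_keypair()
    return {"K_A": dh_shared(x, Y), "K_B": dh_shared(y, X)}


def mitm_exchange():
    """Page 4: the adversary replaces X with X' = g^{x'} and Y with Y' = g^{y'}.

    Alice ends up with K_A = Y'^x and Bob with K_B = X'^y.  Because the
    adversary knows x' and y', it derives both keys from the values it saw
    on the wire, and nothing in the protocol lets either party notice.
    """
    x, X = dh_keypair()          # Alice
    y, Y = dh_keypair()          # Bob
    x2, X2 = dh_keypair()        # adversary's x', X' (sent to Bob instead of X)
    y2, Y2 = dh_keypair()        # adversary's y', Y' (sent to Alice instead of Y)
    return {
        "K_A": dh_shared(x, Y2),          # Alice: Y'^x = g^{x y'}
        "K_B": dh_shared(y, X2),          # Bob:   X'^y = g^{x' y}
        "adv_K_A": dh_shared(y2, X),      # adversary: X^{y'} = g^{x y'}
        "adv_K_B": dh_shared(x2, Y),      # adversary: Y^{x'} = g^{x' y}
    }
```

Running `mitm_exchange()` shows the point of the slide: Alice's $K_A$ coincides with the value the adversary derives from $X$, Bob's $K_B$ with the value derived from $Y$, and neither party has any evidence that the values were substituted, which is exactly what the authentication goal of AKE has to add.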

Page 5: Outline

- Security Model and Definition
- Two-party AKE: ISO/IEC, SIGMA, (H)MQV
- AKE under Bad Randomness
- Secure Roaming: GSM/3GPP, Universal AKE
- Other AKE Protocols

Page 6: SECURITY MODEL AND DEFINITION

Page 7: Adversarial Game

The adversary:
- controls all the communications
- schedules all the sessions

Page 8: Adversarial Game

Each party can have multiple and concurrent sessions.

Page 9: Adversarial Game

Additional Queries:
- Session key reveal
- Corruption
- Test

Session freshness:
- No session key reveal
- No Corruption before the session terminates
- The Test session must be fresh

$\mathrm{Adv}(A) = \Pr[A \text{ guesses } b \text{ correctly}] - 1/2$

An Authenticated Key Exchange Protocol is secure if $\mathrm{Adv}(A)$ is negligible for any PPT adversary $A$.

Page 10: TWO-PARTY AKE PROTOCOLS

Page 11: A "BAD" SIG-DH PROTOCOL

Idea: use a digital signature to do authentication. Secure? Eve replaces the last message with …

Figure: message flow between Alice and Bob.

Page 12: ISO/IEC IS 9798-3

- Provably Secure (Canetti-Krawczyk, Eurocrypt'01)
- Forward Secrecy
- No User Anonymity

Figure: message flow between Alice and Bob.

Page 13: SIGMA

- Basis of IKE (RFC 2409) and IKEv2 (RFC 4306)
- Digital Signature: DSA
- MAC: HMAC
- Provably secure (Canetti-Krawczyk, Crypto'02)
- User Anonymity

Figure: message flow between Alice and Bob.

Page 14: MQV (IEEE P1363)

- Implicit Authentication
- Explicit Authentication: use a MAC

Figure: Alice and Bob, with long-term keys $PK_A = g^a$ and $PK_B = g^b$.
$d = 2^l + (X \bmod 2^l)$, $e = 2^l + (Y \bmod 2^l)$
$\sigma_A = (Y \cdot PK_B^e)^{x+da} = g^{(x+da)(y+eb)}$, $K_A = H(\sigma_A)$
$\sigma_B = (X \cdot PK_A^d)^{y+eb} = g^{(x+da)(y+eb)}$, $K_B = H(\sigma_B)$

Page 15: KALISKI'S ATTACK

Figure: Alice sends $(A, B, X = g^x)$; the adversary $M$ sends $(M, B, Z)$ to Bob; Bob replies $(B, M, Y = g^y)$; the adversary sends $(B, A, Y)$ to Alice. Long-term keys: $PK_A = g^a$, $PK_B = g^b$, $PK_M = g^c$.

The adversary randomly chooses $u$ and sets $d = 2^l + (X \bmod 2^l)$, $Z = X \cdot PK_A^d \cdot g^{-u}$, $h = 2^l + (Z \bmod 2^l)$, $c = u/h$.

$\sigma_B = (Z \cdot PK_M^h)^{y+eb} = g^{(x+da)(y+eb)}$, $K_B = H(\sigma_B)$
$\sigma_A = (Y \cdot PK_B^e)^{x+da} = g^{(x+da)(y+eb)}$, $K_A = H(\sigma_A)$

Page 16: HMQV

Provably Secure (Krawczyk, Crypto'05). Additional features:
- resilience to the leakage of DH exponents
- no group membership testing on $X$ or $Y$

Figure: $PK_A = g^a$, $PK_B = g^b$; $d = G(X, B)$, $e = G(Y, A)$.
$\sigma_A = (Y \cdot PK_B^e)^{x+da} = g^{(x+da)(y+eb)}$, $K_A = H(\sigma_A)$
$\sigma_B = (X \cdot PK_A^d)^{y+eb} = g^{(x+da)(y+eb)}$, $K_B = H(\sigma_B)$
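HMQV's key computation from the slide, as an added Python example (not code from the talk or from the HMQV paper). Assumptions: the same constructed toy group p = 1019, q = 509, g = 4; $G$ and $H$ are instantiated with SHA-256, with $G$ truncated to l = 4 bits (`L_BITS`) because $|q|$ is only 9 bits here; and a subgroup membership test is performed on the received ephemeral value even though, as the slide notes, HMQV's proof does not require one. The function names are this example's own.

```python
import hashlib
import secrets

# Toy prime-order subgroup, constructed for this example (not a real parameter set):
# p = 2q + 1, and g = 4 has order q in Z_p^*.
P, Q, G = 1019, 509, 4
L_BITS = 4   # assumption: HMQV truncates d and e to l = |q|/2 bits; |q| = 9 here


def _hash_to_int(*parts) -> int:
    h = hashlib.sha256()
    for part in parts:
        h.update(str(part).encode())
        h.update(b"|")
    return int.from_bytes(h.digest(), "big")


def G_func(ephemeral: int, peer_id: str) -> int:
    """d = G(X, B) and e = G(Y, A): hash of an ephemeral value together with the
    *other* party's identity, truncated to l bits."""
    return _hash_to_int(ephemeral, peer_id) % (1 << L_BITS)


def H_func(sigma: int) -> str:
    """Session key K = H(sigma)."""
    return hashlib.sha256(str(sigma).encode()).hexdigest()


def in_subgroup(v: int) -> bool:
    """Group membership test: 1 < v < p and v^q = 1 (mod p).  In this group it
    rejects the order-2 element p - 1, the only non-trivial small-order value."""
    return 1 < v < P and pow(v, Q, P) == 1


def keygen():
    """Long-term pair (a, PK_A = g^a) or (b, PK_B = g^b); also used for (x, X), (y, Y)."""
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(G, s, P)


def hmqv_alice(a, x, X, Y, PK_B, A="Alice", B="Bob"):
    """Alice's side: sigma_A = (Y * PK_B^e)^(x + d a), K_A = H(sigma_A)."""
    if not in_subgroup(Y):
        return None                      # reject values outside the order-q subgroup
    d, e = G_func(X, B), G_func(Y, A)
    sigma_A = pow(Y * pow(PK_B, e, P) % P, (x + d * a) % Q, P)
    return H_func(sigma_A)


def hmqv_bob(b, y, Y, X, PK_A, A="Alice", B="Bob"):
    """Bob's side: sigma_B = (X * PK_A^d)^(y + e b), K_B = H(sigma_B)."""
    if not in_subgroup(X):
        return None
    d, e = G_func(X, B), G_func(Y, A)
    sigma_B = pow(X * pow(PK_A, d, P) % P, (y + e * b) % Q, P)
    return H_func(sigma_B)


def run_hmqv():
    """One complete run: both sides reach g^{(x+da)(y+eb)} and hence the same key."""
    a, PK_A = keygen()
    b, PK_B = keygen()
    x, X = keygen()   # Alice's ephemeral pair
    y, Y = keygen()   # Bob's ephemeral pair
    return hmqv_alice(a, x, X, Y, PK_B), hmqv_bob(b, y, Y, X, PK_A)
```

The identities enter only through $d = G(X, B)$ and $e = G(Y, A)$, which is the difference from MQV's $d = 2^l + (X \bmod 2^l)$ and is what ties each ephemeral value to the intended peer. The membership check costs one extra exponentiation per run; keeping it is the conservative choice when the group is a subgroup of $Z_p^*$ with a large cofactor.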

Page 17: AKE UNDER BAD RANDOMNESS. Case 1: Reset Attacks

Page 18: EXAMPLE: SIGMA

Reset Attack (FC'11):
- Virtual Machine: snapshot and revert/reset
- Function reset: randomness reuse
- DSA: randomness reuse leads to signing key disclosure

Figure: message flow between Alice and Bob.

Page 19:

DSA Param: a large prime $p$, a prime divisor $q$ of $(p-1)$, $g = h^{(p-1)/q} \bmod p$ for arbitrary $1 < h < p-1$.
SignKey: $0 < x < q$. PK: $g^x \bmod p$.
Sign: choose $0 < k < q$, $r = (g^k \bmod p) \bmod q$, $s = k^{-1}(H(m) + xr) \bmod q$; return $(r, s)$.

Reset attack: the same $k$ is used.
$s_1 = k^{-1}(H(m_1) + xr) \bmod q$
$s_2 = k^{-1}(H(m_2) + xr) \bmod q$
$s_1 / s_2 = (H(m_1) + xr) / (H(m_2) + xr) \bmod q$
$x = (H(m_1) s_1^{-1} - H(m_2) s_2^{-1}) / (r s_2^{-1} - r s_1^{-1}) \bmod q$

Page 20: EXAMPLE: HMQV

Reset Attack (Menezes and Ustaoglu, IJACT). Assumption: the HMQV protocol is implemented in a subgroup (with prime order $q$) of $Z_p^*$, and $(p-1)/q$ has several small (e.g. less than $2^{40}$) pairwise relatively prime factors $t_1, t_2, \ldots, t_n$ such that $t_1 \cdot t_2 \cdots t_n > q$.

Figure: the HMQV computation ($PK_A = g^a$, $PK_B = g^b$, $d = G(X, B)$, $e = G(Y, A)$, $\sigma_A = (Y \cdot PK_B^e)^{x+da} = g^{(x+da)(y+eb)}$, $K_A = H(\sigma_A)$; $\sigma_B = (X \cdot PK_A^d)^{y+eb} = g^{(x+da)(y+eb)}$, $K_B = H(\sigma_B)$).

Page 21: EXAMPLE: HMQV

Reset Attack (Menezes and Ustaoglu, IJACT):
- The adversary corrupts Bob and obtains $b$.
- After receiving $(A, B, X)$ from Alice, the adversary selects $Y$ of order $t_1$ and sends $(B, A, Y)$ to Alice.
- Alice computes $\sigma_A = (Y \cdot PK_B^e)^{x+da} = Y^{x+da} \cdot (PK_B^e)^{x+da} = Y^{x+da} \cdot (X \cdot PK_A^d)^{be}$, $K_A = H(\sigma_A)$.
- The adversary reveals $K_A$, and iteratively computes $K' = H(Y^{c_1} \cdot (X \cdot PK_A^d)^{be})$ for $c_1 = 0, 1, 2, \ldots$ until $K' = K_A$. Then $c_1 = x + da \bmod t_1$.

Figure: the HMQV computation ($PK_A = g^a$, $PK_B = g^b$, $d = G(X, B)$, $e = G(Y, A)$, $\sigma_A = (Y \cdot PK_B^e)^{x+da} = g^{(x+da)(y+eb)}$, $K_A = H(\sigma_A)$; $\sigma_B = (X \cdot PK_A^d)^{y+eb} = g^{(x+da)(y+eb)}$, $K_B = H(\sigma_B)$).

Page 22: EXAMPLE: HMQV

Reset Attack (Menezes and Ustaoglu, IJACT):
- The adversary resets $A$ and repeats the above process for $t_2, \cdots, t_n$, obtaining $c_i = x + da \bmod t_i$ (after a reset Alice reuses the same $x$, so every $c_i$ is a residue of the same value $x + da$). The adversary then computes $(x + da \bmod q)$ by CRT.
- The adversary corrupts another party $P$ and repeats the above attack to get $(x + d'a \bmod q)$.
- Given $(x + da \bmod q)$ and $(x + d'a \bmod q)$, the adversary computes $a$.

Figure: the HMQV computation ($PK_A = g^a$, $PK_B = g^b$, $d = G(X, B)$, $e = G(Y, A)$, $\sigma_A = (Y \cdot PK_B^e)^{x+da} = g^{(x+da)(y+eb)}$, $K_A = H(\sigma_A)$; $\sigma_B = (X \cdot PK_A^d)^{y+eb} = g^{(x+da)(y+eb)}$, $K_B = H(\sigma_B)$).

Page 23: SIGMA WITH DETERMINISTIC DSA

Countermeasure (FC'11): Deterministic DSA
- SignKey' = (SignKey, $K$)
- Randomness = $PRF(K, m)$ for message $m$
- Preserves EUF-CMA security

Figure: message flow between Alice and Bob.
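The DSA signing formula and the reused-$k$ derivation of page 19, together with the deterministic-DSA countermeasure of page 23 (Randomness = $PRF(K, m)$), as an added Python example that is not part of the original slides. Assumptions: the constructed toy parameters p = 1019, q = 509, g = 4; $H$ is SHA-256 reduced modulo q; the PRF is HMAC-SHA256; and the retry counter in `deterministic_k` is this example's own device for skipping a degenerate $r$ or $s$ (RFC 6979 specifies its own retry procedure). All function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Toy DSA parameters, constructed for this example (real DSA needs |p| >= 2048, |q| >= 224):
# q = 509 divides p - 1 = 1018 and g = 4 has order q modulo p.
P, Q, G = 1019, 509, 4


def H(m: bytes) -> int:
    """Message hash reduced modulo q."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q


def dsa_keygen():
    x = secrets.randbelow(Q - 1) + 1          # SignKey: 0 < x < q
    return x, pow(G, x, P)                    # (x, PK = g^x mod p)


def dsa_sign(x: int, m: bytes, k: int):
    """Page 19: r = (g^k mod p) mod q, s = k^{-1}(H(m) + x r) mod q."""
    if not 0 < k < Q:
        raise ValueError("k must satisfy 0 < k < q")
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (H(m) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another k")
    return r, s


def dsa_verify(y: int, m: bytes, sig) -> bool:
    """Standard DSA verification against PK = y."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = H(m) * w % Q, r * w % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


def recover_key_from_reused_k(m1, sig1, m2, sig2) -> int:
    """The page-19 derivation carried through: with the same k both signatures
    share r, and x = (H(m1) s1^{-1} - H(m2) s2^{-1}) / (r s2^{-1} - r s1^{-1}) mod q.
    This is the check a reviewer runs to show why a reused nonce is fatal."""
    (r, s1), (r2, s2) = sig1, sig2
    if r != r2:
        raise ValueError("different r values: k was not reused")
    s1_inv, s2_inv = pow(s1, -1, Q), pow(s2, -1, Q)
    num = (H(m1) * s1_inv - H(m2) * s2_inv) % Q
    den = (r * s2_inv - r * s1_inv) % Q
    if den == 0:
        raise ValueError("identical signatures, nothing to solve")
    return num * pow(den, -1, Q) % Q


def deterministic_k(K: bytes, m: bytes, counter: int) -> int:
    """Page 23: Randomness = PRF(K, m), instantiated with HMAC-SHA256.  The
    counter byte is this example's retry tag for a degenerate r or s."""
    tag = hmac.new(K, m + counter.to_bytes(1, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % (Q - 1) + 1


def dsa_sign_deterministic(K: bytes, x: int, m: bytes):
    """SignKey' = (x, K).  The nonce depends only on (K, m), so a VM snapshot
    that replays the same message reproduces the same signature rather than
    reusing k on a different message."""
    for counter in range(256):
        try:
            return dsa_sign(x, m, deterministic_k(K, m, counter))
        except ValueError:
            continue
    raise RuntimeError("could not produce a signature")
```

The contrast to look at is the two signing paths: `dsa_sign` with a caller-supplied `k` reproduces exactly the failure mode of page 19 when a reset replays the same `k` for a new message, while `dsa_sign_deterministic` makes the nonce a function of the message, so replaying the same state can only ever re-sign the same message.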

Page 24: EXAMPLE: HMQV

Open problem: is HMQV resettably secure if a group membership test on $X$ and $Y$ is compulsory?

Figure: the HMQV computation ($PK_A = g^a$, $PK_B = g^b$, $d = G(X, B)$, $e = G(Y, A)$, $\sigma_A = (Y \cdot PK_B^e)^{x+da} = g^{(x+da)(y+eb)}$, $K_A = H(\sigma_A)$; $\sigma_B = (X \cdot PK_A^d)^{y+eb} = g^{(x+da)(y+eb)}$, $K_B = H(\sigma_B)$).

Page 25: AKE UNDER BAD RANDOMNESS. Case 2: Adversary-Generated Randomness

Page 26: ASSUMPTION

The long-term key is secure.

Figure: two instances of the AKE algorithm, holding $(PK_A, SK_A)$ and $(PK_B, SK_B)$, exchange msg 1, msg 2, msg 3, ...; each is fed a random tape (10110…, 00110…) and outputs either (Reject, ⊥) or (Accept, $K$).

Page 27: EXAMPLE: SIGMA WITH DETERMINISTIC DSA

If the adversary controls the DH exponents $x$ and $y$, the adversary controls the DH key $g^{xy}$.

Countermeasures? To use deterministic DSA, the long-term key contains a PRF key $K$. By the assumption, $K$ is unknown to the adversary. Derive $x' = PRF_K(x)$, and use $x'$ as the DH exponent.

Figure: message flow between Alice and Bob.

Page 28: GENERIC TRANSFORMATION

Always include a PRF key $K$ in the long-term key, and use $Rand' = PRF_K(Rand)$ as the randomness for the AKE protocol.

Theorem (FC'11): if an AKE protocol is secure in Case 1, then the new protocol derived using the above transformation is also secure in Case 2.

Additional notes:
- Forward secrecy: possible in Case 1, but not in Case 2.
- The converted protocol may lose forward secrecy in Case 1.
- To preserve forward secrecy in Case 1, $\{K, PRF_K(Rand)\} \approx \{K, U\}$: the PRF must be a Randomness Extractor as well.
- Candidate for PRF: HMAC
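The transformation $Rand' = PRF_K(Rand)$ of pages 27 and 28 applied to the DH exponents, as an added Python example that is not from the talk. Assumptions: the constructed toy group p = 1019, q = 509, g = 4; PRF = HMAC-SHA256 (the candidate the slide names); the two random tapes are adversary-chosen constants supplied by the caller; the function names are this example's own.

```python
import hashlib
import hmac

# Toy DH group, constructed for this example: p = 2q + 1, g = 4 of order q.
P, Q, G = 1019, 509, 4


def prf(K: bytes, data: bytes) -> bytes:
    """PRF_K(.) instantiated with HMAC-SHA256."""
    return hmac.new(K, data, hashlib.sha256).digest()


def hardened_exponent(K: bytes, rand: bytes) -> int:
    """Rand' = PRF_K(Rand), mapped into the exponent range [1, q-1]."""
    return int.from_bytes(prf(K, rand), "big") % (Q - 1) + 1


def raw_exponent(rand: bytes) -> int:
    """The untransformed protocol: the random tape is used directly as the exponent."""
    return int.from_bytes(rand, "big") % (Q - 1) + 1


def untransformed_session(rand_A: bytes, rand_B: bytes):
    """Case 2 against plain DH: whoever chose the tapes chose x and y, hence g^{xy}."""
    x, y = raw_exponent(rand_A), raw_exponent(rand_B)
    X, Y = pow(G, x, P), pow(G, y, P)
    return pow(Y, x, P), pow(X, y, P)


def transformed_session(K_A: bytes, K_B: bytes, rand_A: bytes, rand_B: bytes):
    """Page 28: each party passes its tape through its own long-term PRF key
    before deriving the DH exponent.  Returns (Alice's key, Bob's key)."""
    x = hardened_exponent(K_A, rand_A)
    y = hardened_exponent(K_B, rand_B)
    X, Y = pow(G, x, P), pow(G, y, P)
    return pow(Y, x, P), pow(X, y, P)


def adversary_view(rand_A: bytes, rand_B: bytes) -> int:
    """What an adversary who supplied both tapes, but (by the page-26 assumption)
    holds neither long-term key, can compute from the tapes alone: g^{xy} for the
    raw exponents.  Against the untransformed protocol this equals the session key."""
    return pow(G, raw_exponent(rand_A) * raw_exponent(rand_B), P)
```

With the transformation the adversary's tape choice no longer determines the exponent, because the exponent now also depends on $K$, which the Case 2 assumption keeps out of the adversary's hands; the forward-secrecy note on the slide is why HMAC, which is also a reasonable extractor, is the suggested instantiation rather than an arbitrary PRF.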

Page 29: SECURE ROAMING PROTOCOLS

Page 30: SECURE ROAMING

Roaming: WLAN, Telecommunication, ATM/Credit Card, ……

Figure: users A and B, a Foreign Server (V) and a Home Server (H), connected via the Internet.

Page 31: SECURE ROAMING

GSM

3GPP: Server Authentication

Page 32: SECURE ROAMING

Deposit-case Attacks (IEEE TWC'07)

Page 33: SECURE ROAMING

Deposit-case Attacks (IEEE TWC'07): attacks against other protocols are more complicated.

Page 34: SECURE ROAMING

Universal AKE Protocols (IEEE TWC'10)
- Idea: ID-based Cryptography
- Home server = Key Generation Center
- User Authentication: Public Key of the Home Server + Mobile User Identity
- Advantages:
  - Foreign server does not need to contact the home server of a roaming user
  - Foreign server can use the same protocol and signaling flows to authenticate both local and foreign clients
- Tools: Identity-based Signature; Heterogeneous Signcryption (Comp. J.'11)

Figure: user A (holding $SK_A$) and user B, a Foreign Server and a Home Server.

Page 35: SECURE ROAMING

Heterogeneous Signcryption (Comp. J.'11):
- Identity-Based Signature + Conventional PKE
- Avoids the pairing operation
- One-pass Universal AKE protocol

Page 36: OTHER AKE PROTOCOLS

Page 37: MULTI-FACTOR AKE PROTOCOLS (JCSS'08)

- Something you know
- Something you have
- Something you are
- ……

Figure: the factors (e.g. a password such as s#2j!5) are combined ("+") as inputs to the msg 1 / msg 2 / msg 3 exchange.

Page 38: GROUP AKE PROTOCOLS (CANS'10)

Security Requirements:
- Authentication
- Insider Security
- Session Key Secrecy
- Forward/Backward Security
- Contributiveness
- Robustness

Page 39: THANK YOU

EMAIL: [email protected]