Terminal
- strong evidence of the terminal's presence
- the chip can send an x chosen by a third party and then return the terminal's signature of x
- the certificates are transmitted in clear, so an observer learns who is talking with the terminal

Goal
- make the interaction between the chip and the terminal anonymous for an observer,
- preserve simplicity,
- provable key security and provable anonymity.
Anonymous Mutual Authentication
Hanzlik, Kluczniak, Krzywiecki, Kutylowski
AMA - Protocol Description

Alice: $x_A$ - private, $y_A = g^{x_A}$, $\mathrm{cert}(y_A)$
Bob: $x_B$ - private, $y_B = g^{x_B}$, $\mathrm{cert}(y_B)$

Alice: choose $a$ at random, $h_A := H(a)$, $c_A := g^{h_A}$
Bob: choose $b$ at random, $h_B := H(b)$, $c_B := g^{h_B}$

Alice → Bob: $c_A$
Bob → Alice: $c_B$

Alice: $K := c_B^{h_A}$
Bob: $K := c_A^{h_B}$

Alice and Bob: $K_A := H(K, 1)$, $K_B := H(K, 2)$, $K'_A := H(K, 3)$, $K'_B := H(K, 4)$

Alice: $r_A := H(c_B^{x_A}, K'_A)$
Alice → Bob: $\mathrm{Enc}_{K_A}(\mathrm{cert}(y_A), r_A)$
Bob: check $\mathrm{cert}(y_A)$, $r_A \neq H(y_A^{h_B}, K'_A)$

Bob: $r_B := H(c_A^{x_B}, K'_B)$
Bob → Alice: $\mathrm{Enc}_{K_B}(\mathrm{cert}(y_B), r_B)$
Alice: check $\mathrm{cert}(y_B)$, $r_B \neq H(y_B^{h_A}, K'_B)$

Alice and Bob: $K_{session} := H(K, 5)$
Privacy

Transcript indistinguishability
- A communication transcript is indistinguishable from random values.
- Certificates are hidden from an eavesdropper, who does not know the identity of the communicating parties.
- This remains true if an adversary gets a batch of communication transcripts.

Simulatability
- Holding only the certificate (public key) of a user, we can generate a transcript with the same probability distribution.
- A communication transcript cannot be used as a proof, for third parties, that a particular user has participated in the communication.
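
The AMA exchange and the simulatability property, as an added Python sketch that is not code from the slides or their authors: `run_ama` plays both sides of the protocol, and `simulate_alice_message` rebuilds Alice's encrypted message from her public key alone, using $y_A^{h_B} = c_B^{x_A}$. Assumptions: the toy group `P`, `G`, the XOR keystream standing in for Enc, the bare public key standing in for a certificate, reading the slides' $\neq$ test as the rejection condition, and all function names.

```python
import hashlib

P, G = 2**127 - 1, 3  # constructed toy group for illustration, not a vetted one

def H(*parts):
    """Stand-in for the slides' H: hash a tuple of integers to an integer."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def enc(key, msg):
    """Stand-in for Enc_K: XOR with a SHAKE-256 keystream (its own inverse)."""
    stream = hashlib.shake_256(str(key).encode()).digest(len(msg))
    return bytes(m ^ s for m, s in zip(msg, stream))

def keys(K):
    """[K_A, K_B, K'_A, K'_B, K_session] = H(K,1) .. H(K,5)."""
    return [H(K, i) for i in range(1, 6)]

def pack(y, r):
    """Payload (cert(y), r); the bare y stands in for a CA-signed certificate."""
    return f"{y},{r}".encode()

def open_and_check(blob, k_enc, k_prime, h):
    """Receiver side: decrypt, then reject unless r == H(y^h, K')."""
    y, r = (int(v) for v in enc(k_enc, blob).decode().split(","))
    if r != H(pow(y, h, P), k_prime):
        raise ValueError("authentication failed")
    return y

def run_ama(x_a, x_b, a, b):
    """Honest run with ephemeral secrets a, b; returns (transcript, K_s of A, K_s of B)."""
    y_a, y_b = pow(G, x_a, P), pow(G, x_b, P)
    h_a, h_b = H(a), H(b)
    c_a, c_b = pow(G, h_a, P), pow(G, h_b, P)
    ka, kb = keys(pow(c_b, h_a, P)), keys(pow(c_a, h_b, P))
    msg_a = enc(ka[0], pack(y_a, H(pow(c_b, x_a, P), ka[2])))
    open_and_check(msg_a, kb[0], kb[2], h_b)   # Bob's check of r_A
    msg_b = enc(kb[1], pack(y_b, H(pow(c_a, x_b, P), kb[3])))
    open_and_check(msg_b, ka[1], ka[3], h_a)   # Alice's check of r_B
    return (c_a, c_b, msg_a, msg_b), ka[4], kb[4]

def simulate_alice_message(y_a, c_a, h_b):
    """Alice's message built without x_A: y_A^{h_B} equals c_B^{x_A}."""
    k = keys(pow(c_a, h_b, P))
    return enc(k[0], pack(y_a, H(pow(y_a, h_b, P), k[2])))
```

Because whoever knows $h_B$ can produce Alice's message byte for byte, a recorded transcript does not show a third party that Alice took part.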
Security

Long-term secret key leakage
If the long-term secret keys of both parties leak, then a passive adversary still has negligible advantage to learn the secret key.

Ephemeral key leakage
If the ephemeral keys of both parties leak, then an active adversary still has negligible advantage to learn the secret key.

Anonymous Mutual Authentication (AMA)
- Symmetric.
- Secure in the Real-or-Random model.
- Simulatable.
- Identities of protocol participants are hidden from eavesdroppers.
- As efficient as EAC.
The End
Thanks for your attention.
Acknowledgment. We thank Gemalto company for the technical support.