HOW TO BUILD A SECURE COMMUNICATION CHANNEL Guomin Yang Temasek Laboratories National University of Singapore AUTHENTICATED KEY EXCHANGE (AKE) msg 1 msg 2 msg 3 Alice K Security Goals Mutual Authentication Secure Key Establishment User Anonymity (optional) Bob K DIFFIE-HELLMAN KEY EXCHANGE X = gx Y = gy KA = Yx = gxy Diffie-Hellman Assumption: KB = Xy = gxy Given gx and gy, it is computationally infeasible to compute gxy. What if the adversary can modify the messages? MAN-IN-THE-MIDDLE ATTACK X = gx Y’ = gy’ KA = Y’x = gxy’ X’ = gx’ Y = gy KB = X’y = gx’y The adversary is able to derive both KA and KB E(KA, m) E(KB, m) Outline Security Model and Definition Two-party AKE ISO/IEC SIGMA (H)MQV AKE under Bad Randomness Secure Roaming GSM/3GPP Universal AKE Other AKE Protocols SECURITY MODEL AND DEFINITION Adversarial Game The adversary: controls all the communications schedules all the sessions Adversarial Game Each party can have multiple and concurrent sessions Adversarial Game Additional Queries Session key reveal Corruption Test Session freshness No session key reveal No Corruption before session terminates Adv(A) = Pr [A guesses b correctly] – 1/2 Test session must be fresh An Authenticated Key Exchange Protocol is Secure if Adv(A) is negligible for any PPT adversary A. TWO-PARTY AKE PROTOCOLS A “BAD” SIG-DH PROTOCOL Alice Idea: use digital signature to do authentication Secure? Eve replaces the last message with Bob ISO/IEC IS 9798-3 Alice Bob Provably Secure (Canetti-Krawczyk Eurocrypt’01) Forward Secrecy No User Anonymity SIGMA Alice Bob Basis of IKE (RFC 2409) and IKEv2 (RFC 4306) Digital Signature: DSA MAC: HMAC Provably secure (Canetti-Krawczyk Crypto’02) User Anonymity MQV (IEEE P1363) PKA = ga PKB = gb Alice Bob d = 2l+(X mod 2l) σA = (Y· PKBe)x+da = g(x+da)(y+eb) KA = H(σA) e = 2l+(Y mod 2l) σB = (X· PKAd)y+eb = g(x+da)(y+eb) KB = H(σB) Implicit Authentication Explicit Authentication: Use MAC KALISKI’S ATTACK PKA = ga PKM = gc A, B, X = gx B, A, Y PKB = gb M, B, Z B, M, Y = gy randomly choose u, set d = 2l+(X mod 2l), Z = (X· PKAd · g-u), h = 2l+(Z mod 2l), c = u/h σA = (Y· PKBe)x+da = g(x+da)(y+eb) KA = H(σA) σB = (Z· PKMh)y+eb = g(x+da)(y+eb) KB = H(σB) HMQV PKA = ga PKB = gb d = G(X, B) σA = (Y· PKBe)x+da = g(x+da)(y+eb) KA = H(σA) e = G(Y,A) σB = (X· PKAd)y+eb = g(x+da)(y+eb) KB = H(σB) Provably Secure (Krawczyk Crypto’05) Additional features: resilience to the leakage of DH exponents no group membership testing on X or Y AKE UNDER BAD RANDOMNESS Case 1: Reset Attacks EXAMPLE: SIGMA Alice Bob Reset Attack (FC’11): Virtual Machine: snapshot and revert/reset function Reset: randomness reuse DSA: randomness reuse signing key disclosure DSA Param: a large prime p, a prime divisor q of (p-1), g = h(p-1)/q mod p for arbitrary 1 < h < p-1. SignKey: 0 < x < q PK: gx mod p Sign: 0<k<q r = (gk mod p) mod q s = (k−1(H(m) + xr)) mod q Return (r, s) Reset attack: the same k is used s1 = (k−1(H(m1) + xr)) mod q s2 = (k−1(H(m2) + xr)) mod q s1 / s2 = (H(m1) + xr) / (H(m2) + xr) mod q x = (H(m1)s1−1 – H(m2)s2−1) / (rs2−1 – rs1−1) mod q EXAMPLE: HMQV PKA = ga PKB = gb d = G(X, B) σA = (Y· PKBe)x+da = g(x+da)(y+eb) KA = H(σA) e = G(Y,A) σB = (X· PKAd)y+eb = g(x+da)(y+eb) KB = H(σB) Reset Attack (Menezes and Ustaoglu, IJACT) Assumption: the HMQV protocol is implemented in a subgroup (with prime order q) of Zp*, and (p-1)/q has several small (e.g. less than 240) pairwise relatively prime factors t1, t2, ..., tn such that t1· t2··· tn > q. EXAMPLE: HMQV PKA = ga PKB = gb d = G(X, B) σA = (Y· PKBe)x+da = g(x+da)(y+eb) KA = H(σA) e = G(Y,A) σB = (X· PKAd)y+eb = g(x+da)(y+eb) KB = H(σB) Reset Attack (Menezes and Ustaoglu, IJACT) The adversary corrupts Bob and obtains b After receiving (A,B,X) from Alice, the adversary selects Y of order t 1, and sends (B,A,Y) to Alice Alice computes σA = (Y· PKBe)x+da = Yx+da· (PKBe)x+da = Yx+da · (X· PKAd)be, KA = H(σA) The adversary reveals KA, and iteratively computes K’ = H(Yc1 · (X· PKAd)be) for c1 = 0, 1, 2, … until K’ = KA. Then c1 = x + da mod t1 EXAMPLE: HMQV PKA = ga PKB = gb d = G(X, B) σA = (Y· PKBe)x+da = g(x+da)(y+eb) KA = H(σA) e = G(Y,A) σB = (X· PKAd)y+eb = g(x+da)(y+eb) KB = H(σB) Reset Attack (Menezes and Ustaoglu, IJACT) The adversary resets A, and repeats the above process for t2,··· ,tn and obtains ci = x + da mod ti. Then the adversary computes (x+da mod q) by CRT. The adversary corrupts another party P, and repeats the above attack to get (x+d’a mod q). Given (x+da mod q) and (x+d’a mod q), the adversary computes a. SIGMA WITH DETERMINISTIC DSA Alice Countermeasure (FC’11) Deterministic DSA SignKey’ = (SignKey, K) Randomness = PRF(K, m) for message m Preserves EUF-CMA security Bob EXAMPLE: HMQV PKA = ga PKB = gb d = G(X, B) σA = (Y· PKBe)x+da = g(x+da)(y+eb) KA = H(σA) e = G(Y,A) σB = (X· PKAd)y+eb = g(x+da)(y+eb) KB = H(σB) Open problem: is HMQV resettably secure if group membership test on X and Y is compulsory? AKE UNDER BAD RANDOMNESS Case 2: Adversary-Generated Randomness ASSUMPTION The long-term key is secure (PKA,SKA) (PKB,SKB) msg 1 10110… AKE Algo msg 2 msg 3 AKE Algo ··· Reject, ⊥ or Accept, K Reject, ⊥ or Accept, K 00110… EXAMPLE: SIGMA WITH DETERMINISTIC DSA Alice Bob The adversary controls the DH exponents x and y the adversary controls the DH key gxy Countermeasures? To use deterministic DSA, the long-term key contains a PRF key K By the assumption, K is unknown to the adversary Derive x’ = PRFK(x), and use x’ as the DH exponent GENERIC TRANSFORMATION Always include a PRF key K in the long-term key, and use Rand’ = PRFK(Rand) as the randomness for the AKE protocol Theorem (FC’11): if an AKE protocol is secure in Case 1, then the new protocol derived using the above transformation is also secure in Case 2. Additional notes: Forward secrecy: possible in Case 1, but not in Case 2 The converted protocol may lose forward secrecy in Case 1 To preserve forward secrecy in Case 1, {K, PRFK(Rand)} ≈ {K, U}. PRF must be a Randomness Extractor as well Candidate for PRF: HMAC SECURE ROAMING PROTOCOLS SECURE ROAMING Roaming WLAN Telecommunication ATM/Credit Card Home Server (H) Internet A Foreign Server (V) A …… B SECURE ROAMING GSM 3GPP: Server Authentication SECURE ROAMING Deposit-case Attacks (IEEE TWC’07) SECURE ROAMING Deposit-case Attacks (IEEE TWC’07) Attacks against other protocols: more complicated SECURE ROAMING Universal AKE Protocols (IEEE TWC’10) Idea: ID-based Cryptography Home server = Key Generation Center User Authentication: Public Key of the Home Server + Mobile User Identity Advantages: Home Server Foreign server does not need to contact home server of a roaming user Foreign server can use the same protocol and signaling flows to authenticate both local and foreign clients Tools: Identity-based Signature Heterogeneous Signcryption (Comp. J.’11) SKA A Foreign Server SKA A B SECURE ROAMING Heterogeneous Signcryption (Comp. J.’11) Identity-Based Signature + Conventional PKE Avoid pairing operation One-pass Universal AKE protocol OTHER AKE PROTOCOLS MULTI-FACTOR AKE PROTOCOLS (JCSS’08) msg 1 msg 2 msg 3 s#2j!5 + + Something you know Something you have Something you are …… GROUP AKE PROTOCOLS (CANS’10) Security Requirements Authentication Session Key Secrecy Insider Security Forward/Backward Security Contributiveness Robustness THANK YOU EMAIL: TSLYG@NUS.EDU.SG