HOW TO BUILD A SECURE
COMMUNICATION
CHANNEL
Guomin Yang
Temasek Laboratories
National University of Singapore
AUTHENTICATED KEY EXCHANGE (AKE)
msg 1
msg 2
msg 3
Alice
K

Security Goals
Mutual Authentication
 Secure Key Establishment
 User Anonymity (optional)

Bob
K
DIFFIE-HELLMAN KEY EXCHANGE
X = gx
Y = gy
KA = Yx = gxy

Diffie-Hellman Assumption:


KB = Xy = gxy
Given gx and gy, it is computationally infeasible to
compute gxy.
What if the adversary can modify the messages?
MAN-IN-THE-MIDDLE ATTACK
X = gx
Y’ = gy’
KA = Y’x = gxy’

X’ = gx’
Y = gy
KB = X’y = gx’y
The adversary is able to derive both KA and KB
E(KA, m)
E(KB, m)
Outline
Security Model and Definition
 Two-party AKE

ISO/IEC
 SIGMA
 (H)MQV

AKE under Bad Randomness
 Secure Roaming

GSM/3GPP
 Universal AKE


Other AKE Protocols
SECURITY MODEL AND DEFINITION
Adversarial Game
The adversary:
controls all the communications
schedules all the sessions
Adversarial Game

Each party can have multiple and concurrent sessions
Adversarial Game

Additional Queries
Session key reveal
 Corruption
 Test


Session freshness
No session key reveal
 No Corruption before
session terminates


Adv(A) = Pr [A guesses b correctly] – 1/2
Test session must be fresh
An Authenticated Key Exchange Protocol is Secure if Adv(A) is
negligible for any PPT adversary A.
TWO-PARTY AKE PROTOCOLS
A “BAD” SIG-DH PROTOCOL
Alice



Idea: use digital signature to do authentication
Secure?
Eve replaces the last message with
Bob
ISO/IEC IS 9798-3
Alice
Bob
Provably Secure (Canetti-Krawczyk Eurocrypt’01)
 Forward Secrecy
 No User Anonymity

SIGMA
Alice
Bob
Basis of IKE (RFC 2409) and IKEv2 (RFC 4306)
 Digital Signature: DSA
 MAC: HMAC
 Provably secure (Canetti-Krawczyk Crypto’02)
 User Anonymity

MQV (IEEE P1363)
PKA = ga
PKB = gb
Alice
Bob
d = 2l+(X mod 2l)
σA = (Y· PKBe)x+da = g(x+da)(y+eb)
KA = H(σA)
e = 2l+(Y mod 2l)
σB = (X· PKAd)y+eb = g(x+da)(y+eb)
KB = H(σB)
Implicit Authentication
 Explicit Authentication: Use MAC

KALISKI’S ATTACK
PKA = ga
PKM = gc
A, B, X = gx
B, A, Y
PKB = gb
M, B, Z
B, M, Y = gy
randomly choose u, set d = 2l+(X mod 2l),
Z = (X· PKAd · g-u), h = 2l+(Z mod 2l), c = u/h
σA = (Y· PKBe)x+da = g(x+da)(y+eb)
KA = H(σA)
σB = (Z· PKMh)y+eb = g(x+da)(y+eb)
KB = H(σB)
HMQV
PKA = ga
PKB = gb
d = G(X, B)
σA = (Y· PKBe)x+da = g(x+da)(y+eb)
KA = H(σA)


e = G(Y,A)
σB = (X· PKAd)y+eb = g(x+da)(y+eb)
KB = H(σB)
Provably Secure (Krawczyk Crypto’05)
Additional features:
resilience to the leakage of DH exponents
 no group membership testing on X or Y

AKE UNDER BAD RANDOMNESS
Case 1: Reset Attacks
EXAMPLE: SIGMA
Alice

Bob
Reset Attack (FC’11):
Virtual Machine: snapshot and revert/reset function
 Reset: randomness reuse
 DSA: randomness reuse  signing key disclosure

DSA




Param: a large prime p, a prime divisor q of (p-1), g =
h(p-1)/q mod p for arbitrary 1 < h < p-1.
SignKey: 0 < x < q
PK: gx mod p
Sign:
0<k<q
 r = (gk mod p) mod q
 s = (k−1(H(m) + xr)) mod q
 Return (r, s)


Reset attack: the same k is used
s1 = (k−1(H(m1) + xr)) mod q
 s2 = (k−1(H(m2) + xr)) mod q
 s1 / s2 = (H(m1) + xr) / (H(m2) + xr) mod q
 x = (H(m1)s1−1 – H(m2)s2−1) / (rs2−1 – rs1−1) mod q

EXAMPLE: HMQV
PKA = ga
PKB = gb
d = G(X, B)
σA = (Y· PKBe)x+da = g(x+da)(y+eb)
KA = H(σA)

e = G(Y,A)
σB = (X· PKAd)y+eb = g(x+da)(y+eb)
KB = H(σB)
Reset Attack (Menezes and Ustaoglu, IJACT)
 Assumption: the HMQV protocol is implemented in a
subgroup (with prime order q) of Zp*, and (p-1)/q
has several small (e.g. less than 240) pairwise
relatively prime factors t1, t2, ..., tn such that t1·
t2··· tn > q.
EXAMPLE: HMQV
PKA = ga
PKB = gb
d = G(X, B)
σA = (Y· PKBe)x+da = g(x+da)(y+eb)
KA = H(σA)

e = G(Y,A)
σB = (X· PKAd)y+eb = g(x+da)(y+eb)
KB = H(σB)
Reset Attack (Menezes and Ustaoglu, IJACT)
The adversary corrupts Bob and obtains b
 After receiving (A,B,X) from Alice, the adversary selects Y of order t 1,
and sends (B,A,Y) to Alice
 Alice computes
σA = (Y· PKBe)x+da = Yx+da· (PKBe)x+da = Yx+da · (X· PKAd)be, KA = H(σA)
 The adversary reveals KA, and iteratively computes K’ = H(Yc1 · (X·
PKAd)be) for c1 = 0, 1, 2, … until K’ = KA. Then c1 = x + da mod t1

EXAMPLE: HMQV
PKA = ga
PKB = gb
d = G(X, B)
σA = (Y· PKBe)x+da = g(x+da)(y+eb)
KA = H(σA)

e = G(Y,A)
σB = (X· PKAd)y+eb = g(x+da)(y+eb)
KB = H(σB)
Reset Attack (Menezes and Ustaoglu, IJACT)
The adversary resets A, and repeats the above process for
t2,··· ,tn and obtains ci = x + da mod ti. Then the adversary
computes (x+da mod q) by CRT.
 The adversary corrupts another party P, and repeats the
above attack to get (x+d’a mod q).
 Given (x+da mod q) and (x+d’a mod q), the adversary
computes a.

SIGMA WITH DETERMINISTIC DSA
Alice

Countermeasure (FC’11)

Deterministic DSA
SignKey’ = (SignKey, K)
 Randomness = PRF(K, m) for message m
 Preserves EUF-CMA security

Bob
EXAMPLE: HMQV
PKA = ga
PKB = gb
d = G(X, B)
σA = (Y· PKBe)x+da = g(x+da)(y+eb)
KA = H(σA)

e = G(Y,A)
σB = (X· PKAd)y+eb = g(x+da)(y+eb)
KB = H(σB)
Open problem: is HMQV resettably secure if group
membership test on X and Y is compulsory?
AKE UNDER BAD RANDOMNESS
Case 2: Adversary-Generated Randomness
ASSUMPTION

The long-term key is secure
(PKA,SKA)
(PKB,SKB)
msg 1
10110…
AKE Algo
msg 2
msg 3
AKE Algo
···
Reject, ⊥
or
Accept, K
Reject, ⊥
or
Accept, K
00110…
EXAMPLE: SIGMA WITH DETERMINISTIC DSA
Alice





Bob
The adversary controls the DH exponents x and y
 the adversary controls the DH key gxy
Countermeasures?
To use deterministic DSA, the long-term key contains a
PRF key K
By the assumption, K is unknown to the adversary
Derive x’ = PRFK(x), and use x’ as the DH exponent
GENERIC TRANSFORMATION
Always include a PRF key K in the long-term
key, and use Rand’ = PRFK(Rand) as the
randomness for the AKE protocol
 Theorem (FC’11): if an AKE protocol is secure in
Case 1, then the new protocol derived using the
above transformation is also secure in Case 2.
 Additional notes:

Forward secrecy: possible in Case 1, but not in Case 2
 The converted protocol may lose forward secrecy in
Case 1
 To preserve forward secrecy in Case 1,
{K, PRFK(Rand)} ≈ {K, U}.
 PRF must be a Randomness Extractor as well
 Candidate for PRF: HMAC

SECURE ROAMING PROTOCOLS
SECURE ROAMING

Roaming
WLAN
 Telecommunication
 ATM/Credit Card

Home Server
(H)
Internet
A
Foreign Server
(V)
A

……
B
SECURE ROAMING

GSM

3GPP: Server Authentication
SECURE ROAMING

Deposit-case Attacks (IEEE TWC’07)
SECURE ROAMING

Deposit-case Attacks (IEEE TWC’07)

Attacks against other protocols: more complicated
SECURE ROAMING

Universal AKE Protocols (IEEE
TWC’10)

Idea: ID-based Cryptography



Home server = Key Generation Center
User Authentication: Public Key of the
Home Server + Mobile User Identity
Advantages:



Home Server
Foreign server does not need to contact
home server of a roaming user
Foreign server can use the same protocol
and signaling flows to authenticate both
local and foreign clients
Tools:


Identity-based Signature
Heterogeneous Signcryption (Comp. J.’11)
SKA
A
Foreign Server
SKA
A
B
SECURE ROAMING

Heterogeneous Signcryption (Comp. J.’11)
Identity-Based Signature + Conventional PKE
 Avoid pairing operation


One-pass Universal AKE protocol
OTHER AKE PROTOCOLS
MULTI-FACTOR AKE PROTOCOLS (JCSS’08)
msg 1
msg 2
msg 3
s#2j!5 +
+
Something you know
 Something you have
 Something you are
 ……

GROUP AKE PROTOCOLS (CANS’10)

Security Requirements

Authentication


Session Key Secrecy



Insider Security
Forward/Backward Security
Contributiveness
Robustness
THANK YOU
EMAIL: TSLYG@NUS.EDU.SG