Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Key-Exchange Protocol Using Pre-Agreed Session-ID Kenji Imamoto, Kouichi Sakurai Kyushu University, JAPAN This research was partly supported from the.

Similar presentations


Presentation on theme: "1 Key-Exchange Protocol Using Pre-Agreed Session-ID Kenji Imamoto, Kouichi Sakurai Kyushu University, JAPAN This research was partly supported from the."— Presentation transcript:

1 1 Key-Exchange Protocol Using Pre-Agreed Session-ID Kenji Imamoto, Kouichi Sakurai Kyushu University, JAPAN This research was partly supported from the grant of Secom Science and Technology Foundation, and the 21st Century COE Program 'Reconstruction of Social Infrastructure Related to Information Science and Electrical Engineering'. Also, first author was partly supported from the Ministry of Education, Science, Sports and Culture, Grant-in-Aid for JSPS Fellows, 2004, Acknowledgement 사전 동의된 세션 아이디을 이용한 키 교환 프로토콜 Korean Title:

2 2 Abstract Any message through Internet or radio communication can be easily eavesdropped on  Privacy should be considered (especially, this paper considers identity concealment) Introduce Pre-Agreed Session ID (PAS)  Identification which is a disposable unique value used for every session to specify each session and party Formalize security model for key-exchange protocol Propose a secure key-exchange protocol using PAS Argue about the problems which arise when PAS is used

3 3 Contents 1. Introduction 2. Security Model 3. PAS Protocol 4. Proof of PAS Protocol 5. Variants and Discussions 6. Conclusion

4 4 1.Introduction Long-term shared secret  Leakage of Users ’ Identities Most existing schemes can not prevent Main focus of our study is …  Key-Exchange Protocol using Pre-shared Key Long-term shared secret Protocol Short-term secret

5 5 Bob E K B (M) User’s IDSecret key Alice KAKA Bob KBKB Charlie KCKC K B : secret key M: message K B : secret key Public Network BobResponder Threat: Leakage of user’s identity E K B ( Bob,M) User’s IDSecret key Alice KAKA Bob KBKB Charlie KCKC K B : secret key M: message K B : secret key Public Network BobResponder We need another identifiable information Legitimate user can specify his partner No attacker can specify who is communicating

6 6 [2] R. Canetti and H. Krawczyk, “Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels”, EUROCRYPT’2001. [3] R. Canetti and H. Krawczyk, “Security Analysis of IKE’s Signature-Based Key-Exchange Protocol”, CRYPTO’2002. Our Solution Session ID [2, 3]  Purpose: uniquely name sessions  Assumption: unique among all the session ID Pre-Agreed Session ID (PAS)  Unique session ID agreed between each peer before activation of the session  Uniquely name a session and parties who participate in the session

7 7 2.Security Model Existing Model [2] (SK-Security)  Consider the security of session key Our Model (SK-ID-Security)  Consider the security of not only session key but also users’ identities Extend

8 8 Communication Channel The channel is Broadcast-type  All messages can be sent to a pool of messages  There is no assumption on the logical connection between the address where a message is delivered and the identity behind that address. Attacker is a (probabilistic) polynomial-time machine with full control of the communication lines between parties  Free to intercept, delay, drop, inject, or change all messages sent over these lines

9 9 Attacker’s Access to Secret Information (session expose) Session state reveal  Session state for an incomplete session (which does not include long-term secret) Session-key query  Session-key of a completed session Party corruption  All information in the memory of the party (including session states, session-key, long-term secrets) Identity reveal  Parties’ identities that activate a session

10 10 Basic Idea of SK-ID-Security (1) Indistinguishability style [2] The success of an attack is measured via its ability to distinguish the real values from independent random values Oracle Attacker 1.Freely choose a complete session as test session 2.Query 4.Response (real or random) 3.Coin toss 5.Guess the result of coin toss If head, response is real If tail, response is random

11 11 Basic Idea of SK-ID-Security (2) The attacker succeeds in its attack if 1. The test session is not exposed 2. The probability of his correct guess of coin toss is significantly larger than 1/2 Definition (SK-ID-security) A key-exchange protocol is called SK-ID-secure if for all attackers with the explained capabilities, success probability (in its test-session distinguishing attacks) is not more than 1/2 plus a negligible fraction Two games against Test session: Distinction of session-key (real session key or random value) [2] Distinction of pairs (real party or randomly chosen party)

12 12 Game: Distinction of pairs Attacker 1.Freely choose a complete session as test session 2.Query 4.Response (real or random) 3.Coin toss 5.Guess the result of coin toss If head, response is real If tail, response is random Random choice from all possible pairs that do not include either of the real parties’ ID A, B, C, D, E A shares PSK with B C shares PSK with D and E A-B C-D C-E A-C A-D A-E B-C B-D B-E D-E RealRandom Oracle

13 13 3.PAS Protocol 1. Start message 2. Response message 3. Finish message k 0 =PRF g xy (0) % Session key k 1 =PRF g xy (1) % k 2 =PRF PSK ij (2) MAC: Message Authentication Code PRF: Pseudo Random Function

14 14 4.Proof of PAS Protocol Main Theorem  Assuming DDH and the security of the underlying cryptographic functions (i.e., MAC and PRF), PAS protocol is SK-ID-secure Strategy for Proof of Main Theorem  Show that a DDH distinguisher can be built from an attacker that succeeds in distinguishing between a real and a random response to the test-session query

15 15 Point Responder needs to distinguish legitimate requests from waste one at low costs Responder cannot respond. (Even for legitimate users !) Adversary Responder User 5.Variants and Discussions (DoS-resilient)

16 16 Adversary Responder  Request needs a valid PAS  Attacker can guess no valid PAS Protection from DoS attack The cost of checking validity of received PAS is equal to only searching in responder ’ s PAS list. User’s IDPASSecret key Alice PAS AR K AR Bob PAS BR K BR Charlie PAS CR K CR Protection from DoS attack Bob PAS BR, Request

17 17 6.Conclusion Introduce Pre-Agreed Session ID (PAS)  Identification which is a disposable unique value used for every session to specify each session and party Formalize security model for key-exchange protocol Propose a secure key-exchange protocol using PAS Argue about the problems which arise when PAS is used  Synchronization of PAS, DoS attack, PFS


Download ppt "1 Key-Exchange Protocol Using Pre-Agreed Session-ID Kenji Imamoto, Kouichi Sakurai Kyushu University, JAPAN This research was partly supported from the."

Similar presentations


Ads by Google