
M.S. Dousti, FORSAKES: A Forward-Secure AKE. Mohammad Sadeq Dousti, Weekly Seminars on Discrete Mathematics and Computer Science. Presentation transcript.


Slide 1: FORSAKES: A Forward-Secure AKE Based on Symmetric KES
Mohammad Sadeq Dousti, http://dnsl.ce.sharif.edu
Weekly Seminars on Discrete Mathematics and Computer Science

Slide 2: Topics
- Introduction
- Diffie–Hellman & PFS
- Key-Evolving Schemes (KES)
- Our Security Model
- Our AKE Definition
- FORSAKES Protocol
- Epilogue

Slide 3: Today's talk is about…
- Authenticated Key Exchange (AKE) protocols.
- [Figure: an Initiator (I) and a Responder (R) share a Long-Term Key (LTK) and establish a session key (sk).]

Slide 4: Security expectations from AKE
- Informally:
  - I and R must agree on the same session key.
  - No one, without knowledge of the LTK, should be able to participate in the protocol.
  - The session key must be "random looking."
- Other properties:
  - PFS, KCI resilience, UKS resilience, …

Slide 5: Security model
- The so-called "security expectations" constitute a security definition.
- Security definitions make sense within a security model, designating:
  - The model of computation
  - The model of communication
  - The attack model
  - …

Slide 6: Topics (next section: Diffie–Hellman & PFS)

Slide 7: Diffie–Hellman (DH) protocol
- The earliest attempt at asymmetric crypto.
- Notation:
  - G: a (multiplicative) group of prime order q.
  - g: a generator of G.
- Consider the following tuples, where a, b, and c are picked randomly from ℤ_q:
  - Type 1: (g, g^a, g^b, g^ab)
  - Type 2: (g, g^a, g^b, g^c)

Slide 8: Decisional Diffie–Hellman (DDH) problem
- DDH problem: distinguishing between Type 1 and Type 2 tuples.
- The DDH problem seems to be hard in some groups.
- Let G be a group for which DDH is assumed to hold.

Slide 9: DH flows
- [Figure: public parameters G, g. A picks a randomly from ℤ_q and sends g^a; B picks b randomly from ℤ_q and sends g^b. Both compute sk = g^ab.]

Slide 10: Authenticated DH (ADH-1)
- DH is a key exchange (KE) protocol.
  - No authentication.
  - Prone to active attacks.
- A and B can share some LTK K prior to the DH flows.
  - Each flow of DH can be authenticated by K.

Slide 11: ADH-1 flows
- [Figure: shared G, g, K. A -> B: g^a, auth_K(g^a). B -> A: g^b, auth_K(g^b). A picks a and B picks b randomly from ℤ_q. Both compute sk = g^ab.]

Slide 12: Perfect Forward Secrecy (PFS)
- Also called "forward security."
- PFS: if the LTK is revealed at time T, all session keys established prior to this time remain secure.
- ADH-1 satisfies the PFS property.
- [Figure: timeline; the LTK is revealed at time T, and session keys established before T remain secure.]

Slide 13: ADH-1 deficiency
- In ADH-1, neither party is assured that the other gets hold of sk.
- Bad solution:
  - B uses sk to authenticate 0 || g^a || g^b.
  - Add a 3rd flow, where A uses sk to authenticate 1 || g^a || g^b.

Slide 14: Why bad?!
- If sk is used to authenticate flows, sk can be distinguished from random!
- Solution:
  - Use a Key Derivation Function (KDF).
  - Extract two keys from g^ab:
    - Integrity key (ik), to authenticate flows.
    - Session key (sk), to use for sessions.

Slide 15: ADH-2 flows
- [Figure: shared G, g, K. Flow 1, A -> B: g^a, auth_K(g^a). Flow 2, B -> A: g^b, auth_ik(0 || g^a || g^b). Flow 3, A -> B: auth_ik(1 || g^a || g^b). Both sides compute sk = KDF(0, g^ab) and ik = KDF(1, g^ab).]
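The three ADH-2 flows above, written out as an added Python example (not code from the talk or the paper). Two assumptions are made so that it runs offline: auth is instantiated with HMAC-SHA256 and the KDF with SHA-256, and the group is a tiny toy group; the point shown is how the KDF keeps ik (used in the flows) separate from sk (never sent).

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (assumption): in Z_23*, g = 2 generates the
# subgroup of prime order q = 11. Real deployments use a standardized large group.
p, q, g = 23, 11, 2

def enc(x: int) -> bytes:
    return x.to_bytes(4, "big")           # fixed-width group-element encoding (assumption)

def auth(key: bytes, *parts: bytes) -> bytes:
    # auth_key(m): the slides leave the MAC abstract; HMAC-SHA256 is assumed here.
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def kdf(label: int, shared: int) -> bytes:
    # KDF(label, g^ab) of slide 15: label 0 -> session key sk, label 1 -> integrity key ik.
    return hashlib.sha256(bytes([label]) + enc(shared)).digest()

def adh2(K_A: bytes, K_B: bytes) -> tuple[bytes, bytes]:
    """Run the three ADH-2 flows; A holds LTK K_A, B holds K_B. Returns (sk_A, sk_B)."""
    # Flow 1, A -> B: g^a, auth_K(g^a)
    a = 1 + secrets.randbelow(q - 1)
    ga = pow(g, a, p)
    flow1 = (ga, auth(K_A, enc(ga)))
    # B checks the LTK-keyed tag before doing any further work
    ga_recv, tag1 = flow1
    if not hmac.compare_digest(tag1, auth(K_B, enc(ga_recv))):
        raise ValueError("flow 1: g^a not authenticated under K")
    b = 1 + secrets.randbelow(q - 1)
    gb = pow(g, b, p)
    sk_B, ik_B = kdf(0, pow(ga_recv, b, p)), kdf(1, pow(ga_recv, b, p))
    # Flow 2, B -> A: g^b, auth_ik(0 || g^a || g^b)   (exactly as slide 15 draws it)
    flow2 = (gb, auth(ik_B, b"\x00", enc(ga_recv), enc(gb)))
    gb_recv, tag2 = flow2
    sk_A, ik_A = kdf(0, pow(gb_recv, a, p)), kdf(1, pow(gb_recv, a, p))
    if not hmac.compare_digest(tag2, auth(ik_A, b"\x00", enc(ga), enc(gb_recv))):
        raise ValueError("flow 2: key confirmation failed")
    # Flow 3, A -> B: auth_ik(1 || g^a || g^b); label 1 distinguishes it from flow 2
    flow3 = auth(ik_A, b"\x01", enc(ga), enc(gb_recv))
    if not hmac.compare_digest(flow3, auth(ik_B, b"\x01", enc(ga_recv), enc(gb))):
        raise ValueError("flow 3: key confirmation failed")
    return sk_A, sk_B   # sk never appears in any flow, only ik does (slide 14)
```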

Slide 16: Topics (next section: Key-Evolving Schemes)

Slide 17: Efficiency of DH
- To the best of our knowledge, all provably secure PFS AKEs are based on DH, and DH is very slow.
- How to get a fast AKE that satisfies PFS?
- Key-Evolving Schemes (KES): a cryptographic protocol whose LTKs evolve over time.
- Idea: R. Canetti, S. Halevi, J. Katz. A Forward-Secure Public-Key Encryption Scheme, J. Cryptology, 2007. Ironically, based on DH!

Slide 18: Example usage of KES
- [Figure only.]

Slide 19: Milder form of PFS
- The lifetime of the system is divided into many time stages; each stage is τ seconds.
- Mild PFS: if the LTK is revealed in time stage T, all session keys established in time stages 0, …, T − 1 remain secure.
- [Figure: timeline of stages 0, …, T − 1, T; the LTK is revealed in stage T, and the session keys of earlier stages remain secure.]

Slide 20: Topics (next section: Our Security Model)

Slide 21: Computation & complexity model
- All parties (including the adversary) are modeled as interactive Turing machines (ITMs).
  - A Turing machine equipped with communication tapes.
- All parties (including the adversary) are probabilistic polynomial time (PPT).

Slide 22: Adversarial model
- The interaction of the adversary and the parties is modeled by a game between:
  - the adversary, and
  - a hypothetical entity called the Challenger.
- The Challenger has an interface (like an API!), allowing the adversary to query it.
- The Challenger also has a TimeEvent() interface, which is called every τ seconds by a universal clock.

Slide 23: Challenger interface for the adversary
- Register(): introduce a new party into the system.
- ShareLTK(x,y): share an LTK between party x and party y.
- Send(x,s,y,m): send message m to session s of party x, claiming this message comes from party y.
  - If session (x, s) does not exist, it is created.
  - The result includes the response of (x, s).

Slide 24: Challenger interface for the adversary, cont'd
- ExposeSS(x,s): leaks the state of session (x, s) to the adversary (including sk).
  - The session (x, s) is marked as "exposed."
- RevealLTK(x,y): reveals the LTK between party x and party y to the adversary.
  - Both parties are marked as "corrupt" for each other.

Slide 25: Algorithmic flavor
- The interface of the Challenger is algorithmically defined.
- The algorithms can be incorporated into tools for automatic verification of security protocols.

Slide 26: Topics (next section: Our AKE Definition)

Slide 27: Definition roadmap
- We now have a security model.
- Notice that the model says nothing about AKE security.
  - That is the role of the security definition!
- To put forward the definition, we need two central notions:
  - Session partnership
  - Session freshness

Slide 28: Why do we need those "central notions"?
- The adversary obviously knows the sk of an exposed session.
- If the adversary corrupts a party, it obviously knows the sk of any session established thereafter.
- Similar results hold if the adversary exposes or corrupts the "partner" of a session/party.
  - We need to define "partner."
- We need to define "unfresh" sessions, which are obviously insecure.

Slide 29: Session partnership
- Two sessions are called partners if:
  1. Both sessions output the same non-empty session keys and session identifiers (sid).
  2. The sessions have different roles (I and R).
  3. The sessions recognize the other party as the partner.
  4. No other session outputs the same sid.
- Very hard to satisfy; can be relaxed.

Slide 30: Algorithmic approach…
- [Figure only.]

Slide 31: Session freshness
- A session is fresh if the following holds:
  1. PFS: if the LTK is revealed, it is revealed in a time stage after the time stage in which the session key was established.
  2. The session is not exposed.
  3. If a partner session exists, conditions 1 & 2 hold for it as well.

Slide 32: Security definition: Idea
- The adversary picks a fresh session of its choice.
- The Challenger tosses a coin b:
  - Heads: returns the session key (ℓ bits).
  - Tails: returns a random ℓ-bit string.
- The adversary continues querying the interface.
- The adversary announces its guess of b.
- The Challenger announces the adversary as the winner iff its guess is correct and the session is still fresh.

Slide 33: Endowing the Challenger with a new interface
- Test(x,s): the adversary specifies that (x, s) is the target session of its choice.
  - If (x, s) is fresh, the Challenger returns an ℓ-bit string.
- Guess(b'): the adversary announces its guess b'.
  - The adversary wins iff b' = b and (x, s) is still fresh.

Slide 34: Security definition
- Define the advantage of the adversary as "the probability of winning the game, minus ½."
- An AKE protocol is called secure if: for all c ∈ ℕ, any PPT adversary, and all sufficiently large n ∈ ℕ, the advantage of the adversary is less than n^(−c).

Slide 35: Topics (next section: FORSAKES Protocol)

Slide 36: About FORSAKES
- FORSAKES: Forward-Secure AKE based on KES.
- FORSAKES is described in the Random Oracle (RO) model.
  - Consider the RO, denoted H below, as an ideal (totally random) hash function.
- In the FORSAKES case, the RO only simplifies the proofs, and can be replaced by PRFs.

Slide 37: FORSAKES: The 10,000-foot view
- [Figure only.]

Slide 38: Main properties of FORSAKES
- Updating the LTK: K_new = H(K_old).
- "I" uses a nonce n_I as part of Msg1.
- "R" uses a nonce n_R as part of Msg2.
- Session ID: sid = n_I || n_R.
- Session key: sk = H(0 || sid || K).
- Integrity key: ik = H(1 || sid || K).
- Auth_j = H(Msg_j || ik) for j ∈ {2, 3}.

Slide 39: FORSAKES messages
- Msg1 = 1 || ID_I || ID_R || T || n_I.
- Msg2 = 2 || ID_R || ID_I || T || n_I || n_R.
- Msg3 = 3 || ID_I || ID_R || T || n_I || n_R.
- FORSAKES parties perform quite a few "syntactical" checks on incoming messages before responding to them.
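A runnable sketch of slides 38 and 39, added here as an example and not the authors' code: the random oracle H is instantiated as SHA-256, nonces are 16 bytes and identities 4 bytes, all assumptions made for this example. It also exercises the key evolution behind slide 19's mild PFS: evolve() is one-way, so an LTK revealed in a later stage yields no session key of an earlier one, and a message altered in transit fails the Auth check.

```python
import hashlib
import secrets

NONCE_LEN = 16  # nonce width in bytes (assumption), so n_R can be sliced off Msg2

def H(*parts: bytes) -> bytes:
    # Random-oracle stand-in (assumption: SHA-256; the talk suggests HMAC in practice).
    return hashlib.sha256(b"".join(parts)).digest()

def evolve(K: bytes) -> bytes:
    # Slide 38: K_new = H(K_old), once per stage; not invertible, so an LTK revealed in
    # stage T gives no key of stages 0, ..., T-1 (the mild PFS of slide 19).
    return H(K)

def derive(sid: bytes, K: bytes) -> tuple[bytes, bytes]:
    # sk = H(0 || sid || K), ik = H(1 || sid || K)
    return H(b"\x00", sid, K), H(b"\x01", sid, K)

def msg(j: int, src: bytes, dst: bytes, T: int, *nonces: bytes) -> bytes:
    # Msg_j = j || ID_src || ID_dst || T || n_I [|| n_R]   (slide 39; IDs are 4 bytes here)
    return bytes([j]) + src + dst + T.to_bytes(4, "big") + b"".join(nonces)

def check(m: bytes, j: int, src: bytes, dst: bytes, T: int, *nonces: bytes) -> None:
    # Slide 39's "syntactical" checks: the bytes must match the receiver's own view exactly.
    if m != msg(j, src, dst, T, *nonces):
        raise ValueError(f"Msg{j} rejected by syntactical check")

def run(K: bytes, T: int, id_I: bytes, id_R: bytes, tamper: bool = False) -> tuple[bytes, bytes]:
    """One run in stage T under LTK K; returns (sk at I, sk at R). tamper flips a bit of Msg2."""
    n_I = secrets.token_bytes(NONCE_LEN)
    msg1 = msg(1, id_I, id_R, T, n_I)                            # I -> R
    # R: parse Msg1, pick n_R, derive sk/ik, send Msg2 || Auth2
    check(msg1, 1, id_I, id_R, T, msg1[-NONCE_LEN:])
    n_R = secrets.token_bytes(NONCE_LEN)
    sk_R, ik_R = derive(n_I + n_R, K)
    msg2 = msg(2, id_R, id_I, T, n_I, n_R)                       # R -> I
    auth2 = H(msg2, ik_R)                                        # Auth_2 = H(Msg2 || ik)
    if tamper: msg2 = msg2[:-1] + bytes([msg2[-1] ^ 1])
    # I: Msg2 must echo n_I; derive sk/ik from sid = n_I || n_R, then verify Auth2
    n_R_recv = msg2[-NONCE_LEN:]
    check(msg2, 2, id_R, id_I, T, n_I, n_R_recv)
    sk_I, ik_I = derive(n_I + n_R_recv, K)
    if not secrets.compare_digest(auth2, H(msg2, ik_I)):
        raise ValueError("Auth2 invalid: peer does not hold the current LTK")
    msg3 = msg(3, id_I, id_R, T, n_I, n_R_recv)                  # I -> R
    auth3 = H(msg3, ik_I)                                        # Auth_3 = H(Msg3 || ik)
    check(msg3, 3, id_I, id_R, T, n_I, n_R)                      # R: check Msg3, Auth3, accept
    if not secrets.compare_digest(auth3, H(msg3, ik_R)):
        raise ValueError("Auth3 invalid")
    return sk_I, sk_R
```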

Slide 40: Topics (next section: Epilogue)

Slide 41: FORSAKES is a secure AKE
- We proved that, according to the mentioned model/definition, FORSAKES is a secure AKE.
- The full proof is 15 pages.
- It gives a relationship between the advantage of any adversary (even an infinitely powerful one) and the number of queries it makes.
  - The advantage is negligible when the number of queries is sub-exponential.

Slide 42: FORSAKES in practice
- Theoretically, the RO should be replaced with PRFs.
- In practice, simple hash functions would suffice.
  - In particular, we suggest HMAC.
- Depending on the environment, the stage lifespan can be between tens of seconds and many days (less secure).

Slide 43: Future directions
- Consider a model where the adversary can issue a Desync(x,y) query.
  - De-synchronize the LTK between two parties.
  - The protocol should provide a re-synchronization mechanism.
- Consider another model, where LTKs are one-time: once used, they can never be used again.

Slide 44: References
See the following paper and references therein:
- M.S. Dousti and R. Jalili. FORSAKES: A Forward-Secure Authenticated Key Exchange Protocol based on Symmetric Key-Evolving Schemes, Advances in Mathematics of Communications, 2015.

