Analysis of Key Agreement Protocols Brita Vesterås Supervisor: Chik How Tan.

1 Analysis of Key Agreement Protocols Brita Vesterås Supervisor: Chik How Tan

2 Motivation & purpose Motivation: new key agreement protocols are designed rapidly, and many of them have not been thoroughly analysed. Purpose: analyse a few of these protocols and try to find their weaknesses.

3 Why do protocols contain security flaws? New attacks arise. Hard/impossible to consider all possible attack scenarios.

4 Work of this thesis
–Summarise different attack methods on key agreement protocols
–Describe design methods of key agreement protocols
–Analyse five key agreement protocols

5 Attack methods on key agreement protocols
–Eavesdropping – an adversary captures information that is sent in the protocol
–Modification – the information sent in the protocol is altered by an adversary
–Replay – a transmission is recorded and later retransmitted
–Reflection – a message is sent back to its sender in a new protocol run

6 Attack methods on key agreement protocols (cont.)
–Denial of service – the attacker overwhelms the server so that legitimate users cannot get a connection
–Typing attack – a message field of one type is replaced with a message field of another type (a type flaw)
–Cryptanalysis – recovering keys or plaintext from the protocol's ciphertexts without the key
–Certificate manipulation – a certificate is modified or substituted
–Protocol interaction – a different protocol that shares keys or message formats with the target protocol is used to attack it

7 Design methods
”One-way functions” – functions that are easy to compute but hard to invert without additional (trapdoor) information. The protocols analysed build on:
–hash functions
–the discrete logarithm problem
–the elliptic curve discrete logarithm problem
–integer factorisation

8 Design methods (cont.) Schemes used as basis for the protocols:
–Diffie-Hellman
–Elliptic Curve Cryptography
–MQV protocol

9 Analysis of protocols Wanted security features:
–Known key security
–Forward secrecy
–Key compromise impersonation (resilience)
–Unknown key-share (resilience)
–Key control

10 Known key security A protocol run should result in a unique secret session key. If this key is compromised, it should have no impact on other session keys.

11 Forward secrecy Even if long-term private keys are compromised, it should not have any effect on the secrecy of previously established session keys.

12 Key compromise impersonation If entity A's long-term private key is compromised, an adversary is able to impersonate A. But this should not enable him to impersonate other entities to A.

13 Unknown key-share If entity A wants to establish a key with B, an adversary should not be able to arrange that A believes the key is shared with B while B believes the same key is shared with a third entity C.

14 Key control Neither entity should be able to force the session key to a value of its choice; the key must depend on contributions from both parties.

15 Analysis of protocols

16 Outline of analysis presentation
–Popescu’s protocol – forward secrecy: OK
–Popescu’s protocol – key compromise impersonation: not met
–Harn-Hsin-Mehta’s protocol – forward secrecy: not met
–Harn-Hsin-Mehta’s protocol – key compromise impersonation: OK

17 Popescu’s protocol 1/2

18 Popescu’s protocol 2/2

19 Popescu meets the forward secrecy goal The session key is computed as $K_A = -k_A \cdot V_B$ by A and $K_B = -k_B \cdot V_A$ by B, both equal to $K = k_A \cdot k_B \cdot P$, where $k_A$ and $k_B$ are fresh random secret values. The long-term private keys $a$ and $b$ do not enter this computation, so an adversary who later obtains them learns nothing about earlier session keys. Forward secrecy: even if long-term private keys are compromised, it should not have any effect on the secrecy of previously established session keys.

20 Problem: does not meet the key compromise impersonation goal The authentication of the parties is based on knowledge of $K_s = -b \cdot Y_A = -a \cdot Y_B$ ($a$, $b$ private; $Y_A$, $Y_B$ public). $K_s$ is the same value whichever private key it is computed from, so an attacker who obtains $a$ can compute it exactly as B would. He can therefore impersonate A to B, as expected, but he can also impersonate B to A. Key compromise impersonation: if entity A's long-term private key is compromised, an adversary is able to impersonate A. But this should not enable him to impersonate other entities to A.
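As an added example (not part of the thesis or of Popescu's paper), the script below models the authentication flaw just described. It replaces the elliptic-curve group with exponentiation modulo a prime, drops the point negation in the slide's formula, and assumes that "authentication based on knowledge of $K_s$" means an HMAC under a key derived from $K_s$ over the sender's ephemeral value; the modulus, the identities and the tag format are all assumptions. The point it shows is that $K_s$ is symmetric: A's leaked key $a$ alone yields exactly the value B would have used, so a tag forged with $a$ passes A's check and A ends up sharing a session key with the adversary while believing it is B.

```python
import hashlib
import hmac
import secrets

# Assumed group: exponentiation modulo a prime instead of the elliptic curve
# used by the protocol; p is chosen only to keep the example self-contained.
P = 2**255 - 19
G = 2


def rand_exp():
    return secrets.randbelow(P - 2) + 1


def keygen():
    """Long-term key pair: private x, public Y = g^x mod p."""
    x = rand_exp()
    return x, pow(G, x, P)


def static_secret(priv, peer_pub):
    """K_s = Y_B^a = Y_A^b: computable from EITHER party's private key."""
    return pow(peer_pub, priv, P)


def auth_tag(ks, sender_id, ephemeral):
    """Assumed form of 'authentication based on knowledge of K_s': an HMAC
    under a key derived from K_s, binding the claimed sender and its
    ephemeral value V."""
    key = hashlib.sha256(ks.to_bytes(32, "big")).digest()
    msg = sender_id.encode() + ephemeral.to_bytes(32, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


def responder_a(a, y_b, claimed_sender, v_peer, tag):
    """A's side: verify the peer's tag under K_s, then derive the session key
    K = V_peer^k_A (= g^(k_A k_peer), independent of a and b).
    Returns (A's session key, A's ephemeral value V_A), or None on rejection."""
    ks = static_secret(a, y_b)
    if not hmac.compare_digest(tag, auth_tag(ks, claimed_sender, v_peer)):
        return None
    k_a = rand_exp()
    return pow(v_peer, k_a, P), pow(G, k_a, P)


def honest_run():
    """B authenticates to A with B's own key b; both end with the same K."""
    a, y_a = keygen()
    b, y_b = keygen()
    k_b = rand_exp()
    v_b = pow(G, k_b, P)
    tag = auth_tag(static_secret(b, y_a), "B", v_b)
    result = responder_a(a, y_b, "B", v_b, tag)
    if result is None:
        return False
    k_at_a, v_a = result
    return k_at_a == pow(v_a, k_b, P)


def kci_attack():
    """Adversary knows only A's long-term key a (plus public keys), never b.
    Because K_s is symmetric, a suffices to forge B's tag, so A accepts the
    adversary as B and shares a session key with it."""
    a, _y_a = keygen()
    _b, y_b = keygen()          # b stays with B; the adversary never sees it
    k_e = rand_exp()
    v_e = pow(G, k_e, P)
    ks = static_secret(a, y_b)  # Y_B^a == Y_A^b, the value B would have used
    result = responder_a(a, y_b, "B", v_e, auth_tag(ks, "B", v_e))
    if result is None:
        return False
    k_at_a, v_a = result
    return k_at_a == pow(v_a, k_e, P)


def outsider_rejected():
    """Control: without a (or b) the adversary cannot compute K_s, and a tag
    made under a guessed value is rejected by A."""
    a, _ = keygen()
    _, y_b = keygen()
    k_e = rand_exp()
    v_e = pow(G, k_e, P)
    forged = auth_tag(rand_exp(), "B", v_e)
    return responder_a(a, y_b, "B", v_e, forged) is None
```

Note that the ephemeral exchange itself is fine (the session key never involves $a$ or $b$, which is why the forward secrecy slide passes); the problem is that the only thing A checks is knowledge of a value that A's own key already determines. Protocols that resist key compromise impersonation, such as MQV from slide 8, combine each party's static and ephemeral keys so that the value B must prove knowledge of cannot be computed from $a$ alone.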

21 Harn-Hsin-Mehta’s protocol 1/2

22 Harn-Hsin-Mehta’s protocol 2/2

23 Problem: no forward secrecy Session key from A to B: $k_{AB} = r_A^{d_B} \bmod n_B$. The value $n_B$ is publicly known and $r_A$ is transmitted, so the secrecy of $k_{AB}$ rests on $d_B$ alone. An attacker who obtains this value can compute the session key for messages sent from A to B. Forward secrecy: even if long-term private keys are compromised, it should not have any effect on the secrecy of previously established session keys.

24 Problem: no forward secrecy (cont.) If the attacker has eavesdropped on previous protocol runs, he can compute every earlier session key that was derived from the now-known private key $d_B$. Forward secrecy: even if long-term private keys are compromised, it should not have any effect on the secrecy of previously established session keys.

25 Harn-Hsin-Mehta meets the key compromise impersonation goal We assume an attacker who knows A's private key $d_A$ tries to impersonate B to A. The attacker can compute $k'_{BA} = R_A^{k_B} \bmod n_A$ ($R_A$ and $n_A$ are public values, and he may choose $k_B$ freely), but he cannot compute $k_{AB} = r_A^{d_B} \bmod n_B$, because that requires B's private key $d_B$.

26 Harn-Hsin-Mehta meets the key compromise impersonation goal Without the correct value of $k_{AB}$ the attacker cannot compute a signature that A will accept. Key compromise impersonation: if entity A's long-term private key is compromised, an adversary is able to impersonate A. But this should not enable him to impersonate other entities to A.
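As an added example (not from the thesis or from the Harn-Hsin-Mehta paper), the script below models the session-key formula $k_{AB} = r_A^{d_B} \bmod n_B$ with toy RSA keys and walks through both results from slides 23 to 26: a later leak of $d_B$ lets an eavesdropper recover every recorded session key, while a leak of $d_A$ does not let the adversary produce the confirmation A expects from B. The slides do not show how A forms $r_A$; the script assumes A chooses the session secret $x$ and sends $r_A = x^{e_B} \bmod n_B$, so that B's $r_A^{d_B} \bmod n_B$ equals $x$. The key sizes, the confirmation tag standing in for the slide's signature, and all names are assumptions.

```python
import hashlib
import hmac
import secrets

E = 65537  # public exponent shared by both toy keys


def rsa_keygen(p, q):
    """Toy RSA key from two primes: returns (private d, modulus n)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return d, n


# Constructed toy keys built from known Mersenne primes (assumption; far too
# small for real use, chosen only so the example runs offline in an instant).
D_A, N_A = rsa_keygen(2**31 - 1, 2**61 - 1)
D_B, N_B = rsa_keygen(2**89 - 1, 2**107 - 1)
KEY_LEN = (N_B.bit_length() + 7) // 8


def a_initiates():
    """A picks the session secret x and sends r_A = x^e_B mod n_B (assumed
    encoding of r_A; the slides do not show it)."""
    x = secrets.randbelow(N_B - 2) + 2
    return x, pow(x, E, N_B)


def b_derives(r_a):
    """B's side exactly as on slide 23: k_AB = r_A^d_B mod n_B."""
    return pow(r_a, D_B, N_B)


def confirm(k_ab, sender):
    """Key-confirmation tag over the sender's identity under k_AB; a stand-in
    for the signature A expects from B on slide 26."""
    key = hashlib.sha256(k_ab.to_bytes(KEY_LEN, "big")).digest()
    return hmac.new(key, sender.encode(), hashlib.sha256).digest()


def a_accepts(x, tag):
    """A accepts the peer as B only if the tag was made under A's own k_AB = x."""
    return hmac.compare_digest(tag, confirm(x, "B"))


def run_sessions(count):
    """Run several sessions; return A's keys and what an eavesdropper records."""
    keys, transcript = [], []
    for _ in range(count):
        x, r_a = a_initiates()
        if b_derives(r_a) != x:
            raise RuntimeError("A and B disagree on the session key")
        keys.append(x)
        transcript.append(r_a)  # only r_A crosses the wire; n_B is public anyway
    return keys, transcript


def recover_after_leak(transcript, d_b):
    """No forward secrecy: with d_B obtained later, every recorded r_A decrypts
    to the session key it carried."""
    return [pow(r_a, d_b, N_B) for r_a in transcript]


def impersonate_b_with_d_a(r_a):
    """KCI attempt: an adversary holding only d_A answers A as if it were B.
    d_A operates modulo n_A, so the best it can do is apply its own key to
    r_A; that does not yield r_A^d_B mod n_B, and A rejects the tag."""
    guess = pow(r_a % N_A, D_A, N_A)
    return confirm(guess, "B")
```

The two outcomes follow from the same fact: the only secret that enters $k_{AB}$ is $d_B$. That makes the key safe against someone who holds $d_A$ (slides 25 and 26), and exactly as exposed as $d_B$ itself for as long as recorded traffic is kept (slides 23 and 24). A fresh ephemeral contribution from both sides, as in the Diffie-Hellman based design on slide 19, is what removes the second dependence.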

27 Conclusion 3 of the 5 protocols failed to meet all the requirements. All the problems encountered are caused by disclosure of long-term secret keys. The result of the analysis is not a proof of how secure a protocol is, but it shows the need for better routines for analysing and securing new protocols.

28 Questions?

