
How to Build a Secure Communication Channel. Guomin Yang, Temasek Laboratories, National University of Singapore.


1 How to Build a Secure Communication Channel
Guomin Yang, Temasek Laboratories, National University of Singapore

2 Authenticated Key Exchange (AKE)
Security goals: mutual authentication; secure key establishment; user anonymity (optional).
[Figure: Alice and Bob exchange msg 1, msg 2, msg 3, and each ends with the shared key K.]

3 Diffie-Hellman Key Exchange
Diffie-Hellman assumption: given g^x and g^y, it is computationally infeasible to compute g^{xy}.
Alice sends X = g^x and Bob sends Y = g^y. Alice computes K_A = Y^x = g^{xy}; Bob computes K_B = X^y = g^{xy}.
What if the adversary can modify the messages?

4 Man-in-the-Middle Attack
Alice sends X = g^x, but Bob receives X' = g^{x'} chosen by the adversary; Bob sends Y = g^y, but Alice receives Y' = g^{y'}.
Alice computes K_A = Y'^x = g^{xy'}; Bob computes K_B = X'^y = g^{x'y}.
The adversary is able to derive both K_A and K_B, so it can read E(K_A, m) coming from Alice and re-encrypt it as E(K_B, m) for Bob.

5 Outline
Security Model and Definition
Two-party AKE: ISO/IEC, SIGMA, (H)MQV
AKE under Bad Randomness
Secure Roaming: GSM/3GPP, Universal AKE
Other AKE Protocols

6 SECURITY MODEL AND DEFINITION

7 Adversarial Game
The adversary controls all the communications and schedules all the sessions.

8 Adversarial Game
Each party can have multiple and concurrent sessions.

9 Adversarial Game
Additional queries: Session key reveal; Corruption; Test.
Session freshness: no session key reveal, and no corruption before the session terminates. The Test session must be fresh.
Adv(A) = Pr[A guesses b correctly] - 1/2.
An authenticated key exchange protocol is secure if Adv(A) is negligible for any PPT adversary A.

10 TWO-PARTY AKE PROTOCOLS

11 A "Bad" Sig-DH Protocol
Idea: use a digital signature to do authentication.
Secure? Eve replaces the last message with
[Figure: Alice/Bob message flow; the replaced message is not recoverable from the transcript.]

12 ISO/IEC IS 9798-3
Provably secure (Canetti-Krawczyk, Eurocrypt'01). Forward secrecy. No user anonymity.
[Figure: Alice/Bob message flow.]

13 SIGMA
Basis of IKE (RFC 2409) and IKEv2 (RFC 4306). Digital signature: DSA. MAC: HMAC.
Provably secure (Canetti-Krawczyk, Crypto'02). User anonymity.
[Figure: Alice/Bob message flow.]

14 MQV (IEEE P1363)
Implicit authentication. Explicit authentication: use a MAC.
Long-term keys: PK_A = g^a, PK_B = g^b. Ephemeral values: Alice sends X = g^x, Bob sends Y = g^y.
d = 2^l + (X mod 2^l), e = 2^l + (Y mod 2^l).
Alice: σ_A = (Y · PK_B^e)^{x+da} = g^{(x+da)(y+eb)}, K_A = H(σ_A).
Bob: σ_B = (X · PK_A^d)^{y+eb} = g^{(x+da)(y+eb)}, K_B = H(σ_B).

15 Kaliski's Attack
Message flow: Alice sends (A, B, X = g^x); M forwards (M, B, Z) to Bob; Bob replies (B, M, Y = g^y); M forwards (B, A, Y) to Alice.
Keys: PK_A = g^a, PK_B = g^b, PK_M = g^c.
M randomly chooses u and sets d = 2^l + (X mod 2^l), Z = X · PK_A^d · g^{-u}, h = 2^l + (Z mod 2^l), c = u/h.
Bob: σ_B = (Z · PK_M^h)^{y+eb} = g^{(x+da)(y+eb)}, K_B = H(σ_B).
Alice: σ_A = (Y · PK_B^e)^{x+da} = g^{(x+da)(y+eb)}, K_A = H(σ_A).
Since Z · PK_M^h = X · PK_A^d · g^{-u} · g^{u} = g^{x+da}, Bob ends up with the same key as Alice while believing he shares it with M.

16 HMQV
Provably secure (Krawczyk, Crypto'05). Additional features: resilience to the leakage of DH exponents; no group membership testing on X or Y.
Long-term keys: PK_A = g^a, PK_B = g^b. d = G(X, B), e = G(Y, A).
Alice: σ_A = (Y · PK_B^e)^{x+da} = g^{(x+da)(y+eb)}, K_A = H(σ_A).
Bob: σ_B = (X · PK_A^d)^{y+eb} = g^{(x+da)(y+eb)}, K_B = H(σ_B).
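A worked run of the MQV and HMQV key derivations from slides 14 and 16, added here as an example (not code from the talk), on a constructed toy group; it also includes the subgroup membership check that slide 16 notes HMQV does without, so the reader can see what such a test rejects. The group size, the 8-bit hash truncation and the party identities are assumptions.

```python
import hashlib

# Constructed toy group (not secure, illustration only): p = 2q + 1 with p and q
# prime, GEN a generator of the order-q subgroup of Z_p^*.
P, Q = 2039, 1019
GEN = pow(2, (P - 1) // Q, P)  # = 4

def in_subgroup(v: int) -> bool:
    """Membership test (the slide notes HMQV omits it): 1 < v < p and v^q = 1."""
    return 1 < v < P and pow(v, Q, P) == 1

def de_mqv(X: int, Y: int, l: int = 8):
    """MQV: d = 2^l + (X mod 2^l), e = 2^l + (Y mod 2^l)."""
    return (1 << l) + X % (1 << l), (1 << l) + Y % (1 << l)

def de_hmqv(X: int, Y: int, id_a: str, id_b: str):
    """HMQV: d = G(X, B), e = G(Y, A), with G a hash (toy 8-bit output)."""
    def G(*parts):
        h = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
        return int.from_bytes(h, "big") % 256 or 1
    return G(X, id_b), G(Y, id_a)

def kdf(sigma: int) -> str:
    return hashlib.sha256(str(sigma).encode()).hexdigest()

def alice_side(x, a, Y, PK_B, d, e):
    """sigma_A = (Y * PK_B^e)^(x + d*a); K_A = H(sigma_A)."""
    sigma_A = pow(Y * pow(PK_B, e, P) % P, (x + d * a) % Q, P)
    return sigma_A, kdf(sigma_A)

def bob_side(y, b, X, PK_A, d, e):
    """sigma_B = (X * PK_A^d)^(y + e*b); K_B = H(sigma_B)."""
    sigma_B = pow(X * pow(PK_A, d, P) % P, (y + e * b) % Q, P)
    return sigma_B, kdf(sigma_B)

def run(variant: str, a: int, b: int, x: int, y: int) -> dict:
    """One run: long-term exponents a, b; ephemeral exponents x, y."""
    PK_A, PK_B = pow(GEN, a, P), pow(GEN, b, P)
    X, Y = pow(GEN, x, P), pow(GEN, y, P)
    d, e = de_mqv(X, Y) if variant == "mqv" else de_hmqv(X, Y, "Alice", "Bob")
    sigma_A, K_A = alice_side(x, a, Y, PK_B, d, e)
    sigma_B, K_B = bob_side(y, b, X, PK_A, d, e)
    # Both sides should reach g^((x+da)(y+eb)), exactly as the slide's algebra says.
    expected = pow(GEN, (x + d * a) * (y + e * b) % Q, P)
    return {"K_A": K_A, "K_B": K_B, "sigma_A": sigma_A, "sigma_B": sigma_B,
            "expected": expected}

if __name__ == "__main__":
    for v in ("mqv", "hmqv"):
        print(v, run(v, a=5, b=9, x=13, y=21)["K_A"])
```

With p = 2q + 1 the element p - 1 has order 2, so `in_subgroup(P - 1)` is the kind of value a membership test would turn away.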

17 AKE UNDER BAD RANDOMNESS
Case 1: Reset Attacks

18 Example: SIGMA
Reset attack (FC'11): a virtual machine offers snapshot and revert/reset functions. A reset causes randomness reuse; in DSA, randomness reuse → signing key disclosure.
[Figure: Alice/Bob SIGMA message flow.]

19 DSA
Parameters: a large prime p, a prime divisor q of (p-1), g = h^{(p-1)/q} mod p for arbitrary 1 < h < p-1.
Signing key: 0 < x < q. Public key: g^x mod p.
Sign: choose 0 < k < q; r = (g^k mod p) mod q; s = (k^{-1}(H(m) + xr)) mod q; return (r, s).
Reset attack: the same k is used.
s_1 = (k^{-1}(H(m_1) + xr)) mod q
s_2 = (k^{-1}(H(m_2) + xr)) mod q
s_1 / s_2 = (H(m_1) + xr) / (H(m_2) + xr) mod q
x = (H(m_1) s_1^{-1} - H(m_2) s_2^{-1}) / (r s_2^{-1} - r s_1^{-1}) mod q

20 Example: HMQV
Reset attack (Menezes and Ustaoglu, IJACT). Assumption: the HMQV protocol is implemented in a subgroup (with prime order q) of Z_p^*, and (p-1)/q has several small (e.g. less than 2^40) pairwise relatively prime factors t_1, t_2, ..., t_n such that t_1 · t_2 ··· t_n > q.
(HMQV equations as on slide 16.)

21 Example: HMQV
Reset attack (Menezes and Ustaoglu, IJACT), continued:
The adversary corrupts Bob and obtains b.
After receiving (A, B, X) from Alice, the adversary selects Y of order t_1 and sends (B, A, Y) to Alice.
Alice computes σ_A = (Y · PK_B^e)^{x+da} = Y^{x+da} · (PK_B^e)^{x+da} = Y^{x+da} · (X · PK_A^d)^{be}, and K_A = H(σ_A).
The adversary reveals K_A and iteratively computes K' = H(Y^{c_1} · (X · PK_A^d)^{be}) for c_1 = 0, 1, 2, ... until K' = K_A. Then c_1 = x + da mod t_1.
(HMQV equations as on slide 16.)

22 Example: HMQV
Reset attack (Menezes and Ustaoglu, IJACT), continued:
The adversary resets A and repeats the above process for t_2, ..., t_n, obtaining c_i = x + da mod t_i. Then the adversary computes (x + da mod q) by CRT.
The adversary corrupts another party P and repeats the above attack to get (x + d'a mod q).
Given (x + da mod q) and (x + d'a mod q), the adversary computes a.
(HMQV equations as on slide 16.)

23 SIGMA with Deterministic DSA
Countermeasure (FC'11): deterministic DSA. SignKey' = (SignKey, K); randomness = PRF(K, m) for message m. Preserves EUF-CMA security.
[Figure: Alice/Bob message flow.]
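An added example (not from the talk) that implements slide 19's DSA signing and the key-recovery relation that follows when one k signs two messages, next to slide 23's countermeasure, a nonce k = PRF(K, m) with HMAC as the PRF (the candidate slide 28 names). The toy parameters, key values and messages are constructed.

```python
import hashlib
import hmac

# Constructed toy DSA parameters (not secure): q | p - 1 with p, q prime, G of order q.
P, Q = 2039, 1019
G = pow(2, (P - 1) // Q, P)

def H(m: bytes) -> int:
    """Message hash reduced mod q."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q

def dsa_sign(x: int, m: bytes, k: int):
    """r = (g^k mod p) mod q, s = k^-1 (H(m) + x r) mod q, for randomness 0 < k < q."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (H(m) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another k")
    return r, s

def dsa_verify(pk: int, m: bytes, sig) -> bool:
    r, s = sig
    w = pow(s, -1, Q)
    v = pow(G, H(m) * w % Q, P) * pow(pk, r * w % Q, P) % P % Q
    return v == r

def recover_x_from_reused_k(m1: bytes, sig1, m2: bytes, sig2) -> int:
    """Slide 19's consequence of one k signing two messages (same r):
    x = (H(m1) s1^-1 - H(m2) s2^-1) / (r s2^-1 - r s1^-1) mod q."""
    r, s1 = sig1
    _, s2 = sig2
    s1i, s2i = pow(s1, -1, Q), pow(s2, -1, Q)
    num = (H(m1) * s1i - H(m2) * s2i) % Q
    den = (r * s2i - r * s1i) % Q
    return num * pow(den, -1, Q) % Q

def deterministic_k(prf_key: bytes, m: bytes) -> int:
    """Countermeasure: k = PRF(K, m), with HMAC as the PRF; result in (0, q)."""
    t = hmac.new(prf_key, m, hashlib.sha256).digest()
    return 1 + int.from_bytes(t, "big") % (Q - 1)

def sign_deterministic(x: int, prf_key: bytes, m: bytes):
    """SignKey' = (x, K): after a VM reset the same k recurs only for the same m,
    so the signer never emits two different messages under one k."""
    return dsa_sign(x, m, deterministic_k(prf_key, m))
```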

24 Example: HMQV
Open problem: is HMQV resettably secure if a group membership test on X and Y is compulsory?
(HMQV equations as on slide 16.)

25 AKE UNDER BAD RANDOMNESS
Case 2: Adversary-Generated Randomness

26 Assumption
The long-term key is secure.
[Figure: each party runs the AKE algorithm with its long-term key pair, (PK_A, SK_A) or (PK_B, SK_B), and with random bits supplied by the adversary (10110…, 00110…); messages msg 1, msg 2, msg 3, …; each party outputs either Reject (⊥) or Accept with key K.]

27 Example: SIGMA with Deterministic DSA
The adversary controls the DH exponents x and y → the adversary controls the DH key g^{xy}.
Countermeasures? To use deterministic DSA, the long-term key already contains a PRF key K. By the assumption, K is unknown to the adversary. Derive x' = PRF_K(x), and use x' as the DH exponent.
[Figure: Alice/Bob message flow.]

28 Generic Transformation
Always include a PRF key K in the long-term key, and use Rand' = PRF_K(Rand) as the randomness for the AKE protocol.
Theorem (FC'11): if an AKE protocol is secure in Case 1, then the new protocol derived using the above transformation is also secure in Case 2.
Additional notes:
Forward secrecy: possible in Case 1, but not in Case 2.
The converted protocol may lose forward secrecy in Case 1.
To preserve forward secrecy in Case 1, we need {K, PRF_K(Rand)} ≈ {K, U} → the PRF must be a randomness extractor as well.
Candidate for PRF: HMAC.

29 SECURE ROAMING PROTOCOLS

30 Secure Roaming
Roaming: WLAN, telecommunication, ATM/credit card, ...

31 Secure Roaming
GSM and 3GPP: server authentication.
[Figure: roaming message flow.]

32 Secure Roaming
Deposit-case attacks (IEEE TWC'07).
[Figure: attack message flow.]

33 Secure Roaming
Deposit-case attacks (IEEE TWC'07). Attacks against other protocols: more complicated.

34 Secure Roaming: Universal AKE Protocols (IEEE TWC'10)
Idea: ID-based cryptography, with the home server acting as the Key Generation Center.
User authentication: public key of the home server + mobile user identity.
Advantages: the foreign server does not need to contact the home server of a roaming user; the foreign server can use the same protocol and signaling flows to authenticate both local and foreign clients.
Tools: identity-based signature; heterogeneous signcryption (Comp. J.'11).

35 Secure Roaming: Heterogeneous Signcryption (Comp. J.'11)
Identity-based signature + conventional PKE. Avoids the pairing operation. One-pass universal AKE protocol.

36 OTHER AKE PROTOCOLS

37 Multi-Factor AKE Protocols (JCSS'08)
Something you know, something you have, something you are, ...
[Figure: a password (s#2j!5) combined (+) with the other factors, feeding a three-message protocol: msg 1, msg 2, msg 3.]

38 Group AKE Protocols (CANS'10)
Security requirements: authentication; insider security; session key secrecy; forward/backward security; contributiveness; robustness.

39 Thank You
Email: TSLYG@NUS.EDU.SG

