
Key-Exchange Protocol Using Pre-Agreed Session-ID

Key-Exchange Protocol Using Pre-Agreed Session-ID. Kenji Imamoto, Kyushu University, JAPAN. Abstract. Any message through Internet or radio communication can be easily eavesdropped on. Privacy should be considered (especially, this paper considers identity concealment).


Presentation Transcript


  1. Key-Exchange Protocol Using Pre-Agreed Session-ID • Kenji Imamoto, Kyushu University, JAPAN

  2. Abstract • Any message through Internet or radio communication can be easily eavesdropped on • Privacy should be considered (especially, this paper considers identity concealment) • Introduce Pre-Agreed Session ID (PAS) • Identification which is a disposable unique value used for every session to specify each session and party • Formalize security model for key-exchange protocol • Propose a secure key-exchange protocol using PAS • Argue about the problems which arise when PAS is used

  3. Contents • Introduction • Security Model • PAS Protocol • Proof of PAS Protocol • Variants and Discussions • Conclusion

  4. Introduction • Main focus of our study is … • Key-Exchange Protocol using Pre-shared Key • [Figure: Long-term shared secret (held by each party) → Protocol → Short-term secret] • Most existing schemes cannot prevent • Leakage of Users’ Identities

  5. Threat: Leakage of user’s identity • [Figure: Bob → Responder over a public network, message: Bob, E_KB(M); KB: secret key, M: message] • We need another identifiable information • Legitimate user can specify his partner • No attacker can specify who is communicating • [Figure: Bob → Responder over a public network, message: E_KB(Bob, M); Responder: ?; KB: secret key, M: message]

  6. Our Solution • Session ID [CK01, CK02] • Purpose: uniquely name sessions • Assumption: unique among all the session ID • Pre-Agreed Session ID (PAS) • Unique session ID agreed between each peer before activation of the session • Uniquely name a session and parties who participate in the session • References: [CK01] R. Canetti and H. Krawczyk, “Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels”, EUROCRYPT’2001. [CK02] R. Canetti and H. Krawczyk, “Security Analysis of IKE’s Signature-Based Key-Exchange Protocol”, CRYPTO’2002.

  7. Security Model • Existing Model [CK01] (SK-Security) • Consider the security of session key • Our Model (SK-ID-Security), an extension of the existing model • Consider the security of not only session key but also users’ identities

  8. Communication Channel • The channel is Broadcast-type • All messages can be sent to a pool of messages • There is no assumption on the logical connection between the address where a message is delivered and the identity behind that address. • Attacker is a (probabilistic) polynomial-time machine with full control of the communication lines between parties • Free to intercept, delay, drop, inject, or change all messages sent over these lines

  9. Attacker’s Access to Secret Information (session expose) • Session state reveal • Session state for an incomplete session (which does not include long-term secret) • Session-key query • Session-key of a completed session • Party corruption • All information in the memory of the party (including session states, session-key, long-term secrets) • Identity reveal • Parties’ identities that activate a session

  10. Basic Idea of SK-ID-Security (1) • Indistinguishability style [CK01] • The success of an attack is measured via its ability to distinguish the real values from independent random values • [Figure: exchange between Attacker and Oracle] • Attacker: freely choose a complete session as test session • Attacker → Oracle: Query • Oracle: coin toss • If head, response is real • If tail, response is random • Oracle → Attacker: Response (real or random) • Attacker: guess the result of coin toss

  11. Basic Idea of SK-ID-Security (2) • The attacker succeeds in its attack if • The test session is not exposed • The probability of his correct guess of coin toss is significantly larger than 1/2 • Two games against Test session: • Distinction of session-key (real session key or random value) [CK01] • Distinction of pairs (real party or randomly chosen party) • Definition (SK-ID-security): A key-exchange protocol is called SK-ID-secure if for all attackers with the explained capabilities, success probability (in its test-session distinguishing attacks) is not more than 1/2 plus a negligible fraction

  12. Game: Distinction of pairs • [Figure: exchange between Attacker and Oracle] • Attacker: freely choose a complete session as test session • Attacker → Oracle: Query • Oracle: coin toss • If head, response is real • If tail, response is random • Oracle → Attacker: Response (real or random) • Attacker: guess the result of coin toss • Example: parties A, B, C, D, E • A shares PSK with B • C shares PSK with D and E • Random: random choice from all possible pairs that do not include either of the real parties’ ID • [Figure labels: Real: A-B; Random: C-D, C-E, D-E; other pairs shown: A-C, A-D, A-E, B-C, B-D, B-E]

  13. PAS Protocol • $k_0 = \mathrm{PRF}_{g^{xy}}(0)$ % Session key • $k_1 = \mathrm{PRF}_{g^{xy}}(1)$ % • $k_2 = \mathrm{PRF}_{PSK_{ij}}(2)$ • MAC: Message Authentication Code • PRF: Pseudo Random Function • Start message • Response message • Finish message

  14. Proof of PAS Protocol • Main Theorem • Assuming DDH and the security of the underlying cryptographic functions (i.e., MAC and PRF), PAS protocol is SK-ID-secure • Strategy for Proof of Main Theorem • Show that a DDH distinguisher can be built from an attacker that succeeds in distinguishing between a real and a random response to the test-session query

  15. Variants and Discussions (DoS-resilient) • [Figure: User and Adversary both send Requests to the Responder] • Responder cannot respond (even for legitimate users!) • Point: Responder needs to distinguish legitimate requests from wasteful ones at low cost

  16. Protection from DoS attack • [Figure: Bob sends PAS_BR, Request to the Responder; Adversary sends Requests to the Responder] • Request needs a valid PAS • Attacker can guess no valid PAS • Protection from DoS attack • The cost of checking validity of received PAS is equal to only searching in responder’s PAS list.

  17. Conclusion • Introduce Pre-Agreed Session ID (PAS) • Identification which is a disposable unique value used for every session to specify each session and party • Formalize security model for key-exchange protocol • Propose a secure key-exchange protocol using PAS • Argue about the problems which arise when PAS is used • Synchronization of PAS, DoS attack, PFS

  18. Security problems on RFID tags (short introduction) • Sakurai Lab., Kyushu Univ. • Junichiro SAITO, saito@itslab.csce.kyushu-u.ac.jp

  19. What is a Radio Frequency Identification (RFID) tag? • A small and inexpensive microchip that emits an ID in response to a query from a reader • Used as a substitute for a bar code • Management of goods and their circulation, theft detection • Little computational power • Easily readable by a reader • Communication between an RFID tag and a reader can be monitored → Infringement of privacy

  20. Privacy problems • ID leakage • An adversary can eavesdrop ID information • She can read by using a reader • Leakage of information about belongings • ID tracing • If ID information on an RFID tag is fixed, an adversary can trace tag owner's activity • Infringement on location privacy • [Figure: examples of leaked information: price of the suit, ○○ yen in wallet, shoe size]

  21. Our research themes • Location privacy • We can use re-encryption scheme to change ID information • We proposed Re-encryption scheme with a check • Yoking proof and grouping proof • We showed a replay attack against Juels's yoking proof • We proposed secure yoking proof by using a time stamp • Owner changing • After changing owner, the new owner does not want the old owner to be able to read the RFID tag • We proposed a key change scheme for changing owner
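
The responder-side PAS check from slide 16, combined with the key derivations from slide 13, as an added example that is not code from the presentation. The request layout (PAS plus the initiator's g^x), HMAC-SHA256 as the PRF, the toy group, and all names are assumptions; the MAC checks and PAS resynchronisation are left out.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (assumption): NOT a secure DH group.
P = 2**127 - 1
G = 3

def prf(key: bytes, label: int) -> bytes:
    """PRF instantiated with HMAC-SHA256 (assumption; the slides name no PRF)."""
    return hmac.new(key, bytes([label]), hashlib.sha256).digest()

class Responder:
    def __init__(self):
        self.pas_table = {}        # the responder's PAS list: PAS -> (peer, PSK)
        self.exponentiations = 0   # costly work an attacker could try to force

    def provision(self, peer: str, psk: bytes) -> bytes:
        """Agree on a fresh PAS with a peer before the session (hypothetical helper)."""
        pas = secrets.token_bytes(16)
        self.pas_table[pas] = (peer, psk)
        return pas

    def handle_request(self, pas: bytes, gx: int):
        # Cheap gate: one table lookup; pop() makes the PAS disposable.
        entry = self.pas_table.pop(pas, None)
        if entry is None:
            return None            # unknown or replayed PAS: no exponentiation done
        peer, psk = entry          # identity resolved locally, never sent on the wire
        y = secrets.randbelow(P - 2) + 1
        self.exponentiations += 2
        gy, gxy = pow(G, y, P), pow(gx, y, P)
        secret = gxy.to_bytes(16, "big")
        keys = {"k0": prf(secret, 0), "k1": prf(secret, 1), "k2": prf(psk, 2)}
        return peer, gy, keys

def demo():
    r = Responder()
    pas = r.provision("Bob", secrets.token_bytes(32))
    # Constructed flood of guessed PAS values: each costs one failed lookup.
    for _ in range(1000):
        r.handle_request(secrets.token_bytes(16), 2)
    flood_cost = r.exponentiations
    x = secrets.randbelow(P - 2) + 1
    peer, gy, keys = r.handle_request(pas, pow(G, x, P))
    initiator_k0 = prf(pow(gy, x, P).to_bytes(16, "big"), 0)
    replay = r.handle_request(pas, pow(G, x, P))
    return flood_cost, peer, keys["k0"] == initiator_k0, replay
```

Because the PAS is consumed on first use, a legitimate peer needs a fresh one for its next session, which is the synchronisation problem the conclusion slide lists.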
