HOW TO BUILD A SECURE COMMUNICATION CHANNEL
Guomin Yang, Temasek Laboratories, National University of Singapore
Authenticated Key Exchange (AKE)
• Security Goals
  • Mutual Authentication
  • Secure Key Establishment
  • User Anonymity (optional)
(Figure: a three-message exchange, msg 1, msg 2, msg 3, between Alice and Bob, after which both hold the session key K)
Diffie-Hellman Key Exchange
• Diffie-Hellman Assumption: given g^x and g^y, it is computationally infeasible to compute g^{xy}.
• What if the adversary can modify the messages?
(Figure: Alice sends X = g^x, Bob sends Y = g^y; K_A = Y^x = g^{xy}, K_B = X^y = g^{xy})
Man-In-The-Middle Attack
• The adversary is able to derive both K_A and K_B.
(Figure: Alice sends X = g^x, which the adversary replaces with X' = g^{x'}; Bob sends Y = g^y, which the adversary replaces with Y' = g^{y'}. Alice computes K_A = Y'^x = g^{xy'}, Bob computes K_B = X'^y = g^{x'y}, and the encrypted traffic E(K_A, m) / E(K_B, m) passes through the adversary, who holds both keys.)
Outline
• Security Model and Definition
• Two-party AKE: ISO/IEC, SIGMA, (H)MQV
• AKE under Bad Randomness
• Secure Roaming: GSM/3GPP, Universal AKE
• Other AKE Protocols
Adversarial Game
• The adversary controls all the communications and schedules all the sessions
• Each party can have multiple and concurrent sessions
• Additional queries: Session key reveal, Corruption, Test
• Session freshness: no session key reveal, and no corruption before the session terminates
• The Test session must be fresh
• Adv(A) = Pr[A guesses b correctly] − 1/2
• An Authenticated Key Exchange Protocol is secure if Adv(A) is negligible for any PPT adversary A.
A "Bad" Sig-DH Protocol
• Idea: use a digital signature to do authentication
• Secure?
• Eve replaces the last message with … (the replacement is shown only in the slide figure of the Alice/Bob flow)
ISO/IEC IS 9798-3
• Provably Secure (Canetti-Krawczyk, Eurocrypt '01)
• Forward Secrecy
• No User Anonymity
(Figure: protocol flow between Alice and Bob)
SIGMA
• Basis of IKE (RFC 2409) and IKEv2 (RFC 4306)
• Digital Signature: DSA
• MAC: HMAC
• Provably secure (Canetti-Krawczyk, Crypto '02)
• User Anonymity
(Figure: protocol flow between Alice and Bob)
MQV (IEEE P1363)
• Long-term keys: PK_A = g^a, PK_B = g^b
• Implicit Authentication
• Explicit Authentication: use a MAC
(Figure: Alice sends X = g^x, Bob sends Y = g^y)
d = 2^l + (X mod 2^l), e = 2^l + (Y mod 2^l)
σ_A = (Y · PK_B^e)^{x+da} = g^{(x+da)(y+eb)}, K_A = H(σ_A)
σ_B = (X · PK_A^d)^{y+eb} = g^{(x+da)(y+eb)}, K_B = H(σ_B)
Kaliski's Attack
Long-term keys: PK_A = g^a, PK_M = g^c (the adversary M), PK_B = g^b
Flows: Alice → M: (A, B, X = g^x); M → Bob: (M, B, Z); Bob → M: (B, M, Y = g^y); M → Alice: (B, A, Y)
M randomly chooses u and sets d = 2^l + (X mod 2^l), Z = X · PK_A^d · g^{-u}, h = 2^l + (Z mod 2^l), c = u/h
σ_A = (Y · PK_B^e)^{x+da} = g^{(x+da)(y+eb)}, K_A = H(σ_A)
σ_B = (Z · PK_M^h)^{y+eb} = g^{(x+da)(y+eb)}, K_B = H(σ_B)
HMQV
• Long-term keys: PK_A = g^a, PK_B = g^b
• Provably Secure (Krawczyk, Crypto '05)
• Additional features:
  • resilience to the leakage of DH exponents
  • no group membership testing on X or Y
d = G(X, B), e = G(Y, A)
σ_A = (Y · PK_B^e)^{x+da} = g^{(x+da)(y+eb)}, K_A = H(σ_A)
σ_B = (X · PK_A^d)^{y+eb} = g^{(x+da)(y+eb)}, K_B = H(σ_B)
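Added example (not code from the slides or from any standard): a toy implementation of the MQV and HMQV key derivations of the two slides above over a constructed small group, checking that Alice and Bob reach the same key and that it equals the closed form H(g^{(x+da)(y+eb)}); it also adds the subgroup membership check that the HMQV slide says the protocol omits. The group parameters, SHA-256 standing in for H and G, the 2-byte encodings and the identities "Alice"/"Bob" are all assumptions.

```python
import hashlib

# Constructed toy group (NOT secure): safe prime p = 2q + 1, g = 4 of prime order q.
p, q, g = 2039, 1019, 4
l = (q.bit_length() + 1) // 2          # truncation length: half the bit length of q


def mqv_d(X):
    """MQV: d = 2^l + (X mod 2^l), as on the MQV slide (the same formula gives e from Y)."""
    return (1 << l) + (X % (1 << l))


def hmqv_d(X, peer):
    """HMQV: d = G(X, peer), a hash of the ephemeral value and the peer identity, truncated to l bits."""
    digest = hashlib.sha256(X.to_bytes(2, "big") + peer.encode()).digest()
    return int.from_bytes(digest, "big") % (1 << l)


def in_subgroup(X):
    """Membership test for a received X or Y: rejects 1, p-1 and anything outside the order-q subgroup
    (HMQV skips this test; the reset attack on the later slides relies on a Y of small order)."""
    return 1 < X < p and pow(X, q, p) == 1


def derive(Y, PKB, e, x, d, a):
    """One party's side: sigma = (Y * PK_B^e)^(x + d*a), K = H(sigma). Bob calls it with roles swapped."""
    sigma = pow(Y * pow(PKB, e, p) % p, (x + d * a) % q, p)
    return hashlib.sha256(sigma.to_bytes(2, "big")).hexdigest()


def run(variant, a, b, x, y):
    """Run one (H)MQV exchange with long-term exponents a, b and ephemeral exponents x, y.
    Returns (K_A, K_B, K_direct) where K_direct = H(g^((x+da)(y+eb))) is the slide's closed form."""
    PKA, PKB = pow(g, a, p), pow(g, b, p)
    X, Y = pow(g, x, p), pow(g, y, p)        # the only values exchanged on the wire
    if variant == "MQV":
        d, e = mqv_d(X), mqv_d(Y)
    else:                                    # HMQV binds each ephemeral value to the *peer's* identity
        d, e = hmqv_d(X, "Bob"), hmqv_d(Y, "Alice")
    K_A = derive(Y, PKB, e, x, d, a)
    K_B = derive(X, PKA, d, y, e, b)
    sigma = pow(g, ((x + d * a) % q) * ((y + e * b) % q), p)
    return K_A, K_B, hashlib.sha256(sigma.to_bytes(2, "big")).hexdigest()
```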
Example: SIGMA
• Reset Attack (FC '11)
• Virtual Machine: snapshot and revert/reset function
• Reset ⇒ randomness reuse
• DSA: randomness reuse ⇒ signing key disclosure
(Figure: protocol flow between Alice and Bob)
DSA
• Param: a large prime p, a prime divisor q of (p−1), g = h^{(p−1)/q} mod p for arbitrary 1 < h < p−1.
• SignKey: 0 < x < q
• PK: g^x mod p
• Sign:
  • 0 < k < q
  • r = (g^k mod p) mod q
  • s = (k^{-1}(H(m) + xr)) mod q
  • Return (r, s)
• Reset attack: the same k is used
  • s_1 = (k^{-1}(H(m_1) + xr)) mod q
  • s_2 = (k^{-1}(H(m_2) + xr)) mod q
  • s_1 / s_2 = (H(m_1) + xr) / (H(m_2) + xr) mod q
  • x = (H(m_1) s_1^{-1} − H(m_2) s_2^{-1}) / (r s_2^{-1} − r s_1^{-1}) mod q
Example: HMQV
• Long-term keys: PK_A = g^a, PK_B = g^b
• Reset Attack (Menezes and Ustaoglu, IJACT)
• Assumption: the HMQV protocol is implemented in a subgroup (with prime order q) of Z_p^*, and (p−1)/q has several small (e.g. less than 2^40) pairwise relatively prime factors t_1, t_2, …, t_n such that t_1 · t_2 ··· t_n > q.
d = G(X, B), e = G(Y, A)
σ_A = (Y · PK_B^e)^{x+da} = g^{(x+da)(y+eb)}, K_A = H(σ_A)
σ_B = (X · PK_A^d)^{y+eb} = g^{(x+da)(y+eb)}, K_B = H(σ_B)
• The adversary corrupts Bob and obtains b
• After receiving (A, B, X) from Alice, the adversary selects Y of order t_1, and sends (B, A, Y) to Alice
• Alice computes σ_A = (Y · PK_B^e)^{x+da} = Y^{x+da} · (PK_B^e)^{x+da} = Y^{x+da} · (X · PK_A^d)^{be}, K_A = H(σ_A)
• The adversary reveals K_A, and iteratively computes K' = H(Y^{c_1} · (X · PK_A^d)^{be}) for c_1 = 0, 1, 2, … until K' = K_A. Then c_1 = x + da mod t_1
• The adversary resets A, and repeats the above process for t_2, …, t_n and obtains c_i = x + da mod t_i. Then the adversary computes (x + da mod q) by CRT.
• The adversary corrupts another party P, and repeats the above attack to get (x + d'a mod q).
• Given (x + da mod q) and (x + d'a mod q), the adversary computes a.
SIGMA with Deterministic DSA
• Countermeasure (FC '11): Deterministic DSA
  • SignKey' = (SignKey, K)
  • Randomness = PRF(K, m) for message m
  • Preserves EUF-CMA security
(Figure: protocol flow between Alice and Bob)
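Added example (not from the slides, not any library's DSA): a toy DSA over a constructed small group that shows both the DSA slide's reset attack, recovering x from two signatures made with the same k via the formula given there, and this slide's countermeasure, deriving k = PRF(K, m) with HMAC so that a reverted snapshot re-derives a nonce only for the same message. The safe-prime parameters, SHA-256 as the hash, HMAC-SHA256 as the PRF and the sample messages are assumptions.

```python
import hashlib
import hmac

def _is_prime(n):
    return n > 1 and all(n % f for f in range(2, int(n ** 0.5) + 1))

# Constructed toy parameters (NOT secure): the first 20-bit safe prime p = 2q + 1,
# and g = 4 = 2^((p-1)/q) mod p, so g has prime order q as on the DSA slide.
q = next(c for c in range(1 << 20, 1 << 21) if _is_prime(c) and _is_prime(2 * c + 1))
p, g = 2 * q + 1, 4

def H(m):
    """Message digest reduced mod q (SHA-256 stands in for the DSA hash)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q

def sign(x, m, k):
    """DSA with an explicitly supplied nonce k, so that nonce reuse can be shown."""
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (H(m) + x * r) % q
    return r, s

def verify(y, m, sig):
    """Standard DSA verification against the public key y = g^x mod p."""
    r, s = sig
    w = pow(s, -1, q)
    u1, u2 = H(m) * w % q, r * w % q
    return r == (pow(g, u1, p) * pow(y, u2, p) % p) % q

def recover_x(m1, sig1, m2, sig2):
    """Reset attack from the slide: two signatures under the same k leak x as
    x = (H(m1) s1^-1 - H(m2) s2^-1) / (r s2^-1 - r s1^-1) mod q."""
    (r, s1), (_, s2) = sig1, sig2
    inv1, inv2 = pow(s1, -1, q), pow(s2, -1, q)
    num = (H(m1) * inv1 - H(m2) * inv2) % q
    den = (r * inv2 - r * inv1) % q
    return num * pow(den, -1, q) % q

def deterministic_k(K, m):
    """Countermeasure: k = PRF(K, m) with HMAC-SHA256 as the PRF. A reverted VM
    re-derives the same k only for the same message, so signing key does not leak."""
    digest = hmac.new(K, m, hashlib.sha256).digest()
    return 1 + int.from_bytes(digest, "big") % (q - 1)
```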
Example: HMQV
• Long-term keys: PK_A = g^a, PK_B = g^b
• Open problem: is HMQV resettably secure if the group membership test on X and Y is compulsory?
AKE UNDER BAD RANDOMNESS
Case 2: Adversary-Generated Randomness
Assumption
• The long-term key is secure
(Figure: Alice holds (PK_A, SK_A) and Bob holds (PK_B, SK_B); each side's AKE algorithm is fed adversary-chosen randomness (10110…, 00110…); the parties exchange msg 1, msg 2, msg 3, …, and each outputs either Reject (⊥) or Accept with key K)
Example: SIGMA with Deterministic DSA
• The adversary controls the DH exponents x and y ⇒ the adversary controls the DH key g^{xy}
• Countermeasures?
  • To use deterministic DSA, the long-term key contains a PRF key K
  • By the assumption, K is unknown to the adversary
  • Derive x' = PRF_K(x), and use x' as the DH exponent
(Figure: protocol flow between Alice and Bob)
Generic Transformation
• Always include a PRF key K in the long-term key, and use Rand' = PRF_K(Rand) as the randomness for the AKE protocol
• Theorem (FC '11): if an AKE protocol is secure in Case 1, then the new protocol derived using the above transformation is also secure in Case 2.
• Additional notes:
  • Forward secrecy: possible in Case 1, but not in Case 2
  • The converted protocol may lose forward secrecy in Case 1
  • To preserve forward secrecy in Case 1, {K, PRF_K(Rand)} ≈ {K, U}: the PRF must be a randomness extractor as well
  • Candidate for PRF: HMAC
Secure Roaming
• Roaming
  • WLAN
  • Telecommunication
  • ATM/Credit Card
  • ……
Secure Roaming
• GSM
• 3GPP: Server Authentication
Secure Roaming
• Deposit-case Attacks (IEEE TWC '07)
• Attacks against other protocols: more complicated
Secure Roaming
• Universal AKE Protocols (IEEE TWC '10)
• Idea: ID-based Cryptography
  • Home server = Key Generation Center
  • User Authentication: Public Key of the Home Server + Mobile User Identity
• Advantages:
  • Foreign server does not need to contact the home server of a roaming user
  • Foreign server can use the same protocol and signaling flows to authenticate both local and foreign clients
• Tools:
  • Identity-based Signature
  • Heterogeneous Signcryption (Comp. J. '11)
Secure Roaming
• Heterogeneous Signcryption (Comp. J. '11)
  • Identity-Based Signature + Conventional PKE
  • Avoids the pairing operation
• One-pass Universal AKE protocol
Multi-Factor AKE Protocols (JCSS '08)
• Something you know
• Something you have
• Something you are
• ……
(Figure: three-message exchange, msg 1, msg 2, msg 3; the client side combines a password (s#2j!5 in the figure) with the other factors)
Group AKE Protocols (CANS '10)
• Security Requirements
  • Authentication
  • Insider Security
  • Session Key Secrecy
  • Forward/Backward Security
  • Contributiveness
  • Robustness