Enhancing the Oakley Key Agreement Protocol with Secure Time Information

Pawel Szalachowski and Zbigniew Kotulski
Institute of Telecommunications, the Faculty of Electronics and Information Technology, Warsaw University of Technology, Warsaw, Poland

This work is supported by the National Science Center (NCN), under Grant with decision's number DEC-2011/01/N/ST7/02995.

Abstract—Message freshness and time synchronization are nowadays essential services in secure communication. Many network protocols can work correctly only when freshness of messages sent between participants is assured and when the internal clocks of the protocol's parties are adjusted. In this paper we present a novel, secure and fast procedure which can be used to ensure data freshness and clock synchronization between two communicating parties. Next, we show how this solution can be used in cryptographic protocols. As an example we apply our approach to the Oakley key determination protocol, providing it with time synchronization without any additional communication overhead.

Index Terms—freshness, security protocols, time synchronization, Oakley protocol, cryptographic protocols

I. INTRODUCTION

Freshness is a security property of data which is very important and desired in network communication. This property guarantees protection from variants of the replay attack. We distinguish two types of freshness: weak and strong. Weak freshness provides only partial ordering of messages. This type does not supply any other kind of time information, e.g., a delay. Strong freshness, however, provides total ordering of messages and delay information, so this type of freshness can be obtained in time synchronization protocols.

The scheme presented in this paper addresses the freshness issue and has the ability to synchronize time. It is very light (sending only one short message is required) and it is based on cryptographic hash functions, which are fast constructs. Our proposal can be applied in many existing communication protocols, where small modifications can result in significant advantages. We show them for a popular key agreement protocol, Oakley. Our extension of the Oakley protocol enables, in addition to the standard secret key agreement by two parties, synchronization of their clocks in a cryptographically secure way.

This paper is organized as follows. In Section II we present the related work and in Section III we briefly describe the Oakley protocol, underlining the role of cookies for its functionality. In Section IV we introduce our time refreshment scheme and its implementation in the Oakley protocol. The analysis of security and performance of the approach presented is in Section V, while Sections VI and VII describe the applications of the new protocol and conclusions.

II. RELATED WORK

In practical solutions [1] timestamps, counter values and pseudo-random numbers are used as freshness identifiers. In the case of strong freshness, every time a synchronization message is sent, the sender must disclose his time or another value which he uses to ensure freshness. This is often undesirable in networks with an open medium (e.g. in Wireless Sensor Networks, WSNs) or in dynamic networks, like the Internet. For example, an attacker knowing the time can compromise a pseudorandom number generator (if the time value has been used as a seed, which is a frequent practice). Another case is, e.g., the IP Timestamp in Linux implementations. An attacker knows when a computer was last restarted, so he knows if the restart occurred after some critical system update. Freshness is so important that many cryptographic protocols require assurance of this property. A precise definition of freshness and examples of attacks against it can be found in [2], where the complexity of checking freshness for many different scenarios is also presented. Corin in [3] develops and analyses a model for security protocols that takes time into account. He considers two aspects of the problem: the influence of time on message flow (e.g. timeouts, retransmissions) and time information within the protocol's messages (e.g., a timestamp). Another method for analyzing security protocols with time aspects is presented in [4]. This paper analyses real-time properties of security protocols by a Strand Space-based approach.

Another crucial issue connected with time is time synchronization. Precise time is necessary in many areas of our everyday life. Besides scientific and engineering applications like synchronous measurements, all legal and financial transactions, transport, business and other social activities with distributed resources demand reliable and accurate time. IEEE provides a standard for precise clock synchronization in [5]. It is especially important for applications which require the highest trust level (e.g. electronic documents). Barak in [6] describes an efficient and fault-tolerant clock synchronization method. This is especially important for network communication. The most widespread time synchronization protocol is NTP (The Network Time Protocol) [7]; however, there are many different solutions for specific network environments [8], [9]. For example, the paper [10] presents a scheme for synchronization of a time-of-day clock in nodes of a local area network. In the paper [11] a time synchronization solution for high latency acoustic networks is introduced. The paper [12] presents a time synchronization approach for large decentralized systems. Another example, the WSN, is a very hostile environment for communication protocols. It operates in an open medium and the nodes of the network are hardware-constrained. In such a case there are many opportunities to attack network services. The time synchronization service is also prone to attacks in this environment. Vulnerabilities of this service in sensor networks are presented in [13]. Therefore, these networks especially need secure and very efficient solutions, such as [14]–[16]. Surveys on time synchronization schemes in WSNs are presented in [17], [18].

A protocol which connects freshness with time synchronization, but without actual time disclosure, would be very interesting and helpful in many applications.

III. THE OAKLEY PROTOCOL

Secure key agreement is a very topical and important task for network communications. The Oakley key determination protocol [19] is a generic key agreement protocol. It is widespread in Internet communication because it is often included in the IPsec protocol (more precisely, in the ISAKMP [20]). The goal of Oakley is the establishment of a secret key between two parties communicating through an insecure channel. It is based on the Diffie-Hellman key agreement protocol but it has some additional advantages. The Oakley protocol is scalable and secure. Its main features are presented below:

• the protocol offers strong authentication methods for the parties' identities;
• before authentication, two parties do not have to compute the shared exponentiations, so it is efficient;
• the authentication checks the results of exponen-
• Oakley allows two parties to negotiate the methods of: encryption, key derivation and authentication;
• it allows the two parties to agree on a shared secret without resource-demanding public key encryption;
• several options for the key computation are available;
• the parties can derive a new key from an existing one in a few ways, with the aid of the Diffie-Hellman protocol or without;
• Oakley uses cookies to provide a mechanism which helps to avoid Denial of Service (DoS) attacks. This is presented in detail in the next subsection;
• additionally, the parties can define their own or select the existing mathematical structures for the Diffie-Hellman protocol;
• the protocol allows two parties to use the features that are best suited to their needs and capabilities.

As we can see from the above, the Oakley protocol is very powerful and flexible. However, although it fulfills its usual duties, it may be enhanced with additional functions. Since, like many other popular cryptographic protocols, it omits strong freshness or a time synchronization service, it can be extended with these security services.

The Oakley protocol defines two parties: Initiator and Responder. This is similar to the Client-Server architecture in message exchange services. However, in Oakley the parties contribute equally to the negotiated key. The protocol offers many scenarios for establishing a new secure communication channel; its versions depend on the participants' preferences and capabilities. Although the messages exchanged differ between the protocol's versions, Oakley includes several permanent elements. One of those obligatory elements is a cookie, which will be discussed now as an essential part of our freshness scheme.

Cookies

The Oakley protocol is protected against some kinds of DoS attacks. This is realized by anti-clogging tokens called cookies. The cookies are exchanged between the parties in each version of the protocol as message headers. Since large integer exponentiation is computationally the most expensive step of the protocol, before the parties start its execution they exchange the cookies to ensure that they are legitimate and that they are interested in the protocol's execution. For both parties the cookies act as participants' identifiers and they rely on source addresses.

Another duty of the cookies is key naming. In [19] the cookie of Initiator is denoted by CKY-I and analogously, the