Authenticated Diffie–Hellman key agreement protocol using a single cryptographic assumption L. Harn, W.-J. Hsin and M. Mehta Abstract: In modern communication systems, a popular way of providing authentication in an authenticated Diffie–Hellman key agreement protocol is to sign the result of a one-way hash function (such as MD5) of a Diffie–Hellman public key. The security of such a protocol is based on the weakest of all the cryptographic assumptions of the algorithms involved: Diffie–Hellman key distribution, digital signature and a one-way hash function. If a protocol can be constructed using one cryptographic assumption, it would be at least as secure as that with multiple assumptions. The authors propose three authenticated Diffie–Hellman key-agreement protocols, each of which is based on one cryptographic assumption. In particular, the first protocol is based on a discrete logarithm, the second on an elliptic curve and the third on RSA factoring. The main objective of the paper is to show that the security of a protocol should be assessed at the protocol level as a whole, rather than at the level of individual algorithms that are used to build the protocol. 1 Introduction Authenticated key agreement [Note 1] is a process of verifying the legitimacy of communicating parties and The security of a communication protocol is usually based establishing common secrets among the communicating on one or more assumptions. For example, a key agreement parties for subsequent use (such as data confidentiality and protocol is built on one or more cryptographic assumptions. integrity). Authenticated key agreement is very important A protocol with multiple independent assumptions with a for virtually all secure communication systems such as logic OR relationship (OR-related) is like a house with e-commerce, wireless, wireline and Internet applications. multiple outside doors with different security mechanisms. An authenticated key agreement protocol in general is The more doors a house has, the more ways a thief can constructed using multiple cryptographic algorithms which break into the house, and the weakest security mechanism are based on various cryptographic assumptions. of all is the easiest to overcome. Similarly, the more The most well known assumptions of public-key independent OR-related assumptions a protocol has, the cryptographic algorithms are the computational more ways an attacker can try to attack the protocol and problems of a discrete logarithm (DL) with complexity ð1=3Þ ð2=3Þ the weakest of all is the easiest to try. In other words, when Oðeððln pÞ ðlnðln pÞÞ ÞÞ [1], an elliptic curve (EC) with multiple independent OR-related assumptions are involved, ð1:098þoð1ÞÞn1=3ðln nÞ2=3Þ n the security of a protocol is typically reduced to that of the complexity Oðe Þ,inGFð2 Þ finite fields weakest one. Therefore, for two protocols A and B, where [2], and factoring (RSA) with the same complexity as a DL A is based on multiple independent OR-related crypto- [3]. On the other hand, the security of most well known graphic assumptions and B is based on one of the conventional cryptographic algorithms, such as the one-way assumptions in A, B is at least as secure as A. In this hash functions and block ciphers, is based on the complex- paper, we limit our scope to the area of authenticated key ity of analysing a simple iterated function of multiple agreement protocols and propose three authenticated rounds. These two types of cryptographic assumptions are Diffie–Hellman key agreement protocols, each based on completely different and most of them are even incompa- exactly one cryptographic assumption. Our main objective tible. is to show that when a protocol is built upon several For example, consider the most commonly used algorithms, the security of the protocol should be assessed authenticated Diffie–Hellman key-agreement protocols. In in its entirety, rather than at the level of individual particular, the popular SSL and IPSec standards provide algorithms. such an option. Since the Diffie–Hellman public-key distribution algorithm itself does not provide authentica- tion, the authentication in an authenticated Diffie–Hellman key agreement protocol is usually provided by signing a r IEE, 2005 Diffie–Hellman public key [4, 5]. Thus, it involves at least IEE Proceedings online no. 20041041 three cryptographic algorithms in building this protocol: the doi:10.1049/ip-com:20041041 Paper first received 10th March and in revised form 23rd July 2004 L. Harn and M. Mehta are with the School of Computing and Engineering, Note 1: We use the term ‘authenticated key agreement’ to describe the general University of Missouri - Kansas City, 5100 Rockhill Road, Kansas City, MO idea of key agreement with authentication. The term ‘authentication and key 64110, USA agreement’ (also known as AKA) has been used in 3GPP wireless networks to provide network access security. Our authenticated key agreement can be W.-J. Hsin is with the Information and Computer Science, Park University, applied to secure two-party communication networks. Additionally, AKA in Parkville, MO 64152, USA the 3GPP wireless domain is symmetric-key based whereas ours is public-key E-mail: [email protected] based. 404 IEE Proc.-Commun., Vol. 152, No. 4, August 2005 Authorized licensed use limited to: University of Missouri. Downloaded on February 10, 2009 at 14:39 from IEEE Xplore. Restrictions apply. Diffie–Hellman key-distribution algorithm, a digital signa- proposed protocols can also prevent the attacks often ture and a one-way hash function. This protocol involves at discussed in literature. least two independent cryptographic assumptions. For The work in the literature closest to what we are example, if the digital signature scheme, such as the digital proposing here is by Harn [16],andHarnandLin[10]. signal algorithm (DSA), is DL-based, the above protocol Harn [16] proposed various digital signature schemes (like the ones in [6, 7]) will have two cryptographic without using one-way functions to sign Diffie–Hellman assumptions: one is the DL and the other is the hash public keys. Harn and Lin [10] proposed a protocol that function; if the digital signature scheme is RSA-based, the utilises the digital signature schemes in [16], but the above protocol will have three cryptographic assumptions, proposed protocol provides only shared-key authentication namely, the DL, the RSA and the hash function. The and is restricted to a DL assumption. In this paper, we base security of the protocol would depend on the weakest our work on [16] and propose three one-assumption cryptographic assumption involved. To further elaborate on protocols that can achieve both user authentication and this example, suppose that in this protocol, Diffie–Hellman shared-key authentication. key distribution is based on a 512-bit DL and the digital signature is based on a 1024-bit RSA. According to [3], 2 User authentication versus shared key authen- RSA factoring has same complexity as a DL. Consequently, tication the 512-bit DL can be considered easier to break as compared to the 1024-bit RSA. An attacker can simply User authentication determines the legitimacy of the derive the session key by solving the DL problem from the intended parties in real time. For example, in a client-server exchanged key information and then use it to decipher the application, a service provider needs to ensure the subsequent exchanged messages between the communicat- legitimacy of a user before providing services to the user. ing parties without having to forge the signatures. Thus, in Similarly, a user needs to make sure that the service general, given M independent OR-related cryptographic provider is genuine so that the user is willing to send its assumptions, where M is a positive integer, a protocol with sensitive information (such as a credit card number) to the only one of the M assumptions is at least as secure as that service provider. with all M assumptions. Since communicating parties need a common key to In the existing literature, to our knowledge, there is no encrypt and decrypt data, shared-key authentication makes single-assumption authenticated Diffie–Hellman key-agree- sure that the shared common key is known only to the ment protocol [8]. The IEEE has standardised the intended parties. authenticated key-distribution protocols in the P1363 In a key-agreement protocol without user authentication, standards [9]. Here, following the classification by the IEEE an attacker can misrepresent the identity of an innocent P1363 standards, we propose three authenticated Diffie– party, leading to attacks such as replay, resource exhaustion Hellman key-agreement protocols, each based on one and unknown key-share. In the following, we discuss each cryptographic assumption. of these attacks. In modern communication protocols, there are two types First, for the replay attack, consider the current Internet of authentication, namely, user authentication and shared- environment, where authentication is based on a trusted key authentication. User authentication is to authenticate a third party certificate authority (CA). As a certificate is communicating user in real time. Shared-key authentication public information, an attacker can get hold of an innocent ensures that a shared key is known only to the legitimate user’s public certificate, and along with previously recorded users. A key-agreement protocol without either user exchanged information between innocent parties, the authentication or shared-key authentication is not secure, attacker can impersonate the innocent user, resulting in a leading to many kinds of attacks. Therefore we need both replay attack. Thus, in a protocol without user authentica- user authentication and shared-key authentication. In tion, even with the use of a certificate, impersonation is particular, we need to efficiently and securely integrate possible. both user authentication and shared-key authentication into Secondly, for the resource-exhaustion attack, consider authenticated key-agreement protocols.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages7 Page
-
File Size-