Authenticated Key Agreement without Subgroup Element Verification

Transcription

1 Authenticated Key Agreement without Subgroup Element Verification Taekyoung Kwon Sejong University, Seoul , Korea Abstract. In this paper, we rethink the security of authenticated key agreement and design a new protocol from the practical perspective. Our main focus is on reconsidering the need for real-time checking of random exchange to be in a proper subgroup, and discussing the implication of authenticated key agreement not requiring the subgroup element verification in run time. Keywords: Cryptographic Protocols, Authentication, Authenticated Key Agreement, Small Subgroup Attacks. 1 Introduction Key agreement (or key exchange) protocols are necessary when two (or more) communicating parties wish to contribute information for establishing a new secret key. Neither party is allowed to predetermine the key before exchanging the information. Diffie-Hellman key agreement is the best flavor of public-key cryptography that allows basically two communicating parties Alice and Bob, without sharing any secret a priori, to derive the new secret key over a public channel [9]. During the past decades, Diffie-Hellman has been the most influential building block for such various cryptographic protocols from both theoretical and practical perspectives [3, 6, 11, 13, 19]. Let G be a cyclic group with generator g, for example, a multiplicative group Z p where p is a large prime integer. Alice and Bob choose random integers x and y, respectively, where 1 x, y p 2. They exchange X = g x mod p and Y = g y mod p for computing Y x mod p and X y mod p, respectively. Hereafter, let us omit mod p from the expressions that are obvious in Z p. The derived secret is Z = g xy (= (g y ) x = (g x ) y ). We often refer to the Computational Diffie-Hellman (CDH) problem with regard to security of cryptographic protocols from theoretical aspects. The CDH problem is to compute Z = g xy for given X = g x and Y = g y (say without x and y). It is widely recognized that solving CDH is computationally difficult and is at most as hard as computing discrete logarithms in G [13, 19]. Authenticated key agreement protocols may add implicit or explicit key authentication to Diffie-Hellman [2, 4]. For implicit key authentication, each party should be assured that no other party aside from a specifically identified counterpart can possibly learn the secret key. For explicit key authentication, the party

2 2 T. Kwon should additionally be assured that the counterpart may actually possess the secret key through key confirmation. In this paper, we mean by two-pass protocols that implicit key authentication is only provided while we does by three-pass protocols that explicit key authentication is provided for both parties. The rest of this paper is organized as follows: Section 2 describes the motivation of our paper. Section 3 presents the proposed protocol while Section 4 analyzes it. This paper is concluded in Section 5. 2 Motivation 2.1 Small Subgroup Attacks Aside from the theoretical security aspects of Diffie-Hellman, there are many practical concerns about protocol attacks. For example, an active attacker may replace X and Y respectively with X q and Y q where p = Rq + 1 for small R, so that Z is forced to lie in a small order subgroup. The attacker can also replace X and Y with arbitrary small subgroup elements, even if g is set as large prime order q. Most of such attacks can be prevented by authenticating the random exchange [3, 6, 19]. However, it is not enough in many cases. In the key recovery attack, a small subgroup is exploited for finding partial bits of one s secret [11]. Suppose that A = g a and B = g b are respectively the certified public keys of Alice and Bob. Alice may set X = αg x for a small subgroup element α, for example, in the MTI/A0 authenticated key agreement protocol that Alice and Bob should have agreed on K = Y a B x and K = X b A y respectively. Thus Alice can find partial bits β = b mod ord(α) from checking K? = α β K in O(2 ord(α) ) steps, where ord(α) means the order of α [11]. In many protocols, this attack can be prevented by having g of large prime order and checking the random exchange to lie in the large prime order subgroup properly (X q =? 1), while such verification requires additional costs [6, 11]. 2.2 Desirable Properties of Key Agreement Protocols It is essential for secure protocols to withstand both passive attacks and active attacks. Passive attacks are where an adversary attempts to prevent a protocol from achieving its goal by merely observing honest entities carrying out the protocol. Active attacks are where an adversary additionally subverts the communications themselves in any way possible, for example, by injecting, intercepting, replaying, or altering messages. In addition to key authentication and confirmation, there are a number of desirable attributes of key agreement protocols[4]. 1. known session keys A protocol achieves its goal even if an adversary learned some previous session keys. 2. (perfect) forward secrecy The secrecy of previous session keys is not affected even if long-term secrets such as private-keys of one or more entities are compromised.

3 Authenticated Key Agreement without Subgroup Element Verification 3 3. unknown key-share A party A cannot be coerced into sharing a key with the specified counterpart B without A s knowledge, i.e., when A believes sharing with C B. 4. key-compromise impersonation Suppose A s long-term secret such as privatekey is disclosed. An adversary is able to impersonate A through the disclosed secret. However, this loss must not enable an adversary to impersonate other parties to A. 5. loss of information Compromise of other information that would not ordinarily be available to an adversary does not affect the security of the protocol, for example, by loss of g s As B where s i represents party i s long-term secret. 6. key control Neither party is able to force the session key to a preselected value, for example, a small subgroup confinement[18] and key recovery attack[11]. Desirable performance attributes are low overheads of computation and communication[4]. 3 New Protocol We design a new authenticated key agreement protocol that is secure and efficient without verifying the random exchange to have large prime order. Assume the public keys A = g a and B = g b are certified by an authority, and manipulated with respective identities I A and I B. 1. Alice and Bob exchange X = g x and Y = g y, respectively, where 1 < X, Y < p. 2. They compute K = (Y B e B ) (x+aea)e and K = (XA e A ) (y+beb)e, respectively, where e = h(0, I A, I B, X, Y ), e A = h(1, I A, I B, X, Y ) and e B = h(2, I A, I B, X, Y ) for a strong one-way hash function h(). Note that the bit-length of e A and e B can be adjusted to be shorter. It is obvious that K = K = g (xy+xbe B+aye A +abe A e B )e and they are implicitly authenticated due to A and B. For explicit authentication and key confirmation, we can augment it to three passes that exchange h(3, I B, I A, Y, X, K ) and h(4, I A, I B, X, Y, K) [3]. Note also that the simultaneous exponentiation method [14] can be applied in the way that K = Y (x+ae A)e B (x+ae A)ee B and K = X (y+be B)e A (y+be B)ee A. Let us use specifically when we imply simultaneous exponentiation. 4 Analysis 4.1 Security Analysis It might be easy to observe that our authenticated key agreement protocol satisfies all of the desirable security attributes listed in [3] and [6]. Among them, we first show that our scheme satisfies known-key security and forward secrecy, by making a simple reduction from the standard assumption on CDH.

4 4 T. Kwon Suppose P is a probabilistic polynomial time algorithm that breaks our protocol by answering K correctly to a query X, Y, A, B for A and B, with probability ɛ. Given X and Y, we show that we can compute Z = g xy by using P, with probability ε ɛ in polynomial time. Let r i be chosen at random from [1, p 2]. We input A r 0, B r 1, A, B to P so that P outputs K 1 = (g abr 0r 1 g abr 0e B1 g abr 1e A1 g abe A1e B1 ) e 1 = g abe 1(r 0 r 1 +r 0 e B1 +r 1 e A1 +e A1 e B1 ) for e 1 = h(0, I A, I B, A r0, B r1 ), e A1 = h(1, I A, I B, A r0, B r1 ) and e B1 = h(2, I A, I B, A r0, B r1 ). We then compute C 1 = K {e 1(r 0 +e A1 )(r 1 +e B1 )} 1 1 = g ab. Similarly, we input X r2, B r3, A, B and A r4, Y r5, A, B to P so that P outputs respectively K 2 = (g xbr 2r 3 g xbr 2e B2 g abr 3e A2 g abe A2e B2 ) e 2 = g (xbr 2+abe A2 )(r 3 +e B2 )e 2 and K 3 = g (ayr 5+abe A3 )(r 4 +e B3 )e 3 for e 2 = h(0, I A, I B, X r 2, B r 3 ), e 3 = h(0, I A, I B, A r 4, Y r 5 ), and similarly for e A2, e B2, e A3, and e B3. We then compute C 2 = K {e 2r 2 (r 3 +e B2 )} 1 2 e A2 2 C r 1 1 = g xb and C 3 = K {e 3r 5 (r 4 +e B3 )} 1 3 C r 1 5 e A3 1 = g ay. Finally we input X, Y, A, B to P so that P outputs K = (g xy g xbe B g aye A g abe Ae B ) e. We then compute Z = K e 1 C e Ae B 1 C e B 2 C e A 3 = g xy, so as to solve the CDH problem for given X and Y with probability ε ɛ in polynomial time. Thus we can say our scheme enjoys the benefit of Diffie-Hellman in a way that a compromised session key does not expose other session keys, while a compromised long-term key does not disclose previous session keys as well. Our protocol is secure against the key-compromise impersonation and loss of information attacks due to X b and Y a embedded in K = g (xy+xbe B+aye A +abe A e B )e. For example, an adversary compromising Alice s private key a cannot impersonate Bob to Alice due to the required computation of X b, while loss of either information in K old, A, B, g ab does not affect the secrecy of K new. We examine the unknown key-share attack that allows Malice to make one party believe K to be shared with Malice while it is in fact shared with a different party [3, 6]. A common scenario is that Malice has M = g a certified without knowing the private key a of Alice, and uses it to talk with Bob as Malice while she poses as Bob to Alice simultaneously. Our protocol is secure against this attack because, for e, we have h(i A, I B, X, Y ) h(i M, I B, X, Y ) in computing each K. Note that the closest relative, MQV protocol, is vulnerable to this attack [3, 6]. Finally we show that our scheme is secure against small order subgroup attacks specifically without verifying the random exchange to have large prime order in real time. (1) A middle-person attacker may replace X and Y with X w and Y w, respectively, where w = p 1 r for small factor r of p 1. However, Alice and Bob should respectively have to agree on K = (Y w ) (x+aea)e B (x+ae A)e and K = (X w ) (y+beb)e A (y+beb)e. The attacker cannot guess K without obtaining g ab and so on, while the keys are not eventually agreed, say K K. (2) An inside attacker Alice, without loss of generality, may set X = αg x for a small subgroup element α. She then utilizes a message encrypted under K or key confirmation h(3, I B, I A, Y, X, K ) of Bob for deriving partial bits in O(2 ord(α) ) steps. However, the partial bits might be set as β = (y + be B )e mod ord(α), not for the long-term private key b only, since Bob has obtained

5 Authenticated Key Agreement without Subgroup Element Verification 5 K = α (y+be B)e g (xy+xbe B+aye A +abe A e B )e while K = g (xy+xbe B+aye A +abe A e B )e. It is negligible to derive partial bits of b without knowing y. It is also negligible to set A = αg x intentionally since a certificate authority might have declined it. 4.2 Efficiency Analysis We have removed the obligation for the protocol parties to check the random exchange to have large prime order in real time, since such verification is expensive by requiring one modular exponentiation in G, for example, X q? = 1. This operation is enormous specifically when we set p as a safe prime such that p = 2q + 1 for large prime q. Thus, our protocol might be very efficient as well as secure. The required computations are certificate verification of A and B, and modular exponentiations in G for computing X, K and Y, K in respective sides, while X and Y can be pre-computed. Suppose that A and B are already verified, and X and Y are pre-computed by respective parties. This assumption can be considerable for various practical applications. Both Alice and Bob are then able to conduct authenticated key agreement in real time with only one simultaneous exponentiation in G, when we ignore a singular modular multiplication. Note that the simultaneous exponentiation is only about 25% more costly than a single exponentiation. Though we have chosen Z p or its large prime order subgroup for wide acceptance, it is also considerable to use a different cyclic group G such as an elliptic curve group for more spatial efficiency and easier manipulation with shorter private keys. 5 Conclusion The main goal of this study is to rethink the security of authenticated key agreement against the small subgroup attacks, and to design a new practical protocol that is secure against the related attacks without checking the random exchange to have large prime order. The proposed protocol is eventually close to MQV [3, 6]. However, our protocol is secure against the unknown-key share attack as well as is released from real-time checking of random exchange to have large prime order. We believe these properties must be beneficial to practical use. References 1. M. Abadi and M. Tuttle, A semantics for a logic of authentication, In Proc. of the ACM Symposium on Principles of Distributed Computing, pp , August S. Blake-Wilson, D. Johnson and A. Menezes, Key agreement protocols and their security analysis, In Proc. of IMA International Conference on Cryptography and Coding, December S. Blake-Wilson and A. Menezes, Authenticated Diffie-Hellman key agreement protocols, SAC 98, Lecture Notes in Computer Science, vol. 1556, pp , 1999.

6 6 T. Kwon 4. S. Blake-Wilson and A. Menezes, Unknown key-share attacks on the station-tostation (STS) protocol, PKC 99, Lecture Notes in Computer Science, vol. 1560, Springer-Verlag, pp , C. Boyd and W. Mao, On a limitation of BAN logic, Lecture Notes in Computer Science, vol. 765, Springer-Verlag, pp , C. Boyd and A. Mathuria, Protocols for authentication and key establishment, Springer-Verlag, pp , M. Burrows, M. Abadi, and R. Needham, A logic of authentication, Technical Report SRC RR 39, Digital Equipment Corporation, Systems Research Center, February D. Denning and G. Sacco, Timestamps in key distribution protocols, Communications of the ACM, vol. 24, no. 8, pp , August W. Diffie and M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, vol.22, no.6, pp , November L. Gong, R. Needham, and R. Yahalom, Reasoning about belief in cryptographic protocols, In Proc. of the IEEE Symposium on Research in Security and Privacy, pp , C. Lim, and P. Lee, A key recovery attack on discrete log-based schemes using a prime order subgroup, CRYPTO 97, LNCS 1294, pp , T. Matsumoto, Y. Takashima, and H. Imai, On seeking smart public-key distribution systems, Trans. of IEICE, E69, pp , U. Maurer, and S. Wolf, Diffie-Hellman oracles, CRYPTO 96, LNCS 1109, pp , A. Menezes, P. van Oorschot and S. Vanstone, Handbook of applied cryptography, CRC Press,Inc., pp , R. Needham and M. Schroeder, Using encryption for authentication in large networks of computers, Communications of the ACM, vol. 21, no. 12, pp , D. Song, Athena: a new efficient automatic checker for security protocol analysis, In Proc. of the IEEE Computer Security Foundation Workshop, pp , P. Syverson and P. van Oorschot, A unified cryptographic protocol logic, NRL Publication , Naval Research Lab, P. van Oorschot, Extending cryptographic logics of belief to key agreement protocols, In Proc. of the ACM Conference on Computer Communications Security, pp , P. Van Oorschot and M. Wiener, On the Diffie-Hellman key agreement with short exponents, EUROCRYPT 96, LNCS 1070, pp , 1996.