authenticated key exchange l.
Skip this Video
Loading SlideShow in 5 Seconds..
Authenticated Key Exchange PowerPoint Presentation
Download Presentation
Authenticated Key Exchange

Loading in 2 Seconds...

play fullscreen
1 / 19

Authenticated Key Exchange - PowerPoint PPT Presentation

  • Uploaded on

Authenticated Key Exchange. Definitions MAP matching conversations oracles (I)KA AKEP2 AKEP2 Security Session Keys Perfect Forward Secrecy Adversary Attacks. Presented By: Ashley Bruno & Blayne White. Key Establishment Protocols.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

Authenticated Key Exchange

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
authenticated key exchange
Authenticated Key Exchange
  • Definitions
    • MAP
      • matching conversations
      • oracles
    • (I)KA
  • AKEP2
  • AKEP2 Security
    • Session Keys
    • Perfect Forward Secrecy
  • Adversary Attacks

Presented By:

Ashley Bruno & Blayne White

key establishment protocols
Key Establishment Protocols
  • Cryptographic protocols that establish keys for use by other protocols
    • examples: AKEP2, MAP1, Diffie-Hellman, Station-to-station
  • Principal: a party wishing to establish shared keys
  • Nonce: a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks
definitions cont d
Definitions (cont'd)
  • MAC (ie. Message Authentication Code): the result of a hash function that combines a message with a key
  • Freshness: a key is fresh if it can be guaranteed to be new (Menezes, van Oorschot and Vanstone, 1997)

(probably no longer fresh)

  • An I/O device that responds to every query with a random response chosen uniformly from it's output domain. if given the same input query, the same output response is given.
oracle freshness
Oracle Freshness
  • An oracle is fresh if :
    • It has accepted a session key
    • Its session key has not been given a Reveal query (oracle is “unopened”)
    • There is no opened oracle with whom it has a matching conversation that has accepted the session key.
mutual entity authentication
Mutual Entity Authentication
  • Provides assurance to both entities of the identity of the other entity involved
    • If a pair of oracles has matching conversations, then both oracles accept.
    • The probability of an oracle accepting when it does not have a matching conversation with another oracle is negligible.
matching conversations
Matching Conversations
  • A conversation consists of all messages sent and received by an oracle.
  • Matching Conversations occur when the conversations of both parties are the same when all messages are faithfully delivered from the sender oracle to the receiver oracle, with the exception of the last message, since the initiator cannot know if this last message was received by its partner.
implicit key authentication
(Implicit) Key Authentication
  • Provides assurance that no entity other than a specifically identified entity can gain access to the key.
  • Independent of the actual possession of such key by the second party, or knowledge of such actual possession by the first party
perfect forward secrecy
Perfect Forward Secrecy

It is still desirable to design protocols where past

sessions remain secure.

Perfect forward secrecy: compromise of long-term

keys does not compromise past session keys.

“Forward secrecy” indicates that the secrecy of old

keys is carried forward into the future.

authenticated key exchange protocol 2
Authenticated Key Exchange Protocol 2
  • A three-pass protocol
  • Uses symmetric authentication
  • Uses keyed hash functions instead of encryption
  • Does not rely on atrusted third party (TTP)
  • Provides mutual entity authentication and (implicit) key authentication
  • Provides Perfect Forward Secrecy
  • A and B are principals
  • A and B share two long term symmetric keys: K, K'
  • each protocol run generates fresh nonces: na, nb
  • uses a keyed hash function (MAC): hk and a keyed one-way function: h'k'




A sends a challenge nonce to B.

hk(B,A,na,nb), nb



  • B resonds with hk(B,A,na,nb) and sends it's own challenge nonce.
          • k is the shared key; k = h'k'(nb)




A responds to the challenge nonce with hk(A,nb) to B

akep2 security
AKEP2 Security
  • The intent is to authenticate the principals involved and distribute a session key which will consist of a principal's private output
  • At the end of a secure AKE any adversary should not be able to distinguish a fresh session key from a random element.
ake security session keys
AKE Security: Session Keys
  • The compromise of one of these keys should have minimal consequences.
    • It should not subvert subsequent authentication.
    • It should not leak information about other session keys.
akep2 security16
AKEP2 Security
  • Protocol II is secure if it is a secure mutual authentication protocol. This requires:
      • That two oracles, in the absence of an active adversary, always accept
      • The advantage of a probabilistic polynomial adversary is negligible.
  • The current security definitions give the adversary very strong abilities in corrupting the parties, but they limit his ability to utilize those powers.
attacks allowed by current definitions
Attacks allowed by current definitions
  • Key-compromise impersonation: the adversary reveals a long-term secret key of a party and then impersonates others to this party.
  • An adversary reveals the ephemeral secret key of a party who initiates an AKE session and impersonates the other participant of this session.
attacks allowed cont d
Attacks allowed (cont'd)
  • Two honest parties execute matching sessions, while the adversary reveals ephemeral secret keys of both parties and tries to learn the session key.
  • Two honest parties execute matching sessions, while the adversary reveals long-term keys of both parties prior to the session execution and tries to learn the session key.

However, all four of these attacks are not considered violations of protocol security!

authenticated key exchange19
Authenticated Key Exchange
  • M. Bellare and P. Rogaway.Entity Authentication and key distribution Advances in Cryptology - Crypto 93 Proceedings, Lecture Notes in Computer Science Vol. 773, D. Stinson ed, Springer-Verlag, 1994.
  • Brian LaMacchia, Kristen Lauter, Anton Mityagin. ”Stronger Security of Authenticated Key Exchange.”