Published in: International Journal of Information Security 4/2013

01.08.2013 | Regular Contribution

Less is more: relaxed yet composable security notions for key exchange

by: C. Brzuska, M. Fischlin, N. P. Smart, B. Warinschi, S. C. Williams


Abstract

Although they do not suffer from clear attacks, various key agreement protocols (for example, the one used within the TLS protocol) are deemed insecure by existing security models for key exchange. The reason is that the derived keys are used within the key exchange step itself, violating the usual key-indistinguishability requirement. In this paper, we propose a new security definition for key exchange protocols that offers two important benefits. Our notion is weaker than the more established ones and thus allows the analysis of a larger class of protocols. Furthermore, security in the sense that we define enjoys rather general composability properties. In addition, our composability properties are derived within game-based formalisms and do not appeal to any simulation-based paradigm. Specifically, we show that protocols whose security relies exclusively on some underlying symmetric primitive can be securely composed with key exchange protocols provided that two main requirements hold: (1) no adversary can break the underlying primitive, even when the primitive uses keys obtained from executions of the key exchange protocol in the presence of the adversary (this is essentially the security requirement that we introduce and formalize in this paper), and (2) the security of the protocol can be reduced to that of the primitive, no matter how the keys for the primitive are distributed. Proving that the two conditions are satisfied and then applying our generic theorem should be simpler than performing a monolithic analysis of the composed protocol. We exemplify our results in the case of a profile of the TLS protocol.


Footnotes

1. In the forward-secure variant, for all tuples \((\mathsf{label},\mathsf{kid},U,V,\mathsf{sid},\mathsf{st}_{\mathsf{exec}},\kappa,\mathsf{st}_{\mathsf{key}})\) with \(\mathsf{st}_{\mathsf{exec}}=\mathsf{running}\) in the list \(\mathcal{L}_G\), the value \(\mathsf{st}_{\mathsf{key}}\) is set to \(\mathsf{revealed}\).

2. A signature scheme which is universally unforgeable under chosen message attack [21].

3. More abstractly, any kind of UNF-CMA certification scheme would work, but we stick to signature-based certificates for the sake of concreteness.
 
References

2. Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Advances in Cryptology-EUROCRYPT 2000, LNCS, vol. 1807, pp. 259–274, Springer (2000)
3. Bellare, M., Boldyreva, A., Palacio, A.: An uninstantiable random-oracle-model scheme for a hybrid-encryption problem. In: Advances in Cryptology-EUROCRYPT 2004, LNCS, vol. 3027, pp. 171–188, Springer (2004)
4. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Advances in Cryptology-ASIACRYPT 2000, LNCS, vol. 1976, pp. 531–545, Springer (2000)
5. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Advances in Cryptology-EUROCRYPT 2000, LNCS, vol. 1807, pp. 139–155, Springer (2000)
6. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Advances in Cryptology-CRYPTO ’93, LNCS, vol. 773, pp. 232–249, Springer (1994)
7. Bellare, M., Rogaway, P.: Provably secure session key distribution: the three party case. In: 27th Symposium on Theory of Computing-STOC 1995, pp. 57–66, ACM (1995)
8. Blake-Wilson, S., Johnson, D., Menezes, A.J.: Key agreement protocols and their security analysis. In: IMA Cryptography and Coding-IMACC 1997, LNCS, vol. 1355, pp. 30–45, Springer (1997)
9. Blake-Wilson, S., Menezes, A.J.: Entity authentication and authenticated key transport protocols employing asymmetric techniques. In: IWSP, LNCS, vol. 1361, pp. 137–158, Springer (1998)
10. Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Advances in Cryptology-CRYPTO ’98, LNCS, vol. 1462, pp. 1–12, Springer (1998)
11. Brzuska, C., Fischlin, M., Warinschi, B., Williams, S.: Composability of Bellare-Rogaway key exchange protocols. In: Conference on Computer and Communication Security-CCS 2011, pp. 51–62, ACM (2011)
13. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Advances in Cryptology-EUROCRYPT 2001, LNCS, vol. 2045, pp. 453–474, Springer (2001)
14. Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels. In: Advances in Cryptology-EUROCRYPT 2002, LNCS, vol. 2332, pp. 337–351, Springer (2002)
15. Canetti, R., Krawczyk, H.: Security analysis of IKE’s signature-based key-exchange protocol. In: Advances in Cryptology-CRYPTO 2002, LNCS, vol. 2442, pp. 143–161, Springer (2002)
16. Canetti, R., Rabin, T.: Universal composition with joint state. In: Advances in Cryptology-CRYPTO 2003, LNCS, vol. 2729, pp. 265–281, Springer (2003)
17. Datta, A., Derek, A., Mitchell, J., Shmatikov, V., Turuani, M.: Probabilistic polynomial-time semantics for a protocol security logic. In: Automata, Languages and Programming-ICALP 2005, LNCS, vol. 3580, pp. 16–29, Springer (2005)
18. Datta, A., Derek, A., Mitchell, J.C., Warinschi, B.: Computationally sound compositional logic for key exchange protocols. In: Computer Security Foundations Workshop-CSFW 2005, pp. 321–334, IEEE Computer Society (2006)
19. Dierks, T., Allen, C.: The TLS Protocol Version 1.2. RFC 4346, April (2006)
20. Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA-OAEP is secure under the RSA assumption. In: Advances in Cryptology-CRYPTO 2001, LNCS, vol. 2139, pp. 260–274, Springer (2001)
21. Goldwasser, S., Micali, S., Rivest, R.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17, 281–308 (1988)
23. Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Advances in Cryptology-CRYPTO 2012, LNCS, vol. 7417, pp. 273–293, Springer (2012)
24. Kaliski, B.: PKCS #1: RSA Encryption Version 1.5. RFC 2313, October (1998)
25. Krawczyk, H.: The order of encryption and authentication for protecting communications (or: How secure is SSL?). In: Advances in Cryptology-CRYPTO 2001, LNCS, vol. 2139, pp. 310–331, Springer (2001)
26. Küsters, R., Tuengerthal, M.: Composition theorems without pre-established session identifiers. In: Conference on Computer and Communication Security-CCS 2011, pp. 41–50, ACM (2011)
27. Maurer, U., Tackmann, B.: On the soundness of authenticate-then-encrypt: formalizing the malleability of symmetric encryption. In: Conference on Computer and Communication Security-CCS 2010, pp. 505–515, ACM (2010)
28.
29. Paterson, K.G., Ristenpart, T., Shrimpton, T.: Tag size does matter: attacks and proofs for the TLS record protocol. In: Advances in Cryptology-ASIACRYPT 2011, LNCS, vol. 7073, pp. 372–389, Springer (2011)
30. Shoup, V.: On formal models for secure key exchange. IBM Research Report RZ 3120 (1999)
Metadata

Publication date: 01.08.2013
Publisher: Springer Berlin Heidelberg
Published in: International Journal of Information Security, Issue 4/2013
Print ISSN: 1615-5262
Electronic ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-013-0192-y