Computer Standards & Interfaces 29 (2007) 467 – 470 www.elsevier.com/locate/csi
Vulnerabilities of generalized MQV key agreement protocol without using one-way hash functions

Kyung-Ah Shim ⁎
Department of Mathematics, Ewha Womans University, 11-1 Daehyun-dong, Seodaemun-gu, Seoul, 120-750, Korea

Received 29 December 2005; received in revised form 10 November 2006; accepted 11 November 2006. Available online 5 January 2007.

Abstract

The MQV protocol is the first authenticated key agreement protocol that uses a digital signature to sign Diffie–Hellman public keys without using any one-way hash function. Based on the MQV protocol, Harn and Lin proposed an authenticated multiple-key agreement protocol that enables two parties to establish multiple common secret keys in a single protocol run, but the protocol was subsequently found to be flawed. Tseng proposed a new generalized MQV key agreement protocol without one-way hash functions to overcome the weaknesses of the Harn–Lin protocol. Recently, Shao showed that Tseng's protocol is insecure against signature forgery attacks and proposed an improved authenticated multiple-key agreement protocol to resist them. In this paper we show that Shao's protocol is vulnerable to unknown key-share attacks. We also point out another potential weakness of the protocol.

© 2006 Elsevier B.V. All rights reserved.

Keywords: Cryptography; Authenticated key agreement; Multiple-key agreement protocol; Digital signature; Unknown key-share attack
1. Introduction

Key establishment is the process by which two or more entities establish a shared secret key. The key is subsequently used to achieve cryptographic goals such as confidentiality or data integrity. The Diffie–Hellman key agreement protocol [5] is the first practical solution to the key distribution problem, allowing two parties who have never met in advance or shared keying material to establish a shared secret by exchanging messages over an open channel. But it suffers from the man-in-the-middle attack because it does not attempt to authenticate the communicating entities. To overcome this shortcoming, numerous protocols have been proposed [14,4,11,12,9,18]. Many of these protocols were subsequently found to be flawed [4,13,17] and were then either modified to resist the new attacks or abandoned altogether.

In 1995, Law et al. [11] proposed the MQV key agreement protocol, the first key agreement protocol that signs Diffie–Hellman public keys without using one-way hash functions. But Kaliski [10] showed that the MQV protocol is vulnerable to the on-line unknown key-share attack. Nevertheless, it has been standardized, or is in the process of being standardized, in the international standards ANSI X9.42 [1], ANSI X9.63 [2] and IEEE P1363 [8]. In 1998, Harn and Lin [6] proposed a generalized MQV protocol, i.e., an authenticated multiple-key agreement protocol which enables two parties to establish multiple common secret keys in a single protocol run. Later, Yen and Joye [21] showed that the Harn–Lin protocol is not secure because an attacker can forge a short-term public key pair that passes the verification equation, and they proposed an improved protocol to resist the attack. However, Wu et al. [20] pointed out that the Yen–Joye protocol still has the same weakness as the Harn–Lin protocol, and proposed a modified protocol to enhance its security. Nevertheless, that protocol violated the original goal of the Harn–Lin protocol that no one-way hash function should be used in the authenticated key agreement protocol. In 2001, Harn and Lin [7] also proposed a modified protocol in which they attempted to show that two attacks on the Harn–Lin protocol [6] can easily be avoided by modifying the signature signing equation. Subsequently, Yen et al. [22] proposed an improved protocol that is secure against replay attacks by using time stamps. Tseng [19] also proposed a new protocol without one-way hash functions to overcome the known weaknesses. Recently, Shao [17] showed that Tseng's protocol is insecure against signature forgery attacks and proposed an improved protocol to resist the attacks. In this paper we show that Shao's protocol is vulnerable to unknown key-share attacks. We also point out another potential weakness of the protocol.

The remainder of this paper is organized as follows. In Section 2, we review Shao's authenticated multiple-key agreement protocol. In Section 3, we point out its vulnerability to off-line unknown key-share attacks. Section 4 describes another potential weakness that arises when certain secret information is compromised. A concluding remark is given in Section 5.

⁎ Tel.: +82 2 3277 2292. E-mail address: [email protected].
0920-5489/$ - see front matter © 2006 Elsevier B.V. All rights reserved. doi:10.1016/j.csi.2006.11.002
K.-A. Shim / Computer Standards & Interfaces 29 (2007) 467–470
2. Review of Shao's authenticated multiple-key agreement protocol

We first review Shao's protocol [17]. The system authority publishes a large prime $p$ and a primitive element $g$ of order $p-1$ in $GF(p)$. We assume that A and B want to establish four secret keys in a protocol run. The long-term public/private key pairs of A and B are $(y_A, x_A)$ and $(y_B, x_B)$, where $y_A = g^{x_A} \bmod p$ and $y_B = g^{x_B} \bmod p$. We henceforth omit the operation "mod p". We assume that long-term public keys are exchanged via certificates, where $Cert_A$ denotes A's public-key certificate, containing a string of information that uniquely identifies A, her static public key $y_A$ and a certifying authority CA's signature over this information. The protocol runs as follows:

1. A selects two random integers $k_{A1}$ and $k_{A2}$, called short-term secret keys, and computes the short-term public keys $r_{A1} = y_B^{k_{A1}}$ and $r_{A2} = y_B^{k_{A2}}$, such that $0 < r_{A1}, r_{A2} < (p-1)/2$. Then A computes $r_A = g^{k_{A1}+k_{A2}}$ and generates its signature $s_A$ on $\{r_{A1}, r_{A2}\}$ as follows:
   $$s_A = x_A \cdot r_A - (r_{A1} + r_{A2}) \cdot (k_{A1} + k_{A2}) \bmod (p-1).$$
   Next, A sends the authenticated message $\{r_{A1}, r_{A2}, s_A, Cert_A\}$ to B.
2. Similarly, B chooses $k_{B1}$ and $k_{B2}$ and computes $r_{B1} = y_A^{k_{B1}}$, $r_{B2} = y_A^{k_{B2}}$, $r_B = g^{k_{B1}+k_{B2}}$ and
   $$s_B = x_B \cdot r_B - (r_{B1} + r_{B2}) \cdot (k_{B1} + k_{B2}) \bmod (p-1).$$
   Then B sends $\{r_{B1}, r_{B2}, s_B, Cert_B\}$ to A.
3. After receiving the message from B, A computes $r_B = (r_{B1} \cdot r_{B2})^{x_A^{-1}}$ and verifies B's signature by checking
   $$y_B^{r_B} = r_B^{(r_{B1}+r_{B2})} \cdot g^{s_B}.$$
   If the verification holds, A computes four common secret keys as follows:
   $$K_1 = r_{B1}^{x_A^{-1} k_{A1}} = g^{k_{A1} k_{B1}}, \quad K_2 = r_{B1}^{x_A^{-1} k_{A2}} = g^{k_{A2} k_{B1}},$$
   $$K_3 = r_{B2}^{x_A^{-1} k_{A1}} = g^{k_{A1} k_{B2}}, \quad K_4 = r_{B2}^{x_A^{-1} k_{A2}} = g^{k_{A2} k_{B2}}.$$
4. Similarly, B computes $r_A = (r_{A1} \cdot r_{A2})^{x_B^{-1}}$ and verifies A's signature by checking
   $$y_A^{r_A} = r_A^{(r_{A1}+r_{A2})} \cdot g^{s_A}.$$
   Finally, B also computes the four common secret keys:
   $$K_1 = r_{A1}^{x_B^{-1} k_{B1}} = g^{k_{A1} k_{B1}}, \quad K_2 = r_{A2}^{x_B^{-1} k_{B1}} = g^{k_{A2} k_{B1}},$$
   $$K_3 = r_{A1}^{x_B^{-1} k_{B2}} = g^{k_{A1} k_{B2}}, \quad K_4 = r_{A2}^{x_B^{-1} k_{B2}} = g^{k_{A2} k_{B2}}.$$
3. Unknown key-share attacks on Shao's protocol

In this section, we show that Shao's protocol is insecure against unknown key-share attacks. We first recall the definition of unknown key-share attacks.

3.1. Unknown key-share attacks

An unknown key-share attack on an authenticated key agreement protocol [3,4] is an attack whereby an entity A ends up believing she shares a key with B, and although this is in fact the case, B mistakenly believes the key is instead shared with an entity E ≠ A. In this scenario, we say that B has been led to false beliefs. Unknown key-share (UK-S) attacks can be divided into the following types:

• Public key substitution UK-S attacks: An adversary E registers A's public key $y_A$ as its own, i.e., $y_A = y_E$. When A initiates a protocol with B, E replaces the identity A and certificate $Cert_A$ with E and $Cert_E$. It is known that STS-MAC and STS-ENC are vulnerable to these attacks [3].
• On-line UK-S attacks: Requiring an on-line CA, an adversary gets its public key certified during a protocol run, after observing the transmitted message. The attacks on STS-MAC [3] and on the MQV protocol [10] are typical examples.
• (Off-line) UK-S attacks: Without observing the transmitted message, an adversary gets its public key certified before the execution of the protocol in order to mount the attack.

3.2. Off-line unknown key-share attacks on Shao's protocol

Now we show that Shao's protocol is insecure against off-line unknown key-share attacks. We assume that an adversary E has a certificate $Cert_E$ for a long-term public key $y_E = g^{x_E}$. Unlike the on-line unknown key-share attack on the MQV protocol [10], this UK-S attack requires no on-line CA, and E knows the long-term private key $x_E$ corresponding to $y_E$. The attack on Shao's protocol can be mounted as follows:

(1.1)  A → E(B): $\{r_{A1}, r_{A2}, s_A, Cert_A\}$
(1.1)′ E → B: $\{r_{E1}, r_{E2}, s_E, Cert_E\}$
(1.2)′ B → E: $\{r_{B1}, r_{B2}, s_B, Cert_B\}$
(1.2)  E(B) → A: $\{r_{B1}, r_{B2}, s_B, Cert_B\}$

1. When A initiates a protocol run with B by sending the message $\{r_{A1} = y_B^{k_{A1}}, r_{A2} = y_B^{k_{A2}}, s_A, Cert_A\}$, the adversary E intercepts it.
2. E chooses a random $k$ and writes $k = k_{A1} + k'$. Note that neither $k_{A1}$ nor $k'$ is known to E. However, E can obtain $y_B^{k'}$ by computing $y_B^{k} \cdot (r_{A1})^{-1} = y_B^{k - k_{A1}}$. E takes $r_{E1}$ and $r_{E2}$ to be $r_{A1}$ and $y_B^{k'}$, respectively. Then E computes $r_E = g^{k}$ and her own signature
   $$s_E = x_E \cdot r_E - (r_{E1} + r_{E2}) \cdot k \bmod (p-1)$$
   on $\{r_{E1} = y_B^{k_{A1}}, r_{E2} = y_B^{k'}\}$, and sends $\{r_{E1}, r_{E2}, s_E, Cert_E\}$ to B.
3. After receiving message (1.1)′, B believes that the protocol run was initiated by E. B computes $r_E = (r_{E1} \cdot r_{E2})^{x_B^{-1}}$ and verifies E's signature using E's public key $y_E$ from $Cert_E$. The verification equation
   $$y_E^{r_E} = r_E^{(r_{E1}+r_{E2})} \cdot g^{s_E}$$
   always holds, since $s_E$ is E's valid signature on $\{r_{E1}, r_{E2}\}$ and $k$ equals $k_{A1} + k'$. Then B responds by sending message (1.2)′ to E, which forwards it to A as message (1.2).
4. Finally, after verifying B's signature, A computes the four session keys
   $$K_1 = r_{B1}^{x_A^{-1} k_{A1}} = g^{k_{A1} k_{B1}}, \quad K_2 = r_{B1}^{x_A^{-1} k_{A2}} = g^{k_{A2} k_{B1}},$$
   $$K_3 = r_{B2}^{x_A^{-1} k_{A1}} = g^{k_{A1} k_{B2}}, \quad K_4 = r_{B2}^{x_A^{-1} k_{A2}} = g^{k_{A2} k_{B2}}.$$
   Also, B computes the session keys
   $$K_1 = r_{E1}^{x_B^{-1} k_{B1}} = g^{k_{A1} k_{B1}}, \quad K_2 = r_{E2}^{x_B^{-1} k_{B1}} = g^{k' k_{B1}},$$
   $$K_3 = r_{E1}^{x_B^{-1} k_{B2}} = g^{k_{A1} k_{B2}}, \quad K_4 = r_{E2}^{x_B^{-1} k_{B2}} = g^{k' k_{B2}}.$$

Consequently, A and B share two of the four session keys, namely $K_1 = g^{k_{A1} k_{B1}}$ and $K_3 = g^{k_{A1} k_{B2}}$ (the two derived from $r_{E1} = r_{A1}$), and A thinks that these session keys are shared with B, while B mistakenly believes that he shares them with E. Thus, the UK-S attack on two of the four session keys is successfully mounted. If A and B use these two session keys for subsequent communications, the serious consequences described in [3] will follow. This attack exploits the fact that a user's signature on $\{r_{A1} = y_B^{k_{A1}}, r_{A2} = y_B^{k_{A2}}\}$ contains a factor of the form $(k_{A1} + k_{A2})$. This property allows an adversary to generate a value $y_B^{k'}$ related to $r_{A1}$ without knowledge of $k'$. The weakness against off-line UK-S attacks is due to the facts that (i) anyone who does not know the short-term secret key $k_{A1}$ corresponding to $r_{A1} = y_B^{k_{A1}}$ can nevertheless generate her own signature on a message containing $r_{A1}$, and (ii) the cryptographic messages lack explicitness, i.e., the signed messages of the protocol do not include specific information confirming that the sender is identical to the genuine communicating entity.

4. Another weakness of Shao's protocol

We say that a protocol achieves forward secrecy if the compromise of the long-term private keys of one or more entities does not affect the secrecy of session keys previously established by honest entities. Shao's protocol achieves forward secrecy. However, we show that it has the following potential weakness: the compromise of the long-term private keys together with one session key of a protocol run reveals the other three session keys of that run. Suppose that A's long-term private key $x_A$ and B's long-term private key $x_B$ are compromised to an adversary E. Then E can obtain some equations related to each user's short-term secret keys. Indeed, E, who knows $x_B$, can compute $r_A = (r_{A1} \cdot r_{A2})^{x_B^{-1}}$ and the following equations:
$$x_A \cdot r_A - s_A = (r_{A1} + r_{A2}) \cdot (k_{A1} + k_{A2}),$$
$$k_{A1} + k_{A2} = (x_A \cdot r_A - s_A) \cdot (r_{A1} + r_{A2})^{-1} \pmod{p-1}.$$

Similarly, E can obtain the value $k_{B1} + k_{B2}$ from $x_B$, $s_B$ and the ephemeral public keys $r_{B1}$ and $r_{B2}$. From these values, E can compute the following:
$$r_{A1}^{x_B^{-1}(k_{B1}+k_{B2})} = (g^{k_{A1}})^{k_{B1}+k_{B2}} = g^{k_{A1} k_{B1} + k_{A1} k_{B2}} \quad (1)$$
$$r_{B1}^{x_A^{-1}(k_{A1}+k_{A2})} = (g^{k_{B1}})^{k_{A1}+k_{A2}} = g^{k_{A1} k_{B1} + k_{A2} k_{B1}} \quad (2)$$
$$r_{B2}^{x_A^{-1}(k_{A1}+k_{A2})} = (g^{k_{B2}})^{k_{A1}+k_{A2}} = g^{k_{A1} k_{B2} + k_{A2} k_{B2}} \quad (3)$$
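The following Python script is an added example; it is not code from this paper or from Shao's protocol [17]. It models the protocol of Section 2 in a constructed toy group ($p = 1019$, $g = 2$; far too small for real use), runs one honest exchange between A and B, checks both verification equations and that A and B derive the same $K_1, \ldots, K_4$, and then reproduces the Section 4 relations (1)–(3): given $x_A$, $x_B$ and $K_1$, it recovers $K_2$, $K_3$ and $K_4$. The long-term keys $x_A = 123$ and $x_B = 457$, the helper `choose_ephemeral_pair`, and its extra requirement that $r_{A1} + r_{A2}$ be invertible modulo $p-1$ (needed for the inversion in the Section 4 formula) are assumptions of this example.

```python
"""Toy model of Shao's multiple-key agreement protocol (Section 2) and of the
key-relation weakness of Section 4.  Added example; not the paper's own code.
All values are constructed and far too small for real use."""
from math import gcd

# Constructed toy group: p = 1019 is prime, p - 1 = 2 * 509, and g = 2 is a
# primitive element of GF(p).  Exponents are taken modulo Q = p - 1.
P = 1019
G = 2
Q = P - 1
PRIME_FACTORS_OF_Q = (2, 509)


def check_primitive(g: int, p: int, prime_factors) -> bool:
    """g generates GF(p)* iff g^((p-1)/q) != 1 for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors)


def inv_exp(x: int) -> int:
    """Inverse of an exponent modulo p-1 (x_A, x_B must be coprime to p-1)."""
    return pow(x, -1, Q)


def choose_ephemeral_pair(y: int, start: int):
    """Deterministically pick short-term keys (k1, k2) with 0 < y^k1, y^k2 < (p-1)/2,
    the paper's range condition.  Assumption of this example: we also require
    gcd(y^k1 + y^k2, p-1) == 1 so that (r1 + r2) is invertible mod p-1, which the
    Section 4 recovery of k1 + k2 needs."""
    k1 = start
    while True:
        r1 = pow(y, k1, P)
        if 0 < r1 < Q // 2:
            for k2 in range(k1 + 1, k1 + 200):
                r2 = pow(y, k2, P)
                if 0 < r2 < Q // 2 and gcd(r1 + r2, Q) == 1:
                    return k1, k2
        k1 += 1


def sign(x: int, k1: int, k2: int, r1: int, r2: int) -> int:
    """Signer: s = x*r - (r1 + r2)*(k1 + k2) mod p-1, where r = g^(k1 + k2)."""
    r = pow(G, k1 + k2, P)
    return (x * r - (r1 + r2) * (k1 + k2)) % Q


def verify(y_signer: int, x_verifier: int, r1: int, r2: int, s: int) -> bool:
    """Verifier recovers r = (r1*r2)^(x_verifier^-1) and checks
    y_signer^r == r^(r1 + r2) * g^s (mod p)."""
    r = pow(r1 * r2, inv_exp(x_verifier), P)
    return pow(y_signer, r, P) == pow(r, r1 + r2, P) * pow(G, s, P) % P


def keys_A(xA, kA1, kA2, rB1, rB2):
    """A's view: K1 = g^(kA1 kB1), K2 = g^(kA2 kB1), K3 = g^(kA1 kB2), K4 = g^(kA2 kB2)."""
    e = inv_exp(xA)
    return tuple(pow(r, e * k % Q, P)
                 for r, k in ((rB1, kA1), (rB1, kA2), (rB2, kA1), (rB2, kA2)))


def keys_B(xB, kB1, kB2, rA1, rA2):
    """B's view of the same four keys, in the same order."""
    e = inv_exp(xB)
    return tuple(pow(r, e * k % Q, P)
                 for r, k in ((rA1, kB1), (rA2, kB1), (rA1, kB2), (rA2, kB2)))


def honest_run(xA: int, xB: int, seedA: int = 3, seedB: int = 5) -> dict:
    """One honest protocol run: public transcript, both verdicts and both key sets."""
    yA, yB = pow(G, xA, P), pow(G, xB, P)
    kA1, kA2 = choose_ephemeral_pair(yB, seedA)
    rA1, rA2 = pow(yB, kA1, P), pow(yB, kA2, P)
    sA = sign(xA, kA1, kA2, rA1, rA2)            # message (1.1): rA1, rA2, sA
    kB1, kB2 = choose_ephemeral_pair(yA, seedB)
    rB1, rB2 = pow(yA, kB1, P), pow(yA, kB2, P)
    sB = sign(xB, kB1, kB2, rB1, rB2)            # message (1.2): rB1, rB2, sB
    return {
        "msgA": (rA1, rA2, sA), "msgB": (rB1, rB2, sB),
        "A_accepts": verify(yB, xA, rB1, rB2, sB),
        "B_accepts": verify(yA, xB, rA1, rA2, sA),
        "keys_A": keys_A(xA, kA1, kA2, rB1, rB2),
        "keys_B": keys_B(xB, kB1, kB2, rA1, rA2),
    }


def recover_sum(x_signer: int, x_verifier: int, r1: int, r2: int, s: int) -> int:
    """Section 4: with both long-term keys, k1 + k2 = (x_signer*r - s)*(r1+r2)^-1 mod p-1."""
    r = pow(r1 * r2, inv_exp(x_verifier), P)
    return (x_signer * r - s) * pow(r1 + r2, -1, Q) % Q


def other_keys_from_K1(xA: int, xB: int, msgA, msgB, K1: int):
    """Relations (1)-(3) of Section 4, then K2 = (2)/K1, K3 = (1)/K1, K4 = (3)/K3."""
    rA1, rA2, sA = msgA
    rB1, rB2, sB = msgB
    sumA = recover_sum(xA, xB, rA1, rA2, sA)      # kA1 + kA2
    sumB = recover_sum(xB, xA, rB1, rB2, sB)      # kB1 + kB2
    eq1 = pow(rA1, inv_exp(xB) * sumB % Q, P)     # g^(kA1 kB1 + kA1 kB2)
    eq2 = pow(rB1, inv_exp(xA) * sumA % Q, P)     # g^(kA1 kB1 + kA2 kB1)
    eq3 = pow(rB2, inv_exp(xA) * sumA % Q, P)     # g^(kA1 kB2 + kA2 kB2)
    K1_inv = pow(K1, -1, P)
    K2 = eq2 * K1_inv % P
    K3 = eq1 * K1_inv % P
    K4 = eq3 * pow(K3, -1, P) % P
    return K2, K3, K4


if __name__ == "__main__":
    run = honest_run(123, 457)   # constructed long-term private keys, coprime to p-1
    print("both accept:", run["A_accepts"] and run["B_accepts"])
    print("same keys:", run["keys_A"] == run["keys_B"])
    K1 = run["keys_A"][0]
    print("K2..K4 recovered from K1:",
          other_keys_from_K1(123, 457, run["msgA"], run["msgB"], K1) == run["keys_A"][1:])
```

Run with Python 3.8 or later (it relies on `pow(x, -1, m)` for modular inverses). The relation check makes the Section 4 point concrete: the session-key computation never uses $x_A$ or $x_B$, yet the signing equation ties $k_{A1} + k_{A2}$ to $x_A$, so once the long-term keys leak, the transcript leaks a linear relation between each party's ephemeral keys, and one session key then determines the other three.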
These relationships lead to serious consequences if additional secret information is compromised. If one session key of a past session, say $K_1 = g^{k_{A1} k_{B1}}$, is compromised, then the other three session keys $K_2$, $K_3$ and $K_4$ are also revealed: E recovers $K_2 = g^{k_{A2} k_{B1}}$ from Eq. (2) by computing $(2) \times K_1^{-1} = g^{k_{A2} k_{B1}}$; $K_3 = g^{k_{A1} k_{B2}}$ from Eq. (1) by computing $(1) \times K_1^{-1} = g^{k_{A1} k_{B2}}$; and $K_4 = g^{k_{A2} k_{B2}}$ from Eq. (3) by computing $(3) \times K_3^{-1} = g^{k_{A2} k_{B2}}$. Thus, although the session key computation of the protocol is independent of the users' long-term private keys, the relationship between the long-term private key used for signing and the ephemeral private keys used for session key computation may compromise a certain security attribute. The signature scheme should therefore be designed so as not to reveal the relationship between the long-term private key (signing key) and the ephemeral private keys to adversaries.

In general, we note that the compromise of long-term secret keys does not necessarily mean that they are obtained by inverting the long-term public key. Long-term secrets are in practice vulnerable secrets in the system; in a typical setting, they are stored on disk, perhaps protected by a password. Since users must store their secret keys for use in key computation, the secret keys may also be obtained through a lack of suitable physical security measures. An adversary may also be able to obtain the session key used in any sufficiently old previous run of the protocol. In some environments (e.g., due to implementation and engineering decisions), the probability of compromise of session keys may be greater than that of long-term keys. In particular, when using cryptographic techniques of only moderate strength, the possibility exists that over time extensive cryptanalytic effort may uncover past session keys. Such partial information can come from many sources, for example side-channel analysis or a poor implementation. Well-designed implementations of key distribution systems will prevent session keys from being disclosed or lost. However, in real systems one should be wary, particularly with poor implementations, or with applications in which the session keys are eventually disclosed. Thus, assumptions about the compromise of some secret information are plausible. Robustness against such compromise is attractive in most commercial applications, where customers do not always protect their keys sufficiently. Consequently, a secure protocol design will minimize the effects of such events.

5. Conclusion

We have shown that Shao's protocol is insecure against off-line unknown key-share attacks. The on-line unknown key-share attack on the MQV protocol due to Kaliski [10] requires an unusual assumption, the existence of an on-line CA, and it can be prevented by requiring that entities prove to the Certification Authority (CA) possession of the secret keys corresponding to their public keys during the certification process. But the off-line unknown key-share attack presented in this paper requires no on-line CA, and it cannot be prevented by the CA's checking process above. As in [3], including the identities of the participating entities in the key derivation function that derives session keys from shared secrets can prevent all kinds of unknown key-share attacks. But this method is not so desirable here because it requires an additional one-way hash function.
To prevent these unknown key-share attacks without using hash functions, the signature scheme adopted in the protocol should satisfy the requirement that only a party who knows both short-term secret keys $k_{A1}$, $k_{A2}$ as well as her long-term private key $x_A$ can generate her own signature on the short-term public keys $\{y_B^{k_{A1}}, y_B^{k_{A2}}\}$. In fact, when we analyze the security of a protocol, we should consider not only the protocol itself but also the cryptographic primitives adopted in it, such as the digital signature scheme, because cryptographic primitives may be secure alone but lose their security when adapted to a certain protocol. From this point of view, the exact security of the signature scheme adopted in Shao's protocol was not considered previously, for example existential unforgeability against adaptively chosen-message attacks, as established for DSA [15] and the Schnorr signature scheme [16]. Finally, we showed that the compromise of the long-term private keys and one session key of a protocol run reveals the other three session keys of that run.

References

[1] ANSI X9.42, Agreement of Symmetric Algorithm Keys Using Diffie–Hellman, Working Draft, May 1998.
[2] ANSI X9.63, Elliptic Curve Key Agreement and Key Transport Protocols, Working Draft, July 1998.
[3] S. Blake-Wilson, D. Johnson, A. Menezes, Unknown key-share attacks on the station-to-station (STS) protocol, Proc. of PKC 99, LNCS 1560, 1999, pp. 154–170.
[4] S. Blake-Wilson, A. Menezes, Authenticated Diffie–Hellman key agreement protocols, Proc. of SAC'98, LNCS 1556, Springer-Verlag, 1999, pp. 339–361.
[5] W. Diffie, M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (6) (1976) 644–654.
[6] L. Harn, H.Y. Lin, An authenticated key agreement without using one-way hash functions, Proc. 8th Nat. Conf. Information Security, Kaohsiung, Taiwan, May 1998, pp. 155–160.
[7] L. Harn, H.Y. Lin, Authenticated key agreement without using one-way hash functions, Electronics Letters 37 (10) (2001) 629–630.
[8] IEEE P1363, Standard Specifications for Public-Key Cryptography, Working Draft, July 1998.
[9] M. Just, S. Vaudenay, Authenticated multi-party key agreement, Advances in Cryptology, Proceedings of Asiacrypt 96, Lecture Notes in Computer Science, vol. 537, Springer-Verlag, New York, 1997, pp. 36–49.
[10] B. Kaliski, Contribution to ANSI X9F1 and IEEE P1363 Working Groups, June 1998.
[11] L. Law, A. Menezes, M. Qu, J. Solinas, S. Vanstone, An efficient protocol for authenticated key agreement, Designs, Codes and Cryptography 28 (2) (2003) 119–134.
[12] S. Lee, J. Lim, J. Kim, An efficient and secure key agreement, Contribution to IEEE P1363a Working Group, 1999.
[13] C. Lim, P. Lee, A key recovery attack on discrete log-based schemes using a prime order subgroup, Advances in Cryptology, Crypto 97, LNCS 1294, Springer-Verlag, 1997, pp. 249–263.
[14] T. Matsumoto, Y. Takashima, H. Imai, On seeking smart public-key distribution systems, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Science E69 (1986) 99–106.
[15] National Institute of Standards and Technology, Digital Signature Standard, FIPS Publication 186-2, February 2000, available at http://csrc.nist.gov/fips.
[16] C.P. Schnorr, Efficient signature generation by smart cards, Journal of Cryptology 4 (3) (1991) 161–174.
[17] Z. Shao, Security of robust generalized MQV key agreement protocol without using one-way hash functions, Computer Standards and Interfaces 25 (5) (2003) 431–436.
[18] B. Song, K. Kim, Two-pass authenticated key agreement protocol with key confirmation, Progress in Cryptology, Proceedings of Indocrypt 00, Lecture Notes in Computer Science, vol. 1977, Springer-Verlag, New York, 2000, pp. 237–249.
[19] Y.M. Tseng, Robust generalized MQV key agreement protocol without using one-way hash functions, Computer Standards and Interfaces 24 (3) (2002) 241–246.
[20] T.S. Wu, W.H. He, C.L. Hsu, Security of authenticated multiple-key agreement protocols, Electronics Letters 35 (5) (1999) 391–392.
[21] S.M. Yen, M. Joye, Improved authenticated multiple-key agreement protocol, Electronics Letters 34 (18) (1998) 18–19.
[22] S.M. Yen, H.M. Sun, T. Hwang, Improved authenticated multiple-key agreement protocol, Proc. 11th Nat. Conf. Information Security, 2001, pp. 229–231.

Kyung-Ah Shim received her M.S. and Ph.D. degrees in Mathematics from Ewha Womans University in 1994 and 1999, respectively. From 2000 to 2004, she worked as a senior researcher at the Korea Information Security Agency. Currently, she is a Research Professor at the Department of Mathematics of Ewha Womans University. Her research activities are mainly focused on cryptography and information security.