Key-Exchange Protocol Using Pre-Agreed Session-ID. Kenji Imamoto, Kouichi Sakurai, Kyushu University, JAPAN.

Presentation transcript:

1 Key-Exchange Protocol Using Pre-Agreed Session-ID
Kenji Imamoto, Kouichi Sakurai
Kyushu University, JAPAN
Korean title: 사전 동의된 세션 아이디을 이용한 키 교환 프로토콜 (Key-Exchange Protocol Using Pre-Agreed Session ID)
Acknowledgement: This research was partly supported by the grant of Secom Science and Technology Foundation, and the 21st Century COE Program 'Reconstruction of Social Infrastructure Related to Information Science and Electrical Engineering'. Also, the first author was partly supported by the Ministry of Education, Science, Sports and Culture, Grant-in-Aid for JSPS Fellows, 2004.

2 Abstract
- Any message through Internet or radio communication can be easily eavesdropped on
  - Privacy should be considered (especially, this paper considers identity concealment)
- Introduce Pre-Agreed Session ID (PAS)
  - Identification which is a disposable unique value used for every session to specify each session and party
- Formalize security model for key-exchange protocol
- Propose a secure key-exchange protocol using PAS
- Argue about the problems which arise when PAS is used

3 Contents
1. Introduction
2. Security Model
3. PAS Protocol
4. Proof of PAS Protocol
5. Variants and Discussions
6. Conclusion

4 1. Introduction
- Long-term shared secret
  - Leakage of users' identities: most existing schemes cannot prevent it
- Main focus of our study is …
  - Key-Exchange Protocol using Pre-shared Key
[Diagram labels: Long-term shared secret, Protocol, Short-term secret]

5 [Figure, shown twice: Bob sends a message over a public network to the Responder. The Responder holds a table of user IDs and secret keys: Alice K_A, Bob K_B, Charlie K_C. K_B: secret key, M: message.]
- First diagram: message "Bob, E_{K_B}(M)"
  - Threat: leakage of user's identity
- Second diagram: message "E_{K_B}(Bob, M)"
  - We need another identifiable information
- Legitimate user can specify his partner
- No attacker can specify who is communicating

6 Our Solution
- Session ID [2, 3]
  - Purpose: uniquely name sessions
  - Assumption: unique among all the session IDs
- Pre-Agreed Session ID (PAS)
  - Unique session ID agreed between each peer before activation of the session
  - Uniquely name a session and parties who participate in the session
[2] R. Canetti and H. Krawczyk, "Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels", EUROCRYPT 2001.
[3] R. Canetti and H. Krawczyk, "Security Analysis of IKE's Signature-Based Key-Exchange Protocol", CRYPTO 2002.

7 2. Security Model
- Existing Model [2] (SK-Security)
  - Consider the security of session key
- Our Model (SK-ID-Security), an extension of the existing model
  - Consider the security of not only session key but also users' identities

8 Communication Channel
- The channel is broadcast-type
  - All messages can be sent to a pool of messages
  - There is no assumption on the logical connection between the address where a message is delivered and the identity behind that address
- Attacker is a (probabilistic) polynomial-time machine with full control of the communication lines between parties
  - Free to intercept, delay, drop, inject, or change all messages sent over these lines

9 Attacker's Access to Secret Information (session expose)
- Session state reveal
  - Session state for an incomplete session (which does not include long-term secret)
- Session-key query
  - Session key of a completed session
- Party corruption
  - All information in the memory of the party (including session states, session key, long-term secrets)
- Identity reveal
  - Parties' identities that activate a session

10 Basic Idea of SK-ID-Security (1)
- Indistinguishability style [2]
- The success of an attack is measured via its ability to distinguish the real values from independent random values
[Diagram: Attacker and Oracle]
1. Attacker: freely choose a complete session as test session
2. Query
3. Oracle: coin toss
   - If head, response is real
   - If tail, response is random
4. Response (real or random)
5. Attacker: guess the result of coin toss

11 Basic Idea of SK-ID-Security (2)
- The attacker succeeds in its attack if
  1. The test session is not exposed
  2. The probability of his correct guess of coin toss is significantly larger than 1/2
- Definition (SK-ID-security): A key-exchange protocol is called SK-ID-secure if, for all attackers with the explained capabilities, the success probability (in its test-session distinguishing attacks) is not more than 1/2 plus a negligible fraction
- Two games against the test session:
  - Distinction of session key (real session key or random value) [2]
  - Distinction of pairs (real party or randomly chosen party)

12 Game: Distinction of pairs
[Diagram: Attacker and Oracle]
1. Attacker: freely choose a complete session as test session
2. Query
3. Oracle: coin toss
   - If head, response is real
   - If tail, response is random: random choice from all possible pairs that do not include either of the real parties' ID
4. Response (real or random)
5. Attacker: guess the result of coin toss
Example: parties A, B, C, D, E
- A shares PSK with B
- C shares PSK with D and E
[Figure: pairs A-B, C-D, C-E, A-C, A-D, A-E, B-C, B-D, B-E, D-E, with labels "Real" and "Random"]

13 3. PAS Protocol
1. Start message
2. Response message
3. Finish message
Keys:
- $k_0 = \mathrm{PRF}_{g^{xy}}(0)$ (session key)
- $k_1 = \mathrm{PRF}_{g^{xy}}(1)$
- $k_2 = \mathrm{PRF}_{PSK_{ij}}(2)$
MAC: Message Authentication Code
PRF: Pseudo Random Function

14 4. Proof of PAS Protocol
- Main Theorem
  - Assuming DDH and the security of the underlying cryptographic functions (i.e., MAC and PRF), PAS protocol is SK-ID-secure
- Strategy for Proof of Main Theorem
  - Show that a DDH distinguisher can be built from an attacker that succeeds in distinguishing between a real and a random response to the test-session query

15 5. Variants and Discussions (DoS-resilient)
[Figure: Adversary, User and Responder. Responder cannot respond (even for legitimate users!)]
- Point: Responder needs to distinguish legitimate requests from junk ones at low cost

16 Protection from DoS attack
[Figure: Adversary and Responder]
- Request needs a valid PAS
- Attacker can guess no valid PAS
- The cost of checking the validity of a received PAS is only that of searching the responder's PAS list
[Figure: Bob sends "PAS_BR, Request" to the Responder, which holds the table below]
User's ID | PAS    | Secret key
Alice     | PAS_AR | K_AR
Bob       | PAS_BR | K_BR
Charlie   | PAS_CR | K_CR
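The responder-side check from slides 15 and 16, as an added example that is not code from the presentation or its authors: a request carries only a PAS, an unknown PAS is dropped at table-lookup cost, and a valid PAS is consumed on use so a replay is rejected too. Assumptions: HMAC-SHA256 stands in for the unspecified PRF, `Responder`, `enroll` and `handle_request` are hypothetical names, and how the next PAS is agreed is not modelled.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, label: int) -> bytes:
    # Assumption: HMAC-SHA256 plays the role of the slides' PRF.
    return hmac.new(key, bytes([label]), hashlib.sha256).digest()


class Responder:
    """Hypothetical responder holding the PAS list from slide 16."""

    def __init__(self) -> None:
        self.pas_table = {}     # PAS -> (user ID, pre-shared key)
        self.expensive_ops = 0  # requests that reached keyed crypto

    def enroll(self, user: str, psk: bytes) -> bytes:
        # Models the pre-agreement step: a fresh random PAS per session.
        pas = secrets.token_bytes(16)
        self.pas_table[pas] = (user, psk)
        return pas

    def handle_request(self, pas: bytes):
        # One dictionary lookup decides whether any further work happens.
        # pop() makes the PAS disposable: it names exactly one session.
        entry = self.pas_table.pop(pas, None)
        if entry is None:
            return None  # forged or replayed PAS: dropped, no crypto done
        user, psk = entry
        self.expensive_ops += 1
        # k_2 = PRF_{PSK_ij}(2), as on slide 13. The identity is recovered
        # from the table, never from the wire.
        return user, prf(psk, 2)


def demo():
    responder = Responder()
    psk_bob = secrets.token_bytes(32)            # constructed sample key
    pas_br = responder.enroll("Bob", psk_bob)
    # Constructed junk traffic: guessing a 128-bit PAS is infeasible.
    forged = [responder.handle_request(secrets.token_bytes(16))
              for _ in range(1000)]
    first = responder.handle_request(pas_br)     # legitimate request
    replay = responder.handle_request(pas_br)    # same PAS sent again
    return forged, first, replay, responder.expensive_ops, prf(psk_bob, 2)


if __name__ == "__main__":
    forged, first, replay, ops, _ = demo()
    print(sum(r is None for r in forged), first[0], replay, ops)
```

Because the PAS is removed on first use, both sides must agree on a fresh one before the next session, which is the synchronization problem the conclusion lists.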

17 6. Conclusion
- Introduce Pre-Agreed Session ID (PAS)
  - Identification which is a disposable unique value used for every session to specify each session and party
- Formalize security model for key-exchange protocol
- Propose a secure key-exchange protocol using PAS
- Argue about the problems which arise when PAS is used
  - Synchronization of PAS, DoS attack, PFS