M.S. Dousti FORSAKES: A Forward-Secure AKE Mohammad Sadeq Dousti Weekly Seminars on Discrete Mathematics and Computer Science FORSAKES: A Forward-Secure AKE Based on Symmetric KES 1 / 45
2 / 45 Topics: Introduction; Diffie–Hellman & PFS; Key-Evolving Schemes (KES); Our Security Model; Our AKE Definition; FORSAKES Protocol; Epilogue.
3 / 45 Today’s talk is about… Authenticated Key Exchange (AKE) protocols. [Figure: an Initiator (I) and a Responder (R) share a Long-Term Key (LTK) and use it to establish a session key (sk).]
4 / 45 Security expectations from AKE. Informally: I and R must agree on the same session key. No one without knowledge of the LTK should be able to take part in the protocol. The session key must be “random looking” (indistinguishable from a uniformly random string). Other properties: PFS, resilience to key-compromise impersonation (KCI), resilience to unknown key-share (UKS) attacks, …
5 / 45 Security model. The “security expectations” above constitute a security definition. Security definitions only make sense within a security model, which designates: the model of computation; the model of communication; the attack model; …
Section: Diffie–Hellman & PFS
7 / 45 Diffie–Hellman (DH) protocol. The first published asymmetric-crypto scheme (1976). Notation: $G$ is a (multiplicative) group of prime order $q$, and $g$ is a generator of $G$. Consider the following tuples, where $a$, $b$ and $c$ are picked uniformly at random from $\mathbb{Z}_q$: Type 1: $(g, g^a, g^b, g^{ab})$. Type 2: $(g, g^a, g^b, g^c)$.
8 / 45 Decisional Diffie–Hellman (DDH) problem: distinguish Type 1 tuples from Type 2 tuples. DDH appears to be hard in some groups (for instance prime-order subgroups of $\mathbb{Z}_p^*$ and suitable elliptic-curve groups). In what follows, let $G$ be a group in which DDH is assumed to hold.
9 / 45 DH flows. Public parameters: $G$, $g$. A picks $a$ uniformly from $\mathbb{Z}_q$ and sends $g^a$ to B; B picks $b$ uniformly from $\mathbb{Z}_q$ and sends $g^b$ to A. Both compute $sk = g^{ab}$ (A as $(g^b)^a$, B as $(g^a)^b$).
10 / 45 Authenticated DH (ADH-1). DH is a key exchange (KE) protocol with no authentication, so it is prone to active (man-in-the-middle) attacks. If A and B share an LTK $K$ before the DH flows, each flow can be authenticated under $K$.
11 / 45 ADH-1 flows. Public parameters: $G$, $g$; shared LTK $K$. A picks $a$ uniformly from $\mathbb{Z}_q$ and sends $g^a, \mathrm{auth}_K(g^a)$; B picks $b$ uniformly from $\mathbb{Z}_q$ and sends $g^b, \mathrm{auth}_K(g^b)$. Both compute $sk = g^{ab}$.
12 / 45 Perfect Forward Secrecy (PFS). Also called “forward secrecy” or “forward security.” PFS: if the LTK is revealed at time $T$, all session keys established before $T$ remain secure. ADH-1 satisfies PFS, because $sk = g^{ab}$ depends only on the ephemeral exponents, which are erased after the run. [Figure: timeline; the LTK is revealed at $T$; session keys established before $T$ remain secure.]
13 / 45 ADH-1 deficiency. In ADH-1 neither party is assured that the other has actually obtained $sk$ (no key confirmation). Bad solution: B uses $sk$ to authenticate $0 \,\|\, g^a \,\|\, g^b$, and a 3rd flow is added in which A uses $sk$ to authenticate $1 \,\|\, g^a \,\|\, g^b$.
14 / 45 Why bad?! If $sk$ is used to authenticate flows, then $sk$ can be distinguished from random: given a candidate key, anyone can recompute the tag over the public transcript and compare it with the observed one, so the key is no longer “random looking.” Solution: use a Key Derivation Function (KDF) to extract two keys from $g^{ab}$: an integrity key ($ik$) to authenticate the flows, and a session key ($sk$) for use in the session.
15 / 45 ADH-2 flows. Public parameters: $G$, $g$; shared LTK $K$. A sends $g^a, \mathrm{auth}_K(g^a)$. Both compute $sk = \mathrm{KDF}(0, g^{ab})$ and $ik = \mathrm{KDF}(1, g^{ab})$. B sends $g^b, \mathrm{auth}_{ik}(0 \,\|\, g^a \,\|\, g^b)$. A sends $\mathrm{auth}_{ik}(1 \,\|\, g^a \,\|\, g^b)$.
Section: Key-Evolving Schemes (KES)
17 / 45 Efficiency of DH. To the best of our knowledge, all provably-secure PFS AKEs are based on DH, and DH (modular exponentiation) is slow compared with symmetric-key operations. How do we get a fast AKE that satisfies PFS? Key-Evolving Schemes (KES): cryptographic schemes whose LTKs evolve over time. Idea: R. Canetti, S. Halevi and J. Katz, “A Forward-Secure Public-Key Encryption Scheme,” J. Cryptology. Ironically, their scheme is itself based on DH (in bilinear groups)!
18 / 45 Example usage of KES. [Figure only; not recoverable from the slide text.]
19 / 45 Milder form of PFS. The lifetime of the system is divided into many time stages, each lasting $\tau$ seconds. Mild PFS: if the LTK is revealed in time stage $T$, all session keys established in time stages $0, \ldots, T-1$ remain secure (sessions of stage $T$ itself are not protected). [Figure: timeline of stages $0, \ldots, T-1, T$; the LTK is revealed in stage $T$; session keys of stages up to $T-1$ remain secure.]
Section: Our Security Model
21 / 45 Computation & complexity model. All parties (including the adversary) are modeled as interactive Turing machines (ITMs): Turing machines equipped with communication tapes. All parties (including the adversary) are probabilistic polynomial time (PPT).
22 / 45 Adversarial model. The interaction between the adversary and the parties is modeled as a game between the adversary and a hypothetical entity called the Challenger. The Challenger has an interface (like an API!) through which the adversary queries it. The Challenger also has a TimeEvent() interface, which is called every $\tau$ seconds by a universal clock.
23 / 45 Challenger interface for the adversary. Register(): introduce a new party into the system. ShareLTK(x,y): share an LTK between party x and party y. Send(x,s,y,m): deliver message m to session s of party x, claiming that the message comes from party y; if session (x,s) does not exist, it is created. The result includes the response of (x,s).
24 / 45 Challenger interface for the adversary, cont’d. ExposeSS(x,s): leaks the state of session (x,s), including sk, to the adversary; the session (x,s) is marked “exposed.” RevealLTK(x,y): reveals the LTK shared between party x and party y to the adversary; each of the two parties is marked “corrupt” with respect to the other.
25 / 45 Algorithmic flavor. The Challenger’s interface is defined algorithmically, so the algorithms can be incorporated into tools for automatic verification of security protocols.
Section: Our AKE Definition
27 / 45 Definition roadmap. We now have a security model. Notice that the model by itself says nothing about AKE security; that is the role of the security definition. To put forward the definition, we need two central notions: session partnership and session freshness.
28 / 45 Why do we need those “central notions”? The adversary obviously knows the sk of an exposed session. If it corrupts a party, it obviously knows the sk of any session that party establishes thereafter. The same holds if it exposes or corrupts the “partner” of a session/party. Hence we need to define “partner,” and we need to define the “unfresh” sessions, which are trivially insecure.
29 / 45 Session partnership. Two sessions are called partners if: 1. Both sessions output the same non-empty session key and the same session identifier (sid). 2. The sessions have different roles (I and R). 3. Each session recognizes the other party as its partner. 4. No other session outputs the same sid. This is very hard to satisfy and can be relaxed.
30 / 45 Algorithmic approach… [Algorithm listing only; not recoverable from the slide text.]
31 / 45 Session freshness. A session is fresh if all of the following hold: 1. PFS: if the LTK is revealed, it is revealed in a time stage after the time stage in which the session key was established. 2. The session is not exposed. 3. If a partner session exists, conditions 1 and 2 hold for it as well.
32 / 45 Security definition: idea. The adversary picks a fresh session of its choice. The Challenger tosses a coin $b$: on heads it returns the session key ($\ell$ bits); on tails it returns a uniformly random $\ell$-bit string. The adversary keeps querying the interface and finally announces its guess of $b$. The adversary is declared the winner iff its guess is correct and the session is still fresh.
33 / 45 Endowing the Challenger with a new interface. Test(x,s): the adversary designates (x,s) as its target session; if (x,s) is fresh, the Challenger returns an $\ell$-bit string (the real sk or a random string, according to $b$). Guess(b'): the adversary announces its guess $b'$; it wins iff $b' = b$ and (x,s) is still fresh.
34 / 45 Security definition. Define the advantage of the adversary as its probability of winning the game minus ½. An AKE protocol is called secure if for all $c \in \mathbb{N}$, every PPT adversary, and all sufficiently large $n \in \mathbb{N}$ ($n$ the security parameter), the advantage of the adversary is less than $n^{-c}$; that is, the advantage is negligible in $n$.
Section: FORSAKES Protocol
36 / 45 About FORSAKES. FORSAKES: Forward-Secure AKE based on KES. FORSAKES is described in the Random Oracle (RO) model: the RO, written $\mathrm{RO}(\cdot)$ below, is an ideal (totally random) hash function. In the case of FORSAKES the RO only simplifies the proofs and can be replaced by PRFs.
37 / 45 FORSAKES: The 10,000-foot view. [Figure only; not recoverable from the slide text.]
38 / 45 Main properties of FORSAKES. Updating the LTK: $K_{\mathrm{new}} = \mathrm{RO}(K_{\mathrm{old}})$. “I” contributes a nonce $n_I$ in $\mathrm{Msg}_1$; “R” contributes a nonce $n_R$ in $\mathrm{Msg}_2$. Session ID: $sid = n_I \,\|\, n_R$. Session key: $sk = \mathrm{RO}(0 \,\|\, sid \,\|\, K)$. Integrity key: $ik = \mathrm{RO}(1 \,\|\, sid \,\|\, K)$. $\mathrm{Auth}_j = \mathrm{RO}(\mathrm{Msg}_j \,\|\, ik)$ for $j \in \{2, 3\}$.
39 / 45 FORSAKES messages ($T$ is the current time stage). $\mathrm{Msg}_1 = 1 \,\|\, ID_I \,\|\, ID_R \,\|\, T \,\|\, n_I$. $\mathrm{Msg}_2 = 2 \,\|\, ID_R \,\|\, ID_I \,\|\, T \,\|\, n_I \,\|\, n_R$. $\mathrm{Msg}_3 = 3 \,\|\, ID_I \,\|\, ID_R \,\|\, T \,\|\, n_I \,\|\, n_R$. FORSAKES parties perform quite a few “syntactical” checks on the format and fields of incoming messages before responding to them.
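The three-message run above, as an added example written for these notes (it is not the paper's reference implementation): one `Party` class holds a party's evolving LTK and stage counter; the responder answers Msg_1 with Msg_2 and Auth_2, the initiator verifies Auth_2 and returns Msg_3 and Auth_3, and every incoming message passes the syntactical checks (field count, type tag, identities, stage, nonce length) before any key is derived. The block also exercises two points made earlier: sk and ik are separate outputs of the oracle, so the tags never expose sk, and the LTK update K_new = RO(K_old) on TimeEvent() means a Msg_1 recorded in one stage is rejected in the next, and a party that evolves alone (the Desync case from the epilogue) can no longer complete a run. Everything the slides leave open is an assumption of mine: RO is instantiated as HMAC-SHA256 under a public label (the talk's practical suggestion), '||' is a 4-byte length-prefixed encoding, T is an 8-byte counter, nonces are 16 bytes, message types are single bytes, and the names `Party`, `handshake` and `replay_into_next_stage` are mine.

```python
"""FORSAKES-style run between initiator I and responder R (added illustration, not
the paper's code). Assumed where the slides are silent: RO is HMAC-SHA256 under a
public label; '||' is 4-byte length-prefixed fields; T is an 8-byte stage counter."""
import hashlib, hmac, os, struct
NONCE_LEN = 16

def RO(data: bytes) -> bytes:   # random-oracle stand-in (assumed: HMAC-SHA256)
    return hmac.new(b"FORSAKES-RO", data, hashlib.sha256).digest()

def encode(*fields: bytes) -> bytes:   # unambiguous '||': 4-byte length per field
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)

def decode(blob: bytes) -> list:
    """Inverse of encode(); truncated or trailing bytes are rejected."""
    fields, i = [], 0
    while i + 4 <= len(blob):
        n, i = struct.unpack(">I", blob[i:i + 4])[0], i + 4
        fields.append(blob[i:i + n])
        i += n
    if i != len(blob):
        raise ValueError("truncated or trailing bytes")
    return fields

class Party:
    """A party holding one evolving LTK K, shared with one peer, at stage T."""
    def __init__(self, ident: bytes, peer: bytes, ltk: bytes):
        self.id, self.peer, self.K, self.T = ident, peer, ltk, 0
        self.pending, self.sessions = {}, {}   # in flight; completed sid -> sk

    def time_event(self):   # clock tick every tau seconds; K_old is erased
        self.K, self.T = RO(self.K), self.T + 1   # K_new = RO(K_old)

    def _derive(self, n_I: bytes, n_R: bytes):
        sid = n_I + n_R
        sk = RO(encode(b"\x00", sid, self.K))   # session key
        ik = RO(encode(b"\x01", sid, self.K))   # integrity key, never sk itself
        return sid, sk, ik

    def _msg(self, tag: bytes, *nonces: bytes) -> bytes:
        return encode(tag, self.id, self.peer, struct.pack(">Q", self.T), *nonces)

    def _parse(self, msg: bytes, tag: bytes, nfields: int) -> list:
        """The 'syntactical' checks: shape, type tag, identities, nonces, stage."""
        f = decode(msg)
        if not (len(f) == nfields and f[0] == tag and f[1] == self.peer and
                f[2] == self.id and all(len(n) == NONCE_LEN for n in f[4:])):
            raise ValueError("malformed message, wrong type or wrong identities")
        if f[3] != struct.pack(">Q", self.T):
            raise ValueError("stage mismatch: replay or de-synchronised LTK")
        return f

    def msg1(self) -> bytes:                   # initiator: emit Msg_1
        n_I = os.urandom(NONCE_LEN)
        self.pending[n_I] = "open"
        return self._msg(b"\x01", n_I)

    def msg3(self, m2: bytes, auth2: bytes):   # initiator: check Msg_2, emit Msg_3
        f = self._parse(m2, b"\x02", 6)
        if self.pending.pop(f[4], None) is None:
            raise ValueError("n_I does not belong to an open session")
        sid, sk, ik = self._derive(f[4], f[5])
        if not hmac.compare_digest(auth2, RO(encode(m2, ik))):   # Auth_2
            raise ValueError("Auth_2 rejected: peer lacks the current K")
        m3 = self._msg(b"\x03", f[4], f[5])
        self.sessions[sid] = sk
        return m3, RO(encode(m3, ik))                             # Auth_3

    def msg2(self, m1: bytes):                 # responder: check Msg_1, emit Msg_2
        f = self._parse(m1, b"\x01", 5)
        n_I, n_R = f[4], os.urandom(NONCE_LEN)
        sid, sk, ik = self._derive(n_I, n_R)
        self.pending[sid] = (sk, ik)
        m2 = self._msg(b"\x02", n_I, n_R)
        return m2, RO(encode(m2, ik))                             # Auth_2

    def finish(self, m3: bytes, auth3: bytes) -> bytes:   # responder: check Msg_3
        f = self._parse(m3, b"\x03", 6)
        sid = f[4] + f[5]
        sk, ik = self.pending.pop(sid, (None, None))
        if ik is None or not hmac.compare_digest(auth3, RO(encode(m3, ik))):
            raise ValueError("no such session or Auth_3 rejected")
        self.sessions[sid] = sk
        return sid

def handshake(init: Party, resp: Party):   # returns (sid, sk at I, sk at R)
    m2, a2 = resp.msg2(init.msg1())
    m3, a3 = init.msg3(m2, a2)
    sid = resp.finish(m3, a3)
    return sid, init.sessions[sid], resp.sessions[sid]

def replay_into_next_stage(I: Party, R: Party) -> bool:
    stale = I.msg1()                        # Msg_1 recorded by an attacker in stage T
    for p in (I, R):
        p.time_event()                      # stage T -> T + 1 on both sides
    try:
        R.msg2(stale)
    except ValueError:
        return True                         # rejected by the stage check
    return False
```

Build two `Party` objects from the same K (what ShareLTK would install), run `handshake(I, R)`, and call `replay_into_next_stage(I, R)` to watch the stage check reject a stale Msg_1. Neither side commits sk to `sessions` before its Auth tag verifies, so an aborted run leaves no usable key; and because `time_event` overwrites K in place, a RevealLTK after the tick yields only K_new, from which the earlier stage's sk cannot be recomputed without inverting RO.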
Section: Epilogue
41 / 45 FORSAKES is a secure AKE. We proved that, under the model and definition above, FORSAKES is a secure AKE. The full proof is 15 pages. It gives a relationship between the advantage of any adversary (even a computationally unbounded one) and the number of queries it makes: the advantage is negligible as long as the number of queries is sub-exponential.
42 / 45 FORSAKES in practice. In theory the RO should be replaced with PRFs; in practice, simple hash-based constructions suffice, and in particular we suggest HMAC. Depending on the environment, the stage lifespan can be anywhere between tens of seconds and many days (longer stages are less secure, since the keys of the current stage are not protected by mild PFS).
43 / 45 Future directions. Consider a model in which the adversary can issue a Desync(x,y) query that de-synchronizes the LTK between two parties; the protocol should then provide a re-synchronization mechanism. Consider another model in which LTKs are one-time: once used, a key can never be used again.
44 / 45 References. See the following paper and the references therein: M.S. Dousti and R. Jalili, “FORSAKES: A Forward-Secure Authenticated Key Exchange Protocol based on Symmetric Key-Evolving Schemes,” Advances in Mathematics of Communications, 2015.