Key-Exchange Protocol Using Pre-Agreed Session-ID. Kenji Imamoto, Kouichi Sakurai, Kyushu University, JAPAN


Slide 1: Key-Exchange Protocol Using Pre-Agreed Session-ID
Kenji Imamoto, Kouichi Sakurai
Kyushu University, JAPAN
Korean Title: 사전 동의된 세션 아이디을 이용한 키 교환 프로토콜
Acknowledgement: This research was partly supported by the grant of the Secom Science and Technology Foundation and by the 21st Century COE Program 'Reconstruction of Social Infrastructure Related to Information Science and Electrical Engineering'. The first author was also partly supported by the Ministry of Education, Science, Sports and Culture, Grant-in-Aid for JSPS Fellows, 2004, 06737.

Slide 2: Abstract
- Any message through Internet or radio communication can be easily eavesdropped on → Privacy should be considered (especially, this paper considers identity concealment)
- Introduce Pre-Agreed Session ID (PAS) → Identification which is a disposable unique value used for every session to specify each session and party
- Formalize security model for key-exchange protocol
- Propose a secure key-exchange protocol using PAS
- Argue about the problems which arise when PAS is used

Slide 3: Contents
1. Introduction
2. Security Model
3. PAS Protocol
4. Proof of PAS Protocol
5. Variants and Discussions
6. Conclusion

Slide 4: 1. Introduction
- Long-term shared secret → Leakage of users' identities (most existing schemes cannot prevent this)
- Main focus of our study is … → Key-exchange protocol using pre-shared key
[Diagram labels: Long-term shared secret, Protocol, Short-term secret]

Slide 5: Threat: Leakage of user's identity
[Figure, two panels: Bob sends a message over the public network to the Responder, who holds the key table below. Messages shown: "Bob E_{K_B}(M)" in the first panel and "E_{K_B}(Bob, M)" in the second. K_B: secret key, M: message.]

User's ID   Secret key
Alice       K_A
Bob         K_B
Charlie     K_C

- We need another piece of identifying information
- A legitimate user can specify his partner
- No attacker can specify who is communicating

Slide 6: Our Solution
- Session ID [2, 3]
  - Purpose: uniquely name sessions
  - Assumption: unique among all the session IDs
- Pre-Agreed Session ID (PAS)
  - Unique session ID agreed between each peer before activation of the session
  - Uniquely names a session and the parties who participate in the session

[2] R. Canetti and H. Krawczyk, "Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels", EUROCRYPT 2001.
[3] R. Canetti and H. Krawczyk, "Security Analysis of IKE's Signature-Based Key-Exchange Protocol", CRYPTO 2002.

Slide 7: 2. Security Model
- Existing Model [2] (SK-Security) → Considers the security of the session key
- Our Model (SK-ID-Security) → Considers the security of not only the session key but also users' identities
[Diagram: the existing model is extended ("Extend") to our model]

Slide 8: Communication Channel
- The channel is broadcast-type
  - All messages can be sent to a pool of messages
  - There is no assumption on the logical connection between the address where a message is delivered and the identity behind that address
- Attacker is a (probabilistic) polynomial-time machine with full control of the communication lines between parties
  - Free to intercept, delay, drop, inject, or change all messages sent over these lines

Slide 9: Attacker's Access to Secret Information (session expose)
- Session state reveal → Session state for an incomplete session (which does not include long-term secret)
- Session-key query → Session key of a completed session
- Party corruption → All information in the memory of the party (including session states, session key, long-term secrets)
- Identity reveal → Parties' identities that activate a session

Slide 10: Basic Idea of SK-ID-Security (1)
- Indistinguishability style [2]
- The success of an attack is measured via its ability to distinguish the real values from independent random values
[Figure: exchange between Attacker and Oracle]
1. Attacker freely chooses a complete session as test session
2. Query
3. Coin toss (if head, response is real; if tail, response is random)
4. Response (real or random)
5. Attacker guesses the result of the coin toss

Slide 11: Basic Idea of SK-ID-Security (2)
The attacker succeeds in its attack if
1. The test session is not exposed
2. The probability of his correct guess of the coin toss is significantly larger than 1/2
Definition (SK-ID-security): A key-exchange protocol is called SK-ID-secure if for all attackers with the explained capabilities, the success probability (in its test-session distinguishing attacks) is not more than 1/2 plus a negligible fraction
Two games against the test session:
- Distinction of session key (real session key or random value) [2]
- Distinction of pairs (real party or randomly chosen party)

Slide 12: Game: Distinction of pairs
[Figure: exchange between Attacker and Oracle]
1. Attacker freely chooses a complete session as test session
2. Query
3. Coin toss (if head, response is real; if tail, response is random)
4. Response (real or random)
5. Attacker guesses the result of the coin toss
Random: random choice from all possible pairs that do not include either of the real parties' IDs
Example parties: A, B, C, D, E
- A shares PSK with B
- C shares PSK with D and E
Pairs shown (labelled Real / Random in the figure): A-B, C-D, C-E, A-C, A-D, A-E, B-C, B-D, B-E, D-E

Slide 13: 3. PAS Protocol
1. Start message
2. Response message
3. Finish message
$k_0 = \mathrm{PRF}_{g^{xy}}(0)$ % Session key
$k_1 = \mathrm{PRF}_{g^{xy}}(1)$ %
$k_2 = \mathrm{PRF}_{PSK_{ij}}(2)$
MAC: Message Authentication Code
PRF: Pseudo Random Function
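The key derivation on this slide, as an added example that is not taken from the presentation: both sides derive k0 and k1 from the ephemeral Diffie-Hellman value g^xy and k2 from the long-term PSK_ij alone. Assumptions: HMAC-SHA256 stands in for the PRF, the group is a toy one, and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (assumption): Mersenne prime 2**127 - 1, base 3.
P = 2**127 - 1
G = 3

def prf(key: bytes, label: int) -> bytes:
    """PRF_key(label); HMAC-SHA256 is an assumed instantiation."""
    return hmac.new(key, bytes([label]), hashlib.sha256).digest()

def derive_keys(dh_shared: int, psk_ij: bytes) -> dict:
    """k0, k1 come from g^xy; k2 comes from the pre-shared key only."""
    secret = dh_shared.to_bytes((P.bit_length() + 7) // 8, "big")
    return {
        "k0": prf(secret, 0),   # session key
        "k1": prf(secret, 1),
        "k2": prf(psk_ij, 2),
    }

def run_exchange(psk_ij: bytes) -> tuple:
    """One session: fresh exponents x and y, keys derived on each side."""
    x = secrets.randbelow(P - 2) + 1            # initiator's ephemeral exponent
    y = secrets.randbelow(P - 2) + 1            # responder's ephemeral exponent
    gx, gy = pow(G, x, P), pow(G, y, P)         # values exchanged in the clear
    initiator = derive_keys(pow(gy, x, P), psk_ij)
    responder = derive_keys(pow(gx, y, P), psk_ij)
    return initiator, responder
```

Running two sessions with the same PSK gives different k0 and k1 each time but the same k2, because k2 has no per-session input.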

Slide 14: 4. Proof of PAS Protocol
- Main Theorem → Assuming DDH and the security of the underlying cryptographic functions (i.e., MAC and PRF), the PAS protocol is SK-ID-secure
- Strategy for proof of Main Theorem → Show that a DDH distinguisher can be built from an attacker that succeeds in distinguishing between a real and a random response to the test-session query

Slide 15: 5. Variants and Discussions (DoS-resilient)
[Figure: Adversary and User both send requests to the Responder]
- Responder cannot respond (even to legitimate users!)
- Point: the Responder needs to distinguish legitimate requests from junk ones at low cost

Slide 16: Protection from DoS attack
[Figure: Bob sends "PAS_BR, Request" to the Responder; the Adversary also sends requests]
- A request needs a valid PAS
- The attacker cannot guess a valid PAS
- The cost of checking the validity of a received PAS is only that of searching the responder's PAS list

User's ID   PAS      Secret key
Alice       PAS_AR   K_AR
Bob         PAS_BR   K_BR
Charlie     PAS_CR   K_CR
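The PAS-list check described on this slide, as an added sketch that is not code from the presentation: the responder looks the received PAS up in its table and drops the request before doing any costly work when the PAS is unknown. Assumptions: the class and method names are hypothetical, a PAS is a random 16-byte value, and `expensive_ops` merely counts where the key-exchange computation would run.

```python
import secrets

class Responder:
    """Holds the table from the slide: PAS -> (user's ID, secret key)."""

    def __init__(self):
        self.pas_table = {}
        self.expensive_ops = 0      # stands in for the costly key-exchange work

    def register(self, user_id: str, key: bytes) -> bytes:
        """Agree on a fresh PAS with a user before the session (assumed out of band)."""
        pas = secrets.token_bytes(16)
        self.pas_table[pas] = (user_id, key)
        return pas

    def handle_request(self, pas: bytes, request: bytes):
        """Return the user's ID for a valid PAS, or None if the request is dropped."""
        # One hash-table lookup is the whole cost of rejecting a junk request.
        # pop() makes the PAS disposable: a replayed PAS is no longer in the list.
        entry = self.pas_table.pop(pas, None)
        if entry is None:
            return None
        user_id, _key = entry
        self.expensive_ops += 1     # only requests with a valid PAS reach this point
        return user_id
```

The request on the wire carries only the PAS, so the user's ID appears nowhere outside the responder's table. Consuming the PAS on receipt is a choice made in this sketch; the slides list PAS synchronization as an open problem.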

Slide 17: 6. Conclusion
- Introduce Pre-Agreed Session ID (PAS) → Identification which is a disposable unique value used for every session to specify each session and party
- Formalize security model for key-exchange protocol
- Propose a secure key-exchange protocol using PAS
- Argue about the problems which arise when PAS is used → Synchronization of PAS, DoS attack, PFS

