International Journal of Information Security, Volume 16, Issue 2, pp 151–171

ASICS: authenticated key exchange security incorporating certification systems

  • Colin Boyd
  • Cas Cremers
  • Michèle Feltz
  • Kenneth G. Paterson
  • Bertram Poettering
  • Douglas Stebila
Regular Contribution


Most security models for authenticated key exchange (AKE) do not explicitly model the associated certification system, which includes the certification authority and its behaviour. However, there are several well-known and realistic attacks on AKE protocols which exploit various forms of malicious key registration and which therefore lie outside the scope of these models. We provide the first systematic analysis of AKE security incorporating certification systems. We define a family of security models that, in addition to allowing different sets of standard AKE adversary queries, also permit the adversary to register arbitrary bitstrings as keys. For this model family, we prove generic results that enable the design and verification of protocols that achieve security even if some keys have been produced maliciously. Our approach is applicable to a wide range of models and protocols; as a concrete illustration of its power, we apply it to the CMQV protocol in the natural strengthening of the eCK model to the ASICS setting.
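The malicious key registration the abstract refers to can be made concrete with a small simulation. What follows is an added example, not code from the paper or its authors: a toy certification system (class `CA`) that can be configured to accept any bitstring as a public key, a static-plus-ephemeral Diffie–Hellman key agreement over a constructed 23-element group, and an unknown key-share (UKS) run in which the adversary registers Bob's public key under her own name without knowing the matching private key. The group parameters, class and function names are assumptions of this example; binding identities into the key derivation, proof of possession at registration and public-key validation are the standard countermeasures and are not the paper's CMQV analysis.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption for this example, far too small for real use):
# p = 2q + 1 with q prime, and g = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 23, 11, 4


def H(*parts: bytes) -> bytes:
    """Key derivation: SHA-256 over length-prefixed inputs (no ambiguity between fields)."""
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()


def enc(n: int) -> bytes:
    return n.to_bytes(4, "big")


def valid_pubkey(y: int) -> bool:
    """Full public-key validation: y lies in the order-q subgroup and is not the identity."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


class CA:
    """Certification system. With both flags False it behaves like the CA the ASICS
    adversary is given: any bitstring is accepted as a public key, for any identity."""

    def __init__(self, validate: bool, require_pop: bool):
        self.validate, self.require_pop = validate, require_pop
        self.directory = {}

    def register(self, ident: str, pk: int, prove=None) -> bool:
        # prove(C) must return C^sk; only a registrant who knows sk for pk can answer.
        if self.validate and not valid_pubkey(pk):
            return False
        if self.require_pop:
            c = secrets.randbelow(Q - 1) + 1
            if prove is None or prove(pow(G, c, P)) != pow(pk, c, P):
                return False
        self.directory[ident] = pk
        return True


class Party:
    def __init__(self, ident: str):
        self.ident = ident
        self.sk = secrets.randbelow(Q - 1) + 1
        self.pk = pow(G, self.sk, P)

    def pop(self, challenge: int) -> int:
        """Proof-of-possession response: challenge^sk."""
        return pow(challenge, self.sk, P)

    def ephemeral(self):
        x = secrets.randbelow(Q - 1) + 1
        return x, pow(G, x, P)

    def session_key(self, x: int, peer_pk: int, peer_eph: int,
                    initiator: str, responder: str, bind_ids: bool) -> bytes:
        ss = pow(peer_pk, self.sk, P)   # static-static DH value
        ee = pow(peer_eph, x, P)        # ephemeral-ephemeral DH value
        if bind_ids:
            # Countermeasure: bind the identities each party believes it talks to into the key.
            return H(enc(ss), enc(ee), initiator.encode(), responder.encode())
        return H(enc(ss), enc(ee))


def run_uks(ca: CA, bind_ids: bool) -> str:
    """UKS attempt: Eve registers Bob's public key as her own and relays the ephemeral
    values between Alice (who thinks she talks to Eve) and Bob (who thinks he talks to Alice)."""
    alice, bob = Party("Alice"), Party("Bob")
    assert ca.register("Alice", alice.pk, alice.pop) and ca.register("Bob", bob.pk, bob.pop)
    if not ca.register("Eve", bob.pk):          # Eve holds no private key for bob.pk
        return "registration_rejected"
    xa, Xa = alice.ephemeral()
    yb, Yb = bob.ephemeral()
    k_alice = alice.session_key(xa, ca.directory["Eve"], Yb, "Alice", "Eve", bind_ids)
    k_bob = bob.session_key(yb, ca.directory["Alice"], Xa, "Alice", "Bob", bind_ids)
    return "uks" if k_alice == k_bob else "no_shared_key"


def static_share_with_invalid_key(ca: CA, bad_pk: int = P - 1):
    """Invalid-key registration: p-1 has order 2, so if the CA certifies it, Alice's
    static-static value can only be 1 or p-1 and leaks one bit of her long-term key."""
    if not ca.register("Mallory", bad_pk):
        return None
    return pow(bad_pk, Party("Alice").sk, P)


if __name__ == "__main__":
    print("lenient CA, no id binding:", run_uks(CA(False, False), bind_ids=False))  # uks
    print("lenient CA, id binding:   ", run_uks(CA(False, False), bind_ids=True))   # no_shared_key
    print("validating CA with PoP:   ", run_uks(CA(True, True), bind_ids=False))    # registration_rejected
    print("order-2 key accepted, ss =", static_share_with_invalid_key(CA(False, False)))
```

With the lenient CA and no identity binding the two honest parties end up with the same key while disagreeing about whom they share it with, which is exactly the unknown key-share condition; either countermeasure alone breaks the run, the key-derivation fix because Alice and Bob hash different peer identities, the proof-of-possession check because Eve cannot compute the challenge response for a key she does not own.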


Keywords

Authenticated key exchange (AKE); Unknown key-share (UKS) attacks; Certification authority (CA); Invalid public keys; PKI

C. B. and D. S. were supported by Australian Research Council (ARC) Discovery Project DP130104304. C. C. was supported by ETH Research Grant ETH-30 09-3. K. G. P. and B. P. were supported by an EPSRC Leadership Fellowship EP/H005455/1. This work was partly done while M. F. was at ETH Zurich, supported by ETH Research Grant ETH-30 09-3.


  1. Adams, C., Farrell, S., Kause, T., Mononen, T.: Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP). RFC 4210 (Proposed Standard), updated by RFC 6712 (2005)
  2. Barker, E., Barker, W., Burr, W., Polk, W., Smid, M.: Recommendation for key management, part 1: general. NIST Special Publication (2007)
  3. Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Juels, A., Wright, R.N., Vimercati, S. (eds.) ACM CCS 06, pp. 390–399. ACM Press, Alexandria (2006)
  4. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)
  5. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO '93. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)
  6. Bellare, M., Rogaway, P.: Provably secure session key distribution: the three party case. In: 27th ACM STOC, pp. 57–66. ACM Press, Las Vegas (1995)
  7. Blake-Wilson, S., Johnson, D., Menezes, A.: Key agreement protocols and their security analysis. In: Darnell, M. (ed.) 6th IMA International Conference on Cryptography and Coding. LNCS, vol. 1355, pp. 30–45. Springer, Heidelberg (1997)
  8. Blake-Wilson, S., Menezes, A.: Entity authentication and authenticated key transport protocols employing asymmetric techniques. In: Christianson, B., Crispo, B., Lomas, T.M.A., Roe, M. (eds.) Proceedings of the 5th International Workshop on Security Protocols, Paris, France, April 7–9, 1997. LNCS, vol. 1361, pp. 137–158. Springer, Heidelberg (1998)
  9. Blake-Wilson, S., Menezes, A.: Unknown key-share attacks on the station-to-station (STS) protocol. In: Imai, H., Zheng, Y. (eds.) PKC '99. LNCS, vol. 1560, pp. 154–170. Springer, Heidelberg (1999)
  10. Boldyreva, A., Fischlin, M., Palacio, A., Warinschi, B.: A closer look at PKI: security and efficiency. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 458–475. Springer, Heidelberg (2007)
  11. Boyd, C., Cremers, C., Feltz, M., Paterson, K.G., Poettering, B., Stebila, D.: ASICS: Authenticated key exchange security incorporating certification systems. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 381–399. Springer, Heidelberg (2013)
  12. CA/Browser Forum: Baseline requirements for the issuance and management of publicly-trusted certificates, v1.1.6 (2013)
  13. CA/Browser Forum: Guidelines for the issuance and management of extended validation certificates, v1.4.3 (2013)
  14. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001)
  15. Cash, D., Kiltz, E., Shoup, V.: The twin Diffie–Hellman problem and applications. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 127–145. Springer, Heidelberg (2008)
  16. Chatterjee, S., Menezes, A., Ustaoglu, B.: Combined security analysis of the one- and three-pass unified model key agreement protocols. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 49–68. Springer, Heidelberg (2010)
  17. Choo, K.K.R., Boyd, C., Hitchcock, Y.: Examining indistinguishability-based proof models for key establishment protocols. In: Roy, B.K. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 585–604. Springer, Heidelberg (2005)
  18. Cremers, C.: Examining indistinguishability-based security models for key exchange protocols: the case of CK, CK-HMQV, and eCK. In: Cheung, B.S.N., Hui, L.C.K., Sandhu, R.S., Wong, D.S. (eds.) ASIACCS 11, pp. 80–91. ACM Press, Hong Kong (2011)
  19. Cremers, C.J.F., Feltz, M.: Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 734–751. Springer, Heidelberg (2012)
  20. Cremers, C.J.F., Feltz, M.: Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal. Des. Codes Cryptogr. 74(1), 183–218 (2015)
  21. Ducklin, P.: The TURKTRUST SSL certificate fiasco: what really happened, and what happens next? (2013)
  22. Farshim, P., Warinschi, B.: Certified encryption revisited. In: Preneel, B. (ed.) AFRICACRYPT 09. LNCS, vol. 5580, pp. 179–197. Springer, Heidelberg (2009)
  23. Fox-IT: Black Tulip: Report of the investigation into the DigiNotar Certificate Authority breach (2012)
  24. Freire, E.S.V., Hofheinz, D., Kiltz, E., Paterson, K.G.: Non-interactive key exchange. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 254–271. Springer, Heidelberg (2013)
  25. Goldberg, I., Stebila, D., Ustaoglu, B.: Anonymity and one-way authentication in key exchange protocols. Des. Codes Cryptogr. 67(2), 245–269 (2013)
  26. Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)
  27. Jeong, I.R., Katz, J., Lee, D.H.: One-round protocols for two-party authenticated key exchange. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 04. LNCS, vol. 3089, pp. 220–232. Springer, Heidelberg (2004)
  28. Kaliski, B.S.: An unknown key-share attack on the MQV key agreement protocol. ACM Trans. Inf. Syst. Secur. 4, 275–288 (2001)
  29. Krawczyk, H.: HMQV: A high-performance secure Diffie–Hellman protocol. Cryptology ePrint Archive, Report 2005/176 (2005)
  30. Krawczyk, H.: HMQV: A high-performance secure Diffie–Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005)
  31. Kudla, C., Paterson, K.G.: Modular security proofs for key agreement protocols. In: Roy, B.K. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 549–565. Springer, Heidelberg (2005)
  32. LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007)
  33. Lauter, K., Mityagin, A.: Security analysis of KEA authenticated key exchange protocol. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 378–394. Springer, Heidelberg (2006)
  34. Lim, C.H., Lee, P.J.: A key recovery attack on discrete log-based schemes using a prime order subgroup. In: Kaliski Jr., B.S. (ed.) CRYPTO '97. LNCS, vol. 1294, pp. 249–263. Springer, Heidelberg (1997)
  35. McCurley, K.S.: A key distribution system equivalent to factoring. J. Cryptol. 1(2), 95–105 (1988)
  36. Menezes, A.: Another look at HMQV. Cryptology ePrint Archive, Report 2005/205 (2005)
  37. Menezes, A., Ustaoglu, B.: On the importance of public-key validation in the MQV and HMQV key agreement protocols. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 133–147. Springer, Heidelberg (2006)
  38. Menezes, A., Ustaoglu, B.: Security arguments for the UM key agreement protocol in the NIST SP 800-56A standard. In: Abe, M., Gligor, V. (eds.) ASIACCS 08, pp. 261–270. ACM Press, Tokyo (2008)
  39. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)
  40. Ristenpart, T., Yilek, S.: The power of proofs-of-possession: securing multiparty signatures against rogue-key attacks. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 228–245. Springer, Heidelberg (2007)
  41. Schaad, J.: Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF). RFC 4211 (Proposed Standard) (2005)
  42. Shmuely, Z.: Composite Diffie–Hellman public-key generating systems are hard to break. Technical Report No. 356, Computer Science Department, Technion-Israel Institute of Technology (1985)
  43. Shoup, V.: On formal methods for secure key exchange (version 4), November 1999, revision of IBM Research Report RZ 3120 (1999)
  44. Turner, S.: The application/pkcs10 Media Type. RFC 5967 (Informational) (2010)
  45. Turner, P., Polk, W., Barker, E.: ITL Bulletin for July 2012: preparing for and responding to certification authority compromise and fraudulent certificate issuance (2012)
  46. Ustaoglu, B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Des. Codes Cryptogr. 46(3), 329–342 (2008)
  47. Ustaoglu, B.: Comparing SessionStateReveal and EphemeralKeyReveal for Diffie–Hellman protocols. In: Pieprzyk, J., Zhang, F. (eds.) ProvSec 2009. LNCS, vol. 5848, pp. 183–197. Springer, Heidelberg (2009)

Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  • Colin Boyd (1)
  • Cas Cremers (2)
  • Michèle Feltz (3)
  • Kenneth G. Paterson (4)
  • Bertram Poettering (5)
  • Douglas Stebila (6)
  1. Norwegian University of Science and Technology, Trondheim, Norway
  2. University of Oxford, Oxford, UK
  3. National Commission for Data Protection, Esch-sur-Alzette, Luxembourg
  4. Royal Holloway, University of London, Egham, UK
  5. Ruhr University Bochum, Bochum, Germany
  6. Queensland University of Technology, Brisbane, Australia