# ASICS: authenticated key exchange security incorporating certification systems

## Abstract

Most security models for authenticated key exchange (AKE) do not explicitly model the associated *certification system*, which includes the certification authority and its behaviour. However, there are several well-known and realistic attacks on AKE protocols which exploit various forms of malicious key registration and which therefore lie outside the scope of these models. We provide the first systematic analysis of *AKE security incorporating certification systems*. We define a family of security models that, in addition to allowing different sets of standard AKE adversary queries, also permit the adversary to register arbitrary bitstrings as keys. For this model family, we prove generic results that enable the design and verification of protocols that achieve security even if some keys have been produced maliciously. Our approach is applicable to a wide range of models and protocols; as a concrete illustration of its power, we apply it to the CMQV protocol in the natural strengthening of the eCK model to the ASICS setting.
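The abstract's adversary who can register arbitrary bitstrings as keys corresponds, in a deployed system, to a certification authority that certifies whatever public key it is sent. The Python below is an added example, not code from the paper or its authors: it places a registration routine that accepts any bitstring next to one that performs public-key validation (range and prime-order-subgroup membership) and checks a Schnorr-style proof of possession bound to the registrant's identity, and it shows what a single unvalidated small-order key leaks from an honest party's long-term secret. The group parameters are constructed toy values (p = 23, q = 11, g = 4) and every function name is this example's own; with q = 11 the proof-of-possession challenge takes only eleven values, so the construction is only meaningful at real parameter sizes.

```python
import hashlib

# Toy prime-order-subgroup Diffie-Hellman parameters, constructed for
# illustration only: p = 2q + 1 with q prime, g generates the order-q subgroup.
# Real deployments use a 2048-bit p or an elliptic-curve group.
P = 23
Q = 11
G = 4
assert pow(G, Q, P) == 1 and G != 1


def naive_register(pk_bytes):
    """CA that accepts any bitstring as a public key: exactly the registration
    power the ASICS adversary is given. Returns the integer the bytes encode."""
    return int.from_bytes(pk_bytes, "big")


def validated_register(pk_bytes):
    """CA that performs full public-key validation before certifying:
    correct encoding length, 1 < y < p - 1, and y^q = 1 mod p (so y lies in
    the prime-order subgroup). Returns y or raises ValueError."""
    if not 0 < len(pk_bytes) <= (P.bit_length() + 7) // 8:
        raise ValueError("wrong encoding length")
    y = int.from_bytes(pk_bytes, "big")
    if not 1 < y < P - 1:
        raise ValueError("public key out of range")
    if pow(y, Q, P) != 1:
        raise ValueError("public key not in prime-order subgroup")
    return y


def is_valid_public_key(pk_bytes):
    """Boolean wrapper around validated_register."""
    try:
        validated_register(pk_bytes)
        return True
    except ValueError:
        return False


def leaked_parity(x):
    """Why validation matters: p - 1 has order 2 and passes naive_register.
    An honest party raising it to its long-term secret x (as any static-DH
    style computation does) obtains 1 or p - 1, which reveals the parity of x.
    Returns (shared_value, recovered_parity)."""
    y = P - 1
    shared = pow(y, x, P)
    return shared, 0 if shared == 1 else 1


def _challenge(y, t, identity):
    """Fiat-Shamir challenge binding public key, commitment and identity."""
    data = b"%d|%d|" % (y, t) + identity
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def pop_prove(x, identity, r):
    """Schnorr proof of possession of the private key x for y = g^x, bound to
    the registrant's identity. r is the prover's fresh random nonce (passed in
    so the function is deterministic for testing). Returns (y, t, s)."""
    y = pow(G, x, P)
    t = pow(G, r, P)
    c = _challenge(y, t, identity)
    s = (r + c * x) % Q
    return y, t, s


def pop_verify(y, identity, t, s):
    """Checks g^s == t * y^c mod p for the identity-bound challenge c."""
    c = _challenge(y, t, identity)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def register_with_pop(pk_bytes, identity, t, s):
    """Full registration check: validate the public key, then verify the proof
    of possession. A registrant who merely copied another party's public key
    has no x and so cannot produce (t, s) for its own identity."""
    y = validated_register(pk_bytes)
    if not pop_verify(y, identity, t, s):
        raise ValueError("proof of possession failed")
    return y
```

The checks in `validated_register` and `register_with_pop` are what a careful CA does; the abstract's goal of security "even if some keys have been produced maliciously" is the complementary requirement that a protocol remain secure when its peer's key only ever passed `naive_register`, which in practice means the protocol participant repeats the public-key validation itself rather than trusting the certificate to imply it.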

### Keywords

Authenticated key exchange (AKE); Unknown key share (UKS) attacks; Certification authority (CA); Invalid public keys; PKI

### Mathematics Subject Classification

94A60

## Notes

### Acknowledgments

C. B. and D. S. were supported by Australian Research Council (ARC) Discovery Project DP130104304. C. C. was supported by ETH Research Grant ETH-30 09-3. K. G. P. and B. P. were supported by an EPSRC Leadership Fellowship EP/H005455/1. This work was partly done while M. F. was at ETH Zurich, supported by ETH Research Grant ETH-30 09-3.
