Session Corruption Attack and Improvements on Encryption Based MT-Authenticators

Abstract. Bellare, Canetti and Krawczyk proposed a security model (BCK-model) for authentication and key exchange protocols in 1998. The model not only reasonably captures the power of practical attackers but also provides a modular approach to the design of secure key exchange protocols. One important element in this approach is the MTauthenticator. An MT-authenticator transforms a message transmission protocol for an ideally authenticated network to an equivalent protocol for a real, unauthenticated network such that all attacks that can be launched in the unauthenticated network can also be launched in the authenticated network. In this paper, we show that the proof of the encryption-based MT-authenticator proposed in their paper is flawed, which leads to their encryption-based MT-authenticator insecure. An attack called session corruption attack can be launched successfully against the MT-authenticator in the unauthenticated network but not against the corresponding message transmission protocol in the authenticated network. We also show that another authenticator of this type is also vulnerable to the session corruption attack. To thwart this attack, we propose several improved techniques and two new encryption-based MTauthenticators. Keywords: MT-authenticator, BCK-model, CK-model, Verifiable Encryption