In ICA3PP 2009, Xinglan Zhang proposed two one-round
authenticated key exchange protocols and proved their security
in the standard model. In this paper, we analyze these two
protocols and find that both of them exist some flaws

Chuangui Ma

Qingfeng Cheng

Cryptology ePrint Archive

Security Weakness in Two Authenticated KeyExchange ProtocolsQingfeng Cheng, Chuangui MaZhengzhou Information Science and Technology InstituteZhengzhou 450002, P.R.Chinaqingfengc2008@sina.comAbstract. In ICA3PP 2009, Xinglan Zhang proposed two one-roundauthenticated key exchange protocols and proved their security in thestandard model. In this paper, we analyze these two protocols and findthat both of them exist some flaws.Key words: Authenticated key exchange, Key compromise imperson-ation attack, Ephemeral key compromise attack.1 IntroductionAuthenticated key exchange (AKE) protocols enable two party to share commonsession keys in an authentic way. An AKE protocol is called secure if under theallowed adversarial actions it is infeasible for the attacker to distinguish the valueof a key generated by the protocol from an independent random value.In the following, we describe some security properties.– Key compromise impersonation (KCI) resilience: A party’s staticprivate key is disclosed. But the adversary will not enable to masquerade asother legitimate parties to this party.– Ephemeral key compromise (EKC) resilience: The adversary can ob-tain the ephemeral private key of parties. But the session key under attackstill remains secure. It means that the adversary can’t compute the sessionkey.– Key independence (KI): session keys are computationally independentfrom each other.KCI resilience and KI are often seen as two desired security attribute fortwo party authenticated key exchange protocols [1]. Moreover, EKC resilience[2] is also important security attribute. More and more AKE protocols havebeen rigorously analyzed under EKC attack. Recently, Xinglan Zhang proposedtwo one-round authenticated key exchange protocols [3] which are claimed to beprovably secure based on Decisional Diffie-Hellman problem. For simplicity ofdescription, we refer to the two protocols as the P1 and P2 protocols. In thispaper, we will show that they can’t resist KCI and EKC attacks. Especially, theyalso can’t provide KI completely.The rest of this paper is organized as follows. In Section 2, we review boththe P1 and the P2 protocols. In Section 3, we show that both of them sufferfrom KCI attack. Finally, the conclusions will be given in Section 4.2 Review of the P1 and the P2 protocolsLet k be the security parameter, and G is a group of prime order q. Let⊕denotethe operation XOR in the finite field GF (2) and g be a generator of group G.Every party has a public key and a static private key, denoted by pki, ski, wherepki = gski .2.1 Description of the P1 protocolIn this subsection, we briefly review the P1 protocol. Since our attacks are mainlyrelated to the key exchange phase, we omit the initiation phase. For more detailsabout the P1 protocol, refer to [3].In the following description we suppose that two communications parties, Aand B wish to communicate with each other.Step1: Party A chooses rA ∈ {0, 1}k randomly and computes αA = grA ,then sends αA to B.Step2: Upon receiving the message αA, party B chooses rB ∈ {0, 1}k ran-domly and computes αB = grB , then sends αB to A. and computes the sessionkey: KAB = pkskBA⊕αrBA .Step3: Upon receiving the message αB , party A also computes the sessionkey: KAB = pkskAB⊕αrAB .2.2 Description of the P2 protocolIn this subsection, we briefly review the P2 protocol. Since our attacks are mainlyrelated to the key exchange phase, we omit the initiation phase. For more detailsabout the P2 protocol, refer to [3].In the following description we suppose that two communications parties, Aand B wish to communicate with each other.Step1: Party A chooses rA ∈ {0, 1}k randomly and computes αA = grA ,then sends αA to B.Step2: Upon receiving the message αA, party B chooses rB ∈ {0, 1}k ran-domly and computes αB = grB , then sends αB to A. and computes the sessionkey: KAB = pkrBA⊕αskBA⊕αrBA .Step3: Upon receiving the message αB , party A also computes the sessionkey: KAB = pkrAB⊕αskAB⊕αrAA .3 KCI Attack on the P1 and the P2 Protocols3.1 KCI Attack on the P1 ProtocolIn this subsection, we will show that the P1 protocol can be intruded by us-ing KCI attack. Assume that the adversary E has the knowledge of party A’sstatic private key skA and he intends to launch the attack against party A bypretending party B. The adversary E can carry out his KCI attack as follows:Step1: Party A chooses rA ∈ {0, 1}k randomly and computes αA = grA ,then sends αA to B.Step2: Upon intercepting the message αA, the adversary E chooses rE ∈{0, 1}k randomly, computes αE = grE , then E impersonates party B, sendsαE = grE to party A and computes the session key:K∗AB = pkskBA⊕αrEA = pkskAB⊕αrEA .Step3: Upon receiving the message αE = grE , party A computes the sessionkey:K∗AB = pkskAB⊕αrAE = pkskAB⊕αrEA .So we have successfully launched the KCI attack to party A, who is theinitiator. Similarly we can also launch the KCI attack to party B, who is theresponder. The details are omitted.3.2 EKC Attack on the P1 ProtocolIn this subsection, we will present EKC attack on the P1 protocol. Since thesession key is KAB = pkskBA⊕αrBA , so if the adversary E gets the ephemeralprivate key rB , he will mount the attack, the details of which will be introducedin next subsection. So we can conclude that the P1 protocol can’t resist EKCattack.3.3 Analysis of the P1 Protocol’ KIXinglan Zhang shows that the P1 protocol provides KI if the adversary can notlearn the session key which is not established successfully. In this subsection, wewill show that session keys generated by the P1 protocol are related to each otheronly if the adversary can get some session ephemeral private key. Assume thatthe adversary E has the knowledge of party A’s session key K1AB and ephemeralprivate key r1A. The adversary E can carry out this attack as follows:Step1: The adversary E can use r1A and K1AB to get the value pkskAB .K1AB⊕αr1AB = pkskAB⊕αr1AB⊕αr1AB = pkskABStep2: The adversary E can impersonate party B to cheat party A. Theadversary E chooses rE ∈ {0, 1}k randomly, computes αE = grE , then E imper-sonates party B, sends αB∗ = grE to party A.Step3: Upon receiving the message αB∗ , party A chooses rA ∈ {0, 1}k ran-domly and computes αA = grA , then sends αA to B. and computes the sessionkey:KAB = pkskBA⊕αrAB∗ = pkskBA⊕grErA .Step4: Upon intercepting the message αA, the adversary E computes thesession key:KAB∗ = pkskBA⊕αrEA = pkskAB⊕grArE .It is easy to see that the adversary E has succeeded in impersonating partyB to party A. Especially, he does not need to learn party A’s static private key.3.4 EKC Attack on the P2 ProtocolIn this subsection, we will present EKC attack on the P2 protocol. Since thesession key is KAB = pkrBA⊕αskBA⊕αrBA and αA = grA , so if the adversary Egets the ephemeral private key rA and rB , he can compute the session key. Sowe can conclude that the P2 protocol can’t resist EKC attack.4 ConclusionIn this paper, we have demonstrated certain security vulnerabilities in two au-thenticated key exchange protocols.References1. Krawczyk, H.: HMQV: A High-Performance Secure Diffie-Hellman Protocol, In:CRYPTO 2005. Lecture Notes in Computer Science 3621, 2005, pp. 546-566. Fullversion available at http://eprint.iacr.org/2005/176.2. LaMacchia, B., Lauter,K., Mityagin, A.: Stronger Security of Authenticated KeyExchange, In: ProvSec 2007, Lecture Notes in Computer Science 4784, 2007, pp.1-16.3. Xinglan Zhang.: Authenticated Key Exchange Protocol in One-Round. In: ICA3PP2009, Lecture Notes in Computer Science 5574, 2009, pp. 226-233.

Security Weakness in Two Authenticated Key Exchange Protocols

Abstract

Similar works

Full text

Available Versions

Cryptology ePrint Archive