In 2003, Boyd and Mao proposed two deniable authenticated key establishment
protocols using elliptic curve pairings for Internet protocols, one is based on
Diffie-Hellman key exchange and the other is based on Public-Key Encryption
approach. For the use of elliptic curve pairings, they declared that their schemes could
be more efficient than the existing Internet Key Exchange (IKE), nowadays. However
in this paper, we will show that both of Boyd-Mao¡¦s protocols suffer from the
key-Compromise Impersonation attack

Jue-Sam Chou

Ming-De Yang

Yalin Chen

Cryptology ePrint Archive

1Weaknesses of the Boyd-Mao Deniable Authenticated keyEstablishment for Internet ProtocolsJue-Sam Chou1 , Yalin Chen 2 , Ming-De Yang 31Department of Information Management, Nanhua University Chiayi 622 Taiwan, R.O.Cjschou@mail.nhu.edu.twTel: 886+ (0)5+272-1001 ext.562262 Institute of information systems and applications, National Tsing Hua Universityd949702@oz.nthu.edu.twTel: 886+(0)3-57389973 Department of Information Management, Nanhua University Chiayi, 622, Taiwanasurejoker@gmail.comTel: 886+(0)5-2721001 ext.2017AbstractIn 2003, Boyd and Mao proposed two deniable authenticated key establishmentprotocols using elliptic curve pairings for Internet protocols, one is based onDiffie-Hellman key exchange and the other is based on Public-Key Encryptionapproach. For the use of elliptic curve pairings, they declared that their schemes couldbe more efficient than the existing Internet Key Exchange (IKE), nowadays. Howeverin this paper, we will show that both of Boyd-Mao’s protocols suffer from thekey-Compromise Impersonation attack.Keywords: deniable authenticated key establishment, Internet Key Exchange (IKE),key-Compromise Impersonation attack, elliptic curve cryptosystem1. IntroductionDue to the use of Internet for trade and transmission in this era, the securityservices such as authentication, data integrity and confidentiality, etc have becomemore and more important. Therefore, secure communication in the open networkenvironment seems to be an essential requirement for any Internet application [2, 6].One of the basic secure communication technologies is the key establishment protocolthat is known as Internet Key Exchange (IKE). It is the standard of Internet protocolSecurity (IPSec) proposed by the IETF in 1998 [3, 5, 6, 7, 10]. But, people have manycriticisms for this protocol, especially for its complexity [5, 15].In order to overcome such a problem, the elliptic curve cryptography that canreduce the computations and maintain the same security level becomes a better choice[1, 11, 14, 15, 16, 18]. So in recent years, several cryptography schemes [8, 9, 11, 12,13, 14, 15, 16, 17, 18, 19] are designed based on the elliptic curve. One of these2schemes is the deniable authenticated key establishment for Internet protocolsproposed by Boyd and Mao[15]. For the use of the elliptic curve cryptography, theirschemes not only solute the complexity of computation but also become moreefficient than others.However, in this paper, we will point out that Boyd-Mao’s deniable authenticatedkey establishment for Internet protocols can’t resist against the key-CompromiseImpersonation (KCI) attack defined by Wilson and Menezes [4]. The attack meansthat if A’s long-term secret key is compromised and known by an adversary, theadversary can pretend others to communicate with A.The structure of this paper is organized as follows. In Section 2, we will reviewBoyd-Mao’s deniable authenticated key establishment protocols. In Section 3, we willdescribe our attacks on Boyd-Mao’s key establishment protocols. Finally, aconclusion is given in Section 4.2. Review Boyd-Mao’s Deniable Authenticated key Establishment ProtocolsIn this section, we review Boyd-Mao’s deniable authenticated key establishmentprotocols. First, we will introduce pairings on elliptic curves. Next we will introduceMAC based authenticator. At last, we present the Boyd-Mao’s key establishmentprotocols.2.1 Bilinear Weil Pairing:Let G1 be an additive group and G2 be a multiplicative group and each of themhave the same order. Then we assume that there exists an efficient computablebilinear map e, which is defined as 211 GGG:e  and satisfies the followingconditions:1. Bilinear: For any Zba , and 1,, GRQP  , we have    abQ,PebQ,aPe  and  )R,P(e)Q,P(eRQ,Pe  and   )R,Q(e)R,P(eR,QPe  .2. Non-degenerate: For any 1GQ,P  , we have   1Q,Pe  .3. Computability: For any 1GQ,P  , there is an efficient algorithm to compute  2GQ,Pe 2.2 MAC based authenticator:To construct the authenticator, user B first chooses a random number NB andsends it to user A. When A receives NB, he chooses an intended message m and sendsit together with )mN,B(MAC ,BFAB to B, where B is user B’s ID that is public and theMAC key FAB can be non-interactively computed as the session key shared by both A3and B. That is, A can compute FAB as e(sQA, QB) and B can compute FBA(=FAB) ase(QA, sQB). The figure of MAC based authenticator is shown in Fig.1.Fig.1. MAC based authenticator2.3 Boyd-Mao’s key establishment protocolsThe Boyd-Mao’s key establishment protocols can be divided into two portions,one is the key establishment protocol established using Diffie-Hellman key exchange,and the other key is established from public key encryption approach. Each of themcan be stated as follows:2.3.1 Key Establishment Using Diffie-Hellman Key ExchangeIn this scheme, a key exchange between users A and B can be accomplished asfollow:Users A and B each chooses a random number Ra and Rb respectively, then theycompute gRa and gRb individually, where Ra, Rb belongs to Zq and g is a primitive root.In the protocol, users A’s and B’s IDs are IDA and IDB respectively, and FAB denotesthe non-interactively computed MAC key shared by both A and B derived from thebilinear pairing computation. That is, A can compute FAB as e (sQA, QB) and B cancompute FBA ( = FAB) as e(QA, sQB). After that, A and B can begin to exchangeinformation. The steps are as follows:Step1. User A sends tA = gRa to user B. After accepting tA, B will send tB = gRb and)t,t,ID(MAC BABFAB to user A.Step2. When user A receives tB and )t,t,ID(MAC BABFAB , he can verify whether theMAC is authentic. If it is authentic, he will send )t,t,ID(MAC ABAFAB to userB. Then A can compute the final session key RaBAB tZ  shared with B.Step3 After accepting the )t,t,ID(MAC ABAFAB , B will verify whether the MAC isA BChooses a random NBNBChooses an authenticmessage mm, )mN,B(MAC ,BFAB4authentic. If it is authentic, B then computes the session key)tZ(Z RbAABBA  .2.3.2 Key Established from Public Key Encryption ApproachIn this scheme, users A and B each chooses a random number NA and NBrespectively, where NA, NB ]t...1[ . FAB denotes the same value defined in section2.3.1. Then, A and B can begin to exchange information. The steps are as follows:Step1. User B sends NB to user A. After receiving NB, A chooses a session key K andencrypts it using B’s public key denoted as EB(K). Then A sends EB(K), IDA,NA, and )KE,N,ID(MAC BBBFAB to B.Step2. When B receives EB(K), IDA, Na, and )KE,N,ID(MAC BBBFAB , he decryptsEB(K) with his private key to get K and using the MAC key FAB to verifywhether the MAC holds. If it holds, B can confirm he is communicating withA and sends )N,N,ID,ID(MAC BABAK to user A.Step3. After receiving )N,N,ID,ID(MAC BABAK , user A verifies whether the MACholds. If it holds, the MAC is authentic and A can confirm he iscommunicating with the intended person B. Therefore, user A and B canbegin to communicate with each other.3. Our attacksIn this section, we use the four security attributes defined by Wilson andMenezes [4] to analyze Boyd-Mao’s key establishment protocols. After that, we canfind that Boyd-Mao’s key establishment protocols can’t resist against the KCI attack.An adversary can pretend others to communicate with A when he obtains A’slong-term secret key. Now, we show our KCI attacks on the Boyd-Mao’s keyestablishment protocols as follows:3.1 Attack on the Key Establishment Using Diffie-Hellman Key ExchangeWe assume an adversary X who knows user A’s long-term secret key sQA andwants to launch the KCI attack to pretend user B to communicate with A. He can actas follows:Step1. When X intercepts At sent from A intended to B, X can compute the MACkey FAB in the same manner specified in Section 2.3.1 and choose a randomnumber 'R b to compute'RBbg't  . Then he can send 't B and)t,t,ID(MAC 'BABFAB to user A.Step2. After receiving 't B and )t,t,ID(MAC'BABFABfrom X, user A can verify it as5authentic for he also has the MAC key FAB. And because he knows 't B , hecan compute the session key  aRBAB )'t(Z  by Diffie-Hellman keyexchange protocol, where qRa ZR  is selected by A. After that, user A sends)t,t,ID(MAC A'BAFAB back to X.Step3. When X receives )t,t,ID(MAC A'BAFAB , he can also verify it successfully,because 't B is computed by himself. So he can take At and his secretrandom 'R b to compute the session key 'RbAAB tZ  . Accordingly, user Aand X have the same session key and thus can communicate with each other.Because adversary X can send his message using B’s ID, A will believe thathe is communicating with B. So, adversary X can pretend to be user B tocommunicate with A successfully. Therefore, we have a successful KCIattack. The figure of KCI attack on this scheme is shown in Fig.2Fig2. KCI attack on the Key Establishment Using Diffie-Hellman key exchange3.2 Attack on the Key Establishment based on Public Key Encryption ApproachHere, we assume that an adversary X knows user B’s long-term secret key sQB.Under this assumption, when he wants to launch a KCI attack, he can compute theMAC key FAB to pretend user A to communicate with B. We delineate it as follows:Step1. After intercepting NB sent by B, X will choose a random key 'K as theshared session key and encrypts it using B’s public key denoted as  'KE B .He also chooses a random number 'N A . After that, he sends IDA, 'N A , 'KE B and the computed  )KE,N,ID(MAC 'BBBFAB to B.A BtAarA gt XIntercepts tAChooses 'R b'RBbg't Verify MAC)t,t,ID(MAC A'BAFABVerify MAC'RAABbtZ 'RBABatZ )t,t,ID(MAC 'BABFAB6Step2. After receiving the  'KE B , IDA, 'N A , and  )KE,N,ID(MAC 'BBBFAB , B willdecrypt  'KE B to get 'K using his private key and verify to see if )KE,N,ID(MAC 'BBBFAB is authentic. Obviously, B will verify it successfullyfor he also has the same MAC key FAB as X does. After that B will send theauthenticator encrypted with the session key K’selected by X and send)N,'N,ID,ID(MAC BABA'K to user X. Then X can also verify it successfullyfor 'K is selected by himself.Step3. Then users B and X will have the same session key 'K , and thus cancommunicate with each other. Because X sends his information using A’s ID,B will believe that he is communicating with A. So X can pretend user A tocommunicate with B successfully. Therefore, we also have a successful KCIattack. The figure of KCI attack on this scheme is shown in Fig.3Fig3. KCI attack on the Key Establishment based on Public Key Encryption4. ConclusionIn this paper, we have pointed out the weaknesses existed in Boyd-Mao’sDeniable Authenticated key Establishment Protocols that it can’t resist the KCI attack.Therefore, Boyd-Mao’s Deniable Authenticated key Establishment Protocols are notsecure enough and need our further work to improve the security of the Internet KeyExchange (IKE) protocol. How to design a more secure and efficient IKE still remainsan open problem.Reference[1] A.J. Menezes and T. Okamoto, “Reducing elliptic curve logarithms to a FiniteA BXNB ]t...1[NB)'K(E B , IDA,'AN )KE,N,ID(FMAC 'BBBABFABChooses 'K , 'AN)N,N,IDID(MAC BAB,AKVerify MACIntercepts NBDecrypt to obtain'K and verify MAC7Field,”IEEE Transaction on Information Theory, 39(5)(1993)1639-1646.[2] M. Bellare and P. Rogaway,“Provably secure session key distribution -the threeparty case, ”In Proceedings of the 27th ACM Symposium on the Theory ofComputing, (1995).[3] D. Harkins and D. Carrel,“The Internet Key Exchange (IKE),”Internet RFC2409, (1998).[4] S. B. Wilson, and A. Menezes,“Authenticated Diffie-Hellman key agreementprotocols”, Proceedings of the 5th Annual Workshop on Selected Areas inCryptography (SAC ’98), Lecture Notes in Computer Science, (1999) (339-361)[5] M.S. Borella, “Methods and protocols for secure key negotiation using IKE, ”IEEE Network, (2000), 18-29.[6] J. Zhou, “Further analysis of the Internet key exchange protocol, ”ComputerCommunications, (23)(2000)1606-1612.[7] R. Perlman and C. Kaufman,“Key exchange in IPSec: Analysis of IKE,”IEEEInternet Computing, (2000)50-56.[8] R. Sakai and K. Ohgishiand, “Cryptosystems based on pairing, ”In The 2000Sympoium on Cryptography and Information Security, Okinawa, Japan,(2000).[9] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,”In Cryptology-CRYPTO 2001, 21st Annual International Cryptology Conference,volume 2139 of LNCS,(2001) 213-229.[10] R. Canetti and H. Krawczy,“Security analysis of IKE's signature-based keyexchange protocol,”In Advances in Cryptology ,(2002).[11] Z.F. Zhang and J. XU,“Attack on an Identification Scheme Based on GapDiffie-Hellman Problem,”Cryptology ePrint Archive: Report,(153)(2003).[12] Z. Chen,“Security analysis on Nalla-Reddy’s ID-based tripartite authenticate keyagreement protocols,”Cryptology ePrint Archive: Listing,(2003).[13] F. Zhang and. S.N. Reihaneh, “ID-Based Chameleon Hashes from BilinerPairings,”Cryptology ePrint Archive: Report,(128)(2003).[14] H.M. Sun and B.T. Hsieh, “Security Analysis of Shim’s Authenticated KeyAgreement Protocols from Pairings, ”Cryptology ePrint Archive: Report,(113)(2003)[15] G. Boyd and W. Mao, “Deniable Authenticated Key Establishment for InternetProtocols,”Security Protocols workshop of Cambridge, UK,(2003) 255-271.[16] H.S. Lee, “A self-pairing map and its applications to cryptography, ”AppliedMathematics and Computation, (151)(2004) 671-678.[17] R. Lu and Z. Cao, “A new deniable authentication protocol from bilinearpairings,”Applied Mathematics and Computation, (2004).[18] I. Duursma and H.S. Lee, “A group key agreement protocol from pairings,”8Applied Mathematics and Computation, (2004).[19] Y.J. Choie and E.J. Jeong,“Efficient identity-based authenticated key agreementprotocol from pairings, ”Applied Mathematics and Computation, (162)(2005)179-188

Weaknesses of the Boyd-Mao Deniable Authenticated key Establishment for Internet Protocols

Abstract

Similar works

Full text

Available Versions

Cryptology ePrint Archive