Professional Documents
Culture Documents
2.
More generally:
n
Sessions:
Adversary:
Monitors/controls/modifies
traffic (m-i-t-m)
May
May
Wish list:
Intuitive (beware!)
Reject bad
attackers)
Accept
Ensure
Usability:
is non-trivial
In this talk
SIGMA Protocol
6
A, g
B, gy
Authenticated Diffie-Hellman
A
A, gx, SIGA(gx)
B, gy, SIGB(gy)
A, gx
B, gy, SIGB(gx,gy)
SIGA(gy,gx)
Peers DH value acts as anti-replay nonce (I prefer explicit nonces)
A: Shared K=gxy with B (KB)
A, gx
B, gy, SIGB(gx,gy)
SIGA(gy,gx)
Any
E, gx
B, gy, SIGB(gx,gy)
SIGE(gy,gx)
Notes
The above attack was discovered by Diffievan Oorschot-Wiener [DVW92]; its the
differential cryptanalysis of KE protocols
a reminder of the crucial consistency property
11
A, g
B, gy, SIGB(gx,gy,A)
SIGA(gy,gx,B)
Thwarts the identity-misbinding attack by including the
identity of the peer under the signature
12
A, gx
B, gy, SIGB(gx,gy,E)
E, gx
B, gy, SIGB(gx,gy,E)
14
On KE Analysis Work
Logic-based
On KE Analysis: Bellare-Rogaway93
Authentication
On KE Analysis: Bellare-Canetti-K98
AM-to-UM compilers
good tuning of the definition turned out to be tricky [CK02] (but the
authentication techniques very useful!)
17
On KE Analysis: Canetti-K01
Requires
Definition
(e.g., a
enc and
SK-Security: KE protocol
SK-Security: Attacker
Schedules
May
May
2.
21
SK-security results
A variety of protocols have been proven SKsecure (both DH and key-transport) : e.g., ISO,
SKEME, SIGMA, IKE, and pre-shared
authenticated protocols
Two
(PFS
modeled through session-expiration; expired sessions are NOT
exposed even if attacker corrupts the sessions owner)
22
Well
True
non-
Authenticators
[BCK98]
Recall:
UM
(Unauthenticated-links Model):
realistic attack model as described before
AM
A signature-based authenticator
Single message authenticator: A
A
msg
A, msg
B:
B
B, nonce
A, SIGA(nonce,msg,B)
Compiler from AM to UM: apply the above authenticator
.
to each protocols
message
25
A, gx
B, gy
A, gx
B, gyB(gx,gy,A)
B, gy, SIG
msg=gy
nonce=gx
A, SIGA(gy,gx,B)
Authenticator applied to gy is a slightly different variant:
first A sends nonce (gx), then B sends message (gy) with signature
Other Authenticators
possible
Either
the design is not decomposable into a basic AMsecure protocol and an authenticator applied to it
or desirable
The
29
Conclusions
Many
Final Conclusion
!!ThAnKs
31