Key-agreement protocol

In cryptography, a key-agreement protocol is a protocol whereby two (or more) parties generate a cryptographic key as a function of information provided by each honest party so that no party can predetermine the resulting value.[1] In particular, all honest participants influence the outcome. A key-agreement protocol is a specialisation of a key-exchange protocol.[2]

At the end of the agreement, all parties share the same key. A key-agreement protocol precludes undesired third parties from forcing a key choice on the agreeing parties. A secure key agreement can ensure confidentiality and data integrity[3] in communications systems, ranging from simple messaging applications to complex banking transactions.

Secure agreement is defined relative to a security model, for example the Universal Model.[2] More generally, when evaluating protocols, it is important to state security goals and the security model.[4] For example, it may be required for the session key to be authenticated. A protocol can be evaluated for success only in the context of its goals and attack model.[5] An example of an adversarial model is the Dolev-Yao model.

In many key exchange systems, one party generates the key, and sends that key to the other party;[6] the other party has no influence on the key.

Exponential key exchange

The first publicly known[6] public-key agreement protocol that meets the above criteria was the Diffie–Hellman key exchange, in which two parties jointly exponentiate a generator with random numbers, in such a way that an eavesdropper cannot feasibly determine what the resultant value used to produce a shared key is.

Exponential key exchange in and of itself does not specify any prior agreement or subsequent authentication between the participants. It has thus been described as an anonymous key agreement protocol.

Symmetric Key Agreement

Symmetric Key Agreement (SKA) is a method of key-agreement that uses solely symmetric cryptography and cryptographic hash functions as cryptographic primitives. It is related to Symmetric Authenticated Key Exchange.[7]

SKA may assume the use of initial shared secrets[7] or a trusted third party with whom the agreeing parties share a secret is assumed.[8] If no third party is present, then achieving SKA can be trivial: we assume that two parties share an initial secret and have tautologically achieved SKA.

SKA contrasts with key-agreement protocols that include techniques from asymmetric cryptography. For example, key encapsulation mechanisms.

The initial exchange of a shared key must be done in a manner that is private and integrity-assured. Historically, this was achieved by physical means, such as by using a trusted courier.

An example of a SKA protocol is the Needham-Schroeder Symmetric Key Protocol. It establishes a session key between two parties on the same network, using a server as a trusted third party. The original Needham-Schroeder protocol is vulnerable to a replay attack. Timestamps and nonces are included to fix this attack. It forms the basis for the Kerberos protocol.

Types of Secret Key Agreement

Boyd et al.[9] classify two-party key agreement protocols according to two criteria as follows:

  1. whether a pre-shared key already exists or not
  2. the method of generating the session key.

The pre-shared key may be shared between the two parties, or each party may share a key with a trusted third party. If there is no secure channel (as may be established via a pre-shared key), it is impossible to create an authenticated session key.[10]

The session key may be generated via: key transport, key agreement and hybrid. If there is no trusted third party, then the cases of key transport and hybrid session key generation are indistinguishable. SKA is concerned with protocols in which the session key is established using only symmetric primitives.

Authentication

Main article: Authenticated key agreement

Anonymous key exchange, like Diffie–Hellman, does not provide authentication of the parties, and is thus vulnerable to man-in-the-middle attacks.

A wide variety of cryptographic authentication schemes and protocols have been developed to provide authenticated key agreement to prevent man-in-the-middle and related attacks. These methods generally mathematically bind the agreed key to other agreed-upon data, such as the following:

  • Public/private key pairs
  • Shared secret keys
  • Passwords

Public keys

A widely used mechanism for defeating such attacks is the use of digitally signed keys that must be integrity-assured: if Bob's key is signed by a trusted third party vouching for his identity, Alice can have considerable confidence that a signed key she receives is not an attempt to intercept by Eve. When Alice and Bob have a public-key infrastructure, they may digitally sign an agreed Diffie–Hellman key, or exchanged Diffie–Hellman public keys. Such signed keys, sometimes signed by a certificate authority, are one of the primary mechanisms used for secure web traffic (including HTTPS, SSL or Transport Layer Security protocols). Other specific examples are MQV, YAK and the ISAKMP component of the IPsec protocol suite for securing Internet Protocol communications. However, these systems require care in endorsing the match between identity information and public keys by certificate authorities in order to work properly.

Hybrid systems

Hybrid systems use public-key cryptography to exchange secret keys, which are then used in a symmetric-key cryptography systems. Most practical applications of cryptography use a combination of cryptographic functions to implement an overall system that provides all of the four desirable features of secure communications (confidentiality, integrity, authentication, and non-repudiation).

Passwords

Password-authenticated key agreement protocols require the separate establishment of a password (which may be smaller than a key) in a manner that is both private and integrity-assured. These are designed to resist man-in-the-middle and other active attacks on the password and the established keys. For example, DH-EKE, SPEKE, and SRP are password-authenticated variations of Diffie–Hellman.

Other tricks

If one has an integrity-assured way to verify a shared key over a public channel, one may engage in a Diffie–Hellman key exchange to derive a short-term shared key, and then subsequently authenticate that the keys match. One way is to use a voice-authenticated read-out of the key, as in PGPfone. Voice authentication, however, presumes that it is infeasible for a man-in-the-middle to spoof one participant's voice to the other in real-time, which may be an undesirable assumption. Such protocols may be designed to work with even a small public value, such as a password. Variations on this theme have been proposed for Bluetooth pairing protocols.

In an attempt to avoid using any additional out-of-band authentication factors, Davies and Price proposed the use of the interlock protocol of Ron Rivest and Adi Shamir, which has been subject to both attack and subsequent refinement.

See also

References

  1. ^ Menezes, A.; Oorschot, P. van; Vanstone, S. (1997). Handbook of Applied Cryptography (5th ed.). CRC Press. ISBN 0-8493-8523-7.
  2. ^ a b Canetti, Ran; Krawczyk, Hugo (6 May 2001). "Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels". Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology. Springer-Verlag: 453–474. ISBN 978-3-540-42070-5.
  3. ^ Bellare, Mihir; Canetti, Ran; Krawczyk, Hugo (23 May 1998). "A modular approach to the design and analysis of authentication and key exchange protocols (Extended abstract)". Proceedings of the thirtieth annual ACM symposium on Theory of computing - STOC '98. Association for Computing Machinery. pp. 419–428. doi:10.1145/276698.276854. ISBN 0-89791-962-9.
  4. ^ Gollmann, D. (6 May 1996). "What do we mean by entity authentication?". Proceedings 1996 IEEE Symposium on Security and Privacy. IEEE Computer Society. pp. 46–54. doi:10.1109/SECPRI.1996.502668. ISBN 978-0-8186-7417-4.
  5. ^ Katz, Jonathan; Lindell, Yehuda (2021). Introduction to modern cryptography (Third ed.). Boca Raton London New York: CRC Press Taylor & Francis Group. p. 49. ISBN 978-0815354369.
  6. ^ a b See Diffie–Hellman key exchange for a more complete history of both the secret and public development of public-key cryptography.
  7. ^ a b Boyd, Colin; Davies, Gareth T.; de Kock, Bor; Gellert, Kai; Jager, Tibor; Millerjord, Lise (2021). "Symmetric Key Exchange with Full Forward Security and Robust Synchronization". Advances in Cryptology – ASIACRYPT 2021. Lecture Notes in Computer Science. Vol. 13093. Springer International Publishing. pp. 681–710. doi:10.1007/978-3-030-92068-5_23. hdl:11250/2989781. ISBN 978-3-030-92067-8.
  8. ^ Pagnia, Henning; Gaertner, Felix (1999). "On the impossibility of fair exchange without a trusted third party". Echnical Report TUD-BS-1999-02: 1–15.
  9. ^ Boyd, Colin; Mathuria, Anish; Stebila, Douglas (2020). Protocols for Authentication and Key Establishment. Information Security and Cryptography. doi:10.1007/978-3-662-58146-9. ISBN 978-3-662-58145-2.
  10. ^ Boyd, C. (June 1993). "Security architectures using formal methods" (PDF). IEEE Journal on Selected Areas in Communications. 11 (5): 694–701. doi:10.1109/49.223872.