Protocols and security models for authentication and key establishment


Student thesis: Master's Thesis



  • Wei ZHU

Related Research Unit(s)


Awarding Institution
  • Shek Duncan WONG (Supervisor)
Award date: 14 Jul 2006


Authentication and key establishment are fundamental building blocks for securing communications. Cryptographic algorithms for encryption and integrity cannot perform their functions unless secure keys have been established (key establishment) and the parties know which intended parties share such keys (authentication). An authenticated key establishment protocol is a tuple of several interactive parties. These parties interact with each other in a hostile environment, and the objective of the protocol is to establish a random session key among these parties in such a way that no other party can obtain this session key. In addition, each party is sure that it is communicating with the intended parties. If the protocol involves only two parties, we refer to such a protocol as an Authenticated Key Exchange (AKE) protocol. In the literature, many AKE protocols have been proposed. However, due to the introduction of some new notions related to authentication (e.g. Key Compromise Impersonation Resilience (KCI Resilience), Deniability) and key establishment (e.g. Forward Secrecy against a compromised Key Generation Server (KGS-FS) in ID-based settings), as well as the lack of a formally defined security model specifically for constructing and analyzing such protocols, many of these protocols have been shown to be insecure or have required major revisions later.

With the revival of interest in ID-based cryptography and the advancement of wireless communication technology, low-power devices communicating over low-bandwidth wireless networks using ID-based key exchange (KE) protocols are in booming demand and are almost becoming ubiquitous nowadays. At the same time, secure communication among these devices and service providers is needed in many commercial applications. This requires secure and efficient ID-based KE protocols which should also be versatile enough in key management and scalability.

In order to address the above issues to some extent, the objective of our research is the design and analysis of protocols and security models for authentication and key establishment. In this thesis, we first review the background and related work. After that we list several AKE protocols and show that they are vulnerable to several kinds of attacks. In this part, we first present several attacks on two AKE protocols, including a client impersonation attack, an impersonation attack and an unknown key-share attack, which apply if the underlying block ciphers of the protocols are operated in some commonly used modes. Then, we describe another attack against an AKE protocol between a sensor node and a security manager. This attack allows a security manager to learn the long-term secret of a sensor after launching a normal run of the protocol. After that, we show that the person-in-the-middle (PIM) attack can be launched successfully on two deniable authentication protocols. We also propose improved approaches which thwart the corresponding attacks. For the first two AKE protocols, the reason why they are flawed is that these protocols do not provide data integrity. We improve them by using a message authentication code (MAC) to protect some ciphertext blocks in the original protocols so that data integrity can be achieved. For the other AKE protocol and the two deniable authentication protocols, the problems occur in the protocol design. We present our improved approaches to fix the security flaws and make all the original security properties hold again.

In the next part of the thesis, we propose an efficient ID-based KE protocol which is suitable for low-power devices. On security, our ID-based KE protocol supports the KGS-FS property, and it can be shown secure under the well-known security model for authentication and key exchange protocols proposed by Canetti and Krawczyk (the CK-model). On performance, our protocol is the first one which does not need any pairing or map-to-point hash operation, and it is faster than all comparable protocols.

Finally, based on the CK-model, we enhance the model to capture KCI Resilience. Our capturing method is unique, and we show that it is more versatile than all comparable ones. In particular, we capture KCI Resilience for authentication protocols in general rather than restricting it to KE protocols, and no additional proofs are required specifically for KCI security. After that, we further propose an ID-based extension to our enhanced CK-model. The new extension captures the general setting of ID-based authentication protocols (hence including ID-based KE protocols). The model, when used for analyzing ID-based KE protocols, also captures the property of KGS-FS. To exemplify the use of this new extension, we provide a proof of security for the above ID-based KE protocol and show that it supports both KCI Resilience and KGS-FS. Our enhanced models provide a modular approach to designing and analyzing KE protocols with most of the security properties captured. In addition, our models are also flexible enough to make some security properties optional.

Research areas

  • Authentication, Computer network protocols, Public key cryptography, Access control, Computers