Key-Exchange Protocol Using Pre-Agreed Session-ID

Kenji Imamoto
Kyushu University, JAPAN

Abstract

• Any message through Internet or radio communication can be easily eavesdropped on
  – Privacy should be considered (especially, this paper considers identity concealment)
• Introduce Pre-Agreed Session ID (PAS)
  – Identification which is a disposable unique value used for every session to specify each session and party
• Formalize security model for key-exchange protocol
• Propose a secure key-exchange protocol using PAS
• Argue about the problems which arise when PAS is used

Contents

1. Introduction

2. Security Model

3. PAS Protocol

4. Proof of PAS Protocol

5. Variants and Discussions

6. Conclusion

1. Introduction

• Main focus of our study is … Key-Exchange Protocol using Pre-shared Key

Long-term shared secret → Protocol → Short-term secret

• Most existing schemes cannot prevent leakage of users’ identities

User’s ID   Secret key
Alice       $K_A$
Bob         $K_B$
Charlie     $K_C$

($K_B$: secret key, $M$: message)

Bob (holding $K_B$) → Public Network → Responder: Bob, $E_{K_B}(M)$

Threat: Leakage of user’s identity

Bob (holding $K_B$) → Public Network → Responder: $E_{K_B}(\mathrm{Bob}, M)$

• We need another identifiable information
• Legitimate user can specify his partner
• No attacker can specify who is communicating

Our Solution

• Session ID [CK01, CK02]
  – Purpose: uniquely name sessions
  – Assumption: unique among all the session IDs
• Pre-Agreed Session ID (PAS)
  – Unique session ID agreed between each peer before activation of the session
  – Uniquely name a session and parties who participate in the session

[CK01] R. Canetti and H. Krawczyk, “Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels”, EUROCRYPT’2001.

[CK02] R. Canetti and H. Krawczyk, “Security Analysis of IKE’s Signature-Based Key-Exchange Protocol”, CRYPTO’2002.

2. Security Model

• Existing Model [CK01] (SK-Security)
  – Consider the security of session key
• Our Model (SK-ID-Security)
  – Consider the security of not only session key but also users’ identities

Existing Model → (Extend) → Our Model

Communication Channel

• The channel is Broadcast-type
  – All messages can be sent to a pool of messages
  – There is no assumption on the logical connection between the address where a message is delivered and the identity behind that address.
• Attacker is a (probabilistic) polynomial-time machine with full control of the communication lines between parties
  – Free to intercept, delay, drop, inject, or change all messages sent over these lines

Attacker’s Access to Secret Information (session expose)

• Session state reveal
  – Session state for an incomplete session (which does not include long-term secret)
• Session-key query
  – Session-key of a completed session
• Party corruption
  – All information in the memory of the party (including session states, session-key, long-term secrets)
• Identity reveal
  – Parties’ identities that activate a session

Basic Idea of SK-ID-Security (1)

• Indistinguishability style [CK01]
  – The success of an attack is measured via its ability to distinguish the real values from independent random values

Oracle and Attacker:

1. Freely choose a complete session as test session (Attacker)
2. Query (Attacker → Oracle)
3. Coin toss (Oracle)
4. Response (real or random) (Oracle → Attacker)
5. Guess the result of coin toss (Attacker)

If head, response is real. If tail, response is random.

Basic Idea of SK-ID-Security (2)

• The attacker succeeds in its attack if
  1. The test session is not exposed
  2. The probability of his correct guess of coin toss is significantly larger than 1/2

Definition (SK-ID-security)
A key-exchange protocol is called SK-ID-secure if for all attackers with the explained capabilities, success probability (in its test-session distinguishing attacks) is not more than 1/2 plus a negligible fraction

• Two games against Test session:
  – Distinction of session-key (real session key or random value) [CK01]
  – Distinction of pairs (real party or randomly chosen party)

Game: Distinction of pairs

Oracle and Attacker:

1. Freely choose a complete session as test session (Attacker)
2. Query (Attacker → Oracle)
3. Coin toss (Oracle)
4. Response (real or random) (Oracle → Attacker)
5. Guess the result of coin toss (Attacker)

If head, response is real. If tail, response is random.

Random: random choice from all possible pairs that do not include either of the real parties’ ID

Parties: A, B, C, D, E
• A shares PSK with B
• C shares PSK with D and E

Pairs shown in the figure: A-B, C-D, C-E, A-C, A-D, A-E, B-C, B-D, B-E, D-E (figure labels: Real, Random)

3. PAS Protocol

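Parties: $P_i$ and $P_j$

1. Start message ($P_i$ → $P_j$):

   $PAS_{ij}^{m},\ g^{x}$

2. Response message ($P_j$ → $P_i$):

   $PAS_{ij}^{m},\ g^{y},\ \mathrm{MAC}_{k_2}(1, PAS_{ij}^{m}, P_i, g^{y}, g^{x}, g^{xy})$

3. Finish message ($P_i$ → $P_j$):

   $PAS_{ij}^{m},\ \mathrm{MAC}_{k_2}(0, PAS_{ij}^{m}, P_j, g^{x}, g^{y}, g^{xy})$

$k_0 = \mathrm{PRF}_{g^{xy}}(0)$ % Session key

$k_1 = \mathrm{PRF}_{g^{xy}}(1)$ %

$k_2 = \mathrm{PRF}_{PSK_{ij}}(2)$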

1mijPAS

Held by each of the two parties: $PAS_{ij}^{m}$, $PSK_{ij}$

MAC: Message Authentication Code
PRF: Pseudo Random Function

4. Proof of PAS Protocol

• Main Theorem
  – Assuming DDH and the security of the underlying cryptographic functions (i.e., MAC and PRF), PAS protocol is SK-ID-secure
• Strategy for Proof of Main Theorem
  – Show that a DDH distinguisher can be built from an attacker that succeeds in distinguishing between a real and a random response to the test-session query

5. Variants and Discussions (DoS-resilient)

Figure: Adversary, Responder, User

Responder cannot respond. (Even for legitimate users!)

Point: Responder needs to distinguish legitimate requests from waste ones at low cost

Protection from DoS attack

• Request needs a valid PAS
• Attacker can guess no valid PAS
• The cost of checking validity of received PAS is equal to only searching in responder’s PAS list.

User’s ID   PAS          Secret key
Alice       $PAS_{AR}$   $K_{AR}$
Bob         $PAS_{BR}$   $K_{BR}$
Charlie     $PAS_{CR}$   $K_{CR}$

Figure: Adversary and Bob in front of the Responder; Bob sends “$PAS_{BR}$, Request”
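
Added example (not part of the original slides): a Python sketch of the three PAS messages combined with the responder's PAS-list lookup from the DoS slide, showing that an unknown PAS is rejected after a single table lookup, before any exponentiation or MAC work. HMAC-SHA256 as both PRF and MAC, the toy group, the field encoding, the names Responder and initiate, and deleting a PAS after one completed session are assumptions of this sketch; how the next PAS is agreed is not modelled.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3   # toy group (assumption): far too small for real use

def enc(n):            # fixed-width encoding of a group element
    return n.to_bytes(16, "big")

def prf(key, label):   # PRF_key(label); HMAC-SHA256 is an assumption here
    return hmac.new(key, bytes([label]), hashlib.sha256).digest()

def mac(key, *fields): # MAC over length-prefixed fields (unambiguous encoding)
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

class Responder:
    def __init__(self, me, table):   # table: PAS -> (peer ID, PSK)
        self.me, self.table, self.pending = me, table, {}

    def on_start(self, pas, gx):
        entry = self.table.get(pas)  # one lookup is all an unknown PAS costs
        if entry is None or not 1 < gx < P - 1:
            return None
        peer, psk = entry
        y = secrets.randbelow(P - 2) + 1
        gy, gxy, k2 = pow(G, y, P), pow(gx, y, P), prf(psk, 2)
        self.pending[pas] = (k2, gx, gy, gxy)
        return pas, gy, mac(k2, b"\x01", pas, peer, enc(gy), enc(gx), enc(gxy))

    def on_finish(self, pas, tag):
        if pas not in self.pending:
            return None
        k2, gx, gy, gxy = self.pending.pop(pas)
        good = mac(k2, b"\x00", pas, self.me, enc(gx), enc(gy), enc(gxy))
        if not hmac.compare_digest(tag, good):
            return None
        del self.table[pas]          # PAS is disposable: one session only
        return prf(enc(gxy), 0)      # k0, the session key

def initiate(me, peer, pas, psk, responder):
    x = secrets.randbelow(P - 2) + 1
    gx = pow(G, x, P)
    reply = responder.on_start(pas, gx)            # Start: PAS, g^x
    if reply is None or not 1 < reply[1] < P - 1:
        return None
    gy, tag = reply[1], reply[2]                   # Response: PAS, g^y, MAC
    gxy, k2 = pow(gy, x, P), prf(psk, 2)
    if not hmac.compare_digest(tag, mac(k2, b"\x01", pas, me, enc(gy), enc(gx), enc(gxy))):
        return None
    fin = mac(k2, b"\x00", pas, peer, enc(gx), enc(gy), enc(gxy))
    return prf(enc(gxy), 0), responder.on_finish(pas, fin)   # Finish: PAS, MAC
```

Calling initiate(b"Bob", b"Responder", pas, psk, responder) with a (pas, psk) pair that is in the responder's table returns two equal 32-byte keys, one computed on each side. An unknown or already used PAS makes on_start return None.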

6. Conclusion

• Introduce Pre-Agreed Session ID (PAS)
  – Identification which is a disposable unique value used for every session to specify each session and party
• Formalize security model for key-exchange protocol
• Propose a secure key-exchange protocol using PAS
• Argue about the problems which arise when PAS is used
  – Synchronization of PAS, DoS attack, PFS

Security problems on RFID tags (short introduction)

Sakurai Lab., Kyushu Univ.

Junichiro

What is a Radio Frequency Identification (RFID) tag?

• A small and inexpensive microchip that emits an ID in response to a query from a reader
• Used as a substitute for a bar code
  – Management of goods and their circulation, theft detection
• Little computational power
• Easily readable by a reader
• Communication between an RFID tag and a reader can be monitored

→ Infringement of privacy

Privacy problems

• ID leakage
  – An adversary can eavesdrop ID information
  – She can read by using a reader
• Leakage of information about belongings
• ID tracing
  – If ID information on an RFID tag is fixed, an adversary can trace tag owner's activity
• Infringement on location privacy

Figure labels: price of the suit, ○○ yen in wallet, shoe size

Our research themes

• Location privacy
  – We can use a re-encryption scheme to change ID information
  – We proposed a re-encryption scheme with a check
• Yoking proof and grouping proof
  – We showed a replay attack against Juels's yoking proof
  – We proposed a secure yoking proof by using a time stamp
• Owner changing
  – After changing owner, the new owner does not want the old owner to be able to read the RFID tag
  – We proposed a key change scheme for changing owner