Security analysis of SM2 key exchange protocol in TPM2.0

The newly released Trusted Platform Module (TPM) specification, TPM2.0, adds cryptographic support for key exchange by providing SM2 authenticated key exchange (AKE) application programming interface (API) commands. Xu analyzed the SM2 AKE protocol and found that it is insecure in a common computing environment, presenting two types of unknown key share attacks. Here, we present another design weakness of the SM2 AKE protocol, which might prevent the protocol from being proven secure in modern security models. We also analyze the security of the SM2 AKE protocol in TPM2.0, whose running environment is very different, and find that (i) it indeed gains some security improvements through the protection capability provided by the two SM2 AKE commands of TPM2.0, but (ii) it still has some weaknesses, which might lead to unknown key share and key-compromise impersonation attacks because of the bad design of the TPM2.0 API. We solve the weaknesses of the SM2 AKE protocol in TPM2.0 by slightly modifying one SM2 AKE command and finally give a formal proof of our solution in the Canetti and Krawczyk model. Our work shows that TPM2.0 could provide a provably secure SM2 AKE by slightly modifying one command. Copyright © 2014 John Wiley & Sons, Ltd.
