Less is more: relaxed yet composable security notions for key exchange

Although they do not suffer from clear attacks, various key agreement protocols (for example the one used within the TLS protocol) are deemed insecure by existing security models for key exchange. The reason is that the derived keys are already used within the key exchange step itself (in TLS, the Finished messages are protected under the freshly negotiated keys), which violates the usual key-indistinguishability requirement. In this paper we propose a new security definition for key exchange protocols that offers two important benefits. First, our notion is weaker than the more established ones and thus allows the analysis of a larger class of protocols. Second, security in the sense that we define enjoys rather general composability properties, and these properties are derived entirely within game-based formalisms, without appealing to any simulation-based paradigm. Specifically, we show that protocols whose security relies exclusively on some underlying symmetric primitive can be securely composed with key exchange protocols provided that two main requirements hold: (1) no adversary can break the underlying primitive, even when the primitive uses keys obtained from executions of the key exchange protocol in the presence of the adversary (this is essentially the security requirement that we introduce and formalize in this paper), and (2) the security of the protocol can be reduced to that of the primitive, no matter how the keys for the primitive are distributed. Proving that the two conditions are satisfied and then applying our generic theorem should be simpler than performing a monolithic analysis of the composed protocol. We exemplify our results in the case of a profile of the TLS protocol.