Anonymity and one-way authentication in key exchange protocols

Key establishment is a crucial cryptographic primitive for building secure communication channels between two parties in a network. It has been studied extensively in theory and widely deployed in practice. In the research literature a typical protocol in the public-key setting aims for key secrecy and mutual authentication. However, there are many important practical scenarios where mutual authentication is undesirable, such as in anonymity networks like Tor, or is difficult to achieve due to insufficient public-key infrastructure at the user level, as is the case on the Internet today. In this work we are concerned with the scenario where two parties establish a private shared session key, but only one party authenticates to the other; in fact, the unauthenticated party may wish to have strong anonymity guarantees. We present a desirable set of security, authentication, and anonymity goals for this setting and develop a model which captures these properties. Our approach allows for clients to choose among different levels of authentication. We also describe an attack on a previous protocol of Øverlier and Syverson, and present a new, efficient key exchange protocol that provides one-way authentication and anonymity.

[1]  Hugo Krawczyk,et al.  SIGMA: The 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE-Protocols , 2003, CRYPTO.

[2]  Mihir Bellare,et al.  Authenticated Key Exchange Secure against Dictionary Attacks , 2000, EUROCRYPT.

[3]  Bogdan Warinschi,et al.  A Modular Security Analysis of the TLS Handshake Protocol , 2008, ASIACRYPT.

[4]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[5]  Alfred Menezes,et al.  An Efficient Protocol for Authenticated Key Agreement , 2003, Des. Codes Cryptogr..

[6]  Tim Dierks,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008 .

[7]  Hugo Krawczyk,et al.  HMQV: A High-Performance Secure Diffie-Hellman Protocol , 2005, CRYPTO.

[8]  Christopher Allen,et al.  The TLS Protocol Version 1.0 , 1999, RFC.

[9]  Paul F. Syverson,et al.  Improving Efficiency and Simplicity of Tor Circuit Establishment and Hidden Services , 2007, Privacy Enhancing Technologies.

[10]  Takeshi Okamoto,et al.  Anonymous Secure Communication in Wireless Mobile Ad-Hoc Networks , 2006, ICUCT.

[11]  Ian Goldberg On the Security of the Tor Authentication Protocol , 2006, Privacy Enhancing Technologies.

[12]  Hugo Krawczyk,et al.  Deniable authentication and key exchange , 2006, CCS '06.

[13]  Kim-Kwang Raymond Choo,et al.  Strongly-Secure Identity-Based Key Agreement and Anonymous Extension , 2007, ISC.

[14]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[15]  Ian Goldberg,et al.  Pairing-Based Onion Routing with Improved Forward Secrecy , 2010, TSEC.

[16]  Elaine B. Barker,et al.  Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography , 2007 .

[17]  Elaine B. Barker,et al.  SP 800-56A. Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised) , 2007 .

[18]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[19]  Elaine B. Barker,et al.  SP 800-56B. Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography , 2009 .

[20]  Hung-Yu Chien ID-Based Key Agreement with Anonymity for Ad Hoc Networks , 2007, EUC.

[21]  Dan Boneh,et al.  Advances in Cryptology - CRYPTO 2003 , 2003, Lecture Notes in Computer Science.

[22]  David M'Raïhi,et al.  Batch exponentiation: a fast DLP-based signature generation strategy , 1996, CCS '96.

[23]  Qiang Tang,et al.  Identity-Based Key Agreement with Unilateral Identity Privacy Using Pairings , 2006, ISPEC.

[24]  A. Pfitzmann,et al.  A terminology for talking about privacy by data minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management , 2010 .

[25]  Angelos D. Keromytis,et al.  Just fast keying: Key agreement in a hostile internet , 2004, TSEC.

[26]  Rosario Gennaro,et al.  Constructing Certificateless Encryption and ID-Based Encryption from ID-Based Key Agreement , 2010, Pairing.

[27]  Alfred Menezes,et al.  Key Agreement Protocols and Their Security Analysis , 1997, IMACC.

[28]  Steven M. Bellovin,et al.  Encrypted key exchange: password-based protocols secure against dictionary attacks , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[29]  Hugo Krawczyk,et al.  Security Analysis of IKE's Signature-Based Key-Exchange Protocol , 2002, CRYPTO.

[30]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[31]  Victor Shoup,et al.  On Formal Models for Secure Key Exchange , 1999, IACR Cryptol. ePrint Arch..

[32]  Kristin E. Lauter,et al.  Stronger Security of Authenticated Key Exchange , 2006, ProvSec.

[33]  Alfred Menezes,et al.  Comparing the pre- and post-specified peer models for key agreement , 2009, Int. J. Appl. Cryptogr..

[34]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.