Less is more: relaxed yet composable security notions for key exchange

  • Regular Contribution, International Journal of Information Security

Abstract

Although they do not suffer from clear attacks, various key agreement protocols (for example the one used within the TLS protocol) are deemed insecure by existing security models for key exchange. The reason is that the derived keys are already used within the key exchange step, violating the usual key-indistinguishability requirement. In this paper, we propose a new security definition for key exchange protocols that offers two important benefits. Our notion is weaker than the more established ones and thus allows the analysis of a larger class of protocols. Furthermore, security in the sense that we define enjoys rather general composability properties. In addition, our composability properties are derived within game-based formalisms and do not appeal to any simulation-based paradigm. Specifically, we show that protocols whose security relies exclusively on some underlying symmetric primitive can be securely composed with key exchange protocols provided that two main requirements hold: (1) no adversary can break the underlying primitive, even when the primitive uses keys obtained from executions of the key exchange protocol in the presence of the adversary (this is essentially the security requirement that we introduce and formalize in this paper), and (2) the security of the protocol can be reduced to that of the primitive, no matter how the keys for the primitive are distributed. Proving that the two conditions are satisfied, and then applying our generic theorem, should be simpler than performing a monolithic analysis of the composed protocol. We exemplify our results in the case of a profile of the TLS protocol.
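As an added illustration (not code from the paper), the following Python script shows why a TLS-style handshake that uses its session key for a Finished message fails classical key indistinguishability, while the paper's relaxed target, breaking the keyed primitive itself, gains nothing from the same transcript. The KDF, nonces and Finished format are constructed toy stand-ins, not TLS's real derivation.

```python
import hmac, hashlib, os, secrets

def kdf(shared_secret: bytes, transcript: bytes) -> bytes:
    """Toy key derivation (assumption): session key = HMAC(secret, transcript)."""
    return hmac.new(shared_secret, transcript, hashlib.sha256).digest()

def mac(key: bytes, msg: bytes) -> bytes:
    """The symmetric primitive keyed by the session key (HMAC-SHA256)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def run_key_exchange(shared_secret: bytes):
    """Constructed TLS-like exchange: public nonces, derived key, and a
    Finished message computed *inside* the handshake with that key."""
    handshake = os.urandom(32) + os.urandom(32)          # client/server nonces
    key = kdf(shared_secret, handshake)
    finished = mac(key, b"finished" + handshake)         # key confirmation
    return key, {"handshake": handshake, "finished": finished}

def key_indist_challenge(key: bytes, b: int) -> bytes:
    """Test query of the classical game: the real key if b == 1, else a
    uniformly random key of the same length."""
    return key if b == 1 else secrets.token_bytes(len(key))

def distinguisher(transcript, candidate: bytes) -> int:
    """Adversary: the public Finished tag lets it check any candidate key
    against the handshake, so it recovers the challenge bit every time."""
    expected = mac(candidate, b"finished" + transcript["handshake"])
    return 1 if hmac.compare_digest(expected, transcript["finished"]) else 0

def key_indist_advantage(trials: int = 64) -> float:
    """Fraction of challenges the distinguisher answers correctly (1.0)."""
    wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)
        key, transcript = run_key_exchange(os.urandom(32))
        wins += distinguisher(transcript, key_indist_challenge(key, b)) == b
    return wins / trials

def relaxed_game_replay_fails() -> bool:
    """Relaxed notion: the adversary must break the primitive under the
    derived key (here: forge a MAC on a fresh message). Replaying the
    Finished tag on application data is rejected by verification."""
    key, transcript = run_key_exchange(os.urandom(32))
    forged_msg = b"application data"
    return not hmac.compare_digest(mac(key, forged_msg), transcript["finished"])
```

The distinguisher wins with probability 1, which is exactly why key-indistinguishability models reject such handshakes even though no key is ever learned; the relaxed check shows the transcript does not hand over a forgery.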


Notes

  1. In the forward-secure variant, for all tuples \((\mathsf{label},\mathsf{kid},U,V,\mathsf{sid},\mathsf{st}_{\mathsf{exec}},\kappa,\mathsf{st}_{\mathsf{key}})\) with \(\mathsf{st}_{\mathsf{exec}}=\mathsf{running}\) in the list \(\mathcal{L}_G\), the value \(\mathsf{st}_{\mathsf{key}}\) is set to \(\mathsf{revealed}\).

  2. A signature scheme which is universally unforgeable under chosen message attack [21].

  3. More abstractly, any kind of UNF-CMA certification scheme would work, but we stick to signature-based certificates for sake of concreteness.

References

  1. Barak, B., Lindell, Y., Rabin, T.: Protocol Initialization for the Framework of Universal Composability. ePrint archive: http://eprint.iacr.org/2004/006

  2. Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Advances in Cryptology-EUROCRYPT 2000, LNCS, vol. 1807, pp. 259–274, Springer (2000)

  3. Bellare, M., Boldyreva, A., Palacio, A.: An uninstantiable random-oracle-model scheme for a hybrid-encryption problem. In: Advances in Cryptology-EUROCRYPT 2004, LNCS, vol. 3027, pp. 171–188, Springer (2004)

  4. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Advances in Cryptology-ASIACRYPT 2000, LNCS, vol. 1976, pp. 531–545, Springer (2000)

  5. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Advances in Cryptology-EUROCRYPT 2000, LNCS, vol. 1807, pp. 139–155, Springer (2000)

  6. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Advances in Cryptology, CRYPTO ’93, LNCS, vol. 773, pp. 232–249, Springer (1994)

  7. Bellare, M., Rogaway, P.: Provably secure session key distribution: the three party case. In: 27th Symposium on Theory of Computing-STOC 1995, pp. 57–66, ACM (1995)

  8. Blake-Wilson, S., Johnson, D., Menezes, A.J.: Key agreement protocols and their security analysis. In: IMA Cryptography and Coding-IMACC 1997, LNCS, vol. 1355, pp. 30–45, Springer (1997)

  9. Blake-Wilson, S., Menezes, A.J.: Entity authentication and authenticated key transport protocols employing asymmetric techniques. In: IWSP, LNCS, vol. 1361, pp. 137–158, Springer (1998)

  10. Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Advances in Cryptology-CRYPTO ’98, LNCS, vol. 1462, pp. 1–12, Springer (1998)

  11. Brzuska, C., Fischlin, M., Warinschi, B., Williams, S.: Composability of Bellare-Rogaway key exchange protocols. In: Conference on Computer and Communication Security-CCS 2011, pp. 51–62, ACM (2011)

  12. Canetti, R.: Security and composition of multiparty cryptographic protocols. J. Cryptol. 13, 143–202 (2000)


  13. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Advances in Cryptology-EUROCRYPT 2001, LNCS, vol. 2045, pp. 453–474, Springer (2001)

  14. Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels. In: Advances in Cryptology-EUROCRYPT 2002, LNCS, vol. 2332, pp. 337–351, Springer (2002)

  15. Canetti, R., Krawczyk, H.: Security analysis of IKE’s signature-based key-exchange protocol. In: Advances in Cryptology-CRYPTO 2002, LNCS, vol. 2442, pp. 143–161, Springer (2002)

  16. Canetti, R., Rabin, T.: Universal composition with joint state. In: Advances in Cryptology-CRYPTO 2003, LNCS, vol. 2729, pp. 265–281, Springer (2003)

  17. Datta, A., Derek, A., Mitchell, J., Shmatikov, V., Turuani, M.: Probabilistic polynomial-time semantics for a protocol security logic. In: Automata, Languages and Programming-ICALP 2005, LNCS, vol. 3580, pp. 16–29, Springer (2005)

  18. Datta, A., Derek, A., Mitchell, J.C., Warinschi, B.: Computationally sound compositional logic for key exchange protocols. In: Computer Security Foundations Workshop-CSFW 2005, pp. 321–334, IEEE Computer Society (2006)

  19. Dierks, T., Allen, C.: The TLS Protocol Version 1.2. RFC 4346, April (2006)

  20. Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA-OAEP is secure under the RSA assumption. In: Advances in Cryptology-CRYPTO 2001, LNCS, vol. 2139, pp. 260–274, Springer (2001)

  21. Goldwasser, S., Micali, S., Rivest, R.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17, 281–308 (1988)


  22. International Civil Aviation Organization: Supplemental Access Control for Machine Readable Travel Documents. Version 1.01. Available at http://www2.icao.int/en/MRTD/Downloads/TechnicalReports/TechnicalReport.pdf (2010)

  23. Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Advances in Cryptology-CRYPTO 2012, LNCS, vol. 7417, pp. 273–293, Springer (2012)

  24. Kaliski, B.: PKCS #1: RSA Encryption Version 1.5. RFC 2313, October (1998)

  25. Krawczyk, H.: The Order of Encryption and authentication for protecting communications (or: How Secure Is SSL?). In: Advances in Cryptology-CRYPTO 2001, LNCS, vol. 2139, pp. 310–331, Springer (2001)

  26. Küsters, R., Tuengerthal, M.: Composition theorems without pre-established session identifiers. In: Conference on Computer and Communication Security-CCS 2011, pp. 41–50, ACM (2011)

  27. Maurer, U., Tackmann, B.: On the soundness of authenticate-then-encrypt: formalizing the malleability of symmetric encryption. In: Conference on Computer and Communication Security-CCS 2010, pp. 505–515, ACM (2010)

  28. Morrissey, P., Smart, N.P., Warinschi, B.: The TLS handshake protocol: a modular analysis. J. Cryptol. 23, 187–223 (2010)


  29. Paterson, K.G., Ristenpart, T., Shrimpton, T.: Tag size does matter: attacks and proofs for the TLS record protocol. In: Advances in Cryptology-ASIACRYPT 2011, LNCS, vol. 7073, pp. 372–389, Springer (2011)

  30. Shoup, V.: On formal models for secure key exchange. IBM Research Report RZ 3120 (1999)


Acknowledgments

The authors would like to thank the European Commission through the ICT Program under Contract ICT-2007-216676 ECRYPT II for partially funding the work in this paper. The first two authors were also supported by the German Academic Exchange Service DAAD, by CASED (www.cased.de), and the second author by the Emmy Noether Grant Fi 940/2-1 and the Heisenberg grant Fi 940/3-1 of the German Research Foundation DFG. The third author was supported by a Royal Society Wolfson Merit Award and by ERC Advanced Grant ERC-2010-AdG-267188-CRIPTO. The fifth author was supported by an EPSRC Doctoral Training Account award.

Author information


Correspondence to N. P. Smart.


About this article

Cite this article

Brzuska, C., Fischlin, M., Smart, N.P. et al. Less is more: relaxed yet composable security notions for key exchange. Int. J. Inf. Secur. 12, 267–297 (2013). https://doi.org/10.1007/s10207-013-0192-y
