Security Analysis of KEA Authenticated Key Exchange Protocol

  • Kristin Lauter
  • Anton Mityagin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3958)

Abstract

KEA is a Diffie-Hellman based key-exchange protocol developed by NSA which provides mutual authentication for the parties. It became publicly available in 1998 and since then it was neither attacked nor proved to be secure. We analyze the security of KEA and find that the original protocol is susceptible to a class of attacks. On the positive side, we present a simple modification of the protocol which makes KEA secure. We prove that the modified protocol, called KEA+, satisfies the strongest security requirements for authenticated key-exchange and that it retains some security even if a secret key of a party is leaked. Our security proof is in the random oracle model and uses the Gap Diffie-Hellman assumption. Finally, we show how to add a key confirmation feature to KEA+ (we call the version with key confirmation KEA+C) and discuss the security properties of KEA+C.

References

  1. 1.
    Abdalla, M., Chevassut, O., Pointcheval, D.: One-Time Verifier-Based Encrypted Key Exchange. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 47–64. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  2. 2.
    Bellare, M., Palacio, A.: The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 273–289. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated Key Exchange Secure Against Dictionary Attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Rogaway, P.: Entity Authentication and Key Distribution. In: Stinson, D.R. (ed.) CRYPTO 1993, vol. 773, pp. 110–125. Springer, Heidelberg (1993)Google Scholar
  5. 5.
    Blake-Wilson, S., Johnson, D., Menezes, A.: Key Agreement Protocols and their Security Analysis. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 30–45. Springer, Heidelberg (1997)Google Scholar
  6. 6.
    Canetti, R.: Universally Composable Security: A New Paradigm for Cryptographic Protocols. In: FOCS 2001: Proceedings of the 42nd IEEE symposium on Foundations of Computer Science. IEEE Computer Society, Los Alamitos (2001)Google Scholar
  7. 7.
    Choo, K.-K.R., Boyd, C., Hitchcock, Y.: Examining Indistinguishability-Based Proof Models for Key Establishment Protocols. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 585–604. Springer, Heidelberg (2005) (to appear)CrossRefGoogle Scholar
  8. 8.
    Jeong, I.R., Katz, J., Lee, D.H.: One-Round Protocols for Two-Party Authenticated Key Exchange. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 220–232. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  9. 9.
    Canetti, R., Krawczyk, H.: Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  10. 10.
    Krawczyk, H.: SIGMA: The “SIGn-and-MAc” Approach to Authenticated Diffie- Hellman and Its Use in the IKE Protocols. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 400–425. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Krawczyk, H.: HMQV: A High-Performance Secure Diffie-Hellman Protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  12. 12.
    Jakobsson, M., Pointcheval, D.: Mutual Authentication for Low-Power Mobile Devices. In: Syverson, P.F. (ed.) FC 2001. LNCS, vol. 2339, pp. 178–195. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  13. 13.
    Kudla, C., Paterson, K.G.: Modular Security Proofs for Key Agreement Protocols. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 549–565. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  14. 14.
    Menezes, A.: Another look at HMQV, IACR Eprint archive (2005), http://eprint.iacr.org/2005/205
  15. 15.
    NIST, SKIPJACK and KEA Algorithm Specification (1998), http://csrc.nist.gov/encryption/skipjack/skipjack.pdf
  16. 16.
    Okamoto, T., Pointcheval, D.: The Gap Problems: A New Class of Problems for the Security of Cryptographic Schemes. In: Kim, K.-c. (ed.) PKC 2001. LNCS, vol. 1992, pp. 104–118. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  17. 17.
    Shoup, V.: On Formal Models for Secure Key Exchange, Theory of Cryptography Library (1999), http://www.shoup.net/papers/skey.ps
  18. 18.
    Tin, Y.S.T., Boyd, C., González Nieto, J.M.: Provably Secure Mobile Key Exchange: Applying the Canetti-Krawczyk Approach. In: Safavi-Naini, R., Seberry, J. (eds.) ACISP 2003. LNCS, vol. 2727, pp. 166–179. Springer, Heidelberg (2003)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Kristin Lauter
    • 1
  • Anton Mityagin
    • 2
  1. 1.Microsoft ResearchRedmondUSA
  2. 2.Department of Computer ScienceUniversity of CaliforniaSan DiegoUSA

Personalised recommendations