Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels
We present a formalism for the analysis of key-exchange protocols that combines previous definitional approaches and results in a definition of security that enjoys some important analytical benefits: (i) any key-exchange protocol that satisfies the security definition can be composed with symmetric encryption and authentication functions to provide provably secure communication channels (as defined here); and (ii) the definition allows for simple modular proofs of security: one can design and prove security of key-exchange protocols in an idealized model where the communication links are perfectly authenticated, and then translate them using general tools to obtain security in the realistic setting of adversary-controlled links.
We exemplify the usability of our results by applying them to obtain the proof of two classes of key-exchange protocols, Diffie-Hellman and key-transport, authenticated via symmetric or asymmetric techniques.
Keywords: Local Output; Secret Information; Secure Channel; Perfect Forward Secrecy; Corrupted Party