# The Fallout of Key Compromise in a Proxy-Mediated Key Agreement Protocol

## Abstract

In this paper, we analyze how key compromise affects the protocol by Nguyen et al. presented at ESORICS 2016, an authenticated key agreement protocol mediated by a proxy entity, restricted to symmetric encryption primitives only and intended for IoT environments. This protocol uses long-term encryption tokens as intermediate values during the encryption and decryption procedures, which implies that these tokens can be used to encrypt and decrypt messages without knowing the corresponding secret keys. In our work, we show how key compromise (or even compromise of the encryption tokens) allows an attacker to break forward security and leads to key compromise impersonation attacks. Moreover, we demonstrate that these problems cannot be solved even if the affected user revokes the compromised secret key and updates it to a new one. The conclusion is that this protocol cannot be used in IoT environments, where key compromise is a realistic risk.

## Notes

### Acknowledgments

This work was partly supported by the Junta de Andalucía through the project FISICCO (P11-TIC-07223) and by the Spanish Ministry of Economy and Competitiveness through the PERSIST project (TIN2013-41739-R). The first author is supported by a contract from the Regional Ministry of Economy and Knowledge of Andalucía.

## References

- 1. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak SHA-3 submission. NIST (Round 3) **6**(7), 16 (2011, to be submitted)
- 2. Boneh, D., Lewi, K., Montgomery, H., Raghunathan, A.: Key homomorphic PRFs and their applications. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 410–428. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40041-4_23
- 3. Boyd, C., Mathuria, A.: Protocols for Authentication and Key Establishment. Springer, Heidelberg (2013)
- 4. Chalkias, K., Baldimtsi, F., Hristu-Varsakelis, D., Stephanides, G.: Two types of key-compromise impersonation attacks against one-pass key establishment protocols. In: Filipe, J., Obaidat, M.S. (eds.) ICETE 2007. CCIS, vol. 23, pp. 227–238. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-88653-2_17
- 5. Cook, D.L., Keromytis, A.D.: Conversion functions for symmetric key ciphers. J. Inf. Assur. Secur. **1**(2), 119–128 (2006)
- 6. Denning, D.E., Sacco, G.M.: Timestamps in key distribution protocols. Commun. ACM **24**(8), 533–536 (1981)
- 7. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theor. **22**(6), 644–654 (1976)
- 8. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theor. **29**(2), 198–208 (1983)
- 9. Duong, T., Rizzo, J.: Flickr's API signature forgery vulnerability (2009)
- 10. Garrison, W.C., Shull, A., Myers, S., Lee, A.J.: On the practicality of cryptographically enforcing dynamic access control policies in the cloud. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 819–838, May 2016
- 11. Krawczyk, D.H., Eronen, P.: HMAC-based extract-and-expand key derivation function (HKDF). RFC 5869, October 2015
- 12. Liu, Z., Huang, X., Hu, Z., Khan, M.K., Seo, H., Zhou, L.: On emerging family of elliptic curves to secure internet of things: ECC comes of age. IEEE Trans. Dependable Secur. Comput. **14**(3), 237–248 (2016). doi: 10.1109/TDSC.2016.2577022. ISSN: 1545-5971
- 13. Menezes, A.J., Van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)
- 14. Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Commun. ACM **21**(12), 993–999 (1978)
- 15. Neuman, B.C., Ts'o, T.: Kerberos: an authentication service for computer networks. IEEE Commun. Mag. **32**(9), 33–38 (1994)
- 16. Nguyen, K.T., Oualha, N., Laurent, M.: Authenticated key agreement mediated by a proxy re-encryptor for the internet of things. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 339–358. Springer, Cham (2016). doi: 10.1007/978-3-319-45741-3_18
- 17. Nuñez, D., Agudo, I., Lopez, J.: A parametric family of attack models for proxy re-encryption. In: Proceedings of the 28th IEEE Computer Security Foundations Symposium, CSF 2015, pp. 290–301. IEEE Computer Society (2015)
- 18. Nuñez, D., Agudo, I., Lopez, J.: Proxy re-encryption: analysis of constructions and its application to secure access delegation. J. Netw. Comput. Appl. **87**, 193–209 (2017)
- 19. Sakazaki, H., Anzai, K., Hosoya, J.: Study of re-encryption scheme based on symmetric-key cryptography. In: 31st Symposium on Cryptography and Information Security (SCIS 2014) (2014)
- 20. Strangio, M.A.: On the resilience of key agreement protocols to key compromise impersonation. In: Atzeni, A.S., Lioy, A. (eds.) EuroPKI 2006. LNCS, vol. 4043, pp. 233–247. Springer, Heidelberg (2006). doi: 10.1007/11774716_19
- 21. Syalim, A., Nishide, T., Sakurai, K.: Realizing proxy re-encryption in the symmetric world. In: Abd Manaf, A., Zeki, A., Zamani, M., Chuprat, S., El-Qawasmeh, E. (eds.) ICIEIS 2011. CCIS, vol. 251, pp. 259–274. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-25327-0_23
- 22. Tsudik, G.: Message authentication with one-way hash functions. ACM SIGCOMM Comput. Commun. Rev. **22**(5), 29–38 (1992)
- 23. Watanabe, D., Sakazaki, H., Miyazaki, K.: Representative system and security message transmission using re-encryption scheme based on symmetric-key cryptography. J. Inf. Process. **25**, 67–74 (2017)
- 24. Wikipedia: SpongeBob SquarePants – Wikipedia, the free encyclopedia (2016). https://en.wikipedia.org/wiki/SpongeBob_SquarePants. Accessed 18 Oct 2016