
Privacy-Preserving Authenticated Key Exchange: Stronger Privacy and Generic Constructions

  • Conference paper
Computer Security – ESORICS 2021 (ESORICS 2021)

Abstract

Authenticated key-exchange (AKE) protocols are an important class of protocols that allow two parties to establish a common session key over an insecure channel such as the Internet and then use it to protect their communication. They are widely deployed in security protocols such as TLS, IPsec and SSH. Besides the confidentiality of the communicated data, an orthogonal but increasingly important goal is the confidentiality of the identities of the involved parties (i.e., privacy). For instance, the Encrypted Client Hello (ECH) mechanism for TLS 1.3 has been designed for exactly this reason. Recently, a series of works (Zhao CCS’16, Arfaoui et al. PoPETS’19, Schäge et al. PKC’20) studied the privacy guarantees of (existing) AKE protocols by integrating privacy into AKE models. We observe that these so-called privacy-preserving AKE (PPAKE) models are typically strongly tailored to the specific setting, i.e., to the concrete protocols they investigate. Moreover, the privacy guarantees in these models might be too weak (or even non-existent) when facing active adversaries.

In this work we set the goal of providing a single PPAKE model that captures privacy guarantees against different types of attacks, thereby covering previously proposed notions as well as privacy guarantees that have not been achieved so far. In doing so, we obtain different “degrees” of privacy within a single model which, in its strongest forms, also captures privacy guarantees against powerful active adversaries. We then proceed to investigate (generic) constructions of AKE protocols that provide strong privacy guarantees in our PPAKE model. This includes classical Diffie-Hellman type protocols as well as protocols based on generic building blocks, thus covering post-quantum instantiations.


Notes

  1. We note that key-exchange protocols that hide the identity of one party even from the peer in the key exchange (e.g., as in [13, 24]) are outside the scope of this work.

  2. https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/.

  3. This might contain various private and public keys for signatures and encryption.

  4. Note that the bookkeeping and consistent answers for matched sessions are required to avoid trivial distinguishers in case of cross-tunnel attacks (cf. Sect. 3.3).

  5. Clearly, one could however group parties to generate virtual parties with more identities in our model.

  6. Otherwise an adversary obtaining all long-term PKE keys could simply try to test-decrypt. Omitting this countermeasure would require non-standard properties from the PKE, i.e., that ciphertexts produced under one key can also be decrypted with other keys and yield meaningful messages.

References

  1. Aiello, W., et al.: Just fast keying: key agreement in a hostile internet. ACM Trans. Inf. Syst. Secur. 7(2), 242–273 (2004)

  2. Arfaoui, G., Bultel, X., Fouque, P.A., Nedelcu, A., Onete, C.: The privacy of the TLS 1.3 protocol. PoPETs 2019(4), 190–210 (2019). https://doi.org/10.2478/popets-2019-0065

  3. Barbosa, M., Boldyreva, A., Chen, S., Warinschi, B.: Provable security analysis of FIDO2. Cryptology ePrint Archive, Report 2020/756 (2020). https://eprint.iacr.org/2020/756

  4. Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_33

  5. Boyd, C., Cremers, C., Feltz, M., Paterson, K.G., Poettering, B., Stebila, D.: ASICS: authenticated key exchange security incorporating certification systems. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 381–399. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40203-6_22

  6. Canetti, R., Krawczyk, H.: Security analysis of IKE’s signature-based key-exchange protocol. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 143–161. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_10, https://eprint.iacr.org/2002/120/

  7. Chai, Z., Ghafari, A., Houmansadr, A.: On the importance of encrypted-SNI (ESNI) to censorship circumvention. In: FOCI @ USENIX. USENIX Association (2019)

  8. Cohn-Gordon, K., Cremers, C., Gjøsteen, K., Jacobsen, H., Jager, T.: Highly efficient key exchange protocols with optimal tightness. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 767–797. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_25

  9. Dingledine, R., Mathewson, N., Syverson, P.F.: Tor: the second-generation onion router. In: Blaze, M. (ed.) USENIX Security 2004, pp. 303–320. USENIX Association, August 2004

  10. Donenfeld, J.A.: WireGuard: next generation kernel network tunnel. In: NDSS 2017. The Internet Society, Feb/Mar 2017

  11. Dowling, B., Paterson, K.G.: A cryptographic analysis of the WireGuard protocol. In: Preneel, B., Vercauteren, F. (eds.) ACNS 2018. LNCS, vol. 10892, pp. 3–21. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93387-0_1

  12. Fan, K., Li, H., Jiang, W., Xiao, C., Yang, Y.: U2F based secure mutual authentication protocol for mobile payment. In: ACM TUR-C, pp. 27:1–27:6. ACM (2017)

  13. Goldberg, I., Stebila, D., Ustaoglu, B.: Anonymity and one-way authentication in key exchange protocols. Des. Codes Cryptogr. 67(2), 245–269 (2013)

  14. Gross, H., Hölbl, M., Slamanig, D., Spreitzer, R.: Privacy-aware authentication in the Internet of Things. In: Reiter, M., Naccache, D. (eds.) CANS 2015. LNCS, vol. 9476, pp. 32–39. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26823-1_3

  15. Hoffman, P.E., McManus, P.: DNS queries over HTTPS (DoH). RFC 8484, 1–21 (2018)

  16. Hövelmanns, K., Kiltz, E., Schäge, S., Unruh, D.: Generic authenticated key exchange in the quantum random oracle model. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 389–422. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_14

  17. Hu, Z., Zhu, L., Heidemann, J.S., Mankin, A., Wessels, D., Hoffman, P.E.: Specification for DNS over transport layer security (TLS). RFC 7858, 1–19 (2016)

  18. Hülsing, A., Ning, K.C., Schwabe, P., Weber, F., Zimmermann, P.R.: Post-quantum WireGuard. Cryptology ePrint Archive, Report 2020/379 (2020). https://eprint.iacr.org/2020/379

  19. Kaufman, C., Hoffman, P.E., Nir, Y., Eronen, P., Kivinen, T.: Internet key exchange protocol version 2 (IKEv2). RFC 7296, 1–142 (2014)

  20. Krawczyk, H.: SKEME: a versatile secure key exchange mechanism for internet. In: NDSS, pp. 114–127. IEEE (1996)

  21. Krawczyk, H.: SIGMA: the ‘SIGn-and-MAc’ approach to authenticated Diffie-Hellman and its use in the IKE protocols. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 400–425. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_24

  22. Lauter, K., Mityagin, A.: Security analysis of KEA authenticated key exchange protocol. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 378–394. Springer, Heidelberg (2006). https://doi.org/10.1007/11745853_25

  23. Li, Y., Schäge, S.: No-match attacks and robust partnering definitions: defining trivial attacks for security protocols is not trivial. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 1343–1360. ACM Press, Oct/Nov 2017. https://doi.org/10.1145/3133956.3134006

  24. Øverlier, L., Syverson, P.: Improving efficiency and simplicity of Tor circuit establishment and hidden services. In: Borisov, N., Golle, P. (eds.) PET 2007. LNCS, vol. 4776, pp. 134–152. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-75551-7_9

  25. Paterson, K.G., Srinivasan, S.: Building key-private public-key encryption schemes. In: Boyd, C., González Nieto, J. (eds.) ACISP 2009. LNCS, vol. 5594, pp. 276–292. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02620-1_20

  26. Perrin, T.: The noise protocol framework (2017). https://noiseprotocol.org

  27. Rescorla, E.: The transport layer security (TLS) protocol version 1.3. RFC 8446, 1–160 (2018)

  28. Rescorla, E., Oku, K., Sullivan, N., Wood, C.A.: TLS encrypted client hello. Internet-Draft draft-ietf-tls-esni-07, Internet Engineering Task Force, June 2020. https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-07. Work in Progress

  29. dos Santos, G.L., Guimaraes, V.T., da Cunha Rodrigues, G., Granville, L.Z., Tarouco, L.M.R.: A DTLS-based security architecture for the internet of things. In: ISCC, pp. 809–815. IEEE (2015)

  30. Schäge, S., Schwenk, J., Lauer, S.: Privacy-preserving authenticated key exchange and the case of IKEv2. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 567–596. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_20

  31. Schwabe, P., Stebila, D., Wiggers, T.: Post-quantum TLS without handshake signatures. In: Ligatti, J., Ou, X., Katz, J., Vigna, G. (eds.) ACM CCS 2020, pp. 1461–1480. ACM Press, November 2020. https://doi.org/10.1145/3372297.3423350

  32. Tezcan, C., Vaudenay, S.: On hiding a plaintext length by preencryption. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 345–358. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21554-4_20

  33. Wu, D.J., Taly, A., Shankar, A., Boneh, D.: Privacy, discovery, and authentication for the Internet of Things. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 301–319. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45741-3_16

  34. Zhao, Y.: Identity-concealed authenticated encryption and key exchange. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 1464–1479. ACM Press, October 2016. https://doi.org/10.1145/2976749.2978350


Acknowledgements

This work was supported by the European Union’s Horizon 2020 research and innovation programme under grant agreements no. 826610 (Comp4Drones) and no. 861696 (Labyrinth), and by the Austrian Science Fund (FWF) and netidee SCIENCE under grant agreement P31621-N38 (Profet).

Corresponding author

Correspondence to Daniel Slamanig.


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Ramacher, S., Slamanig, D., Weninger, A. (2021). Privacy-Preserving Authenticated Key Exchange: Stronger Privacy and Generic Constructions. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science, vol. 12973. Springer, Cham. https://doi.org/10.1007/978-3-030-88428-4_33


  • DOI: https://doi.org/10.1007/978-3-030-88428-4_33


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88427-7

  • Online ISBN: 978-3-030-88428-4
