Zero Round-Trip Time for the Extended Access Control Protocol

  • Jacqueline Brendel
  • Marc Fischlin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10492)


The Extended Access Control (EAC) protocol allows to create a shared cryptographic key between a client and a server. While originally used in the context of identity card systems and machine readable travel documents, the EAC protocol is increasingly adopted as a universal solution to secure transactions or for attribute-based access control with smart cards. Here we discuss how to enhance the EAC protocol by a so-called zero-round trip time (0RTT) mode. Through this mode the client can, without further interaction, immediately derive a new key from cryptographic material exchanged in previous executions. This makes the 0RTT mode attractive from an efficiency viewpoint such that the upcoming TLS 1.3 standard, for instance, will include its own 0RTT mode. Here we show that also the EAC protocol can be augmented to support a 0RTT mode. Our proposed EAC+0RTT protocol is compliant with the basic EAC protocol and adds the 0RTT mode smoothly on top. We also prove the security of our proposal according to the common security model of Bellare and Rogaway in the multi-stage setting.



We thank the anonymous reviewers for valuable comments. This work has been co-funded by the DFG as part of project D.2 within the RTG 2050 “Privacy and Trust for Mobile Users”, as well as part of project S4 within the CRC 1119 CROSSING.


  1. 1.
    Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (Aug (1994)Google Scholar
  2. 2.
    Bender, J., Dagdelen, Ö., Fischlin, M., Kügler, D.: Domain-specific pseudonymous signatures for the german identity card. In: Gollmann, D., Freiling, F.C. (eds.) ISC 2012. LNCS, vol. 7483, pp. 104–119. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-33383-5_7 CrossRefGoogle Scholar
  3. 3.
    Bender, J., Dagdelen, Ö., Fischlin, M., Kügler, D.: The PACE|AA Protocol for Machine Readable Travel Documents, and Its Security. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 344–358. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-32946-3_25 CrossRefGoogle Scholar
  4. 4.
    Bender, J., Fischlin, M., Kügler, D.: Security analysis of the PACE key-agreement protocol. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 33–48. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-04474-8_3 CrossRefGoogle Scholar
  5. 5.
    Bender, J., Fischlin, M., Kügler, D.: The PACE\(|\)CA protocol for machine readable travel documents. In: Bloem, R., Lipp, P. (eds.) INTRUST 2013. LNCS, vol. 8292, pp. 17–35. Springer, Cham (2013). doi: 10.1007/978-3-319-03491-1_2 CrossRefGoogle Scholar
  6. 6.
    Brendel, J., Fischlin, M.: Zero Round-Trip Time for the Extended Access Control Protocol. Cryptology ePrint Archive, Report 2017/060 (2017).
  7. 7.
    Brendel, J., Fischlin, M., Günther, F., Janson, C.: PRF-ODH: Relations, Instantiations, and Impossibility Results. Cryptology ePrint Archive, Report 2017/517 (2017).
  8. 8.
    Brzuska, C.: On the foundations of key exchange. Ph.D. thesis, Technische Universität Darmstadt, Darmstadt, Germany (2013).
  9. 9.
    Brzuska, C., Fischlin, M., Warinschi, B., Williams, S.C.: Composability of Bellare-Rogaway key exchange protocols. In: Chen, Y., Danezis, G., Shmatikov, V. (eds.) ACM CCS 2011, pp. 51–62. ACM Press, October 2011Google Scholar
  10. 10.
    BSI (Bundesamt für Sicherheit in der Informationstechnik, Federal Office for Information Security): Technical Guideline TR-03110: Advanced Security Mechanisms for Machine Readable Travel Documents: Extended Access Control (EAC), Password Authenticated Connection Establishment (PACE), and Restricted Identification (RI. BSI-TR-03110, version 2.0) (2008)Google Scholar
  11. 11.
    Cheng, Y., Chu, J., Radhakrishnan, S., Jain, A.: TCP Fast Open, RFC 7413, Internet Engineering Task Force (IETF), December 2014Google Scholar
  12. 12.
    Cooper, D., Ferraiolo, H., Mehta, K., Francomacaro, S., Chandramouli, R., Mohler, J.: Interfaces for Personal Identity Verification - Part 1: PIV Card Application Namespace, Data Model and Representation, May 2015Google Scholar
  13. 13.
    Coron, J.-S., Gouget, A., Icart, T., Paillier, P.: Supplemental access control (PACE v2): security analysis of PACE integrated mapping. In: Naccache, D. (ed.) Cryptography and Security: From Theory to Applications. LNCS, vol. 6805, pp. 207–232. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-28368-0_15 CrossRefGoogle Scholar
  14. 14.
    Dagdelen, Ö., Fischlin, M.: Security analysis of the extended access control protocol for machine readable travel documents. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 54–68. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-18178-8_6 CrossRefGoogle Scholar
  15. 15.
    Dagdelen, Ö., Fischlin, M., Gagliardoni, T., Marson, G.A., Mittelbach, A., Onete, C.: A cryptographic analysis of OPACITY - (extended abstract). In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 345–362. Springer, Heidelberg (2013)Google Scholar
  16. 16.
    Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 1197–1210. ACM Press, October 2015Google Scholar
  17. 17.
    Fischlin, M., Günther, F.: Multi-stage key exchange and the case of Google’s QUIC protocol. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 2014, pp. 1193–1204. ACM Press, November 2014Google Scholar
  18. 18.
    Fischlin, M., Günther, F., Schmidt, B., Warinschi, B.: Key confirmation in key exchange: a formal treatment and implications for TLS 1.3. In: 2016 IEEE Symposium on Security and Privacy, pp. 452–469. IEEE Computer Society Press, May 2016Google Scholar
  19. 19.
    Gilson, B., Baldridge, T.: PKI (CAK) – Enabled PACS with PIV Card: PACS Lessons Learned and Need for Speed, May 2015. Presentation at FIPS 201–2 Supporting Special Publications Workshop.
  20. 20.
    Google: QUIC, a multiplexed stream transport over UDP (2016).
  21. 21.
    Hale, B., Jager, T., Lauer, S., Schwenk, J.: Speeding: on low-latency key exchange. Cryptology ePrint Archive, Report 2015/1214 (2015).
  22. 22.
    Hanzlik, L., Krzywiecki, Ł., Kutyłowski, M.: Simplified PACE\(|\)AA protocol. In: Deng, R.H., Feng, T. (eds.) ISPEC 2013. LNCS, vol. 7863, pp. 218–232. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-38033-4_16 CrossRefGoogle Scholar
  23. 23.
    Hanzlik, L., Kutyłowski, M.: Restricted identification secure in the extended Canetti-Krawczyk model. J. Univ. Comput. Sci. 21(3), 419–439 (2015)Google Scholar
  24. 24.
    ICAO: Machine Readable Travel Documents, Part 11, Security Mechanisms for MRTDs. Doc 9303, 7th edn. (2015)Google Scholar
  25. 25.
    Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  26. 26.
    Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 429–448. Springer, Heidelberg (2013)Google Scholar
  27. 27.
    Kutyłowski, M., Krzywiecki, Ł., Kubiak, P., Koza, M.: Restricted identification scheme and Diffie-Hellman linking problem. In: Chen, L., Yung, M., Zhu, L. (eds.) INTRUST 2011. LNCS, vol. 7222, pp. 221–238. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-32298-3_15 CrossRefGoogle Scholar
  28. 28.
    Morgner, F., Bastian, P., Fischlin, M.: Attribute-based access control architectures with the eIDAS protocols. In: SSR 2016: Security Standardisation Research. LNCS, vol. 10074, pp. 205-226. Springer, Heidelberg (2016). doi: 10.1007/978-3-319-49100-4_9
  29. 29.
    Morgner, F., Bastian, P., Fischlin, M.: Securing transactions with the eIDAS protocols. In: Foresti, S., Lopez, J. (eds.) WISTP 2016. LNCS, vol. 9895, pp. 3–18. Springer, Cham (2016). doi: 10.1007/978-3-319-45931-8_1 CrossRefGoogle Scholar
  30. 30.
    Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3, draft-ietf-tls-tls13-12.
  31. 31.
    Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3, draft-ietf-tls-tls13-13.
  32. 32.
    Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3 - draft-ietf-tls-tls13-20.
  33. 33.
    Smart Card Alliance: Industry Technical Contributions: OPACITY.

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Cryptoplexity, Technische Universität DarmstadtDarmstadtGermany

Personalised recommendations