Abstract
Key establishment is a crucial cryptographic primitive for building secure communication channels between two parties in a network. It has been studied extensively in theory and widely deployed in practice. In the research literature a typical protocol in the public-key setting aims for key secrecy and mutual authentication. However, there are many important practical scenarios where mutual authentication is undesirable, such as in anonymity networks like Tor, or is difficult to achieve due to insufficient public-key infrastructure at the user level, as is the case on the Internet today. In this work we are concerned with the scenario where two parties establish a private shared session key, but only one party authenticates to the other; in fact, the unauthenticated party may wish to have strong anonymity guarantees. We present a desirable set of security, authentication, and anonymity goals for this setting and develop a model which captures these properties. Our approach allows for clients to choose among different levels of authentication. We also describe an attack on a previous protocol of Øverlier and Syverson, and present a new, efficient key exchange protocol that provides one-way authentication and anonymity.
Additional information
Communicated by C. Cid.
Cite this article
Goldberg, I., Stebila, D. & Ustaoglu, B. Anonymity and one-way authentication in key exchange protocols. Des. Codes Cryptogr. 67, 245–269 (2013). https://doi.org/10.1007/s10623-011-9604-z