Publication


Featured research published by Yvonne Hitchcock.


international conference on the theory and application of cryptology and information security | 2005

Errors in computational complexity proofs for protocols

Kim-Kwang Raymond Choo; Colin Boyd; Yvonne Hitchcock

Proofs are invaluable tools in assuring protocol implementers about the security properties of protocols. However, several instances of undetected flaws in the proofs of protocols (resulting in flawed protocols) undermine the credibility of provably-secure protocols. In this work, we examine several protocols with claimed proofs of security by Boyd & Gonzalez Nieto (2003), Jakobsson & Pointcheval (2001), and Wong & Chan (2001), and an authenticator by Bellare, Canetti, & Krawczyk (1998). Using these protocols as case studies, we reveal previously unpublished flaws in these protocols and their proofs. We hope our analysis will enable similar mistakes to be avoided in the future.


international workshop on security | 2004

On session identifiers in provably secure protocols: the Bellare-Rogaway three-party key distribution protocol revisited

Kim-Kwang Raymond Choo; Colin Boyd; Yvonne Hitchcock; Greg Maitland

We examine the role of session identifiers (SIDs) in security proofs for key establishment protocols. After reviewing the practical importance of SIDs we use as a case study the three-party server-based key distribution (3PKD) protocol of Bellare and Rogaway, proven secure in 1995. We show incidentally that the partnership function used in the existing security proof is flawed. There seems to be no way to define a SID for the 3PKD protocol that will preserve the proof of security. A small change to the protocol allows a natural definition for a SID and we prove that the new protocol is secure using this SID to define partnering.


international conference on progress in cryptology | 2005

On session key construction in provably-secure key establishment protocols

Kim-Kwang Raymond Choo; Colin Boyd; Yvonne Hitchcock

We examine the role of session key construction in provably-secure key establishment protocols. We revisit an ID-based key establishment protocol due to Chen & Kudla (2003) and an ID-based protocol 2P-IDAKA due to McCullagh & Barreto (2005). Both protocols carry proofs of security in a weaker variant of the Bellare & Rogaway (1993) model where the adversary is not allowed to make any Reveal query. We advocate the importance of such a (Reveal) query as it captures the known-key security requirement. We then demonstrate that a small change to the way that session keys are constructed in both protocols results in these protocols being secure without restricting the adversary from asking the Reveal queries in most situations. We point out some errors in the existing proof for protocol 2P-IDAKA, and provide proof sketches for the improved Chen & Kudla’s protocol. We conclude with a brief discussion on ways to construct session keys in key establishment protocols.


Computer Communications | 2006

The importance of proofs of security for key establishment protocols

Kim-Kwang Raymond Choo; Colin Boyd; Yvonne Hitchcock

Despite the importance of proofs in assuring protocol implementers about the security properties of key establishment protocols, many protocol designers fail to provide any proof of security. Flaws detected long after the publication and/or implementation of protocols will erode the credibility of key establishment protocols. We revisit recent work of Choo, Boyd, Hitchcock, Maitland where they utilize the Bellare, Pointcheval, Rogaway (Authenticated key exchange secure against dictionary attacks, in: B. Preneel (Ed.), Advances in Cryptology - Eurocrypt 2000, Springer-Verlag, LNCS 1807/2000, pp. 139-155, 2000) computational complexity proof model in a machine specification and analysis (using an automated model checker - SHVT) for provably secure key establishment protocol analysis. We then examine several key establishment protocols without proofs of security, namely: protocols due to J.-K. Jan, Y.-H. Chen (A new efficient MAKEP for wireless communications, in: 18th International Conference on Advanced Information Networking and Applications - AINA 2004, IEEE Computer Society, pp. 347-350, 2004), W.-H. Yang, J.-C. Shen, S.-P. Shieh (Designing authentication protocols against guessing attacks. Technical Report 2(3), Institute of Information & Computing Machinery, Taiwan, 1999. http://www.iicm.org.tw/communication/c2_3/page07.doc), Y.-S. Kim, E.-N. Huh, J. Hwang, B.-W. Lee (An efficient key agreement protocol for secure authentication, in: A. Lagana, M.L. Gavrilova, V. Kumar, Y. Mun, C.J.K. Tan, O. Gervasi (Eds.), International Conference On Computational Science And Its Applications - ICCSA 2004, Springer-Verlag, LNCS 3043/2004, pp. 746-754, 2004), C.-L. Lin, H.-M. Sun, T. Hwang. (Three-party encrypted key exchange: attacks and a solution, in: ACM SIGOPS Operating Systems Review, pp. 12-20, 2000), and H.-T. Yeh, H.-M. Sun (Simple authenticated key agreement protocol resistant to password guessing attacks, in: ACM SIGOPS Operating Systems Review, 36(4), pp. 14-22, 2002). Using these protocols as case studies, we demonstrate previously unpublished flaws in these protocols. We may speculate that such errors could have been found by protocol designers if proofs of security were to be constructed, and hope this work will encourage future protocol designers to provide proofs of security.


australasian conference on information security and privacy | 2005

Security requirements for key establishment proof models: revisiting Bellare–Rogaway and Jeong–Katz–Lee protocols

Kim-Kwang Raymond Choo; Yvonne Hitchcock

We observe that the definitions of security in the computational complexity proof models of Bellare & Rogaway (1993) and Canetti & Krawczyk (2001) require two partners in the presence of a malicious adversary to accept the same session key, which we term a key sharing requirement. We then revisit the Bellare–Rogaway three-party key distribution (3PKD) protocol and the Jeong–Katz–Lee two-party authenticated key exchange protocol $\mathcal{TS}2$, which carry claimed proofs of security in the Canetti & Krawczyk (2001) model and the Bellare & Rogaway (1993) model respectively. We reveal previously unpublished flaws in these protocols where we demonstrate that both protocols fail to satisfy the definition of security in the respective models. We present a new 3PKD protocol as an improvement with a proof of security in the Canetti & Krawczyk (2001) model and a simple fix to the specification of protocol $\mathcal{TS}2$. We also identify several variants of the key sharing requirement and present a brief discussion.


australasian conference on information security and privacy | 2002

A New Elliptic Curve Scalar Multiplication Algorithm to Resist Simple Power Analysis

Yvonne Hitchcock; Paul Montague

Elliptic curve cryptosystems (ECCs) are becoming more popular because of the reduced number of key bits required in comparison to other cryptosystems (e.g. a 160 bit ECC has roughly the same security as 1024 bit RSA). ECCs are especially suited to smart cards because of the limited memory and computational power available on these devices. However, the side-channel attacks which have recently been proposed can obtain information about the cryptosystem by measuring side-channel information such as power consumption and processing time. This information may be used to break implementations that have not incorporated defences against these attacks. This paper presents a new defence against Simple Power Analysis (SPA). This new defence is based on the NAF (non-adjacent form) representation of a scalar and requires 44% fewer additions and 11% extra doublings than the commonly recommended defence of performing a point addition in every loop of the binary scalar multiplication algorithm.


international conference on cryptology in india | 2003

A Password-Based Authenticator: Security Proof and Applications

Yvonne Hitchcock; Yiu Shing Terry Tin; Juan Gonzalez-Nieto; Colin Boyd; Paul Montague


international conference on cryptology in india | 2004

Tripartite key exchange in the Canetti-Krawczyk proof model

Yvonne Hitchcock; Colin Boyd; Juan Manuel González Nieto


Applicable Algebra in Engineering, Communication and Computing | 2006

Modular proofs for key exchange: rigorous optimizations in the Canetti–Krawczyk model

Yvonne Hitchcock; Colin Boyd; Juan Manuel González Nieto


IFIP World Computer Congress, TC 1 | 2005

Complementing Computational Protocol Analysis with Formal Specifications

Kim-Kwang Raymond Choo; Colin Boyd; Yvonne Hitchcock; Greg Maitland

Collaboration

Top Co-Authors

Colin Boyd
Norwegian University of Science and Technology

Kim-Kwang Raymond Choo
University of Texas at San Antonio

Ed Dawson
Queensland University of Technology

Gary Carter
Queensland University of Technology

Greg Maitland
Queensland University of Technology

Juan Manuel González Nieto
Queensland University of Technology

Juan Gonzalez-Nieto
Queensland University of Technology

Young-Ho Park
Pukyong National University