Abstract
Wireless-channel key exchange (WiKE) protocols that leverage Physical Layer Security (PLS) techniques could become an alternative solution for establishing secure communication in settings such as vehicular ad-hoc networks, wireless IoT networks, or cross-layer protocols.
In this paper, we provide a novel abstraction of WiKE protocols and present the first game-based security model for WiKE. Our result enables the analysis of the security guarantees offered by these cross-layer protocols and allows the study of WiKE’s compositional aspects. Further, we address the potential problem of slow secret-key generation in WiKE under inadequate environmental conditions, which might render WiKE protocols impractical or undesirably slow. We explore a solution to this problem by bootstrapping the low-entropy key output by WiKE with a Password Authenticated Key Exchange (PAKE). On top of the new security definition for WiKE and the well-established ones for PAKE, we build a compositional WiKE-then-PAKE model and define the minimum security requirements for the safe sequential composition of the two primitives in a black-box manner. Finally, we show the pitfalls of previous ad-hoc attempts to combine WiKE and PAKE.
Notes
1. This is a simplification, as it assumes that each probe is performed once per coherence time of the channel. The difficulty in practice is that the exact coherence time of the channel is hard to estimate; this issue, however, is typically addressed in the later WiKE phases.
2. In practical terms, this distance must be at least 6.25 cm for a wireless transmission at 2.4 GHz, i.e. half the wavelength (λ = c/f ≈ 12.5 cm).
3. Note that \(\textsf{CGen}\) also includes the part of \(\textsf{PGen}\) that is responsible for public parameter generation, but not the password generation algorithm.
4. This is a small, manageable inconvenience that would not exist if a one-time PAKE primitive were used.
5. Note that in the FtG model [6], should a \(\textsf{Send}\) query result in a party instance accepting, this event is made visible to the adversary. However, in the original protocol from Zhang et al. [41], when the key confirmation round fails, instead of rejecting the session the protocol samples new, non-matching random keys and continues. It is unclear when the protocol accepts, and why a party would terminate with a non-matching key, which is bound to fail when used in any meaningful way. We therefore modify the protocol to reject when the key confirmation round fails.
References
Abdalla, M., Barbosa, M., Bradley, T., Jarecki, S., Katz, J., Xu, J.: Universally composable relaxed password authenticated key exchange. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 278–307. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_10
Abdalla, M., Benhamouda, F., MacKenzie, P.: Security of the J-PAKE password authenticated key exchange protocol. In: S&P 2015, pp. 571–587. IEEE Computer Society (2015)
Abdalla, M., Fouque, P.-A., Pointcheval, D.: Password-based authenticated key exchange in the three-party setting. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 65–84. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30580-4_6
Abdalla, M., Haase, B., Hesse, J.: Security analysis of CPace. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13093, pp. 711–741. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92068-5_24
Abdalla, M., Pointcheval, D.: Simple password-based encrypted key exchange protocols. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 191–208. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_14
Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_11
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21
Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: S&P 1992, pp. 72–84. IEEE Computer Society (1992)
Bindel, N., Brendel, J., Fischlin, M., Goncalves, B., Stebila, D.: Hybrid key encapsulation mechanisms and authenticated key exchange. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 206–226. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_12
Boneh, D., Halevi, S., Hamburg, M., Ostrovsky, R.: Circular-secure encryption from decision Diffie-Hellman. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 108–125. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_7
Boyko, V., MacKenzie, P., Patel, S.: Provably secure password-authenticated key exchange using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_12
Brzuska, C., Fischlin, M., Warinschi, B., Williams, S.C.: Composability of Bellare-Rogaway key exchange protocols. In: CCS 2011, pp. 51–62. ACM (2011)
Cachin, C., Maurer, U.M.: Linking information reconciliation and privacy amplification. J. Cryptol. 10(2), 97–110 (1997)
Canetti, R., Halevi, S., Katz, J., Lindell, Y., MacKenzie, P.: Universally composable password-based key exchange. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 404–421. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_24
Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 337–351. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_22
Csiszár, I., Körner, J.: Broadcast channels with confidential messages. IEEE Trans. Inf. Theory 24(3), 339–348 (1978)
Dodis, Y., Wichs, D.: Non-malleable extractors and symmetric key cryptography from weak secrets. In: STOC 2009, pp. 601–610. ACM (2009)
Dowling, B., Hansen, T.B., Paterson, K.G.: Many a mickle makes a muckle: a framework for provably quantum-secure hybrid key exchange. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 483–502. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_26
Dupont, P.-A., Hesse, J., Pointcheval, D., Reyzin, L., Yakoubov, S.: Fuzzy password-authenticated key exchange. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 393–424. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_13
Hamamreh, J.M., Furqan, H.M., Arslan, H.: Classifications and applications of physical layer security techniques for confidentiality: a comprehensive survey. IEEE Commun. Surv. Tutor. 21(2), 1773–1828 (2019)
Hao, F., van Oorschot, P.C.: SoK: password-authenticated key exchange - theory, practice, standardization and real-world lessons. In: ASIA CCS 2022, pp. 697–711. ACM (2022)
Jakes, W.C.: Microwave Mobile Communications. Wiley/IEEE Press (1994)
Jana, S., Premnath, S.N., Clark, M., Kasera, S.K., Patwari, N., Krishnamurthy, S.V.: On the effectiveness of secret key extraction from wireless signal strength in real environments. In: MOBICOM 2009, pp. 321–332. ACM (2009)
Jarecki, S., Krawczyk, H., Xu, J.: OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 456–486. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_15
Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 475–494. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_29
Mathur, S., Trappe, W., Mandayam, N.B., Ye, C., Reznik, A.: Radio-telepathy: extracting a secret key from an unauthenticated wireless channel. In: MOBICOM 2008, pp. 128–139. ACM (2008)
Maurer, U., Wolf, S.: Information-theoretic key agreement: from weak to strong secrecy for free. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 351–368. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_24
Maurer, U.M., Wolf, S.: Secret-key agreement over unauthenticated public channels - III: privacy amplification. IEEE Trans. Inf. Theory 49(4), 839–851 (2003)
Maurer, U.: Secret key agreement by public discussion from common information. IEEE Trans. Inf. Theory 39(3), 733–742 (1993)
Mosca, M., Stebila, D., Ustaoğlu, B.: Quantum key distribution in the classical authenticated key exchange framework. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 136–154. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38616-9_9
Mukherjee, A., Fakoorian, S.A.A., Huang, J., Swindlehurst, A.L.: Principles of physical layer security in multiuser wireless networks: a survey. IEEE Commun. Surv. Tutor. 16(3), 1550–1573 (2014)
Paterson, K.G., Stebila, D.: One-time-password-authenticated key exchange. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 264–281. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14081-5_17
Qu, Z., Zhao, S., Xu, J., Lu, Z., Liu, Y.: How to test the randomness from the wireless channel for security? IEEE Trans. Inf. Forensics Secur. 16, 3753–3766 (2021)
Renner, R., Wolf, S.: Simple and tight bounds for information reconciliation and privacy amplification. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 199–216. Springer, Heidelberg (2005). https://doi.org/10.1007/11593447_11
Skrobot, M., Lancrenon, J.: On composability of game-based password authenticated key exchange. In: EuroS&P 2018, pp. 443–457. IEEE (2018)
Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)
Wyner, A.D.: The wire-tap channel. Bell Syst. Tech. J. 54(8), 1355–1387 (1975)
Xiao, L., Greenstein, L.J., Mandayam, N.B., Trappe, W.: Using the physical layer for wireless authentication in time-variant channels. IEEE Trans. Wirel. Commun. 7(7), 2571–2579 (2008)
Ye, C., Mathur, S., Reznik, A., Shah, Y., Trappe, W., Mandayam, N.B.: Information-theoretically secret key generation for fading wireless channels. IEEE Trans. Inf. Forensics Secur. 5(2), 240–254 (2010)
Zhang, J., Duong, T.Q., Marshall, A., Woods, R.F.: Key generation from wireless channels: a review. IEEE Access 4, 614–626 (2016)
Zhang, Y., Xiang, Y., Wu, W., Alelaiwi, A.: A variant of password authenticated key exchange protocol. Futur. Gener. Comput. Syst. 78, 699–711 (2018)
Acknowledgements
We thank the anonymous reviewers of CT-RSA 2023 for their careful reading of our manuscript and their many insightful comments and suggestions. Afonso Arriaga and Marjan Škrobot were supported by the Luxembourg National Research Fund (FNR), under the CORE Junior project (C21/IS/16236053/FuturePass).
Security Model for PAKE
Today, the Real-or-Random (RoR) model from [3] and the Universally Composable PAKE model from [14] are considered the state-of-the-art models rigorously capturing PAKE security requirements. In this paper, we use a variant of the RoR definition from [3] to which a \(\textsf{Reveal}\) query is added. The \(\textsf{Reveal}\) query was available in the original Find-then-Guess model and was later removed from the RoR model because it can be simulated via the \(\textsf{Test}\) oracle, which in the RoR model may be queried multiple times. However, having a \(\textsf{Reveal}\) oracle facilitates proof reductions that rely on the security of PAKE, and it has since been adopted by multiple authors [2, 35].
1.1 PAKE Protocol
We represent a PAKE protocol as a pair of algorithms \((\textsf{PGen},\textsf{P})\). \(\textsf{PGen}\) is the password generation algorithm, while \(\textsf{P}\) defines the execution of the PAKE protocol. \(\textsf{PGen}\) samples passwords uniformly at random from the dictionary \(\mathbb {D}_{pw}\). We assume that \(\textsf{P}\) comprises several sub-algorithms, one of which is responsible for the generation of the public parameters common to all principals.
1.2 Real-or-Random Security Model for PAKE
Let \(G^{pake}\) denote the game that represents the RoR security model. For such a game there exists a challenger \(\mathcal {C}^{pake}\) that keeps the appropriate secret information away from an adversary \(\mathcal {A}\) while administering the security experiment. We denote the security parameter by \(\lambda \in \mathbb {N}\).
Participants and Passwords. For the two-party PAKE scenario, each principal U, identified by a string, comes either from a client set \( \mathbb {C}\) or a server set \(\mathbb {S}\), which are finite, disjoint, nonempty sets. We denote the union of the sets \(\mathbb {C}\) and \(\mathbb {S}\) by \(\mathbb {I}_{pake}\). As usual, we assume that each client \(C \in \mathbb {C}\) possesses a password \(C.\textsf{pw}\), while each server \(S \in \mathbb {S}\) holds the vector of the passwords of all clients \(S.\textsf{PW} := {\langle C.\textsf{pw} \rangle }_{C \in \mathbb {C}}\). We assume that these passwords are sampled independently and uniformly from \(\mathbb {D}_{pw}\) at the start of \(G^{pake}\).
Protocol Execution. The protocol \(\textsf{P}\) is a PPT algorithm that describes the reaction of principals to incoming messages. In our model, we allow each principal to run an unlimited number of instances in order to model real-world parallel executions of \(\textsf{P}\). We denote by \(U^i\) the i-th instance of principal U. Where it matters, we denote initiator instances by \(C^i\) and responder instances by \(S^j\).
Full Network Adversary. When analyzing the security of \(\textsf{P}\), we assume that our adversary \(\mathcal {A}\) has complete control of the network. \(\mathcal {A}\) has access to principals’ instances via the \(\textsf{Execute}\)(\(C^i, S^j\)), \(\textsf{Send}\)(\(U^i, M\)), \(\textsf{Reveal}\)(\(U^i\)), and \(\textsf{Test}\)(\(U^i\)) queries provided by \(\mathcal {C}^{pake}\). These are the standard RoR PAKE model queries described in [3, 6], which \(\mathcal {A}\) may ask multiple times (including \(\textsf{Test}\) queries).
Initialization and Internal State. The challenger \(\mathcal {C}^{pake}\) maintains the execution state and the game state in order to run a sound simulation. In an initialization phase, the public parameters and the internal state are fixed: the sub-algorithm of \(\textsf{P}\) responsible for parameter generation is run to produce the system’s public parameters. From the adversary’s perspective, an instance \(C^i\) comes into being once a \(\textsf{Send}\)(\(C^i\), S) query is asked. For each client, a password \(C.\textsf{pw}\) is drawn uniformly and independently at random from the finite set \(\mathbb {D}_{pw}\) of size \(|\mathbb {D}_{pw}|\).
Partnering. We say that instance \(C^i\) is a partner instance to \(S^j\) and vice versa if: (1) C is a client and S is a server or vice versa, (2) \(\textsf{sid} := C^i.\textsf{sid} = S^j.\textsf{sid} \ne \bot \), (3) \(C^i.\textsf{pid} = S\) and \(S^j.\textsf{pid} = C\), (4) \(C^i.\textsf{key} = S^j.\textsf{key}\), and (5) no other instance has a non-\(\bot \) session identity equal to \(\textsf{sid}\).
Freshness. An instance becomes fresh once it accepts (with or without a partner). An instance \(U^i\) then becomes unfresh if either of the following events occurs: (1) a \(\textsf{Reveal}\)(\(U^i\)) query is asked, or (2) a \(\textsf{Reveal}\)(\(V^j\)) query is asked and \(V^j\) is \(U^i\)’s partner instance.
PAKE Security. Now we can formally define the RoR PAKE advantage of \(\mathcal {A}\) against \(\textsf{P}\). At some point in time, \(\mathcal {A}\) ends \(G^{pake}\) and outputs a bit \(b'\). We say that \(\mathcal {A}\) wins and breaks the RoR security of \(\textsf{P}\) if \(b' = b\) (b being the hidden bit selected at the beginning of \(G^{pake}\)). The probability of this event is denoted by \(\textsf{Pr}[b'= b]\). The pake-advantage of \(\mathcal {A}\) in breaking \(\textsf{P}\) is defined as
Finally, we say that \(\textsf{P}\) is pake-secure if there exists a positive constant B such that for every PPT adversary \(\mathcal {A}\) it holds that
where \(n_{se}\) is an upper bound on the number of \(\textsf{Send}\) queries \(\mathcal {A}\) makes, \(|\mathbb {D}_{pw}|\) is the cardinality of \(\mathbb {D}_{pw}\), and the function \(\epsilon \) is negligible in the security parameter \(\lambda \). Moreover, passwords are assigned to clients uniformly at random.
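To make the oracle interface above concrete, the following is an added Python example (not code from the paper) that implements the bookkeeping of the challenger \(\mathcal {C}^{pake}\): instance state, the partnering conditions (1)–(5), freshness, and the \(\textsf{Execute}\), \(\textsf{Send}\), \(\textsf{Reveal}\) and \(\textsf{Test}\) oracles with the hidden bit b. The protocol \(\textsf{P}\) plugged into it is an assumed stand-in (a two-flow nonce exchange deriving key = HMAC(pw, Nc||Ns)); it is not a secure PAKE and is there only so that the game can be run end to end. The rule that partnered instances receive the same random key when b = 0 follows the RoR model of [3]; the 64-word dictionary and the principal names are constructed for the example.

```python
import hashlib, hmac, os, secrets
from dataclasses import dataclass, field


@dataclass
class Instance:  # state of one instance U^i as tracked by the challenger
    pid: "str | None" = None      # intended partner identity
    sid: "bytes | None" = None    # session identifier; None plays the role of ⊥
    key: "bytes | None" = None    # session key, set on acceptance
    fresh: bool = False           # True once accepted, False after a Reveal
    nonce: bytes = field(default_factory=lambda: os.urandom(16))


class RoRChallenger:
    """C^pake: holds the passwords and the hidden bit b, answers the four oracles."""
    def __init__(self, clients, servers, dictionary, b=None):
        self.clients, self.servers = set(clients), set(servers)
        # PGen: client passwords drawn uniformly from D_pw; servers hold them all.
        self.pw = {c: secrets.choice(list(dictionary)) for c in self.clients}
        self.b = secrets.randbelow(2) if b is None else b
        self.instances = {}    # (U, i) -> Instance
        self.random_keys = {}  # sid -> random key handed out when b = 0
        self.n_se = 0          # number of Send queries asked so far

    def _inst(self, U, i):
        return self.instances.setdefault((U, i), Instance())

    def _accept(self, inst, pw, nc, ns):
        # Stand-in key derivation (assumed toy protocol): sid = Nc||Ns, key = HMAC(pw, sid).
        inst.sid = nc + ns
        inst.key = hmac.new(pw.encode(), inst.sid, hashlib.sha256).digest()
        inst.fresh = True  # an instance becomes fresh once it accepts

    def _step(self, U, i, M):  # one protocol step of U^i on message M; returns the reply
        inst = self._inst(U, i)
        if U in self.clients and isinstance(M, str):   # Send(C^i, S) starts a run
            inst.pid = M
            return (U, inst.nonce)                      # first flow (C, Nc)
        if not (isinstance(M, tuple) and len(M) == 2):
            return None                                 # malformed flow: ignore
        V, n = M
        if U in self.servers and V in self.pw:          # server gets (C, Nc)
            inst.pid = V
            self._accept(inst, self.pw[V], n, inst.nonce)
            return (U, inst.nonce)                      # second flow (S, Ns)
        if U in self.clients and inst.pid == V and inst.key is None:  # client gets (S, Ns)
            self._accept(inst, self.pw[U], inst.nonce, n)
        return None

    def execute(self, Ci, Sj):  # Execute(C^i, S^j): honest run, A only sees the transcript
        m1 = self._step(*Ci, Sj[0])
        m2 = self._step(*Sj, m1)
        self._step(*Ci, m2)
        return [m1, m2]

    def send(self, U, i, M):  # Send(U^i, M): A delivers a message of its choosing
        self.n_se += 1
        return self._step(U, i, M)

    def partner(self, U, i):  # (V, j) if U^i and V^j meet partnering conditions (1)-(5)
        inst = self._inst(U, i)
        others = [k for k, v in self.instances.items() if k != (U, i) and v.sid == inst.sid]
        if inst.sid is None or len(others) != 1:                      # (2), (5)
            return None
        (V, j), other = others[0], self.instances[others[0]]
        roles_ok = (U in self.clients) != (V in self.clients)         # (1)
        ids_ok = inst.pid == V and other.pid == U                     # (3)
        return (V, j) if roles_ok and ids_ok and inst.key == other.key else None  # (4)

    def reveal(self, U, i):  # Reveal(U^i): leak the key; U^i and its partner become unfresh
        inst = self._inst(U, i)
        if inst.key is None:
            return None
        inst.fresh = False
        if (p := self.partner(U, i)) is not None:
            self.instances[p].fresh = False
        return inst.key

    def test(self, U, i):  # Test(U^i): real key if b = 1, else a random key shared by partners
        inst = self._inst(U, i)
        if inst.key is None or not inst.fresh:
            return None  # only accepted, fresh instances may be tested
        return inst.key if self.b == 1 else self.random_keys.setdefault(inst.sid, os.urandom(32))


def demo(b):  # play the game with the hidden bit fixed to b; report what A observes
    ch = RoRChallenger(["alice"], ["srv"], [f"pw{n:02d}" for n in range(64)], b=b)
    ch.execute(("alice", 1), ("srv", 1))                 # passive session
    t_c, t_s = ch.test("alice", 1), ch.test("srv", 1)
    ch.send("alice", 2, ch.send("srv", 2, ch.send("alice", 2, "srv")))  # A relays 3 flows
    leaked = ch.reveal("alice", 2)
    return {
        "partnered": ch.partner("alice", 1) == ("srv", 1),
        "tests_consistent": t_c == t_s,
        "test_is_real_key": t_c == ch.instances[("alice", 1)].key,
        "partner_unfresh_after_reveal": ch.test("srv", 2) is None,
        "reveal_matches_partner_key": leaked == ch.instances[("srv", 2)].key,
        "n_se": ch.n_se,
    }
```

Running demo(1) and demo(0) shows the two worlds the adversary must tell apart: in both, the partnered instances answer \(\textsf{Test}\) consistently, but only for b = 1 does the answer equal the real session key. \(\textsf{Reveal}\) on one instance makes its partner unfresh, so a subsequent \(\textsf{Test}\) on the partner is refused, which is exactly what prevents the trivial win of revealing one side and testing the other. Only the three \(\textsf{Send}\) queries count towards \(n_{se}\); the \(\textsf{Execute}\) run does not, matching the way the bound in the definition charges the adversary per active guess.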
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Arriaga, A., Šala, P., Škrobot, M. (2023). Wireless-Channel Key Exchange. In: Rosulek, M. (eds) Topics in Cryptology – CT-RSA 2023. CT-RSA 2023. Lecture Notes in Computer Science, vol 13871. Springer, Cham. https://doi.org/10.1007/978-3-031-30872-7_26
DOI: https://doi.org/10.1007/978-3-031-30872-7_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30871-0
Online ISBN: 978-3-031-30872-7