A Unified Security Analysis of Two-Phase Key Exchange Protocols in TPM 2.0

  • Conference paper
  • Trust and Trustworthy Computing (Trust 2015)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9229)

Abstract

The Trusted Platform Module (TPM) version 2.0 provides authenticated key exchange through a single key exchange primitive, which can be invoked to implement three key exchange protocols (referred to as the two-phase key exchange protocols of TPM 2.0): the Full Unified Model, MQV, and the SM2 key exchange protocol. Vulnerabilities have been found in all three of these protocols. Fortunately, it appears that the protections provided by the TPM can address them. This paper investigates whether the TPM key exchange primitive provides a secure key exchange functionality under the protections of the TPM. We first perform an informal analysis of the TPM key exchange primitive, which helps us model it precisely. We then formally analyze the primitive in a security model for authenticated key exchange (AKE) in which all the protocols adopted by TPM 2.0 can be analyzed in a unified way. Our analysis indicates under what conditions TPM 2.0 provides a provably secure key exchange functionality. Finally, we give suggestions on how to use the TPM key exchange primitive properly, and on how to improve the security of the current primitive so that it can be widely used in practice.


Notes

  1. The TPM 2.0 specification notes that the Full MQV and SM2 key exchange protocols “may be susceptible to unknown key-share (UKS) attacks” [25].

  2. Actually \(\mathsf {TPM2\_Create()}\) returns a key blob encrypted by a storage key, and the \(\mathsf {TPM2\_Load()}\) command loads the key blob and returns the key handle. For simplicity, we let \(\mathsf {TPM2\_Create()}\) directly return the key handle.

  3. \(avf'()\) is defined only for the SM2 key exchange; \(avf()\) is the one used for MQV.
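The abstract describes one TPM primitive driven in two phases (an ephemeral key is generated in the first call, the shared secret in the second), and note 3 names the \(avf()\) function MQV relies on. The following is an added example, written for this page and not code from the paper or from the TCG: a pure-Python simulation of that two-phase flow on NIST P-256 for the MQV and Full Unified Model schemes (SM2 is omitted; it needs its own curve and \(avf'()\)). Private scalars never leave the \(\mathsf{TpmSim}\) object, which plays the TPM; the method names follow the TPM 2.0 commands \(\mathsf{TPM2\_EC\_Ephemeral}\) and \(\mathsf{TPM2\_ZGen\_2Phase}\), but their argument and return shapes, the counter handling and the static-key creation are simplified assumptions, and the \(avf()\) used is the SP 800-56A [4] definition, assumed here to match the TPM's. Two TPM protections the paper's analysis depends on are made explicit: peer public keys are validated before use, and each ephemeral private key is consumed exactly once.

```python
"""Added example (not the paper's code): a pure-Python simulation of the
TPM 2.0 two-phase ECC key exchange for the MQV and Full Unified Model
schemes on NIST P-256. Private scalars stay inside TpmSim, as TPM-resident
keys do. Method names follow the TPM 2.0 commands TPM2_EC_Ephemeral and
TPM2_ZGen_2Phase; their argument and return shapes are simplified."""
import secrets

# NIST P-256 domain parameters (prime order, cofactor h = 1).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def on_curve(q):
    """Public-key validation: a finite point on the curve (h = 1, so no subgroup check)."""
    return q is not None and (q[1] ** 2 - q[0] ** 3 - A * q[0] - B) % P == 0

def avf(q):
    """MQV associate value function as in SP 800-56A: the low ceil(f/2) bits of x
    with bit ceil(f/2) set, f = bit length of n. Assumed to match the TPM's avf()."""
    half = (N.bit_length() + 1) // 2
    return (q[0] % (1 << half)) | (1 << half)

class TpmSim:
    """Holds static and ephemeral private scalars; only public points are returned."""
    def __init__(self):
        self._static, self._eph, self._counter = {}, {}, 0

    def create(self, d=None):  # TPM2_Create + TPM2_Load collapsed into one call, as in note 2
        d = d or secrets.randbelow(N - 1) + 1
        handle = len(self._static)
        self._static[handle] = d
        return handle, ec_mul(d, G)

    def ec_ephemeral(self):  # phase 1 (TPM2_EC_Ephemeral): fresh ephemeral key tagged by a counter
        d_e = secrets.randbelow(N - 1) + 1
        self._counter += 1
        self._eph[self._counter] = (d_e, ec_mul(d_e, G))
        return self._eph[self._counter][1], self._counter

    def zgen_2phase(self, handle, qs_b, qe_b, counter, scheme):  # phase 2 (TPM2_ZGen_2Phase)
        if not (on_curve(qs_b) and on_curve(qe_b)):
            raise ValueError("peer public key failed validation")
        d_s = self._static[handle]
        d_e, qe_a = self._eph.pop(counter)  # single use: reusing this counter raises KeyError
        if scheme == "MQV":
            s = (d_e + avf(qe_a) * d_s) % N  # implicit signature
            z = ec_mul(s, ec_add(qe_b, ec_mul(avf(qe_b), qs_b)))
            if z is None:
                raise ValueError("shared point at infinity")
            return z[0], None
        if scheme == "UNIFIED":  # Full Unified Model: static-static and ephemeral-ephemeral DH
            return ec_mul(d_s, qs_b)[0], ec_mul(d_e, qe_b)[0]
        raise ValueError("unsupported scheme")

def run_exchange(tpm_a, tpm_b, scheme):
    """Both sides' messages: certified static public keys plus phase-1 ephemerals
    cross the wire; phase 2 runs inside each TPM. Returns (Z_A, Z_B)."""
    h_a, qs_a = tpm_a.create()
    h_b, qs_b = tpm_b.create()
    qe_a, c_a = tpm_a.ec_ephemeral()
    qe_b, c_b = tpm_b.ec_ephemeral()
    z_a = tpm_a.zgen_2phase(h_a, qs_b, qe_b, c_a, scheme)
    z_b = tpm_b.zgen_2phase(h_b, qs_a, qe_a, c_b, scheme)
    return z_a, z_b
```

Calling `run_exchange(TpmSim(), TpmSim(), "MQV")` returns two equal tuples, since each side computes \(s_A s_B G\) with its own implicit signature. Note what the MQV arithmetic does not contain: no party identity enters the shared secret, and \(avf()\) binds only half of the ephemeral x-coordinate, so resistance to the unknown key-share attacks flagged in note 1 has to come from how the surrounding key derivation and certification use this primitive, which is what the paper's model examines.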

References

  1. GM/T 0003.5-2012: Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves, Part 5: Parameter definition

  2. ISO/IEC 15946-5:2009: Information technology – Security techniques – Cryptographic techniques based on elliptic curves – Part 5: Elliptic curve generation

  3. Aiello, W., Bellovin, S.M., Blaze, M., Canetti, R., Ioannidis, J., Keromytis, A.D., Reingold, O.: Just fast keying: key agreement in a hostile internet. ACM Trans. Inf. Syst. Secur. (TISSEC) 7(2), 242–273 (2004)

  4. Barker, E.B., Johnson, D., Smid, M.E.: NIST SP 800-56A: Recommendation for pair-wise key establishment schemes using discrete logarithm cryptography (revised) (2007)

  5. Blake-Wilson, S., Menezes, A.: Unknown key-share attacks on the station-to-station (STS) protocol. In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 154–170. Springer, Heidelberg (1999)

  6. Brickell, E., Camenisch, J., Chen, L.: Direct anonymous attestation. In: Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS 2004), pp. 132–145. ACM (2004)

  7. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001)

  8. Canetti, R., Krawczyk, H.: Security analysis of IKE's signature-based key-exchange protocol. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 143–161. Springer, Heidelberg (2002)

  9. Chen, L.: Recommendation for key derivation using pseudorandom functions. NIST Special Publication 800-108 (2008)

  10. Chen, L., Warinschi, B.: Security of the TCG Privacy-CA solution. In: 2010 IEEE/IFIP 8th International Conference on Embedded and Ubiquitous Computing (EUC), pp. 609–616. IEEE (2010)

  11. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (2008)

  12. FIPS PUB 186-2: Digital Signature Standard (DSS). National Institute of Standards and Technology (NIST) (2000)

  13. Gennaro, R., Krawczyk, H., Rabin, T.: Okamoto-Tanaka revisited: fully authenticated Diffie-Hellman with minimal overhead. In: Zhou, J., Yung, M. (eds.) ACNS 2010. LNCS, vol. 6123, pp. 309–328. Springer, Heidelberg (2010)

  14. Jeong, I.R., Katz, J., Lee, D.-H.: One-round protocols for two-party authenticated key exchange. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 220–232. Springer, Heidelberg (2004)

  15. Kaliski Jr., B.S.: An unknown key-share attack on the MQV key agreement protocol. ACM Trans. Inf. Syst. Secur. (TISSEC) 4(3), 275–288 (2001)

  16. Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005)

  17. LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007)

  18. Lauter, K., Mityagin, A.: Security analysis of KEA authenticated key exchange protocol. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 378–394. Springer, Heidelberg (2006)

  19. Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An efficient protocol for authenticated key agreement. Des. Codes Crypt. 28(2), 119–134 (2003)

  20. Matsumoto, T., Takashima, Y.: On seeking smart public-key-distribution systems. IEICE Trans. (1976–1990) 69(2), 99–106 (1986)

  21. Menezes, A., Qu, M., Vanstone, S.: Some new key agreement protocols providing mutual implicit authentication. In: Second Workshop on Selected Areas in Cryptography (SAC 1995) (1995)

  22. SECG: SEC 2: Recommended elliptic curve domain parameters (2000). http://www.secg.org

  23. NIST: Skipjack and KEA algorithm specifications (1998)

  24. TCG: TCG Algorithm Registry, Family 2.0, Level 00, Revision 15 (January 2014)

  25. TCG: Trusted Platform Module Library Part 1: Architecture, Family 2.0, Level 00, Revision 07 (January 2014)

  26. TCG: Trusted Platform Module Library Part 3: Commands, Family 2.0, Level 00, Revision 07 (January 2014)

  27. Ustaoglu, B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Des. Codes Crypt. 46(3), 329–342 (2008)

  28. Willems, F.M., Shtarkov, Y.M., Tjalkens, T.J.: The context-tree weighting method: basic properties. IEEE Trans. Inf. Theory 41(3), 653–664 (1995)

  29. Xu, J., Feng, D.: Comments on the SM2 key exchange protocol. In: Lin, D., Tsudik, G., Wang, X. (eds.) CANS 2011. LNCS, vol. 7092, pp. 160–171. Springer, Heidelberg (2011)

  30. Yao, A.C., Zhao, Y.: A new family of implicitly authenticated Diffie-Hellman protocols. Technical report

  31. Yao, A.C.-C., Zhao, Y.: OAKE: a new family of implicitly authenticated Diffie-Hellman protocols. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS 2013), pp. 1113–1128. ACM (2013)

  32. Zhao, S., Xi, L., Zhang, Q., Qin, Y., Feng, D.: Security analysis of SM2 key exchange protocol in TPM2.0. Security and Communication Networks 8(3), 383–395 (2015)

  33. Zhao, S., Zhang, Q.: A unified security analysis of two-phase key exchange protocols in TPM 2.0. Cryptology ePrint Archive, Report 2015/611. http://eprint.iacr.org/2015/611

Author information

Corresponding author: Shijun Zhao.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Zhao, S., Zhang, Q. (2015). A Unified Security Analysis of Two-Phase Key Exchange Protocols in TPM 2.0. In: Conti, M., Schunter, M., Askoxylakis, I. (eds) Trust and Trustworthy Computing. Trust 2015. Lecture Notes in Computer Science, vol 9229. Springer, Cham. https://doi.org/10.1007/978-3-319-22846-4_3

  • DOI: https://doi.org/10.1007/978-3-319-22846-4_3
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-22845-7
  • Online ISBN: 978-3-319-22846-4
