Elsevier

Information Sciences

Volume 281, 10 October 2014, Pages 182-200

A mechanical approach to derive identity-based protocols from Diffie–Hellman-based protocols

https://doi.org/10.1016/j.ins.2014.05.041

Abstract

We describe a mechanical approach to derive identity-based (ID-based) protocols from existing Diffie–Hellman-based ones. As case studies, we present the ID-based versions of the Unified Model protocol (UMP-ID), of the protocol of Blake-Wilson et al. (1997) (BJM-ID), and of Krawczyk's (2005) HMQV protocol (HMQV-ID). We describe the calculations that have to be modified in the existing proofs. We conclude with a comparative security and efficiency analysis of the three proposed ID-based protocols (relative to other similar published protocols) and demonstrate that our proposed ID-based protocols are computationally efficient.

Introduction

Key distribution is one of the most fundamental problems in cryptography, and was revolutionized by the introduction of the key exchange protocol by Diffie and Hellman in [20]. The Diffie–Hellman (DH) protocol illustrated that:

any two parties, even with no prior acquaintance and no secure physical/electronic channel, can establish a shared secret key (called a session key) simply by exchanging their public keys over an insecure public network, as long as the integrity of the public keys is guaranteed and the underlying computational problem (known as the computational Diffie–Hellman problem) is hard.

We note that the public keys exchanged in the DH protocol are usually ephemeral (short-term) rather than static (long-term) keys, although the original protocol specification did not say whether the keys were ephemeral or static; perhaps this was not an issue at the time. While public key cryptography facilitates key distribution over an insecure communication channel, the integrity of public keys is crucial for security against an active adversary: it is well known that the basic (unauthenticated) DH protocol is susceptible to active man-in-the-middle attacks.

Many of the popular key establishment protocols are based on the DH key exchange and are implicitly authenticated via public key certificates [25], [41]. Examples include the MTI protocol [35], the Unified Model protocol (UMP) [2], [8], the MQV protocol [37], [34], and the HMQV protocol [31]. Throughout the paper, we will use the term “DH-based protocols” to refer to these implicitly authenticated DH-based protocols. A key goal of DH-based protocols is to achieve the same level of efficiency as the basic DH protocol, both in terms of communication and computation, when the possible transmission and verification of public key certificates are excluded from consideration. The design and security of DH-based protocols have been extensively studied over the last few decades and are now fairly well understood. For example, some recent DH-based protocols were proven secure in the extended Canetti–Krawczyk (eCK) model [33], [47], [30].

While public key certificates have been widely used to bind public keys to identities, their management has turned out to be more challenging than was initially anticipated. The quest for a solution to this problem has led to the invention of identity-based (ID-based) cryptography [42]. At the price of key escrow, ID-based cryptography eliminates the need for certificates by allowing parties to use their identity as their public key. Typically, we would already know the identity of our communication peer and, thus, do not need a signed certificate for it. This is of great benefit in simplifying the management of public keys [40]. From an ID-based scheme user’s perspective, an obvious benefit is an absence of certificate transmission and verification.

In the past decade, we have witnessed a surge of interest in ID-based cryptography, particularly the use of elliptic curve pairings to realize cryptographic structures that seemed impossible before. To illustrate how elliptic curve pairings can be used to build novel cryptographic schemes with interesting properties, we refer the reader to the work of Al-Riyami [1]. Published schemes include a number of ID-based key establishment protocols using pairing, which we will refer to simply as “ID-based protocols”. Examples include the protocols of Smart [45], Shim [43], Chen and Kudla [14], Choie et al. [16], Xie [51], McCullagh and Barreto [36], Wang et al. [50], and Wang [49].

The security properties required for key establishment protocols are well studied, and an excellent overview is presented by Blake-Wilson and Menezes [9]. The most basic property is that a passive adversary eavesdropping on the protocol should be unable to obtain the session key. Other desirable properties include:

  • Known key security.

    It is often reasonable to assume that the adversary will be able to obtain session keys from any session different from the one under attack. A protocol has known key security if it is secure under this assumption. This is generally regarded as a standard requirement for key establishment protocols.

  • Unknown key-share security.

    Sometimes the adversary may be unable to obtain any useful information about a session key, but can deceive the protocol principals about the identity of the peer entity. Such an attack was first described by Diffie et al. [21], and can result in principals giving away information to the wrong party or accepting data as coming from the wrong party.

    As discussed by Boyd and Mathuria [12, Chapter 5.1.2], a malicious adversary A need not obtain the session key to profit from this attack. Consider the scenario whereby Alice will deliver some information of value (such as e-cash) to Bob. Since Bob believes the session key is shared with A, A can claim this credit deposit as his. Also, A can exploit such an attack in a number of ways if the established session key is subsequently used to provide encryption or integrity [29]. Consequently, security against unknown key-share attacks is regarded as a standard requirement.

  • Forward secrecy.

    When the static key of an entity is compromised, the adversary will be able to masquerade as that entity in any future protocol runs. However, the situation will be even worse if the adversary can also use the compromised static key to obtain session keys that were established before the compromise. Protocols that prevent this are said to provide forward secrecy. Since there is usually a computational cost in providing forward secrecy, it is sometimes sacrificed in the interest of efficiency.

    Forward secrecy in the setting of ID-based cryptography is similar to that in conventional public key cryptography. However, there is an additional concern, since the master key of the key generation center (KGC) is another secret that could become compromised. There could exist a protocol that provides forward secrecy in the usual sense but gives away old session keys if the master key becomes known. We will say that a protocol that retains confidentiality of old session keys even when the master key is known provides KGC forward secrecy (KGC-FS). As the static keys of all users can easily be computed from the master key, it is clear that KGC forward secrecy implies forward secrecy.

  • Key compromise impersonation resistance.

    Another problem that may occur when the static key of an entity A is compromised is that the adversary may be able to masquerade not only as A but also to A as another party B. Such a protocol is said to allow key compromise impersonation. Resistance to such attacks is often seen as desirable.

A survey by Boyd and Choo [11] shows that many existing ID-based protocols have been published without a careful security analysis or a systematic comparison with alternatives, highlighting the need for more rigorously tested ID-based protocols. In addition, their survey suggests some interesting similarities between ID-based protocols and various DH-based protocols. They conjectured that these similarities may well extend to the security properties of these protocols. Later, Wang [48] suggested a way of deriving ID-based protocols from DH-based protocols. However, that unpublished manuscript omits important information about the resultant ID-based protocols’ security, notably the required modifications to the computational assumptions and to the calculations in the security proofs.

In this paper, our main contribution is to present a systematic approach to mechanically derive provably-secure ID-based protocols from their DH-based versions. In our approach, we

  1. first propose ID-based versions of DH-based protocols based on some rules for parameter conversion,

  2. describe the computational assumptions that must be modified as a result of the parameter conversion, and

  3. describe the calculations that must be modified relative to the original proof.

To demonstrate that our approach is independent of the underlying security model (i.e. that it can be applied to protocols proven secure in different security models), we use three popular protocols—the UMP protocol [2], [8], the BJM protocol [8, protocol 4], and the HMQV protocol [31]—as case studies. UMP was proven secure in a restricted model where the adversary is not allowed to reveal session keys [8]. We provide a proof of security for the ID-based version of UMP, which we denote by UMP-ID0, in the same restricted model. We also show that a slight variant of UMP-ID0, denoted UMP-ID, can be proven secure in the model of Bellare and Rogaway (BR) [7], which does not prevent the adversary from revealing session keys. The original BJM protocol does not carry any proof of security, but its variant due to Kudla and Paterson [32] was proven secure in a model adapted from the BR model to capture the notion of key compromise impersonation resistance. We prove the security of the ID-based version of BJM, BJM-ID, in the same model as the one used for the BJM variant of Kudla and Paterson. Lastly, the HMQV protocol was proven secure in the model of Canetti and Krawczyk (CK) [13]. As suggested by Choo et al. [18], protocols proven secure in the BR model are not necessarily secure in the CK model, whereas the converse holds; for example, only the CK model allows the adversary to obtain the ephemeral private keys of parties. For the ID-based version of HMQV (HMQV-ID), we provide a proof of forward security in the eCK model [33], which is an extension of the (original) CK model.

The next section presents the mathematical preliminaries and an overview of both the BR and eCK models. In Section 3, we present the mechanics of mapping the protocol parameters and the computational assumptions from DH-based to ID-based protocols. In Sections 4, 5 and 6, we present the ID-based versions of UMP, BJM and HMQV respectively, followed by the calculations that must be modified in their existing proofs. We conclude with a comparative security and efficiency analysis of the derived ID-based protocols (relative to other similar published protocols) in Section 7.

Section snippets

Preliminaries

Throughout, $k$ denotes the security parameter. Its value is important since the negligibility of functions and the complexity of algorithms are parameterized by $k$ (e.g., the size of cryptographic groups and the key lengths within those algorithms): the larger $k$ is, the more computation is required to run an algorithm, and $k$ also bounds an adversary’s success probability. All cryptographic algorithms in this paper receive the

System setup

Assume a DH-based protocol, DHP, for which the system parameters are defined as $(G, q, g)$ and the static private/public keys of each user $U$ are set to $(u \in_R \mathbb{Z}_q,\ g^u \in G)$. Given the protocol DHP, we define the following system parameters for IDP, an ID-based version of DHP:

  • An additive group $G_1$ with a generator $P$ of order $q$, a multiplicative group $G_2$ of the same order $q$, and a bilinear map $\hat{e}: G_1 \times G_1 \to G_2$.

  • A cryptographic hash function $G: \{0,1\}^* \to G_1$, which is modeled as a random oracle in our proofs of

UMP and its ID-Based versions

The ‘unified model’ protocol (UMP) is an implicitly-authenticated Diffie–Hellman protocol that has been standardized in IEEE P1363 [24], ANSI X9.63 [4] and ANSI X9.42 [3]. Let A and B be two users who wish to agree on a session key. We assume that A and B have pre-established their static private/public keys $(a, g^a)$ and $(b, g^b)$, respectively. UMP runs as shown in Fig. 1 where (1) $g$ is a generator of a cyclic group $G$ of prime order $q$ and (2) $H$ is a cryptographic hash function mapping arbitrary

BJM protocol and its ID-based version

The BJM protocol was presented in 1997 by Blake-Wilson et al. [8, protocol 4], and runs as shown in Fig. 3 where (1) $g$ is a generator of a cyclic group $G$ of prime order $q$, (2) $(a, g^a)$ and $(b, g^b)$ are the static private/public key pairs of A and B respectively, and (3) $H$ is a cryptographic hash function mapping arbitrary strings to $k$-bit session keys. BJM is similar to earlier protocols, like MTI/A0 [35], Goss [23] and KEA [38], in the sense that the session key is defined as a function of two

HMQV protocol and its ID-based version

The HMQV protocol of Krawczyk [31] is among the most efficient of all known public-key authenticated Diffie–Hellman protocols. As shown in Fig. 5, HMQV uses two cryptographic hash functions $\bar{H}: \{0,1\}^* \to \{0,1\}^{|q|/2}$ and $H: \{0,1\}^* \to \{0,1\}^k$, where $q$ is the prime order of the underlying group $G$ and $k$ is the bit length of the session key. It can be easily verified that at the end of HMQV, A and B compute the same session key $H(g^{xy+ady+bex+abde})$. HMQV was proven secure under the CDH assumption in the CK
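The two-message HMQV exchange described above, written out as an added example that is not the paper's code: A sends $X = g^x$, B sends $Y = g^y$, each side computes $d = \bar{H}(X, \hat{B})$ and $e = \bar{H}(Y, \hat{A})$, and the two sides arrive at the same $\sigma = g^{(x+da)(y+eb)} = g^{xy+ady+bex+abde}$ before hashing it into the session key. The example runs over a prime-order subgroup of $\mathbb{Z}_p^*$ (the paper's ID-based variant needs a pairing and is not shown); the toy 80-bit group, the SHA-256 instantiations of $\bar{H}$ and $H$, the identities "alice"/"bob"/"carol" and the subgroup-membership check on received elements are all this example's own assumptions, not the paper's.

```python
# Added example, not the paper's code: one HMQV run over a prime-order subgroup of Z_p^*.
import hashlib
import secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic Miller-Rabin below ~2^81

def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits: int = 80) -> tuple:
    """(p, q, g) with p = 2q + 1 prime and g = 4 generating the order-q subgroup of Z_p^*.
    Deterministic search from 2^(bits-1) so runs are reproducible; a toy size, not a real parameter set."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

def _encode(*parts) -> bytes:
    """Length-prefixed encoding of identities (bytes) and group elements (int), so hash inputs cannot collide."""
    out = b""
    for part in parts:
        blob = part if isinstance(part, bytes) else part.to_bytes((part.bit_length() + 7) // 8, "big")
        out += len(blob).to_bytes(4, "big") + blob
    return out

def h_bar(q: int, *parts) -> int:
    """H-bar: {0,1}^* -> {0,1}^{|q|/2}, instantiated here as SHA-256 truncated to |q|/2 bits."""
    return int.from_bytes(hashlib.sha256(b"hbar|" + _encode(*parts)).digest(), "big") >> (256 - q.bit_length() // 2)

def h_key(sigma: int, k: int = 256) -> bytes:
    """H: {0,1}^* -> {0,1}^k, the session-key hash (SHA-256 here)."""
    return hashlib.sha256(b"key|" + _encode(sigma)).digest()[: k // 8]

def check_element(elem: int, p: int, q: int) -> None:
    """Practitioner's check, not part of the page's description: reject values outside the order-q subgroup."""
    if not (1 < elem < p and pow(elem, q, p) == 1):
        raise ValueError("received element is not in the prime-order subgroup")

class Party:
    def __init__(self, ident: bytes, group: tuple):
        self.p, self.q, self.g = group
        self.ident = ident
        self.static = secrets.randbelow(self.q - 1) + 1      # a (resp. b)
        self.static_pub = pow(self.g, self.static, self.p)   # g^a (resp. g^b)
        self.eph = self.eph_pub = None

    def send_ephemeral(self) -> int:
        """Fresh x (resp. y); the message on the wire is X = g^x (resp. Y = g^y)."""
        self.eph = secrets.randbelow(self.q - 1) + 1
        self.eph_pub = pow(self.g, self.eph, self.p)
        return self.eph_pub

    def shared_secret(self, peer_ident: bytes, peer_static_pub: int, peer_eph_pub: int, initiator: bool) -> int:
        """A computes (Y * B^e)^(x + d*a), B computes (X * A^d)^(y + e*b); both equal g^{(x+da)(y+eb)}."""
        p, q = self.p, self.q
        check_element(peer_static_pub, p, q)
        check_element(peer_eph_pub, p, q)
        if initiator:   # we are A: X is ours, Y is the peer's
            X, Y, id_a, id_b = self.eph_pub, peer_eph_pub, self.ident, peer_ident
        else:           # we are B: Y is ours, X is the peer's
            X, Y, id_a, id_b = peer_eph_pub, self.eph_pub, peer_ident, self.ident
        d, e = h_bar(q, X, id_b), h_bar(q, Y, id_a)        # d = H-bar(X, B), e = H-bar(Y, A)
        own_coef, peer_coef = (d, e) if initiator else (e, d)
        exponent = (self.eph + own_coef * self.static) % q
        base = peer_eph_pub * pow(peer_static_pub, peer_coef, p) % p
        return pow(base, exponent, p)

def run_hmqv(group: tuple, id_a: bytes = b"alice", id_b: bytes = b"bob") -> tuple:
    """Two-message run (A -> B: X, B -> A: Y). Returns (K_A, K_B, K_B under a wrong peer identity, formula_ok)."""
    p, q, g = group
    A, B = Party(id_a, group), Party(id_b, group)
    X = A.send_ephemeral()
    Y = B.send_ephemeral()
    k_a = h_key(A.shared_secret(B.ident, B.static_pub, Y, initiator=True))
    k_b = h_key(B.shared_secret(A.ident, A.static_pub, X, initiator=False))
    # Identity binding: if B believes its peer is "carol", e = H-bar(Y, carol) changes and so does the key.
    k_b_wrong = h_key(B.shared_secret(b"carol", A.static_pub, X, initiator=False))
    # Closed form from the page, checkable only here because this function holds both parties' secrets.
    d, e = h_bar(q, X, id_b), h_bar(q, Y, id_a)
    x, y, a, b = A.eph, B.eph, A.static, B.static
    formula_ok = pow(g, (x * y + a * d * y + b * e * x + a * b * d * e) % q, p) == \
        A.shared_secret(B.ident, B.static_pub, Y, initiator=True)
    return k_a, k_b, k_b_wrong, formula_ok

if __name__ == "__main__":
    k_a, k_b, k_wrong, ok = run_hmqv(safe_prime_group())
    print("keys match:", k_a == k_b, "| wrong peer id diverges:", k_a != k_wrong, "| formula holds:", ok)
```

The wrong-peer-identity case is the practical point of folding identities into $d$ and $e$: a party that is mistaken about who it is talking to derives a different key, which is what the unknown key-share discussion earlier on the page relies on. The subgroup check is an implementation safeguard rather than part of the protocol as the page states it; without it, a small-order element sent as $X$ or $Y$ would leak information about the receiver's static key through the exponent $x + da$ or $y + eb$.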

Conclusion

We have demonstrated how an ID-based key exchange protocol as well as its security proof can be mechanically derived from an existing DH-based key exchange protocol and its corresponding security proof. As case studies, we derived the ID-based versions of three well-known DH-based protocols (UMP, UMP-ID; BJM, BJM-ID; and HMQV, HMQV-ID) along with the associated security proofs.

Table 3 describes a summary of the computational requirements and the security of two-party, two-message ID-based

Acknowledgements

Part of this research was undertaken when the first author (Kim-Kwang Raymond Choo) was with Queensland University of Technology. This work was supported by Priority Research Centers Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (NRF-2010-0020210).

References (51)

  • Y. Choie et al., Efficient identity-based authenticated key agreement protocol from pairings, J. Appl. Math. Comput. (2005)
  • K.G. Paterson et al., A comparison between traditional public key infrastructures and identity-based cryptography, Inform. Security Tech. Rep. (2003)
  • S. Al-Riyami, Cryptographic schemes based on elliptic curve pairings, Ph.D. thesis, Information Security Group, ...
  • R. Ankney, D. Johnson, M. Matyas, The unified model, contribution to X9F1 working group, ...
  • ANSI X9.42, Public key cryptography for the financial services industry: agreement of symmetric keys using discrete ...
  • ANSI X9.63, Public key cryptography for the financial services industry: key agreement and key transport using elliptic ...
  • P. Barreto, H. Kim, B. Lynn, M. Scott, Efficient algorithms for pairing-based cryptosystems, in: Proceedings of the ...
  • M. Bellare, A note on negligible functions, J. Cryptol. (2002)
  • M. Bellare, P. Rogaway, Entity authentication and key distribution, in: Proceedings of the 13th Annual International ...
  • S. Blake-Wilson, D. Johnson, A. Menezes, Key agreement protocols and their security analysis, in: Proceedings of the ...
  • S. Blake-Wilson, A. Menezes, Authenticated Diffie–Hellman key agreement protocols, in: Proceedings of the 5th ...
  • D. Boneh et al., Identity-based encryption from the Weil pairing, SIAM J. Comput. (2003)
  • C. Boyd, K.K.R. Choo, Security of two-party identity-based key agreement, in: Proceedings of the 1st International ...
  • C. Boyd et al., Protocols for Authentication and Key Establishment (2003)
  • R. Canetti, H. Krawczyk, Analysis of key-exchange protocols and their use for building secure channels, in: Proceedings ...
  • L. Chen, C. Kudla, Identity based authenticated key agreement protocols from pairings, in: Proceedings of the 16th IEEE ...
  • Z. Cheng et al., On security proof of McCullagh–Barreto’s key agreement protocol and its variants, Int. J. Security Netw. (2007)
  • K.K.R. Choo, A proof of revised Yahalom protocol in the Bellare and Rogaway (1993) model, Comput. J. (2007)
  • K.K.R. Choo, C. Boyd, Y. Hitchcock, Examining indistinguishability-based proof models for key establishment protocols, ...
  • K.K.R. Choo, C. Boyd, Y. Hitchcock, On session key construction in provably secure protocols, in: Proceedings of the 1st ...
  • W. Diffie et al., New directions in cryptography, IEEE Trans. Inform. Theory (1976)
  • W. Diffie et al., Authentication and authenticated key exchanges, Des. Codes Cryptogr. (1992)
  • S. Galbraith, K. Harrison, D. Soldera, Implementing the Tate pairing, in: Proceedings of the 5th International ...
  • K. Goss, Cryptographic method and apparatus for public key exchange with authentication, US Patent 4,956,863, ...
  • IEEE P1363, Standard specifications for public-key cryptography, ...