Forcing future public ephemeral keys to attack authenticated key establishment protocols
Prikladnaâ diskretnaâ matematika, no. 4 (2024), pp. 60-77.


This paper studies the security of authenticated key establishment protocols against an adversary who has the capability to force the participants to use ephemeral public values. The paper substantiates the relevance of considering this capability, describes, in particular, attacks on the SIGMA, SIGMA-R, STS-MAC and Echinacea-3 protocols and on the post-quantum BKM-KK protocol, and discusses the design features of protocols that make it possible to protect against attacks of this type.
Keywords: cryptography, cryptographic protocol, authenticated key establishment, attack, forcing public ephemeral keys.
@article{PDM_2024_4_a5,
     author = {E. K. Alekseev and S. N. Kyazhin and S. V. Smyshlyaev},
     title = {Forcing future public ephemeral keys to attack authenticated key establishment protocols},
     journal = {Prikladna\^a diskretna\^a matematika},
     pages = {60--77},
     publisher = {mathdoc},
     number = {4},
     year = {2024},
     language = {ru},
     url = {http://geodesic.mathdoc.fr/item/PDM_2024_4_a5/}
}
TY  - JOUR
AU  - E. K. Alekseev
AU  - S. N. Kyazhin
AU  - S. V. Smyshlyaev
TI  - Forcing future public ephemeral keys to attack authenticated key establishment protocols
JO  - Prikladnaâ diskretnaâ matematika
PY  - 2024
SP  - 60
EP  - 77
IS  - 4
PB  - mathdoc
UR  - http://geodesic.mathdoc.fr/item/PDM_2024_4_a5/
LA  - ru
ID  - PDM_2024_4_a5
ER  - 
%0 Journal Article
%A E. K. Alekseev
%A S. N. Kyazhin
%A S. V. Smyshlyaev
%T Forcing future public ephemeral keys to attack authenticated key establishment protocols
%J Prikladnaâ diskretnaâ matematika
%D 2024
%P 60-77
%N 4
%I mathdoc
%U http://geodesic.mathdoc.fr/item/PDM_2024_4_a5/
%G ru
%F PDM_2024_4_a5
E. K. Alekseev; S. N. Kyazhin; S. V. Smyshlyaev. Forcing future public ephemeral keys to attack authenticated key establishment protocols. Prikladnaâ diskretnaâ matematika, no. 4 (2024), pp. 60-77. http://geodesic.mathdoc.fr/item/PDM_2024_4_a5/
