Table Of ContentInformation Security and Cryptography
Colin Boyd
Anish Mathuria
Douglas Stebila
Protocols
for Authentication
and Key
Establishment
Second Edition
Information Security and Cryptography
SeriesEditors
DavidBasin
KennyPaterson
AdvisoryBoard
MichaelBackes
GillesBarthe
RonaldCramer
IvanDamgård
AndrewD.Gordon
JoshuaD.Guttman
Christopher Kruegel
UeliMaurer
TatsuakiOkamoto
Adrian Perrig
BartPreneel
Moreinformationaboutthisseriesathttp://www.springer.com/series/4752
Colin Boyd • Anish Mathuria • Douglas Stebila
Protocols for Authentication
and Key Establishment
Second Edition
Colin Boyd Anish Mathuria
Department of Information Security Dhirubhai Ambani Institute
and Communication Technology of Information and Communication
Norwegian University of Science Technology (DA-IICT)
and Technology Gandhinagar, Gujarat, India
Trondheim, Norway
Douglas Stebila
Department of Combinatorics
and Optimization
University of Waterloo
Waterloo, ON, Canada
Originally published under: Boyd C. and Mathuria A.
ISSN 1619-7100 ISSN 2197-845X (electronic)
Information Security and Cryptography
ISBN 978-3-662-58145-2 ISBN 978-3-662-58146-9 (eBook)
https://doi.org/10.1007/978-3-662-58146-9
© Springer-Verlag GmbH Germany, part of Springer Nature 2003, 2020
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of
the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology
now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors, and the editors are safe to assume that the advice and information in this book
are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the
editors give a warranty, express or implied, with respect to the material contained herein or for any errors
or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims
in published maps and institutional affiliations.
This Springer imprint is published by the registered company Springer-Verlag GmbH, DE part of Springer
Nature.
The registered company address is: Heidelberger Platz 3, 14197 Berlin, Germany
Tothememoryofmyfather
Thouthyworldlytaskhastdone
–CB
Tothememoryofmygrandmother
–AM
Tomyparentsandteachers
–DS
Preface
Thefirsteditionofthisbookwaspublishedin2003.Inevitably,certainpartsofthe
book became outdated quickly. At the same time new developments have contin-
uedapace,includingnewconcreteprotocols,newunderstandingofprotocolsecurity
properties, and new cryptographic primitives and techniques which can be used in
protocol design. Work on a new edition began as early as 2010, but even as it was
beingwrittenitsscopeexpanded.Weareawarethatsomeimportantprotocolshave
beenomitted,andthatthereareemergingareaswhichwillseeconsiderableactivity
inthenearfuture(post-quantumsecureprotocolsbeingoneobviousexample).How-
ever,westillhopethatwehavebeenabletocapturemostofthemaindevelopments
thathaveoccurredsincethefirstedition.
Thissecondeditionhasbroadlythesamepurposeandscopeasthefirstedition.
We hope to provide a helpful reference for the expert while still being accessible
to those newer to the topic, including those trying to obtain a broad overview of
the field. In comparison with the first edition, there are three new chapters and all
the other chapters (one renamed) have been extensively revised. The new book is
around50%largerwitharound225concreteprotocolsdescribedandabibliography
withalmosttwiceasmanyreferences.Someoldermaterial,whichwedeemedless
relevanttoday,hasbeenremoved.
Chapter1 replaces the first two chapters from the first edition. The chapter is in-
tended to provide the necessary background on cryptography, attack scenarios
andprotocolgoalswithanexpandedcoverage.Theinitialtutorialintroduction
hasbeenmovedtoanappendix,whilesomepartsofChapter2fromthefirstedi-
tionwereremovedastheyseemednolongerrelevant.Anupdated,butsomewhat
shortened,introductiontoprotocolverificationisalsoincluded.
Chapter2 isthefirstcompletelynewchapter,describingcomputationalmodelsfor
key exchange and authentication. The purpose of this chapter is not to provide
a tutorial on how to read, let alone write, computational proofs, but rather to
trytohelpreadersunderstandwhatacomputationalproofprovidesandhowto
compare the many different computational models in use. In later chapters we
VII
VIII Preface
havefreelymadereferencetothemajorcomputationalmodelswhendiscussing
specificprotocolsandtheirsecurity.
Chapter3 isanupdatedchaptercoveringprotocolsusingsharedkeycryptography.
ThisincludesmajorupdatesonthestatusoftheprotocolsintheISO9798-2and
11770-2standards.
Chapter4 isanupdatedchapteronprotocolsusingpublickeycryptography.Again,
thisincludesnewdevelopmentsoftheISOstandardprotocols,thistimeforthe
9798-3 and 11770-3 protocols. Coverage of TLS is moved to the new Chap. 6
whichisdevotedtoTLS.
Chapter5 onkeyagreementis,asinthefirstedition,thelongestchapter.Thereis
anamazingdiversityofideasindesignofkeyagreementprotocols,eveninthe
simplestcasecoveredinthischapter,whichislimitedtotwo-partyprotocolsin
the public key setting. Even though several older protocols from the first edi-
tionhavebeenomitted,therevisedchapterisnowmorethantenpageslonger,
illustratingthattherearestillmanynewdevelopmentsoccurring.
Chapter6 isacompletelynewchapterontheTLSprotocol.Asthemostprominent
keyestablishmentprotocolinusetoday,webelieveitismorethanjustifiableto
devoteachaptertoTLS.Thedevelopmentoftheprotocolinthepast10years,
culminating in the new TLS 1.3 protocol, provides many lessons for those re-
searchingandimplementingkeyestablishmentprotocols.
Chapter7 is the third new chapter and is dedicated to ID-based protocols. While
itgathersinsomeearlyID-basedprotocolsalreadyincludedinthefirstedition,
the coverage of pairing-based protocols forms the bulk of the chapter and is
completelynew.
Chapter8 isanupdatedchapteronpassword-basedprotocols.Thisisanothertopic
wheretherehasbeenagreatdealofresearchactivitysincethefirsteditionlead-
ingtoasignificantexpansioninthechapter.
Chapter9 is an updated (and renamed) chapter on group key establishment. Al-
thoughgroupprotocolshavealonghistorytherehasbeenmuchrecentworkto
modernisethetopicwithstrongersecuritypropertiesandformalproofs.
AppendixA covers standards for key establishment and authentication protocols
fromvariousstandardsbodies,updatedandexpandedfromthefirstedition.
AppendixB consists of a tutorial introduction to protocols for authentication and
keyestablishment.Thisisunchangedfromthecorrespondingsectioninthefirst
edition,apartfromsomesmallnotationalrevisions.
Acknowledgements
Many people have given their help and advice generously to help us to improve
the quality of the book. Different people have reviewed and provided comment on
various portions of the book. We thank them all for their generous spirit and are
sincerelysorryifwehavemisinterpretedorforgottenanyoftheirhelpfuladvice.This
listincludesallthosewhowecanremember;wehopenottohavemissedanyone.
Preface IX
CraigCostello SigurdEskeland Ha˚konJacobsen
TiborJager ChrisMitchell RuxandraOlimid
KennethRadke SeongHanShin BerkantUstaoglu
In addition, Kazuki Yoneyama provided helpful answers to specific questions. We
are solely responsible for all errors of fact, presentation style, or just plain typing
errorsthatthisbookmayhave.
TheteamatSpringerhavebeenencouragingandhelpfulthroughout.Wewould
particularlyliketothankRonanNugentforhisunfailingconfidenceandquickaction
on all matters, even as we delayed time and again. Series editor Kenny Paterson
providedenthusiasticandencouragingsupport.
CB would like to record his personal thanks to his family for bearing with de-
nialofserviceduringtheseeminglyinterminablesagaofthesecondedition.When
theworkstartedhewaswithQueenslandUniversityofTechnology,particularlythe
SchoolofElectricalEngineeringandComputerScience.Morerecentlyhehasbeen
attheNorwegianUniversityofScienceandTechnologyinthedepartmentnowcalled
Information Security and Communication Technology. Both institutions have pro-
videdencouragementandresourcestosupportthiswork.
AM would like to express his gratitude to his wife, Hemal, and daughter, Rad-
hika, for their unfailing love, support, and patience. His work was carried out at
the University of Massachusetts at Dartmouth and more recently at the Dhirubhai
AmbaniInstituteofInformationandCommunicationTechnology.Hewouldliketo
thankhiscolleaguesatbothoftheseinstitutionsfortheirsupportandencouragement.
DS would like to thank CB and AM for inviting him to join them in updating
the fine work they did in the first edition. This work has been carried out over his
timeattheQueenslandUniversityofTechnology,McMasterUniversity,andnowthe
UniversityofWaterloo,andcolleaguesatalloftheseweresupportiveofhisworkon
thisproject.
ThisbookwastypesetinLATEXonvariousplatforms.Thestylefortheprotocols
andattacksisadaptedfromAnselmLingnau’sfloatpackage.
Trondheim,Gandhinagar,Waterloo ColinBoyd
January2019 AnishMathuria
DouglasStebila
Contents
ListofProtocols .......................................................XXI
ListofAttacks .......................................................XXVII
1 IntroductiontoAuthenticationandKeyEstablishment ............. 1
1.1 Introduction ............................................... 1
1.2 ProtocolArchitectures ...................................... 2
1.2.1 CryptographicKeys .................................. 2
1.2.2 MethodofSessionKeyGeneration ..................... 3
1.2.3 NumberofParties.................................... 4
1.2.4 Example............................................ 4
1.3 CryptographicTools ........................................ 5
1.3.1 Confidentiality ...................................... 6
1.3.2 DataOriginAuthenticationandDataIntegrity ............ 8
1.3.3 AuthenticatedEncryption ............................. 9
1.3.4 Non-repudiation ..................................... 9
1.3.5 ExamplesofCryptographicAlgorithms ................. 10
1.3.6 SecretSharing....................................... 11
1.3.7 FreshnessMechanisms ............................... 12
1.4 AdversaryCapabilities ...................................... 14
1.4.1 Eavesdropping ...................................... 15
1.4.2 Modification ........................................ 15
1.4.3 Replay ............................................. 16
1.4.4 Preplay............................................. 16
1.4.5 Reflection .......................................... 16
1.4.6 DenialofService .................................... 17
1.4.7 TypingAttacks ...................................... 18
1.4.8 Cryptanalysis ....................................... 20
1.4.9 CertificateManipulation .............................. 20
1.4.10 ProtocolInteraction .................................. 22
1.5 GoalsforAuthenticationandKeyEstablishment ................ 22
1.5.1 ModelsofSecurity................................... 24
XI
XII Contents
1.5.2 KeyEstablishmentorAuthentication?................... 24
1.5.3 EntityAuthentication................................. 26
1.5.4 KeyEstablishment ................................... 28
1.5.5 KeyConfirmation.................................... 29
1.5.6 Example:STSProtocol ............................... 31
1.5.7 ForwardSecrecy..................................... 33
1.5.8 WeakForwardSecrecy ............................... 35
1.5.9 KeyCompromiseImpersonation ....................... 36
1.5.10 Deniability.......................................... 37
1.5.11 Anonymity ......................................... 39
1.5.12 ProtocolEfficiency................................... 41
1.6 ToolsforVerificationofProtocols............................. 43
1.6.1 FDR ............................................... 44
1.6.2 NRLAnalyzerandMaude-NPA........................ 47
1.6.3 ProVerif............................................ 48
1.6.4 ScytherandTamarin ................................. 48
1.6.5 ToolsforComputationalModels ....................... 50
1.6.6 ComparisonofTools ................................. 51
1.7 Conclusion................................................ 52
2 ComputationalSecurityModels ................................. 53
2.1 Introduction ............................................... 53
2.1.1 TheSignificanceofaComputationalProofofSecurity..... 54
2.1.2 ElementsofComputationalModels..................... 55
2.2 Bellare–RogawayModel .................................... 58
2.2.1 BR93:TheFirstComputationalModel .................. 58
2.2.2 BR95:Server-BasedProtocols ......................... 65
2.2.3 ThePublicKeySetting:TheBWMandBWJMModels .... 66
2.2.4 BPR00:ForwardSecrecyandPasswords ................ 67
2.2.5 SummarisingtheBRModelVariants.................... 69
2.3 Canetti–KrawczykModel.................................... 69
2.3.1 BCK98Model....................................... 69
2.3.2 CK01Model ........................................ 70
2.3.3 HMQVModel....................................... 75
2.4 eCKModel................................................ 76
2.4.1 MU08Model ....................................... 78
2.4.2 eCK-PFSModel..................................... 78
2.4.3 seCKModel ........................................ 79
2.5 ComparingComputationalModelsforKeyExchange ............ 79
2.5.1 ComparingtheBRandCKModels ..................... 80
2.5.2 ComparingeCKandOtherModels ..................... 81
2.5.3 SessionsandSessionIdentifiers ........................ 82
2.5.4 IncorporatingPublicKeyInfrastructure.................. 83
2.6 Shoup’sSimulationModel................................... 84
2.7 ModelsforEnhancedScenarios............................... 85
