Information Security and Cryptography Colin Boyd Anish Mathuria Douglas Stebila Protocols for Authentication and Key Establishment Second Edition Information Security and Cryptography SeriesEditors DavidBasin KennyPaterson AdvisoryBoard MichaelBackes GillesBarthe RonaldCramer IvanDamgård AndrewD.Gordon JoshuaD.Guttman Christopher Kruegel UeliMaurer TatsuakiOkamoto Adrian Perrig BartPreneel Moreinformationaboutthisseriesathttp://www.springer.com/series/4752 Colin Boyd • Anish Mathuria • Douglas Stebila Protocols for Authentication and Key Establishment Second Edition Colin Boyd Anish Mathuria Department of Information Security Dhirubhai Ambani Institute and Communication Technology of Information and Communication Norwegian University of Science Technology (DA-IICT) and Technology Gandhinagar, Gujarat, India Trondheim, Norway Douglas Stebila Department of Combinatorics and Optimization University of Waterloo Waterloo, ON, Canada Originally published under: Boyd C. and Mathuria A. ISSN 1619-7100 ISSN 2197-845X (electronic) Information Security and Cryptography ISBN 978-3-662-58145-2 ISBN 978-3-662-58146-9 (eBook) https://doi.org/10.1007/978-3-662-58146-9 © Springer-Verlag GmbH Germany, part of Springer Nature 2003, 2020 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Springer imprint is published by the registered company Springer-Verlag GmbH, DE part of Springer Nature. The registered company address is: Heidelberger Platz 3, 14197 Berlin, Germany Tothememoryofmyfather Thouthyworldlytaskhastdone –CB Tothememoryofmygrandmother –AM Tomyparentsandteachers –DS Preface Thefirsteditionofthisbookwaspublishedin2003.Inevitably,certainpartsofthe book became outdated quickly. At the same time new developments have contin- uedapace,includingnewconcreteprotocols,newunderstandingofprotocolsecurity properties, and new cryptographic primitives and techniques which can be used in protocol design. Work on a new edition began as early as 2010, but even as it was beingwrittenitsscopeexpanded.Weareawarethatsomeimportantprotocolshave beenomitted,andthatthereareemergingareaswhichwillseeconsiderableactivity inthenearfuture(post-quantumsecureprotocolsbeingoneobviousexample).How- ever,westillhopethatwehavebeenabletocapturemostofthemaindevelopments thathaveoccurredsincethefirstedition. Thissecondeditionhasbroadlythesamepurposeandscopeasthefirstedition. We hope to provide a helpful reference for the expert while still being accessible to those newer to the topic, including those trying to obtain a broad overview of the field. In comparison with the first edition, there are three new chapters and all the other chapters (one renamed) have been extensively revised. The new book is around50%largerwitharound225concreteprotocolsdescribedandabibliography withalmosttwiceasmanyreferences.Someoldermaterial,whichwedeemedless relevanttoday,hasbeenremoved. Chapter1 replaces the first two chapters from the first edition. The chapter is in- tended to provide the necessary background on cryptography, attack scenarios andprotocolgoalswithanexpandedcoverage.Theinitialtutorialintroduction hasbeenmovedtoanappendix,whilesomepartsofChapter2fromthefirstedi- tionwereremovedastheyseemednolongerrelevant.Anupdated,butsomewhat shortened,introductiontoprotocolverificationisalsoincluded. Chapter2 isthefirstcompletelynewchapter,describingcomputationalmodelsfor key exchange and authentication. The purpose of this chapter is not to provide a tutorial on how to read, let alone write, computational proofs, but rather to trytohelpreadersunderstandwhatacomputationalproofprovidesandhowto compare the many different computational models in use. In later chapters we VII VIII Preface havefreelymadereferencetothemajorcomputationalmodelswhendiscussing specificprotocolsandtheirsecurity. Chapter3 isanupdatedchaptercoveringprotocolsusingsharedkeycryptography. ThisincludesmajorupdatesonthestatusoftheprotocolsintheISO9798-2and 11770-2standards. Chapter4 isanupdatedchapteronprotocolsusingpublickeycryptography.Again, thisincludesnewdevelopmentsoftheISOstandardprotocols,thistimeforthe 9798-3 and 11770-3 protocols. Coverage of TLS is moved to the new Chap. 6 whichisdevotedtoTLS. Chapter5 onkeyagreementis,asinthefirstedition,thelongestchapter.Thereis anamazingdiversityofideasindesignofkeyagreementprotocols,eveninthe simplestcasecoveredinthischapter,whichislimitedtotwo-partyprotocolsin the public key setting. Even though several older protocols from the first edi- tionhavebeenomitted,therevisedchapterisnowmorethantenpageslonger, illustratingthattherearestillmanynewdevelopmentsoccurring. Chapter6 isacompletelynewchapterontheTLSprotocol.Asthemostprominent keyestablishmentprotocolinusetoday,webelieveitismorethanjustifiableto devoteachaptertoTLS.Thedevelopmentoftheprotocolinthepast10years, culminating in the new TLS 1.3 protocol, provides many lessons for those re- searchingandimplementingkeyestablishmentprotocols. Chapter7 is the third new chapter and is dedicated to ID-based protocols. While itgathersinsomeearlyID-basedprotocolsalreadyincludedinthefirstedition, the coverage of pairing-based protocols forms the bulk of the chapter and is completelynew. Chapter8 isanupdatedchapteronpassword-basedprotocols.Thisisanothertopic wheretherehasbeenagreatdealofresearchactivitysincethefirsteditionlead- ingtoasignificantexpansioninthechapter. Chapter9 is an updated (and renamed) chapter on group key establishment. Al- thoughgroupprotocolshavealonghistorytherehasbeenmuchrecentworkto modernisethetopicwithstrongersecuritypropertiesandformalproofs. AppendixA covers standards for key establishment and authentication protocols fromvariousstandardsbodies,updatedandexpandedfromthefirstedition. AppendixB consists of a tutorial introduction to protocols for authentication and keyestablishment.Thisisunchangedfromthecorrespondingsectioninthefirst edition,apartfromsomesmallnotationalrevisions. Acknowledgements Many people have given their help and advice generously to help us to improve the quality of the book. Different people have reviewed and provided comment on various portions of the book. We thank them all for their generous spirit and are sincerelysorryifwehavemisinterpretedorforgottenanyoftheirhelpfuladvice.This listincludesallthosewhowecanremember;wehopenottohavemissedanyone. Preface IX CraigCostello SigurdEskeland Ha˚konJacobsen TiborJager ChrisMitchell RuxandraOlimid KennethRadke SeongHanShin BerkantUstaoglu In addition, Kazuki Yoneyama provided helpful answers to specific questions. We are solely responsible for all errors of fact, presentation style, or just plain typing errorsthatthisbookmayhave. TheteamatSpringerhavebeenencouragingandhelpfulthroughout.Wewould particularlyliketothankRonanNugentforhisunfailingconfidenceandquickaction on all matters, even as we delayed time and again. Series editor Kenny Paterson providedenthusiasticandencouragingsupport. CB would like to record his personal thanks to his family for bearing with de- nialofserviceduringtheseeminglyinterminablesagaofthesecondedition.When theworkstartedhewaswithQueenslandUniversityofTechnology,particularlythe SchoolofElectricalEngineeringandComputerScience.Morerecentlyhehasbeen attheNorwegianUniversityofScienceandTechnologyinthedepartmentnowcalled Information Security and Communication Technology. Both institutions have pro- videdencouragementandresourcestosupportthiswork. AM would like to express his gratitude to his wife, Hemal, and daughter, Rad- hika, for their unfailing love, support, and patience. His work was carried out at the University of Massachusetts at Dartmouth and more recently at the Dhirubhai AmbaniInstituteofInformationandCommunicationTechnology.Hewouldliketo thankhiscolleaguesatbothoftheseinstitutionsfortheirsupportandencouragement. DS would like to thank CB and AM for inviting him to join them in updating the fine work they did in the first edition. This work has been carried out over his timeattheQueenslandUniversityofTechnology,McMasterUniversity,andnowthe UniversityofWaterloo,andcolleaguesatalloftheseweresupportiveofhisworkon thisproject. ThisbookwastypesetinLATEXonvariousplatforms.Thestylefortheprotocols andattacksisadaptedfromAnselmLingnau’sfloatpackage. Trondheim,Gandhinagar,Waterloo ColinBoyd January2019 AnishMathuria DouglasStebila Contents ListofProtocols .......................................................XXI ListofAttacks .......................................................XXVII 1 IntroductiontoAuthenticationandKeyEstablishment ............. 1 1.1 Introduction ............................................... 1 1.2 ProtocolArchitectures ...................................... 2 1.2.1 CryptographicKeys .................................. 2 1.2.2 MethodofSessionKeyGeneration ..................... 3 1.2.3 NumberofParties.................................... 4 1.2.4 Example............................................ 4 1.3 CryptographicTools ........................................ 5 1.3.1 Confidentiality ...................................... 6 1.3.2 DataOriginAuthenticationandDataIntegrity ............ 8 1.3.3 AuthenticatedEncryption ............................. 9 1.3.4 Non-repudiation ..................................... 9 1.3.5 ExamplesofCryptographicAlgorithms ................. 10 1.3.6 SecretSharing....................................... 11 1.3.7 FreshnessMechanisms ............................... 12 1.4 AdversaryCapabilities ...................................... 14 1.4.1 Eavesdropping ...................................... 15 1.4.2 Modification ........................................ 15 1.4.3 Replay ............................................. 16 1.4.4 Preplay............................................. 16 1.4.5 Reflection .......................................... 16 1.4.6 DenialofService .................................... 17 1.4.7 TypingAttacks ...................................... 18 1.4.8 Cryptanalysis ....................................... 20 1.4.9 CertificateManipulation .............................. 20 1.4.10 ProtocolInteraction .................................. 22 1.5 GoalsforAuthenticationandKeyEstablishment ................ 22 1.5.1 ModelsofSecurity................................... 24 XI XII Contents 1.5.2 KeyEstablishmentorAuthentication?................... 24 1.5.3 EntityAuthentication................................. 26 1.5.4 KeyEstablishment ................................... 28 1.5.5 KeyConfirmation.................................... 29 1.5.6 Example:STSProtocol ............................... 31 1.5.7 ForwardSecrecy..................................... 33 1.5.8 WeakForwardSecrecy ............................... 35 1.5.9 KeyCompromiseImpersonation ....................... 36 1.5.10 Deniability.......................................... 37 1.5.11 Anonymity ......................................... 39 1.5.12 ProtocolEfficiency................................... 41 1.6 ToolsforVerificationofProtocols............................. 43 1.6.1 FDR ............................................... 44 1.6.2 NRLAnalyzerandMaude-NPA........................ 47 1.6.3 ProVerif............................................ 48 1.6.4 ScytherandTamarin ................................. 48 1.6.5 ToolsforComputationalModels ....................... 50 1.6.6 ComparisonofTools ................................. 51 1.7 Conclusion................................................ 52 2 ComputationalSecurityModels ................................. 53 2.1 Introduction ............................................... 53 2.1.1 TheSignificanceofaComputationalProofofSecurity..... 54 2.1.2 ElementsofComputationalModels..................... 55 2.2 Bellare–RogawayModel .................................... 58 2.2.1 BR93:TheFirstComputationalModel .................. 58 2.2.2 BR95:Server-BasedProtocols ......................... 65 2.2.3 ThePublicKeySetting:TheBWMandBWJMModels .... 66 2.2.4 BPR00:ForwardSecrecyandPasswords ................ 67 2.2.5 SummarisingtheBRModelVariants.................... 69 2.3 Canetti–KrawczykModel.................................... 69 2.3.1 BCK98Model....................................... 69 2.3.2 CK01Model ........................................ 70 2.3.3 HMQVModel....................................... 75 2.4 eCKModel................................................ 76 2.4.1 MU08Model ....................................... 78 2.4.2 eCK-PFSModel..................................... 78 2.4.3 seCKModel ........................................ 79 2.5 ComparingComputationalModelsforKeyExchange ............ 79 2.5.1 ComparingtheBRandCKModels ..................... 80 2.5.2 ComparingeCKandOtherModels ..................... 81 2.5.3 SessionsandSessionIdentifiers ........................ 82 2.5.4 IncorporatingPublicKeyInfrastructure.................. 83 2.6 Shoup’sSimulationModel................................... 84 2.7 ModelsforEnhancedScenarios............................... 85