
Analysis And Design Of Key Exchange Protocols And Security Models

Posted on: 2012-07-16, Degree: Doctor, Type: Dissertation
Country: China, Candidate: Q F Cheng, Full Text: PDF
GTID: 1118330371462494, Subject: Cryptography
Abstract/Summary:
Authenticated key exchange (AKE) protocols allow two or more parties to generate a common session key over a public channel, which is then used for subsequent secure communications. In 1993, Bellare and Rogaway applied the provable security method to the design and analysis of AKE protocols for the first time and presented the first formal security model. Since then, different formal security models have been proposed. After twenty years of development, formal security models based on the provable security method have become the main method in research on AKE protocols.

In this thesis, we address the design and analysis of AKE protocols in the random oracle model and in formal security models, particularly AKE protocols in the two-party setting and in the group setting. We show the exact relations among some security models and propose two strong security models. Moreover, we design several new secure AKE protocols based on various security models and various computational hardness assumptions. The main results of the thesis are as follows:

1. Several existing security models are compared and three two-party AKE protocols are analyzed. First, we compare the security of the eCK2007 model and the CK2001 model and show that neither is stronger than the other. Second, we compare the security of the MSU2009 model and the BCPQ2001 model and show that the security of the MSU2009 model is stronger than that of the BCPQ2001 model. Third, two two-party AKE protocols are analyzed; the analysis shows that neither of them meets the security requirements of the eCK2007 model. Finally, we point out that Vo et al.'s two-party multiple key exchange protocol is vulnerable to the reflection attack. To prevent the reflection attack, we propose an improvement of Vo et al.'s protocol with stronger security.

2. The design of two-party AKE protocols in the random oracle model is studied. First, we analyze the security of the eCK2007 model and point out a weakness in it. Next, we propose the meCK2007 model by adding an EphemeralHKeyReveal query to the original eCK2007 model, which gives the adversary stronger power. Finally, we design three two-party AKE protocols in the meCK2007 model. Compared with other similar two-party AKE protocols, our proposed protocols provide stronger security while keeping the same level of computational complexity.

3. Group authenticated key exchange (GAKE) protocols for balanced networks are studied. We first analyze the mBD+S protocol proposed by Abdalla et al. at Africacrypt 2010 and show that it cannot resist ephemeral key compromise attacks or malicious insider attacks. We then propose the emBD+S protocol, based on the mBD+S protocol. The emBD+S protocol resists ephemeral key compromise attacks by using a hash function to bind a party's long-term private key and ephemeral key. In addition, the emBD+S protocol uses a key confirmation method to prevent malicious insider attacks. Finally, we prove that the emBD+S protocol is secure in the MA model, which is constructed from the MSU2009 model and the ACMP2010 model.

4. GAKE protocols for imbalanced wireless networks are studied. First, we propose a new GAKE protocol for imbalanced wireless networks, based on bilinear pairings in the random oracle model. Our GAKE protocol, proven secure in the MSU2009 model, resists ephemeral key compromise attacks and provides genuine mutual authentication between users with limited computing capability and the powerful node. Second, we propose a novel dynamic GAKE protocol for imbalanced wireless networks, which allows users to join or leave at any time and provides forward and backward secrecy for dynamic joining and leaving. Moreover, our dynamic GAKE protocol not only generates a common group session key among all group users but also allows each pair of group users to use the messages from the group communication to derive an independent two-party session key on demand. This means that users involved in our dynamic GAKE protocol can efficiently compute more session keys, so the protocol is well suited to wireless mobile communications.
Keywords/Search Tags: Authenticated Key Exchange, Group Authenticated Key Exchange, Security Model, Provable Security, Ephemeral Key Compromise Attack, Random Oracle Model, Imbalanced Wireless Networks