
Analysis And Design Of Authenticated Key Agreement Protocols

Posted on: 2012-08-08    Degree: Doctor    Type: Dissertation
Country: China    Candidate: J J Zhao    Full Text: PDF
GTID: 1488303389991329    Subject: Computer Science and Technology
Abstract/Summary:
Key agreement is an important mechanism that lets communicating entities establish a session key over an open network; the session key then provides a secure channel for the subsequent applications. Key agreement protocols are simple and fair, and no participant has to trust the others. Because of these merits, key agreement protocols have been studied extensively and are used in many industry-oriented applications.

The goal of key agreement is to establish secure session keys in an untrusted communication environment. The variety of attacks possible in such an environment is what makes protocol analysis and design difficult. At present, provable security is the standard tool for establishing the (conditional) security of a key agreement protocol. Security proofs in computational (game-based) security models are mostly reductionist and proceed by contradiction: the success probability of an adversary in breaking a security requirement of the construction is reduced to the probability of solving one or more cryptographic problems that are believed to be intractable.

This thesis addresses the analysis and design of authenticated key agreement protocols. We study the design of secure protocols, the analysis of existing protocols, and improvements to the security models in the two-party, three-party and multi-party settings, and obtain the following results.

1) We summarize basic principles of secure protocol design and point out that choosing reasonable security goals is of prime importance to the security of a protocol. We also give a general statement of the primary security goals that a secure key agreement protocol should achieve.

2) We design two novel two-party authenticated key agreement (2AKA) protocols and prove them secure in the eCK model, which gives the strongest definition of security among existing models for 2AKA protocols. Compared with recent 2AKA protocols proven secure in the CK or eCK model, the security of our protocols rests on the CDH assumption, which is weaker than the DDH assumption and the GDH assumption.

3) Password-based authenticated key agreement (PAKA) is a valuable variant of AKA. Among the security models for three-party PAKA (3PAKA) protocols, the 3eCK model, proposed by Yoneyama of Japan at INDOCRYPT 2008, currently gives the strongest definition of security. We propose a 3PAKA protocol that is provably secure in the 3eCK model under the CDH assumption. As far as we know, it is the first provably secure 3PAKA protocol based on the CDH assumption with average computational cost, and the first whose proof uses the trapdoor test method proposed at EUROCRYPT 2008; with this method we can construct an efficient decision oracle for the CDH problem without knowing the corresponding discrete logarithm.

4) The GBG model gives the strongest definition of security among previous security models for group key agreement (GKA) protocols, but resistance to ephemeral key leakage lies outside its scope. In this thesis we demonstrate an ephemeral key leakage attack on an existing GKA protocol that had been shown secure in the GBG model. We then extend the GBG model by giving the adversary the additional power of leaking ephemeral keys in a GKA protocol session. Applying the well-known NAXOS trick, we propose an improvement to an existing GKA protocol that resists the ephemeral key leakage attack, and we argue the security of the improved protocol under our new model.

5) We analyze the 2AKA protocol in the High-bandwidth Digital Content Protection (HDCP) specification and find that it fails to prevent the unknown key-share (UKS) attack and the impersonation attack; moreover, it provides neither forward secrecy nor key confirmation. Based on these findings we propose a carefully designed variant that satisfies all the security goals missing from the original AKA protocol, at a slight increase in computational cost.

6) In 2008, T. Chen et al. proposed a novel 3PAKA protocol, the CLC protocol. In this protocol the trusted server does not need to store a security-sensitive table, which reduces the risk of server compromise, and it uses fewer communication rounds (three) than other schemes of the same type, so it is more efficient in bandwidth. Unfortunately, we find that if an adversary obtains the authentication values VA and VB, a man-in-the-middle attack becomes feasible. We describe the man-in-the-middle attack using the values VA and VB and present a modified 3PAKA protocol. Our protocol resists the known attacks, including the man-in-the-middle attack we mount on the CLC protocol. Participants choose their own passwords in our protocol, which avoids the problem of the server being controlled during the initialization phase.

7) An efficient group key agreement protocol with fault tolerance is proposed. The new protocol not only resists DoS attacks, replay attacks, man-in-the-middle attacks and common modulus attacks, but also achieves forward secrecy. To scale the protocol to a large network, we construct a simple clustering-based framework for it.
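Two of the building blocks named above, the NAXOS trick of item 4 and the trapdoor test of item 3, can be seen in a few lines of Python. The following is an added toy example, not code from the dissertation or any of its protocols: it assumes a tiny safe-prime group (p = 1019, q = 509, g = 4) and SHA-256 as the hash, and the key derivation follows the NAXOS shape H(sigma1, sigma2, sigma3) rather than any of the thesis' own constructions. The first half shows why leaking the raw ephemeral secret is harmless when the exponent actually used is H(esk, sk); the second half builds the Cash-Kiltz-Shoup decision oracle for CDH, which accepts (Z1, Z2) = (Y^x1, Y^x2) without knowing x1 or x2.

```python
# Constructed toy example, not code from the dissertation or its protocols.
# Group: safe prime p = 2q + 1 with g = 4 generating the order-q subgroup.
# Parameters are deliberately tiny for illustration; never use them in practice.
import hashlib
import secrets

P, Q, G = 1019, 509, 4


def rand_exp() -> int:
    """Uniform exponent in [1, q-1]."""
    return 1 + secrets.randbelow(Q - 1)


def hash_int(*parts) -> bytes:
    """Toy hash of a tuple of integers (assumption: SHA-256 over a '|'-joined string)."""
    return hashlib.sha256("|".join(str(x) for x in parts).encode()).digest()


# ---------- NAXOS trick (item 4) ----------

def eph_exponent(esk: int, sk: int, naxos: bool = True) -> int:
    """NAXOS: the DH exponent actually used is H(esk, sk), not the raw ephemeral
    secret esk. An ephemeral-key-leakage query reveals only esk, which says
    nothing about H(esk, sk) without the long-term key sk."""
    if not naxos:
        return esk                      # plain DH: the leaked value IS the exponent
    return 1 + int.from_bytes(hash_int(esk, sk), "big") % (Q - 1)


def session_key(own_sk: int, own_esk: int, peer_pk: int, peer_eph: int,
                initiator: bool, naxos: bool = True) -> bytes:
    """NAXOS-shaped derivation H(sigma1, sigma2, sigma3) from one party's view.
    Initiator A with static a and ephemeral exponent x~, peer B with Y = g^y~:
        (Y^a, B^x~, Y^x~);   responder B computes (A^y~, X^b, X^y~)."""
    e = eph_exponent(own_esk, own_sk, naxos)
    s_static = pow(peer_eph, own_sk, P)   # Y^a   or X^b
    s_cross = pow(peer_pk, e, P)          # B^x~  or A^y~
    s_eph = pow(peer_eph, e, P)           # Y^x~  or X^y~
    terms = (s_static, s_cross, s_eph) if initiator else (s_cross, s_static, s_eph)
    return hash_int(*terms)


def naxos_demo(naxos: bool = True):
    """One session, then an adversary holding both raw ephemeral secrets (but no
    static key) tries the plain-DH reconstruction (A^y, B^x, g^{xy}).
    Returns (keys_agree, leakage_recovers_key)."""
    a, b = rand_exp(), rand_exp()                      # static secrets
    A, B = pow(G, a, P), pow(G, b, P)
    x, y = rand_exp(), rand_exp()                      # raw ephemeral secrets (leaked)
    X = pow(G, eph_exponent(x, a, naxos), P)
    Y = pow(G, eph_exponent(y, b, naxos), P)
    k_a = session_key(a, x, B, Y, initiator=True, naxos=naxos)
    k_b = session_key(b, y, A, X, initiator=False, naxos=naxos)
    k_leak = hash_int(pow(A, y, P), pow(B, x, P), pow(G, x * y, P))
    return k_a == k_b, k_leak == k_a


# ---------- Trapdoor test (item 3) ----------

def trapdoor_setup(X1: int):
    """Given X1 = g^{x1} with x1 unknown, pick r in [1,q-1], s in [0,q-1] and set
    X2 = g^s * X1^{-r}, so implicitly x2 = s - r*x1. (r, s) is the trapdoor."""
    r, s = rand_exp(), secrets.randbelow(Q)
    X2 = pow(G, s, P) * pow(X1, Q - r, P) % P       # X1^{-r} = X1^{q-r} in the subgroup
    return X2, (r, s)


def trapdoor_check(trap, Y: int, Z1: int, Z2: int) -> bool:
    """Decide whether (Z1, Z2) == (Y^{x1}, Y^{x2}) without x1 or x2:
    Z1^r * Z2 == Y^s holds for the honest pair; any other pair passes only
    with probability 1/q over the hidden r."""
    r, s = trap
    return pow(Z1, r, P) * Z2 % P == pow(Y, s, P)


def trapdoor_demo():
    """Returns (honest_pair_accepted, pair_with_wrong_Z1_accepted)."""
    x1 = rand_exp()
    X1 = pow(G, x1, P)                               # the CDH instance, x1 unknown to the checker
    X2, trap = trapdoor_setup(X1)
    y = rand_exp()
    Y = pow(G, y, P)
    Z1, Z2 = pow(X1, y, P), pow(X2, y, P)            # what a party knowing y computes
    honest = trapdoor_check(trap, Y, Z1, Z2)
    forged = trapdoor_check(trap, Y, Z1 * G % P, Z2)  # Z1 off by one g; Z2 still correct
    return honest, forged


if __name__ == "__main__":
    print("NAXOS   (agree, leak recovers key):", naxos_demo(naxos=True))
    print("plain DH(agree, leak recovers key):", naxos_demo(naxos=False))
    print("trapdoor (honest, forged):", trapdoor_demo())
```

In the plain-DH run the leaked (x, y) reconstruct the key exactly; in the NAXOS run they do not, because sigma3 = g^{x~y~} needs the hashed exponents and hence a static key. The trapdoor check rejects the wrong Z1 deterministically here because Z2 is still correct and r is non-zero; an adversary who tampers with both components blind to r passes with probability 1/q, which is why the reduction in item 3 gets a usable decision oracle for CDH without any discrete logarithm.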
Keywords/Search Tags: Cryptographic protocol, Key agreement protocol, Password-based authentication, Fault tolerance, HDCP specification, Trapdoor test