Key-agreement protocol

Last updated August 01, 2024

In cryptography, a key-agreement protocol is a protocol whereby two (or more) parties generate a cryptographic key as a function of information provided by each honest party so that no party can predetermine the resulting value. ^[1] In particular, all honest participants influence the outcome. A key-agreement protocol is a specialisation of a key-exchange protocol.^[2]

At the end of the agreement, all parties share the same key. A key-agreement protocol precludes undesired third parties from forcing a key choice on the agreeing parties.A secure key agreement can ensure confidentiality and data integrity ^[3] in communications systems, ranging from simple messaging applications to complex banking transactions.

Secure agreement is defined relative to a security model, for example the Universal Model ^[2]. More generally, when evaluating protocols, it is important to state security goals and the security model^[4]. For example, it may be required for the session key to be authenticated. A protocol can be evaluated for success only in the context of its goals and attack model^[5]. An example of an adversarial model is the Dolev-Yao model.

In many key exchange systems, one party generates the key, and sends that key to the^[6] other party; the other party has no influence on the key.

Exponential key exchange

The first publicly known^[6] public-key agreement protocol that meets the above criteria was the Diffie–Hellman key exchange, in which two parties jointly exponentiate a generator with random numbers, in such a way that an eavesdropper cannot feasibly determine what the resultant value used to produce a shared key is.

Exponential key exchange in and of itself does not specify any prior agreement or subsequent authentication between the participants. It has thus been described as an anonymous key agreement protocol.

Symmetric Key Agreement

Symmetric Key Agreement (SKA) is a method of key-agreement that uses solely symmetric cryptography and cryptographic hash functions as cryptographic primitives. It is related to Symmetric Authenticated Key Exchange ^[7].

SKA may assume the use of initial shared secrets ^[7] or a trusted third party with whom the agreeing parties share a secret is assumed^[8]. If no third party is present, then achieving SKA can be trivial: we assume that two parties share an initial secret and have tautologically achieved SKA.

SKA contrasts with key-agreement protocols that include techniques from asymmetric cryptography. For example, key encapsulation mechanisms.

The initial exchange of a shared key must be done in a manner that is private and integrity-assured. Historically, this was achieved by physical means, such as by using a trusted courier.

An example of a SKA protocol is the Needham-Schroeder Symmetric Key Protocol. It establishes a session key between two parties on the same network, using a server as a trusted third party. The original Needham-Schroeder protocol is vulnerable to a replay attack. Timestamps and nonces are included to fix this attack. It forms the basis for the Kerberos protocol.

Types of Secret Key Agreement

Boyd et al.^[9] classify two-party key agreement protocols according to two criteria as follows:

whether a pre-shared key already exists or not
the method of generating the session key.

The pre-shared key may be shared between the two parties, or each party may share a key with a trusted third party. If there is no secure channel (as may be established via a pre-shared key), it is impossible to create an authenticated session key^[10].

The session key may be generated via: key transport, key agreement and hybrid. If there is no trusted third party, then the cases of key transport and hybrid session key generation are indistinguishable. SKA is concerned with protocols in which the session key is established using only symmetric primitives.

Authentication

Anonymous key exchange, like Diffie–Hellman, does not provide authentication of the parties, and is thus vulnerable to man-in-the-middle attacks.

A wide variety of cryptographic authentication schemes and protocols have been developed to provide authenticated key agreement to prevent man-in-the-middle and related attacks. These methods generally mathematically bind the agreed key to other agreed-upon data, such as the following:

Public/private key pairs
Shared secret keys
Passwords

Public keys

A widely used mechanism for defeating such attacks is the use of digitally signed keys that must be integrity-assured: if Bob's key is signed by a trusted third party vouching for his identity, Alice can have considerable confidence that a signed key she receives is not an attempt to intercept by Eve. When Alice and Bob have a public-key infrastructure, they may digitally sign an agreed Diffie–Hellman key, or exchanged Diffie–Hellman public keys. Such signed keys, sometimes signed by a certificate authority, are one of the primary mechanisms used for secure web traffic (including HTTPS, SSL or Transport Layer Security protocols). Other specific examples are MQV, YAK and the ISAKMP component of the IPsec protocol suite for securing Internet Protocol communications. However, these systems require care in endorsing the match between identity information and public keys by certificate authorities in order to work properly.

Hybrid systems

Hybrid systems use public-key cryptography to exchange secret keys, which are then used in a symmetric-key cryptography systems. Most practical applications of cryptography use a combination of cryptographic functions to implement an overall system that provides all of the four desirable features of secure communications (confidentiality, integrity, authentication, and non-repudiation).

Passwords

Password-authenticated key agreement protocols require the separate establishment of a password (which may be smaller than a key) in a manner that is both private and integrity-assured. These are designed to resist man-in-the-middle and other active attacks on the password and the established keys. For example, DH-EKE, SPEKE, and SRP are password-authenticated variations of Diffie–Hellman.

Other tricks

If one has an integrity-assured way to verify a shared key over a public channel, one may engage in a Diffie–Hellman key exchange to derive a short-term shared key, and then subsequently authenticate that the keys match. One way is to use a voice-authenticated read-out of the key, as in PGPfone. Voice authentication, however, presumes that it is infeasible for a man-in-the-middle to spoof one participant's voice to the other in real-time, which may be an undesirable assumption. Such protocols may be designed to work with even a small public value, such as a password. Variations on this theme have been proposed for Bluetooth pairing protocols.

In an attempt to avoid using any additional out-of-band authentication factors, Davies and Price proposed the use of the interlock protocol of Ron Rivest and Adi Shamir, which has been subject to both attack and subsequent refinement.

Related Research Articles

<span class="mw-page-title-main">Diffie–Hellman key exchange</span> Method of exchanging cryptographic keys

Diffie–Hellman (DH) key exchange is a mathematical method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as conceived by Ralph Merkle and named after Whitfield Diffie and Martin Hellman. DH is one of the earliest practical examples of public key exchange implemented within the field of cryptography. Published in 1976 by Diffie and Hellman, this is the earliest publicly known work that proposed the idea of a private key and a corresponding public key.

<span class="mw-page-title-main">Public-key cryptography</span> Cryptographic system with public and private keys

Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic algorithms based on mathematical problems termed one-way functions. Security of public-key cryptography depends on keeping the private key secret; the public key can be openly distributed without compromising security.

A key in cryptography is a piece of information, usually a string of numbers or letters that are stored in a file, which, when processed through a cryptographic algorithm, can encode or decode cryptographic data. Based on the used method, the key can be different sizes and varieties, but in all cases, the strength of the encryption relies on the security of the key being maintained. A key's security strength is dependent on its algorithm, the size of the key, the generation of the key, and the process of key exchange.

Key/Config-authentication is used to solve the problem of authenticating the keys of a person that some other person is talking to or trying to talk to. In other words, it is the process of assuring that the key of "person A", held by "person B", does in fact belong to "person A" and vice versa.

Key exchange is a method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm.

A cryptographic protocol is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods, often as sequences of cryptographic primitives. A protocol describes how the algorithms should be used and includes details about data structures and representations, at which point it can be used to implement multiple, interoperable versions of a program.

The Secure Remote Password protocol (SRP) is an augmented password-authenticated key exchange (PAKE) protocol, specifically designed to work around existing patents.

Encrypted Key Exchange is a family of password-authenticated key agreement methods described by Steven M. Bellovin and Michael Merritt. Although several of the forms of EKE in this paper were later found to be flawed, the surviving, refined, and enhanced forms of EKE effectively make this the first method to amplify a shared password into a shared key, where the shared key may subsequently be used to provide a zero-knowledge password proof or other functions.

In cryptography, a password-authenticated key agreement (PAK) method is an interactive method for two or more parties to establish cryptographic keys based on one or more party's knowledge of a password.

In cryptography, the interlock protocol, as described by Ron Rivest and Adi Shamir, is a protocol designed to frustrate eavesdropper attack against two parties that use an anonymous key exchange protocol to secure their conversation. A further paper proposed using it as an authentication protocol, which was subsequently broken.

SPEKE is a cryptographic method for password-authenticated key agreement.

In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key-agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised, limiting damage. For HTTPS, the long-term secret is typically the private key of the server. Forward secrecy protects past sessions against future compromises of keys or passwords. By generating a unique session key for every session a user initiates, the compromise of a single session key will not affect any data other than that exchanged in the specific session protected by that particular key. This by itself is not sufficient for forward secrecy which additionally requires that a long-term secret compromise does not affect the security of past session keys.

In public-key cryptography, the Station-to-Station (STS) protocol is a cryptographic key agreement scheme. The protocol is based on classic Diffie–Hellman, and provides mutual key and entity authentication. Unlike the classic Diffie–Hellman, which is not secure against a man-in-the-middle attack, this protocol assumes that the parties have signature keys, which are used to sign messages, thereby providing security against man-in-the-middle attacks.

Elliptic-curve Diffie–Hellman (ECDH) is a key agreement protocol that allows two parties, each having an elliptic-curve public–private key pair, to establish a shared secret over an insecure channel. This shared secret may be directly used as a key, or to derive another key. The key, or the derived key, can then be used to encrypt subsequent communications using a symmetric-key cipher. It is a variant of the Diffie–Hellman protocol using elliptic-curve cryptography.

Multimedia Internet KEYing (MIKEY) is a key management protocol that is intended for use with real-time applications. It can specifically be used to set up encryption keys for multimedia sessions that are secured using SRTP, the security protocol commonly used for securing real-time communications such as VoIP.

ZRTP is a cryptographic key-agreement protocol to negotiate the keys for encryption between two end points in a Voice over IP (VoIP) phone telephony call based on the Real-time Transport Protocol. It uses Diffie–Hellman key exchange and the Secure Real-time Transport Protocol (SRTP) for encryption. ZRTP was developed by Phil Zimmermann, with help from Bryce Wilcox-O'Hearn, Colin Plumb, Jon Callas and Alan Johnston and was submitted to the Internet Engineering Task Force (IETF) by Zimmermann, Callas and Johnston on March 5, 2006 and published on April 11, 2011 as RFC 6189.

In cryptography, a shared secret is a piece of data, known only to the parties involved, in a secure communication. This usually refers to the key of a symmetric cryptosystem. The shared secret can be a PIN code, a password, a passphrase, a big number, or an array of randomly chosen bytes.

Transport Layer Security pre-shared key ciphersuites (TLS-PSK) is a set of cryptographic protocols that provide secure communication based on pre-shared keys (PSKs). These pre-shared keys are symmetric keys shared in advance among the communicating parties.

<span class="mw-page-title-main">X.1035</span> ITU-T recommendation

ITU-T Recommendation X.1035 specifies a password-authenticated key agreement protocol that ensures mutual authentication of two parties by using a Diffie–Hellman key exchange to establish a symmetric cryptographic key. The use of Diffie-Hellman exchange ensures perfect forward secrecy—a property of a key establishment protocol that guarantees that compromise of a session key or long-term private key after a given session does not cause the compromise of any earlier session.

In cryptography, Simultaneous Authentication of Equals (SAE) is a password-based authentication and password-authenticated key agreement method.

References

↑ Menezes, A.; Oorschot, P. van; Vanstone, S. (1997). Handbook of Applied Cryptography (5th ed.). CRC Press. ISBN 0-8493-8523-7.
1 2 Canetti, Ran; Krawczyk, Hugo (6 May 2001). "Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels". Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology. Springer-Verlag: 453–474. ISBN 978-3-540-42070-5.
↑ Bellare, Mihir; Canetti, Ran; Krawczyk, Hugo (23 May 1998). "A modular approach to the design and analysis of authentication and key exchange protocols (Extended abstract)". Proceedings of the thirtieth annual ACM symposium on Theory of computing - STOC '98. Association for Computing Machinery. pp. 419–428. doi:10.1145/276698.276854. ISBN 0-89791-962-9.
↑ Gollmann, D. (6 May 1996). "What do we mean by entity authentication?". Proceedings 1996 IEEE Symposium on Security and Privacy. IEEE Computer Society. pp. 46–54. doi:10.1109/SECPRI.1996.502668. ISBN 978-0-8186-7417-4.
↑ Katz, Jonathan; Lindell, Yehuda (2021). Introduction to modern cryptography (Third ed.). Boca Raton London New York: CRC Press Taylor & Francis Group. p. 49. ISBN 978-0815354369.
1 2 See Diffie–Hellman key exchange for a more complete history of both the secret and public development of public-key cryptography.
1 2 Boyd, Colin; Davies, Gareth T.; de Kock, Bor; Gellert, Kai; Jager, Tibor; Millerjord, Lise (2021). "Symmetric Key Exchange with Full Forward Security and Robust Synchronization". Advances in Cryptology – ASIACRYPT 2021. Lecture Notes in Computer Science. Vol. 13093. Springer International Publishing. pp. 681–710. doi:10.1007/978-3-030-92068-5_23. hdl:11250/2989781. ISBN 978-3-030-92067-8.
↑ Pagnia, Henning; Gaertner, Felix (1999). "On the impossibility of fair exchange without a trusted third party". Echnical Report TUD-BS-1999-02: 1–15.
↑ Boyd, Colin; Mathuria, Anish; Stebila, Douglas (2020). Protocols for Authentication and Key Establishment. Information Security and Cryptography. doi:10.1007/978-3-662-58146-9. ISBN 978-3-662-58145-2.
↑ Boyd, C. (June 1993). "Security architectures using formal methods" (PDF). IEEE Journal on Selected Areas in Communications. 11 (5): 694–701. doi:10.1109/49.223872.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Menezes, A.; Oorschot, P. van; Vanstone, S. (1997). Handbook of Applied Cryptography (5th ed.). CRC Press. ISBN 0-8493-8523-7.

[Canetti2001-2] 1 2 Canetti, Ran; Krawczyk, Hugo (6 May 2001). "Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels". Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology. Springer-Verlag: 453–474. ISBN 978-3-540-42070-5.

[3] Bellare, Mihir; Canetti, Ran; Krawczyk, Hugo (23 May 1998). "A modular approach to the design and analysis of authentication and key exchange protocols (Extended abstract)". Proceedings of the thirtieth annual ACM symposium on Theory of computing - STOC '98. Association for Computing Machinery. pp. 419–428. doi:10.1145/276698.276854. ISBN 0-89791-962-9.

[4] Gollmann, D. (6 May 1996). "What do we mean by entity authentication?". Proceedings 1996 IEEE Symposium on Security and Privacy. IEEE Computer Society. pp. 46–54. doi:10.1109/SECPRI.1996.502668. ISBN 978-0-8186-7417-4.

[5] Katz, Jonathan; Lindell, Yehuda (2021). Introduction to modern cryptography (Third ed.). Boca Raton London New York: CRC Press Taylor & Francis Group. p. 49. ISBN 978-0815354369.

[:0-6] 1 2 See Diffie–Hellman key exchange for a more complete history of both the secret and public development of public-key cryptography.

[Boyd2021-7] 1 2 Boyd, Colin; Davies, Gareth T.; de Kock, Bor; Gellert, Kai; Jager, Tibor; Millerjord, Lise (2021). "Symmetric Key Exchange with Full Forward Security and Robust Synchronization". Advances in Cryptology – ASIACRYPT 2021. Lecture Notes in Computer Science. Vol. 13093. Springer International Publishing. pp. 681–710. doi:10.1007/978-3-030-92068-5_23. hdl:11250/2989781. ISBN 978-3-030-92067-8.

[8] Pagnia, Henning; Gaertner, Felix (1999). "On the impossibility of fair exchange without a trusted third party". Echnical Report TUD-BS-1999-02: 1–15.

[Boyd2020-9] Boyd, Colin; Mathuria, Anish; Stebila, Douglas (2020). Protocols for Authentication and Key Establishment. Information Security and Cryptography. doi:10.1007/978-3-662-58146-9. ISBN 978-3-662-58145-2.

[10] Boyd, C. (June 1993). "Security architectures using formal methods" (PDF). IEEE Journal on Selected Areas in Communications. 11 (5): 694–701. doi:10.1109/49.223872.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]