Cryptography Reference
- Passive adversary (also called “benign” in [36]). This attacker obtains all messages sent
  during executions of the key exchange protocol, but does not modify or delete any
  messages. This attacker is also called an eavesdropper.
- Weak active adversary (see footnote 3). This attacker obtains all messages sent during
  executions of the key exchange protocol and can modify or delete messages. This attacker
  can also initiate protocol executions with any player.
- Active adversary. This is as above, but the attacker is allowed to corrupt any honest player
  who has completed an execution of the protocol and thus obtain the agreed key.
There are two possible goals of an adversary:
- To obtain the shared session key.
- To distinguish the session key from a random key. To make this notion more precise,
  consider a game between an adversary and a challenger. The challenger performs one
  or more executions of the key exchange protocol and obtains a key $K$. The challenger
  also chooses uniformly at random a key $K'$ from the space of possible session keys. The
  challenger gives the adversary either $K$ or $K'$ (each with probability 1/2). The adversary
  has to decide whether the received key is $K$ or not. This is called real or random security.
The Diffie-Hellman key exchange protocol is vulnerable to a person-in-the-middle
attack. Unlike similar attacks on public key encryption, the attacker in this case does not
need to replace any users' public keys.
Imagine that an adversary Eve can intercept all communication between Alice and Bob.
When Alice sends $c_1 = g^a$ to Bob, Eve stores $c_1$ and sends $g^e$ to Bob, for some random
integer $e$ known to Eve. Similarly, when Bob sends $c_2 = g^b$ to Alice, Eve stores $c_2$ and
sends $g^e$ to Alice. Alice computes the key $g^{ae}$ and Bob computes the key $g^{be}$. Eve can
compute both keys. If Alice later sends an encrypted message to Bob using the key $g^{ae}$, then
Eve can decrypt it, read it, re-encrypt it using the key $g^{be}$ and forward it to Bob. Hence, Alice
and Bob might never learn that their security has been compromised.
One way to overcome person-in-the-middle attacks is for Alice to send a digital signature
on her value $g^a$ (and similarly for Bob). As long as Alice and Bob each hold authentic
copies of the other's public keys then this attack fails. Note that this solution does not
prevent all attacks on the Diffie-Hellman key exchange protocol.
Another solution is given by authenticated key exchange protocols such as STS, KEA,
MTI, MQV, etc. (see Chapter 11 of Stinson [532] and the references listed earlier).
We illustrate the basic idea behind most protocols of this type using the MTI/A0
protocol: Alice and Bob have public keys $h_A = g^a$ and $h_B = g^b$. We assume that Alice
and Bob have authentic copies of each other's public keys. They perform Diffie-Hellman
key exchange in the usual way (Alice sends $g^x$ and Bob sends $g^y$). Then the value agreed
by both players is $g^{ay + bx}$.
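The following is an added example, not code from the book: it runs the substitution of $g^e$ described above against plain Diffie-Hellman and against MTI/A0, and shows that in the MTI/A0 case the key Alice derives still contains the factor $g^{bx}$, which Eve cannot form from $e$, $h_B$ and $g^x$ without solving a Diffie-Hellman problem. The function names and the toy modulus are assumptions made for the illustration.

```python
import secrets

# Toy parameters constructed for this example: a Mersenne prime modulus and base 3.
# Not a vetted Diffie-Hellman group; real deployments use standardized groups.
P, G = 2**127 - 1, 3

def plain_dh_mitm(a, b, e, p=P, g=G):
    """Unauthenticated DH where Eve swaps both messages for g^e, as in the text."""
    c1, c2, ge = pow(g, a, p), pow(g, b, p), pow(g, e, p)
    alice_key, bob_key = pow(ge, a, p), pow(ge, b, p)
    eve_keys = (pow(c1, e, p), pow(c2, e, p))  # Eve knows e and stored c1, c2
    return alice_key, bob_key, eve_keys

def mti_a0(a, b, x, y, e=None, p=P, g=G):
    """MTI/A0: long-term secrets a, b; ephemeral secrets x, y.
    If e is set, Eve swaps both ephemeral messages for g^e."""
    h_a, h_b = pow(g, a, p), pow(g, b, p)  # authentic public keys
    to_bob = pow(g, x, p) if e is None else pow(g, e, p)
    to_alice = pow(g, y, p) if e is None else pow(g, e, p)
    alice_key = pow(h_b, x, p) * pow(to_alice, a, p) % p  # g^(bx) * (received)^a
    bob_key = pow(h_a, y, p) * pow(to_bob, b, p) % p      # g^(ay) * (received)^b
    return alice_key, bob_key

def eve_missing_factor(alice_key, a_pub, e, p=P):
    """Divide out the part of Alice's tampered key that Eve can compute, h_A^e.
    What remains is the factor Eve would still have to find."""
    known = pow(a_pub, e, p)
    return alice_key * pow(known, -1, p) % p

if __name__ == "__main__":
    a, b, x, y, e = (secrets.randbelow(P - 2) + 1 for _ in range(5))
    ka, kb, eve = plain_dh_mitm(a, b, e)
    print("plain DH, Eve holds both keys:", eve == (ka, kb))
    ka, kb = mti_a0(a, b, x, y)
    print("MTI/A0 honest run, keys agree:", ka == kb)
    ka, kb = mti_a0(a, b, x, y, e)
    rest = eve_missing_factor(ka, pow(G, a, P), e)
    # The remainder is g^(bx): the Diffie-Hellman value of h_B and g^x.
    print("missing factor is g^(bx):", rest == pow(G, b * x, P))
```

Under the substitution, Alice and Bob also end up with different values, so the tampering surfaces as a key mismatch instead of a silently shared key with Eve.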
Footnote 3: This use of the word “weak” is non-standard.