Revision and Enhancement of Two Three Party Key Agreement Protocols Vulnerable to KCI Attacks

In two recent papers, Zuowen Tan (Security and Communication Networks) and Chih-ho Chou et al. (Computers and Electronics) published three party key agreement protocols especially convenient for protecting communications in mobile-centric environments such as e-payments, vehicular mobile networks (VMN), RFID applications, etc. For his protocol, Tan provides a formal security proof developed in a model of distributed computing based on the seminal work of Bellare and Rogaway. In this paper, we show that both protocols are vulnerable to KCI attacks. We suggest modiﬁcations to both protocols that ﬁx the vulnerability at the expense of a small decrease in their computational eﬃciency.


Introduction
In two recent papers, Tan [2] and Chou et al. [5] present three party key agreement protocols especially convenient for protecting communications in mobilecentric environments such as e-payments, vehicular mobile networks (VMN), RFID applications, etc.
For his protocol, Tan provides a formal security proof in a model of distributed computing based on the work of Bellare and Rogaway [6,20] and Abdalla et al. [1].
Unfortunately, both protocols are vulnerable to a particular man-in-the-middle attack known as Key Compromise Impersonation (KCI) [12,15]. In such attacks, an adversary that has obtained the private key of party A can impersonate a legitimate peer B; if the attack is successful A will share a session key with the adversary (instead of B). This is a subtle attack that can have drastic consequences since the adversary may obtain personal information from A such as secret keying material (e.g. passwords) or private data (e.g. credit card numbers). With three party protocols the adversary may impersonate a peer (A or B) or the trusted third party (S).
In this paper, we describe successful KCI attacks against the aforementioned protocols and also suggest modifications to fix the vulnerabilities at the expense of a small decrease in their computational efficiency.
The rest of the paper is organized as follows. We describe KCI attacks against the protocols of TAN and CHOU et al. respectively in Sections 2 and 3. In Section 4, we suggest modifications to the above protocols in order to prevent those attacks. Finally, Section 5 contains our concluding remarks.

A KCI attack against Tan's protocol
In this section we review Tan's three-party key agreement protocol and describe how a successful KCI attack can be conducted by an adversary that has compromised the private keying material of an honest party.

Review of the protocol specification
The protocol consists of an initialization phase (wherein A and B register with the trusted server S and obtain an d A = H(ID A ∥x) and d B = H(ID B ∥x) respectively, where x ∈ F q is the master key held by S) and the subsequent authenticated key agreement phase ( Figure 1). System parameters are defined by the following tuple: were (i) p, n are prime numbers; (ii) E(F p ) is an elliptic curve defined by the equation World Journal of Computer Application and Technology 2(2): 48-51, 2014 49 (iii) master key x ∈ R Z * n , the later is the set of residues modulo n; (iv) group G and point P with order n over E(F p ); (v) symmetric encryption/decryption algorithms E k (·), D k (·); (vi) hash function h(·).

Description of the KCI attack scenario
Below we provide a detailed description of a successful KCI attack against Tan's protocol: 1 ) and sends {ID A , request} and {ID A , ID B , e 2 } to B and S respectively to initiate a protocol instance with B;

A KCI attack against Chou et al.'s protocol
In this section we review Chou et al.'s three-party key agreement protocol and describe how a successful KCI attack can be conducted by an adversary.

Review of the protocol specification
This protocol also comprises an initialization phase (wherein users A and B register with the trusted server S and obtain Y A = sk A P K S and Y B = sk B P K S ) and an authenticated key agreement phase ( Figure 2). System parameters are defined by the following tuple: were each parameter is defined as in Section 2.
4. on receipt of C SA , A follows the protocol specification (R A , T S will pass the verification step) and terminates with the session key sk = r

A can establish a communication session with
and thus is easily computed by the adversary.

Revisiting the protocols to eliminate the vulnerability to KCI attacks
In this section we illustrate modifications to the protocols of Tan and Chou et al. that do not allow a malicious party to perform successfull KCI attacks.

A KCI-resilient version of Tan's protocol
It is interesting to notice that Tan's protocol cannot withstand KCI attacks despite the fact that a formal security proof was provided by the author (see Theorems 1, 2 in [2]). The arguments used by the author to support the proof of KCI-resilience (Theorem 2) require that the adversary must be able to forge the transcript e 4 ; however, this assumption misses the point since the adversary does not need to faithfully reproduce the protocol actions of B but must simply generate message transcripts (in this particular case, a Diffie-Hellman ephemeral key R 2 = cP ) that are indistinguishable (for A) from the real ones. In general, for the sake of protocol security analysis one assumes that a man-in-the-middle attacker has total control over the network (i.e. she can insert, delete, modify messages flowing across the network) and is allowed to achieve her goals by arbitrarily diverging from the protocol specification.
To prevent the attack Tan's protocol can be modified as follows: the trusted third party S shall generate keys for each peer D A = d A P, D B = d B P (eventually during the initialization stage) and compute e = With the preceding modifications, Tan's key exchange can now withstand KCI attacks. Indeed, the session key is computed using the method introduced in the MTI/A0 [9] protocol, which is immune from KCI attacks; the adversary must now obtain both the private key d A and the random nonce a to compute the session key of A. A significant difference with the MTI protocol is due to the fact that the keys D A , D B do not necessarily have to be pre-distributed to A, B respectively and therefore do not require public key certificates.
The revised protocol enjoys KCI attack resilience at the expense of an increased computational workload with respect to the original version. In particular, the trusted first party S must now compute two additional scalar multiplications to generate the keys D A , D B . However, for reasons of efficiency the computation can be performed prior to online executions of the protocol. Each peer A, B is required to compute an additional scalar multiplication (aD B , bD A ) at runtime to compute the session key.

A KCI-resilient version of Chou et al.'s protocol
It is worth mentioning that the procotol of Chou et al. is actually a revised version of a flawed protocol previously proposed by Zuowen Tan [3] which was yet another version of the protocol originally published by Yang and Chang [4] (the later also contained a vulnerability to impersonation attacks).
Chou et al.'s protocol can withstand KCI attacks with the following modifications. The trusted third party ID S , T S ) and sends these transcripts to A, B respectively; with respect to the original specification the terms Y B , Y A are included in C SA , C SB respectively. On receipt of C SA , A computes the session key sk = h(r A Y B ∥sk A KB) (similarly for B) where h is an appropriate hash function.
The revised protocol (similarly to Tan's protocol) enjoys KCI attack resilience at the expense of a slightly increased computational workload with respect to the original version. In this case, each peer A, B needs an additional scalar multiplication (r A Y B , r B Y A , ID A , ID B ) at runtime to compute the session key.

Concluding remarks
We have shown that the three party key agreement protocols recently published in the literature by Tan [2] and Chou et al. [5] are not resilient to KCI attacks although their authors claim the contrary.
Designing secure key agreement protocols is far from being a simple task, such protocols involve so many details and complicated interactions between different cryptographic primitives that it is nearly impossible to establish beyond doubt that they are infallible. Indeed, in the history of this subject there is an abundance of protocols that were more or less trivially broken regardless of whether formal or heuristic arguments were provided to support security claims.
One of the main problems with formal security proofs is that few people are capable of verifying them because the maths can be quite sophisticated and may be therefore difficult to understand for the average practitioner.
In the last two decades many formal security models have been proposed (which often differ by a few details) but it still is not quite clear how to "transfer" a security property proved in one model to a different model and to the real world (Choo et al. [14] have examined this issue). Furthermore, provable security of cryptographic primitives is largely based on the use of computational assumptions, these have proliferated in the last decade [16] making it difficult to differentiate between their relative strengths (an interesting classification was proposed by Naor [17]. It is also important to analyse the security of cryptographic protocols not only from an theoretical point of view (e.g. adversary interacts with parties in a black-box mode) but in more realistic models wherein an opponent may physically attack an honest peer (e.g. tampering with devices [18]). In any case, the publication of protocol specifications in specialised literature and conferences is of fundamental importance since the peer review process and the subsequent period of public scrutiny can increase the confidence in the security of the protocol either because vulnerabilities are not discovered or if there are proposals to fix them will be immediately published.
A topic for future research is the development of a concrete implementation of the protocols discussed in this paper to evaluate real world security issues and efficiency. In particular, we plan to develop an implementation with the Java Cryptography Architecture framework [19] which uses a "'provider"'-based approach and contains a set of APIs for various purposes (e.g. encryption, key generation and management, secure random number generation, certificate validation, etc).