Bridging Theory and Practice in Key Exchange Protocols
Lead Research Organisation:
Newcastle University
Department Name: Computing Sciences
Abstract
Key exchange protocols address a crucial problem in security: how to securely distribute cryptographic keys to remote users. Since the seminal paper by Diffie and Hellman in 1976, this subject has been extensively studied for over thirty years.
Yet, designing a secure key exchange protocol is notoriously difficult. Many proposed schemes have been found with security flaws, including those specified in the international standards. Heuristic designs based on ad-hoc arguments rather than rigorous security proofs are commonly seen as bad practice. However, several "provably secure" key exchange protocols also turn out to be insecure.
So far, almost all key exchange protocols in the past have sidestepped an important engineering principle, namely the sixth principle -- i.e., "Do not assume that a message you receive has a particular form unless you can check this" (Anderson & Needham, 1995).
The importance of the sixth principle has been widely acknowledged by the security community for many years, but in reality, key exchange protocol designers have generally abandoned this prudent principle on the grounds of efficiency -- following the sixth principle would require using Zero Knowledge Proof (ZKP), which is considered too computationally expensive. However, discarding ZKP has the serious consequence of degrading the security, as evident by many reported attacks in the past. All these indicate a gap in the field.
In the project, we propose to bridge the gap by combing the sixth principle and the Public Key Juggling (PKJ) technique. The PKJ technique has proved useful in tacking several important security problems in the past. It can be integrated with the sixth principle in a perfect match: the former serves to optimize the protocol efficiency while the latter underpins the protocol robustness.
In the proposed research, we will apply the sixth principle and the juggling technique to design new key exchange protocols that are robust and efficient. We will develop new formal models to capture the sixth principle, which has been largely neglected by existing model specifications. Finally, we will aim to promote robust and efficient key exchange protocols to the international standards. In particular, our J-PAKE key exchange protocol has stood years of cryptanalysis and has been deployed in practical applications. Its standardization is a natural step forward and will benefit the security industry in general.
Yet, designing a secure key exchange protocol is notoriously difficult. Many proposed schemes have been found with security flaws, including those specified in the international standards. Heuristic designs based on ad-hoc arguments rather than rigorous security proofs are commonly seen as bad practice. However, several "provably secure" key exchange protocols also turn out to be insecure.
So far, almost all key exchange protocols in the past have sidestepped an important engineering principle, namely the sixth principle -- i.e., "Do not assume that a message you receive has a particular form unless you can check this" (Anderson & Needham, 1995).
The importance of the sixth principle has been widely acknowledged by the security community for many years, but in reality, key exchange protocol designers have generally abandoned this prudent principle on the grounds of efficiency -- following the sixth principle would require using Zero Knowledge Proof (ZKP), which is considered too computationally expensive. However, discarding ZKP has the serious consequence of degrading the security, as evident by many reported attacks in the past. All these indicate a gap in the field.
In the project, we propose to bridge the gap by combing the sixth principle and the Public Key Juggling (PKJ) technique. The PKJ technique has proved useful in tacking several important security problems in the past. It can be integrated with the sixth principle in a perfect match: the former serves to optimize the protocol efficiency while the latter underpins the protocol robustness.
In the proposed research, we will apply the sixth principle and the juggling technique to design new key exchange protocols that are robust and efficient. We will develop new formal models to capture the sixth principle, which has been largely neglected by existing model specifications. Finally, we will aim to promote robust and efficient key exchange protocols to the international standards. In particular, our J-PAKE key exchange protocol has stood years of cryptanalysis and has been deployed in practical applications. Its standardization is a natural step forward and will benefit the security industry in general.
Planned Impact
Besides the academic impact, the project can also have a significant impact on society and industry. The following are the potential beneficiaries.
1. Security industry;
2. End users of security systems;
3. Open source developers.
First, the security industry will likely benefit most from our work. At the moment, there is an acute lack of standard Password Authenticated Key Exchange (PAKE) protocol that is robust, efficient and free. The proposed standardization of the J-PAKE algorithm in this project will benefit the security industry in general.
Second, end users will benefit from more robust key exchange protocols in protecting their secret data. This can be especially evident in life-critical scenarios such as military personnel at the battle field using key exchange protocols to establish the secure communication between each other.
Third, open source developers will benefit from our developing new key exchange protocols and prototypes. In the past, we have contributed to the open source development by providing free prototypes of the invented protocols. In the future research, we plan to do the same.
1. Security industry;
2. End users of security systems;
3. Open source developers.
First, the security industry will likely benefit most from our work. At the moment, there is an acute lack of standard Password Authenticated Key Exchange (PAKE) protocol that is robust, efficient and free. The proposed standardization of the J-PAKE algorithm in this project will benefit the security industry in general.
Second, end users will benefit from more robust key exchange protocols in protecting their secret data. This can be especially evident in life-critical scenarios such as military personnel at the battle field using key exchange protocols to establish the secure communication between each other.
Third, open source developers will benefit from our developing new key exchange protocols and prototypes. In the past, we have contributed to the open source development by providing free prototypes of the invented protocols. In the future research, we plan to do the same.
People |
ORCID iD |
Feng Hao (Principal Investigator) |
Publications
Clarke D
(2014)
Cryptanalysis of the Dragonfly key exchange protocol
in IET Information Security
Hao F
(2016)
Deleting Secret Data with Public Verifiability
in IEEE Transactions on Dependable and Secure Computing
Hao F
(2014)
On robust key agreement based on public key authentication On robust key agreement based on public key authentication
in Security and Communication Networks
Hao F
(2015)
The Fairy-Ring Dance
McCorry P
(2015)
Security Standardisation Research
Description | 1. We have found that existing formal models in key exchange have several deficiencies. In particular, the incompatibility with the use of non-interactive zero-knowledge proofs is one key reason why ZKP was not used in previous key exchange protocols despite the importance of ZKP in general two/multi-party secure computation protocols. In the area of PAKE, this issue is addressed by Abdalla et al in IEEE S&P 2015, who proposed a new formal model for PAKE, and they applied the new model to prove security of J-PAKE. 2. We have found two security flaws of SPEKE, a password authenticated key exchange protocol that has been used in the Blackberry secure messaging application and standardised in ISO/IEC 11770-4. The issues identified have been acknowledged by the technical committee of ISO/IEC SC 27. Accordingly, we proposed countermeasures, which have been incorporated into the last ISO/IEC 11770-4:2017 revision. 3. We have found that there is a strong demand for PAKE in the field of IoT as the public key infrastructure is not feasible for IoT. With the support from this grant, we have got J-PAKE standardised in ISO/IEC 11770-4 and IETF RFC. The standardisation of J-PAKE has encouraged the industrial adoption of J-PAKE in browser sync and IoT applications as evident in its wide usage in real-world commercial products. |
Exploitation Route | 1. The issues that we highlight in formal modelling of key exchange have been acknowledged by the community. Researchers start to accept the importance of using zero-knowledge proofs in key exchange protocols. In particular, Abdalla et al modified one mainstream model for PAKE and applied the modified model to prove security of J-PAKE. We expect other researchers will follow this line of research and apply the results to other types of key exchange protocols such as PKI-based authenticated key exchange. 2. The revised SPEKE addresses the weaknesses that we identified in the project. We expect the revised SPEKE will be built into real-world products as it's been standardised in the latest revision of ISO/IEC 11770-4 in 2017. 3. With the standardisation of J-PAKE in the SO/IEC standard and IETF RFC, we expect it to be more widely used in IoT applications. |
Sectors | Aerospace Defence and Marine Digital/Communication/Information Technologies (including Software) Security and Diplomacy Transport |
Description | The Bouncycastle library is a widely distributed and adopted software package for implementing cryptographic functions in Java and C# programs. As of Feb, 2013, J-PAKE, which is a password-based key exchange protocol developed by the holder of this grant and his colleague, had been included into the new release of the Bouncycastle library (version 1.48). This inclusion is fairly recent, but the impact will likely become significant since Bouncycastle has been so widely used and that the use of J-PAKE to build secure communication is so foundational for many applications. In 2015, J-PAKE was adopted by Thread (an industrial working group including Google Nest, Samsung, ARM, Freescale, Silicon Labs, Big Ass Fans and Yale) as one of the standard key agreement methods for IoT applications. In 2017, J-PAKE has been formally published as an international standard in ISO/IEC 111770-4, and also as an RFC in IETF. As of Jan 2019, J-PAKE has been integrated into a range of widely used IoT products, including Google Nest, ARM mbed, NXP IoT gateway etc. |
Sector | Aerospace, Defence and Marine,Digital/Communication/Information Technologies (including Software),Security and Diplomacy |
Impact Types | Societal Economic |
Description | Collaboration with HP on key exchange research and ISO/IEC standardization |
Organisation | Hewlett Packard Ltd |
Department | Hewlett Packard Laboratories, Bristol |
Country | United Kingdom |
Sector | Private |
PI Contribution | Supported by the EPSRC First Grant on key exchange protocols, we started collaborating with Dr Liqun Chen from HP Labs, UK on key exchange research. We designed two group key exchange protocols and managed to get J-PAKE (which was designed by the PI and his colleague in 2008) adopted by the ISO/IEC 11770-4 standard. |
Collaborator Contribution | Dr Liqun Chen from HP Labs has extensive experience and knowledge about the standardization of key exchange protocols in the ISO/IEC standards. Her contribution is vital for the inclusion of J-PAKE into ISO/IEC 11770-4. |
Impact | 1. A joint paper involving the PI and Liquen Chen and other colleagues. The paper is currently under review Feng Hao, Xun Yi, Liqun Chen, Siamak Shahandashti, "The Fairy-Ring Dance: Password Authenticated Key Exchange in a Group," under review, 2014. 2. A working draft of including J-PAKE into ISO/IEC 11770-4. This is an ongoing work with the PI being the editor (with assistance from Liqun Chen who is Chair of ISO/IEC SC 27 Technical Committee) |
Start Year | 2014 |
Description | Collaboration with RMIT and Purdue University on key exchange research |
Organisation | Purdue University |
Country | United States |
Sector | Academic/University |
PI Contribution | Supported by the EPSRC First Grant on key exchange protocols, we started research collaboration with Prof Xun Yi from RMIT, Australia and Prof Elisa Bertino from Purdue University, USA, on key exchange. We provided our expertise on key exchange protocols into the joint design of a new Identity-based key exchange protocol that was accepted and published by a major conference in the field (ESORICS'14). |
Collaborator Contribution | Prof Xun Yi and Prof Elisa Bertino are experts on identity-based cryptography. The joint collaboration nicely combines the key exchange expertise from Newcastle University and the expertise in identity-based cryptography from RMIT and Purdue University. |
Impact | 1) A joint paper with names of three of us: Xun Yi, Feng Hao, Elisa Bertino, "ID-Based Two-Server Password-Authenticated Key Exchange," Proceedings of European Symposium on Research in Computer Security (ESORICS), LNCS 8713, pp. 257-276, 2014. 2) a special issue for the Journal of Information Security and Applications with three of us being editors (on-going, expected to be published in 2015) http://www.journals.elsevier.com/journal-of-information-security-and-applications/call-for-papers/special-issues-on-security-and-privacy-in-cloud-computing/ |
Start Year | 2014 |
Description | Collaboration with RMIT and Purdue University on key exchange research |
Organisation | RMIT University |
Country | Australia |
Sector | Academic/University |
PI Contribution | Supported by the EPSRC First Grant on key exchange protocols, we started research collaboration with Prof Xun Yi from RMIT, Australia and Prof Elisa Bertino from Purdue University, USA, on key exchange. We provided our expertise on key exchange protocols into the joint design of a new Identity-based key exchange protocol that was accepted and published by a major conference in the field (ESORICS'14). |
Collaborator Contribution | Prof Xun Yi and Prof Elisa Bertino are experts on identity-based cryptography. The joint collaboration nicely combines the key exchange expertise from Newcastle University and the expertise in identity-based cryptography from RMIT and Purdue University. |
Impact | 1) A joint paper with names of three of us: Xun Yi, Feng Hao, Elisa Bertino, "ID-Based Two-Server Password-Authenticated Key Exchange," Proceedings of European Symposium on Research in Computer Security (ESORICS), LNCS 8713, pp. 257-276, 2014. 2) a special issue for the Journal of Information Security and Applications with three of us being editors (on-going, expected to be published in 2015) http://www.journals.elsevier.com/journal-of-information-security-and-applications/call-for-papers/special-issues-on-security-and-privacy-in-cloud-computing/ |
Start Year | 2014 |