Authenticated Key Exchange
P's session key (not its long-term secret key) is effectively a fresh, random key that is known only to Q.
Each user of the system must perform some kind of registration protocol with the TTP.
An offline TTP, a.k.a. a CA, issues certificates that bind the identity of a user to a public key.
In general, an offline TTP is preferable to an online TTP. The advantage of an online TTP is that such protocols can be built using only symmetric-key primitives, without public-key tools.
The key k is shared with an instance of user Q.
This instance of user Q should think it is talking to an instance of user P.
The key k is indistinguishable from a random key even if the adversary sees other session keys.
AKE is a combination of identification and anonymous key exchange.
Static security: AKE1
The adversary never compromises the long-term secret key of any honest user.
Key recovery attack
If the signature does not cover the ciphertext, an adversary can intercept the message and replace the ciphertext with an encryption of a different session key.
The very first message from P can be seen by an adversary.
The adversary is able to force a user instance to re-use an old session key.
If k is used as a stream-cipher key, this enables a two-time pad attack.
Identity misbinding attack
This violates the authentication property:
P thinks he is talking to Q, while Q thinks he is talking to R.
occurring redeem other account
It is important that the participants securely erase all ephemeral data they generated during the protocol.
The session key should be vulnerable iff
P is a corrupt user,
P is an honest user, but its LTS was compromised at some time in the past, or
P is an honest user, but the adversary accessed P's HSM during the window of time that Q was running the protocol.
We insist that the HSM is just an oracle for a simple function and is completely stateless.
An adversary cannot learn the identity of either one or both of the users that are running the AKE protocol.
Eavesdropping identity protection
Full identity protection
To attempt to foil this attack, one can use a challenge-response identification protocol.
The adversary is not only revealing other sensitive data, but also mounting a MitM attack.
Challenge-response cannot solve this type of attack.
Let’s talk about PAKE
The distinguishing feature of PAKE protocols is that the client authenticates herself to the server using a password.
We claim that, under the CDH assumption for G and modeling H as a random oracle, protocol PAKE1 is not vulnerable to a dictionary attack by an eavesdropping adversary.
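An added example (not code from the notes or from the textbook) showing why the CDH assumption is what keeps an eavesdropper from running an offline dictionary attack. It assumes PAKE1 has the form "plain DH, then k = H(id_P, id_Q, u, v, w, pw) with w = g^(ab)", uses a constructed toy group that is far too small for real use, and contrasts it with a strawman whose key depends only on public values and the password.

```python
import hashlib
import secrets

# Toy group (constructed for illustration; far too small for real use):
# p = 2q + 1 is a safe prime and g = 4 generates its order-q subgroup.
P, Q, G = 1019, 509, 4

def H(*parts) -> bytes:
    """Stand-in for the random oracle H: SHA-256 over the labelled inputs."""
    return hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest()

def pake1_run(pw, id_p="P", id_q="Q"):
    """One PAKE1-style exchange (assumed form: plain DH, then
    k = H(id_P, id_Q, u, v, w, pw) with w = g^(ab)).
    Returns P's key, Q's key, the wire transcript, and the DH secret w."""
    a, b = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    u, v = pow(G, a, P), pow(G, b, P)          # P -> Q: u ;  Q -> P: v
    w_p, w_q = pow(v, a, P), pow(u, b, P)      # both views of g^(ab); equal
    k_p = H(id_p, id_q, u, v, w_p, pw)
    k_q = H(id_p, id_q, u, v, w_q, pw)
    return k_p, k_q, (id_p, id_q, u, v), w_p

def strawman_run(pw, id_p="P", id_q="Q"):
    """Strawman with no DH secret: k = H(id_P, id_Q, u, v, pw) over public
    nonces, so every input to k except pw travels on the wire."""
    u, v = secrets.randbelow(P), secrets.randbelow(P)
    k = H(id_p, id_q, u, v, pw)
    return k, k, (id_p, id_q, u, v)

def confirm_tag(k):
    """Key-confirmation value sent after the exchange; it gives an eavesdropper
    a test for candidate keys (constructed detail, not from the notes)."""
    return H("confirm", k)

def offline_dictionary_attack(transcript, tag, dictionary, derive):
    """Eavesdropper's offline attack: derive(transcript, guess) is the candidate
    key it can form from the wire; returns the matching password or None."""
    for guess in dictionary:
        if confirm_tag(derive(transcript, guess)) == tag:
            return guess
    return None

def strawman_derive(transcript, guess):
    id_p, id_q, u, v = transcript
    return H(id_p, id_q, u, v, guess)

def pake1_derive(w):
    """PAKE1 candidate keys need w. An eavesdropper holds only u and v, and
    obtaining w from them is exactly CDH, so it is stuck with a guess for w."""
    def derive(transcript, guess):
        id_p, id_q, u, v = transcript
        return H(id_p, id_q, u, v, w, guess)
    return derive
```

Only the party that knows w can turn the transcript into a password test; with any wrong w every candidate fails, which is the reduction to CDH in miniature.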
PAKE used to be protected by patents.
There is a lack of good PAKE implementations.
SRP (Secure Remote Password)
has working code in OpenSSL.
OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks
who is able to listen to all communications