
7.8.3 Authenticity of public keys
Another way for Mallory to attack the RSA cryptosystem is to tamper with Alice's public key. More specifically, Mallory might replace Alice's public key PKAlice = (eA,nA) with her own public key PKM = (eM,nM). If Bob does not notice the exchange, he will encrypt his message in a way that Mallory can decrypt. Therefore it is vital for the security of the RSA cryptosystem (and all other public-key cryptosystems) that the public keys are authentic, which means in this case that the binding between an entity and its public key can be verified by other parties. One way to achieve authenticity for public keys is digital certificates, which are the subject of Chapter 10, Digital Certificates and Certification Authorities.
7.9 Authenticated key agreement
The Diffie-Hellman protocol is a key agreement protocol because it establishes a shared secret between the communicating parties, but it is not an authenticated key agreement protocol. This is illustrated by the MITM attack on Diffie-Hellman we discussed earlier. The MITM attack is possible because Alice and Bob cannot verify each other’s identity.
In 1992, cryptographers Whitfield Diffie, Paul van Oorschot, and Michael J Wiener published a paper describing two-party mutual authentication protocols providing authenticated key agreement, focusing on those using asymmetric techniques [50]. In addition to theoretical fundamentals, they also introduced the now well-known Station-to-Station (STS) protocol, illustrating authenticated key agreement in a simple, elegant manner.
Authenticated key agreement is a cryptographic protocol that allows Alice and Bob to verify each other’s identities and establish a shared secret key in a single protocol run. To put it differently, the goal of an authenticated key agreement protocol is to establish a shared secret key between two communicating parties whose identities have been verified.
We are specifically interested in authenticated key agreement protocols based on public-key cryptography for reasons we elaborate on later in this section. For such protocols, it is typically assumed that the underlying cryptographic primitives such as an encryption algorithm or a hash function are secure.
In addition, the protocol must be secure against an active attacker Mallory who is allowed to see all messages sent by Alice and Bob and can delete, manipulate, inject, and redirect messages. Mallory can also reuse messages from previous protocol runs and initiate communication with arbitrary parties. In other words, an authenticated key agreement protocol must withstand both passive and active attacks.
Note that a denial-of-service attack in itself is not considered to break the security of an authenticated key agreement protocol. If Mallory manipulates or injects messages in the communication between Alice and Bob, and the protocol terminates as a result of Alice having seen different messages from those seen by Bob, the protocol is considered to be secure.
Moreover, Mallory’s interference with the communication where she simply intercepts messages from Alice and Bob and then passes them along without manipulating them is not considered an attack.
A good cryptographic practice is to use protocols that are simple, work with a small number of messages, require a small number of fields in each message, and perform a minimum number of cryptographic computations. The reason for this is the observation, backed by numerous scientific publications and security incidents in the wild, that it is extremely easy to make mistakes when designing cryptographic protocols.
In authenticated key agreement protocols, it is highly desirable to combine authentication and key agreement to improve the protocols’ security. If Alice and Bob use a protocol where authentication and key agreement are independent, Mallory can wait until the authentication is successfully completed and then impersonate Bob or Alice during the key agreement phase.
In contrast, when a protocol combines authentication and key agreement, Alice is assured that the secret key she has agreed upon is actually shared with Bob, not Mallory. The same guarantees apply for Bob.
In general, there are several more desirable properties for an authenticated key agreement protocol:
- Perfect forward secrecy ensures that the compromise of long-term secrets does not affect the security of the keys Alice and Bob have established in previous protocol runs
- Direct authentication – the validation of Alice’s and Bob’s identities directly during the protocol, not at the end of the protocol – prevents Mallory from misusing Alice or Bob as a mere signing service who unknowingly signs messages of Mallory’s choice
- Avoiding the use of timestamps relaxes the implementation requirements for both Alice and Bob because there is no need for them to operate local clocks that must be periodically and securely synchronized with a trustworthy time source
In the cryptographic literature, direct authentication is sometimes referred to as explicit key authentication. It combines the assurance that only the identified, legitimate parties Alice and Bob are able to exchange the shared secret key – a property that is also called (implicit) key authentication – with the assurance that Alice and Bob are actually in possession of that particular secret key, a property called key confirmation.
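The following is an added worked example, not code from this book or from the Diffie, van Oorschot and Wiener paper. It runs one STS-style authenticated key agreement in the MAC variant (the signature is sent in the clear and a MAC under the fresh session key provides key confirmation, rather than encrypting the signature). Two assumptions beyond the text: the toy Diffie-Hellman group (p = 2^127 - 1, g = 3) and the textbook hash-then-sign RSA used for the long-term keys are constructed stand-ins for real parameters and a real signature scheme, and both parties' identities are included in the signed transcript, a choice made here rather than one the chapter states. The `substitute_gx` switch simulates the attacker from the MITM discussion above replacing Alice's first message; because Bob's signature then covers a value Alice never sent, her verification rejects the run, which is exactly the benefit of combining authentication with key agreement.

```python
import hashlib
import hmac
import secrets

# Toy DH group, constructed for speed: p = 2^127 - 1 (a Mersenne prime), g = 3.
# A deployed system would use a standardised finite-field or elliptic-curve group.
P = 2**127 - 1
G = 3


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; only used to build the toy RSA signing keys below."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=512):
    """Toy long-term signing key pair (textbook RSA, no padding): a stand-in for
    a real signature scheme, assumed here purely to make the protocol runnable."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e:
            break
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)


def enc(value):
    """Length-prefixed encoding so transcript fields cannot be re-split."""
    data = value if isinstance(value, bytes) else value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return len(data).to_bytes(4, "big") + data


def transcript_hash(*fields):
    return int.from_bytes(hashlib.sha256(b"".join(enc(f) for f in fields)).digest(), "big")


def sign(sk, *fields):
    d, n = sk
    return pow(transcript_hash(*fields), d, n)


def verify(pk, sig, *fields):
    e, n = pk
    return pow(sig, e, n) == transcript_hash(*fields)


def derive_key(shared_secret):
    return hashlib.sha256(b"STS-toy-key" + enc(shared_secret)).digest()


def mac(key, sig):
    return hmac.new(key, enc(sig), "sha256").digest()


def run_sts(substitute_gx=False):
    """One STS-style run. Each signature covers both DH values and both identities;
    the MAC under the fresh key K gives key confirmation. With substitute_gx=True an
    active attacker swaps Alice's DH value before it reaches Bob, so Bob signs a
    value Alice never sent and Alice's verification rejects the run."""
    pk_a, sk_a = rsa_keygen()
    pk_b, sk_b = rsa_keygen()
    ident_a, ident_b = b"Alice", b"Bob"          # constructed identities

    # Message 1, Alice -> Bob: g^x
    x = secrets.randbelow(P - 2) + 1
    gx = pow(G, x, P)
    gx_seen_by_bob = pow(G, secrets.randbelow(P - 2) + 1, P) if substitute_gx else gx

    # Message 2, Bob -> Alice: g^y, Sig_B(g^y, g^x, B, A), MAC_K(Sig_B)
    y = secrets.randbelow(P - 2) + 1
    gy = pow(G, y, P)
    k_b = derive_key(pow(gx_seen_by_bob, y, P))
    sig_b = sign(sk_b, gy, gx_seen_by_bob, ident_b, ident_a)
    gy_recv, sig_recv, tag_recv = (gy, sig_b, mac(k_b, sig_b))

    # Alice checks the signature against the values SHE sent and received (direct
    # authentication), then the MAC under her own K (key confirmation).
    k_a = derive_key(pow(gy_recv, x, P))
    if not verify(pk_b, sig_recv, gy_recv, gx, ident_b, ident_a):
        raise ValueError("Bob's signature does not cover the values Alice exchanged")
    if not hmac.compare_digest(tag_recv, mac(k_a, sig_recv)):
        raise ValueError("key confirmation from Bob failed")

    # Message 3, Alice -> Bob: Sig_A(g^x, g^y, A, B), MAC_K(Sig_A); Bob checks symmetrically.
    sig_a = sign(sk_a, gx, gy_recv, ident_a, ident_b)
    sig_recv, tag_recv = (sig_a, mac(k_a, sig_a))
    if not verify(pk_a, sig_recv, gx_seen_by_bob, gy, ident_a, ident_b):
        raise ValueError("Alice's signature does not cover the values Bob exchanged")
    if not hmac.compare_digest(tag_recv, mac(k_b, sig_recv)):
        raise ValueError("key confirmation from Alice failed")
    return k_a, k_b
```

Note that the protocol never relies on timestamps: freshness comes from the ephemeral exponents x and y, and a successful return means each party holds the same K and has verified that the other signed precisely the values it exchanged. The long-term public keys pk_a and pk_b are assumed authentic, which is the point of Section 7.8.3.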