Security of STS

Security of STS MADE BY MARTIN CHETIYAR (08).

Introduction In this section, we discuss the security properties of the simplified STS scheme. For future reference, the information exchanged in a session of the scheme is illustrated as follows: aau II II aau) sigu(ID(V) II II aav).

Security Properties of STS The scheme is secure against known session key attacks and provides perfect forward secrecy The scheme is a secure mutual identification scheme (i.e., if the adversary is active during a given flow of the protocol, then no honest participant will "accept" after that time) In addition, the scheme is a secure KAS wrt a passive adversary(i.e , U and V can both compute the same session key, K, and the adversary cannot compute any information about K) if U "accepts", it means that she believes that —she has been communicating with —U and V can compute the same session key, and —no one other than V can compute any information about the session key.

Key Authentication and Key Confirmation Suppose U and V are honest, and they execute an SKDS or KAS . At the end of the session ,U and V should each be able to compute the same session key , K, whose value should be unknown to the adversary. Suppose that U "accepts". The following properties discuss various types of assurance that may be provided to U: Implicit key authentication U is assured that no one other than V can compute K Implicit key confirmation U is assured that V can compute K, and no one other than V can compute K Explicit key confirmation U is assured that V has computed K, and no one other than V can compute K.

Identification and Key Authentication / Confirmation Implicit or explicit key confirmation is not possible without simultaneous mutual identification (entity authentication) Implicit key authentication is possible without identification Of course, mutual identification can be done in the absence of any key distribution or key agreement A KAS (or SKDS) with key confirmation is "secure" if it is secure mutual identification scheme, and the specified type ofkey confirmation is achieved.

A Parallel Session Attack W pretends to be V in a session Sl with U; and W pretends to be U in a session .32 with Cert( V), s v cert( Cert( U), s U then W requests the key K for session S2 , which is allowed in a known session key attack K is also the key for sessionS 1.

The Triangle Attack Cert( U), s U Cert( V), s v Cert( W), s U Cert( V), s'v cert( W), s v Cert( U), s'U.

Further Settings For Two-Party Key Establishment Protocols We have considered two-party key agreement schemes in the public-key setting It is also possible to study key transport schemes ,where one party chooses the session key and "transports" it to the other party (i.e., by encrypting it) KAS and K TS can also be studied in the secret-key setting , where signature schemes are replaced by MACs, and public-key encryption is replaced by secret-key encryption In the public-key setting, identity-based schemes have been devised, in which public keys are derived from users' identities ; this eliminates the need for certificates to authenticate public keys.

•nox >IUOCIL.