Two Types of Key-Compromise Impersonation Attacks against One-Pass Key Establishment Protocols

Key establishment protocols are among the most important security mechanisms via which two or more parties can encrypt their communications over an insecure network. This paper is concerned with the vulnerability of onepass two-party key establishment protocols to key-compromise impersonation (K-CI) attacks. The latter may occur once an adversary has obtained the longterm private key of an honest party, and represent a serious — but often underestimated — threat, because a successful impersonation attack may result in far greater harm than the reading of past and future conversations. Our aim is to describe two main classes of K-CI attacks that can be mounted against all of the best-known one-pass protocols, including MQV and HMQV. We show that one of the attacks described can be somewhat avoided (though not completely eliminated) through the combined use of digital signatures and time-stamps; however, there still remains a class of K-CI threats for which there is no obvious solution.