A New Way to Prevent UKS Attacks Using Hardware Security Chips

UKS (unknown key-share) attacks are common attacks on AKE (Authenticated Key Exchange) protocols. We summarize two common countermeasures against UKS attacks on a kind of AKE protocols whose message flows are basic Diffie-Hellman exchanges. The first countermeasure forces the CA to check the possession of private key during registration, which is impractical for the CA. The second countermeasure adds identities in the derivation of the session key, which leads to modification of the protocols which might already be standardized and widely used in practice. By using protection of cryptographic keys provided by hardware security chips, such as TPM or TCM, we propose a new way that requires no check of possession of private key and no addition of identity during the derivation of the session key to prevent UKS attacks. We modify the CK model to adapt protocols using hardware security chip. We then implement a protocol once used in NSA, called KEA and subject to UKS attacks, using TCM chips. Our implementation, called tKEA, without forcing the CA to check during registration and modifying the original KEA, is proven to be secure. To show the generality of our way, we also show that it can prevent UKS attacks on the MQV protocol.