Authenticated Key Agreement Protocols: Security Models, Analyses, and Designs. (Protocoles d'échanges de clefs authentifiés : modèles de sécurité, analyses et constructions)

An impressive ratio of the previously proposed key agreement protocols turn outto be insecure when regarded with respect to recent security models. The Canetti–Krawczyk(CK) and extended Canetti–Krawczyk (eCK) security models, are widely used to provide secu-rity arguments for key agreement protocols. We point out security shades in the (e)CK models,and some practical attacks unconsidered in (e)CK–security arguments. We propose a strongsecurity model which encompasses the eCK one. We propose a complementary analysis of theExponential Challenge Response (XRC) and Dual Exponential Challenge Response (DCR)signature schemes, which are the building blocks of the HMQV protocol. On the basis of thisanalysis we show how impersonation and man in the middle attacks can be performed againstthe (C, H)MQV(–C) protocols when some session specific information leakages happen. Wedefine the Full Exponential Challenge Response (FXRC) and Full Dual Exponential ChallengeResponse (FDCR) signature schemes; using these schemes we propose the Fully Hashed MQVprotocol and the Strengthened MQV protocol, which preserve the remarkable performance ofthe (H)MQV protocols and resist the attacks we present. The SMQV and FHMQV proto-cols are particularly suited for distributed implementations wherein a tamper–proof device isused to store long–lived keys, while session keys are used on an untrusted host machine. Insuch settings, the non–idle time computation effort of the device reduces to few non–costlyoperations. The SMQV and FHMQV protocols meet our security definition under the GapDiffie–Hellman assumption and the Random Oracle model.