UKS (unknown key-share) attacks are common attacks on AKE (Authenticated Key Exchange) protocols. We summarize two common countermeasures against UKS attacks on a class of AKE protocols whose message flows are basic Diffie-Hellman exchanges. The first countermeasure forces the CA to check possession of the private key during registration, which is impractical for the CA. The second countermeasure adds identities to the derivation of the session key, which requires modifying protocols that may already be standardized and widely used in practice. By using the protection of cryptographic keys provided by hardware security chips, such as TPM or TCM, we propose a new way to prevent UKS attacks that requires neither a proof-of-possession check of the private key nor the addition of identities to the derivation of the session key. We modify the CK model to accommodate protocols that use a hardware security chip. We then implement a protocol once used by the NSA, called KEA and subject to UKS attacks, using TCM chips. Our implementation, called tKEA, is proven secure without forcing the CA to check during registration or modifying the original KEA. To show the generality of our approach, we also show that it can prevent UKS attacks on the MQV protocol.
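The second countermeasure from the abstract, as an added illustration that is not part of the paper: a KEA-style exchange whose session key is derived with and without the peer identities bound in. The shared-secret formula (sum of the two cross Diffie-Hellman values) is a simplified assumption about KEA, and the group parameters are a constructed toy, not a secure group.

```python
import hashlib
import secrets

# Constructed toy parameters for illustration only: a Mersenne prime and a
# small base. They demonstrate the protocol algebra, not a secure group.
P = 2**127 - 1
G = 3

def keygen():
    """Return (private, public) with public = G^private mod P."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def kea_shared_secret(static_priv, eph_priv, peer_static_pub, peer_eph_pub):
    """Assumed simplified KEA shared secret (no standardized KDF): the sum of
    the two cross Diffie-Hellman values g^(ay) + g^(bx) mod P. Alice computes
    Y^a + B^x, Bob computes A^y + X^b, and both obtain the same value."""
    return (pow(peer_eph_pub, static_priv, P) + pow(peer_static_pub, eph_priv, P)) % P

def derive_key(shared, initiator_id=None, responder_id=None):
    """Session key. Without identities the key depends only on the shared
    secret, so two parties with different beliefs about their peer still
    agree on a key (the situation UKS attacks exploit). With identities bound
    in, a disagreement about who is talking to whom yields different keys."""
    h = hashlib.sha256()
    h.update(shared.to_bytes(16, "big"))   # shared < 2**127 fits in 16 bytes
    if initiator_id is not None:
        h.update(b"|" + initiator_id + b"|" + responder_id)
    return h.hexdigest()

def run_exchange(bind_identities, alice_thinks_peer=b"Bob", bob_thinks_peer=b"Alice"):
    """Run one exchange between Alice (initiator) and Bob (responder) and
    report whether they end up with the same session key."""
    a, A = keygen(); x, X = keygen()   # Alice: static and ephemeral pairs
    b, B = keygen(); y, Y = keygen()   # Bob: static and ephemeral pairs
    k_alice = kea_shared_secret(a, x, B, Y)
    k_bob = kea_shared_secret(b, y, A, X)
    assert k_alice == k_bob             # the raw DH algebra always agrees
    if bind_identities:
        key_a = derive_key(k_alice, b"Alice", alice_thinks_peer)
        key_b = derive_key(k_bob, bob_thinks_peer, b"Bob")
    else:
        key_a = derive_key(k_alice)
        key_b = derive_key(k_bob)
    return key_a == key_b
```

With identities bound, `run_exchange(True, bob_thinks_peer=b"Eve")` returns False, whereas the unbound variant returns True despite the mismatched belief.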