## Unknown Key-Share Attacks on the Station-to-Station (STS) Protocol (1999)

### Download Links

- www.mathmagic.cn
- cacr.math.uwaterloo.ca
- DBLP

Citations: 49 (5 self)

### BibTeX

```bibtex
@MISC{Blake-Wilson99unknownkey-share,
  author = {Simon Blake-Wilson and Alfred Menezes},
  title  = {Unknown Key-Share Attacks on the Station-to-Station (STS) Protocol},
  year   = {1999}
}
```

### Abstract

This paper presents some new unknown key-share attacks on STS-MAC, the version of the STS key agreement protocol which uses a MAC algorithm to provide key confirmation. Various methods are considered for preventing the attacks.

1 Introduction

Key establishment is the process by which two (or more) entities establish a shared secret key. The key may subsequently be used to achieve some cryptographic goal, such as confidentiality or data integrity. Ideally, the established key should have precisely the same attributes as a key established face-to-face --- for example, it should be shared by the (two) specified entities, it should be distributed uniformly at random from the key space, and no unauthorized (and computationally bounded) entity should learn anything about the key. Key establishment protocols come in various flavors. In key transport protocols, a key is created by one entity and securely transmitted to the second entity, while in key agreement protocols both parties co...

### Citations

3231 | A Method for Obtaining Digital Signatures and Public-Key Cryptosystems
- Rivest, Shamir, et al.
- 1978

Citation context: ...S, and given A’s signature sA on a message M, can an adversary select a key pair (PE, SE) for S such that sA is also E’s signature on the message M? We demonstrate that, in certain circumstances, the RSA [31], Rabin [30], ElGamal [12], DSA [1,27], and ECDSA [3] signature schemes all possess this property. In the RSA scheme, it is assumed that each entity is permitted to select its own encryption exponent ...

2762 | Handbook of Applied Cryptography
- Menezes, van Oorschot, et al.
- 1996

Citation context: ...ine UKS attacks on STS-MAC, the variant of the station-to-station (STS) [11] AKC protocol which uses a MAC to provide key confirmation. For an extensive survey on key establishment, see Chapter 12 of [25]. For a recent survey on authenticated Diffie-Hellman key agreement protocols, see [10]. Formal definitions of authenticated key agreement can be found for the symmetric setting in [7] and for the asy...

1443 | Random oracles are practical: a paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993

Citation context: ... B: CertA, SA(3, A, B, α^rA, α^rB), MAC_K′(SA(3, A, B, α^rA, α^rB)). We imagine that this protocol (and also the protocol in item 6 below) can be analyzed by modeling the hash function H as a random oracle [6]. 5. Instead of including the identities of the entities in the signed message, one could include them in the key derivation function, whose purpose is to derive the shared key from the shared secret ...

1246 | A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
- ElGamal
- 1985

Citation context: ...A on a message M, can an adversary select a key pair (PE, SE) for S such that sA is also E’s signature on the message M? We demonstrate that, in certain circumstances, the RSA [31], Rabin [30], ElGamal [12], DSA [1,27], and ECDSA [3] signature schemes all possess this property. In the RSA scheme, it is assumed that each entity is permitted to select its own encryption exponent e. In the ElGamal, DSA and...

877 | A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks
- Goldwasser, Micali, et al.
- 1988

Citation context: ...te-signature key selection property does not constitute a weakness of the signature scheme — the goal of a signature scheme is to be existentially unforgeable against an adaptive chosen-message attack [13]. In the following, H denotes a cryptographic hash function such as SHA-1 [28]. 4.1 RSA Key pair: A’s public key is PA = (N, E), where N is a product of two distinct primes P and Q, and 1 < E < Φ, gcd(E, Φ) = ...

498 | Entity authentication and key distribution
- Bellare, Rogaway
- 1994

Citation context: ... Chapter 12 of [25]. For a recent survey on authenticated Diffie-Hellman key agreement protocols, see [10]. Formal definitions of authenticated key agreement can be found for the symmetric setting in [7] and for the asymmetric setting in [9]. The remainder of this paper is organized as follows. The STS protocol is described in §2. In §3 we present the new on-line UKS attacks on STS-MAC, and consider ...

330 | An improved algorithm for computing logarithms over GF(p) and its cryptographic significance
- Pohlig, Hellman
- 1978

Citation context: ... p. 3. Select a prime q such that: (a) pq > N; (b) q − 1 is smooth; (c) gcd(p − 1, q − 1) = 2; and (d) s and m are both generators of Z*_q. 4. Since p − 1 is smooth, E can use the Pohlig-Hellman algorithm [29] to efficiently find an integer x1 such that s^x1 ≡ m (mod p). 5. Similarly, since q − 1 is smooth, E can efficiently find an integer x2 such that s^x2 ≡ m (mod q). 6. Compute n = pq, φ = (p − 1)(q − 1), ...

310 | Digitized Signatures and Public-Key Functions As Intractable As Factorization
- Rabin
- 1979

Citation context: ...’s signature sA on a message M, can an adversary select a key pair (PE, SE) for S such that sA is also E’s signature on the message M? We demonstrate that, in certain circumstances, the RSA [31], Rabin [30], ElGamal [12], DSA [1,27], and ECDSA [3] signature schemes all possess this property. In the RSA scheme, it is assumed that each entity is permitted to select its own encryption exponent e. In the El...

280 | Authentication and authenticated key exchange
- Diffie, van Oorschot, et al.
- 1992

Citation context: ...ty E ≠ A. The significance of UKS attacks on AK and AKC protocols is further discussed in §3. This paper presents some new on-line UKS attacks on STS-MAC, the variant of the station-to-station (STS) [11] AKC protocol which uses a MAC to provide key confirmation. For an extensive survey on key establishment, see Chapter 12 of [25]. For a recent survey on authenticated Diffie-Hellman key agreement prot...

253 | Factoring integers with elliptic curves
- Lenstra
- 1987

Citation context: ...duli are being used, then the probability that the bitlength of the second-largest prime factor of n is ≤ 113 is about 1/2. Such n can be readily factored with the elliptic curve factoring algorithm [22]. Given the prime factorization of n, E can hope to convince the CA that it knows the corresponding private key (even though one may not exist — n may not be a product of 2 distinct primes), by signin...

234 | A modular approach to the design and analysis of authentication and key exchange protocols
- Bellare, Canetti, et al.
- 1998

Citation context: ...decryption, not by encryption. One advantage of STS-ENC over STS-MAC is that the former can facilitate the provision of anonymity. Many protocols related to STS have appeared in the literature (e.g., [5], [14], [18]). It should be noted, however, that these protocols cannot be considered to be minor variants of STS — as this paper shows, the former protocols have some security attributes that are lac...

164 | ISO/IEC 7498-1: Information technology – Open Systems Interconnection – Basic Reference Model: The Basic Model
- ISO/IEC
- 1996

Citation context: ...message fields such as flow numbers, identities, and group elements, are represented using fixed-length encodings and concatenated. Otherwise, some other unique prefix-free encoding such as ASN.1 DER [15,16] should be used. ... of how inclusion of flow numbers can help guard against certain attacks on entity authentication mechanisms.) Th...

147 | Key agreement protocols and their security analysis
- Blake-Wilson, Johnson, et al.
- 1997

Citation context: ...ey on authenticated Diffie-Hellman key agreement protocols, see [10]. Formal definitions of authenticated key agreement can be found for the symmetric setting in [7] and for the asymmetric setting in [9]. The remainder of this paper is organized as follows. The STS protocol is described in §2. In §3 we present the new on-line UKS attacks on STS-MAC, and consider ways of preventing the attacks. In §4,...

122 | An efficient protocol for authenticated key agreement. Des
- Law, Menezes, et al.

Citation context: ...e of private keys during certification. It suggests other methods which may be used to prevent the new attacks. The attacks are similar in spirit to Kaliski’s recent attack [20] on the AK protocol of [21] — however the attacks we present are more damaging because, unlike Kaliski’s attack, they are not prevented by appropriate key confirmation. Finally, in §3.3 we consider possible UKS attacks on STS-E...

74 | Authenticated Diffie-Hellman Key Agreement
- Blake-Wilson, Menezes

Citation context: ...ol which uses a MAC to provide key confirmation. For an extensive survey on key establishment, see Chapter 12 of [25]. For a recent survey on authenticated Diffie-Hellman key agreement protocols, see [10]. Formal definitions of authenticated key agreement can be found for the symmetric setting in [7] and for the asymmetric setting in [9]. The remainder of this paper is organized as follows. The STS pr...

66 | Information technology — Security techniques — Encryption algorithms — Part 2: Asymmetric Ciphers
- ISO/IEC
- 2004

Citation context: ...TS-MAC, identities of the intended recipients are included in the signatures in ISO-STS-MAC. This was apparently done in order to be conformant with the entity authentication mechanisms in ISO 9798-3 [17], rather than because of a security concern with STS without the inclusion of identities. Another difference between ISO-STS-MAC and STS-MAC is that in the former the MAC algorithm is applied to the m...

65 | A key recovery attack on discrete log-based schemes using a prime order subgroup
- Lim, Lee
- 1997

Citation context: ...lic-key validation [19] of signature keys is a sensible measure to take. (Rationale for performing key validation of public keys for use in Diffie-Hellman-based key agreement protocols is provided in [23].) ... The attack is similar to the attack presented in §3.2, but relies on the following assumption on the signature scheme: E is ab...

47 | The exact security of digital signatures: how to sign with RSA
- Bellare, Rogaway
- 1996

Citation context: ... To sign a message M, A computes m = H(M) and s = m^D mod N. A’s signature on M is s. Here, H may also incorporate a message formatting procedure such as the ones specified in the ANSI X9.31 [2], FDH [8] and PSS [8] variants of RSA. Signature verification: Given an authentic copy of A’s public key, one can verify A’s signature s on M by computing m = H(M), and verifying that s^E ≡ m (mod N). Adversar...

41 | Some new key agreement protocols providing mutual implicit authentication
- Menezes, Qu, et al.
- 1995

Citation context: ...key confirmation has not yet been provided). The remainder of this section discusses UKS attacks on STS-MAC and STS-ENC. §3.1 describes well-known public key substitution UKS attacks (for example, see [24,25]). These attacks can be prevented if a CA checks possession of private keys during the certification process. §3.2 presents new on-line UKS attacks on STS-MAC that are not prevented simply by checking...

29 | Extending cryptographic logics of belief to key agreement protocols (extended abstract)
- van Oorschot
- 1993

Citation context: ...he finite multiplicative group G. rA: A’s ephemeral Diffie-Hellman private key; 1 ≤ rA ≤ n − 1. K: Ephemeral Diffie-Hellman shared secret; K = α^(rA rB). The two STS variants are presented below (see also [11,25,32]). In both descriptions, A is called the initiator, while B is called the responder. STS-MAC Protocol. The STS-MAC protocol is depicted below. Initiator A selects a random secret integer rA, 1 ≤ rA ≤ n...

29 | Information technology – Security techniques – Key management – Part 4: Mechanisms based on weak secrets
- ISO/IEC

15 | The Elliptic Curve Digital Signature Algorithm
- ANSI X9.62
- 1998

Citation context: ...ersary select a key pair (PE, SE) for S such that sA is also E’s signature on the message M? We demonstrate that, in certain circumstances, the RSA [31], Rabin [30], ElGamal [12], DSA [1,27], and ECDSA [3] signature schemes all possess this property. In the RSA scheme, it is assumed that each entity is permitted to select its own encryption exponent e. In the ElGamal, DSA and ECDSA schemes, it is assum...

11 | Elliptic Curve Key Agreement and Key Transport Protocols
- ANSI X9.63
- 1999

Citation context: ...ttack on an AK protocol (which does not provide key confirmation). As stated in [9], keys established using AK protocols should be confirmed prior to cryptographic use. Indeed, some standards such as [4] take the conservative approach of mandating key confirmation of keys agreed in an AK protocol. If appropriate key confirmation is subsequently provided, then the attempt at a UKS attack will be detec...

10 | Digital Signatures using Reversible Public Key Cryptography for the Financial Services Industry (rDSA)
- ANSI X9.31
- 1998

Citation context: ...neration: To sign a message M, A computes m = H(M) and s = m^D mod N. A’s signature on M is s. Here, H may also incorporate a message formatting procedure such as the ones specified in the ANSI X9.31 [2], FDH [8] and PSS [8] variants of RSA. Signature verification: Given an authentic copy of A’s public key, one can verify A’s signature s on M by computing m = H(M), and verifying that s^E ≡ m (mod N)....

8 | Standardizing Authentication Protocols Based on Public Key Techniques
- Mitchell, Thomas
- 1993

Citation context: ...w number¹ in the messages being signed prevents the on-line UKS attacks. Inclusion of the flow number and the identity of the message sender may help guard against attacks yet to be discovered. (See [26] for an example ... ¹ In this paper, we assume that message fields such as flow numbers, identities, and group elements, are represented using fixed-length encodings and concatenated. Otherwise, some othe...

3 | Contribution to ANSI X9F1 working group
- Johnson
- 1997

Citation context: ...ecification of the underlying symmetric-key encryption and signature schemes, together with a statement of the security properties they are assumed to possess; and 2. Performing public-key validation [19] of signature keys is a sensible measure to take. (Rationale for performing key validation of public keys for use in Diffie-Hellman-based key agreement protocols is provided in [23].) ...

3 | Contribution to ANSI X9F1 and IEEE P1363 working groups
- Kaliski
- 1998

Citation context: ...simply by checking knowledge of private keys during certification. It suggests other methods which may be used to prevent the new attacks. The attacks are similar in spirit to Kaliski’s recent attack [20] on the AK protocol of [21] — however the attacks we present are more damaging because, unlike Kaliski’s attack, they are not prevented by appropriate key confirmation. Finally, in §3.3 we consider po...