Datenbestand vom 21. September 2020
Tel: 089 / 66060798
Mo - Fr, 9 - 12 Uhr
Fax: 089 / 66060799
aktualisiert am 21. September 2020
978-3-86853-778-9, Reihe Informatik
Klaas Ole Kürtz
Secure Two-Round Message Exchange
189 Seiten, Dissertation Universität Kiel (2010), Hardcover, B5
In this thesis we analyzed ways to secure two-round message exchange protocols. We defined three protocols that have not been specified in detail before (but variants of which are widely used in practice). Using two different approaches, we proved the security of those protocols, taking into account common protocol elements such as timestamps and nonces, but also specifics of the setting of web services such as signed parts or different roles of servers and clients.
Although protocols like these are reckoned secure in practical applications, this work is the first that allows sound cryptographic security proofs of protocols in the tworound setting, faithfully including characteristical aspects of two-round protocols. Nevertheless, we still abstracted from many implementational details (see [BG05] for an overview of some examples), and we used the random oracle model for the analysis of our password-based protocol.
We first discussed specifics of the two-round setting as well as notions of authentication and put “message exchange authentication” in the context of message and entity authentication. Although the notion of message exchange authentication fits naturally in this context, to the best of our knowledge, it has not been studied before.
Then, we tailored the Bellare–Rogaway framework to model important specifics of the two-round protocol setting we wanted to analyze. The resulting security definition is self-contained in that understanding it does not require previous knowledge of any framework. We were then able to perform a concrete trace-based security analysis.
However, analyzing all three of our protocols in this style would have led to three different models (or a significantly more complex integrated model) for the three different security goals. In addition, the modeling of matching conversations is too strict in some situations (we already had to relax it using the notion of equivalent messages).
Simulation-based security clearly has the advantage that it leads to an easier statement of different security goals than an individual, trace-based definition, given that the reader is familiar with simulation-based security and the complex details of the IITM framework to understand all communication steps.
Moreover, the simulation-based approach allowed us to treat protocols for different tasks in a single model, as partially demonstrated by our parameterized ideal functionality. The security properties obtained by such an analysis are quite strong and hold (via composition) in an arbitrary context. The IITM framework (and related frameworks) is designed to support modular protocol analysis, which we were able to utilize for digital signatures and encryption.