Secure Communications over Insecure Channels Based on Short Authenticated Strings
Abstract
We propose a way to establish peer-to-peer authenticated communications over an insecure channel by using an extra channel which can authenticate very short strings, e.g. 15 bits. We call this SAS-based authentication, as in authentication based on Short Authenticated Strings. The extra channel uses a weak notion of authentication in which strings cannot be forged nor modified, but whose delivery can be maliciously stalled, canceled, or replayed. Our protocol is optimal and relies on an extractable or equivocable commitment scheme. This approach offers an alternative (or complement) to public-key infrastructures, since we no longer need any central authority, and to password-based authenticated key exchange, since we no longer need to establish a confidential password. It can be used to establish secure associations in ad-hoc networks. Applications could be the authentication of a public key (e.g. for SSH or PGP) by users over the telephone, the user-aided pairing of wireless (e.g. Bluetooth) devices, or the restoration of secure associations in a disaster case, namely when one remote peer has had his long-term keys corrupted.

1 On Building Secure Communications

One of the key issues of modern cryptography is the problem of establishing a secure peer-to-peer communication over an insecure channel. Assuming that we can establish a private and authenticated key, standard tunneling techniques can achieve it. In the seminal work of Merkle [32] and Diffie and Hellman [18], the private and authenticated key establishment problem was reduced to establishing a communication in which messages are authenticated. Public key cryptosystems such as RSA [39] further reduce it to the establishment of an authenticated public key. Note that the seed authentication is also a limiting factor for quantum cryptography [10].
Another major step was the notion of password-based authenticated key agreement, which was first proposed by Bellovin and Merritt [8,9] and whose security was proven by Bellare, Pointcheval, and Rogaway [5] in the random oracle model. Another protocol, provably secure in the standard model, was proposed by Katz, Ostrovsky, and Yung [29]. Here, we assume that a private and authenticated short password was set up prior to the protocol. The key agreement protocol is such that no offline dictionary attack is feasible against the password, so that the threat model is restricted to online password-guessing attacks, which are easily detectable.^1 When compared to the above approach, we thus reduce the size of the initial key, but we require its confidentiality again.

^1 See Chapter 7 of [12] for a survey on password-based authenticated key agreement.

3-party models offer other solutions. The Needham-Schroeder model [34] assumes that everyone has a private authenticated key with a Trusted Third Party (TTP). Kerberos [30] is a popular application. The authenticated-only key model is achieved with the notion of a certificate issued by a Certificate Authority (CA). TLS [19] typically uses X.509 [27] certificates. Note that TLS authenticates the server to the client (which is enough to open a secure tunnel), but that the client authentication is typically based on a (short) password sent through the tunnel. Finally, fully password-based 3-party authenticated key agreement was studied by Abdalla, Fouque, and Pointcheval [3].

Ad-hoc networks cannot assume the availability of a central third party, and setting up a secure network is a real challenge. Networks which are not attended by a human operator (e.g. sensor networks) can use a pragmatic solution such as the "resurrecting duckling" paradigm of Stajano and Anderson [40]. Smaller networks which are attended by a human operator, such as networks of personal mobile devices (laptops, cell phones, PDAs, headsets, ...), can use the human operator as a third party, but must minimize his job. A familiar example is Bluetooth [2] pairing: the operator picks a random PIN code and types it on the devices to be associated, and a pairing protocol is run over the wireless link to establish a 128-bit private authenticated key. Operator-to-device transmission is assumed to be secure (i.e. confidential and authenticated). However, as shown by Jakobsson and Wetzel [28], the standard Bluetooth pairing protocol is insecure unless we assume that either the radio communications in the pairing protocol are confidential as well, or the PIN code is long enough.
Similar references
Secure Communications over Insecure Channels Using an Authenticated Channel
A secure peer-to-peer communication over an insecure channel without any prior exchanged key can be established with the help of an authentication step to exchange a public key. Then, standard methods of public-key cryptography such as RSA can be used to communicate securely. In this work, we concentrate on message authentication protocols which require an extra authenticated channel. We start ...
SAS-Based Authenticated Key Agreement
Key agreement protocols are frequently based on the Diffie-Hellman protocol but require authenticating the protocol messages in two ways. This can be done by a cross-authentication protocol. Such protocols, based on the assumption that a channel which can authenticate short strings is available (SAS-based), have been proposed by Vaudenay. In this paper, we survey existing protocols and we propos...
Pairing-Based Two-Party Authenticated Key Agreement Protocol
To achieve secure data communications, two parties should be authenticated by each other and agree on a secret session key by exchanging messages over an insecure channel. In this paper, based on the bilinear pairing, we present a new two-party authenticated key agreement protocol, and use the techniques from provable security to examine the security of our protocol within Bellare-Rogaway model.
The Seed Encryption Scheme for Security of Peer-To-Peer Communications
The paper focuses on providing an optimal security blanket for the mass of information exchanged between nodes involved in the peer-to-peer mode of communication. Dedicated nodes communicating in this mode often become victims of malicious attacks that can only occasionally be evaded with the existing secure transmission techniques. Exchange of encrypted references to the actual intelligence other than d...
Authenticated Key Agreement with Key Re-use in the Short Authenticated Strings Model
Serge Vaudenay [19] introduced a notion of Message Authentication (MA) protocols in the Short Authenticated String (SAS) model. A SAS-MA protocol authenticates arbitrarily long messages sent over insecure channels as long as the sender and the receiver can additionally send a very short, e.g. 20 bit, authenticated message to each other. The main practical application of a SAS-MA protocol is Aut...