User-mediated authentication protocols and unforgeability in key collision



REGULAR CONTRIBUTION

User-mediated authentication protocols and unforgeability in key collision

Britta Hale

© This is a U.S. Government work and not under copyright protection in the US; foreign copyright protection may apply 2019

Abstract

User interaction constitutes a largely unexplored field in protocol analysis, even in instances where the user takes an active role as a trusted third party, such as in Internet of Things (IoT) device initialization protocols. Initiating the formal modeling of 3-party authentication protocols where one party is a physical user, this research introduces the 3-party possession user-mediated authentication (3-PUMA) model. The 3-PUMA model addresses active user participation in a protocol which is designed to authenticate possession of a fixed data string—such as in IoT device commissioning. Using the 3-PUMA model, we provide a computational analysis of the ISO/IEC 9798-6:2010 standard's Mechanism 7a authentication protocol, which includes a user interface and interaction as well as a device-to-device channel. Furthermore, we introduce existential unforgeability under key collision attacks (EUF-KCA) and provide a corresponding security experiment. We show that the security of ISO/IEC 9798-6:2010 Mechanism 7a relies upon EUF-KCA MAC security. Since it is unknown whether any standardized MAC algorithm achieves EUF-KCA security, this research demonstrates a potential vulnerability in the standard.

Keywords: Authentication protocols · Key distribution · User interface · MAC security · Key collision attacks
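The abstract ties the security of Mechanism 7a to a MAC being unforgeable under key collision, that is, to the property that two distinct keys do not produce the same tag. The following Python is an added example, not code from the paper, showing one concrete and well-documented source of such collisions in HMAC (RFC 2104): a key longer than the hash block size is replaced by its hash before use, and a shorter key is zero-padded, so K and SHA-256(K), or K and K||0x00, are distinct keys that yield identical tags on every message. It also shows the simple defensive check of accepting only keys of the exact length the protocol fixes. The function names and the key and message bytes are my own constructions.

```python
import hashlib
import hmac

# SHA-256 processes 64-byte blocks; HMAC (RFC 2104) hashes any key longer
# than this and zero-pads any key shorter than this before mixing it in.
SHA256_BLOCK_SIZE = 64


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """Standard HMAC-SHA256 tag over msg under key."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def colliding_key(key: bytes) -> bytes:
    """Return a second, distinct key that HMAC-SHA256 treats identically.

    Longer than the block size: HMAC first replaces the key with SHA-256(key),
    so that digest is itself an equivalent key.
    Shorter than the block size: the key is zero-padded to the block size,
    so appending one zero byte gives an equivalent key.
    Exactly the block size: no trivial twin is constructed here.
    """
    if len(key) > SHA256_BLOCK_SIZE:
        return hashlib.sha256(key).digest()
    if len(key) < SHA256_BLOCK_SIZE:
        return key + b"\x00"
    raise ValueError("a key of exactly the block size has no trivial twin here")


def tags_collide(key_a: bytes, key_b: bytes, msg: bytes) -> bool:
    """True if two *different* keys yield the same tag on msg (a key collision)."""
    return key_a != key_b and hmac.compare_digest(
        hmac_sha256(key_a, msg), hmac_sha256(key_b, msg)
    )


def key_length_ok(key: bytes, expected_len: int = 32) -> bool:
    """Defensive check: accept only keys of the exact length the protocol fixes.

    Fixing the length at the point where a key enters the MAC rules out both
    twins above (hashed long keys and zero-extended short keys); it does not
    by itself make a MAC secure against key collision attacks in general.
    """
    return len(key) == expected_len


# Constructed sample inputs (not from the paper).
LONG_KEY = bytes(range(100))          # 100 bytes, longer than the block size
SHORT_KEY = b"device-commissioning"   # 20 bytes, shorter than the block size
MESSAGE = b"possession of data string D"


def demo() -> dict:
    """Exercise the twin-key construction and the length check."""
    twin_long = colliding_key(LONG_KEY)
    twin_short = colliding_key(SHORT_KEY)
    return {
        "long_twin_len": len(twin_long),
        "long_collides": tags_collide(LONG_KEY, twin_long, MESSAGE),
        "short_collides": tags_collide(SHORT_KEY, twin_short, MESSAGE),
        "unrelated_keys_collide": tags_collide(b"A" * 32, b"B" * 32, MESSAGE),
        "long_key_accepted": key_length_ok(LONG_KEY),
        "fixed_len_key_accepted": key_length_ok(b"A" * 32),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The twins here come from HMAC's key preprocessing rather than from any weakness in the underlying hash, which is why a protocol that needs tags to commit to one specific key has to pin the key length (or otherwise bind the key) at the protocol level rather than rely on the MAC alone.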

1 Introduction

While work has been carried out on modeling of 3-party—and more generally multi-party—key exchange protocols [9,16,17,26,35], 3-party authentication protocols are largely ignored. Analyses of many 3-party key exchange protocols handle the user as an out-of-band (OOB) information exchange [17,35]. Indeed, this follows from standard practice where security is only considered device-to-device and identification of a device's user is considered irrelevant or external to the cryptographic model. However, in a user-mediated protocol, the user is an active participant relaying and confirming information and even generating nonces or keys, instead of a simple possessor of a device. It is thus possible to consider a user-to-device "channel," e.g., a device keypad or display, as well as adversarial behavior on this channel. For example, an adversary may have a priori access to a device and may therefore be able to manipulate inputs/outputs.

ISO/IEC 9798-6:2010 Mechanism 7a Analysis One such user-mediated protocol is ISO/IEC 9798-6:2010 Mechanism 7a [23] (abbreviated Mechanism 7a), an authentication protocol originally published in [21]. Unlike previously analyzed ISO/I

Approved for public release; distribution is unlimited. The views expressed in this document are those of the author and do not reflect the official policy or position of the Department of Defense or the US Government.

Britta Hale, [email protected], Naval Postgraduate School (NPS), Monterey, CA, USA