[Resource Topic] 2017/818: No-Match Attacks and Robust Partnering Definitions – Defining Trivial Attacks for Security Protocols is Not Trivial

Welcome to the resource topic for 2017/818

Title:
No-Match Attacks and Robust Partnering Definitions – Defining Trivial Attacks for Security Protocols is Not Trivial

Authors: Yong Li, Sven Schäge

Abstract:

An essential cornerstone of the definition of security for key exchange protocols is the notion of partnering. It defines when two protocol instances can be considered to have communicated with each other and thus share important secret information. In all existing security definitions this serves as an important tool to exclude trivial attacks. The de-facto standard definition of partnering is that of (partial) matching conversations (MC), which essentially states that two processes are partnered if every message sent by the first is actually received by the second and vice versa. We show that proving security under MC-based definitions is error-prone. In particular, we provide several examples of protocols that claim to be secure under a MC-based security definition but where the security proof is actually flawed. To this end, we introduce no-match attacks, a new class of attacks that renders many existing security proofs invalid. Interestingly, no-match attacks do not seem to constitute practical attacks against the protocols in the sense that they compromise the secrecy of confidential parameters in real life applications. However, they propose serious, sometimes unsolvable obstacles to proofs in traditional security models. We show that no-match attacks are often hard to avoid in MC-based security definitions without a) modifications of the original protocol or b) resorting to the use of cryptographic primitives with special properties. Finally, we show several ways to thwart no-match attacks. Most notably and as one of our major contributions, we provide a conceptually new definition of partnering that circumvents the problems of a MC-based partnering notion while preserving all its advantages. Our new notion of partnering not only makes security definitions for key exchange model practice much more closely. In contrast to many other security notions of key exchange it also adheres to the high standards of good cryptographic definitions: it is general, supports cryptographic intuition, allows for efficient falsification, and provides a fundamental composition property that MC-based notions lack.

ePrint: https://eprint.iacr.org/2017/818

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.