Security review of an authenticated Diffie Hellman variant
Posted
by
mtraut
on Stack Overflow
See other posts from Stack Overflow
or by mtraut
Published on 2010-12-29T09:40:00Z
Indexed on
2011/01/01
19:54 UTC
Read the original article
Hit count: 204
EDIT
I'm still hoping for some advice on this, i tried to clarify my intentions...
When i came upon device pairing in my mobile communication framework i studied a lot of papers on this topic and and also got some input from previous questions here. But, i didn't find a ready to implement protocol solution - so i invented a derivate and as i'm no crypto geek i'm not sure about the security caveats of the final solution:
The main questions are
- Is SHA256 sufficient as a commit function?
- Is the addition of the shared secret as an authentication info in the commit string safe?
- What is the overall security of the 1024 bit group DH
- I assume at most 2^-24 bit probability of succesful MITM attack (because of 24 bit challenge). Is this plausible?
- What may be the most promising attack (besides ripping the device out off my numb, cold hands)
This is the algorithm sketch
- For first time pairing, a solution proposed in "Key agreement in peer-to-peer wireless networks" (DH-SC) is implemented. I based it on a commitment derived from:
- A fix "UUID" for the communicating entity/role (128 bit, sent at protocol start, before commitment)
- The public DH key (192 bit private key, based on the 1024 bit Oakley group)
- A 24 bit random challenge
- Commit is computed using SHA256
- c = sha256( UUID || DH pub || Chall)
- Both parties exchange this commitment, open and transfer the plain content of the above values.
- The 24 bit random is displayed to the user for manual authentication
DH session key (128 bytes, see above) is computed
When the user opts for persistent pairing, the session key is stored with the remote UUID as a shared secret
Next time devices connect, commit is computed by additionally hashing the previous DH session key before the random challenge. For sure it is not transfered when opening.
- c = sha256( UUID || DH pub || DH sess || Chall)
Now the user is not bothered authenticating when the local party can derive the same commitment using his own, stored previous DH session key. After succesful connection the new DH session key becomes the new shared secret.
As this does not exactly fit the protocols i found so far (and as such their security proofs), i'd be very interested to get an opinion from some more crypto enabled guys here. BTW. i did read about the "EKE" protocol, but i'm not sure what the extra security level is.
© Stack Overflow or respective owner
