Security review of an authenticated Diffie Hellman

2019-08-02 02:32发布

问题:

EDIT

I'm still hoping for some advice on this, i tried to clarify my intentions...

When i came upon device pairing in my mobile communication framework i studied a lot of papers on this topic and and also got some input from previous questions here. But, i didn't find a ready to implement protocol solution - so i invented a derivate and as i'm no crypto geek i'm not sure about the security caveats of the final solution:

The main questions are

  • Is SHA256 sufficient as a commit function?
  • Is the addition of the shared secret as an authentication info in the commit string safe?
  • What is the overall security of the 1024 bit group DH
  • I assume at most 2^-24 bit probability of succesful MITM attack (because of 24 bit challenge). Is this plausible?
  • What may be the most promising attack (besides ripping the device out off my numb, cold hands)

This is the algorithm sketch

  • For first time pairing, a solution proposed in "Key agreement in peer-to-peer wireless networks" (DH-SC) is implemented. I based it on a commitment derived from:
    • A fix "UUID" for the communicating entity/role (128 bit, sent at protocol start, before commitment)
    • The public DH key (192 bit private key, based on the 1024 bit Oakley group)
    • A 24 bit random challenge
  • Commit is computed using SHA256
    • c = sha256( UUID || DH pub || Chall)
  • Both parties exchange this commitment, open and transfer the plain content of the above values.
    Alice                                   Bob
    ca = commit()                        
                    -------^ ca
                                            cb = commit()
                    cb ^-----------
    open
                    ---^ DH pub a, chall a
                                            open
                    DH pub b, chall b ^---
  • The 24 bit random is displayed to the user for manual authentication
  • DH session key (128 bytes, see above) is computed

  • When the user opts for persistent pairing, the session key is stored with the remote UUID as a shared secret

  • Next time devices connect, commit is computed by additionally hashing the previous DH session key before the random challenge. For sure it is not transfered when opening.

    • c = sha256( UUID || DH pub || DH sess || Chall)
  • Now the user is not bothered authenticating when the local party can derive the same commitment using his own, stored previous DH session key. After succesful connection the new DH session key becomes the new shared secret.

As this does not exactly fit the protocols i found so far (and as such their security proofs), i'd be very interested to get an opinion from some more crypto enabled guys here. BTW. i did read about the "EKE" protocol, but i'm not sure what the extra security level is.

回答1:

"Is SHA256 sufficient as a commit function?"

The use of SHA256 should be just fine. The only issue I have heard of is that it has a hash extension vulnerability. If you produce multiple hashes using the same data don't simply concat more data to the end of the data you already hashed. In your post have have the two hashes "sha256( UUID || DH pub || Chall)" and "sha256( UUID || DH pub || DH sess || Chall)". If that second one was "sha256( UUID || DH pub || Chall || DH sess)" then there would be a relation between the hash values if UUID, DH pub, and Chall were all the same values as before. You should either take care to avoid the hash extension issue or include a salt value into the data to be hashed, either by communicating the salt across the link or having differing vales for each code path.

On a side note: is it really necessary to transmit a Chall when you already have a previous session key saved and don't need to ask the user to manually confirm the challenge code?

"Is the addition of the shared secret as an authentication info in the commit string safe?"

I'm guessing you mean to ask "Is it safe to include secret information in a hash that is to be made public?" If the secret is something that is really hard to guess and would take a really long time to perform a bruteforce attack against, then yes it is safe. If the secret is something easy to guess or has only a few possible values, then no, it's not safe unless you, at the same time, include some hard to guess secret to force a potential eavesdropper to have to guess all such secrets simultaneously. For a large, effectively random number like a DH shared secret then it should be just fine.

"What is the overall security of the 1024 bit group DH"

I'm not sure if DH group 1024 is what you want to use. A key exchange that is considered to be close to being as effective as the SHA256 hash algorithm you're using would be 521 bit ECDH. The cryptographic strength of ECDH is considered to be 1/2, so if you want 256 bit security, you want 521 bit ECDH. Unfortunately, I'm not certain about the security of the many individual 521 bit ECDH groups that have been published.

"I assume at most 2^-24 bit probability of succesful MITM attack (because of 24 bit challenge). Is this plausible?"

There is more than one way perform a MITM attack. Eve will use every resource at her disposal to perform her attacks and if you are not careful she will exploit something you didn't think of. This is why peer review is necessary in cryptography.



回答2:

Simply, if you make your own cryptographic solution, then it's weak.

for the little story, the VISA guys have to start again 4 times before it's became strong enough.

I'm not a security expert, but it was what my crypto teacher told us everytime.



回答3:

I've come up with this possible attack, based on my understanding of the protocol, inspired by Lowe's Attack to Needham-Shroeder Public Key Protocol:

  • Alice wants to reconnect. Calculates its committment ca and sends to Bob. The message is captured by Mallory.
  • Mallory answers. She does not know the shared secret, so she invents one. Calculates cb and sends to Alice.
  • At this step, Alice cannot verify the shared secret yet. So she sends DHpubA and ChallA.
  • Mallory ignores the messages from Alice and disappears.

Now Mallory has a valid DHpubA, ChallA and the corresponding (valid) ca.

  • Mallory sends ca to Bob.
  • Bob answers with cb.
  • Mallory sends a valid set of DhpubA, ChallA
  • Bob sends his DhpubB and ChallB

Since Bob can validate Mallory's messages, she is authenticated as Alice. Obviously Mallory does not know DHprivA, se she cannot calculate the current session key, but nevertheless you have a security flaw since Bob thinks he's talking to Alice.

General advice: avoid implementing you own cryptographic solution and don't trust security reviews from anyone else than an established security firm.

If you feel that your security requirements are not satisfied by standard mainstream crypto, try stating your requirements and asking whether is there a security procotol that matches them.



回答4:

That sounds OK. Not sure what you meant by "fix[ed] UUID"? Could a rogue app access the UUID and session keys: are they stored system-wide or in a service? There is some text in the SDK that suggests that any keystore always waits for user confirmation before returning a key.