Desired Features and Design Methodologies of Secure Authenticated Key Exchange Protocols in the Public-Key Infrastructure Setting

Abstract

The importance of an authenticated key exchange (AKE) protocol has long been known in the field of cryptography. Two of the questions still being asked today are (1) what properties or features does a secure AKE protocol possess, and (2) How does one, in a step by step fashion, create a secure AKE protocol? This thesis aims to answer these two questions. The thesis contains two parts: one is a survey of previous works on the desired features of the Station-to-Station (STS) protocol, and the other is a study of a previously proposed design methodology in designing secure AKE protocols, as well as contributing an original idea of such methodologies. Descriptions and comparisons of the two design methodologies are included. The thesis surveys the literature and conducts a case study of the STS protocol, analyzes various attacks on STS through some known attacks to it, and extracts the desired properties and features of a secure AKE protocol via the case study. This part of the thesis does not propose any new result, but summarizes a complete list of issues one should take consideration of while designing an AKE protocol. We also show that at the end of this part, a secure version of STS which possesses the desired features of an AKE protocol. The other major part of the thesis surveys one design methodology of creating a secure AKE protocol by Bellare, Canetti, and Krawczyk; it is based on having a secure key exchange protocol then adding (mutual) authentication to it. The thesis then proposes another original design methodology; it starts with a secure mutual authentication protocol, then adds the secure key exchange feature without modifying overheads and number of flows of the original mutual authentication protocol. We show in this part the "secure" AKE protocol developed through these two design approaches is identical to the secure version of STS described in the other part, and thus possesses the desired features of a secure AKE protocol. We also give a proof of security of the secure AKE protocol developed under our design methodology.