Computer Standards & Interfaces 29 (2007) 467–470, www.elsevier.com/locate/csi

Vulnerabilities of generalized MQV key agreement protocol without using one-way hash functions

Kyung-Ah Shim ⁎

Department of Mathematics, Ewha Womans University, 11-1 Daemon-dong, Eudaemon-gu, Seoul, 120-750, Korea

Received 29 December 2005; received in revised form 10 November 2006; accepted 11 November 2006. Available online 5 January 2007.

Abstract

The MQV protocol is the first authenticated key agreement protocol which uses a digital signature to sign Diffie–Hellman public keys without using any one-way hash functions. Based on the MQV protocol, Harn and Lin proposed an authenticated multiple-key agreement protocol that enables two parties to establish multiple common secret keys in a single protocol run. But the protocol was subsequently found to be flawed. Tseng proposed a new generalized MQV key agreement protocol without using one-way hash functions to overcome the weaknesses of Harn–Lin's protocol. Recently, Shao showed that Tseng's protocol is insecure against signature forgery attacks and then proposed an improved authenticated multiple-key agreement protocol to resist the attacks. In this paper we show that Shao's protocol is vulnerable to unknown key-share attacks. We also point out another potential weakness of it.
© 2006 Elsevier B.V. All rights reserved.

Keywords: Cryptography; Authenticated key agreement; Multiple-key agreement protocol; Digital signature; Unknown key-share attack

1. Introduction

Key establishment is the process by which two or more entities establish a shared secret key. The key is subsequently used to achieve some cryptographic goals such as confidentiality or data integrity. The Diffie–Hellman key agreement protocol [5] is the first practical solution to the key distribution problem, allowing two parties, never having met in advance or shared keying material, to establish a shared secret by exchanging messages over an open channel. But it suffers from the man-in-the-middle attack because it does not attempt to authenticate the communicating entities. To overcome this shortcoming, numerous protocols have been proposed [14,4,11,12,9,18]. Many of these protocols were subsequently found to be flawed [4,13,17] and then either were modified to resist new attacks or were totally abandoned. In 1995, Law et al. [11] proposed the MQV key agreement protocol, which is the first key agreement protocol that used a signature for Diffie–Hellman public keys without using one-way hash functions. But Kaliski [10] showed that the MQV protocol is vulnerable to the on-line unknown key-share attack. Nevertheless, it has been standardized or is in the process of being standardized in the international standards ANSI X9.42 [1], ANSI X9.63 [2] and IEEE P1363 [8].

⁎ Tel.: +82 2 3277 2292. E-mail address: [email protected].

0920-5489/$ - see front matter © 2006 Elsevier B.V. All rights reserved. doi:10.1016/j.csi.2006.11.002

In 1998, Harn–Lin [6] proposed a generalized MQV protocol, i.e., an authenticated multiple-key agreement protocol which enables two parties to establish multiple common secret keys in a single protocol run. Later, Yen–Joye [21] indicated that the Harn–Lin protocol is not secure because an attacker can successfully forge a short-term public key pair and pass the verification equation, and they proposed an improved protocol to resist the attack. However, Wu et al. [20] pointed out that the Yen–Joye protocol still has the same weakness as the Harn–Lin protocol. They also proposed a modified protocol to enhance the security. Nevertheless, that protocol violated the original expectation of the Harn–Lin protocol that no one-way hash functions should be used in the authenticated key agreement protocol. In 2001, Harn and Lin [7] also proposed a modified protocol in which they attempted to show that two attacks on the Harn–Lin protocol [6] can easily be avoided by modifying the signature signing equation. Subsequently, Yen et al. [22] proposed an improved protocol that is secure against replay attacks by using time stamps. Tseng [19] also proposed a new protocol without using one-way hash functions to overcome the known weaknesses. Recently, Shao [17] showed that Tseng's protocol is insecure against signature forgery attacks and then proposed an improved protocol to resist the attacks. In this paper we show that Shao's protocol is vulnerable to unknown key-share attacks. We also point out another potential weakness of it.

The remainder of this paper is organized as follows. In Section 2, we review Shao's authenticated multiple-key agreement protocol. In Section 3, we point out its vulnerability to off-line unknown key-share attacks. Section 4 describes another potential weakness in the case of the compromise of certain secret information. A concluding remark is given in Section 5.

2. Review of Shao's authenticated multiple-key agreement protocol

We first review Shao's protocol [17]. The system authority publishes a large prime $p$ and a primitive element $g$ with order $p-1$ in $\mathrm{GF}(p)$. We assume that A and B want to establish four secret keys in a protocol run. Long-term public/private key pairs for A and B are $(y_A, x_A)$ and $(y_B, x_B)$, where $y_A = g^{x_A} \bmod p$ and $y_B = g^{x_B} \bmod p$. We henceforth omit the operation '$\bmod p$'. We assume that long-term public keys are exchanged via certificates, where $\mathrm{Cert}_A$ denotes A's public-key certificate, containing a string of information that uniquely identifies A, her static public key $y_A$ and a certifying authority CA's signature over this information. The protocol runs as follows:

1. A selects two random integers $k_{A1}$ and $k_{A2}$, called short-term secret keys, and computes short-term public keys $r_{A1} = y_B^{k_{A1}}$ and $r_{A2} = y_B^{k_{A2}}$ such that $0 < r_{A1}, r_{A2} < (p-1)/2$. Then A computes $r_A = g^{k_{A1}+k_{A2}}$ and generates its signature $s_A$ on $\{r_{A1}, r_{A2}\}$ as follows:

$$s_A = x_A \cdot r_A - (r_{A1} + r_{A2}) \cdot (k_{A1} + k_{A2}) \bmod (p-1).$$

Next, A sends the authenticated message $\{r_{A1}, r_{A2}, s_A, \mathrm{Cert}_A\}$ to B.

2. Similarly, B also chooses $k_{B1}$ and $k_{B2}$ and computes $r_{B1} = y_A^{k_{B1}}$, $r_{B2} = y_A^{k_{B2}}$, $r_B = g^{k_{B1}+k_{B2}}$ and

$$s_B = x_B \cdot r_B - (r_{B1} + r_{B2}) \cdot (k_{B1} + k_{B2}) \bmod (p-1).$$

Then B sends $\{r_{B1}, r_{B2}, s_B, \mathrm{Cert}_B\}$ to A.

3. After receiving the message from B, A computes $r_B = (r_{B1} \cdot r_{B2})^{x_A^{-1}}$ and verifies B's signature by checking

$$y_B^{r_B} = r_B^{(r_{B1}+r_{B2})} \cdot g^{s_B}.$$

If the verification holds, A computes four common secret keys as follows:

$$K_1 = r_{B1}^{x_A^{-1} k_{A1}} = g^{k_{A1}k_{B1}}, \quad K_2 = r_{B1}^{x_A^{-1} k_{A2}} = g^{k_{A2}k_{B1}},$$
$$K_3 = r_{B2}^{x_A^{-1} k_{A1}} = g^{k_{A1}k_{B2}}, \quad K_4 = r_{B2}^{x_A^{-1} k_{A2}} = g^{k_{A2}k_{B2}}.$$

4. Similarly, B verifies A's signature by checking the verification equation

$$y_A^{r_A} = r_A^{(r_{A1}+r_{A2})} \cdot g^{s_A}.$$

Finally, B also computes four common secret keys as follows:

$$K_1 = r_{A1}^{x_B^{-1} k_{B1}} = g^{k_{A1}k_{B1}}, \quad K_2 = r_{A2}^{x_B^{-1} k_{B1}} = g^{k_{A2}k_{B1}},$$
$$K_3 = r_{A1}^{x_B^{-1} k_{B2}} = g^{k_{A1}k_{B2}}, \quad K_4 = r_{A2}^{x_B^{-1} k_{B2}} = g^{k_{A2}k_{B2}}.$$

3. Unknown key-share attacks on Shao's protocol

In this section, we show that Shao's protocol is insecure against unknown key-share attacks. We first describe the definition of unknown key-share attacks.

3.1. Unknown key-share attacks

An unknown key-share attack on an authenticated key agreement protocol [3,4] is an attack whereby an entity A ends up believing she shares a key with B, and although this is in fact the case, B mistakenly believes the key is instead shared with an entity E ≠ A. In this scenario, we say that B has been led to false beliefs. Unknown key-share (UK-S) attacks can be divided into the following types:

• Public key substitution UK-S attacks: An adversary E registers A's public key $y_A$ as its own, i.e., $y_A = y_E$. When A initiates a protocol with B, E replaces the identity A and certificate $\mathrm{Cert}_A$ with E and $\mathrm{Cert}_E$. It is known that STS-MAC and STS-ENC are vulnerable to these attacks [3].

• On-line UK-S attacks: Requiring an on-line CA, an adversary gets its public key certified during a protocol run after observing the message transmitted. Attacks on STS-MAC [3] and the MQV protocol [10] are typical examples.

• (Off-line) UK-S attacks: Without observing the message transmitted, an adversary gets its public key certified before the execution of the protocol in order to mount the attack.

3.2. Off-line unknown key-share attacks on Shao's protocol

Now, we show that Shao's protocol is insecure against off-line unknown key-share attacks. We assume that an adversary E has her certificate $\mathrm{Cert}_E$ for a long-term public key $y_E = g^{x_E}$. Unlike the on-line unknown key-share attack on the MQV protocol [10], this UK-S attack requires no on-line CA, and E knows the long-term private key $x_E$ corresponding to $y_E$. The attack on Shao's protocol can be mounted as follows:

A → E(B): $r_{A1}, r_{A2}, s_A, \mathrm{Cert}_A$ (1.1)
E → B: $r_{E1}, r_{E2}, s_E, \mathrm{Cert}_E$ (1.1)′
B → E: $r_{B1}, r_{B2}, s_B, \mathrm{Cert}_B$ (1.2)′
E(B) → A: $r_{B1}, r_{B2}, s_B, \mathrm{Cert}_B$ (1.2)


1. When A initiates a protocol run with B by sending the message $\{r_{A1} = y_B^{k_{A1}}, r_{A2} = y_B^{k_{A2}}, s_A, \mathrm{Cert}_A\}$, an adversary E intercepts it.

2. First, E chooses a random $k$. Let $k$ be $k_{A1} + k'$. Note that neither $k_{A1}$ nor $k'$ is known to E. However, E can obtain $y_B^{k'}$ by computing $y_B^{k} \cdot (r_{A1})^{-1} = y_B^{k - k_{A1}}$. E takes $r_{E1}$ and $r_{E2}$ as $r_{A1}$ and $y_B^{k'}$, respectively. Then E computes $r_E = g^{k}$ and her own signature

$$s_E = x_E \cdot r_E - (r_{E1} + r_{E2}) \cdot k \bmod (p-1),$$

on $\{r_{E1} = y_B^{k_{A1}}, r_{E2} = y_B^{k'}\}$ and sends $\{r_{E1}, r_{E2}, s_E, \mathrm{Cert}_E\}$ to B.

3. After receiving the message (1.1)′, B thinks that the protocol run is initiated by E. Then B computes $r_E = (r_{E1} \cdot r_{E2})^{x_B^{-1}}$ and verifies E's signature using E's public key $y_E$ in $\mathrm{Cert}_E$. Its verification equation

$$y_E^{r_E} = r_E^{(r_{E1}+r_{E2})} \cdot g^{s_E}$$

always holds since $s_E$ is E's valid signature on $\{r_{E1}, r_{E2}\}$ and $k$ is equal to $k_{A1} + k'$. Then B responds by sending the message (1.2)′ to E, which forwards it to A.

4. Finally, after verifying B's signature, A computes four session keys

$$K_1 = r_{B1}^{k_{A1}} = g^{k_{A1}k_{B1}}, \quad K_2 = r_{B1}^{k_{A2}} = g^{k_{A2}k_{B1}},$$
$$K_3 = r_{B2}^{k_{A1}} = g^{k_{A1}k_{B2}}, \quad K_4 = r_{B2}^{k_{A2}} = g^{k_{A2}k_{B2}}.$$

Also, B computes the session keys

$$K_1 = r_{E1}^{k_{B1}} = g^{k_{A1}k_{B1}}, \quad K_2 = r_{E2}^{k_{B1}} = g^{k_{A2}k_{B1}},$$
$$K_3 = r_{E1}^{k_{B2}} = g^{k'k_{B2}}, \quad K_4 = r_{E2}^{k_{B2}} = g^{k'k_{B2}}.$$

Consequently, A and B share the same two keys, $K_1$ and $K_2$, of the four session keys, and A thinks that the session keys are shared with B, while B mistakenly believes that he shares the keys with E. Thus, the UK-S attack on two of the four session keys is successfully mounted. If A and B use these two session keys for subsequent communications, the serious consequences stated in [3] will follow.

This attack uses the fact that a user's signature on $\{r_{A1} = y_B^{k_{A1}}, r_{A2} = y_B^{k_{A2}}\}$ contains a factor of the form $(k_{A1} + k_{A2})$. This property allows an adversary to generate $g^{k'}$ related to $r_{A1}$ without knowledge of $k'$. The weakness against off-line UK-S attacks is due to the fact that (i) anyone who does not know the short-term secret key $k_{A1}$ corresponding to $r_{A1} = y_B^{k_{A1}}$ can generate her own signature on a message containing $r_{A1}$, and (ii) the lack of explicitness in the cryptographic messages, i.e., the signed messages of the protocol do not include specific information to confirm that the sender is identical to the genuine communicating entity.
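The protocol of Section 2 and weakness (i) above, as an added example that is not part of the paper or of Shao's work: a toy implementation with assumed parameters p = 1019 and g = 2 runs one honest exchange, then checks that a signature on {r_A1, y_B^k′} built from A's intercepted r_A1 passes B's verification even though the signer never learns k_A1.

```python
# Added example, not the paper's or Shao's own code: a toy model of the protocol
# reviewed in Section 2 plus a check of weakness (i) from Section 3.2.  Assumed
# parameters: the 10-bit prime p = 1019 with primitive root g = 2 stands in for
# a large prime, and bare long-term public keys stand in for certificates.
import random

P, G = 1019, 2              # p - 1 = 2 * 509 (both prime); g = 2 generates GF(p)^*
rng = random.Random(7)      # seeded so the run is reproducible

def primitive_root_ok(g: int = G) -> bool:
    """g has order p-1 iff g^((p-1)/q) != 1 for each prime q dividing p-1."""
    return all(pow(g, (P - 1) // q, P) != 1 for q in (2, 509))

def keygen() -> tuple:
    """Long-term (y, x) with gcd(x, p-1) = 1, since the protocol uses x^-1 mod p-1."""
    while True:
        x = rng.randrange(2, P - 1)
        if x % 2 and x % 509:
            return pow(G, x, P), x

def short_term(y_peer: int) -> tuple:
    """Short-term (k, r = y_peer^k) with 0 < r < (p-1)/2, as the protocol requires."""
    while True:
        k = rng.randrange(1, P - 1)
        r = pow(y_peer, k, P)
        if 0 < r < (P - 1) // 2:
            return k, r

def sign(x: int, r: int, r1: int, r2: int, ksum: int) -> int:
    """Signing equation: s = x*r - (r1 + r2)*(k1 + k2) mod p-1."""
    return (x * r - (r1 + r2) * ksum) % (P - 1)

def verify(y_signer: int, x_self: int, r1: int, r2: int, s: int) -> bool:
    """Recompute r = (r1*r2)^(x_self^-1) and check y^r == r^(r1+r2) * g^s."""
    r = pow(r1 * r2, pow(x_self, -1, P - 1), P)
    return pow(y_signer, r, P) == pow(r, r1 + r2, P) * pow(G, s, P) % P

def derive_keys(x_self: int, k_own, r_peer, initiator: bool) -> tuple:
    """K = r_peer^(x_self^-1 * k_own) = g^(k_own * k_peer), in the paper's K1..K4 order."""
    xinv = pow(x_self, -1, P - 1)
    pairs = ([(r, k) for r in r_peer for k in k_own] if initiator
             else [(r, k) for k in k_own for r in r_peer])
    return tuple(pow(r, xinv * k, P) for r, k in pairs)

def honest_run() -> dict:
    """Steps 1-4 between A and B: both must accept and derive the same K1..K4."""
    (yA, xA), (yB, xB) = keygen(), keygen()
    (kA1, rA1), (kA2, rA2) = short_term(yB), short_term(yB)
    sA = sign(xA, pow(G, kA1 + kA2, P), rA1, rA2, kA1 + kA2)
    (kB1, rB1), (kB2, rB2) = short_term(yA), short_term(yA)
    sB = sign(xB, pow(G, kB1 + kB2, P), rB1, rB2, kB1 + kB2)
    return {"A_accepts": verify(yB, xA, rB1, rB2, sB),
            "B_accepts": verify(yA, xB, rA1, rA2, sA),
            "A_keys": derive_keys(xA, (kA1, kA2), (rB1, rB2), True),
            "B_keys": derive_keys(xB, (kB1, kB2), (rA1, rA2), False),
            "expected": tuple(pow(G, a * b, P) for b in (kB1, kB2) for a in (kA1, kA2))}

def sign_without_short_term_key() -> dict:
    """Weakness (i): E signs {r_A1, y_B^k'} using k = k_A1 + k' although k_A1 is unknown."""
    (yB, xB), (yE, xE) = keygen(), keygen()
    kA1, rA1 = short_term(yB)                           # A's first short-term public key
    k = rng.randrange(1, P - 1)                         # E's random k; k' = k - k_A1 is never computed
    rE1, rE2 = rA1, pow(yB, k, P) * pow(rA1, -1, P) % P    # y_B^k' = y_B^k / r_A1
    sE = sign(xE, pow(G, k, P), rE1, rE2, k)            # B recomputes r_E = (r_E1*r_E2)^(x_B^-1) = g^k
    kB1 = rng.randrange(1, P - 1)                       # B's short-term key in its reply to "E"
    return {"B_accepts": verify(yE, xB, rE1, rE2, sE),
            "B_K1_uses_A_secret": pow(rE1, pow(xB, -1, P - 1) * kB1, P) == pow(G, kA1 * kB1, P)}
```

B's K1 in the last function is g^(k_A1 k_B1), a key built from A's short-term secret but attributed by B to E; the remaining steps of the paper's attack are not reproduced here.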

4. Another weakness of Shao's protocol

We say that a protocol achieves forward secrecy if, when the long-term private keys of one or more entities are compromised, the secrecy of previous session keys established by honest entities is not affected. Shao's protocol achieves forward secrecy. However, we show that it has the following potential weakness: the compromise of the long-term private keys and of one session key of a protocol run reveals the other three session keys of that run. Suppose that A's long-term private key $x_A$ and B's long-term private key $x_B$ are compromised to an adversary E. Then E can obtain some equations related to each user's short-term secret keys. Indeed, E, who knows $x_B$, can compute $r_A = (r_{A1} \cdot r_{A2})^{x_B^{-1}}$ and the following equations:

$$x_A \cdot r_A - s_A = (r_{A1} + r_{A2}) \cdot (k_{A1} + k_{A2}),$$
$$k_{A1} + k_{A2} = (x_A \cdot r_A - s_A) \cdot (r_{A1} + r_{A2})^{-1}.$$

Similarly, E can obtain the value $k_{B1} + k_{B2}$ from $x_B$ and the ephemeral public keys $r_{B1}$ and $r_{B2}$. From these values, E can compute the following equations:

$$r_{A1}^{x_B^{-1}(k_{B1}+k_{B2})} = (g^{k_{A1}})^{k_{B1}+k_{B2}} = g^{k_{A1}k_{B1} + k_{A1}k_{B2}} \quad (1)$$
$$r_{B1}^{x_A^{-1}(k_{A1}+k_{A2})} = (g^{k_{B1}})^{k_{A1}+k_{A2}} = g^{k_{A1}k_{B1} + k_{A2}k_{B1}} \quad (2)$$
$$r_{B2}^{x_A^{-1}(k_{A1}+k_{A2})} = (g^{k_{B2}})^{k_{A1}+k_{A2}} = g^{k_{A1}k_{B2} + k_{A2}k_{B2}} \quad (3)$$

These relationships lead to serious consequences in the case of the compromise of additional secret information. If one session key of a past session (say $K_1 = g^{k_{A1}k_{B1}}$) is compromised, then the other three session keys $K_2$, $K_3$ and $K_4$ are also revealed: E can recover $K_2 = g^{k_{A2}k_{B1}}$ from Eq. (2) by calculating $(2) \times K_1^{-1} = g^{k_{A2}k_{B1}}$; $K_3 = g^{k_{A1}k_{B2}}$ from Eq. (1) by calculating $(1) \times K_1^{-1} = g^{k_{A1}k_{B2}}$; and $K_4 = g^{k_{A2}k_{B2}}$ from Eq. (3) by calculating $(3) \times K_3^{-1} = g^{k_{A2}k_{B2}}$.

In this way, although the session key computation of the protocol is independent of the users' long-term private keys, the relationship between the long-term private key used for signing and the ephemeral private key used for session key computation may compromise a certain security attribute. Thus, the signature scheme should be designed so as not to reveal to adversaries the relationship between the long-term private key (signing key) and the ephemeral private key.
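The Section 4 relations carried through in code, as an added example that is not part of the paper: with x_A and x_B compromised, the sums k_A1 + k_A2 and k_B1 + k_B2 are recovered from the transmitted signatures, and one compromised K1 yields K2, K3 and K4 via Eqs. (1)–(3). It assumes the toy parameters p = 1019, g = 2 and constructed fixed secrets; the range condition on r_A1, r_A2 is not enforced since it plays no role in these equations.

```python
# Added example (not the paper's own code) for the Section 4 weakness.  Assumed
# toy parameters: p = 1019 (p - 1 = 2 * 509) with primitive root g = 2.
P, G = 1019, 2

def inv_exp(a: int) -> int:
    """Inverse modulo p - 1, the modulus of all exponent arithmetic."""
    return pow(a, -1, P - 1)

def transcript(xA: int, xB: int, kA: tuple, kB: tuple) -> tuple:
    """What an eavesdropper sees in one run: r_A1, r_A2, s_A and r_B1, r_B2, s_B."""
    yA, yB = pow(G, xA, P), pow(G, xB, P)
    rA = [pow(yB, k, P) for k in kA]                     # r_Ai = y_B^{k_Ai}
    rB = [pow(yA, k, P) for k in kB]                     # r_Bi = y_A^{k_Bi}
    sA = (xA * pow(G, sum(kA), P) - sum(rA) * sum(kA)) % (P - 1)
    sB = (xB * pow(G, sum(kB), P) - sum(rB) * sum(kB)) % (P - 1)
    return rA, sA, rB, sB

def recover_ksum(x_signer: int, x_other: int, r1: int, r2: int, s: int) -> int:
    """k1 + k2 = (x*r - s) * (r1 + r2)^-1 mod p-1, with r = (r1*r2)^(x_other^-1)."""
    r = pow(r1 * r2, inv_exp(x_other), P)
    return (x_signer * r - s) * inv_exp(r1 + r2) % (P - 1)

def recover_keys(xA: int, xB: int, rA, sA: int, rB, sB: int, K1: int) -> tuple:
    """Eqs. (1)-(3): K2 = (2)/K1, K3 = (1)/K1, K4 = (3)/K3."""
    ksA = recover_ksum(xA, xB, rA[0], rA[1], sA)        # k_A1 + k_A2
    ksB = recover_ksum(xB, xA, rB[0], rB[1], sB)        # k_B1 + k_B2
    eq1 = pow(rA[0], inv_exp(xB) * ksB, P)              # g^(kA1 kB1 + kA1 kB2)
    eq2 = pow(rB[0], inv_exp(xA) * ksA, P)              # g^(kA1 kB1 + kA2 kB1)
    eq3 = pow(rB[1], inv_exp(xA) * ksA, P)              # g^(kA1 kB2 + kA2 kB2)
    K2 = eq2 * pow(K1, -1, P) % P
    K3 = eq1 * pow(K1, -1, P) % P
    K4 = eq3 * pow(K3, -1, P) % P
    return K2, K3, K4

def demo() -> tuple:
    """Constructed run: returns (recovered K2..K4, true K2..K4) for one compromised K1."""
    xA, xB = 123, 457                 # odd and not multiples of 509: invertible mod 1018
    for t in range(1, 500):           # pick short-term keys whose r1 + r2 is invertible mod p-1
        kA, kB = (t, t + 33), (t + 50, t + 111)
        rA, sA, rB, sB = transcript(xA, xB, kA, kB)
        if all(v % 2 and v % 509 for v in (sum(rA), sum(rB))):
            break
    K1 = pow(G, kA[0] * kB[0], P)     # the one session key assumed compromised
    truth = tuple(pow(G, e, P) for e in (kA[1] * kB[0], kA[0] * kB[1], kA[1] * kB[1]))
    return recover_keys(xA, xB, rA, sA, rB, sB, K1), truth
```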

In general, we note that the compromise of long-term secret keys does not necessarily mean that they are obtained via an inversion of the long-term public key. Long-term secrets are in practice vulnerable secrets in the system; in a typical setting, they are stored on disk, perhaps protected by a password. Since users must store their secret keys for use in key computation, the secret keys may also be obtained through a lack of suitable physical measures. An adversary is also able to obtain the session key used in any sufficiently old previous run of the protocol. In some environments (e.g., due to implementation and engineering decisions), the probability of compromise of session keys may be greater than that of long-term keys. In particular, when using cryptographic techniques of only moderate strength, the possibility exists that over time extensive cryptanalytic effort may uncover past session keys. Such partial information can come from many sources, for example, side channel analysis or a poor implementation. In fact, well-designed implementations of key distribution systems will prevent session keys from being disclosed or lost. However, in real systems one should be wary, particularly with poor implementations or with applications in which the session keys are eventually disclosed. Thus, assumptions on the compromise of some secret information are plausible. Resistance to such compromise is attractive for the robustness of the security in most commercial applications, where customers do not always protect their keys sufficiently. Consequently, a secure protocol design will minimize the effects of such events.

5. Conclusion

We have shown that Shao's protocol is insecure against off-line unknown key-share attacks. The on-line unknown key-share attack on the MQV protocol due to Kaliski [10] requires an unusual assumption on the existence of an on-line CA, and it can be prevented by requiring that entities prove to the Certification Authority (CA) possession of the secret keys corresponding to their public keys during the certification process. But the off-line unknown key-share attack presented in this paper requires no on-line CA, and it cannot be prevented by the CA's checking process above. As in [3], including the identities of the participating entities in the key derivation function that derives session keys from shared secrets can prevent all kinds of unknown key-share attacks. But this method is not so desirable because it requires an additional one-way hash function. To prevent these unknown key-share attacks without using hash functions, a signature scheme adapted to the protocol should satisfy the property that only one who knows both short-term secret keys $k_{A1}, k_{A2}$ as well as her long-term private key $x_A$ can generate her own signature on the short-term public keys $\{y_B^{k_{A1}}, y_B^{k_{A2}}\}$. In fact, when we analyze the security of a protocol, we should consider not only the protocol itself but also the adapted cryptographic primitives such as a digital signature scheme, because cryptographic primitives may be secure alone but may lose their security when they are adapted to a certain protocol. From this point of view, in Shao's protocol the exact security of the adapted signature scheme was not considered previously, for example, existential unforgeability against an adaptively chosen-message attack as in the DSA [15] and the Schnorr signature scheme [16]. Finally, we showed that the compromise of the long-term private keys and a session key of a protocol run reveals the other three session keys of that run.

References

[1] ANSI X9.42, Agreement of Symmetric Algorithm Keys Using Diffie–Hellman, Working Draft, May 1998.

[2] ANSI X9.63, Elliptic Curve Key Agreement and Key Transport Protocols, Working Draft, July 1998.

[3] S. Blake-Wilson, D. Johnson, A. Menezes, Unknown key-share attacks on the station-to-station (STS) protocol, Proc. of PKC '99, LNCS 1560, 1999, pp. 154–170.

[4] S. Blake-Wilson, A. Menezes, Authenticated Diffie–Hellman key agreement protocols, Proc. of SAC '98, LNCS 1556, Springer-Verlag, 1999, pp. 339–361.

[5] W. Diffie, M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (6) (1976) 644–654.

[6] L. Harn, H.Y. Lin, An authenticated key agreement without using one-way hash functions, Proc. 8th Nat. Conf. Information Security, Kaohsiung, Taiwan, May 1998, pp. 155–160.

[7] L. Harn, H.Y. Lin, Authenticated key agreement without using one-way hash functions, Electronics Letters 37 (10) (2001) 629–630.

[8] IEEE P1363, Standard Specifications for Public-Key Cryptosystems, Working Draft, July 1998.

[9] M. Just, S. Vaudenay, Authenticated multi-party key agreement, Advances in Cryptology, Proceedings of Asiacrypt '96, Lecture Notes in Computer Science, vol. 537, Springer-Verlag, New York, 1997, pp. 36–49.

[10] B. Kaliski, Contribution to ANSI X9F1 and IEEE P1363 Working Groups, June 1998.

[11] L. Law, A. Menezes, M. Qu, J. Solinas, S. Vanstone, An efficient protocol for authenticated key agreement, Designs, Codes and Cryptography 28 (2) (2003) 119–134.

[12] S. Lee, J. Lim, J. Kim, An Efficient and Secure Key Agreement, Contribution to IEEE P1363a Working Group, 1999.

[13] C. Lim, P. Lee, A key recovery attack on discrete log-based schemes using a prime order subgroup, Advances in Cryptology, Crypto '97, LNCS 1294, Springer-Verlag, 1997, pp. 249–263.

[14] T. Matsumoto, Y. Takashima, H. Imai, On seeking smart public-key distribution systems, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Science E69 (1986) 99–106.

[15] National Institute of Standards and Technology, Digital Signature Standard, FIPS Publication 186-2, February 2000, available at http://csrc.nist.gov/fips.

[16] C.P. Schnorr, Efficient signature generation by smart cards, Journal of Cryptology 4 (3) (1991) 161–174.

[17] Z. Shao, Security of robust generalized MQV key agreement protocol without using one-way hash functions, Computer Standards and Interfaces 25 (5) (2003) 431–436.

[18] B. Song, K. Kim, Two-pass authenticated key agreement protocol with key confirmation, Progress in Cryptology, Proceedings of Indocrypt '00, Lecture Notes in Computer Science, vol. 1977, Springer-Verlag, New York, 2000, pp. 237–249.

[19] Y.M. Tseng, Robust generalized MQV key agreement protocol without using one-way hash functions, Computer Standards and Interfaces 24 (3) (2002) 241–246.

[20] T.S. Wu, W.H. He, C.L. Hsu, Security of authenticated multiple-key agreement protocols, Electronics Letters 35 (5) (1999) 391–392.

[21] S.M. Yen, M. Joye, Improved authenticated multiple-key agreement protocol, Electronics Letters 34 (18) (1998) 18–19.

[22] S.M. Yen, H.M. Sun, T. Hwang, Improved authenticated multiple-key agreement protocol, Proc. 11th Nat. Conf. Information Security, 2001, pp. 229–231.

Kyung-Ah Shim received her M.S. and Ph.D. degrees in Mathematics from Ewha Womans University in 1994 and 1999, respectively. From 2000 to 2004, she worked as a senior researcher in the Korea Information Security Agency. Currently, she is a Research Professor at the Department of Mathematics of Ewha Womans University. Her research activities are mainly focused on cryptography and information security.