A Comprehensive Formal Security Analysis and Revision of the Two-phase Key Exchange Primitive of TPM 2.0
Qianying Zhang, Shijun Zhao

TL;DR
This paper provides a formal security analysis of TPM 2.0's two-phase key exchange primitive, identifies limitations, and proposes a revision that enhances its security for practical real-world applications.
Contribution
It introduces the first formal security model for TPM 2.0's key exchange and proposes a revision to overcome practical limitations.
Findings
Original key exchange primitive is secure under certain conditions.
Proposed revision removes impractical limitations.
Revised primitive achieves modern AKE security properties.
Abstract
The Trusted Platform Module (TPM) version 2.0 provides a two-phase key exchange primitive which can be used to implement three widely-standardized authenticated key exchange protocols: the Full Unified Model, the Full MQV, and the SM2 key exchange protocols. However, vulnerabilities have been found in all of these protocols. Fortunately, it seems that the protections offered by TPM chips can mitigate these vulnerabilities. In this paper, we present a security model which captures TPM's protections on keys and protocols' computation environments and in which multiple protocols can be analyzed in a unified way. Based on the unified security model, we give the first formal security analysis of the key exchange primitive of TPM 2.0, and the analysis results show that, with the help of hardware protections of TPM chips, the key exchange primitive indeed satisfies the well-defined security…
| NIST Series | BN Series | SECG Series | SM2 | |||||||||||||||
| P192 | P224 | P256 | P384 | P521 | P192 | P224 | P256 | P384 | P521 | P638 | P192 | P224 | P256 | P384 | P521 | P256 | ||
| NIST | 95.2 | 111.0 | 126.9 | 190.2 | 258.7 | 95.1 | 111.0 | 126.9 | 190.2 | 253.6 | 315.0 | 95.2 | 111.0 | 126.6 | 190.4 | 258.6 | 125.8 | |
| 800-89 | SHA-2 | 95.9 | 112.0 | 127.9 | 191.3 | 259.8 | 96.2 | 112.0 | 128.0 | 191.2 | 254.8 | 316.1 | 96.0 | 11.0 | 127.9 | 191.3 | 259.6 | 126.9 |
| CTW | 97% | 98% | 98% | 99% | 100% | 97% | 98% | 98% | 99% | 99% | 100% | 97% | 98% | 98% | 99% | 100% | 100% | |
| Ratio | SHA-2 | 98% | 98% | 99% | 99% | 100% | 98% | 98% | 99% | 99% | 100% | 100% | 98% | 98% | 99% | 99% | 100% | 100% |
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdvanced Authentication Protocols Security · Cryptography and Data Security · User Authentication and Security Systems
A Comprehensive Formal Security Analysis and Revision of the Two-phase Key Exchange Primitive of TPM 2.0
Qianying Zhang
College of Information Engineering
Capital Normal University
&Shijun Zhao
Huawei Technologies Co., Ltd.
[email protected] This paper is an extension of the conference version appearing in the Proceedings of the 8th International Conference on Trust and Trustworthy Computing (Trust’15) [1]. This paper presents the details of the proof of the key exchange primitive of the TPM 2.0 specifications, gives concrete suggestions on how to revise the key exchange primitive of TPM 2.0 to make it applicable in real-world networks and achieve a higher level of security, and rigorously analyzes the revised key exchange primitive.(Corresponding author: Shijun Zhao)
Abstract
The Trusted Platform Module (TPM) version 2.0 provides a two-phase key exchange primitive which can be used to implement three widely-standardized authenticated key exchange protocols: the Full Unified Model, the Full MQV, and the SM2 key exchange protocols. However, vulnerabilities have been found in all of these protocols. Fortunately, it seems that the protections offered by TPM chips can mitigate these vulnerabilities. In this paper, we present a security model which captures TPM’s protections on keys and protocols’ computation environments and in which multiple protocols can be analyzed in a unified way. Based on the unified security model, we give the first formal security analysis of the key exchange primitive of TPM 2.0, and the analysis results show that, with the help of hardware protections of TPM chips, the key exchange primitive indeed satisfies the well-defined security property of our security model, but unfortunately under some impractical limiting conditions, which would prevent the application of the key exchange primitive in real-world networks. To make TPM 2.0 applicable to real-world networks, we present a revision of the key exchange primitive of TPM 2.0, which can be secure without the limiting conditions. We give a rigorous analysis of our revision, and the results show that our revision achieves not only the basic security property of modern AKE security models but also some further security properties.
K****eywords Authenticated Key Exchange Security Analysis TPM 2.0
1 Introduction
The TPM, presented by the Trusted Computing Group (TCG), is widely available in modern PCs and laptops, and is used to enhance the security of modern operating systems: the Linux kernel integrity subsystem leverages the TPM to store integrity measurements of software and attest to remote entities; Windows adds many security features based on the TPM, such as trusted boot, full disk encryption (Bitlocker), device attestation, and credential protection; the Chrome OS uses the TPM to prevent firmware rollback attacks and to protect users’ sensitive data and keys. Besides, TPM also presents a promising usage in the Industry 4.0 [2]: it has been widely used as the hardware root of trust for the Industry 4.0 devices and can protect the trustworthiness, identity, and communication of the devices. Take the automotive use case of Industry 4.0 for example, TCG publishes TPM specifications for components of vehicle systems [3, 4]: an Automotive-Rich TPM having rich capabilities can be defined for Head Unit or Gateway components of vehicle systems with powerful processing, networking and applications functionality, and an Automotive-thin TPM having fewer capabilities can be defined for Head Unit or Gateway components with limited resources.
The newest TPM specifications, TPM 2.0 [5, 6], allow each platform to choose the functions needed and the level of security required. This flexibility allows TPM 2.0 to be implemented in different types such as security chips and protected software in a trusted execution environment (TEE) [7], so that TPM chips can be applied to different kinds of platforms from low-end embedded devices to PCs and even servers. In conclusion, the TPM plays an important role in the security of both personal devices and industrial devices.
In this paper, we focus on the secure communication feature of TPM 2.0: the authenticated key exchange (AKE) functionality, which provides secure communication for devices. AKE is an important public key primitive in modern cryptography, which allows two parties to establish a shared secret session key via a public insecure communication while providing mutual authentication. To prevent active attacks, AKE protocols usually use digital signatures or message authentication codes (MAC) to explicitly authenticate the messages exchanged [8, 9, 10, 11]. However, these authentication mechanisms incur significant overhead in both computation and communication. To overcome the disadvantages of the explicitly AKE protocols, the implicitly AKE protocols [12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24] are proposed. This kind of protocols only requires basic Diffie-Hellman exchanges while providing identity authentication by combining the ephemeral keys and long-term keys during the derivation of the session key, and achieves efficiency in both computation and communication.
The TPM 2.0 specifications support three implicitly AKE protocols: the Full Unified Model (UM) [25], Full MQV [13], and SM2 key exchange protocols [22]. All the three protocols have been widely standardized: the Full UM and Full MQV protocols are standardized by ANSI [26, 27], NIST [28], IEEE [29]; the SM2 key exchange protocol is standardized by the Chinese Government State Cryptography Administration [30] and some industrial standards [31]. TPM 2.0 describes implicitly AKE protocols as two-phase key exchange protocols because TPM 2.0 implements them in two phases. In the first phase, the TPM generates an ephemeral DH key and sends its public part to the other party. In the second phase, the TPM generates the unhashed shared secret by combining ephemeral keys and long-term keys, and then the host of the TPM uses the unhashed shared secret to derive a session key. Some works [32, 33, 34] using the TPM to improve the efficiency or security of AKE protocols have been proposed.
We first introduce some notations used in this paper. Let be a finite Abelian group of order , be a subgroup of prime order . Denote by a generator of , by the identity element, by the set of elements of except , and by the cofactor. We use the multiplicative notation for the group operation in . Let denote randomly selecting an integer between and . Note that is an elliptic curve in this work, for all the three protocols are based on elliptic curve cryptography. Let denote the -coordinate of point . The party having as its public key will be denoted by . The Full UM, Full MQV and SM2 key exchange protocols are described in Figure 1. We let denote the security parameter, and and are cryptographic hash functions. The Full UM protocol analyzed in this paper includes the ephemeral public keys exchanged as suggested by [16]. The Full MQV protocol is a variant of the original MQV protocol [13] which does not include parties’ identifiers in the session key derivation.
1.1 Security models for AKE protocols
In the early days, AKE protocols are designed in an ad-hoc manner and cannot provide well-defined security properties. To deal with this problem, some rigorous security models are proposed, and by now, it has become a basic requirement for AKE protocols to achieve the security properties defined by AKE security models. The first security model is proposed by Bellare and Rogaway [35], which is called BR model. The BR model allows the attacker to control all communications between the parties, learn secret state of some party by corrupting him, and obtain the session key of some session by revealing it. However, the BR model does not allow the attacker to get the ephemeral state of some session and the lack of simulating this attack activity prevents BR model to simulate some practical attack situations. To deal with this flaw, the CK model [36] and the eCK model [19] simulate the leakage of ephemeral state of some session by adding the SessionStateReveal and EphemeralKeyReveal queries to the model respectively. The SessionStateReveal query allows the attacker to learn the session private information while the EphemeralKeyReveal query allows the attacker to learn the ephemeral private key – which is stronger is still under discussion. Okamoto [37] claims that EphemeralKeyReveal is stronger than SessionStateReveal; Cremers [38] argues that SessionStateReveal is stronger than EphemeralKeyReveal; Boyd et al. [39] show that the two queries are incomparable, while Ustaoglu [40] shows that the functions of the two queries are essentially the same.
Since the CK model can largely provide no weaker security than the eCK model and the SessionStateReveal query of the CK model models the high risk of the leakage of the secrets in the unprotected memory of the host better than the EphemeralKeyReveal query of the eCK model, we build our security model based on the CK model.
1.2 Weaknesses of the AKE protocols in TPM 2.0
Unfortunately, all the three AKE protocols adopted by TPM 2.0 are not secure. We summarize their weaknesses in the following.
We find that the Full UM protocol is completely insecure if an attacker is able to learn the intermediate information of some session established by with : the attacker transmits an ephemeral key generated by himself to party and receives an ephemeral public key from , then he can compute the session key , i.e., the attacker is able to impersonate to indefinitely.
Kaliski presents an unknown-key share (UKS) attack [41] on the original MQV protocol: the attacker interfaces with the session establishment between two honest parties and such that is convinced that he is sharing a key with , but believes that he is sharing the same session key with . This UKS attack requires to register a specific key with the certificate authority (CA) and send a specific ephemeral public key to . and are so carefully computed by that the session keys of sessions and are identical. The details of the UKS attack are described in A. Although the Full MQV protocol tries to prevent the above UKS attack by including identities in the session key derivation, we find that it still cannot achieve the security defined by modern AKE models if is able to learn the unhashed shared value: performs the same steps above, learns by corrupting the session , then can compute the session key of session , i.e., the corruption of the session helps to compromise another session .
Xu et al. introduce two UKS attacks [22] on the SM2 key exchange protocol in which an honest party is coerced to share a session key with the attacker , but thinks that he is sharing the key with another party . Both attacks require to reveal the unhashed shared of . Besides, the first attack requires to register with the CA a specific key where , and the second attack requires to perform some computations using his private key after obtaining . The details of the two attacks are described in B.
The above attacks show that the three AKE protocols cannot achieve the security property defined by modern AKE security models if the attacker is able to get the unhashed values. Unfortunately, this is exactly how the two-phase key exchange primitive of TPM 2.0 (denoted by ) implements these three AKE protocols: of the Full UM protocol, the unhashed values of the MQV and SM2 key exchange protocols are returned to the host, whose memory is vulnerable to attacks. So it seems that is not secure.
1.3 Motivations and Contributions
Fortunately, protections provided by the TPM improve the security of . First, all long-term keys are generated randomly in the TPM, so attackers cannot make the TPM to generate a specific key such as the carefully computed key required by Kaliski’s UKS attack or required by Xu’s first attack. Second, the TPM only provides well-defined functions through TPM commands [6] in a black-box manner: when a TPM command is invoked, the TPM chip executes the pre-defined computation procedure and returns the computation result. The second feature prevents attackers from using a key to perform computations at will. So it seems that the above two features can prevent Kaliski’s UKS attack and Xu’s attacks. However, in modern cryptography, rigorous proofs of security in modern security models [36, 19] have become a basic requirement for cryptographic protocols to be standardized and are essential tools to guarantee the soundness of cryptographic protocols. As the TPM has been widely applied on kinds of computation platforms, it is important to perform formal analysis about its security mechanisms. This leads to our first motivation:
How to build a security model which can precisely model the TPM’s protections on keys and protocol computation environments and based on which we can perform rigorous security analysis of ?
Although protections provided by the TPM help the MQV and SM2 key exchange protocols to resist current UKS attacks, the and functions used in the MQV and SM2 key exchange protocols respectively make that the two protocols cannot be proven secure. Consider such a group that the representations of its elements satisfy that the least significant bits (LSBs) of the representations of points’ -coordinate are fixed. In this case, an attacker can mount the so-called group representation attacks on the MQV and SM2 key exchange protocols, in which the attacker can impersonate to without knowing the private key of . The group representation attack on MQV is described in C, and a similar attack on the SM2 key exchange protocol can be found in [42]. HMQV, a variant of MQV, prevents this type of attack by replacing with a cryptographic hash function, which enables the protocol to be proven secure in the CK model. Zhao et al. [42] also suggest replacing the function of the SM2 key exchange protocol with a cryptographic hash function. However, group representation attacks are not practical, for it is difficult to find an elliptic curve whose LSBs of the representations of points’ -coordinate are fixed. On the contrary, the outputs of the and functions seem to range in a uniform way over all possible values. This leads to our second motivation:
Can we give a quantitative measure of the amount of randomness (entropy) contained in the output distributions of and on real-world elliptic curves and check whether and provide enough entropy to prevent group representation attacks?
As far as we know, current modern AKE security models only consider how to formally analyze one single protocol, thus all AKE protocols proven secure in the literature are analyzed separately. However, is designed to support three implicitly AKE protocols through unified interfaces, so we cannot use current security models to analyze . Besides, the design of brings the following security problem that should be considered in its analysis. Suppose an honest party tries to establish a secure channel with through MQV and an attacker controls a long-term key of ’s TPM, but the type of the key is SM2. Then the question is whether the session key of is secure if the attacker leverages the SM2 key to complete the session. Apparently, it’s desirable for to guarantee the security of ’s session key. We denote this security property by correspondence property. The requirements for analyzing multi-protocols simultaneously and capturing the correspondence property lead to our third motivation:
Can we build a unified security AKE model, based on which we can give a formal analysis of which supports three AKE protocols?
Unfortunately, even if we prove is secure, only guarantees its security under the following conditions: first, all the entities in the network must use TPM chips to run the AKE protocols and if one entity uses a less secure implementation of protocols such as a software implementation, the compromise of the software implementation will affect the security of other honest entities, such as Kaliski’s and Xu’s UKS attacks mentioned above; second, attackers are assumed to be unable to obtain the information inside the TPM, such as long-term keys. The conditions are due to the fact that the above security model creates all protocol instances based on the TPM and prohibits attackers from obtaining information inside the TPM even they compromise the TPM. However, the above conditions are not practical for real-world networks: first, it is unrealistic to assume that all devices are protected by the TPM, and there may exist some devices whose execution environments are not secure and can be easily compromised; second, it is also unrealistic to assume that no TPM is ever compromised because attackers can launch sophisticated attacks such as invasive attacks, semi-invasive attacks or side-channel attacks to compromise TPM chips. The above unrealistic assumptions lead to our fourth motivation:
How to revise the current version of so that it can be applied in real-world networks where devices may not be protected by TPM chips and TPM chips may be compromised?
Contributions. We summarize the contributions of this paper as follows:
We leverage the min-entropy, a notion in the information theory, to quantitatively evaluate the amount of randomness in the output distributions of and . We evaluate several series of elliptic curves used in practice, covering all elliptic curves adopted by the TPM 2.0 algorithm specification [43]. The evaluation results show that and provide almost the same level of randomness as cryptographic hash functions. 2. 2.
We model the protections provided by the TPM by modeling the interfaces of as oracles, and present a unified AKE security model for , which captures not only the basic security property defined by modern AKE security models but also the correspondence property. 3. 3.
We give a formal analysis of in our new model and prove that is secure under the condition that the unhashed shared secrets are not available to the attacker. This condition can be achieved by slightly modifying the Full UM functionality of TPM 2.0 or properly implementing the host’s software. 4. 4.
The is proven secure under some limiting conditions, resulting in some restrictions on the usage of , so we give suggestions on how to use properly to achieve a secure implementation of AKE protocols. 5. 5.
The limiting conditions required by the current version of are impractical for real-world networks, so we present a revision of to eliminate the limiting conditions and give concrete suggestions on how to revise the current version of TPM 2.0 specifications. 6. 6.
We rigorously analyze our revision of , and the analysis results show that our revision achieves not only the basic security property defined by modern AKE security models but also some further security properties: resistance to key-compromise impersonation (KCI) and weak Perfect Forward Secrecy (PFS).
1.4 Organization
In the rest of this paper, Section 2 gives some preliminaries. Section 3 introduces the two-phase key exchange primitive defined by TPM 2.0 specifications, gives a quantitative measure of several series of elliptic curves used in practice, and presents an informal analysis of . Section 4 presents our unified security model for . Section 5 gives a formal description of . Section 6 proves the unforgeability of the MQV and SM2 key exchange functionalities provided by , and it can simplify our security proof. Section 7 formally analyzes the basic security of in our new model. Section 8 discusses the KCI-resistance and weak PFS properties of . Section 9 gives suggestions on the usage of the current version of . Section 10 presents our revision of . Sections 11 and 12 rigorously analyze our revision of . Section 13 discusses the KCI-resistance and weak PFS properties of our revision. Section 14 concludes this paper.
2 Preliminaries
This section first introduces the notion of min-entropy and two popular methods to calculate the min-entropy, and then introduces the CDH (Computational Diffie-Hellman) and GDH (Gap Diffie-Hellman) assumptions used in this paper.
2.1 Min-entropy
Min-entropy is a notion in information theory, which provides a very strict information-theoretical lower bound (i.e., worst-case) measure of randomness for a random variable. High min-entropy indicates that the distribution of the random variable is close to the uniform distribution. Low min-entropy indicates that there must be a small set of outcomes that has an unusually high probability, and the small set can help an attacker to perform group representation attacks. Take the following two extreme cases for example: if the min-entropy of a random variable is equal to the length of the outcome, the distribution is a uniform distribution, and if the min-entropy of a random variable is zero, the outcomes of the random variable are a fixed value. From the two extreme cases, we can see that the higher the min-entropy is, the harder for the attacker to mount group representation attacks. There are two popular methods to measure the min-entropy of a random variable:
NIST SP 800-90. This method is described in NIST specification 800-90 for binary sources. The definition of min-entropy for one binary bit is: where and , are probabilities that the binary bit outputs zero and one respectively. The min-entropy of an -bit binary string is defined by:
[TABLE] 2. 2.
Context-Tree Weighting compression. Context-Tree Weighting (CTW) [44] is an optimal compression algorithm for stationary sources and is usually used to estimate the min-entropy.
2.2 CDH and GDH Assumptions
The security of modern cryptographic constructions, including the AKE protocols, relies on some widely-believed assumptions, which are mathematical problems that are hard to solve. The rigorous proof of security typically shows how to reduce the security of cryptographic constructions to assumptions. Here we list the assumptions that used in our proof: the CDH and GDH assumptions. The CDH assumption is used in the proof of the unforgeability of MQV and SM2 key exchange functionalities (Section 6), and the GDH assumption is used in the proof of (Section 7) and the revision of (Sections 12 and 13).
Definition 1** (CDH Assumption).**
Let be a cyclic group of order with generator . The CDH assumption in states that, given two randomly chosen points and , it is computationally infeasible to compute .
Definition 2** (GDH Assumption).**
Let be a cyclic group generated by an element whose order is . We say that a decision algorithm is a Decisional Diffie-Hellman (DDH) Oracle for and its generator if on input a triple , for , oracle outputs 1 if and only if = CDH(). We say that satisfies the GDH assumption if no feasible algorithm can solve the CDH problem, even if the algorithm is provided with a DDH-oracle for .
3 The TPM Key Exchange Primitive
In the context of , each party consists of a host and a TPM chip. The host and the TPM together can implement the three implicitly AKE protocols supported in the TPM 2.0 specifications. In general, the host runs instances of AKE protocols by exchanging messages between parties and invoking the interfaces of which are implemented as TPM commands, and at last derives session keys for instances from the shared secrets returned by the TPM. In this section, we first show how the AKE protocols can be implemented by the host and , and describe the related TPM commands of , and then give an informal analysis of . In the informal analysis, we present solutions to prevent impersonation attacks on the Full UM protocol, and a quantitative measure of the randomness of the output distributions of and on all the elliptic curves adopted by the TPM 2.0 specifications.
3.1 Introduction of tpm.KE
consists of two phases. In the first phase, the TPM generates an ephemeral key which will be transferred to the other party by the TPM’s host. In the second phase, the TPM generates the unhashed secret value according to the specification of the selected protocol, and the host derives the session key from the unhashed secret value. Before the two phases, the Key Generation procedure should be invoked to generate a long-term key.
- •
Key Generation. The commands and are used to generate long-term keys. They take as input public parameters including an attribute identifying the key exchange scheme for the long-term key. The scheme should be one of the following three: , , and . In this procedure, the TPM performs the following steps: if the command is , it picks a random and computes , and if the command is , it derives from a primary seed using a key derivation function and computes ; finally, it returns and a key handle identifying .
- •
First Phase. The command is used to generate an ephemeral key, and it performs the following steps:
Generate , where is a key derivation function [45], is a secure random value stored inside the TPM, and is a counter. 2. 2.
Set , , and , where is an array of bits used to indicate whether the ephemeral key has been used. 3. 3.
Set mod , and generate . 4. 4.
Return and .
Note that the TPM does not need to store the ephemeral private key as it can be recovered using and .
- •
Second Phase. The command related to this phase is , and it is the main command of . This command takes the following items as input:
A protocol scheme selector.
The key handle identifying the long-term private key .
The counter used to identify the ephemeral key generated in the first phase.
The public key of , with whom wants to establish a session.
The ephemeral public key received from .
The TPM first does the following checks:
- (a)
Whether equals the scheme designated for key in the key generation procedure. 2. (b)
Whether and are on the curve associated with . 3. (c)
Whether . 2. 2.
If the above checks succeed, the TPM recovers and performs the following steps:
- (a)
Compute unhashed values according to the value of :
Case :
set , ;
Case :
set , , where and ;
Case :
set , , where and . 2. (b)
Clear : set to ensure that the ephemeral private key can only be used once. 3. (c)
Return and . 3. 3.
Finally, the host computes the session key leveraging the unhanshed values and returned by the TPM.
3.2 Informal Analysis
In Sections 1.2 and 1.3, we show two weaknesses of which prevent it from achieving the basic security property defined by modern AKE security models. One weakness is that returns of the Full UM protocol to the host whose memory can be compromised, which makes be available to the attacker. The other one is the weakness caused by and , which results in group representation attacks against the MQV and SM2 key exchange protocols.
3.2.1 Analysis of the first weakness
The first weakness prevents the Full UM protocol from being proven secure in the security model, and we give two solutions to overcome the weakness:
Perform the entire session key computation of Full UM in the secure environment of the TPM, i.e., modify the command not to return and but the session key, i.e., . 2. 2.
Protect and from malicious code running on the host as much as possible such as keeping them only available in the kernel mode, and delete and as soon as the session key is derived.
The first solution requires modifying TPM 2.0 specifications, and the second one requires that the software deriving the session key should be implemented properly and included in the Trusted Computing Base (TCB).
3.2.2 Analysis of the second weakness
As it seems that the second weakness only happens in theory, we perform a quantitative measure of the min-entropy contained in the output distributions of and to check whether this weakness can happen in the real world. We measure several series of widely deployed elliptic curves: the NIST series [46], the BN series [47], the SECG series [48], and an SM2 elliptic curve [49]. Our measure totals 17 elliptic curves and covers all elliptic curves adopted by TPM 2.0 [43]. We generate 16384 points for each elliptic curve, apply to the points of the SM2 P256 curve, and apply to the points of the rest curves. We also apply the cryptographic hash function SHA-2 to the generated points of all curves. Then we measure the min-entropy of the output distributions of () and SHA-2 using the methods of NIST SP 800-90 (Formula 1) and CTW compression. The measurement results are summarized in Table 1. Figure 2 shows the development of the min-entropy value calculated using NIST’s method over the number of measurements. To our surprise, the min-entropy of the output distributions of and is very close to the min-entropy of the output distribution of SHA-2: the former is only about 1 bit less than the latter. What’s more, the measurement results indicate that the output distributions of and are close to the uniform distribution. Take the measurement of BN P256 for example, the min-entropy calculated by the NIST’s method is 126.9, very close to the output length of which is +1, and the CTW ratio is 98.1% which is close to 100%. Our measure indicates that the outputs of () on different elliptic curve points are almost independent, and it is infeasible to mount group representation attacks on real-world elliptic curves. So we model and as random oracles in our formal analysis.
4 The Unified Security Model
This section illustrates our unified security model for and the attacker model which captures the capabilities of attackers. The first difference between our unified security model and existing security models, such as BR, CK, and eCK models, is that our model can simulate multiple types of AKE protocols simultaneously. Our model acquires this feature by adding a scheme identifier to the session identifier. The motivation and detailed techniques of this feature will be discussed later. The second difference is that our model models the concrete protections provided by the TPM chip: the attack queries of our model do not allow the attacker to obtain the cryptographic keys protected inside the TPM nor the ephemeral secrets inside the TPM. For instance, when the attacker corrupts a party, unlike existing security models, which allow him to get plaintext of the long-term key, our model only allows him to obtain the black-box access of the TPM commands in respect of the long-term key.
In our security model, each party has a long-term key generated by the TPM and a certificate (issued by a CA) that binds the public part of the long-term key to the identity of the party. The long-term key can be one of the following three types: , , and . A party can be activated to invoke the interfaces of to run an instance of the protocol supported by the long-term key, and an instance of a protocol is called a session. In each session, a party can be activated as the role of initiator or responder who sends an ephemeral public key to its peer party, the ephemeral key is generated by invoking the interface of the first phase of , and a party can complete the session by invoking the interface of the second phase of and computing the session key.
In modern AKE security models, the session identifier is a quadruple , where is the identity of the owner of the session, the peer party, the outgoing messages in the session, and the incoming messages. This kind of security models work well in proving a single protocol, but it is flawed when used to prove because supports more than one scheme (type of protocol) and instances running different schemes might have the same quadruple but should be recognized as different sessions. To deal with this problem, we use a quintuple as the session identifier where denotes the scheme of the session. This kind of session identifier not only distinguishes between different instances of the same scheme but also distinguishes between different schemes. For instance, two instances with different original quadruple , such as the two sessions and having different outgoing messages, are recognized as different sessions. And further more, two instances with same original quadruple but running different schemes, such as the two sessions and , are also recognized as different sessions. In particular, in the case of implicitly AKE protocols where the communication is basic Diffie-Hellman exchanges the session identifier is where is the outgoing DH value and the incoming DH value to the session. The session (if it exists) is said to be matching to the session , and the session where (if it exists) is said to be message-matching to the session .
The in the session identifier brings an issue we must address: how about the security of the session if it has a corrupted message-matching session? Previous AKE security models do not capture this attack because they do not support formal analysis of multiple kinds of protocols in a unified way. However, this attack can happen on because it supports three AKE schemes and the TPM 2.0 specifications do not force the TPM to check the key type of its peer party. We say satisfies correspondence property if it can resist the above attack, i.e., the session is secure if its message-matching session is compromised.
Attacker Model. The model involves multiple honest parties and an attacker connected via an unauthenticated network. The attacker is modeled as a probabilistic Turing machine and has full control of the communications between parties. can intercept and modify messages sent over the network. also schedules all session activations and session-message delivery. In addition, in order to model potential disclosure of secret information, the attacker is allowed to access secret information via the following queries:
- •
SessionStateReveal(s): directly queries at session while still incomplete and learns the session state for . In our analysis, the session state includes the values returned by interfaces of and intermediate information stored and computed in the host.
- •
SessionKeyReveal(s): obtains the session key for the session .
- •
Corruption(): In other AKE security models, this query allows to learn the plaintext of the long-term private key of party . In our model, does not learn anything about the plaintext of the long-term private key but obtains the black-box access of the key via TPM interfaces.
- •
Test(s): Pick . If = 1, provide with the session key; otherwise provide with a random value . This query can only be issued to a session that is “clean". A completed session is “clean" if the session as well as its matching session (if it exists) is not subject to the above three queries. A session is called “exposed" if performs any one of the above three queries to this session.
Note that our model differs from previous AKE security models in that the Corruption query to some party does not provide the attacker with the plaintext of the long-term private key of the party but the black-box access of the long-term key which is randomly generated and protected by the TPM. This difference captures the protections provided by the TPM, which are described in Section 1.3.
The security is defined based on an experiment played by , in which is allowed to activate sessions and perform SessionStateReveal, SessionKeyReveal, and Corruption queries. At some time, performs the Test query to a clean session of its choice and gets the value returned by Test. After that, continues the experiment but is not allowed to expose the test session and its matching session (if it exists). Eventually, outputs a bit as its guess, then halts. wins the game if . The attacker with the above capabilities is called a KE-attacker. The formal security is defined as follows.
Definition 3**.**
The advantage of any KE-attacker in the above experiment with is defined as
* = .*
* is called secure if the following properties hold for any KE-attacker .*
When two uncorrupted parties complete matching sessions, they output the same session key, and 2. 2.
If no efficient attacker has more than a negligible advantage in winning the above experiment.
The first condition is a “consistency" requirement for sessions completed by two uncorrupted parties. The second condition is the core property for the security of : it guarantees that exposure of one session does not help the attacker to compromise the security of another session. Note that our security definition of allows the attacker to expose the message-matching session, that is to say, the test session is still secure even if the message-matching session is exposed by the attacker. Thus, our model captures the correspondence property.
The Definition 3 defines the basic security property that a modern AKE protocol should achieve, and it captures the common UKS attacks. We illustrate how the UKS attacks are captured in our security model. In a UKS attack, a party ends up believing he shares a key with party , and ends up mistakenly believing the key is shared with the attacker . Suppose the identifier of ’s session is and that of ’s session is . The two sessions apparently are not either identical or matching, so according to Definition 3, the attacker can expose the session to attack ’s session . The above illustration shows that if a protocol is proven secure under the unified security model, it should resist UKS attacks.
5 Formal Description of
The implementation of in the TPM 2.0 includes two phases. The first phase is to generate an ephemeral key which is transferred to the party which the owner wants to establish a session with, and the first phase is the same to all the three protocols supported by the TPM 2.0 specifications. The second phase provides the key exchange functionalities which generate the unhashed secret values or session keys according to the specification of the protocol. Since parties or the attacker can only use in a black-box manner: they can only use ’ functionalities by invoking its interfaces and do not know the secrets inside the TPM. To model the black-box manner of , we simulate by formalizing its interfaces as a series of oracles which receive inputs and return outputs.
We model the interface of the first phase of by the oracle where is the long-term key of . We model the second phase of as three oracles: the Full UM, MQV, and SM2 key exchange functionalities of are modeled as oracle , oracle , and oracle respectively. and take as input the input of and return the unhashed values. We let directly return the session key but not the unhashed values and , and this modification simulates our solutions to the first weakness of . We now formally describe through the following three session activations.
Initiate: invokes of its TPM to obtain an ephemeral public key and an index identifying the ephemeral private key stored in the TPM, creates a local session which is identified as (an incomplete) session , where is the key exchange scheme supported by the long-term key , and outputs as its outgoing ephemeral public key. 2. 2.
Respond ( is the scheme supported by ): After receiving , performs the following steps:
- (a)
Invoke of its TPM to obtain an ephemeral public key and an index identifying the ephemeral private key stored in the TPM; output as its outgoing ephemeral public key. 2. (b)
With input where is the key handle of , invoke the corresponding oracle according to the value of :
Case : Invoke and set the session key to be the return result of .
Case : Invoke , obtain from the return result, and compute the session key .
Case : Invoke , obtain from the return result, and compute the session key . 3. (c)
Complete the session with identifier . 3. 3.
Complete: checks that it has an open session with identifier , and then performs the following steps:
- (a)
With input where is the key handle of , invoke the corresponding oracle according to the value of :
Case : Invoke and set the session key to be the return result of .
Case : Invoke , obtain from the return result, and compute the session key .
Case : Invoke , obtain from the return result, and compute the session key . 2. (b)
Complete the session with identifier .
6 Unforgeability of MQV and SM2 Key Exchange Functionalities
In this section, we give the formal definitions of MQV and SM2 key exchange functionalities of , denoted by and respectively where is the public key of the party. In Theorem 1 and Theorem 2, we formally prove the unforgeability of and with a constraint on the attacker respectively. Although the unforgeability of and does not directly prove the security analysis of , it acts as a building block in the security of and greatly simplifies our security analysis. In some cases in our security proof in Section 7, we reduce the security of to the unforgeability of or : if the attacker is able to break the security of , we can leverage it to forge the result of or .
Definition 4** (The MQV Functionality of ).**
The functionality () is provided by a party possessing a private/public key pair . A challenger, possessing a private/public key pair , provides with a challenge ( is chosen and kept secret by the challenger). With the pair , first computes an ephemeral private/public key pair and returns where and . The challenger can verify the return result with respect to the challenge by checking whether .
Definition 5** (The SM2 Key Exchange Functionality of ).**
The functionality () is provided by a party possessing a private/public key pair . A challenger, possessing a private/public key pair , provides with a challenge ( is chosen and kept secret by the challenger). With the pair , first computes an ephemeral private/public key pair and returns , where and . The challenger can verify the return result with respect to the challenge by checking whether .
Theorem 1**.**
Under the CDH assumption, with modeled as a random oracle, given a challenge , it is computationally infeasible for an attacker to forge a return result of on behalf of a challenger whose public key is under the constraint that is unknown to the attacker.
The constraint is reasonable because the TPM prevents attackers from obtaining the plaintext of keys in it. We prove Theorem 1 by showing that if an attacker can forge a return result under our constraint, then we can construct a CDH solver which uses as a subroutine.
Proof.
takes as input a pair and , and it simulates as follows:
On receipt of the input , choose randomly. 2. 2.
Let , and set . 3. 3.
Choose randomly, and set . 4. 4.
Return .
If successfully forges a return result on the pair in an experiment, then obtains where and . Note that without the knowledge of the private key of , is unable to compute CDH(). Following the Forking Lemma [50] approach, runs on the same input and the same coin flips but with carefully modified answers to queries. Note that must have queried in its first run because otherwise would be unable to compute . For the second run of , responds to with a value selected uniformly at random. If succeeds in the second run, obtains and can compute CDH. ∎
Theorem 2**.**
Under the CDH assumption, with modeled as a random oracle, given a challenge , it is computationally infeasible for an attacker to forge a return result of on behalf of a challenger whose public key is under the constraint that is unknown to the attacker.
We omit the proof of theorem 2 because it can be easily completed following the proof of theorem 1.
7 Security Analysis of
Although our model is based on the CK model, the security analysis based on our new model differs from that based on the CK model in some aspects. First the Corrupt query in our model does not let the attacker obtain the plaintext of the long-term key but only allows him to get the black-box access of the long-term key. The second difference is about the session state that allows the attacker to get by the SessionStateReveal query. For most security analysis of AKE protocols, the session state is defined by the requirement of the proof. For instance, the security analysis of the HMQV protocol [17] requires that the session state only includes the session key, which means that the SessionStateReveal query and the SessionKeyReveal query are the same. But for the security analysis of , we need to define the session state according to the specifications of : we have to put into session state all the secrets that are processed and stored on the host’s memory which is easily to be tampered with. In the following we define the session state allowed to be revealed by the attacker.
Session State. In order to simulate the protections provided by the TPM, we specify that the state of a session stores the results returned by the TPM and the information stored in the host. For the Full UM scheme, the session state is the session key; for the MQV and SM2 key exchange schemes, the session state is the unhashed values returned by the TPM.
Theorem 3**.**
Under the CDH and GDH assumptions, with hash functions , , , and modeled as random oracles, is secure in the unified model.
Let , and denote the advantage of an algorithm in solving the GDH problem, forging the functionality of , and forging the functionality of . For any attacker against whose security parameter is , and that involves at most parties and activates at most sessions, we construct a GDH solver , a forger , and a forger such that
[TABLE]
Proof.
The proof of the above theorem follows from the definition of secure key exchange protocols outlined in Section 4 and the following two lemmas.
Lemma 4*.*
If two parties and complete matching sessions, then their session keys are the same.
Lemma 5*.*
Under the CDH and GDH assumptions, there is no feasible attacker that succeeds in distinguishing the session key of an unexposed session with non-negligible probability.
Lemma 4 follows immediately from the definition of matching sessions. That is, if completes the session and completes the matching session , it’s easy to verify that ’s session key is the same as ’s according to the specifications of the protocols (Figure 1).
We now prove Lemma 5. Let be an attacker against and the test session. Let denote the event that the random oracles produce collisions, the event that the attacker gets the session key of , the event that someone, either the attacker or some party, queries the random oracle with the same tuple as that of , the event that the attacker himself queries the random oracle with the same tuple as that of , the event that some party queries the random oracle with the same tuple as that of . Observe that , , , and , we may write
[TABLE]
If random oracles produce no collisions, the event means that himself queries the random oracle with the same tuple as that of and gets the session key of . We denote this event by the forging attack. And if random oracles produce no collisions, the event means that gets the session key of but he does not query the random oracle with the tuple of , and that some party establishes a session with the same tuple of . Since himself does not query the tuple of and is not allowed to reveal in the experiment, he must get the session key of by revealing . So the event implies that forces the establishment of another session that has the same session key as the test session and he gets the session key of the test session by revealing , and we denote this event by the key-replication attack. We summarize the two attacks as follows:
Forging attack. At some point queries or on the same tuple as the test session. 2. 2.
Key-replication attack. succeeds in forcing the establishment of another session that has the same session key as the test session.
The rest of this section will prove the infeasibility of forging attack and key-replication attack by showing that if either of the above attacks succeed with non-negligible probability then there exists an attacker against the GDH problem or a forger against the MQV functionality of , or a forger against the SM2 key exchange functionality of , and the latter two forgers are in contradiction to the CDH assumption (Theorem 1 and Theorem 2). The proof of Lemma 5 will be completed after the proof of the infeasibility of forging attack and key-replication attack. ∎
7.1 Infeasibility of Forging Attacks
Consider a successful forging attack performed by . Let be the test session for whose tuple outputs a correct guess. By the convention on session identifiers, we know that the test session is held by , its peer is , was output by , and was the incoming message to . can fall under one of the following three cases:
. 2. 2.
. 3. 3.
.
As we assume that succeeds with non-negligible probability in the forging attack, there is at least one of the above three cases that occurs with non-negligible probability. We assume that operates in an environment that involves at most parties and each party participates in at most sessions. We analyze the three cases separately in the following.
7.1.1 Analysis of Case 1
For this case, we build a GDH solver with the following property: if succeeds with non-negligible probability in this case, then succeeds with non-negligible probability in solving the GDH problem. takes as input a pair , creates an experiment which includes honest parties and the attacker , and is given access to a DDH oracle . randomly selects two parties and from the honest parties and sets their public keys to be and respectively, and all the other parties compute their keys normally. Furthermore, randomly selects an integer . The simulation for ’s environment proceeds as follows:
models for all parties except party following the description in Section 5. sets the type of all long-term keys. If the type of is not , aborts. creates oracles modeling the two-phase key exchange functionalities for each party normally except parties and because it possesses the long-term private keys of all parties except and . , , , and are modeled as random oracles described below. 2. 1.
Initiate: executes the Initiate() activation of the protocol. However, if the session being created is the -th session at , checks whether and . If not, aborts. 3. 2.
Respond: With the exception of and (whose behaviors we explain below), executes the Respond() activation of the protocol. However, if the session being created is the -th session at , checks whether and . If not, aborts. 4. 3.
Complete: With the exception of and (whose behaviors we explain below), executes the Complete() activation of the protocol. However, if the session is the -th session at , completes the session without computing a session key. 5. 4.
With the input , creates the oracle as follows:
- (a)
If , returns a session key to be . is simulated as a random oracle. 2. (b)
If , returns a session key to be where ( is the long-term private key of ) and ( is the ephemeral private key indexed by ). 6. 5.
Now can simulate all the session activations at for with the help of . 7. 6.
creates a Table and models according to the type of :
- (a)
Case : Model following the description in Section 5. 2. (b)
Case :
- i.
Randomly choose . 2. ii.
Set and . 3. iii.
Randomly choose an index , and add a record to . 4. iv.
Return and . 3. (c)
Case :
- i.
Randomly choose . 2. ii.
Set and . 3. iii.
Randomly choose an index , and add a record to . 4. iv.
Return and . 8. 7.
With the input , creates the oracle to model the two-phase key exchange functionality for party according to the type of :
- (a)
Case : is modeled similarly to which is described in step 4. 2. (b)
Case :
- i.
Check whether (1) , (2) and are on the curve associated with , and (3) the last element of the record in indexed by is ‘’. If the above checks succeed, continue, else return an error. 2. ii.
Suppose the record in indexed by is , set where , and set the last element of the record to be . 3. iii.
Return . 3. (c)
Case :
- i.
Check whether (1) , (2) and are on the curve associated with , and (3) the last element of the record in indexed by is ‘’. If the above checks pass, continue, else return an error. 2. ii.
Suppose the record in indexed by is , set where , and set the last element of the record to be . 3. iii.
Return . 9. 8.
simulates all the session activations at for with the help of and the oracle created in step 7. 10. 9.
SessionStateReveal(): returns to the session state of session . However, if is the -th session at , aborts. 11. 10.
SessionKeyReveal(): returns to the session key of . If is the -th session at , aborts. 12. 11.
Corruption(): gives the handle of the long-term key . If tries to corrupt or , aborts. 13. 12.
function for some proceeds as follows:
- (a)
If , , and , then aborts and succeeds by outputting CDH. 2. (b)
If the value of the function on input has been defined previously, return it. 3. (c)
If the value of on input has been defined previously, return it. 4. (d)
Pick a random key , and define . 14. 13.
, , , and are simulated as random oracles in the usual way.
Proof.
The probability that sets the type of to be and selects the -th session of and the peer of the test session is party is at least . Suppose that this indeed the case: the type of is , so does not abort in Step 0; is not allowed to corrupt and , make SessionStateReveal and SessionKeyReveal queries to the -th session of , so does not abort in Step 1, 2, 9, 10, 11. Therefore, simulates ’s environment perfectly. Thus, if wins with non-negligible probability in this case, the success probability of is bounded by
.
∎
7.1.2 Analysis of Case 2
Recall that the test session is denoted by . We divide Case 2 of the forging attack into the following four subcases according to the generation of :
- C1.
was generated by in a session matching the test session, i.e., in session . 2. C2.
was generated by in a session message-matching the test session, i.e., in session with . 3. C3.
was generated by in a session with . 4. C4.
did not appear in any completed sessions activated at , i.e., was never output by as its outgoing ephemeral public key in any sessions, or did output as its outgoing ephemeral public key for some session but it never completed by computing the session key.
If succeeds in Case 2 in its forging attack with non-negligible probability then there is at least one of the above four subcases happens with non-negligible probability in the successful runs of . We proceed to analyze these subcases separately.
Analysis of Subcase C1. For this subcase, we build a GDH solver with the following property: if succeeds with non-negligible probability in this subcase, then succeeds with non-negligible probability in solving the GDH problem. takes as input a pair , creates an experiment which includes honest parties and the attacker , and is given access to a DDH oracle . All parties compute their keys normally. randomly selects two party and and randomly selects two integers . The simulation for ’s environment proceeds as follows:
models for all parties following the description in Section 5. sets the type of all long-term keys. If the type of and is not , aborts. can create oracles modeling the two-phase key exchange functionalities for each party normally as it possesses the long-term private keys of all parties. 2. 1.
Initiate: executes the Initiate() activation of the protocol. However, if the session being created is the -th session at (or the -th session at ), checks whether and (or ). If so, sets the ephemeral public key to be (or ), else aborts. 3. 2.
Respond: executes the Respond() activation of the protocol. However, if the session being created is the -th session at (or the -th session at ), checks whether , (or ), and (or ). If so, sets the ephemeral public key to be (or ), else aborts. 4. 3.
Complete: executes the Complete() activation of the protocol. However, if the session is the -th session at (or the -th session at ), completes the session without computing a session key. 5. 4.
SessionStateReveal(): returns to the session state of session . However, if is the -th session at (or the -th session at ), aborts. 6. 5.
SessionKeyReveal(): returns to the session key of . If is the -th session at (or the -th session at ), aborts. 7. 6.
Corruption(): gives the handle of the long-term key . If tries to corrupt or , aborts. 8. 7.
function for some proceeds as follows:
- (a)
If , , and where and , then aborts and succeeds by outputting CDH(. 2. (b)
If the value of the function on input has been defined previously, return it. 3. (c)
Pick a random key , and define . 9. 8.
, , and are simulated as random oracles in the usual way.
Proof.
The probability that sets the type of and to be and selects the -th session of and the -th session of as the test session and its matching session is at least . Suppose that this is indeed the case: the type of and is , so does not abort in Step 0; is not allowed to corrupt and , make SessionStateReveal and SessionKeyReveal queries to the -th session of or the -th session of , so does not abort in Step 1, 2, 4, 5, 6. Therefore, simulates ’s environment perfectly. Thus, if wins with non-negligible probability in this case, the success probability of is bounded by
.
∎
Analysis of Subcase C2. For this subcase, we show that can break the unforgeability of the MQV functionality proved in theorem 1 if it succeeds with non-negligible probability. We build a simulator which simulates ’s environment. takes as input a challenge , and creates an experiment which includes honest parties and the attacker . All parties compute their keys normally. randomly selects two parties and , and randomly selects two integers . The simulation for ’s environment proceeds as follows:
models for all parties following the description in Section 5. sets the types for all long-term keys. If the type of is not and the type of is , aborts. can create oracles modeling the two-phase key exchange functionalities for each party normally as it possesses the long-term private keys of all parties. 2. 1.
Initiate: executes the Initiate() activation of the protocol. However, if the session being created is the -th session at , checks whether and . If so, sets the ephemeral public key to be , else aborts. If the session being created is the -th session at , checks whether and is . If so, calls to create an ephemeral key, denoted by , and sets the outgoing ephemeral key of this session to be , else aborts. 3. 2.
Respond: executes the Respond() activation of the protocol. However, if the session being created is the -th session at , checks whether , , and . If so, provides with the value , else aborts. If the session being created is the -th session at , checks whether , , and . If so, calls to create an ephemeral key, denoted by , and sets the outgoing ephemeral key of this session to be , else aborts. 4. 3.
Complete: executes the Complete() activation of the protocol. However, if the session is the -th session at , completes the session without computing a session key. 5. 4.
SessionStateReveal(): returns to the session state of session . However, if is the -th session at , aborts. 6. 5.
SessionKeyReveal(): returns to the session key of . If is the -th session at , aborts. 7. 6.
Corruption(): gives the handle of the long-term key . If tries to corrupt or , aborts. 8. 7.
, , , and are simulated as random oracles in the usual way.
Proof.
The probability that sets the type of to be and the type of not to be and selects the -th session of and the -th session of as the test session and its message-matching session is at least . Suppose that this is indeed the case: the type of is and the type of is not , so does not abort in Step 0; is not allowed to corrupt and , make SessionStateReveal and SessionKeyReveal queries to the -th session of , so does not abort in Step 1, 2, 4, 5, 6. Therefore, simulates ’s environment perfectly except with negligible probability. By the assumption, correctly guesses the tuple of the test session where and . We now show that is a valid forgery against on input where is the challenge:
is a valid return result of as . 2. 2.
never returns the result on input under : has never been created by as the type of is not in this subcase. 3. 3.
Since is not allowed to corrupt and , does not know and . So does not know the private key pair . Thus, is under the constraint described in theorem 1.
Finally we get: ( succeeds in forging under ) \geq$$\frac{2}{9(nk)^{2}}Pr(\mathcal{M}). ∎
Analysis of Subcases C3 and C4. For the two subcases, we show that can break the unforgeability of the MQV functionality proved in theorem 1 if it succeeds with non-negligible probability. We build a simulator which simulates ’s environment. takes as input a challenge , and creates an experiment which includes honest parties and the attacker . All parties compute their keys normally. randomly selects two parties and , and randomly selects one integer . The simulation for ’s environment proceeds as follows:
models for all parties following the description in Section 5. sets the type for all long-term keys. If the type of is not , aborts. can create oracles modeling the two-phase key exchange functionalities for each party normally as it possesses the long-term private keys of all the parties. 2. 1.
Initiate: executes the Initiate() activation of the protocol. However, if the session being created is the -th session at , checks whether and . If so, sets the ephemeral public key to be , else aborts. 3. 2.
Respond: executes the Respond() activation of the protocol. However, if the session being created is the -th session at , checks whether and . If so, provides with the value , else aborts. 4. 3.
Complete: executes the Complete() activation of the protocol. However, if the session is the -th session at , completes the session without computing a session key. 5. 4.
SessionStateReveal(): returns to the session state of session . However, if is the -th session at , aborts. 6. 5.
SessionKeyReveal(): returns to the session key of . If is the -th session at , aborts. 7. 6.
Corruption(): gives the handle of the long-term key . If tries to corrupt or , aborts. 8. 7.
, , , and are simulated as random oracles in the usual way.
Proof.
The probability that sets the type of to be and selects the -th session of as the test session is at least . Suppose that this is indeed the case: the type of is , so does not abort in Step 0; is not allowed to corrupt and , make SessionStateReveal and SessionKeyReveal queries to the -th session of , so does not abort in Step 1, 2, 4, 5, 6. Therefore, simulates ’s environment perfectly. By the assumption, correctly guesses the tuple of the test session where and . We now show that is a valid forgery against on input where is the challenge:
is a valid return result of as . 2. 2.
We now show that never returns the result on input under :
- (a)
If the type of is or , has never been created by . 2. (b)
If the type of is , must create in step 0. However, if ever returned the result for some on input , must have a session identified by , which is exactly the matching session of the test session. This contradicts that the test session has no matching session in these two subcases. 3. 3.
Since is not allowed to corrupt and , does not know and . So does not know the private key pair . Thus, is under the constraint described in theorem 1.
Finally we get: ( succeeds in forging under ) \geq$$\frac{1}{3n^{2}k}Pr(\mathcal{M}). ∎
7.1.3 Analysis of Case 3
The analysis of Case 3 is similar to Case 2. It is easy to get a full proof by following the analysis in Section 7.1.2, so we omit the analysis of Case 3.
7.2 Infeasibility of Key-replication Attacks
If successfully launches a key-replication attack against the test session , he succeeds in establishing a session , which is different than and (the matching session of ) but has the same key as the test session . The of must fall under one of the following three cases. By demonstrating that key-replication attacks are impossible in any of the three cases, we prove that cannot launch key-replication attacks.
. 2. 2.
. 3. 3.
.
7.2.1 Analysis of Case 1
In this case, the session key of the test session is the value of the random oracle on . As the session key of the MQV or SM2 key exchange protocol is the value of the random oracle on some 3-tuple , the session must belong to a party whose long-term key is the type of . So the session identifier of must be or where , i.e., is the test session or its matching session, which contradicts that is different from and the matching session of .
7.2.2 Analysis of Cases 2 and 3
We show that a key-replication attack is impossible by showing that a successful attacker would contradict the GDH assumption or break the unforgeability of MQV functionality or SM2 key exchange functionality.
Since has the same session key as the test session , must have the same as the test session. In all the subcases of Case 2 in Section 7.1.2, all the simulators (, , and ) provide with the session state of all exposed sessions. Therefore, can obtain the 3-tuple of by exposing (this is allowed in the security model as is not the matching session of ). This means that is able to launch forging attacks. However, we have shown that if succeeds in a forging attack: would succeed in solving the GDH problem, and under and , there would exist an attacker breaking the unforgeability of the MQV functionality of . By applying the above argument and replacing the unforgeability of the MQV functionality of with the unforgeability of the SM2 key exchange functionality of , we directly get the analysis of Case 3.
8 Further Security Properties of
Besides the basic security property defined by modern security models, it is desirable for AKE protocols to achieve the following two security properties. The key-compromise impersonation (KCI) resistance property: the knowledge of a party’s long-term private key does not enable the attacker to impersonate other uncorrupted parties to the party. The Perfect Forward Secrecy (PFS) property: the expired session keys established before the compromise of the long-term key cannot be recovered.
From the UKS attacks against MQV and SM2 key exchange protocols (A and B) we know that if the attacker is allowed to obtain the plaintext of the long-term key when he corrupts the corresponding party, these protocols will be unable to satisfy the basic security property defined by modern AKE security models. So the current version of can only achieve the security property defined by the security model in case that the attacker cannot obtain the plaintext of long-term keys (even he corrupts the parties). Since can only be proven secure in situations where the plaintext of long-term keys cannot be revealed to the attacker, which does not satisfy the definitions of KCI-resistance and wPFS properties, it cannot provide the KCI-resistance and wPFS properties. But can satisfy weak forms of the two properties: (1) constrained KCI-resistance; that is, the control of a party’s long-term key handle does not enable the attacker to impersonate other uncontrolled parties to the party; and (2) the constrained PFS property; that is, the expired session keys established before the attacker controls the handle of the long-term key cannot be recovered. To prove the above weak forms of the two properties, all needed is to note that the proof of in Section 7 still holds if we allow the attacker to corrupt and which are the related parties of the test session, i.e., all the simulators do not abort when and are corrupted. The proof remains valid since the abort operations are never used in the proof.
9 Suggestions on Usage of the Current Version of
Although we formally prove that satisfies the basic security property defined by modern AKE models, this is achieved under the following conditions: first, all the long-term keys must be generated by the TPM, and the attacker cannot register arbitrary keys; second, the attacker cannot obtain the plaintext of the long-term key even he corrupts the party; third, the attacker cannot obtain the unhashed value of the Full UM protocol. These constraints require that engineers should deploy properly, otherwise would be unable to provide secure communications. In order to help engineers to use securely, we give the following suggestions:
For a network that plans to use to protect its communications, we suggest that all devices in the network should be equipped with the TPM and the CA should only issue certificates for keys that are generated by the TPM. This requires the CA to check the validity of the TPM, and this can be done by leveraging the Privacy CA protocol [51] or the direct anonymous attestation (DAA) protocol [52] if higher anonymity is required. 2. 2.
The network administrator should guarantee that all TPM chips are well protected against sophisticated physical attacks which can obtain the secrets inside the TPM, and the administrator should know that if one TPM chip is physically broken, the whole network may no longer be secure. 3. 3.
The software running on the host which derives the session key from the return results of the TPM should be well protected. For example, run the software in the secure execution environment provided by the Intel SGX [53, 54] or ARM TrustZone [7] technologies and delete the return results of the TPM (especially of the Full UM protocol) immediately after the session key is derived.
10 Revision of
A real-world network may contain various kinds of devices, and it is common that some devices are protected by the TPM and the others are not. Moreover, there exist physical attacks that can access all keys inside the TPM [55]. So it is hard for real-world networks to satisfy the conditions required to ensure ’s security. Therefore, the current version of puts a significant limitation on its application on real-world networks.
In order to make more applicable to real-world networks, we suggest revising TPM 2.0 specifications as follows: perform the session key derivation in the TPM rather than on the host, i.e., perform and in the TPM. The revision only adds a hash computation to the TPM, which is negligible compared to the elliptic curve scalar multiplication. This revision is inspired by the HMQV protocol, the first proven secure implicitly AKE protocol, which requires that its unhashed value should be stored in the same secure environment as the long-term key and only the session key is output outside of the environment. We give concrete suggestions on how to revise TPM 2.0 specifications: the only change is to revise TPM2_ZGen_2Phase() command in the TPM 2.0 Command specification [6]. The command is revised to derive the session key inside the TPM and return the session key, while the original command returns the unhashed values and . Figure 3 describes the changes to the input and response of the TPM2_ZGen_2Phase() command.
- •
Changes of input: add the identities of the owner and peer of the session.
- •
Changes of response: not return the unhashed values but the session key.
11 Preparation for the Security Analysis of the Revision
In this section, we do the preparation work for the security analysis of the revision of (denoted by ), including the formal description of , the session state, and the attacker model.
11.1 Formal Description of
The first phase of is the same as , so we use the same to model the interface of the first phase of . As the TPM returns the session key in the second phase of , we modify the oracles and to return the session key. We get the formal description of by using the modified oracles and to replace the original oracles of the formal description of in Section 5.
As our formal analysis of contains parties that are not equipped with the TPM, we need to describe how the protocols are implemented in these parties. These parties also use the Initiate, Respond and Complete activations to construct protocol sessions. The three activations for these parties differ from the activations for in that they do not leverage the interfaces of the TPM, i.e., , , , and , but run following the specifications of the protocols.
11.2 Session State
The session state includes the information returned by the TPM. As the ephemeral key and unhashed values (such as and ) are stored inside the TPM, we specify that the session state only includes the session key.
11.3 Attacker Model for
The attacker model for is used to capture realistic attack capabilities in real-world networks, which are much stronger than the attack capabilities captured by the model for . In particular, the model for allows the attacker to register arbitrary keys to the CA and obtain the plaintext of a long-term key by corrupting the party. To capture the above stronger attack capabilities, we add the EstablishParty query to the model for (Section 4) and modify the SessionStateReveal and Corruption queries.
- •
EstablishParty(): this query is newly added to the model to allow the attacker to register a static public key on behalf of party .
- •
SessionStateReveal(s): directly queries at session while still incomplete and learns the session state for . The session state only includes the session key, while the session state in the model for includes the unhashed values.
- •
Corruption(): this query allows to learn the plaintext of the long-term private key of party , while this query in the model for only allows the attacker to obtain the black-box access of the long-term key.
12 Security Analysis of
In order to make our analysis be close to real-world networks as much as possible, we do not make any assumption whether the parties in the network are equipped with the TPM, including the owner and the peer of the test session.
Theorem 6**.**
Under the GDH assumption, with hash functions , , , and modeled as random oracles, is secure in the unified model.
The proof of the above theorem follows from the definition of secure key exchange protocols and the following two lemmas.
Lemma 7*.*
If two parties and complete matching sessions, their session keys are the same.
Lemma 8*.*
Under the GDH assumption, there is no feasible attacker that succeeds in distinguishing the session key of an unexposed session with non-negligible probability.
The proof of Lemma 7 is the same as Lemma 4, and we focus on the proof of Lemma 8. Let be any attacker against . can launch the forging attack or key-replication attack to distinguish the session key of the test session from a random value. We will show that if either of the attacks succeed with non-negligible probability, there exists a solver succeeding in solving the GDH problem with non-negligible probability.
12.1 Infeasibility of Forging Attacks
Let be the test session for whose tuple outputs a correct guess. can fall under one of the following three cases:
. 2. 2.
. 3. 3.
.
As succeeds with non-negligible probability in the forging attack, there is at least one of the above three cases that occurs with non-negligible probability. We assume that operates in an environment that involves at most parties and each party participates in at most sessions. We analyze the three cases separately in the following.
12.1.1 Analysis of Case 1
For this case, we build a GDH solver . It takes as input a pair , creates an experiment which includes honest parties and the attacker , and is given access to a DDH oracle . randomly decides whether each party is protected by the TPM or not, randomly selects two parties and from the honest parties and sets their public keys to be and respectively. All the other parties compute their keys normally. Furthermore, randomly selects an integer . The simulation for ’s environment proceeds as follows.
models following the description in Section 5 for all parties protected by the TPM. sets the types of all long-term keys. If the type of is not , aborts. creates oracles modeling the two-phase key exchange functionalities for parties protected by the TPM normally except parties and . The procedures of and are described below. and are simulated as random oracles in the usual way. 2. 1.
Initiate: executes the Initiate() activation of the protocol. However, if the session being created is the -th session at , checks whether and . If not, aborts. 3. 2.
Respond: With the exception of and (whose behaviors we explain below), executes the Respond() activation of the protocol. However, if the session being created is the -th session at , checks whether and . If not, aborts. 4. 3.
Complete: With the exception of and (whose behaviors we explain below), executes the Complete() activation of the protocol. However, if the session is the -th session at , completes the session without computing a session key. 5. 4.
Establish: creates the party whose public key is and marks as corrupted. 6. 5.
If is protected by the TPM, with the input , creates the oracle as follows: compute the session key . is simulated as a random oracle. 7. 6.
Respond:
- (a)
If is protected by the TPM, simulates this session activation with the help of and . 2. (b)
If is not protected by the TPM, generates an ephemeral key pair , outputs , and computes the session key . 8. 7.
Complete:
- (a)
If is protected by the TPM, simulates this session activation with the help of and . 2. (b)
If is not protected by the TPM, computes the session key . 9. 8.
If is protected by the TPM, with the input , creates the oracle modeling the two-phase key exchange functionality for party : recover the ephemeral key pair by , and compute the session key . 10. 9.
Respond:
- (a)
If is protected by the TPM, simulates this session activation with the help of and the oracle for (Step 8). 2. (b)
If is not protected by the TPM, simulates this session activation as follows: generate an ephemeral key pair , output , and compute the session key . 11. 10.
Complete:
- (a)
If is protected by the TPM, simulates this session activation with the help of and the oracle for (Step 8). 2. (b)
If is not protected by the TPM, sets the session key to be . 12. 11.
SessionStateReveal(): returns to the session state of session . However, if is the -th session at , aborts. 13. 12.
SessionKeyReveal(): returns to the session key of . If is the -th session at , aborts. 14. 13.
Corruption(): gives the long-term key pair of . If tries to corrupt or , aborts. 15. 14.
function for some proceeds as follows:
- (a)
If , , and , aborts and succeeds by outputting CDH. 2. (b)
If the value of the function on input has been defined previously, return it. 3. (c)
If the value of on input has been defined previously, return it. 4. (d)
Pick a random key , and define . 16. 15.
function for some proceeds as follows:
- (a)
If the value of the function on input has been defined previously, return it. 2. (b)
If not defined, go over all the previous calls to and for each previous call of the form proceed as follows according to the type of .
- i.
Case : check if where and ; if the condition holds, return . 2. ii.
Case : check if where and ; if the condition holds, return . 3. (c)
If no previous calls of that form are found, pick a random key and define . 17. 16.
function proceeds as follows:
- (a)
If the value of the function on that input has been defined previously, return it. 2. (b)
If not defined, proceed as follows according to the type of .
- i.
Case : go over all the previous calls to and for each previous call of the form check if ; if the condition holds, return . 2. ii.
Case : go over all the previous calls to and for each previous call of the form check if where and ; if the condition holds, return . 3. iii.
Case : go over all the previous calls to and for each previous call of the form check if where and ; if the condition holds, return . 3. (c)
If not found, pick a random key , define .
Proof.
The probability that sets the type of to be and selects the -th session at and the peer of the test session is party is at least . Suppose that this indeed the case: the type of is , so does not abort in Step 0; is not allowed to corrupt and , make SessionStateReveal and SessionKeyReveal queries to the -th session at , so does not abort in Step 1, 2, 11, 12, 13. Therefore, simulates ’s environment perfectly. Thus, if wins with non-negligible probability in this case, the success probability of is bounded by
.
∎
12.1.2 Analysis of Case 2
We build a GDH solver for this case. takes as input a pair , creates an experiment which includes honest parties and the attacker , and is given access to a DDH oracle . randomly decides whether each party is protected by the TPM or not, randomly selects a party and sets its public key to be . All the other parties compute their keys normally. Furthermore, randomly selects an integer . The simulation for ’s environment proceeds as follows.
models following the description in Section 5 for all parties protected by the TPM. sets the types of all long-term keys. If the type of is not , aborts. creates oracles modeling the two-phase key exchange functionalities for parties protected by the TPM normally except . The procedures of and are described below. and are simulated as random oracles in the usual way. 2. 1.
Initiate: executes the Initiate() activation of the protocol. However, if the session being created is the -th session at , checks whether and . If so, sets the ephemeral public key to be , else aborts. 3. 2.
Respond: With the exception of (whose behaviors we explain below), executes the Respond() activation of the protocol. However, if the session being created is the -th session at , checks whether and . If so, sets the ephemeral public key to be and does not compute the session key, else aborts. 4. 3.
Complete: With the exception of , executes the Complete() activation of the protocol. However, if the session is the -th session at , completes the session without computing a session key. 5. 4.
Establish: creates the party whose public key is , and marks as corrupted. 6. 5.
If is protected by the TPM, with the input , creates the oracle modeling the two-phase key exchange functionality for party : recover the ephemeral key pair by , and compute the session key . 7. 6.
Respond:
- (a)
If is protected by the TPM, simulates this session activation with the help of and the oracle for (Step 5). 2. (b)
If is not protected by the TPM, simulates this session activation as follows: generate an ephemeral key pair , output , and compute the session key . 8. 7.
Complete:
- (a)
If is protected by the TPM, simulates this session activation with the help of and the oracle for (Step 5). 2. (b)
If is not protected by the TPM, sets the session key to be . 9. 8.
SessionStateReveal(): returns to the session state of session . However, if is the -th session at or the matching session of it (if such a session exists), aborts. 10. 9.
SessionKeyReveal(): returns to the session key of . If is the -th session at or the matching session of it (if such a session exists), aborts. 11. 10.
Corruption(): gives the long-term key pair of . If tries to corrupt or , aborts. 12. 11.
function for some proceeds as follows:
- (a)
If the value of the function on input has been defined previously, return it. 2. (b)
If the value of on input has been defined previously, return it. 3. (c)
Pick a random key , and define . 13. 12.
function for some proceeds as follows:
- (a)
If the value of the function on input has been defined previously, return it. 2. (b)
If not defined, go over all the previous calls to and for each previous call of the form proceed as follows according to the type of .
- i.
Case : check if where and ; if the condition holds, return . 2. ii.
Case : check if where and ; if the condition holds, return . 3. (c)
If not found, pick a random key and define . 14. 13.
function proceeds as follows:
- (a)
If the value of the function on that input has been defined previously, return it. 2. (b)
If not defined, proceed as follows according to the type of .
- i.
Case : go over all the previous calls to and for each previous call of the form check if ; if the condition holds, return . 2. ii.
Case : go over all the previous calls to and for each previous call of the form check if where and ; if the condition holds, return . 3. iii.
Case : go over all the previous calls to and for each previous call of the form check if where and ; if the condition holds, return . 3. (c)
If not found, pick a random key and define .
Proof.
The probability that sets the type of to be and selects the -th session at as the test session is at least . Suppose that this is indeed the case: the type of is , so does not abort in Step 0; is not allowed to corrupt and , make SessionStateReveal and SessionKeyReveal queries to the -th session at or its matching session (if such a session exists), so does not abort in Step 1, 2, 8, 9, 10. Therefore, simulates ’s environment perfectly. If wins the forging attack, he computes the 3-tuple . Without the knowledge of the private key of , is unable to compute . computes where and .
Following the Forking Lemma [50] approach, runs on the same input and same coin flips but with carefully modified answers to the queries. Note that must have queried in its first run because otherwise would be unable to compute of the test session. For the second run of , responds to with a value selected uniformly at random. If succeeds in the second run, computes . And thereafter computes . Thus, if wins with non-negligible probability in this case, the success probability of is bounded by:
where is a constant arising from the use of the Forking Lemma. ∎
12.1.3 Analysis of Case 3
The analysis of Case 3 is similar to Case 2. It is easy to get a full proof by following the analysis in Section 12.1.2, so we omit the analysis of Case 3.
12.2 Infeasibility of Key-replication Attacks
If successfully launches a key-replication attack against the test session , he succeeds in establishing a session , which is different than and (the matching session of ) but has the same key as the test session . The of must fall under one of the following three cases. By demonstrating that key-replication attacks are impossible in any of the three cases, we prove that cannot launch key-replication attacks.
. 2. 2.
. 3. 3.
.
12.2.1 Analysis of Case 1
The analysis of this case is the same as the analysis in Section 7.2.1 for .
12.2.2 Analysis of Case 2
We prove that key-replication attacks are impossible in this case by showing that a successful key-replication attack would allow the attacker to launch forging attacks, contradicting the GDH assumption. We build a GDH solver for this case. takes as input a pair , simulates a similar environment for as does (Section 12.1.2) except the simulation of session activations at and the SessionStateReveal query.
- •
If is protected by the TPM, models and as follows:
- –
creates a Table and models as follows.
Randomly choose . 2. 2.
Set and . 3. 3.
Randomly choose an index , and add a record to . 4. 4.
Return and .
- –
With the input , models as follows:
Check whether (1) , (2) and are on the curve associated with , and (3) the last element of the record in indexed by is ‘’. If the above checks succeed, continue, else return an error. 2. 2.
Suppose the entry in indexed by is , set where , and set the last element of the entry to be . 3. 3.
Compute the session key , and return .
- •
Initiate:
- –
If is protected by the TPM, simulates this session activation with the help of .
- –
If is not protected by the TPM, simulates this session activation as follows with the help of a Table :
Randomly choose . 2. 2.
Set and . 3. 3.
Add an entry to . 4. 4.
Output .
- •
Respond:
If is protected by the TPM, simulates this session activation with the help of and . 2. 2.
If is not protected by the TPM, simulates this session activation as follows:
- (a)
Randomly choose . 2. (b)
Set and . 3. (c)
Compute where . 4. (d)
Output , and compute the session key .
- •
Complete:
If is protected by the TPM, simulates this session activation with the help of and . 2. 2.
If is not protected by the TPM, proceeds as follows:
- (a)
Check whether (1) , (2) and are on the curve associated with , and (3) the last element of the record in indexed by is ‘’. If the above checks succeed, continue, else return an error. 2. (b)
Suppose the entry in indexed by is , set where , set the last element of the entry to be , and compute the session key .
- •
SessionStateReveal: returns the session key of . Besides, also returns the 3-tuple . The reason that can return the 3-tuple of to is that in the above simulation of session activations at , we compute the 3-tuple of each session, and for other parties, is also able to compute the 3-tuple of each session.
Proof.
As provides with the 3-tuple of all exposed sessions, can query to obtain the 3-tuple of which equals of the test session . This means that successfully gets the 3-tuple of the test session without exposing or its matching session, namely, can launch the forging attack. We have proved that if can launch forging attacks, we can build a GDH solver . So can leverage to solve the CDH problem: . ∎
12.2.3 Analysis of Case 3
The analysis of Case 3 is similar to Case 2, and it can be easily completed following the analysis of Case 2.
13 Further Security Properties of
In this section, we analyze the KCI-resistance and weak PFS (wPFS) security properties of .
13.1 Resistance to KCI Attacks
The KCI-resistance property means that even if the attacker has obtained the long-term key of party , he cannot impersonate other parties to . We show that the Full UM protocol cannot achieve this security property by the following attack: generates an ephemeral key pair and initiates a session with as the identity of ; after receiving , generates its ephemeral key pair and computes its session key ; can also compute the session key of : . We now prove that the MQV and SM2 key exchange protocols of can achieve the KCI-resistance property.
Lemma 9*.*
Under the GDH assumption, the MQV and SM2 key exchange protocols of resist KCI attacks.
Proof.
Lemma 9 can be easily proved by slightly modifying the proof of MQV and SM2 key exchange protocols in Section 12. The only change to the proof in Section 12 is that all GDH solvers used to prove the security of MQV and SM2 key exchange protocols do not abort when corrupts . The proof remains valid because the above abort operations are not used in the proof (we add the abort of GDH solvers when is corrupted for compliance with the notion of the session exposure in the security model). ∎
13.2 Weak Perfect Forward Secrecy
Hrawczyk has proved that the implicitly AKE protocols cannot achieve the full PFS property and can only achieve weak PFS [17]: only the session keys that are established without the active involvement of the attacker enjoy PFS property.
Lemma 10*.*
Under the CDH assumption, provides weak PFS.
Proof.
Here we only outline the idea of the proof of Lemma 10, and the full proof can be completed following the proof in Section 12. We construct a CDH solver if successfully breaks the weak PFS security property. Let and be the inputs to , and the goal of is to compute . simulates the environment for as follows: it sets all parties’ long-term keys and chooses a random guess for the test session of the distinguishing game. We call the guessed session the g-session, denote the owner and the peer of the test session by and respectively, and denote their long-term private keys by and , respectively. sets the incoming and outgoing messages in the g-session to be and . If does choose the g-session as the test session and wins the distinguish game, he must compute the tuple of the test session in his run. We proceed to show that no matter what the type of is, can compute , i.e., .
Case : equals where . 2. 2.
Case : equals where ; since knows and , he can compute . 3. 3.
Case : equals where ; since knows and , he can compute .
∎
14 Conclusion
In this paper, we present a formal analysis of the secure communication interfaces of TPM 2.0 in a unified way. We construct a security model which takes account of the protections of the TPM on keys and protocols’ computation environments and eliminates group representation attacks existing in theory by measuring the entropy of the output of the and functions. The analysis results show that the current version of the key exchange primitive in TPM 2.0 can achieve the basic security property of modern security models, but its security is achieved under some impractical conditions: all devices in the network should be protected by the TPM, and security measures should be deployed to prevent sophisticated physical attacks, which can be used by attackers to obtain keys inside the TPM. Besides, the analysis results also show that the current version of the key exchange primitive in TPM 2.0 cannot achieve other security properties, such as KCI-resistance and weak PFS properties. We also give suggestions to engineers on how to use the key exchange primitive of TPM to implement key exchange protocols securely.
To eliminate the impractical conditions required by the TPM 2.0, we revise the key exchange primitive of TPM 2.0 and give a rigorous analysis of the revision. The analysis results show that our revision helps the key exchange primitive of TPM 2.0 not only enjoy the essential security property defined by modern AKE models in real-world networks but also achieve additional security properties: the MQV and SM2 key exchange protocols of TPM 2.0 enjoy the KCI-resistance property, and all the three protocols of TPM 2.0 enjoy the weak PFS property. Our revision only needs to modify one TPM command, and we give concrete suggestions on how to revise the TPM 2.0 specifications.
Acknowledgement
This work was supported by the National Natural Science Foundation of China (61802375, 61602325, 61876111, 61877040), the Project of Beijing Municipal Education Commission (KM20190028005), and the Open Research Fund of State Key Laboratory of Computer Architecture, ICT, CAS (CARCH201920).
Appendix A Kaliski’s UKS attack
We describe Kaliski’s UKS attack here to show how the attacker successfully mounts the attack by cleverly computing its long-term private key and the ephemeral public key .
sends an ephemeral public key to . 2. 2.
intercepts . 3. 3.
registers to the CA a key where is cleverly computed by the following steps:
- (a)
Choose ; 2. (b)
Compute , , , and . 4. 4.
sends to as the identity of . 5. 5.
relays the ephemeral key from to .
Note that , and therefore the keys computed in sessions and are identical.
Appendix B Xu’s attacks
Here we describe Xu’s two attacks on the SM2 key exchange protocol to show that in the first attack the attacker, needs to register a specific long-term public key, and in the second attack, needs to use the private key of to perform some computations.
B.1 Attack I
selects , and registers a carefully computed public key .
sends an ephemeral public key to . 2. 2.
intercepts and sends it to as the identity of . 3. 3.
sends its ephemeral public key to , and computes where and . 4. 4.
forwards to as the identity of . computes . 5. 5.
corrupts of session , and then can compute of session : , and further derives the session key of .
Note that the above attack shows that the corruption of session does affect the security of session , so the SM2 key exchange protocol cannot achieve the security defined by modern AKE security models.
B.2 Attack II
first registers a legal key .
sends an ephemeral public key to . 2. 2.
intercepts and sends () to as the identity of . 3. 3.
sends an ephemeral public key to and computes where and . 4. 4.
forwards it to . computes where and . 5. 5.
corrupts of session , computes of session : , and further derives the session key of .
Appendix C Group Representation Attack on MQV
For the benefit of the reader, we present the group representation attack on MQV here. Consider such a group that the representations of its elements satisfy that the LSBs of the representation of points’ -coordinate are fixed. We use to denote the fixed value. In this case, the value of MQV becomes . The attacker can launch the following attack:
randomly chooses and computes . 2. 2.
sends to as the identity of . 3. 3.
responds with , computes , and computes its session key . 4. 4.
can also compute the session key .
The above attack shows that can impersonate without knowing the private key of because of the special representations of the group elements.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] S. Zhao, Q. Zhang, A Unified Security Analysis of Two-phase Key Exchange Protocols in TPM 2.0, in: International Conference on Trust and Trustworthy Computing, Springer, 2015, pp. 40–57.
- 2[2] TCG, TPM Demonstrated as Key Element of Industries 4.0 at German IT Summit, https://trustedcomputinggroup.org/tpm-demonstrated-key-element-industries-4-0-german-summit (2015).
- 3[3] TCG, TCG TPM 2.0 Automotive Thin Profile - For TPM Family 2.0, Level 0 Revision 15 (2018).
- 4[4] TCG, Protection Profile Automotive - Thin Specific TPM for TCG TPM 2.0 Automotive Thin Profile Family 2.0 Level 0 (2018).
- 5[5] TCG, Trusted Platform Module Library Part 1: Architecture, Family 2.0, Level 00 Revision 01.38 (2016).
- 6[6] TCG, Trusted Platform Module Library Part 3: Commands Family 2.0, Level 00 Revision 01.38 (2016).
- 7[7] ARM, Security Technology - Building a Secure System using Trustzone Technology, ARM Technical White Paper (2009).
- 8[8] S. Blake-Wilson, A. Menezes, Unknown key-share attacks on the station-to-station (sts) protocol, in: Public Key Cryptography, Springer, 1999, pp. 154–170.
