Cryptology ePrint Archive: Report 2017/818

No-Match Attacks and Robust Partnering Definitions – Defining Trivial Attacks for Security Protocols is Not Trivial

Yong Li and Sven Schäge

Abstract: An essential cornerstone of the definition of security for key exchange protocols is the notion of partnering. It defines when two protocol instances can be considered to have communicated with each other and thus share important secret information. In all existing security definitions this serves as an important tool to exclude trivial attacks. The de-facto standard definition of partnering is that of (partial) matching conversations (MC), which essentially states that two processes are partnered if every message sent by the first is actually received by the second and vice versa. We show that proving security under MC-based definitions is error-prone. In particular, we provide several examples of protocols that claim to be secure under a MC-based security definition but where the security proof is actually flawed. To this end, we introduce no-match attacks, a new class of attacks that renders many existing security proofs invalid. Interestingly, no-match attacks do not seem to constitute practical attacks against the protocols in the sense that they compromise the secrecy of confidential parameters in real life applications. However, they propose serious, sometimes unsolvable obstacles to proofs in traditional security models. We show that no-match attacks are often hard to avoid in MC-based security definitions without a) modifications of the original protocol or b) resorting to the use of cryptographic primitives with special properties. Finally, we show several ways to thwart no-match attacks. Most notably and as one of our major contributions, we provide a conceptually new definition of partnering that circumvents the problems of a MC-based partnering notion while preserving all its advantages. Our new notion of partnering not only makes security definitions for key exchange model practice much more closely. In contrast to many other security notions of key exchange it also adheres to the high standards of good cryptographic definitions: it is general, supports cryptographic intuition, allows for efficient falsification, and provides a fundamental composition property that MC-based notions lack.

Category / Keywords: cryptographic protocols / protocols, definitions, partnering, no-match, original key

Original Publication (with minor differences): CCS'17

Date: received 28 Aug 2017

Contact author: sven schaege at rub de

Available format(s): PDF | BibTeX Citation

Version: 20170831:182045 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]