Cryptology ePrint Archive: Report 2020/778

SAKE+: Strengthened Symmetric-Key Authenticated Key Exchange with Perfect Forward Secrecy for IoT

Seyed Farhad Aghili and Amirhossein Adavoudi Jolfaei and Aysajan Abidin

Abstract: Lightweight authenticated key exchange (AKE) protocols based on symmetric-key cryptography are important in securing the Internet of Things (IoT). However, achieving perfect forward secrecy (PFS) is not trivial for AKE based on symmetric-key cryptography, as opposed to AKE based on public-key cryptography. The most recent proposals that provide PFS are SAKE and SAKE-AM. In this paper, we first take a closer look at these protocols and observe that they have some limitations, specially when deployed in the context of (industrial) IoT. Specifically, we show that if SAKE is used to establish parallel sessions between a server and multiple IoT nodes, then SAKE is susceptible to timeful attack. As for SAKE-AM, we show that an adversary can disrupt the availability by replaying messages from previous protocol sessions. We then propose SAKE+ that mitigates the timeful attack and that allows for concurrent execution of the protocol. Since traceability is a barrier for an AKE scheme in (industrial) IoT applications and SAKE-AM does not provide untraceability property, we improve upon SAKE-AM and propose SAKE+-AM that offers untraceability in addition to mitigating the replay attack. Finally, we prove the security and soundness of our schemes, and verify using a formal verification tool ProVerif.

Category / Keywords: cryptographic protocols / Authenticated key exchange, Forward secrecy, IoT, Symmetric-key crypto

Date: received 23 Jun 2020, last revised 14 Jul 2020

Contact author: seyedfarhad aghili at esat kuleuven be

Available format(s): PDF | BibTeX Citation

Note: Minor corrections.

Version: 20200714:112142 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]