Tři chyby v protokolu IKE (Internet Key Exchange)26.02.2005
Abstract. Key derivation refers to the process by which an agreed upon large random number, often named master secret, is used to derive keys to encrypt and authenticate data. Practitioners and standardization bodies have usually used the random oracle model to get key material from a Diffie-Hellman key exchange. However, proofs in the standard model require randomness extractors to formally extract the entropy of the random master secret into a seed prior to derive other keys.
This paper presents three flaws in the security analysis and design of the Internet Key Exchange (IKE) protocol, quietly corrected in the draft of IKE version 2. They do not really endanger the use of the current version of IKE, since the security can be proved in the random oracle model. However, in the standard model, there is not yet any formal security proof. The first flaw is common in the theoretical security analysis of several key exchange protocols, and namely SIGMA and JFK, which are both the bases of IKE v2 of the IETF are conserned. It motivates the need of randomness extractors. The other flaws come from mistakes in the specification of IKE, and focus on mismatches between the recent security analysis of HMAC as a good randomness extractor, and its practical use in IKE. Since one problem comes from the probabilistic property of this extractor, we thereafter review some deterministic randomness extractors and suggest the 'Twist-AUgmented' technique, a new extraction method quite well-suited for Diffie-Hellman-like scenarios.