In cryptography, a key-agreement protocol is a protocol whereby two or more parties that may not yet share a common key can agree on such a key. Preferably, both parties can influence the outcome so that neither party can force the choice of key. An attacker who eavesdrops on all communication between the two parties should learn nothing about the key. Yet, while the attacker who sees the same communication learns nothing or little, the parties themselves can derive a shared key.
Key agreement protocols are useful, e.g., to secure communication, e.g., to encrypt and/or authenticate messages between the parties.
Practical key agreements protocols were introduced in 1976 when Whitfield Diffie and Martin Hellman introduced the notion of public-key cryptography. They proposed a system for key agreement between two parties which makes use of the apparent difficulty of computing logarithms over a finite field GF(q) with q elements. Using the system, two users can agree on a symmetric key. The symmetric key may then be used for say, encrypted communication between the two parties.
The Diffie-Hellman system for key agreement is applicable when the parties do not yet have a shared secret. The Diffie-Hellman key agreement method requires resource-heavy mathematical operations, such as performing exponentiation operations over a finite field. Both the exponent and the field size may be large. This makes key agreement protocols less suitable for low-resource devices. On the other hand key agreement protocols would be very useful in resource-restrained devices. For example, in application areas such as the internet of things, ad-hoc wireless networks, and the like, key agreement could be used to protect links between devices. Another example is communication between a reader and an electronic tag, say a card reader and a smart card, or a tag reader and tag, e.g., an RFID tag or an NFC tag.
Another approach to the problem of setting up secure connections between pairs of network devices in a given communications network is given in C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro and M. Yung, “Perfectly-Secure Key distribution for Dynamic Conferences”, Springer Lecture Notes in Mathematics, Vol. 740, pp. 471-486, 1993 (referred to as ‘Blundo’).
This system assumes a central authority, also referred to as the network authority or as the Trusted Third Party (TTP), that generates a symmetric bivariate polynomial f(x,y), with coefficients in the finite field F with p elements, wherein p is a prime number or a power of a prime number. Each device has an identity number in F and is provided with local key material by the TTP. For a device with identifier η, the local key material is the coefficients of the polynomial f(η,y). If a device η wishes to communicate with device η′, it uses its key material to generate the key K(η, η′)=f(η, η′). As f is symmetric, the same key is generated. The local key material is secret. Knowledge of the local key material would directly compromise the system. In particular it would allow an eavesdropper to obtain the same shared key. The method requires that each device in a network of devices has its own unique identity number and local key material.
A problem of this key sharing scheme occurs if an attacker knows the key material of t+1 or more devices, wherein t is the degree of the bivariate polynomial. The attacker can then reconstruct the polynomial f(x,y). At that moment the security of the system is completely broken. Given the identity numbers of any two devices, the attacker can reconstruct the key shared between this pair of devices.
The Trusted Third Party forms a single point of failure. If the trusted third party is compromised, and its root key material is leaked, the key material of all network devices may be computed. All communication using keys derived, from the local key material, and ultimately from the root key material may be compromised, e.g. encryptions may be broken, authentication may be forged etc.
Indeed, the trusted third party itself could reconstruct the keying material of individual nodes and the key between any pair of nodes from its root key material and the nodes' identities. Thus, the TTP can overhear all communication in the network. This may be an undesirable situation is certain circumstances, as it requires a very high level of trust.