In the last episode of the authenticated Diffie-Hellman Key Exchange series, we thwarted Susan's plot to impersonate Alice long-term after a leak of Alice's ephemeral key $a$ by adding an element of freshness to $\operatorname{sig_{Alice}}(g^a)$. We ended up with the Basic Authenticated Diffie-Hellman Key Exchange (BADH) protocol:

1. Alice $\rightarrow$ Bob: $(\mathit{I_{Alice}}, g^a)$
2. Alice $\leftarrow$ Bob: $(\mathit{I_{Bob}}, g^b, \operatorname{sig_{Bob}}(g^a, g^b))$
3. Alice $\rightarrow$ Bob: $\operatorname{sig_{Alice}}(g^a, g^b)$

Unfortunately, BADH is vulnerable to another class of attack: the Unknown Key Share (UKS) attack, a.k.a. the Identity Misbinding Attack [DVW92, K18].

### The Identity Misbinding Attack

Alice has a checking account with Bob, a big bank. She wants to deposit $1000 to her account. This is what happens most of the time:

1. Alice $\rightarrow$ Bob: $(\mathit{I_{Alice}}, g^a)$
2. Alice $\leftarrow$ Bob: $(\mathit{I_{Bob}}, g^b, \operatorname{sig_{Bob}}(g^a, g^b))$
3. Alice $\rightarrow$ Bob: $\operatorname{sig_{Alice}}(g^a, g^b)$
4. Alice $\rightarrow$ Bob: $\operatorname{Enc}(k_{g^{ab}}, \textrm{Deposit 1000})$

Bob deduces from the session key $k_{g^{ab}}$ that the $1000 are to be deposited to Alice's account.

Enter Eve. Eve also has an account with Bob, but the next time Alice makes a deposit to her account, Eve wants to divert the funds to her own account. So she intercepts the next Alice-Bob session like this:

1. Alice $\rightarrow$ Eve: $(\mathit{I_{Alice}}, g^a)$
2. Eve $\rightarrow$ Bob: $(\mathit{I_{Eve}}, g^a)$
3. Eve $\leftarrow$ Bob: $(\mathit{I_{Bob}}, g^b, \operatorname{sig_{Bob}}(g^a, g^b))$
4. Alice $\leftarrow$ Eve:  $(\mathit{I_{Bob}}, g^b, \operatorname{sig_{Bob}}(g^a, g^b))$
5. Alice $\rightarrow$ Eve: $\operatorname{sig_{Alice}}(g^a, g^b)$
6. Eve $\rightarrow$ Bob: $\operatorname{sig_{Eve}}(g^a, g^b)$
7. Alice $\rightarrow$ Eve: $\operatorname{Enc}(k_{g^{ab}}, \textrm{Deposit 1000})$
8. Eve $\rightarrow$ Bob: $\operatorname{Enc}(k_{g^{ab}}, \textrm{Deposit 1000})$

Here is what happens in plain terms:

1. Alice initiates the BADH handshake with Bob, but Eve intercepts the message.
2. Eve forwards Alice's handshake message to Bob, but replaces $\mathit{I_{Alice}}$ with her ID $\mathit{I_{Eve}}$. She also keeps a copy of $g^a$ for later.
3. Bob thinks that Eve wants to BADH-handshake (because of the $\mathit{I_{Eve}}$ in the handshake message), so he replies accordingly. Note though that the public key that Eve offered is Alice's $g^a$ and not her own $g^e$.
4. Eve forwards Bob's reply to Alice, unchanged.
5. Alice completes the BADH handshake, but Eve intercepts that message again.
6. Eve once again substitutes her identity $\mathit{I_{Eve}}$ for $\mathit{I_{Alice}}$ in Alice's final handshake message and forwards the result to Bob. Note that Eve has all the ingredients to create $\operatorname{sig_{Eve}}(g^a, g^b)$ from scratch: she got $g^a$ in step 1 and $g^b$ in step 3. Alice's own signature, which is no longer needed, she simply drops.
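As an added illustration (not part of the original article), here is a small Python model of the two runs above: the honest BADH session and Eve's relay. The group parameters and the per-identity signing keys are constructed toys, and a real signature scheme is stood in for by an HMAC whose key the verifier selects by the identity the handshake claims, which is exactly the binding BADH relies on.

```python
import hashlib
import hmac
import secrets

# Constructed toy group (2^64 - 59 is prime); far too small for real use.
P, G = 0xFFFFFFFFFFFFFFC5, 5
# Stand-in signing keys, one per identity (constructed, not a real PKI).
KEYS = {"Alice": b"k-alice", "Bob": b"k-bob", "Eve": b"k-eve"}


def sign(who, *vals):
    # Stand-in for sig_who(vals): HMAC under who's key over the joined values.
    msg = b"|".join(str(v).encode() for v in vals)
    return hmac.new(KEYS[who], msg, hashlib.sha256).digest()


def verify(claimed, sig, *vals):
    # The verifier picks the key by the identity the message claims.
    return hmac.compare_digest(sign(claimed, *vals), sig)


def kdf(shared):
    # k_{g^ab}: derive a short session key from the shared DH value.
    return hashlib.sha256(str(shared).encode()).hexdigest()[:16]


def run_badh(relay=None):
    """Run BADH between Alice and Bob. `relay` names an identity that rewrites
    I_Alice in the messages Bob sees (Eve in the misbinding attack)."""
    a = secrets.randbelow(P - 2) + 1
    ga = pow(G, a, P)
    claimed = relay or "Alice"              # msg 1 as Bob receives it
    b = secrets.randbelow(P - 2) + 1
    gb = pow(G, b, P)
    msg2 = ("Bob", gb, sign("Bob", ga, gb)) # msg 2, forwarded unchanged
    if not verify(msg2[0], msg2[2], ga, gb):
        raise ValueError("Alice rejects Bob's signature")
    alice_key = kdf(pow(gb, a, P))
    sig3 = sign(claimed, ga, gb)            # honest: Alice signs; attack: Eve re-signs
    if not verify(claimed, sig3, ga, gb):
        raise ValueError("Bob rejects the third message")
    bob_key = kdf(pow(ga, b, P))
    # Bob credits the deposit encrypted under bob_key to the account of `bob_peer`.
    return {"alice_peer": msg2[0], "bob_peer": claimed,
            "same_key": alice_key == bob_key}


if __name__ == "__main__":
    print("honest:", run_badh())
    print("attack:", run_badh(relay="Eve"))
```

In both runs every signature verifies and both sides hold the same key; the only difference is that in the attacked run Bob believes that key is shared with Eve, so the deposit lands in her account.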

### UKS: The "differential cryptanalysis of KE protocols"

According to Hugo Krawczyk, Unknown Key Share attacks are to the world of Key Exchange protocols what differential cryptanalysis is to the world of symmetric block ciphers. Both classes of attack are extremely powerful and have broken many established protocols that were deemed secure.

### A cure against UKS?

So how do we fix BADH? Is there a cure against UKS? Hang on till the next article.