Draft:Symmetric key agreement

= Symmetric Key Agreement =

Introduction
Symmetric Key Agreement (SKA) is a method for securely agreeing a secret key between two or more parties, using solely symmetric cryptography and cryptographic hash functions as cryptographic primitives. Key agreement protocols are synonymous with key exchange protocols and related to Symmetric Authenticated Key Exchange. At the end of the agreement, all parties share the same key. Secure agreement is defined relative to a security model, for example the Universal Model.

SKA may assume initial shared secrets, or a trusted third party with whom each of the agreeing parties shares a secret. If no third party is present, achieving SKA can be trivial: two parties that already share an initial secret have tautologically achieved SKA.

SKA contrasts with key-agreement protocols that include techniques from asymmetric cryptography, for example key encapsulation mechanisms.

A secure key agreement can ensure confidentiality and data integrity in communications systems, ranging from simple messaging applications to complex banking transactions. Symmetric-key protocols are needed in various low-resource applications, ranging from Wireless Sensor Networks (WSNs), Radio Frequency Identification (RFID) tags, smart cards, Controller Area Networks (CANs) for vehicular systems and smart homes, up to the industrial Internet of Things (IoT).

The initial exchange of a shared key must be done in a manner that is private and integrity-assured. Historically, this was achieved by physical means, such as by using a trusted courier.

SKA with N parties
One way to agree keys among a group of $$N$$ parties is for each pair of communicating parties to separately agree a symmetric key. However, this quickly becomes difficult to manage, as the number of keys required is $$N(N-1)/2$$. Moreover, there is also the problem of how each pair of parties agrees a symmetric key in the first place, sometimes referred to as the key distribution problem. SKA solves this by introducing a trusted third party that has a unique shared symmetric key with each party, agreed in advance. This reduces the number of pre-shared keys required to $$N$$.

Types of Secret Key Agreement
Boyd et al. classify two-party key agreement protocols according to two criteria:

 * whether a pre-shared key already exists or not;
 * the method of generating the session key.

The pre-shared key may be shared between the two parties, or each party may share a key with a trusted third party. If there is no secure channel (as may be established via a pre-shared key), it is impossible to create an authenticated session key.

The session key may be generated via key transport, key agreement, or a hybrid of the two. If there is no trusted third party, then the cases of key transport and hybrid session key generation are indistinguishable. SKA is concerned with protocols in which the session key is established using only symmetric primitives.

When evaluating protocols, it is important to state security goals and the security model. For example, it may be required for the session key to be authenticated. A protocol can be evaluated for success only in the context of its goals and attack model. An example of an adversarial model is the Dolev-Yao model.

Let us consider a toy example of SKA: Suppose that Alice and Bob want to share a key using SKA and that they each already have a secure communication channel established with a trusted third party, Tom. Tom can generate a new key and, using the secure communication channels, deliver that key to both Alice and Bob.

This toy example of SKA is very simplistic: for instance, it does not protect against replay attacks. Moreover, Tom knows the secret key agreed between Alice and Bob, and so if Tom at a later date is deemed untrustworthy, Alice and Bob’s shared key is insecure.

The Needham-Schroeder Symmetric Key Protocol
This protocol establishes a session key between two parties on the same network, using a server as a trusted third party. The original Needham-Schroeder protocol is vulnerable to a replay attack; timestamps and nonces are included in later variants to fix it. It forms the basis for the Kerberos protocol.
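The trusted-third-party exchange from the toy example (Tom issuing a key to Alice and Bob) and the Needham-Schroeder symmetric key protocol just described, as an added Python example that is not code from the original article. Tom (the server) shares a long-term key with each party, binds his reply to Alice's nonce, and places a timestamp in the ticket for Bob so that an old ticket is refused: the replay weakness and its timestamp fix mentioned above are both visible. The cipher is a toy encrypt-then-MAC construction built from HMAC-SHA256 so the script runs on the standard library alone; the JSON message layout, the party names and the 60-second freshness window are assumptions of this example, not part of the protocol specification.

```python
import hashlib
import hmac
import json
import secrets
import time

# Freshness window for the timestamp carried in Bob's ticket (assumed value).
MAX_TICKET_AGE = 60.0


def subkey(key: bytes, label: bytes) -> bytes:
    """Derive an independent sub-key from a long-term key with HMAC-SHA256."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher."""
    blocks = (length + 31) // 32
    out = b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range(blocks))
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || tag (stands in for a real AEAD)."""
    pt = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(pt, keystream(subkey(key, b"enc"), nonce, len(pt))))
    tag = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag first, then decrypt; any tampering raises before decryption."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    pt = bytes(c ^ s for c, s in zip(ct, keystream(subkey(key, b"enc"), nonce, len(ct))))
    return json.loads(pt)


class Server:
    """Tom: the trusted third party, holding a distinct long-term key per party."""
    def __init__(self, long_term_keys: dict):
        self.ltk = long_term_keys

    def issue(self, a: str, b: str, n_a: int, now: float) -> bytes:
        k_ab = secrets.token_bytes(32).hex()
        # Ticket for B, readable only under K_BS; the timestamp lets B reject old tickets.
        ticket = seal(self.ltk[b], {"key": k_ab, "peer": a, "ts": now})
        # Message 2 for A, bound to A's nonce so a replayed server reply is detected.
        return seal(self.ltk[a], {"n_a": n_a, "peer": b, "key": k_ab, "ticket": ticket.hex()})


class Party:
    def __init__(self, name: str, ltk: bytes):
        self.name, self.ltk, self.session_key = name, ltk, None

    def request_key(self, peer: str, server: Server, now: float) -> bytes:
        n_a = secrets.randbits(64)                        # message 1: A, B, N_A
        msg2 = unseal(self.ltk, server.issue(self.name, peer, n_a, now))
        if msg2["n_a"] != n_a or msg2["peer"] != peer:
            raise ValueError("stale or misdirected server reply")
        self.session_key = bytes.fromhex(msg2["key"])
        return bytes.fromhex(msg2["ticket"])              # message 3: {K_AB, A}_K_BS

    def answer_challenge(self, msg4: bytes) -> bytes:
        n_b = unseal(self.session_key, msg4)["n_b"]
        return seal(self.session_key, {"n_b": n_b - 1})   # message 5: {N_B - 1}_K_AB

    def accept_ticket(self, ticket: bytes, now: float) -> bytes:
        t = unseal(self.ltk, ticket)
        if now - t["ts"] > MAX_TICKET_AGE:
            raise ValueError("ticket too old: rejected as a possible replay")
        self.session_key, self.peer = bytes.fromhex(t["key"]), t["peer"]
        self.n_b = secrets.randbits(64)
        return seal(self.session_key, {"n_b": self.n_b})  # message 4: {N_B}_K_AB

    def verify_answer(self, msg5: bytes) -> bool:
        return unseal(self.session_key, msg5)["n_b"] == self.n_b - 1


def run_protocol(ticket_delay: float = 0.0):
    """Run the full exchange; returns (alice_key, bob_key, bob_accepted)."""
    ltk = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    tom, alice, bob = Server(ltk), Party("alice", ltk["alice"]), Party("bob", ltk["bob"])
    t0 = time.time()
    ticket = alice.request_key("bob", tom, t0)
    msg4 = bob.accept_ticket(ticket, t0 + ticket_delay)   # raises if presented too late
    msg5 = alice.answer_challenge(msg4)
    return alice.session_key, bob.session_key, bob.verify_answer(msg5)


def stale_ticket_rejected() -> bool:
    """A ticket presented long after issue fails Bob's freshness check."""
    try:
        run_protocol(ticket_delay=MAX_TICKET_AGE + 1)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    a_key, b_key, ok = run_protocol()
    print("session keys match:", a_key == b_key, "| handshake verified:", ok)
    print("stale ticket rejected:", stale_ticket_rejected())
```

Note that Tom still learns K_AB, exactly as in the toy example: the timestamp and nonces address replay, not the trust placed in the third party.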

Advantages

 * Efficiency and Speed: Symmetric key algorithms are typically faster and more efficient than their asymmetric counterparts. They require less computational power and processing time.


 * Simplicity: The simplicity of symmetric key cryptography, with its straightforward encryption and decryption process using a single key, makes it easier to implement and manage, especially in systems with limited resources.


 * Strong Security (with proper key management): When implemented correctly with secure key management practices, symmetric key cryptography can provide a high level of security. Algorithms like AES256 are known for their robustness and resistance to various attack vectors, including those posed by quantum computing.


 * Widespread Use, Acceptance, and Standardization: Symmetric key algorithms such as AES are widely accepted and used in numerous applications, from encrypting data on hard drives to securing online transactions, owing to their proven reliability and performance.

Disadvantages

 * Key Distribution Problem: Without the use of public-key cryptography, one may be left with undesirable key-management problems. Historically, the biggest challenge in symmetric cryptography is the secure distribution of the key. Both parties must have access to the secret key, and ensuring this without compromise over an insecure channel is a significant hurdle.


 * Scalability Issues: In scenarios where multiple parties need to communicate securely, symmetric key cryptography becomes less practical. Each pair of users requires a unique key, leading to a combinatorial explosion of keys to manage as the number of users increases.


 * Lack of Non-Repudiation: Symmetric key cryptography inherently lacks non-repudiation, meaning it cannot provide proof of the origin of a message. This is because the same key is used for both encryption and decryption, making it impossible to verify the message's sender uniquely. With a (usually online) trusted third party, however, non-repudiation can be provided using symmetric keys.


 * Risk of Key Compromise: Like all security algorithms, symmetric cryptography hinges on the secrecy of the key. If the key is compromised, the security of all encrypted data is at risk. This necessitates rigorous key management and often frequent key changes, adding to the system's complexity.


 * Use of a Trusted Third Party: For scalable SKA, a trusted third party must be used.

Initial Key Distribution for Symmetric Key Agreement
This section details the initial exchange of a shared key necessary for SKA.

Manual Keying
Manual key agreement is a process where the shared secret key used for encryption and decryption is exchanged or agreed upon manually between the communicating parties. This method, while straightforward, is primarily used in situations where automatic or electronic key exchange is not feasible or deemed less secure. In a manual key agreement, the secret key is typically selected and exchanged through direct, secure, face-to-face communication or via a trusted courier. For instance, two individuals might meet in person to agree upon a secret key, or an organization might use secure physical mail to distribute keys to its branches. This key is then used to encrypt and decrypt messages or data shared between these parties. While manual key exchange can significantly reduce the risk of interception during the exchange process, it also comes with challenges like scalability, key distribution logistics, and the risk of compromise during physical transfer. Additionally, maintaining the confidentiality of the key over time requires strict operational security practices. Manual key agreement is often found in more constrained environments or scenarios where digital key exchange mechanisms are not trusted or practical, such as in certain military or diplomatic communications.

Asymmetric cryptography
Key agreement is often achieved through well-established public key protocols like the Diffie-Hellman key exchange. This allows two parties to generate a shared secret key over an unsecured communication channel. The key is then used to encrypt data on the sender's end and decrypt it on the receiver's end, ensuring that only the parties who possess the key can access the information.

Protocols and Standards that permit SKA

 * TLS-PSK (Transport Layer Security with Pre-Shared Keys): An extension of the TLS protocol, TLS-PSK allows the use of pre-shared keys to establish secure communications between client and server. Used in scenarios where certificate-based authentication is not feasible or desired.


 * IPsec with PSK: In IPsec (Internet Protocol Security), pre-shared keys can be used as an authentication method in the IKE (Internet Key Exchange) phase. Commonly used in VPN (Virtual Private Network) configurations for establishing secure tunnels.


 * SSH (Secure Shell) with PSK: SSH supports the use of symmetric key cryptography with pre-shared keys for establishing secure remote connections. PSKs can be used for both session establishment and data encryption.


 * WPA-PSK (Wi-Fi Protected Access Pre-Shared Key): WPA and WPA2 standards support PSK mode, known as WPA-Personal, for securing Wi-Fi networks. PSK mode is widely used in home and small office Wi-Fi networks, where each user enters a shared password to connect.


 * IKEv2 with PSK: IKEv2, the second version of the Internet Key Exchange protocol used in IPsec, supports PSKs for authentication. Preferred in certain VPN implementations for its simplicity and ease of setup compared to certificate-based authentication.


 * EAP-PSK (Extensible Authentication Protocol-Pre-Shared Key): EAP-PSK is an authentication protocol that uses a pre-shared key for authenticating clients in wireless and point-to-point connections. Designed to simplify the authentication process while maintaining security.


 * SRTP (Secure Real-time Transport Protocol) with PSK: SRTP, used for encrypting and authenticating real-time transport protocol (RTP) streams (such as in Voice over IP), can employ PSKs for establishing security parameters.


 * NIST SP 800-71: Using symmetric key-wrapping schemes and replacing asymmetric digital signature schemes with symmetric-key message authentication schemes is one approach to replacing public key cryptographic key management in the relatively near term.


 * NSA CSfC Symmetric Key Management Requirements: Symmetric Pre-Shared Keys (PSKs) may be used instead of X.509 authentication certificates to provide quantum resistant cryptographic protection of classified information for CSfC solutions.


 * RFC 8784 Mixing Preshared Keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for Post-quantum Security


 * RFC 9206 Commercial National Security Algorithm (CNSA) Suite Cryptography for Internet Protocol Security (IPsec)


 * Juniper Networks SRX Series: supports Post-quantum Preshared Keys as defined in RFC 8784


 * Cisco: quantum-safe encryption using Post-quantum Preshared Keys by implementing RFC 8784, applicable to all IKEv2 and IPsec VPNs


 * Hewlett Packard Enterprise Virtual Intranet Access (VIA 4.4) provides secure VPN connectivity to an HPE Aruba Networking via RFC 8784 authentication


 * RFC 9258 Importing External Pre-Shared Keys (PSKs) for TLS 1.3


 * ISO/IEC 11770-2 IT Security techniques - Key management - Part 2: Mechanisms using symmetric techniques

Applications
Symmetric key agreement is widely used in various applications:


 * Secure Web Browsing: When you visit a website with HTTPS, symmetric cryptography is at work, protecting your data as it travels between your browser and the server.


 * Virtual Private Networks (VPNs): VPNs use symmetric encryption to secure data transmitted across unsecured networks, like public Wi-Fi.


 * Encrypted Messaging: Many messaging apps employ symmetric encryption to ensure that only the sender and receiver can read the messages.

Quantum Resistance
Quantum computing poses challenges to cryptography. Symmetric key algorithms like AES256 are considered quantum-resistant due to their inherent structural properties that make them resistant to practical quantum computing attacks. The most efficient known quantum attack against symmetric ciphers, Grover's algorithm, only provides a quadratic speedup. This means that an encryption method with a key of length $$n$$ bits would, in a quantum scenario, have its effective security reduced to $$n/2$$ bits. Therefore, AES256, which has a 256-bit key, would still offer a substantial 128 bits of security in a post-quantum world, making it a robust choice against the foreseeable capabilities of quantum computing. This level of security is still considered practically unbreakable with current and near-future quantum technology, positioning AES256 and similar symmetric algorithms as strong contenders in the realm of post-quantum cryptography. SKA automatically inherits the quantum resistance of the underlying symmetric key algorithm.