The YAK is a public-key authenticated key-agreement protocol, proposed by Feng Hao in 2010. It is considered one of the simplest authenticated key exchange protocols among the related schemes, including MQV, HMQV, Station-to-Station protocol, SSL/TLS etc. The authentication is based on public key pairs. As with other protocols, YAK normally requires a Public Key Infrastructure to distribute authentic public keys to the communicating parties.
Description
Two parties, Alice and Bob, agree on a group with generator of prime order in which the discrete log problem is hard. Typically a Schnorr group is used. In general, YAK can use any prime order group that is suitable for public key cryptography, including elliptic curve cryptography. Let be Alice's long-term public key and be Bob's. The protocol executes in one round: Alice selects and sends out together with a zero-knowledge proof for the proof of the exponent. Similarly, Bob selects and sends out together with a zero-knowledge proof for the proof of the exponent. Here, the notation denotes an element selected randomly with uniform probability. The above communication can be completed in one round as neither party depends on the other. When it finishes, Alice and Bob verify the received zero-knowledge proofs. Alice then computes. Similarly, Bob computes. With the same keying material, Alice and Bob can derive a session key using a cryptographic hash function:.
Security properties
The use of well-established zero-knowledge proof primitives such as Schnorr's scheme greatly simplifies the security proofs. Given that the underlying zero knowledge proof primitive is secure, the YAK protocol is proved to satisfy the following properties.
Private key security – An attacker cannot learn the user's static private key even if he is able to learn all session-specific secrets in any compromised session.
Forward secrecy – Session keys that were securely established in the past uncorrupted sessions will remain incomputable in the future even when both users' static private keys are disclosed.
Session key security – An attacker cannot compute the session key if he impersonates a user but has no access to the user's private key.
In 2015, Toorani claimed that "the YAK protocol lacks joint key control and perfect forward secrecy attributes and is vulnerable to some attacks including unknown key-share and key-replication attacks." The claimed attacks were responded to by Hao. In 2020, Mohammad claimed that the YAK protocol cannot withstand a "new key compromise impersonation attack", in which the attacker is assumed to be able to access the ephemeral secret key of the honest party. It is shown that such an attacker is able to trivially break the session key in YAK. The author further showed that the same attack trivially breaks many other authenticated key exchange protocols including MQV and HMQV. Mohammad proposed "an improved YAK" by modifying the Schnorr signature and dispensing of the mandatory public key validation in YAK for both static and ephemeral keys. Finally, the author presented a formal model to prove the security of the proposed protocol. However, according to the "extreme adversary principle" stated in the original YAK paper, if a powerful attacker is allowed access to ephemeral secrets, he should be allowed to access all session-specific ephemeral secrets rather than any subset. A session key is part of the session-specific secrets. Therefore, if a powerful adversary has the capability to access an ephemeral secret in the user's computer memory, he has the capability to access the session key by definition.