Security analysis of SM2 key exchange protocol in TPM2.0

Cited by: 20
Authors
Zhao, Shijun [1 ]
Xi, Li [1 ]
Zhang, Qianying [1 ]
Qin, Yu [1 ]
Feng, Dengguo [1 ]
Affiliations
[1] Chinese Acad Sci, Inst Software, Beijing 100190, Peoples R China
Funding
National Natural Science Foundation of China
Keywords
authenticated key exchange; SM2 key exchange; provable security; UKS attacks; key-compromise impersonation attacks; CK model; TPM2.0; AGREEMENT;
DOI
10.1002/sec.987
Chinese Library Classification (CLC)
TP [Automation technology; computer technology]
Discipline classification code
080201 [Mechanical manufacturing and automation]
Abstract
The newly released trusted platform module (TPM) specification, TPM2.0, adds cryptographic support for key exchange by providing SM2 authenticated key exchange (AKE) application programming interface (API) commands. Xu analyzed the SM2 AKE protocol and found that it was insecure in a common computing environment by presenting two types of unknown key share attacks. Here, we present another design weakness of the SM2 AKE protocol, which might mean that the protocol cannot be proven secure in modern security models. We also analyze the security of the SM2 AKE protocol in TPM2.0, whose running environment is very different, and find that (i) it does gain some security improvements through the protection capability provided by the two SM2 AKE commands of TPM2.0, but (ii) it still has some weaknesses, which might lead to unknown key share and key-compromise impersonation attacks because of the poor design of the TPM2.0 API. We remedy the weaknesses of the SM2 AKE protocol in TPM2.0 by slightly modifying one SM2 AKE command and finally give a formal proof of our solution in the Canetti and Krawczyk model. Our work shows that TPM2.0 could provide a provably secure SM2 AKE by slightly modifying one command. Copyright (C) 2014 John Wiley & Sons, Ltd.
Pages: 383 / 395
Page count: 13