Abstract. Authenticated Key Establishment (AKE) protocols enable two entities, say a client (or a user) and a server, to share common session keys in an authentic way. In this paper, we review AKE protocols from a slightly different point of view, i.e., the relationship between the information a client needs to possess (for authentication) and immunity to the respective leakage of stored secrets from the client side and the server side. Since information leakage is more conceivable than breaking the underlying cryptosystems, it is desirable to enhance the immunity to such leakage. First and foremost, we categorize AKE protocols according to how much resilience against leakage they can provide. Then, we propose new AKE protocols that have immunity to the leakage of stored secrets from a client and a server (or servers), respectively. Finally, we extend our protocols to allow updating of the secret values registered in the server(s) or of the password remembered by the client.
Abstract. At Indocrypt 2005, Viet et al. [22] proposed an anonymous password-authenticated key exchange (PAKE) protocol and its threshold construction, both of which are designed for a client's password-based authentication and anonymity against a passive server, who does not deviate from the protocol. In this paper, we first point out that their threshold construction is completely insecure against off-line dictionary attacks. For the threshold t > 1, we propose a secure threshold anonymous PAKE (for short, TAP) protocol with the number of clients n upper-bounded, such that n ≤ 2√(N − 1) − 1, where N is the dictionary size of passwords. We rigorously prove that the TAP protocol has semantic security of session keys in the random oracle model by showing a reduction to the computational Diffie-Hellman problem. In addition, the TAP protocol provides unconditional anonymity against a passive server. For the threshold t = 1, we propose an efficient anonymous PAKE protocol that significantly improves efficiency in terms of computation costs and communication bandwidth compared to the original (not threshold) anonymous PAKE protocol [22].

Key words: password authentication, key exchange, PAKE, anonymity, provable security

At Indocrypt 2008, Yang and Zhang [25] showed two attacks on the TAP (threshold t ≥ 2) protocol, and then proposed the NAPAKE (i.e., t = 1) and D-NAPAKE (i.e., t ≥ 2) protocols. Here, we add some comments on their paper [25].

Preface

About two attacks on the TAP (t ≥ 2) protocol. In [25], they showed two insider attacks on legitimate clients in the TAP (t ≥ 2) protocol. However, we proved AKE security and unilateral authentication of the TAP (t ≥ 2) protocol against an adversary A ∉ {C_1, ..., C_n, S}, where C = {C_1, ..., C_n} is the set of all clients and S is the server (see the security model in Section 4). Of course, we agree that considering insider attacks and finding a solution is one of the research directions in cryptography.

In Appendix B, we give a simple countermeasure for the TAP (t ≥ 2) protocol against the two attacks (i.e., the impersonation attack and the off-line dictionary attack). In fact, we considered keyword search as an application of the TAP (t ≥ 2) protocol and, in such applications, the off-line dictionary attack of legitimate clients is not possible because each share does not need to be transmitted to other parties.

The D-NAPAKE protocol is not a threshold anonymous PAKE! In Appendix C, we show an attack on the D-NAPAKE (i.e., t ≥ 2) protocol of [25] where only one legitimate client can impersonate any subgroup of clients to the server. That actually means that the D-NAPAKE (t ≥ 2) protocol is NOT a threshold anonymous PAKE protocol, unlike the authors' claim.

This is the full version of [20].
Abstract. This document describes an efficient augmented password-only authentication and key exchange (AugPAKE) protocol where a user remembers a low-entropy password and its verifier is registered in the intended server. In general, the user password is chosen from a small set of dictionary words that allows an attacker to perform exhaustive searches (i.e., off-line dictionary attacks). The AugPAKE protocol described here is secure against passive attacks, active attacks, and off-line dictionary attacks (on the messages obtained with passive/active attacks), and also provides resistance to server compromise (in the context of augmented PAKE security). In addition, this document describes how the AugPAKE protocol is integrated into the Internet Key Exchange Protocol version 2 (IKEv2).

Status of This Memo

This document is not an Internet Standards Track specification; it is published for examination, experimental implementation, and evaluation. This document defines an Experimental Protocol for the Internet community. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6628.
Abstract. Network mobility introduces far more complexity than host mobility. Therefore, host mobility protocols such as Mobile IPv6 (MIPv6) need to be extended to support this new type of mobility. To address the extensions needed for network mobility, the IETF NEMO working group has recently standardized the network mobility basic support protocol in RFC 3963. However, this RFC does not mention how authentication, authorization and accounting (AAA) issues are handled in the NEMO environment. Also, the use of IPsec to secure NEMO procedures does not provide robustness against leakage of stored secrets. To address this security issue and to achieve AAA with mobility, we propose new handover procedures to be performed by mobile routers and by visiting mobile nodes. This new handover procedure is based on the leakage-resilient authenticated key establishment (LR-AKE) protocol. Using analytical models, we evaluate the proposed handover procedure in terms of handover delay, which affects session continuity. Our performance evaluation is based on transmission, queueing and encryption delays over wireless links.

Index Terms: Authenticated key exchange, authentication authorization accounting (AAA), handover delay, IP-based mobile networks, leakage resilience, mobile IPv6 (MIPv6), mobile routers, NEMO, session continuity, visiting mobile nodes.