An unknown key-share attack on the MQV key agreement protocol

Kaliski, Burt

doi:10.1145/501978.501981

Cited by 114 publications

(88 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…In the Reset-1 model, the adversary directly picks random coins for the AKE participants, while in the Reset-2 model, the adversary does not pick random coins directly but can reset a participant so that the same random coins will be used in multiple AKE sessions. In addition, to capture Kaliski's online Unknown Key Share (UKS) attacks [12], our models allow the adversary to register malicious users with public keys of its own choice.…”

Section: Introductionmentioning

confidence: 99%

Authenticated Key Exchange under Bad Randomness

Yang

Duan

Wong

et al. 2012

Financial Cryptography and Data Security

View full text Add to dashboard Cite

Abstract. We initiate the formal study on authenticated key exchange (AKE) under bad randomness. This could happen when (1) an adversary compromises the randomness source and hence directly controls the randomness of each AKE session; and (2) the randomness repeats in different AKE sessions due to reset attacks. We construct two formal security models, Reset-1 and Reset-2, to capture these two bad randomness situations respectively, and investigate the security of some widely used AKE protocols in these models by showing that they become insecure when the adversary is able to manipulate the randomness. On the positive side, we propose simple but generic methods to make AKE protocols secure in Reset-1 and Reset-2 models. The methods work in a modular way: first, we strengthen a widely used AKE protocol to achieve Reset-2 security, then we show how to transform any Reset-2 secure AKE protocol to a new one which also satisfies Reset-1 security.

show abstract

Section: Introductionmentioning

confidence: 99%

Authenticated Key Exchange under Bad Randomness

Yang

Duan

Wong

et al. 2012

Financial Cryptography and Data Security

View full text Add to dashboard Cite

show abstract

“…The additional non-compromise assumption is about a , the long term secret of the principal E that B thinks he is communicating with [7,18,32]. MQV satisfies only this weaker form [27]. We focus on the stronger property here.…”

Section: Example 20mentioning

confidence: 99%

“…Moreover, important protocols, such as the implicitly authenticated key-agreement protocol MQV [7], appear to be out of reach of known symbolic techniques. Indeed, for these protocols, computational techniques have led to arduous proofs after which controversy remains [27,29,30,33]. In this paper, we develop algebraic ideas that allow us to give rigorous proofs of security goals such as authentication and confidentiality in a symbolic model.…”

mentioning

confidence: 99%

An Algebra for Symbolic Diffie-Hellman Protocol Analysis

Dougherty

Guttman

2013

Trustworthy Global Computing

View full text Add to dashboard Cite

Abstract. We study the algebra underlying symbolic protocol analysis for protocols using Diffie-Hellman operations. Diffie-Hellman operations act on a cyclic group of prime order, together with an exponentiation operator. The exponents form a finite field: this rich algebraic structure has resisted previous symbolic approaches. We define an algebra that validates precisely the equations that hold almost always as the order of the cyclic group varies. We realize this algebra as the set of normal forms of a particular rewriting theory. The normal forms allow us to define our crucial notion of indicator, a vector of integers that summarizes how many times each secret exponent appears in a message. We prove that the adversary can never construct a message with a new indicator in our adversary model. Using this invariant, we prove the main security goals achieved by UM, a protocol using Diffie-Hellman for implicit authentication. , appear to be out of reach of known symbolic techniques. Indeed, for these protocols, computational techniques have led to arduous proofs after which controversy remains [27,29,30,33]. In this paper, we develop algebraic ideas that allow us to give rigorous proofs of security goals such as authentication and confidentiality in a symbolic model. Moreover, our techniques also help identify the security goals that the protocol does not achieve.DH protocols work in a cyclic group of prime order q, which we will write multiplicatively, using an agreed-upon generator g. For a particular session, A and B choose random values x, y respectively, raising a base g to these scalar powers:

show abstract

“…It can be seen that h(z) = h 1 (z)/h 2 (z), where h 1 , h 2 ∈ F p [z] and deg(h 1 ) = 288. 10 If the polynomial h 1 has a root z in F p , then the associated point T is guaranteed to have order 16 in E (F p ). Since X can be chosen uniformly at random from E(F p ), it is reasonable to make the heuristic assumption that h 1 is a "random" degree-288 polynomial over F p .…”

Section: Theorem 1 Consider the Division Polynomialsmentioning

confidence: 99%

“…In [19] it was shown that the one-pass HMQV protocol succumbs to a Kaliskistyle unknown-key share attack [10] even if public keys are (fully) validated. The attack is 'on-line' in the sense that the adversary needs to have her static public key certified during the attack.…”

Section: Almost Validationmentioning

confidence: 99%

On the Importance of Public-Key Validation in the MQV and HMQV Key Agreement Protocols

Menezes

Ustaoğlu

2006

Progress in Cryptology - INDOCRYPT 2006

View full text Add to dashboard Cite

Abstract. HMQV is a hashed variant of the MQV key agreement protocol proposed by Krawczyk at CRYPTO 2005. In this paper, we present some attacks on HMQV and MQV that are successful if public keys are not properly validated. In particular, we present an attack on the twopass HMQV protocol that does not require knowledge of the victim's ephemeral private keys. The attacks illustrate the importance of performing some form of public-key validation in Diffie-Hellman key agreement protocols, and furthermore highlight the dangers of relying on security proofs for discrete-logarithm protocols where a concrete representation for the underlying group is not specified.

show abstract

An unknown key-share attack on the MQV key agreement protocol

Cited by 114 publications

References 17 publications

Authenticated Key Exchange under Bad Randomness

Authenticated Key Exchange under Bad Randomness

An Algebra for Symbolic Diffie-Hellman Protocol Analysis

On the Importance of Public-Key Validation in the MQV and HMQV Key Agreement Protocols

Contact Info

Product

Resources

About