On the Importance of Public-Key Validation in the MQV and HMQV Key Agreement Protocols

Menezes, Alfred; Ustaoğlu, Berkant

doi:10.1007/11941378_11

Cited by 48 publications

(40 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This can be achieved by checking that E is member of the supergroup, that E is not the identity element and that E q is equal to the identity element. The importance of this check -known as the public key validation -in key exchange protocols has been highlighted by Menezes and Ustagolu [4]. However, to validate a public key will require a full exponentiation over the finite group, which will significantly decrease the protocol efficiency and make it less appealing than its competitors.…”

Section: Preventing Small Subgroup Attacks On the Dragonfly Protocolmentioning

confidence: 99%

Cryptanalysis of the Dragonfly key exchange protocol

Clarke¹,

Hao²

2014

IET Information Security

View full text Add to dashboard Cite

Dragonfly is a password authenticated key exchange protocol that has been submitted to the Internet Engineering Task Force as a candidate standard for general internet use. We analyzed the security of this protocol and devised an attack that is capable of extracting both the session key and password from an honest party. This attack was then implemented and experiments were performed to determine the time-scale required to successfully complete the attack.

show abstract

Section: Preventing Small Subgroup Attacks On the Dragonfly Protocolmentioning

confidence: 99%

Cryptanalysis of the Dragonfly key exchange protocol

Clarke¹,

Hao²

2014

IET Information Security

View full text Add to dashboard Cite

show abstract

“…For example, both the SIG-DH [11] and (original) HMQV [7] protocols have been formally proven secure in the CK model. Yet attacks reported in [13] and [14] show that in both protocols, an attacker is able to disclose the user's private key. In the second requirement 5 , we use "full" to distinguish it from the "half" forward secrecy, which only allows one user's private key to be revealed (e.g., KEA+ [9]).…”

Section: Security Analysismentioning

confidence: 99%

On robust key agreement based on public key authentication

Hao

2012

Security Comm. Networks

View full text Add to dashboard Cite

Abstract-This paper discusses public-key authenticated key agreement protocols. First, we critically analyze several authenticated key agreement protocols and uncover various theoretical and practical flaws. In particular, we present two new attacks on the HMQV protocol, which is currently being standardized by IEEE P1363. The first attack presents a counterexample to invalidate the basic authentication in HMQV. The second attack is applicable to almost all past schemes, despite that many of them have formal security proofs. These attacks highlight the difficulty to design a crypto protocol correctly and suggest the caution one should always take.We further point out that many of the design errors are caused by sidestepping an important engineering principle, namely "Do not assume that a message you receive has a particular form (such as g r for known r) unless you can check this". Constructions in the past generally resisted this principle on the grounds of efficiency: checking the knowledge of the exponent is commonly seen as too expensive. In a concrete example, we demonstrate how to effectively integrate the zero-knowledge proof primitive into the protocol design and meanwhile achieve good efficiency. Our new key agreement protocol, YAK, has comparable computational efficiency to the MQV and HMQV protocols with clear advantages on security. Among all the related techniques, our protocol appears to be the simplest so far. We believe simplicity is also an important engineering principle.

show abstract

“…The protocol P claimed secure in the pre model, and not executable in the post model (unless "modified in a fundamental way") [24, section 3.1], is insecure in the pre model, if the considered security model is strong enough. 8 Ephemeral key validation is voluntarily omitted in the HMQV design [14], but the HMQV protocol is known to be insecure if ephemeral keys are not validated [23]. 9 We are aware of [16], which shows that under the RO model and the CDH assumption, the MQV variant wherein d and e are computed asH(X) andH(Y ), is secure in a model of their own design.…”

Section: Remarkmentioning

confidence: 99%

A New Security Model for Authenticated Key Agreement

Sarr

Elbaz-Vincent

Bajard

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The Canetti-Krawczyk (CK) and extended Canetti-Krawczyk (eCK) security models, are widely used to provide security arguments for key agreement protocols. We discuss security shades in the (e)CK models, and some practical attacks unconsidered in (e)CK-security arguments. We propose a strong security model which encompasses the eCK one. We also propose a new protocol, called Strengthened MQV (SMQV), which in addition to provide the same efficiency as the (H)MQV protocols, is particularly suited for distributed implementations wherein a tamper-proof device is used to store long-lived keys, while session keys are used on an untrusted host machine. The SMQV protocol meets our security definition under the Gap DiffieHellman assumption and the Random Oracle model.

show abstract

On the Importance of Public-Key Validation in the MQV and HMQV Key Agreement Protocols

Cited by 48 publications

References 18 publications

Cryptanalysis of the Dragonfly key exchange protocol

Cryptanalysis of the Dragonfly key exchange protocol

On robust key agreement based on public key authentication

A New Security Model for Authenticated Key Agreement

Contact Info

Product

Resources

About