Stronger Security of Authenticated Key Exchange

LaMacchia, Brian A.; Lauter, Kristin; Mityagin, Anton

doi:10.1007/978-3-540-75670-5_1

Cited by 488 publications

(564 citation statements)

References 15 publications

Supporting

Mentioning

528

Contrasting

Unclassified

Order By: Relevance

“…The CK model was used to demonstrate the security of many popular AKE protocols such as the ISO protocol [24,14], the SIGMA protocol [15,27], the HMQV protocol [26] and many more. Recently, LaMacchia et al [29] extended the CK model to a new model (referred to as eCK model). In their model, the adversary is allowed to compromise either the long-live keys or the ephemeral keys (the latter are related to the randomness) of the participants of a protocol session.…”

Section: Related Workmentioning

confidence: 99%

“…In their model, the adversary is allowed to compromise either the long-live keys or the ephemeral keys (the latter are related to the randomness) of the participants of a protocol session. There have been many discussions on the strength of the two (CK and eCK) models [29,33,11]. In [11], Boyd et al suggested that these two models are incomparable.…”

Section: Related Workmentioning

confidence: 99%

“…Although for AKE protocols resilience to the leakage of ephemeral secret key has been studied by Krawczyk [26] and by LaMacchia et al [29], their work is different from ours: firstly, ephemeral secret key is related but not equivalent to the randomness required by an AKE protocol, in particular, randomness may be required in other parts of the protocol; secondly, in the case of ephemeral secret key leakage, the adversary can only passively learn the ephemeral secret key, but not control its value. Another piece of work that is "somehow" related to ours is the work by Aiello et al [2] in which the JFK (Just Fast Keying) AKE protocol was proposed and discussions about the reuse of Diffie-Hellman (DH) exponents in multiple JFK AKE sessions were made.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Authenticated Key Exchange under Bad Randomness

Yang

Duan

Wong

et al. 2012

Financial Cryptography and Data Security

View full text Add to dashboard Cite

Abstract. We initiate the formal study on authenticated key exchange (AKE) under bad randomness. This could happen when (1) an adversary compromises the randomness source and hence directly controls the randomness of each AKE session; and (2) the randomness repeats in different AKE sessions due to reset attacks. We construct two formal security models, Reset-1 and Reset-2, to capture these two bad randomness situations respectively, and investigate the security of some widely used AKE protocols in these models by showing that they become insecure when the adversary is able to manipulate the randomness. On the positive side, we propose simple but generic methods to make AKE protocols secure in Reset-1 and Reset-2 models. The methods work in a modular way: first, we strengthen a widely used AKE protocol to achieve Reset-2 security, then we show how to transform any Reset-2 secure AKE protocol to a new one which also satisfies Reset-1 security.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Authenticated Key Exchange under Bad Randomness

Yang

Duan

Wong

et al. 2012

Financial Cryptography and Data Security

View full text Add to dashboard Cite

show abstract

“…Still later, more fully specified session identifiers that capture similar information to that of BR (e.g. [9]) have been utilized. Due to the simplicity of matching conversations and the natural session-identifier format that they epitomize, they will be employed in this work to capture partnering between sessions.…”

Section: Matching Conversationsmentioning

confidence: 99%

Computationally Analyzing the ISO 9798–2.4 Authentication Protocol

Hale

Boyd

2014

Security Standardisation Research

View full text Add to dashboard Cite

Abstract. We provide a computational analysis of the ISO 9798-2.4 mutual authentication standard protocol in the model of Bellare and Rogaway. In contrast to typical analyses of standardized protocols, we include the optional data fields specified in the standard by applying the framework of Rogaway and Stegers. To our knowledge this is the first application of the Rogaway-Stegers technique in a standardized protocol. As well as a precise definition of the computational security properties achieved by the protocol, our analysis supplies concrete security requirements for the cryptographic primitive applied, which are absent from the protocol standard. We show that a message authentication code can be used to replace the encryption primitive if desired and that if authenticated encryption is applied it must be strongly unforgeable.

show abstract

“…On the other hand, the extensions proposed by Krawczyk assumed a weak corruption model in which the adversary is allowed to compromise only the long-term private key of a party by issuing corrupt query. Later, LaMacchia et al [27] extended the CK model and proposed a unified model (called eCK model) which captures most of the desired security properties of key establishment protocols. We now briefly review the eCK model using some well known notations from earlier models.…”

Section: Security Model For Authenticated Key Exchangementioning

confidence: 99%

On the Connection Between Signcryption and One-Pass Key Establishment

Gorantla

Boyd

Nieto

Cryptography and Coding

View full text Add to dashboard Cite

Abstract. Key establishment between two parties that uses only one message transmission is referred to as one-pass key establishment (OPKE). OPKE provides the opportunity for very efficient constructions, even though they will typically provide a lower level of security than the corresponding multi-pass variants. In this paper, we explore the intuitive connection between signcryption and OPKE. By establishing a formal relationship between these two primitives, we show that with appropriate security notions, OPKE can be used as a signcryption KEM and vice versa. In order to establish the connection we explore the definitions of security for signcryption (KEM) and give new and generalised definitions. By making our generic constructions concrete we are able to provide new examples of signcryption KEMs and an OPKE protocol.

show abstract

Stronger Security of Authenticated Key Exchange

Cited by 488 publications

References 15 publications

Authenticated Key Exchange under Bad Randomness

Authenticated Key Exchange under Bad Randomness

Computationally Analyzing the ISO 9798–2.4 Authentication Protocol

On the Connection Between Signcryption and One-Pass Key Establishment

Contact Info

Product

Resources

About