2017
DOI: 10.1007/978-3-662-54388-7_12
|View full text |Cite
|
Sign up to set email alerts
|

A Modular Security Analysis of EAP and IEEE 802.11

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
1
1
1
1

Citation Types

0
4
0

Year Published

2018
2018
2023
2023

Publication Types

Select...
3
3
1

Relationship

0
7

Authors

Journals

citations
Cited by 9 publications
(4 citation statements)
references
References 22 publications
0
4
0
Order By: Relevance
“…Computational security proofs for real world protocols have a long history (e.g., [11,13,14,16,27,30]). As described earlier, due to the usage of the channel key in the handshake of TLS 1.2, the ACCE model was introduced by Jager et al [23] (which was later also used in [3,6,8,9]) as a proof of key indistinguishability was impossible without considering a modified protocol variant. To further analyze the security of TLS 1.2 without client authentication, Krawczyk et al [27] and Kohlar et al [26] independently proposed a variant of the ACCE model.…”
Section: Related Workmentioning
confidence: 99%
See 1 more Smart Citation
“…Computational security proofs for real world protocols have a long history (e.g., [11,13,14,16,27,30]). As described earlier, due to the usage of the channel key in the handshake of TLS 1.2, the ACCE model was introduced by Jager et al [23] (which was later also used in [3,6,8,9]) as a proof of key indistinguishability was impossible without considering a modified protocol variant. To further analyze the security of TLS 1.2 without client authentication, Krawczyk et al [27] and Kohlar et al [26] independently proposed a variant of the ACCE model.…”
Section: Related Workmentioning
confidence: 99%
“…In case (b), the sender's long-term DH share is encrypted under the current key k and the resulting ciphertext is hashed into h and sent to the partner (lines 12-13). 6 If (c) a DH secret is computed, the current ck together with this DH secret are given as input to an invocation of the KDF (lines 5,9,14). For each encryption during the handshake in which a key k was already computed, a ciphertext under this current key k is derived by encrypting a payload m or (if no payload exists yet) an empty string .…”
Section: Noise Protocol Patternsmentioning
confidence: 99%
“…We also do not consider distinctions between e.g., the User Plane, Control Plane, Radio Resource Control, Access Stratum, and Non-Access Stratum, except where these make a difference to the 5G-AKA protocol's behaviour. We do not model the EAP-AKA protocol (described in [5, §6.1.3.1] and RFC 5448 [10]) as it and the very closely related EAP-AKA protocol have been studied in depth elsewhere [8], [14], [22]. Integrating a model of EAP-AKA into our models of 5G-AKA would be useful future work: analysing their composition would be useful and non-trivial, as EAP-AKA also makes use of the same long-term key K.…”
Section: Modelling Limitationsmentioning
confidence: 99%
“…Other approaches to delegated or proxied AKE protocols exist. Composition-centric approaches, such as those of Brzuska et al [11], [10] and Jacobsen [24] capture the threeparty handshake usually deployed in WLANs (also called the 4-way-handshake protocol). The main goals of that work is to prove that a handshake consisting of three separate executions of different AKE protocols, relying on different credentials, can still yield a secure channel.…”
Section: Prototype Implementationmentioning
confidence: 99%