ASICS: Authenticated Key Exchange Security Incorporating Certification Systems

Boyd, Colin; Cremers, Cas; Feltz, Michèle; Paterson, Kenneth G.; Poettering, Bertram; Stebila, Douglas

doi:10.1007/978-3-642-40203-6_22

Cited by 20 publications

(4 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Note that this proposition also is not secure to aKCI attacks. In [40] the authors analyzed security model with the adversary registering arbitrary bit strings as keys. They showed generic results for protocols that achieve security even if some keys have been produced maliciously in this way.…”

Section: Previous Workmentioning

confidence: 99%

Deniable Key Establishment Resistance against eKCI Attacks

Krzywiecki

Wlisłocki

2017

Security and Communication Networks

View full text Add to dashboard Cite

In extended Key Compromise Impersonation (eKCI) attack against authenticated key establishment (AKE) protocols the adversary impersonates one party, having the long term key and the ephemeral key of the other peer party. Such an attack can be mounted against variety of AKE protocols, including 3-pass HMQV. An intuitive countermeasure, based on BLS (Boneh-Lynn-Shacham) signatures, for strengthening HMQV was proposed in literature. The original HMQV protocol fulfills the deniability property: a party can deny its participation in the protocol execution, as the peer party can create a fake protocol transcript indistinguishable from the real one. Unfortunately, the modified BLS based version of HMQV is not deniable. In this paper we propose a method for converting HMQV (and similar AKE protocols) into a protocol resistant to eKCI attacks but without losing the original deniability property. For that purpose, instead of the undeniable BLS, we use a modification of Schnorr authentication protocol, which is deniable and immune to ephemeral key leakages.

show abstract

Section: Previous Workmentioning

confidence: 99%

Deniable Key Establishment Resistance against eKCI Attacks

Krzywiecki

Wlisłocki

2017

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…For key exchange protocols, this approach was pioneered by Bellare, Canetti, and Krawczyk [26] and other transformations have been proposed by Kudla and Paterson [73], Cremers and Feltz [53], and Boyd et al [40]. This kind of result constitutes a natural target for machine-checked proofs, since the cost overhead of building such proof is justified by its multiple applications.…”

Section: Modular Machine-checked Proofsmentioning

confidence: 99%

“…If a protocol Π is secure with respect to an adversary model M, then Π can be transformed into a (more complicated) protocol Π that is secure with respect to a stronger adversary model M . For key exchange, this approach was pioneered by Bellare, Canetti, and Krawczyk [26] and other transformations have been proposed by Kudla and Paterson [73], Cremers and Feltz [53], and Boyd et al [40]. However, existing transformations have several drawbacks, in particular: the transformation in [26] cannot be applied to many protocols of interest; the transformations in [53,40] assume that the initial protocol is already secure in the eCK model; and the transformation in [73] only supports proofs under Gap assumptions, predates the eCK model and is only applicable to weaker security models.…”

Section: Modular Machine-checked Proofs Of One-round Key Exchange Promentioning

confidence: 99%

“…We slightly deviate from the original definition by removing the identities fromh's input (like in MQV) and includingÂ,B, X and Y as input to the key derivation hash. Including additional session data in the hash is considered a prudent engineering principle [40] because it ensures agreement on this data. Second, it allows us to apply our generic proof directly since the resulting protocol satisfies P3.…”

Section: Protocols Without Naxos Trickmentioning

confidence: 99%

See 1 more Smart Citation