Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal

Cremers, Cas; Feltz, Michèle

doi:10.1007/s10623-013-9852-1

Cited by 35 publications

(80 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For such AKE protocols, advanced security models have been defined (e.g., Rogaway 1993, 1995;Bellare et al 2000;Bresson and Manulis 2008;Canetti and Krawczyk 2001;Cremers and Feltz 2013;Katz and Yung 2003;Krawczyk 2005a;LaMacchia et al 2007]. We take these models as a starting point for our analysis.…”

Section: Background On Security Models For Authenticated Key Exchangementioning

confidence: 99%

“…NAXOS is resilient to adversaries that are capable of both RNR and SKR. Cremers and Feltz [2013] show that by applying a signature-based transformation, protocols that are secure in an eCK-like model can be made to additionally satisfy a strong notion of perfect-forward secrecy. The SIG(NAXOS) protocol is the result of applying this transformation to the NAXOS protocol.…”

Section: Bkementioning

confidence: 99%

“…Most research on adversary compromise has been performed in the context of key-exchange protocols in the computational setting (e.g., Rogaway 1993, 1995;Bellare et al 2000;Bresson and Manulis 2008;Canetti and Krawczyk 2001;Cremers and Feltz 2013;Katz and Yung 2003;Krawczyk 2005a;LaMacchia et al 2007;Shoup 1999]). In general, any two computational models are incomparable due to (often minor) differences not only in the adversary notions, but also in the definitions of partnership, the execution models, and security property specifics.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Know Your Enemy

Basin

Cremers

2014

ACM Trans. Inf. Syst. Secur.

Self Cite

View full text Add to dashboard Cite

We present a symbolic framework, based on a modular operational semantics, for formalizing different notions of compromise relevant for the design and analysis of cryptographic protocols. The framework's rules can be combined to specify different adversary capabilities, capturing different practically-relevant notions of key and state compromise. The resulting adversary models generalize the models currently used in different domains, such as security models for authenticated key exchange. We extend an existing securityprotocol analysis tool, Scyther, with our adversary models. This extension systematically supports notions such as weak perfect forward secrecy, key compromise impersonation, and adversaries capable of statereveal queries. Furthermore, we introduce the concept of a protocol-security hierarchy, which classifies the relative strength of protocols against different adversaries.In case studies, we use Scyther to analyse protocols and automatically construct protocol-security hierarchies in the context of our adversary models. Our analysis confirms known results and uncovers new attacks. Additionally, our hierarchies refine and correct relationships between protocols previously reported in the cryptographic literature.

show abstract

Section: Background On Security Models For Authenticated Key Exchangementioning

confidence: 99%

Section: Bkementioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Know Your Enemy

Basin

Cremers

2014

ACM Trans. Inf. Syst. Secur.

Self Cite

View full text Add to dashboard Cite

show abstract

“…The ephemeral‐key reveal query was introduced in the extended CK (eCK) model instead of the session‐state reveal query in the original model 10 therefore, many security models have been proposed to clarify what kinds of information could be revealed from session state 11–17 . The continual leakage security models emerged prominently due to side‐channel attacks; therefore, many security models are developed to cope with continually revealing long‐term and short‐term secrets in the case of establishing a session key during the cryptographic protocol run 18–24 …”

Section: Introductionmentioning

confidence: 99%

Cryptanalysis and improvement of the YAK protocol with formal security proof and security verification via Scyther

Mohammad

2020

Int J Communication

View full text Add to dashboard Cite

Hao proposed the YAK as a robust key agreement based on public-key authentication, and the author claimed that the YAK protocol withstands all known attacks and therefore is secure against an extremely strong adversary. However, Toorani showed the security flaws in the YAK protocol. This paper shows that the YAK protocol cannot withstand the known key security attack, and its consequences lead us to introduce a new key compromise impersonation attack, where an adversary is allowed to reveal both the shared static secret key between two-party participation and the ephemeral private key of the initiator party in order to mount this attack. In addition, we present a new security model that covers these attacks against an extremely strong adversary. Moreover, we propose an improved YAK protocol to remedy these attacks and the previous attacks mentioned by Toorani on the YAK protocol, and the proposed protocol uses a verification mechanism in its block design that provides entity authentication and key confirmation. Meanwhile, we show that the proposed protocol is secure in the proposed formal security model under the gap Diffie-Hellman assumption and the random oracle assumption. Moreover, we verify the security of the proposed protocol and YAK protocol by using an automatic verification method such as the Scyther tool, and the verification result shows that the security claims of the proposed protocol are proven, in contrast to those of the YAK protocol, which are not proven. The security and performance comparisons show that the improved YAK protocol outperforms previous related protocols. K E Y W O R D Sauthenticated key agreement, cryptanalysis, eCK, formal security model, key compromise impersonation, known key security, Scyther tool | INTRODUCTIONAs a result of the rapid development in the Internet of Things (IoT)-related applications in daily life, which uses diverse communication devices, securing data has become a more challenging task. Due to a diverse powerful adversary for revealing secret information from a party's participation via the open communication model, many formal security models and automated verification tools have been developed for finding security flaws in proposed new protocols before implementing them in applications. Consequently, secret key distribution and user authentication became the most important security issues in IoT. Nowadays, the security proof and verification process of an Authenticated Key Agreement (AKA) protocol in the formal security model is important for successful IoT applications.Diffie-Hellman (DH) key exchange protocol is a fundamental building block to distribute a shared secret key over an insecure communication model, 1 which is based on the concept of asymmetric cryptography. The shared secret key is used to provide confidentiality, integrity, nonrepudiation, and authenticity for data during transmission over an untrusted communication model. An AKA protocol is based on a public key, wherein the two intended participating parties exchange static and ephemeral ...

show abstract

“…Based on adversarial role either as an active or passive attacker in the session under attack, we have the notions of perfect forward secrecy (PFS) and weak-PFS, respectively. The eCK-PFS security model [27] considers the PFS as a security requirement for AKE protocols. Resilience to the KCI attack is also desirable for AKE protocols and has been added as a required security attribute in the HMQV, eCK, and subsequent security models.…”

Section: Introductionmentioning

confidence: 99%

Security analysis of the IEEE 802.15.6 standard

Toorani

2016

Int J Communication

View full text Add to dashboard Cite

A wireless body area network (WBAN) consists of low-power devices that are capable of sensing, processing, and wireless communication. WBANs can be used in many applications such as military, ubiquitous health care, entertainment, and sport. The IEEE Std 802.15.6-2012 is the latest international standard for WBAN. In this paper, we scrutinize the security structure of the IEEE 802.15.6-2012 standard and perform a security analysis on the cryptographic protocols in the standard. We show that some protocols have subtle security problems and are vulnerable to different attacks. Such vulnerabilities neutralize the security provisions in the standard specifically for medical applications that deal with sensitive information and security problems can be life-threatening.

show abstract

Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal

Cited by 35 publications

References 14 publications

Know Your Enemy

Know Your Enemy

Cryptanalysis and improvement of the YAK protocol with formal security proof and security verification via Scyther

Security analysis of the IEEE 802.15.6 standard

Contact Info

Product

Resources

About