Security Analysis of KEA Authenticated Key Exchange Protocol

Lauter, Kristin; Mityagin, Anton

doi:10.1007/11745853_25

Cited by 65 publications

(68 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Lauter and Mityagin [33] produced the KEA+ protocol from the KEA protocol and Protocol 4 in [7] by incorporating the identifiers of the user and its peer in the session key computation to prevent UKS attacks; however, a similar UKS attack first identified in the current paper still works on the KEA+ protocol. This attack involves (a) a type of impersonation during key registration [44, p. 3] as it requires the adversary to successfully impersonate a user to the CA who then issues a certificate containing the user's identifier, but the adversary's valid public key, and (b) impersonation of that user during the key exchange phase.…”

Section: Capturing Attacksmentioning

confidence: 99%

ASICS: authenticated key exchange security incorporating certification systems

Boyd

Cremers

Feltz³

et al. 2016

Int. J. Inf. Secur.

View full text Add to dashboard Cite

Abstract. Most security models for authenticated key exchange (AKE) do not explicitly model the associated certification system, which includes the certification authority (CA) and its behaviour. However, there are several well-known and realistic attacks on AKE protocols which exploit various forms of malicious key registration and which therefore lie outside the scope of these models. We provide the first systematic analysis of AKE security incorporating certification systems (ASICS). We define a family of security models that, in addition to allowing different sets of standard AKE adversary queries, also permit the adversary to register arbitrary bitstrings as keys. For this model family we prove generic results that enable the design and verification of protocols that achieve security even if some keys have been produced maliciously. Our approach is applicable to a wide range of models and protocols; as a concrete illustration of its power, we apply it to the CMQV protocol in the natural strengthening of the eCK model to the ASICS setting.

show abstract

Section: Capturing Attacksmentioning

confidence: 99%

ASICS: authenticated key exchange security incorporating certification systems

Boyd

Cremers

Feltz³

et al. 2016

Int. J. Inf. Secur.

View full text Add to dashboard Cite

show abstract

“…Yet attacks reported in [13] and [14] show that in both protocols, an attacker is able to disclose the user's private key. In the second requirement 5 , we use "full" to distinguish it from the "half" forward secrecy, which only allows one user's private key to be revealed (e.g., KEA+ [9]). In the past literature it is common to add "perfect" before "forward secrecy" [7], [9], [11].…”

Section: Security Analysismentioning

confidence: 99%

“…In the second requirement 5 , we use "full" to distinguish it from the "half" forward secrecy, which only allows one user's private key to be revealed (e.g., KEA+ [9]). In the past literature it is common to add "perfect" before "forward secrecy" [7], [9], [11]. However, we drop "perfect" here because it has no concrete meaning [10], [20].…”

Section: Security Analysismentioning

confidence: 99%

On robust key agreement based on public key authentication

Hao

2012

Security Comm. Networks

View full text Add to dashboard Cite

Abstract-This paper discusses public-key authenticated key agreement protocols. First, we critically analyze several authenticated key agreement protocols and uncover various theoretical and practical flaws. In particular, we present two new attacks on the HMQV protocol, which is currently being standardized by IEEE P1363. The first attack presents a counterexample to invalidate the basic authentication in HMQV. The second attack is applicable to almost all past schemes, despite that many of them have formal security proofs. These attacks highlight the difficulty to design a crypto protocol correctly and suggest the caution one should always take.We further point out that many of the design errors are caused by sidestepping an important engineering principle, namely "Do not assume that a message you receive has a particular form (such as g r for known r) unless you can check this". Constructions in the past generally resisted this principle on the grounds of efficiency: checking the knowledge of the exponent is commonly seen as too expensive. In a concrete example, we demonstrate how to effectively integrate the zero-knowledge proof primitive into the protocol design and meanwhile achieve good efficiency. Our new key agreement protocol, YAK, has comparable computational efficiency to the MQV and HMQV protocols with clear advantages on security. Among all the related techniques, our protocol appears to be the simplest so far. We believe simplicity is also an important engineering principle.

show abstract

“…NAXOS builds on earlier ideas from the KEA and KEA+ protocols [15,16]. The purpose of the NAXOS protocol is to establish a shared symmetric key between two parties.…”

Section: H1 H2mentioning

confidence: 99%

“…In [16], the KEA+ protocol is proven correct in the CK model from [5]. KEA+ can be viewed as a predecessor of the NAXOS protocol, and uses a similar setup.…”

Section: The Kea Kea+ and Kea+c Protocolsmentioning

confidence: 99%

Session-state Reveal Is Stronger Than Ephemeral Key Reveal: Attacking the NAXOS Authenticated Key Exchange Protocol

Cremers

2009

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In the paper "Stronger Security of Authenticated Key Exchange" [1,2], a new security model for authenticated key exchange protocols (eCK) is proposed. The new model is suggested to be at least as strong as previous models for key exchange protocols. The model includes a new notion of an Ephemeral Key Reveal adversary query, which is claimed in e. g. [2][3][4]] to be at least as strong as the Session-state Reveal query. We show that Session-state Reveal is stronger than Ephemeral Key Reveal, implying that the eCK security model is incomparable to the CK model [5,6]. In particular we show that the proposed NAXOS protocol from [1, 2] does not meet its security requirements if the Session-state Reveal query is allowed in the eCK model. We discuss the implications of our result for some related protocols proven correct in the eCK model, and discuss the interaction between Session-state Reveal and protocol transformations.Keywords. Provably-secure, Authenticated Key Exchange, Session-state reveal, Ephemeral Key reveal. IntroductionIn the area of secure key agreement protocols many security models [1,5,[7][8][9][10] and protocols have been proposed. Many of the proposed protocols have been shown to be correct in some particular security model, but have also shown to be incorrect in others. In order to determine the exact properties that are required from such protocols, a single unified security model would be desirable. However, given the recent works such as [8], it seems that a single model is still not agreed upon.In this paper we focus on a specific aspect of security models for key agreement protocols. In particular, we focus on the ability of the adversary to learn the local state of an agent. For example, when an agent chooses a random value, or computes the hash function of a certain input, the constituents of the computation reside temporarily in the local memory of the agent. It may be possible for the adversary to learn such information, even though he cannot learn the longterm private keys of the agent. This corresponds to the situation in which the long-term private keys reside in e. g. a tamper-proof module (TPM) or cryptographic coprocessor, while the remainder of the protocol computations are done in regular (unprotected) memory. The corresponding adversary ability is captured in security models for key agreement protocols by the Session-state Reveal query.A drawback of the Session-state Reveal query in current security models is that the query is often underspecified. For example, in the Canetti-Krawczyk (CK) model [5], Session-state Reveal is defined as giving the adversary the internal state of the Turing machine that executes the protocol. This internal state is not defined within the security model. Effectively, the definition of the internal state is postponed to the proof of a particular protocol.In [1,2] a security model is proposed which is said to be stronger than existing AKE (Authenticated Key Exchange) security models. The model is based on the CK model, and is referred to in [1]...

show abstract

Security Analysis of KEA Authenticated Key Exchange Protocol

Cited by 65 publications

References 15 publications

ASICS: authenticated key exchange security incorporating certification systems

ASICS: authenticated key exchange security incorporating certification systems

On robust key agreement based on public key authentication

Session-state Reveal Is Stronger Than Ephemeral Key Reveal: Attacking the NAXOS Authenticated Key Exchange Protocol

Contact Info

Product

Resources

About