Lecture Notes in Computer Science
DOI: 10.1007/978-3-540-75670-5_1
|View full text |Cite
|
Sign up to set email alerts
|

Stronger Security of Authenticated Key Exchange

Abstract: Abstract. Recent work by Krawczyk [12] and Menezes [16] has highlighted the importance of understanding well the guarantees and limitations of formal security models when using them to prove the security of protocols. In this paper we focus on security models for authenticated key exchange (AKE) protocols. We observe that there are several classes of attacks on AKE protocols that lie outside the scope of the Canetti-Krawczyk model. Some of these additional attacks have already been considered by Krawczyk [12]… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
3
1
1

Citation Types

3
528
1
4

Publication Types

Select...
3
3
2

Relationship

0
8

Authors

Journals

citations
Cited by 501 publications
(564 citation statements)
references
References 15 publications
3
528
1
4
Order By: Relevance
“…The CK model was used to demonstrate the security of many popular AKE protocols such as the ISO protocol [24,14], the SIGMA protocol [15,27], the HMQV protocol [26] and many more. Recently, LaMacchia et al [29] extended the CK model to a new model (referred to as eCK model). In their model, the adversary is allowed to compromise either the long-live keys or the ephemeral keys (the latter are related to the randomness) of the participants of a protocol session.…”
Section: Related Workmentioning
confidence: 99%
See 2 more Smart Citations
“…The CK model was used to demonstrate the security of many popular AKE protocols such as the ISO protocol [24,14], the SIGMA protocol [15,27], the HMQV protocol [26] and many more. Recently, LaMacchia et al [29] extended the CK model to a new model (referred to as eCK model). In their model, the adversary is allowed to compromise either the long-live keys or the ephemeral keys (the latter are related to the randomness) of the participants of a protocol session.…”
Section: Related Workmentioning
confidence: 99%
“…In their model, the adversary is allowed to compromise either the long-live keys or the ephemeral keys (the latter are related to the randomness) of the participants of a protocol session. There have been many discussions on the strength of the two (CK and eCK) models [29,33,11]. In [11], Boyd et al suggested that these two models are incomparable.…”
Section: Related Workmentioning
confidence: 99%
See 1 more Smart Citation
“…Still later, more fully specified session identifiers that capture similar information to that of BR (e.g. [9]) have been utilized. Due to the simplicity of matching conversations and the natural session-identifier format that they epitomize, they will be employed in this work to capture partnering between sessions.…”
Section: Matching Conversationsmentioning
confidence: 99%
“…On the other hand, the extensions proposed by Krawczyk assumed a weak corruption model in which the adversary is allowed to compromise only the long-term private key of a party by issuing corrupt query. Later, LaMacchia et al [27] extended the CK model and proposed a unified model (called eCK model) which captures most of the desired security properties of key establishment protocols. We now briefly review the eCK model using some well known notations from earlier models.…”
Section: Security Model For Authenticated Key Exchangementioning
confidence: 99%