Results 1-10 of 66
Analysis of key-exchange protocols and their use for building secure channels, 2001
Cited by 274 (16 self)
Abstract. We present a formalism for the analysis of key-exchange protocols that combines previous definitional approaches and results in a definition of security that enjoys some important analytical benefits: (i) any key-exchange protocol that satisfies the security definition can be composed with symmetric encryption and authentication functions to provide provably secure communication channels (as defined here); and (ii) the definition allows for simple modular proofs of security: one can design and prove security of key-exchange protocols in an idealized model where the communication links are perfectly authenticated, and then translate them using general tools to obtain security in the realistic setting of adversary-controlled links. We exemplify the usability of our results by applying them to obtain the proof of two classes of key-exchange protocols, Diffie-Hellman and key-transport, authenticated via symmetric or asymmetric techniques.
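The composition the abstract refers to in point (i), written out as an added example that is not code from the paper: the session key produced by a key exchange is run through a KDF into separate encryption and MAC keys for each direction, and every record is encrypt-then-MAC'ed together with its sequence number, so tampering, replay and reflection are all detected. HKDF follows RFC 5869; the cipher is an illustrative HMAC-SHA256 counter-mode keystream, not a standard cipher, chosen only so that the example runs on the Python standard library; the session key, transcript hash and the label `b"ck-channel v1"` are constructed stand-ins for a real key-exchange run.

```python
"""Secure channel on top of a key-exchange session key.

Added example, not code from the paper. It follows the composition the
abstract describes: the key-exchange output goes through a KDF into separate
encryption and MAC keys for each direction, and every record is
encrypt-then-MAC'ed together with its sequence number, so tampering, replay
and reflection are detected. HKDF is per RFC 5869; the "cipher" is an
illustrative HMAC-SHA256 counter-mode keystream (not a standard cipher), used
only so the example runs on the Python standard library. The session key and
transcript hash below are constructed stand-ins for a real key-exchange run.
"""
import hashlib
import hmac


def hkdf_sha256(ikm, salt, info, length):
    """RFC 5869 HKDF (extract, then expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class ChannelEnd:
    """One endpoint. Four keys are derived; which pair is used for sending
    depends on whether this end was the initiator of the key exchange."""

    TAG_LEN = 32
    SEQ_LEN = 8

    def __init__(self, session_key, transcript_hash, initiator):
        km = hkdf_sha256(session_key, transcript_hash, b"ck-channel v1", 128)
        i2r_enc, i2r_mac, r2i_enc, r2i_mac = (km[i:i + 32] for i in range(0, 128, 32))
        if initiator:
            self.send_keys, self.recv_keys = (i2r_enc, i2r_mac), (r2i_enc, r2i_mac)
        else:
            self.send_keys, self.recv_keys = (r2i_enc, r2i_mac), (i2r_enc, i2r_mac)
        self.send_seq = 0      # next sequence number to emit
        self.recv_seq = 0      # next sequence number expected

    @staticmethod
    def _keystream(k_enc, seq, length):
        # Counter-mode keystream: block i = HMAC(k_enc, seq || i). Illustrative only.
        out = b""
        for i in range((length + 31) // 32):
            out += hmac.new(k_enc, seq.to_bytes(8, "big") + i.to_bytes(4, "big"), hashlib.sha256).digest()
        return out[:length]

    def send(self, plaintext):
        k_enc, k_mac = self.send_keys
        seq, self.send_seq = self.send_seq, self.send_seq + 1
        header = seq.to_bytes(self.SEQ_LEN, "big")
        ct = bytes(x ^ k for x, k in zip(plaintext, self._keystream(k_enc, seq, len(plaintext))))
        tag = hmac.new(k_mac, header + ct, hashlib.sha256).digest()   # encrypt-then-MAC
        return header + ct + tag

    def recv(self, record):
        k_enc, k_mac = self.recv_keys
        if len(record) < self.SEQ_LEN + self.TAG_LEN:
            raise ValueError("record too short")
        header, ct, tag = record[:self.SEQ_LEN], record[self.SEQ_LEN:-self.TAG_LEN], record[-self.TAG_LEN:]
        # Verify before decrypting; the MAC key is directional, so a record
        # reflected back to its sender fails here.
        if not hmac.compare_digest(tag, hmac.new(k_mac, header + ct, hashlib.sha256).digest()):
            raise ValueError("bad MAC")
        seq = int.from_bytes(header, "big")
        if seq != self.recv_seq:
            raise ValueError("replayed or reordered record")
        self.recv_seq += 1
        return bytes(x ^ k for x, k in zip(ct, self._keystream(k_enc, seq, len(ct))))


def _rejects(end, record):
    try:
        end.recv(record)
    except ValueError:
        return True
    return False


def demo():
    """Returns (delivered, replay_rejected, tamper_rejected, reflection_rejected, still_working)."""
    session_key = hashlib.sha256(b"constructed session key").digest()       # stand-in for the KE output
    transcript = hashlib.sha256(b"constructed KE transcript").digest()      # stand-in for the transcript hash
    alice = ChannelEnd(session_key, transcript, initiator=True)
    bob = ChannelEnd(session_key, transcript, initiator=False)

    rec = alice.send(b"transfer 100 to bob")
    delivered = bob.recv(rec) == b"transfer 100 to bob"
    replay_rejected = _rejects(bob, rec)                                   # same record a second time
    tampered = rec[:8] + bytes([rec[8] ^ 0x01]) + rec[9:]                  # flip one ciphertext bit
    tamper_rejected = _rejects(bob, tampered)
    reflection_rejected = _rejects(alice, rec)                             # record bounced back to its sender
    still_working = bob.recv(alice.send(b"ack")) == b"ack"
    return delivered, replay_rejected, tamper_rejected, reflection_rejected, still_working
```

The design choices are the ones the secure-channel definition forces: distinct keys for encryption and authentication, distinct keys per direction (so a reflected record fails its MAC rather than decrypting), and a strictly increasing sequence number under the MAC (so a replayed record is refused even though its MAC is valid). In production the keystream would be a real AEAD such as AES-GCM or ChaCha20-Poly1305; the composition around it stays the same.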
The Elliptic Curve Digital Signature Algorithm (ECDSA), 1999
Cited by 107 (5 self)
The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the Digital Signature Algorithm (DSA). It was accepted in 1999 as an ANSI standard, and was accepted in 2000 as IEEE and NIST standards. It was also accepted in 1998 as an ISO standard, and is under consideration for inclusion in some other ISO standards. Unlike the ordinary discrete logarithm problem and the integer factorization problem, no sub-exponential-time algorithm is known for the elliptic curve discrete logarithm problem. For this reason, the strength-per-key-bit is substantially greater in an algorithm that uses elliptic curves. This paper describes the ANSI X9.62 ECDSA, and discusses related security, implementation, and interoperability issues. Keywords: Signature schemes, elliptic curve cryptography, DSA, ECDSA.
Authenticated Group Key Agreement and Friends, 1998
Cited by 88 (6 self)
Many modern computing environments involve dynamic peer groups. Distributed simulation, multi-user games, conferencing and replicated servers are just a few examples. Given the openness of today's networks, communication among group members must be secure and, at the same time, efficient. This paper studies the problem of authenticated key agreement in dynamic peer groups with the emphasis on efficient and provably secure key authentication, key confirmation and integrity. It begins by considering 2-party authenticated key agreement and extends the results to Group Diffie-Hellman key agreement. In the process, some new security properties (unique to groups) are discussed.
1 Introduction
This paper is concerned with security services in the context of dynamic peer groups (DPGs). Such groups are common in many network protocol layers and in many areas of modern computing, and the solutions to their security needs, in particular key management, are still open research challenges [19]. Exa...
Authenticated Diffie-Hellman Key Agreement Protocols, 1998
Cited by 70 (1 self)
This paper surveys recent work on the design and analysis of key agreement protocols that are based on the intractability of the Diffie-Hellman problem. The focus is on protocols that have been standardized, or are in the process of being standardized, by organizations such as ANSI, IEEE, ISO/IEC, and NIST. The practical and provable security aspects of these protocols are discussed.
Unknown Key-Share Attacks on the Station-To-Station (STS) Protocol, 1999
Cited by 47 (4 self)
Abstract. This paper presents some new unknown key-share attacks on STS-MAC, the version of the STS key agreement protocol which uses a MAC algorithm to provide key confirmation. Various methods are considered for preventing the attacks.
Identity-based Key Agreement Protocols from Pairings, 2006
Cited by 44 (5 self)
In recent years, a large number of identity-based key agreement protocols from pairings have been proposed. Some of them are elegant and practical. However, the security of this type of protocols has been surprisingly hard to prove. The main issue is that a simulator is not able to deal with reveal queries, because it requires solving either a computational problem or a decisional problem, both of which are generally believed to be hard (i.e., computationally infeasible). The best solution of security proof published so far uses the gap assumption, which means assuming that the existence of a decisional oracle does not change the hardness of the corresponding computational problem. The disadvantage of using this solution to prove the security for this type of protocols is that such decisional oracles, on which the security proof relies, cannot be performed by any polynomial time algorithm in the real world, because of the hardness of the decisional problem. In this paper we present a method incorporating a built-in decisional function in this type of protocols.
Tripartite Authenticated Key Agreement Protocols from Pairings, 2002
Cited by 37 (1 self)
Joux's protocol [29] is a one round, tripartite key agreement protocol that is more bandwidth-efficient than any previous three-party key agreement protocol. But it is insecure, suffering from a simple man-in-the-middle attack. This paper shows how to make Joux's protocol secure, presenting several tripartite, authenticated key agreement protocols that still require only one round of communication and no signature computations. A pass-optimal authenticated and key confirmed tripartite protocol that generalises the station-to-station protocol is also presented. The security properties of the new protocols are studied using provable security methods and heuristic approaches. Applications for the protocols are also discussed.
Secure Password-Based Cipher Suite for TLS, Proceedings of Network and Distributed Systems Security Symposium, 2001
Cited by 26 (1 self)
SSL is the de facto standard today for securing end-to-end transport on the Internet. While the protocol itself seems rather secure, there are a number of risks that lurk in its use, e.g., in web banking. However, the adoption of password-based key-exchange protocols can overcome some of these problems. We propose the integration of such a protocol (DH-EKE) in the TLS protocol, the standardization of SSL by IETF. The resulting protocol provides secure mutual authentication and key establishment over an insecure channel. It does not have to resort to a PKI or keys and certificates stored on the user's computer. Additionally, its integration in TLS is as minimal and non-intrusive as possible.
Authentication and Key Agreement via Memorable Password, 2001
Cited by 26 (6 self)
This paper presents a new password authentication and key agreement protocol called AMP in a provable manner. The intrinsic problem with password authentication is that a password, associated with each user, has low entropy, so that (1) the password is hard to transmit securely over an insecure channel and (2) the password file is hard to protect. Our solution to this complex problem is the amplified password proof idea along with the amplified password file. A party commits the high entropy information and amplifies her password with that information in the amplified password proof. She never shows any information except that she knows it for her proof. Our amplified password proof idea is similar to the zero-knowledge proof in that sense. A server stores amplified verifiers in the amplified password file that is secure against a server file compromise and a dictionary attack. AMP mainly provides the password-verifier based authentication and the Diffie-Hellman based key agreement, securely and efficiently. AMP is simple and actually the most efficient protocol among the related protocols.
Secure Hashed Diffie-Hellman over Non-DDH Groups, 2004
Cited by 22 (3 self)
We show that in applications that use the Diffie-Hellman (DH) transform but take care of hashing the DH output (as required, for example, for secure DH-based encryption and key exchange) the usual requirement to work over a DDH group (i.e., a group in which the Decisional Diffie-Hellman assumption holds) can be relaxed to only requiring that the DH group contains a large enough DDH subgroup. In particular, this implies the security of (hashed) Diffie-Hellman over non-prime order groups such as Z*_p. Moreover, our results show that one can work directly over Z*_p without requiring any knowledge of the prime factorization of p-1 and without even having to find a generator of Z*_p. These results are obtained via a general characterization of DDH groups in terms of their DDH subgroups, and a relaxation (called t-DDH) of the DDH assumption via computational entropy. We also show that, under the short-exponent discrete-log assumption, the security of the hashed Diffie-Hellman transform is preserved when replacing full exponents with short exponents.
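Why the unhashed DH value over Z*_p is not usable as a key, and what the hashed transform with short exponents looks like in practice, as an added example that is not code from the paper. The prime p is generated at random so that, as the abstract describes, the code never learns the factorization of p-1 and never checks that g is a generator; the distinguisher exploits the fact that g^ab mod p is a quadratic residue exactly when g^a or g^b is, which is the standard reason DDH fails in Z*_p. All parameters (256-bit p, 160-bit exponents, SHA-256 as the hash) are constructed toy choices.

```python
"""Hashed Diffie-Hellman over Z*_p with short exponents.

Added example, not code from the paper. It illustrates the abstract's point
with a constructed toy setup: the raw DH value g^ab mod p over Z*_p leaks its
quadratic residuosity (so DDH is false there and an unhashed key is
distinguishable from random), while the hashed output H(g^ab) is what a
protocol should use as key material. The prime p is generated at random: the
code never factors p-1 and never checks whether g generates Z*_p.
"""
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases (trial division by small primes first)."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a is a witness: n is composite
    return True


def random_prime(bits):
    """Random prime of exactly `bits` bits; p-1 is left unfactored."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def is_quadratic_residue(a, p):
    """Euler's criterion: a is a square mod the odd prime p iff a^((p-1)/2) == 1."""
    return pow(a, (p - 1) // 2, p) == 1


def dh_share(p, g, exp_bits):
    """Short-exponent DH: private a with exp_bits bits, public g^a mod p."""
    a = secrets.randbelow((1 << exp_bits) - 1) + 1
    return a, pow(g, a, p)


def hashed_dh(p, peer_public, my_private):
    """The hashed DH transform: 32-byte key = SHA-256(g^ab mod p)."""
    shared = pow(peer_public, my_private, p)
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def qr_distinguisher(p, ga, gb, z):
    """True if (ga, gb, z) is consistent with z = g^ab mod p in Z*_p.

    g^ab is a square iff g^a or g^b is a square, so a genuine DH triple
    always passes while a uniformly random z fails about half the time.
    That is exactly why the DDH assumption does not hold in Z*_p.
    """
    expected = is_quadratic_residue(ga, p) or is_quadratic_residue(gb, p)
    return is_quadratic_residue(z, p) == expected


def demo(bits=256, exp_bits=160, trials=64):
    """Run the distinguisher against real and random DH values.

    Returns (p, real_triples_passing, random_values_failing)."""
    p = random_prime(bits)
    g = secrets.randbelow(p - 3) + 2              # any base in [2, p-2]; not checked to be a generator
    real_pass = random_fail = 0
    for _ in range(trials):
        a, ga = dh_share(p, g, exp_bits)
        b, gb = dh_share(p, g, exp_bits)
        assert hashed_dh(p, gb, a) == hashed_dh(p, ga, b)   # both sides derive the same key
        if qr_distinguisher(p, ga, gb, pow(g, a * b, p)):
            real_pass += 1
        if not qr_distinguisher(p, ga, gb, secrets.randbelow(p - 1) + 1):
            random_fail += 1
    return p, real_pass, random_fail


if __name__ == "__main__":
    p, ok, caught = demo()
    print(f"p has {p.bit_length()} bits; real triples passing: {ok}/64; random values caught: {caught}/64")
```

Every genuine triple passes the residuosity test and roughly half of the random values fail it, which is a concrete distinguisher against raw g^ab in Z*_p; the paper's result is that once the output is hashed this leak no longer matters, because the large DDH subgroup of Z*_p still supplies enough computational entropy for the hashed key. In a deployment one would use a standardized modulus and exponent length rather than the toy 256-bit p and 160-bit exponents here.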