A Proof of Revised Yahalom Protocol in the Bellare and Rogaway - Model. The Computer Journal, 1993
Abstract. Although the Yahalom protocol, proposed by Burrows, Abadi, and Needham in 1990, is one of the most prominent key establishment protocols analyzed by researchers from the computer security community (using automated proof tools), a simplified version of the protocol is only recently proven secure by Backes and Pfitzmann (2006) in their cryptographic library framework. We present a protocol for key establishment that is closely based on the Yahalom protocol. We then present a security proof in the Bellare and Rogaway (1993) model and the random oracle model. An extension to our proposed protocol results in an unusual feature, that is, the session key can be renewed for subsequent communication without the server’s involvement (i.e., re-authentication). We also observe that no partnering mechanism is specified within the Yahalom protocol. We then present a brief discussion on the role and the possible construct of session identifiers as a form of partnering mechanism, which allows the right session key to be identified in concurrent protocol executions. We then recommend that session identifiers should be included within protocol specification rather than consider session identifiers as artefacts in protocol proof.
Encrypted Key Exchange - ACM Operating Systems Review, 1995
In their recent paper, "Encrypted Key Exchange: Password-based Protocols Secure Against Dictionary Attacks," Bellovin and Merritt propose a novel and elegant method for safeguarding weak passwords. This paper discusses a possible weakness in the proposed protocol, develops some enhancements and simplifications, and provides a security analysis of the resultant minimal EKE protocol. In addition, the basic 2-party EKE model is extended to the 3-party setting; this yields a protocol with some interesting properties. Most importantly, this paper illustrates, once again, the subtlety associated with designing password-based protocols.
1 Introduction
The Encrypted Key Exchange paper [1] (hereafter referred to as simply EKE) presents a novel and elegant method of protecting weak secrets from dictionary attacks. It develops several protocol variants based on different underlying cryptosystems, e.g., RSA, El-Gamal, and Diffie-Hellman. The 'generic' version of EKE is illustrated in Figure 1. ...
KryptoKnight Protocol Cookbook, 1994
This paper describes the complete and up-to-date KryptoKnight protocol family that has been designed and implemented over the last five years at the IBM Research Division. The emphasis is on the new optimized protocol building blocks (earlier versions thereof have been published) and the novel inter-domain protocols. Since KryptoKnight also serves as the foundation for the IBM Network Security Program (NetSP), this paper also reports on the design of the actual working protocols. The central goal of the KryptoKnight project was the construction of fundamental network security functions -- authentication and key distribution -- in a minimal, flexible and scalable manner. Protocol minimality (in terms of resource usage) and flexibility (adaptability to different network connectivity scenarios) are not merely theoretical goals; they have clear advantages in environments where computational resources are limited and connectivity is restricted. KryptoKnight was aimed at such environments: s...

