Authenticated key exchange secure against dictionary attacks (2000)

by M. Bellare, D. Pointcheval, P. Rogaway

Citing documents, results 1 - 10 of 402

Provably Authenticated Group Diffie-Hellman Key Exchange

by Emmanuel Bresson, Olivier Chevassut, David Pointcheval, J.-J. Quisquater , 2001
Abstract - Cited by 135 (16 self)
Group Diffie-Hellman protocols for Authenticated Key Exchange (AKE) are designed to provide a pool of players with a shared secret key which may later be used, for example, to achieve multicast message integrity. Over the years, several schemes have been offered. However, no formal treatment for this cryptographic problem has ever been suggested. In this paper, we present a security model for this problem and use it to precisely define AKE (with "implicit" authentication) as the fundamental goal, and the entity-authentication goal as well. We then define in this model the execution of an authenticated group Diffie-Hellman scheme and prove its security.

Citation Context

...ted Diffie-Hellman key exchange. In this model, player instances are modeled as oracles available to the adversary and attacks are modeled by oracle queries. Recently, Bellare, Pointcheval and Rogaway [5] refined this model to use session IDs as an approach to define the partnering. They also extended the model to include forward-secrecy, allow password authentication and deal with dictionary attacks....

Scalable Protocols for Authenticated Group Key Exchange

by Jonathan Katz, Moti Yung - Advances in Cryptology — Crypto 2003, LNCS
Abstract - Cited by 134 (2 self)
We consider the problem of authenticated group key exchange among n parties communicating over an insecure public network. A number of solutions to this problem have been proposed; however, all prior provably-secure solutions do not scale well and, in particular, require O(n) rounds. Our main contribution is the first scalable protocol for this problem along with a rigorous proof of security in the standard model under the DDH assumption; our protocol uses a constant number of rounds and requires only O(1) “full” modular exponentiations per user. Toward this goal (and adapting work of Bellare, Canetti, and Krawczyk), we first present an efficient compiler that transforms any group key-exchange protocol secure against a passive eavesdropper to an authenticated protocol which is secure against an active adversary who controls all communication in the network. This compiler adds only one round and O(1) communication (per user) to the original scheme. We then prove secure — against a passive adversary — a variant of the two-round group key-exchange protocol of Burmester and Desmedt. Applying our compiler to this protocol results in a provably-secure three-round protocol for authenticated group key exchange which also achieves forward secrecy.

Citation Context

...e-conferencing, and also for collaborative (peer-to-peer) applications which are likely to involve a large number of users. The recent foundational papers of Bresson, et al. [16, 14, 15] (building on [9, 10, 7]) were the first to present a formal model of security for group AKE and the first to give rigorous proofs of security for particular protocols. These represent an important initial step, yet much wor...

Secure communications over insecure channels based on short authenticated strings

by Serge Vaudenay - In Advances in Cryptology (CRYPTO), 2005
Abstract - Cited by 117 (2 self)
We propose a way to establish peer-to-peer authenticated communications over an insecure channel by using an extra channel which can authenticate very short strings, e.g. 15 bits. We call this SAS-based authentication as for authentication based on Short Authenticated Strings. The extra channel uses a weak notion of authentication in which strings cannot be forged nor modified, but whose delivery can be maliciously stalled, canceled, or replayed. Our protocol is optimal and relies on an extractable or equivocable commitment scheme. This approach offers an alternative (or complement) to public-key infrastructures, since we no longer need any central authority, and to password-based authenticated key exchange, since we no longer need to establish a confidential password. It can be used to establish secure associations in ad-hoc networks. Applications could be the authentication of a public key (e.g. for SSH or PGP) by users over the telephone, the user-aided pairing of wireless (e.g. Bluetooth) devices, or the restore of secure associations in a disaster case, namely when one remote peer had his long-term keys corrupted.

Citation Context

...other major step was the notion of password-based authenticated key agreement which was first proposed by Bellovin and Merritt [8,9] and whose security was proven by Bellare, Pointcheval, and Rogaway [5] in the random oracle model. Another protocol, provably secure in the standard model, was proposed by Katz, Ostrovsky, and Yung [29]. Here, we assume that a private and authenticated short password wa...

Efficient Password-Authenticated Key Exchange using Human-Memorable Passwords

by Jonathan Katz, Rafail Ostrovsky, Moti Yung , 2001
Abstract - Cited by 114 (12 self)
There has been much interest in password-authenticated key-exchange protocols which remain secure even when users choose passwords from a very small space of possible passwords (say, a dictionary of English words). Under this assumption, one must be careful to design protocols which cannot be broken using off-line dictionary attacks in which an adversary enumerates all possible passwords in an attempt to determine the correct one. Many heuristic protocols have been proposed to solve this important problem. Only recently have formal validations of security (namely, proofs in the idealized random oracle and ideal cipher models) been given for specific constructions [3, 10, 22]. Very recently, a construction based on general assumptions, secure in the standard model with human-memorable passwords, has been proposed by Goldreich and Lindell [17]. Their protocol requires no public parameters; unfortunately, it requires techniques from general multi-party computation which make it impractical. Thus, [17] only proves that solutions are possible “in principal”. The main question left open by their work was finding an efficient solution to this fundamental problem. We show an efficient, 3-round, password-authenticated key exchange protocol with human-memorable passwords which is provably secure under the Decisional Diffie-Hellman assumption, yet requires only (roughly) 8 times more computation than “standard” Diffie-Hellman key exchange [14] (which provides no authentication at all). We assume public parameters available to all parties. We stress that we work in the standard model only, and do not require a “random oracle” assumption.

Stronger Security of Authenticated Key Exchange

by Brian LaMacchia, Kristin Lauter, Anton Mityagin - In Provable Security: First International Conference, ProvSec 2007, volume 4784 of LNCS, 2007
Abstract - Cited by 110 (0 self)
Recent work by Krawczyk [10] and Menezes [14] has highlighted the importance of understanding well the guarantees and limitations of formal security models when using them to prove the security of protocols. In this paper we focus on security models for authenticated key exchange (AKE) protocols. We observe that there are several classes of attacks on AKE protocols that lie outside the scope of the Canetti-Krawczyk model. Some of these additional attacks have already been considered by Krawczyk [10]. In an attempt to bring these attacks within the scope of the security model we extend the Canetti-Krawczyk model for AKE security by providing significantly greater powers to the adversary. Our contribution is a more compact, integrated, and comprehensive formulation of the security model. We then introduce a new AKE protocol called NAXOS and prove that it is secure against these stronger adversaries.

Citation Context

...yk model The Canetti-Krawczyk security model is among a family of security models for authenticated key exchange that includes those of Bellare and Rogaway [3, 5] and Bellare, Pointcheval and Rogaway [2]. We refer the reader to Choo et al. [8] for a concise summary of the differences among these various models. We give a high-level overview of the Canetti-Krawczyk model and introduce some notation wh...

Soundness of formal encryption in the presence of active adversaries

by Daniele Micciancio, Bogdan Warinschi - In Proc. 1st Theory of Cryptography Conference (TCC), volume 2951 of LNCS , 2004
Abstract - Cited by 97 (11 self)
We present a general method to prove security properties of cryptographic protocols against active adversaries, when the messages exchanged by the honest parties are arbitrary expressions built using encryption and concatenation operations. The method allows to express security properties and carry out proofs using a simple logic based language, where messages are represented by syntactic expressions, and does not require dealing with probability distributions or asymptotic notation explicitly. Still, we show that the method is sound, meaning that logic statements can be naturally interpreted in the computational setting in such a way that if a statement holds true for any abstract (symbolic) execution of the protocol in the presence of a Dolev-Yao adversary, then its computational interpretation is also correct in the standard computational model where the adversary is an arbitrary probabilistic polynomial time program. This is the first paper providing a simple framework for translating security proofs from the logic setting to the standard computational setting for the case of powerful active adversaries that have total control of the communication network.

Citation Context

...bit-strings is exactly the execution model used in most computational works about cryptographic protocols, e.g., the treatment of mutual authentication protocols by Bellare, Pointcheval and Rogaway [7, 8, 6]. Our main technical result shows that there is a close correspondence between abstract executions of the protocol in the presence of a Dolev-Yao adversary, and the execution of the implementation of ...

Session-Key Generation using Human Passwords Only

by Oded Goldreich, Yehuda Lindell , 2001
Abstract - Cited by 93 (8 self)
We present session-key generation protocols in a model where the legitimate parties share only a human-memorizable password. The security guarantee holds with respect to probabilistic polynomial-time adversaries that control the communication channel (between the parties), and may omit, insert and modify messages at their choice. Loosely speaking, the effect of such an adversary that attacks an execution of our protocol is comparable to an attack in which an adversary is only allowed to make a constant number of queries of the form “is w the password of Party A”. We stress that the result holds also in case the passwords are selected at random from a small dictionary so that it is feasible (for the adversary) to scan the entire directory. We note that prior to our result, it was not clear whether or not such protocols were attainable without the use of random oracles or additional setup assumptions.

GQ and Schnorr identification schemes: Proofs of security against impersonation under active and concurrent attacks

by Mihir Bellare, Adriana Palacio , 2002
Abstract - Cited by 89 (9 self)
The Guillou-Quisquater (GQ) and Schnorr identification schemes are amongst the most efficient and best-known Fiat-Shamir follow-ons, but the question of whether they can be proven secure against impersonation under active attack has remained open. This paper provides such a proof for GQ based on the assumed security of RSA under one more inversion, an extension of the usual one-wayness assumption that was introduced in [5]. It also provides such a proof for the Schnorr scheme based on a corresponding discrete-log related assumption. These are the first security proofs for these schemes under assumptions related to the underlying one-way functions. Both results extend to establish security against impersonation under concurrent attack.

Citation Context

...teracting with the verifier in an attempt to make the latter accept. With this, one moves into the domain of authenticated key-exchange protocols which is definitionally more complex (see for example [9, 8, 30, 11]) and where identification without an associated exchange of a session-key is of little practical value. 3 Reset lemma We refer to a three-move protocol of the form depicted in Figure 1 as canonical. ...

Secure remote authentication using biometric data

by Xavier Boyen, Yevgeniy Dodis, Jonathan Katz, Rafail Ostrovsky, Adam Smith - In EUROCRYPT , 2005
Abstract - Cited by 86 (13 self)
We show two efficient techniques enabling the use of biometric data to achieve mutual authentication or authenticated key exchange over a completely insecure (i.e., adversarially controlled) channel. In addition to achieving stronger security guarantees than the work of Boyen, we improve upon his solution in a number of other respects: we tolerate a broader class of errors and, in one case, improve upon the parameters of his solution and give a proof of security in the standard model.

1 Using Biometric Data for Secure Authentication. Biometric data, as a potential source of high-entropy, secret information, have been suggested as a way to enable strong, cryptographically-secure authentication of human users without requiring them to remember or store traditional cryptographic keys. Before such data can be used in existing cryptographic protocols, however, two issues must be addressed: first, biometric data are not uniformly distributed and hence do not offer provable security guarantees if used

Citation Context

... on earlier sketch and fuzzy extractor constructions over any such space (e.g., those constructed in [9] for a variety of metrics). A probability space (Ω, P) is a finite set Ω and a function P : Ω → [0, 1] such that ∑_{ω∈Ω} P(ω) = 1. A random variable W defined over the probability space (Ω, P) and taking values in a set M is a function W : Ω → M. If (Ω, P) is a probability space over which two random va...

A Framework for Password-Based Authenticated Key Exchange

by Rosario Gennaro, Yehuda Lindell - in Cryptology — Eurocrypt 2003, LNCS , 2003
Abstract - Cited by 81 (2 self)
In this paper we present a general framework for password-based authenticated key exchange protocols, in the common reference string model. Our protocol is actually an abstraction of the key exchange protocol of Katz et al. and is based on the recently introduced notion of smooth projective hashing by Cramer and Shoup. We gain a number of benefits from this abstraction. First, we obtain a modular protocol that can be described using just three high-level cryptographic tools. This allows a simple and intuitive understanding of its security.

Citation Context

... work was borne out of an abstraction of the KOY protocol. We note that password-based authenticated key-exchange protocols in the password only setting have been presented in the random oracle model [1, 6]. In this model, all parties are assumed to have oracle access to a totally random (universal) function [2]. The common interpretation of such results is that security is likely to hold even if the ra...

Developed at and hosted by The College of Information Sciences and Technology

© 2007-2019 The Pennsylvania State University