Results 1  10
of
169
Provable Data Possession at Untrusted Stores
, 2007
"... We introduce a model for provable data possession (PDP) that allows a client that has stored data at an untrusted server to verify that the server possesses the original data without retrieving it. The model generates probabilistic proofs of possession by sampling random sets of blocks from the serv ..."
Abstract

Cited by 302 (9 self)
 Add to MetaCart
We introduce a model for provable data possession (PDP) that allows a client that has stored data at an untrusted server to verify that the server possesses the original data without retrieving it. The model generates probabilistic proofs of possession by sampling random sets of blocks from the server, which drastically reduces I/O costs. The client maintains a constant amount of metadata to verify the proof. The challenge/response protocol transmits a small, constant amount of data, which minimizes network communication. Thus, the PDP model for remote data checking supports large data sets in widelydistributed storage systems. We present two provablysecure PDP schemes that are more efficient than previous solutions, even when compared with schemes that achieve weaker guarantees. In particular, the overhead at the server is low (or even constant), as opposed to linear in the size of the data. Experiments using our implementation verify the practicality of PDP and reveal that the performance of PDP is bounded by disk I/O and not by cryptographic computation.
Stronger Security of Authenticated Key Exchange
 In Provable Security: First International Conference, ProvSec 2007, volume 4784 of LNCS
, 2007
"... Recent work by Krawczyk [10] and Menezes [14] has highlighted the importance of understanding well the guarantees and limitations of formal security models when using them to prove the security of protocols. In this paper we focus on security models for authenticated key exchange (AKE) protocols. W ..."
Abstract

Cited by 110 (0 self)
 Add to MetaCart
(Show Context)
Recent work by Krawczyk [10] and Menezes [14] has highlighted the importance of understanding well the guarantees and limitations of formal security models when using them to prove the security of protocols. In this paper we focus on security models for authenticated key exchange (AKE) protocols. We observe that there are several classes of attacks on AKE protocols that lie outside the scope of the CanettiKrawczyk model. Some of these additional attacks have already been considered by Krawczyk [10]. In an attempt to bring these attacks within the scope of the security model we extend the CanettiKrawczyk model for AKE security by providing significantly greater powers to the adversary. Our contribution is a more compact, integrated, and comprehensive formulation of the security model. We then introduce a new AKE protocol called NAXOS and prove that it is secure against these stronger adversaries. 1
Efficient identitybased and authenticated key agreement protocol. Cryptology ePrint Archive, Report 2005/108
, 2005
"... Several identity based and authenticated key agreement protocols have been proposed in recent years and all of them have been shown to be nonsecure. It remains an open question to design secure identity based and authenticated key agreement protocols. In this paper, we propose an efficient identity ..."
Abstract

Cited by 38 (3 self)
 Add to MetaCart
(Show Context)
Several identity based and authenticated key agreement protocols have been proposed in recent years and all of them have been shown to be nonsecure. It remains an open question to design secure identity based and authenticated key agreement protocols. In this paper, we propose an efficient identitybased and authenticated key agreement protocol IDAK using Weil/Tate pairing. A security model for identity based key agreement protocol is established and the security properties of IDAK are proved in this model with random oracle. In particular, it is shown that the IDAK protocol possesses all characteristics that a secure key agreement should have. 1
Cryptographic Extraction and Key Derivation: The HKDF Scheme
 Proceedings of CRYPTO 2010
"... In spite of the central role of key derivation functions (KDF) in applied cryptography, there has been little formal work addressing the design and analysis of general multipurpose KDFs. In practice, most KDFs (including those widely standardized) follow adhoc approaches that treat cryptographic h ..."
Abstract

Cited by 34 (4 self)
 Add to MetaCart
(Show Context)
In spite of the central role of key derivation functions (KDF) in applied cryptography, there has been little formal work addressing the design and analysis of general multipurpose KDFs. In practice, most KDFs (including those widely standardized) follow adhoc approaches that treat cryptographic hash functions as perfectly random functions. In this paper we close some gaps between theory and practice by contributing to the study and engineering of KDFs in several ways. We provide detailed rationale for the design of KDFs based on the extractthenexpand approach; we present the first general and rigorous definition of KDFs and their security which we base on the notion of computational extractors; we specify a concrete fully practical KDF based on the HMAC construction; and we provide an analysis of this construction based on the extraction and pseudorandom properties of HMAC. The resultant KDF design can support a large variety of KDF applications under suitable assumptions on the underlying hash function; particular attention and effort is devoted to minimizing these assumptions as much as possible for each usage scenario. Beyond the theoretical interest in modeling KDFs, this work is intended to address two
On the Security of TLSDHE in the Standard Model
, 2013
"... TLS is the most important cryptographic protocol in use today. However, up to now there is no complete cryptographic security proof in the standard model, nor in any other model. We give the first such proof for the core cryptographic protocol of TLS ciphersuites based on ephemeral DiffieHellman ke ..."
Abstract

Cited by 32 (6 self)
 Add to MetaCart
TLS is the most important cryptographic protocol in use today. However, up to now there is no complete cryptographic security proof in the standard model, nor in any other model. We give the first such proof for the core cryptographic protocol of TLS ciphersuites based on ephemeral DiffieHellman key exchange (TLSDHE), which include the cipher suite TLS DHE DSS WITH 3DES EDE CBC SHA mandatory in TLS 1.0 and TLS 1.1. It is impossible to prove security of the TLS Handshake in any classical keyindistinguishabilitybased security model (like e.g. the BellareRogaway or the CanettiKrawczyk model), due to subtle issues with the encryption of the final Finished messages of the TLS Handshake. Therefore we start with proving the security of a truncated version of the TLS Handshake protocol, which has also been considered in previous work on TLS. Then we define the notion of authenticated and confidential channel establishment (ACCE) as a new security model which captures precisely the security properties expected from TLS in practice, and show that the combination of the TLS Handshake protocol with the TLS Record Layer can be proven secure
Another Look at HMQV
 IACR Eprint archive
, 2005
"... Abstract. The HMQV protocols are ‘hashed variants ’ of the MQV key agreement protocols. They were introduced at CRYPTO 2005 by Krawczyk, who claimed that the HMQV protocols have very significant advantages over their MQV counterparts: (i) security proofs under reasonable assumptions in the (extended ..."
Abstract

Cited by 31 (1 self)
 Add to MetaCart
(Show Context)
Abstract. The HMQV protocols are ‘hashed variants ’ of the MQV key agreement protocols. They were introduced at CRYPTO 2005 by Krawczyk, who claimed that the HMQV protocols have very significant advantages over their MQV counterparts: (i) security proofs under reasonable assumptions in the (extended) CanettiKrawczyk model for key exchange; and (ii) superior performance in some situations. In this paper we demonstrate that the HMQV protocols are insecure by presenting realistic attacks in the CanettiKrawczyk model that recover a victim’s static private key. We propose HMQV1, patched versions of the HMQV protocols that resists our attacks (but do not have any performance advantages over MQV). We also identify some fallacies in the security proofs for HMQV, critique the security model, and raise some questions about the assurances that proofs in this model can provide. 1.
Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS
, 2009
"... LaMacchia, Lauter and Mityagin recently presented a strong security definition for authenticated key agreement strengthening the wellknown CanettiKrawczyk definition. They also described a protocol, called NAXOS, that enjoys a simple security proof in the new model. Compared to MQV and HMQV, NAXOS ..."
Abstract

Cited by 31 (4 self)
 Add to MetaCart
(Show Context)
LaMacchia, Lauter and Mityagin recently presented a strong security definition for authenticated key agreement strengthening the wellknown CanettiKrawczyk definition. They also described a protocol, called NAXOS, that enjoys a simple security proof in the new model. Compared to MQV and HMQV, NAXOS is less efficient and cannot be readily modified to obtain a onepass protocol. On the other hand MQV does not have a security proof, and the HMQV security proof is extremely complicated. This paper proposes a new authenticated key agreement protocol, called CMQV (‘Combined’ MQV), which incorporates design principles from MQV, HMQV and NAXOS. The new protocol achieves the efficiency of HMQV and admits a natural onepass variant. Moreover, we present a relatively simple and intuitive proof that CMQV is secure in the
Remote Data Checking Using Provable Data Possession
, 2011
"... We introduce a model for provable data possession (PDP) that can be used for remote data checking: A client that has stored data at an untrusted server can verify that the server possesses the original data without retrieving it. The model generates probabilistic proofs of possession by sampling ran ..."
Abstract

Cited by 30 (2 self)
 Add to MetaCart
We introduce a model for provable data possession (PDP) that can be used for remote data checking: A client that has stored data at an untrusted server can verify that the server possesses the original data without retrieving it. The model generates probabilistic proofs of possession by sampling random sets of blocks from the server, which drastically reduces I/O costs. The client maintains a constant amount of metadata to verify the proof. The challenge/response protocol transmits a small, constant amount of data, which minimizes network communication. Thus, the PDP model for remote data checking is lightweight and supports large data sets in distributed storage systems. The model is also robust in that it incorporates mechanisms for mitigating arbitrary amounts of data corruption. We present two provablysecure PDP schemes that are more efficient than previous solutions. In particular, the overhead at the server is low (or even constant), as opposed to linear in the size of the data. We then propose a generic transformation that adds robustness to any remote data checking scheme based on spot checking. Experiments using our implementation verify the practicality of PDP and reveal that the performance of PDP is bounded by disk I/O and not by cryptographic computation. Finally, we conduct an indepth experimental evaluation to study the tradeoffs in performance, security, and space overheads when
Security analysis of KEA authenticated key exchange protocol
 In PKC 2006, volume 3958 of LNCS
, 2006
"... Abstract. KEA is a DiffieHellman based keyexchange protocol developed by NSA which provides mutual authentication for the parties. It became publicly available in 1998 and since then it was neither attacked nor proved to be secure. We analyze the security of KEA and find that the original protocol ..."
Abstract

Cited by 29 (1 self)
 Add to MetaCart
(Show Context)
Abstract. KEA is a DiffieHellman based keyexchange protocol developed by NSA which provides mutual authentication for the parties. It became publicly available in 1998 and since then it was neither attacked nor proved to be secure. We analyze the security of KEA and find that the original protocol is susceptible to a class of attacks. On the positive side, we present a simple modification of the protocol which makes KEA secure. We prove that the modified protocol, called KEA+, satisfies the strongest security requirements for authenticated keyexchange and that it retains some security even if a secret key of a party is leaked. Our security proof is in the random oracle model and uses the Gap DiffieHellman assumption. Finally, we show how to add a key confirmation feature to KEA+ (we call the version with key confirmation KEA+C) and discuss the security properties of KEA+C. 1
Errors in Computational Complexity Proofs for Protocols
, 2005
"... Proofs are invaluable tools in assuring protocol implementers about the security properties of protocols. However, several instances of undetected flaws in the proofs of protocols (resulting in flawed protocols) undermine the credibility of provablysecure protocols. In this work, we examine several ..."
Abstract

Cited by 23 (12 self)
 Add to MetaCart
(Show Context)
Proofs are invaluable tools in assuring protocol implementers about the security properties of protocols. However, several instances of undetected flaws in the proofs of protocols (resulting in flawed protocols) undermine the credibility of provablysecure protocols. In this work, we examine several protocols with claimed proofs of security by Boyd & González Nieto (2003), Jakobsson & Pointcheval (2001), and Wong & Chan (2001), and an authenticator by Bellare, Canetti, & Krawczyk (1998). Using these protocols as case studies, we reveal previously unpublished flaws in these protocols and their proofs. We hope our analysis will enable similar mistakes to be avoided in the future.