Results 1 - 10 of 38
Identity-based Key Agreement Protocols from Pairings
2006
Cited by 59 (5 self)
Abstract: In recent years, a large number of identity-based key agreement protocols from pairings have been proposed. Some of them are elegant and practical. However, the security of this type of protocols has been surprisingly hard to prove. The main issue is that a simulator is not able to deal with reveal queries, because it requires solving either a computational problem or a decisional problem, both of which are generally believed to be hard (i.e., computationally infeasible). The best solution of security proof published so far uses the gap assumption, which means assuming that the existence of a decisional oracle does not change the hardness of the corresponding computational problem. The disadvantage of using this solution to prove the security for this type of protocols is that such decisional oracles, on which the security proof relies, cannot be performed by any polynomial time algorithm in the real world, because of the hardness of the decisional problem. In this paper we present a method incorporating a built-in decisional function in this type of protocols.
Security of two-party identity-based key agreement
Vaudenay (Eds.), Progress in Cryptology – Mycrypt 2005, Malaysia, Kuala Lumpur, 2005
Cited by 14 (5 self)
Abstract: This is the author's version of a work that was submitted/accepted for publication in the following source:
On the Indistinguishability-Based Security Model of Key Agreement Protocols - Simple Cases
2005
Cited by 14 (4 self)
Abstract: Since Bellare and Rogaway's work in 1994, the indistinguishability-based security models of authenticated key agreement protocols in simple cases have been evolving for more than ten years. In this paper, we review and organize the models under a unified framework with some new extensions. By providing a new ability (the Coin query) to adversaries and redefining two key security notions, the framework fully exploits an adversary's capacity and can be used to prove all the commonly required security attributes of key agreement protocols with key confirmation. At the same time, the Coin query is also used to define a model which can be used to heuristically evaluate the security of a large category of authenticated protocols without key confirmation. We use the models to analyze a few identity-based authenticated key agreement protocols with pairings.
On Security Proof of McCullagh-Barreto's Key Agreement Protocol and its Variants
International Journal of Security and Networks, 2005
Cited by 14 (4 self)
Abstract: McCullagh and Barreto presented an identity-based authenticated key agreement protocol in CT-RSA 2005. Their protocol was found to be vulnerable to a key-compromise impersonation attack. In order to recover the weakness, McCullagh and Barreto, and Xie proposed two variants of the protocol respectively. In each of these works, a security proof of the proposed protocol was presented. In this paper, we revisit these three security proofs and show that all the reductions in these proofs are invalid, because the property of indistinguishability between their simulation and the real world did not hold. As a replacement, we present a new reduction for the McCullagh and Barreto modified protocol in the weaker Bellare-Rogaway key agreement model. Our reduction is based on a new assumption, which is at least as weak as some well-explored assumptions in the literature.
Okamoto-Tanaka revisited: fully authenticated Diffie-Hellman with minimal overhead
Cited by 14 (0 self)
Abstract: The Diffie-Hellman protocol (DHP) is one of the most studied protocols in cryptography. Much work has been dedicated to armor the original protocol against active attacks while incurring a minimal performance overhead relative to the basic (unauthenticated) DHP. This line of work has resulted in some remarkable protocols, e.g., MQV, where the protocol's communication cost is identical to that of the basic DHP and the computation overhead is small. Unfortunately, MQV and similar 2-message "implicitly authenticated" protocols do not achieve full security against active attacks since they cannot provide forward secrecy (PFS), a major security goal of DHP, against active attackers. In this paper we investigate the question of whether one can push the limits of authenticated DHPs even further, namely, to achieve communication complexity as in the original DHP (two messages with a single group element per message), maintain low computational overhead, and yet achieve full PFS against active attackers in a provable way. We answer this question in the affirmative by resorting to an old and elegant key agreement protocol: the Okamoto-Tanaka protocol [32]. We present a variant of the protocol (denoted mOT) which achieves the above minimal communication, incurs a computational overhead relative to the basic DHP that is practically negligible, and yet achieves full provable key agreement security, including PFS, against active attackers. Moreover, due to the identity-based properties of mOT, even the sending of certificates (typical for authenticated DHPs) can be avoided in the protocol. As additional contributions, we apply our analysis to prove the security of a recent multi-domain extension of the Okamoto-Tanaka protocol by Schridde et al. and show how to adapt mOT to the (non id-based) certificate-based setting.
Password protected smart card and memory stick authentication against off-line dictionary attacks. Cryptology ePrint Archive, Report 2012/120
2012
Cited by 9 (1 self)
Abstract: We study the security requirements for remote authentication with a password protected smart card. In recent years, several protocols for password-based authenticated key exchange have been proposed. These protocols are used for the protection of password based authentication between a client and a remote server. In this paper, we will focus on the password based authentication between a smart card owner and smart card via an untrusted card reader. In a typical scenario, a smart card owner inserts the smart card into an untrusted card reader and inputs the password via the card reader in order for the smart card to carry out the process of authentication with a remote server. In this case, we want to guarantee that the card reader will not be able to impersonate the card owner in future without the smart card itself. Furthermore, the smart card could be stolen. If this happens, we want the assurance that an adversary could not use the smart card to impersonate the card owner even though the sample space of passwords may be small enough to be enumerated by an off-line adversary.
Making the Diffie-Hellman Protocol Identity-Based
2010
Cited by 7 (1 self)
Abstract: This paper presents a new identity based key agreement protocol. In id-based cryptography (introduced by Adi Shamir in [33]) each party uses its own identity as public key and receives his secret key from a master Key Generation Center, whose public parameters are publicly known. The novelty of our protocol is that it can be implemented over any cyclic group of prime order, where the Diffie-Hellman problem is supposed to be hard. It does not require the computation of expensive bilinear maps, or additional assumptions such as factoring or RSA. The protocol is extremely efficient, requiring only twice the amount of bandwidth and computation of the unauthenticated basic Diffie-Hellman protocol. The design of our protocol was inspired by MQV (the most efficient authenticated Diffie-Hellman based protocol in the public-key model) and indeed its performance is competitive with respect to MQV (especially when one includes the transmission and verification of certificates in the MQV protocol, which are not required in an id-based scheme). Our protocol requires a single round of communication in which each party sends only 2 group elements: a very short message, especially when the protocol is implemented over elliptic curves. We provide a full proof of security in the Canetti-Krawczyk security model for key exchange, including a proof that our protocol satisfies additional security properties such as forward secrecy, and resistance to reflection and key-compromise impersonation attacks.
Strongly-secure identity-based key agreement and anonymous extension
In Information Security (ISC), LNCS, 2007
Cited by 6 (2 self)
Abstract: We study the provable security of identity-based (ID-based) key agreement protocols. Although several published protocols have been proven secure in the random oracle model, only a weak adversarial model is considered – the adversary is not allowed to ask Session-Key Reveal queries that will allow the adversary to learn previously established session keys. Recent research efforts devoted to providing a stronger level of security require strong assumptions, such as assuming that the simulator has access to a non-existential computational or decisional oracle. In this work, we propose an ID-based key agreement protocol and prove its security in the widely accepted indistinguishability-based model of Canetti and Krawczyk. In our proof, the simulator does not require access to any non-existential computational or decisional oracle. We then extend our basic protocol to support ad-hoc anonymous key agreement with bilateral privacy. To the best of our knowledge, this is the first protocol of its kind as previously published protocols are for fixed group and provide only unilateral privacy (i.e., only one of the protocol participants enjoys anonymity).
Towards security two-part authenticated key agreement protocols
2005
Cited by 4 (0 self)
Abstract: We first present a new security 2-AK protocol, which is more secure and more efficient than previously proposed ones. Meanwhile, we point out that Xie's ID-2-AK protocol modified from McCullagh-Barreto in CT-RSA 2005 doesn't provide protection against the KCI attack likewise, and finally utilize the modular arithmetic, first proposed in MQV and also used in Kim, to get a modified new ID-2-AK protocol. On second thoughts, we give another ID-2-AK protocol utilizing the operation of addition in a finite field like our forenamed 2-AK protocol. The two ID-2-AK protocols are in possession of all the desired security attributes. We also compare our new protocols with others in terms of computational cost and security properties.
Cryptanalysis of Security Enhancement for a Modified Authenticated Key Agreement Protocol
2009
Cited by 4 (0 self)
Abstract: Recently, Chang et al. proposed a security enhancement in Ku and Wang's authenticated key agreement protocol. Two parties employ the pre-shared password to agree on a common session key via an insecure network. However, in this article, we will show that Chang et al.'s scheme suffers from the backward replay attack and the off-line password guessing attack.