A New Security Model for Cross-Realm C2C-PAKE Protocol

Size: px

Start display at page:

Download "A New Security Model for Cross-Realm C2C-PAKE Protocol"

Darleen Richard
6 years ago
Views:

1 A New Securty Model for Cross-Realm C2C-PAKE Protocol Fengao Wang 1 Yuqng Zhang Natonal Computer Network Intruson Protecton Center, GSCAS, Beng, Abstract. Cross realm clent-to-clent password authentcated key exchange (C2C-PAKE) schemes are desgned to enable two clents n dfferent realms to agree on a common sesson key usng dfferent passwords. In 2006, Yn-Bao presented the frst provably secure cross-realm C2C-PAKE, whch securty s proven rgorously wthn a formally defned securty model and based on the hardness of some computatonally ntractable assumptons. However, soon after, Phan et al. ponted out that the Yn-Bao scheme was flawed. In ths paper, we frst analyze the necessary securty attrbutes n the cross-realm C2C-PAKE scenaro, and then a new securty model for cross-realm C2C-PAKE s gven. Analogous to the general constructon of 3PAKE protocol for sngle server C2C-PAKE settng, we gve a general constructon of cross-realm C2C-PAKE protocol, whch securty s proved n the new securty model. Key word: Password-authentcated key exchange, cross realm, clent-to-clent, provably secure, securty model. 1 Introducton Usng a human memorable password to acheve authentcaton and agree on a common secret value (a sesson key) over an nsecure open network, s a popular method because of ts easy-to-memorze property. Over the years, there have been great deals of research on effcent and provably secure password-based authentcated key exchange schemes n the two-party or N- party settngs. Most password-authentcated key exchange schemes n the two-party lterature provde an authentcated key exchange between a clent and a server based on pre-shared password. However, wth dversty and rapd Ths work s supported by Natonal Natural Scence Foundaton of Chna ( ) and Natonal 863 program(2007aa01z427,2007aa01z450). 1 Correspondng author.tel: ,fax: E-mal address: wangf@npc.org.cn.

2 2 development of modern communcaton envronments n the felds such as moble networks, home networkng and etc., there s a need to construct a secure end-to-end channel between clents, whch s qute dfferent from the exstng clent-server model. Jn Wook Byun et al. [1] frstly consdered the cross-realm scenaro and dvded clent-to-clent password authentcated key exchange protocols nto two types: sngle-server C2C-PAKE protocol and cross-realm C2C-PAKE protocol. 1.1 Related work and Motvaton In 2002, Byun et al. [1] frst proposed a C2C-PAKE protocol n the crossrealm settng, whch s desgned to enable two clents n dfferent realms to agree on a common sesson key usng dfferent passwords and hence there exsted two servers nvolved. However, ths frst cross-realm scheme has been found to be not secure aganst dctonary attacks from a malcous server n a dfferent realm [2]. In 2004, Wang et al. [3] showed three dctonary attacks on the same protocol, and Km et al.[4] ponted out that the protocol was susceptble to enng-sacco attack and an mproved C2C-PAKE protocol was gven. However, ths mproved scheme was also shown to fall to unknown key share attacks [5] later. Although several countermeasures to resst the attacks on C2C-PAKE protocol have been presented n [2~5], all these proposals and varants were desgned wth heurstc securty analyss, not formally treated. In [6], Abdalla et al. frst addressed the sngle-server C2C- PAKE protocol settng and proposed a generc method to construct provably secure sngle-server C2C-PAKE protocol. To reduce the generc constructon s complexty the frst effcent provably secure sngle-server C2C-PAKE protocol was gven n [7], and later a smlar result about crossrealm C2C-PAKE protocol based on that n [7] was gven [8]. In [8], a formal model as well as the correspondng securty defntons for cross-realm C2C- PAKE protocol was defned for the frst tme. Concurrently, a provably secure cross-realm C2C-PAKE protocol was proposed by Byun et al. [9]. What s nterestng s, [6, 7] and [8, 9] were ponted out to be nsecure at the same tme by Wang et al. [10] and Phan et al. [11] respectvely, and both [10] and [11] were publshed n INOCRYPT As analyzed n [10], [6, 7] fall to undetectably onlne dctonary attacks, and an enhanced proposal were gven by addng the authentcaton securty noton for the treatment of undetectable attacks n 3-party PAKE scenaro. In [11], Phan et al. ponted out that [8, 9] also suffered undetectably onlne dctonary attacks, and an unknown keyshare attack to [8]. As Phan et al. stated n [11], desgnng provably secure protocols s ndeed the rght approach, but defnng an approprate model s not a trval task, because not ncludng some types of queres e.g. the Corrupt

3 3 query, or mproperly defnng the adversaral game may result n a securty proof that fals to capture vald attacks. 1.2 Our Contrbutons As mentoned above, a sutable formal securty model for cross-realm C2C- PAKE protocol s needed after the scheme proven to be secure n Yn-Bao securty model [8] was found to be flawed. Ths paper works out ths problem and a sutable securty model s presented based on the work of [8, 10]. In secton 2, we brefly descrbe the securty model n [10] and [8] frst; Necessary securty attrbutes n a cross-realm C2C-PAKE protocol settng are analyzed, and a new formal securty model for ths scenaro s defned n secton 3; In secton 4, analogous to the general constructon of 3PAKE protocol for sngle server C2C-PAKE settng [10], we gve a general constructon of cross-realm C2C-PAKE protocol, whch securty s proved n the new securty model. Comparson wth the frst formal securty model [8] for cross-realm C2C-PAKE protocol s gven n secton 5, and fnally we conclude the paper n secton 6. 2 Two Formal Securty Model for C2C-PAKE Protocol Before defnng the mproved new securty model for cross-realm C2C-PAKE protocol, we frst provde a bref descrpton to the securty model for sngleserver C2C-PAKE protocol settng n [10] and that for cross-realm C2C- PAKE protocol n [8]. 2.1 Securty Model for Sngle-server C2C-PAKE Protocol [10] As s well recognzed, desgnng provably secure protocols s ndeed the rght approach. Recently, wth the mportance of 3-party PAKE protocols been realzed by protocol researchers, the research nto precse securty defntons and formalzaton are needed and pad more attenton. In [6], Abdalla et al. frst addressed the sngle-server C2C-PAKE protocol settng and proposed a generc method to construct provably secure sngleserver C2C-PAKE protocol. To reduce the generc constructon s complexty the frst effcent provably secure sngle-server C2C-PAKE protocol was gven n [7]. Unfortunately, soon after both of them were ponted out to suffer from undetectable on-lne dctonary attacks [10]. As analyzed n [10], only addng mutual authentcaton between two communcatng partes n the end can not enhance those protocols to resst to undetectable on-lne dctonary

4 4 attacks. The reason s that there are nsde attackers n the 3-party scenaro, who themselves can play the legal role of one of the nvolved clent users and mpersonate the other clent party by guessng the value of ts password. After fnshng the protocol wth the trusted server, nsde attackers can verfy whether a password guess s correct by comparng the sesson keys obtaned from legal and mpersonatng dentfcatons respectvely. So f only communcatng partes authentcate each other, nsde attackers can stll guess the correct password by keepng on-lne nteractng wth the trusted server whch cannot detect such attacks. To solve out ths problem, a new securty noton called authentcaton securty [10] s added as an extenson for the ROR model of sngle-server 3-party PAKE protocols [6]. 2.2 Securty Model for Cross-Realm C2C-PAKE Protocol [8] fferent from sngle-server 3-party PAKE protocol settng, n a cross-realm C2C-PAKE protocol settng two servers are consdered. enote A, B as two clents belongng to two dfferent realms. Clent A shares hs password pw A wth server S 1, and clent B shares hs password pw B wth another server S 2. Addtonally, assume that there s an authentcated prvate channel between server S 1 and server S 2. All clents passwords are chosen from the same small dctonary whose dstrbuton s pw. urng the executon of a protocol n cross-realm settng, an adversary could also nteractve wth protocol partcpants va several oracle queres, whch model adversary s possble attacks n the real executon, and all possble oracle queres are: Execute query, Reveal query, SendClent query, SendServer query and Test query, whch are defned as n a Fnd-Then-Guess model sense n [6]. Furthermore, securty notons as opened, unopened, partnerng and freshness are also defned as that n [6]. However, dfferent from the two-party password-based protocol settng that only off-lne dctonary attack on the password needs to be consdered, n the cross-realm C2C-PAKE protocol settng, besdes the off-lne dctonary attack, clent s nsde attack ( a legal clent may try to learn other clent s password after the executon of the protocol) and server s nsde attack ( a legal server may try to learn the password of the clent not belongng to hs realm) are also necessary to be consdered. Thus, the securty defnton proposed n [8] conssts of the followng four securty requrements: (1) the sesson key cannot be dstngushed from random number by an outsde malcous adversary; (2) the server does not know the sesson key between clents; (3) the clent does not know other clent s password; and (4) clent s passwords are not revealed to other servers except for ther own servers.

5 5 3 New Securty Model for Cross-Realm C2C-PAKE Protocol As analyzed n [11], the undetectable on-lne dctonary attacks are caused by partes n general not beng able to dstngush between nteractons wth other honest partes or wth the adversary, whch s llustrated n [8].Therefore ncorporatng securty aganst undetectable on-lne dctonary attacks drectly nto the securty model of a PAKE protocol s suggested; Moreover, as n the 3-party PAKE settng, we also have to ncorporate authentcaton securty drectly nto our securty model to resst the undetectable on-lne dctonary attacks n cross-realm C2C-PAKE settng. Furthermore, due to the exstence of malcous clent nsder n a crossrealm C2C-PAKE settng, ncorporate Corrupt queres nto the securty model s necessary. As analyzed n [12], excluson of the Corrupt queres n the C2C-PAKE-YB model [8] gves rse to unknown key-share attacks by a malcous clent nsder, whch cannot be captured by a proof n the securty model. Note that corrupton of a clent s essentally equvalent to havng a malcous clent as an adversary. Although the C2C-PAKE-YB model clams securty aganst the latter case, the former s not consdered. Therefore, we add the Corrupt queres and the securty defnton of mutual authentcaton between clents nto the securty model. As analyzed above, on the bass of guaranteeng semantc securty ths paper extends the C2C-PAKE-YB model [8] by addng the Corrupt queres, mutual authentcaton and the securty aganst undetectable onlne dctonary attacks drectly nto the securty model. 3.1 Communcaton Model We stll adopt the notatons to denote protocol partcpants and clent s nstances that used n [8] here. enote A, B as two clents belongng to two dfferent realms. Clent A shares hs password pw A wth server S 1, and clent B shares hs password pw B wth another server S 2. Addtonally, assume that there s an authentcated prvate channel between server S 1 and server S 2. In practce, ths can be mplemented by a pre-dstrbuted common key shared between S 1 and S 2 or ther publc keys. All clents passwords are chosen from the same small dctonary whose dstrbuton s pw. Each partcpant U s (maybe a clent or a server) -th nstances as U. enote the set of all clents asμ, and denote the set of all servers as S. The cross-realm PAKE protocol s an nteractve protocol among four partcpants nstances: A, B s t, S 1, S2. After the protocol, A and B establsh a sesson key sk. It s assumed that an adversary Α has full control over the communcaton channels except that the channels between servers and can

6 6 create several concurrent nstances of the protocol. urng the executon of protocol, the nteracton between an adversary and the protocol partcpants occurs only va oracle queres, whch model the adversary capabltes n a real attack. The oracle queres an adversary Α could launch are as follows: 1 2 (1) Execute( U1, S, U 2 ): Ths query models passve attacks, where the attacker gets access to honest executons among the clent 1 2 nstances U1 and U 2 and trusted server nstance S by eavesdroppng. The output of ths query conssts of the message that was exchanged durng the honest executon of the protocol. (2) SendClent(U, m): Ths query models an actve attack aganst clents, n whch the adversary sends a message to the clent nstance U. The output of the query s the message that clent nstance U would generate upon recept of message m. (3) SendServer(S, m): Ths query models an actve attack aganst the server, n whch the adversary sends a message to server nstance S. It outputs the message whch server nstance S would generate upon recept of message m. (4) Reveal(U ): Ths query models the msuse of sesson keys by clents. Only f the sesson key of the clent nstance U s defned, the query s avalable and returns to the adversary the sesson key. (5) Corrupt(U ): Ths query models the attacks resultng n the password pw to be revealed. Adversary Α gets back from ths query pw, but doesn t get any nternal data on a corrupted clent. Ths s weak corrupton model, correspondng to another noton, called strong corrupton model where the nternal data of a corrupted clent also gets revealed on Corrupt(U ) query. (6) Test(U ): Ths query s used to measure the semantc securty of the sesson key of the clent nstance U. If the sesson key s not defned, t returns. Otherwse, t returns ether the sesson key held by the clent nstance U f b=0 or a random number of the same sze f b=1, where b s the hdden bt selected at random pror to the frst call. Partnerng. The defntonal approach of partnerng uses the noton of sesson dentfcatons (sd). Specfcally, two nstancesu1 andu2 are partners f the followng condtons are met: (1) Both U1 and U2 accept; (2) Both U1 and U2 share the same sd; (3) The partner dentfcaton for U1 s U2 and vceversa; and (4) No nstance other than U1 and U2 accepts wth a partner dentfcaton equal to or U. U1 2

7 7 Freshness. An oracleu s fresh (or holds a fresh sesson key) at the end of executon, f and only f (1) 1 U1 has accepted wth or wthout a partner oracle,(2) both andu oracles have not been sent a Reveal query, (3) U2 U1 2 both andu have not been sent a Corrupt query. U Securty efnton Correspondng to the securty defnton gven n [8], we present the securty defnton n our new formal securty model here. A secure cross-realm C2C-PAKE protocol s defned by the followng four requrements: (1) the sesson key cannot be dstngushed from a random number by an adversary (outsde malcous adversary or passve servers); (2) the server does not know the sesson key between clents; (3) the server can dstngush nteractons wth honest user or an adversary; (4) the clent can be sure that he has been talkng to hs ntended partner clent. Semantc Securty n the ROR Model [6] : For any adversary, the advantage for hm of guessng the random bt b used n the Test query s lager than 1/2 wth non-neglgble probablty. Let Succ ake denote the event that the adversary correctly guesses the value of b, and let be user s password ake dctonary. For any adversary, we defne hs advantage Adv as ake ake Adv ( Α ) = 2 Pr[ Succ ] 1 ake ake Adv (, t R) = max { Adv ( Α )} Α where the maxmum s over all adversares wth tme-complexty at most t and usng at most R tmes oracle queres. ake A protocol P s sad to be semantcally secure f the advantage Adv s only neglgbly larger than Oq ( s ) pw, where q s s the number of all send queres, pw s the dstrbuton of the password dctonary. Remark 1. Although corrupt queres are added nto ths securty model, note that corrupton of a clent s essentally equvalent to havng a malcous nsder clent as the adversary and ths doesn t ncrease the advantage of guessng a random bt b. Therefore, we stll consder the semantc securty n the ROR sense, and ths securty noton s dentcal to that defned n [10]. Key Prvacy Aganst Passve Server: We requre that no nformaton about the sesson key s revealed to the server. Note that the server knows all passwords of hs members. So a malcous server s always able to mpersonate one of ts members and exchange a sesson key wth another

8 8 clent by actve attack. As a result, we cannot requre a malcous server cannot learn the sesson key. The passve server S could query two oracles: Execute and Test. Let Succ denote the event that S correctly guess the value of the random bt b used n the Test query. Let s the user s password dctonary. For any passve server S, we defne hs advantage Adv ( S) as Adv ( S ) = 2 Pr[ Succ ] 1 Adv (, t R) = max { Adv ( S )} S where the specfcaton of the maxmum s as that n securty noton 1. A protocol P s key prvate aganst passve server f the advantage neglgble. Adv s Authentcaton Securty [10] : To resst the undetectable on-lne dctonary attacks to 3-party PAKE protocol, unlateral authentcaton from the clent to the trusted server s ndspensable, wheren the adversary may be an nsde auth( C S ) attacker and mpersonates another clent user. Let Succ denote the event that an adversary Α successfully mpersonates a clent nstance durng executng the protocol P whle the trusted server does not detect t. For any adversary Α, we defne hs advantage auth ( C S Adv ) ( Α) as auth ( C S ) ( ) ( ) Pr[ auth C Adv S Α = Succ ] auth( C S) auth( C S) Adv (, t R) = max{ Adv ( Α )} where the specfcaton of the maxmum s as above. s the user s password dctonary. We say P satsfes clent-to-server authentcaton securty auth( C S ) f Adv (, t R) s neglgble n the securty parameter. Mutual Authentcaton Between Two Clents: It s necessary for two correspondng partes to authentcate each other over an nsecure network n the help of the trusted servers n a cross-realm C2C-PAKE protocol settng. Α Let No Matchng ( k) be the event that an oracle U1 (or U2 ) has accepted but there s no oracle U2 (or U1 ) who has a matchng conversaton wth S2 (or S 1 ). We say P s a secure mutual authentcaton protocol, f for any polynomal adversary Α, t satsfes: (1) If U1 and S1, U2 and S2 have a matchng conversaton respectvely, both andu accept; U1 2 Α

9 B 9 Α (2) The probablty that No Matchng ( k) occurs s neglgble. 4 Generc Constructon of Cross-Realm C2C-PAKE Protocol To our knowledge, htherto, all the proposals for cross-realm C2C-PAKE protocols have been found to be flawed, so a secure scheme for cross-realm C2C-PAKE settng s needed. As analyzed above, authentcaton securty from the clent to server s ndspensable n a 3PAKE protocol. The new generc constructon of 3PAKE protocol for sngle-server settng [10] enlghtened us to extend t to a generc constructon of 3PAKE protocol for cross-realm settng, namely ENGPAKE n ths paper. We assume that there s an authentcated prvate communcaton channel between the trusted servers. Moreover, we attach the message for constructng sesson keys between clents to the last round of the 2PAKE protocol between clent and sever, whch reduces the number of communcaton rounds. See Fg.1 for more detals. Fg. 1. ENGPAKE:extended new generc constructon of 3PAKE for cross-realm settng. Assume that user A n the realm of S 1 and user B n the realm of S 2 want to establsh a secure sesson key wth the cooperaton of servers S 1 and S 2, whose passwords pw A and pw B are stored n S 1 and S 2 respectvely. User A and user B frst run a 2PAKE protocol wth server S 1 and S 2 respectvely, and two secure hgh-entropy sesson keys sk A and sk B are establshed. The 2PAKE protocol used here can be any semantc secure 2-PAKE protocol. Furthermore, f the authentcaton message from clent to server n 2PAKE protocol s not omtted, we attach the message for constructng sesson key between clents to t. Take the communcaton between clent A and server S1 for example, on recevng the authentcaton message from clent A, server S 1 frst verfes the authentcaton messages from A usng the sesson key sk A, f t r s nvald, S 1 aborts; Otherwse, S 1 sends <g, A, B> to server S2. Analogously, t r f S 2 has authentcated clent B, t send <g, B, A> to S1, compute g, r MAC(g,sk B, A, B) and send t to B. After recevng <g t, B, A>, S 1 frst checks

10 10 the denttes of clent A and B, then compute g t, MAC(g t,sk A, B, A) and send t to A. In ths manner, user A and user B establsh a sesson key n an authentcated way fnally wth the help of the trusted servers n each realm. 4.1 Assumptons Obvously, the two cryptographc prmtves, H assumpton and Message authentcaton code, used as buldng blocks n our scheme are dentcal to that n NGPAKE [10], snce only communcatons between trusted servers are added va authentcated prvate channel. For smplcty, we don t repeat the notons here, refer to [6] for more detals. 4.2 Securty of ENGPAKE We prove the securty of our scheme by showng that all securty requrements defned n subsecton 3.2 are met. Semantc Securty n the ROR Model and Authentcaton Securty: The communcaton channel between servers s authentcated and prvate, so the communcaton between servers s secure aganst any outsde adversary. From ths vewpont, server S 1 and S 2 can be treated as a sngle server when consderng outsde adversary, and therefore our scheme ENGPAKE s dentcal to NGPAKE for sngle-server settng [10], whch semantc securty was proven rgorously and authentcaton securty from clent to server was guaranteed. Thus, ENGPAKE s also semantcally secure aganst outsde adversary n the ROR model and provdng authentcaton securty from clent to server. Key Prvacy Aganst Passve Server: Snce the sub-protocol executed by both clents n the last stage of the scheme for constructng sesson key s substantally an authentcated ffe-hellmam key exchange as n NGPAKE, t s apparent that key prvacy aganst passve server s met. For smplcty, we don t provde ts proof here. Mutual Authentcaton Between clents: we prove the securty of ths securty requrement through the followng theorem. Theorem 1. ENGPAKE s a secure mutual authentcaton protocol between clents, assumng that the MAC algorthm and the 2PAKE protocol between clent and server are secure. Proof: The frst condton n the defnton of mutual authentcaton between clents s easly verfed; t merely equals to say that when the messages are fathfully relayed to each other, each party accepts. In addton, the sesson

11 B 11 key sk A and sk B unquely bnd the values of g and g to these partcular matchng sessons and dfferentate them from the messages that the partes may exchange n other sessons. As far as the second condton s concerned, t s proved by the followng lemma. Lemma1. v euf cma MAC (, t 2, 0)). Α ror ake A A A Pr[ No Matchng ( k)] < 2( Adv ( t, q, q + q, q ) + q Ad r 2 PAKE, exe exe send send ake The proof of ths lemma can be easly derved from the proof of the authentcaton securty n the Theorem 1 n [10]; therefore, we don t bother to repeat t here due to the hgh complexty of the proof process. # t 5 Comparsons and scusson C2C-PAKE-YB model s the frst formal securty model for cross-realm C2C- PAKE protocol settng. However, because of no consderaton of authentcaton securty from clent to server and mutual authentcaton between the clents, the protocol proved to be secure n ths model was later founded to be nsecure aganst undetectable on-lne dctonary attacks and unknown key-share attacks. Our newly defned securty model for cross-realm C2C-PAKE protocol overcomes these problems by addng the corrupt queres capabltes for adversary and defnng authentcaton securty from clent to server and mutual authentcaton between clents. Relatons between the securty defnton n our model and that n C2C-PAKE-YB model are analyzed as follows: (1) Semantc Securty. In our model, semantc securty s defned n the ROR model, whch s stronger than that defned n C2C-PAKE-YB model n FTG sense. The relaton between ROR model and FTG model was dscussed n [6]. (2) Key prvacy. Ths s dentcal to that defned n C2C-PAKE-YB model, assumng that the servers are passve. (3) Authentcaton Securty. As analyzed above, to resst undetectable onlne dctonary attacks, authentcaton securty from clent to server s ndspensable n 3-party PAKE protocol. Moreover, a cross-realm C2C-PAKE protocol whch has ths securty attrbute can not only protect the password from outsde adversary but also from the malcous clent and server. (4) Mutual Authentcaton between clents. Mutual authentcaton between clents guarantees that two correspondng partes can be sure of whom they have been talkng to at the end of a protocol executon. Obvously, ths property s necessary n cross-realm C2C-PAKE protocol settng because of

12 12 the exstence of malcous nsder clent. Obvously, these are the advantages that our securty model over the Yn- Bao securty model. Furthermore, the generc constructon of 3-PAKE for cross-realm settng nherts the excellent propertes from NGPAKE n [10], and t s more effcent than NGPAKE n the authentcaton stage when the last message for authentcaton from clent to server n 2PAKE protocol s not omtted. All exstng protocols for cross-realm PAKE are summarzed n the followng table. Table 1. Comparson wth Exstng protocols for cross-realm PAKE. Attacks Off-lne dctonary attack Undetectable on-lne Clent s nsde attack Server s nsde attack Exstng protocols dctonary attack C2C-PAK-BJLP[1] R R S S C2C-PAKE-WWX[3] R R S R C2C-PAKE-KKW[4] S R S S EC2C-PAKE[9] R S S S C2C-PAKE-YB[8] R S S R Our generc protocol R R R R Where R denotes resst, S denotes suffer here. 6 Conclusons Ths paper frst ntroduces the securty model of 3-PAKE for sngle-server settng and cross-realm settng wth two servers nvolved. Through analyss, we summarze the securty attrbutes needed by 3-PAKE protocol for crossrealm settng and present wth a sutable securty model for ths scenaro. Protocols proven secure n ths model have the securty attrbutes of authentcaton securty from clent to server and mutual authentcaton between clents, whch can effectvely avods protocols sufferng from several attacks, such as on-lne dctonary attacks (both detectable and undetectable on-lne dctonary attacks) and unknown key-share attacks. Furthermore, we extend the generc constructon of 3-PAKE for sngle-server settng [10] to a generc constructon of 3-PAKE protocol for cross-realm settng, the securty of whch s proved n the new securty model. Fnally, the advantages of ths newly defned securty model over the Yn-Bao model are dscussed and comparson wth Exstng protocols for cross-realm PAKE s gven.

13 13 Reference [1] J. Byun, I. Jeong,. Hoon Lee, and C. Park. Password-authentcated key exchange between clents wth dfferent passwords. In ICICS 2002, LNCS 2513, pp Sprnger, [2] L. chen. A weakness of the password-authentcated key agreement between clents wth dfferent passwords scheme. ISO/IEC JTC 1/SC27 N3716. [3] S. Wang, J. Wang, and M. Xu. Weakness of a password-authentcated key exchange protocol between clents wth dfferent passwords. In Proceedngs of ACNS 2004, LNCS Vol.3089, pp , Sprnger-Verlag, [4] J. Km, S. Km, J. Kwak, and.won. Cryptanalyss and mprovements of password authentcated key exchange scheme between clents wth dfferent passwords. In Proceedngs of ICCSA 2004, LNCS Vol. 3044, pp , Sprnger-Verlag, [5] R.C.-W. Phan and B. Go, Cryptanalyss of an Improved Clent-to-Clent Password-Authentcated Key Exchange (C2C-PAKE) Scheme. In Proceedngs of ACNS 2005, LNCS Vol.3531, pp.33-39, Sprnger-Verlag, [6] M. Abdalla, P.-A. Fouque,. Pontcheval. Password-based authentcated key exchange n the three-party settng. In S. Vaudenay, edtor, Publc Key Cryptography-PKC 2005, Vol 3386, LNCS, pp.65-84, [7] M. Abdalla,. Pontcheval. Interactve dffe-hellman assumptons wth applcatons to password-based authentcaton. In Fnancal Cryptography and ata Securty-FC 2002, Vol 3570, LNCS, pp , [8] Y. Yn and L. Bao. Secure Cross-Realm C2C-PAKE Protocol. Proc. ACISP 06, LNCS 4058, pp , [9] J. W. Byun,.H. Lee, and J. Lm. Effcent and Provably Secure Clent-to- Clent Password-Based Key Exchange Protocol. Proc. APWeb 06, LNCS 3841, pp , [10] W. WeJa, H. Le. Effcent and provably secure generc constructon of three-party password-based authentcated key exchange protocols. Progress n Cryptology - INOCRYPT 06, LNCS 4329, pp , [11] R. C.-W. Phan, B. Go. Cryptanalyss of two provably secure C2C-PAKE protocols. Progress n Cryptology - INOCRYPT 06, LNCS 4329, pp , [12] K.-K.R. Choo, C. Boyd, and Y. Htchcock. Examnng Indstngushablty- Based Proof Models for Key Establshment Protocols. Advances n Cryptology-Asacrypt 05, LNCS 3788, pp , [13] M. Bellare and P. Rogaway. Entty authentcaton and key dstrbuton. Advances n Cryptology-CRYPTO 93, LNCS 773, pp , 1993.

Related-Mode Attacks on CTR Encryption Mode

Internatonal Journal of Network Securty, Vol.4, No.3, PP.282 287, May 2007 282 Related-Mode Attacks on CTR Encrypton Mode Dayn Wang, Dongda Ln, and Wenlng Wu (Correspondng author: Dayn Wang) Key Laboratory