Authenticated Key Agreement without Subgroup Element Verification
Taekyoung Kwon
Sejong University, Seoul, Korea

Abstract. In this paper, we rethink the security of authenticated key agreement and design a new protocol from the practical perspective. Our main focus is on reconsidering the need for real-time checking that the random exchange lies in a proper subgroup, and on discussing the implications of authenticated key agreement that does not require subgroup element verification at run time.

Keywords: Cryptographic Protocols, Authentication, Authenticated Key Agreement, Small Subgroup Attacks.

1 Introduction

Key agreement (or key exchange) protocols are necessary when two (or more) communicating parties wish to contribute information for establishing a new secret key. Neither party is allowed to predetermine the key before exchanging the information. Diffie-Hellman key agreement is the best flavor of public-key cryptography that basically allows two communicating parties, Alice and Bob, without sharing any secret a priori, to derive a new secret key over a public channel [9]. During the past decades, Diffie-Hellman has been the most influential building block for various cryptographic protocols from both theoretical and practical perspectives [3, 6, 11, 13, 19].

Let $G$ be a cyclic group with generator $g$, for example, a multiplicative group $\mathbb{Z}_p^*$ where $p$ is a large prime integer. Alice and Bob choose random integers $x$ and $y$, respectively, where $1 \le x, y \le p-2$. They exchange $X = g^x \bmod p$ and $Y = g^y \bmod p$ for computing $Y^x \bmod p$ and $X^y \bmod p$, respectively. Hereafter, let us omit $\bmod\ p$ from the expressions that are obvious in $\mathbb{Z}_p^*$. The derived secret is $Z = g^{xy}$ $(= (g^y)^x = (g^x)^y)$.

We often refer to the Computational Diffie-Hellman (CDH) problem with regard to the security of cryptographic protocols from theoretical aspects. The CDH problem is to compute $Z = g^{xy}$ for given $X = g^x$ and $Y = g^y$ (say without $x$ and $y$).
It is widely recognized that solving CDH is computationally difficult and is at most as hard as computing discrete logarithms in $G$ [13, 19].

Authenticated key agreement protocols may add implicit or explicit key authentication to Diffie-Hellman [2, 4]. For implicit key authentication, each party should be assured that no other party aside from a specifically identified counterpart can possibly learn the secret key. For explicit key authentication, the party should additionally be assured that the counterpart may actually possess the secret key through key confirmation. In this paper, by two-pass protocols we mean that only implicit key authentication is provided, while by three-pass protocols we mean that explicit key authentication is provided for both parties.

The rest of this paper is organized as follows: Section 2 describes the motivation of our paper. Section 3 presents the proposed protocol while Section 4 analyzes it. This paper is concluded in Section 5.

2 Motivation

2.1 Small Subgroup Attacks

Aside from the theoretical security aspects of Diffie-Hellman, there are many practical concerns about protocol attacks. For example, an active attacker may replace $X$ and $Y$ respectively with $X^q$ and $Y^q$ where $p = Rq + 1$ for small $R$, so that $Z$ is forced to lie in a small order subgroup. The attacker can also replace $X$ and $Y$ with arbitrary small subgroup elements, even if $g$ is set to have large prime order $q$. Most of such attacks can be prevented by authenticating the random exchange [3, 6, 19]. However, it is not enough in many cases.

In the key recovery attack, a small subgroup is exploited for finding partial bits of one's secret [11]. Suppose that $A = g^a$ and $B = g^b$ are respectively the certified public keys of Alice and Bob. Alice may set $X = \alpha g^x$ for a small subgroup element $\alpha$, for example, in the MTI/A0 authenticated key agreement protocol, in which Alice and Bob should have agreed on $K = Y^a B^x$ and $K' = X^b A^y$ respectively. Thus Alice can find partial bits $\beta = b \bmod \mathrm{ord}(\alpha)$ from checking $K' \stackrel{?}{=} \alpha^{\beta} K$ in $O(2^{\mathrm{ord}(\alpha)})$ steps, where $\mathrm{ord}(\alpha)$ means the order of $\alpha$ [11]. In many protocols, this attack can be prevented by having $g$ of large prime order and checking that the random exchange lies properly in the large prime order subgroup ($X^q \stackrel{?}{=} 1$), while such verification requires additional costs [6, 11].

2.2 Desirable Properties of Key Agreement Protocols

It is essential for secure protocols to withstand both passive attacks and active attacks. Passive attacks are where an adversary attempts to prevent a protocol from achieving its goal by merely observing honest entities carrying out the protocol. Active attacks are where an adversary additionally subverts the communications themselves in any way possible, for example, by injecting, intercepting, replaying, or altering messages. In addition to key authentication and confirmation, there are a number of desirable attributes of key agreement protocols [4].

1. known session keys: A protocol achieves its goal even if an adversary has learned some previous session keys.
2. (perfect) forward secrecy: The secrecy of previous session keys is not affected even if long-term secrets such as private keys of one or more entities are compromised.
3. unknown key-share: A party $A$ cannot be coerced into sharing a key with the specified counterpart $B$ without $A$'s knowledge, i.e., when $A$ believes it is sharing with $C \ne B$.
4. key-compromise impersonation: Suppose $A$'s long-term secret such as a private key is disclosed. An adversary is able to impersonate $A$ through the disclosed secret. However, this loss must not enable an adversary to impersonate other parties to $A$.
5. loss of information: Compromise of other information that would not ordinarily be available to an adversary does not affect the security of the protocol, for example, by loss of $g^{s_A s_B}$ where $s_i$ represents party $i$'s long-term secret.
6. key control: Neither party is able to force the session key to a preselected value, for example, by small subgroup confinement [18] or a key recovery attack [11].

Desirable performance attributes are low overheads of computation and communication [4].

3 New Protocol

We design a new authenticated key agreement protocol that is secure and efficient without verifying the random exchange to have large prime order. Assume the public keys $A = g^a$ and $B = g^b$ are certified by an authority, and manipulated with respective identities $I_A$ and $I_B$.

1. Alice and Bob exchange $X = g^x$ and $Y = g^y$, respectively, where $1 < X, Y < p$.
2. They compute $K = (Y B^{e_B})^{(x + a e_A)e}$ and $K' = (X A^{e_A})^{(y + b e_B)e}$, respectively, where $e = h(0, I_A, I_B, X, Y)$, $e_A = h(1, I_A, I_B, X, Y)$ and $e_B = h(2, I_A, I_B, X, Y)$ for a strong one-way hash function $h()$. Note that the bit-length of $e_A$ and $e_B$ can be adjusted to be shorter.

It is obvious that $K = K' = g^{(xy + xb e_B + ay e_A + ab e_A e_B)e}$ and they are implicitly authenticated due to $A$ and $B$. For explicit authentication and key confirmation, we can augment it to three passes that exchange $h(3, I_B, I_A, Y, X, K')$ and $h(4, I_A, I_B, X, Y, K)$ [3].
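
A toy run of the two-pass protocol above, added here as an illustration and not code from the paper. It checks that $K = K'$, and it compares what a confined $X = \alpha g^x$ leaves in Bob's key under MTI/A0 (Section 2.1) and under this protocol, next to the $X^q \stackrel{?}{=} 1$ check that the protocol omits. The tiny group ($p = 2 \cdot 7 \cdot q + 1$), the fixed secrets, the identity strings and the SHA-256 stand-in for $h()$ are all assumptions made for the example.

```python
import hashlib

def is_prime(n):
    return n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))

def toy_group(r=7, start=1000):
    """Constructed toy parameters: p = 2*r*q + 1 with q prime, so Z_p^* has
    a prime-order subgroup of order q and a small subgroup of order r."""
    q = start
    while not (is_prime(q) and is_prime(2 * r * q + 1)):
        q += 1
    p = 2 * r * q + 1
    g = next(v for v in (pow(s, (p - 1) // q, p) for s in range(2, p)) if v != 1)
    alpha = next(v for v in (pow(s, (p - 1) // r, p) for s in range(2, p)) if v != 1)
    return p, q, r, g, alpha

P, Q, R, G, ALPHA = toy_group()

# Constructed long-term and ephemeral secrets (fixed so the run is repeatable).
A_PRIV, B_PRIV, X_PRIV, Y_PRIV = 123, 456, 321, 654
A_PUB, B_PUB = pow(G, A_PRIV, P), pow(G, B_PRIV, P)

def h(tag, *parts):
    """Stand-in for the paper's h(): SHA-256 mapped into [1, Q-1] (assumption)."""
    data = "|".join(str(v) for v in (tag,) + parts).encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)

def challenges(id_a, id_b, X, Y):
    """Returns (e, e_A, e_B) as defined in step 2."""
    return tuple(h(t, id_a, id_b, X, Y) for t in (0, 1, 2))

def session_key(eph_priv, long_priv, e_own, peer_eph, peer_pub, e_peer, e):
    """(peer_eph * peer_pub^e_peer)^((eph_priv + long_priv*e_own)*e) mod p.
    The exponent is kept as a plain integer, as in the paper's formulas."""
    base = peer_eph * pow(peer_pub, e_peer, P) % P
    return pow(base, (eph_priv + long_priv * e_own) * e, P)

def in_prime_order_subgroup(X):
    """The run-time check X^q == 1 that the protocol does without."""
    return pow(X, Q, P) == 1

def residue_seen(K_bob, K_alice):
    """beta in [0, R) with K_bob == ALPHA^beta * K_alice, or None."""
    return next((t for t in range(R)
                 if K_bob == pow(ALPHA, t, P) * K_alice % P), None)

def honest_run():
    X, Y = pow(G, X_PRIV, P), pow(G, Y_PRIV, P)
    e, e_a, e_b = challenges("alice", "bob", X, Y)
    K = session_key(X_PRIV, A_PRIV, e_a, Y, B_PUB, e_b, e)         # Alice
    K_prime = session_key(Y_PRIV, B_PRIV, e_b, X, A_PUB, e_a, e)   # Bob
    return K, K_prime

def confined_mti_a0():
    """MTI/A0 with X = alpha*g^x: Bob's key differs by alpha^b."""
    X, Y = ALPHA * pow(G, X_PRIV, P) % P, pow(G, Y_PRIV, P)
    K_alice = pow(Y, A_PRIV, P) * pow(B_PUB, X_PRIV, P) % P
    K_bob = pow(X, B_PRIV, P) * pow(A_PUB, Y_PRIV, P) % P
    return residue_seen(K_bob, K_alice)

def confined_new_protocol():
    """Same X in the new protocol: the factor is alpha^((y + b*e_B)*e)."""
    X, Y = ALPHA * pow(G, X_PRIV, P) % P, pow(G, Y_PRIV, P)
    e, e_a, e_b = challenges("alice", "bob", X, Y)
    K_alice = session_key(X_PRIV, A_PRIV, e_a, Y, B_PUB, e_b, e)
    K_bob = session_key(Y_PRIV, B_PRIV, e_b, X, A_PUB, e_a, e)
    return residue_seen(K_bob, K_alice), ((Y_PRIV + B_PRIV * e_b) * e) % R

if __name__ == "__main__":
    K, K_prime = honest_run()
    print("p, q, r =", P, Q, R, "| keys agree:", K == K_prime)
    print("MTI/A0 residue:", confined_mti_a0(), "| b mod r:", B_PRIV % R)
    print("new protocol (seen, (y + b*e_B)*e mod r):", confined_new_protocol())
    bad_x = ALPHA * pow(G, X_PRIV, P) % P
    print("X^q == 1 accepts alpha*g^x:", in_prime_order_subgroup(bad_x))
```
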

Note also that the simultaneous exponentiation method [14] can be applied in the way that $K = Y^{(x + a e_A)e} B^{(x + a e_A) e e_B}$ and $K' = X^{(y + b e_B)e} A^{(y + b e_B) e e_A}$. Let us use specifically when we imply simultaneous exponentiation.

4 Analysis

4.1 Security Analysis

It might be easy to observe that our authenticated key agreement protocol satisfies all of the desirable security attributes listed in [3] and [6]. Among them, we first show that our scheme satisfies known-key security and forward secrecy, by making a simple reduction from the standard assumption on CDH.

Suppose $P$ is a probabilistic polynomial time algorithm that breaks our protocol by answering $K$ correctly to a query $X, Y, A, B$ for $A$ and $B$, with probability ɛ. Given $X$ and $Y$, we show that we can compute $Z = g^{xy}$ by using $P$, with probability ε ɛ in polynomial time.

Let $r_i$ be chosen at random from $[1, p-2]$. We input $A^{r_0}, B^{r_1}, A, B$ to $P$ so that $P$ outputs

$$K_1 = (g^{ab r_0 r_1} g^{ab r_0 e_{B1}} g^{ab r_1 e_{A1}} g^{ab e_{A1} e_{B1}})^{e_1} = g^{ab e_1 (r_0 r_1 + r_0 e_{B1} + r_1 e_{A1} + e_{A1} e_{B1})}$$

for $e_1 = h(0, I_A, I_B, A^{r_0}, B^{r_1})$, $e_{A1} = h(1, I_A, I_B, A^{r_0}, B^{r_1})$ and $e_{B1} = h(2, I_A, I_B, A^{r_0}, B^{r_1})$. We then compute

$$C_1 = K_1^{\{e_1 (r_0 + e_{A1})(r_1 + e_{B1})\}^{-1}} = g^{ab}.$$

Similarly, we input $X^{r_2}, B^{r_3}, A, B$ and $A^{r_4}, Y^{r_5}, A, B$ to $P$ so that $P$ outputs respectively

$$K_2 = (g^{xb r_2 r_3} g^{xb r_2 e_{B2}} g^{ab r_3 e_{A2}} g^{ab e_{A2} e_{B2}})^{e_2} = g^{(xb r_2 + ab e_{A2})(r_3 + e_{B2}) e_2}$$

and

$$K_3 = g^{(ay r_5 + ab e_{A3})(r_4 + e_{B3}) e_3}$$

for $e_2 = h(0, I_A, I_B, X^{r_2}, B^{r_3})$, $e_3 = h(0, I_A, I_B, A^{r_4}, Y^{r_5})$, and similarly for $e_{A2}$, $e_{B2}$, $e_{A3}$, and $e_{B3}$. We then compute

$$C_2 = K_2^{\{e_2 r_2 (r_3 + e_{B2})\}^{-1}} C_1^{-r_2^{-1} e_{A2}} = g^{xb}$$

and

$$C_3 = K_3^{\{e_3 r_5 (r_4 + e_{B3})\}^{-1}} C_1^{-r_5^{-1} e_{A3}} = g^{ay}.$$

Finally we input $X, Y, A, B$ to $P$ so that $P$ outputs $K = (g^{xy} g^{xb e_B} g^{ay e_A} g^{ab e_A e_B})^{e}$. We then compute

$$Z = K^{e^{-1}} C_1^{-e_A e_B} C_2^{-e_B} C_3^{-e_A} = g^{xy},$$

so as to solve the CDH problem for given $X$ and $Y$ with probability ε ɛ in polynomial time. Thus we can say our scheme enjoys the benefit of Diffie-Hellman in a way that a compromised session key does not expose other session keys, while a compromised long-term key does not disclose previous session keys as well.

Our protocol is secure against the key-compromise impersonation and loss of information attacks due to $X^b$ and $Y^a$ embedded in $K = g^{(xy + xb e_B + ay e_A + ab e_A e_B)e}$.
For example, an adversary compromising Alice's private key $a$ cannot impersonate Bob to Alice due to the required computation of $X^b$, while loss of either information in $K_{old}, A, B, g^{ab}$ does not affect the secrecy of $K_{new}$.

We examine the unknown key-share attack that allows Malice to make one party believe $K$ to be shared with Malice while it is in fact shared with a different party [3, 6]. A common scenario is that Malice has $M = g^a$ certified without knowing the private key $a$ of Alice, and uses it to talk with Bob as Malice while she poses as Bob to Alice simultaneously. Our protocol is secure against this attack because, for $e$, we have $h(I_A, I_B, X, Y) \ne h(I_M, I_B, X, Y)$ in computing each $K$. Note that the closest relative, the MQV protocol, is vulnerable to this attack [3, 6].

Finally we show that our scheme is secure against small order subgroup attacks specifically without verifying the random exchange to have large prime order in real time.

(1) A middle-person attacker may replace $X$ and $Y$ with $X^w$ and $Y^w$, respectively, where $w = \frac{p-1}{r}$ for a small factor $r$ of $p-1$. However, Alice and Bob should respectively have to agree on $K = (Y^w)^{(x + a e_A)e} B^{(x + a e_A)e}$ and $K' = (X^w)^{(y + b e_B)e} A^{(y + b e_B)e}$. The attacker cannot guess $K$ without obtaining $g^{ab}$ and so on, while the keys are not eventually agreed, say $K \ne K'$.

(2) An inside attacker Alice, without loss of generality, may set $X = \alpha g^x$ for a small subgroup element $\alpha$. She then utilizes a message encrypted under $K'$ or the key confirmation $h(3, I_B, I_A, Y, X, K')$ of Bob for deriving partial bits in $O(2^{\mathrm{ord}(\alpha)})$ steps. However, the partial bits might be set as $\beta = (y + b e_B)e \bmod \mathrm{ord}(\alpha)$, not for the long-term private key $b$ only, since Bob has obtained $K' = \alpha^{(y + b e_B)e} g^{(xy + xb e_B + ay e_A + ab e_A e_B)e}$ while $K = g^{(xy + xb e_B + ay e_A + ab e_A e_B)e}$. The chance of deriving partial bits of $b$ without knowing $y$ is negligible. The chance of setting $A = \alpha g^x$ intentionally is also negligible, since a certificate authority might have declined it.

4.2 Efficiency Analysis

We have removed the obligation for the protocol parties to check the random exchange to have large prime order in real time, since such verification is expensive, requiring one modular exponentiation in $G$, for example, $X^q \stackrel{?}{=} 1$. This operation is enormous specifically when we set $p$ as a safe prime such that $p = 2q + 1$ for large prime $q$. Thus, our protocol might be very efficient as well as secure.

The required computations are certificate verification of $A$ and $B$, and modular exponentiations in $G$ for computing $X, K$ and $Y, K'$ on the respective sides, while $X$ and $Y$ can be pre-computed. Suppose that $A$ and $B$ are already verified, and $X$ and $Y$ are pre-computed by the respective parties. This assumption can be considered for various practical applications. Both Alice and Bob are then able to conduct authenticated key agreement in real time with only one simultaneous exponentiation in $G$, when we ignore a single modular multiplication. Note that the simultaneous exponentiation is only about 25% more costly than a single exponentiation.

Though we have chosen $\mathbb{Z}_p^*$ or its large prime order subgroup for wide acceptance, it is also worth considering a different cyclic group $G$ such as an elliptic curve group for more spatial efficiency and easier manipulation with shorter private keys.

5 Conclusion

The main goal of this study is to rethink the security of authenticated key agreement against the small subgroup attacks, and to design a new practical protocol that is secure against the related attacks without checking the random exchange to have large prime order. The proposed protocol is eventually close to MQV [3, 6].
However, our protocol is secure against the unknown key-share attack and is also released from real-time checking of the random exchange to have large prime order. We believe these properties must be beneficial to practical use.

References

1. M. Abadi and M. Tuttle, A semantics for a logic of authentication, In Proc. of the ACM Symposium on Principles of Distributed Computing, August.
2. S. Blake-Wilson, D. Johnson and A. Menezes, Key agreement protocols and their security analysis, In Proc. of IMA International Conference on Cryptography and Coding, December.
3. S. Blake-Wilson and A. Menezes, Authenticated Diffie-Hellman key agreement protocols, SAC 98, Lecture Notes in Computer Science, vol. 1556, 1999.
4. S. Blake-Wilson and A. Menezes, Unknown key-share attacks on the station-to-station (STS) protocol, PKC 99, Lecture Notes in Computer Science, vol. 1560, Springer-Verlag.
5. C. Boyd and W. Mao, On a limitation of BAN logic, Lecture Notes in Computer Science, vol. 765, Springer-Verlag.
6. C. Boyd and A. Mathuria, Protocols for authentication and key establishment, Springer-Verlag.
7. M. Burrows, M. Abadi, and R. Needham, A logic of authentication, Technical Report SRC RR 39, Digital Equipment Corporation, Systems Research Center, February.
8. D. Denning and G. Sacco, Timestamps in key distribution protocols, Communications of the ACM, vol. 24, no. 8, August.
9. W. Diffie and M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, vol. 22, no. 6, November.
10. L. Gong, R. Needham, and R. Yahalom, Reasoning about belief in cryptographic protocols, In Proc. of the IEEE Symposium on Research in Security and Privacy.
11. C. Lim and P. Lee, A key recovery attack on discrete log-based schemes using a prime order subgroup, CRYPTO 97, LNCS 1294.
12. T. Matsumoto, Y. Takashima, and H. Imai, On seeking smart public-key distribution systems, Trans. of IEICE, E69.
13. U. Maurer and S. Wolf, Diffie-Hellman oracles, CRYPTO 96, LNCS 1109.
14. A. Menezes, P. van Oorschot and S. Vanstone, Handbook of applied cryptography, CRC Press, Inc.
15. R. Needham and M. Schroeder, Using encryption for authentication in large networks of computers, Communications of the ACM, vol. 21, no. 12.
16. D. Song, Athena: a new efficient automatic checker for security protocol analysis, In Proc. of the IEEE Computer Security Foundation Workshop.
17. P. Syverson and P. van Oorschot, A unified cryptographic protocol logic, NRL Publication, Naval Research Lab.
18. P. van Oorschot, Extending cryptographic logics of belief to key agreement protocols, In Proc. of the ACM Conference on Computer Communications Security.
19. P. van Oorschot and M. Wiener, On the Diffie-Hellman key agreement with short exponents, EUROCRYPT 96, LNCS 1070, 1996.
More informationAn improved pairing-free identity-based authenticated key agreement protocol based on ECC
Available online at www.sciencedirect.com Procedia Engineering 30 (2012) 499 507 International Conference on Communication Technology and System Design 2011 An improved pairing-free identity-based authenticated
More informationAn Enhanced Certificateless Authenticated Key Agreement Protocol
An Enhanced Certificateless Authenticated Key Agreement Protocol Razieh Mokhtarnameh, Sin Ban Ho, Nithiapidary Muthuvelu Faculty of Information Technology, Multimedia University, 63100, Cyberjaya, Malaysia
More informationModelling the Security of Key Exchange
Modelling the Security of Key Exchange Colin Boyd including joint work with Janaka Alawatugoda, Juan Gonzalez Nieto Department of Telematics, NTNU Workshop on Tools and Techniques for Security Analysis
More informationCryptographic Systems
CPSC 426/526 Cryptographic Systems Ennan Zhai Computer Science Department Yale University Recall: Lec-10 In lec-10, we learned: - Consistency models - Two-phase commit - Consensus - Paxos Lecture Roadmap
More informationICS 180 May 4th, Guest Lecturer: Einar Mykletun
ICS 180 May 4th, 2004 Guest Lecturer: Einar Mykletun 1 Symmetric Key Crypto 2 Symmetric Key Two users who wish to communicate share a secret key Properties High encryption speed Limited applications: encryption
More informationMessage authentication
Message authentication -- Reminder on hash unctions -- MAC unctions hash based block cipher based -- Digital signatures (c) Levente Buttyán (buttyan@crysys.hu) Hash unctions a hash unction is a unction
More informationREMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM
REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM Zhaohui Cheng, Richard Comley Luminita Vasiu School of Computing Science, Middlesex University White Hart Lane, London N17 8HR, United Kingdom
More informationComputer Security 3e. Dieter Gollmann. Chapter 15: 1
Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 15: 1 Chapter 15: Key Establishment Chapter 15: 2 Introduction Crypto transforms (communications) security problems into key
More informationAuthenticated Key Agreement Without Using One-way Hash Functions Based on The Elliptic Curve Discrete Logarithm Problem
Authenticated Key Agreement Without Using One-way Hash Functions Based on The Elliptic Curve Discrete Logarithm Problem Li-Chin Huang and Min-Shiang Hwang 1 Department of Computer Science and Engineering,
More informationPassword-based authentication and key distribution protocols with perfect forward secrecy
Journal of Computer and System Sciences 72 (2006) 1002 1011 www.elsevier.com/locate/jcss Password-based authentication and key distribution protocols with perfect forward secrecy Hung-Min Sun a,, Her-Tyan
More informationVerification of Security Protocols
Verification of Security Protocols Chapter 12: The JFK Protocol and an Analysis in Applied Pi Christian Haack June 16, 2008 Exam When? Monday, 30/06, 14:00. Where? TUE, Matrix 1.44. Scheduled for 3 hours,
More informationLecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena
Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall 2009 Nitesh Saxena *Adopted from a previous lecture by Gene Tsudik Course Admin HW3 Problem 3 due Friday midnight
More informationThis is an author produced version of Security Analysis of Integrated Diffie-Hellman Digital Signature Algorithm Protocols.
This is an author produced version of Security nalysis of Integrated Diffie-Hellman Digital Signature lgorithm Protocols. White Rose Research Online URL for this paper: http://eprints.whiterose.ac.uk/119028/
More informationLecture 2 Applied Cryptography (Part 2)
Lecture 2 Applied Cryptography (Part 2) Patrick P. C. Lee Tsinghua Summer Course 2010 2-1 Roadmap Number theory Public key cryptography RSA Diffie-Hellman DSA Certificates Tsinghua Summer Course 2010 2-2
More informationPassword Authenticated Key Exchange by Juggling
A key exchange protocol without PKI Feng Hao Centre for Computational Science University College London Security Protocols Workshop 08 Outline 1 Introduction 2 Related work 3 Our Solution 4 Evaluation
More informationGroup Key Establishment Protocols
Group Key Establishment Protocols Ruxandra F. Olimid EBSIS Summer School on Distributed Event Based Systems and Related Topics 2016 July 14, 2016 Sinaia, Romania Outline 1. Context and Motivation 2. Classifications
More informationBilateral Unknown Key-Share Attacks in Key Agreement Protocols
Bilateral Unknown Key-Share Attacks in Key Agreement Protocols Liqun Chen Hewlett-Packard Laboratories Filton Road, Bristol BS34 8QZ, UK liqun.chen@hp.com Qiang Tang Département d Informatique, École Normale
More informationOn the Difficulty of Protecting Private Keys in Software Environments
On the Difficulty of Protecting Private Keys in Software Environments Taekyoung Kwon Sejong University, Seoul 143-747, Korea tkwon@sejong.ac.kr Abstract. This paper makes simple observation on security
More informationPublic Key Cryptography
Public Key Cryptography Giuseppe F. Italiano Universita` di Roma Tor Vergata italiano@disp.uniroma2.it Motivation Until early 70s, cryptography was mostly owned by government and military Symmetric cryptography
More informationAuthentication in Distributed Systems
Authentication in Distributed Systems Introduction Crypto transforms (communications) security problems into key management problems. To use encryption, digital signatures, or MACs, the parties involved
More informationPassword. authentication through passwords
Password authentication through passwords Human beings Short keys; possibly used to generate longer keys Dictionary attack: adversary tries more common keys (easy with a large set of users) Trojan horse
More informationUnderstanding Cryptography by Christof Paar and Jan Pelzl. Chapter 9 Elliptic Curve Cryptography
Understanding Cryptography by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 9 Elliptic Curve Cryptography ver. February 2nd, 2015 These slides were prepared by Tim Güneysu, Christof Paar
More informationGrenzen der Kryptographie
Microsoft Research Grenzen der Kryptographie Dieter Gollmann Microsoft Research 1 Summary Crypto does not solve security problems Crypto transforms security problems Typically, the new problems relate
More informationPublic-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7
Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:
More informationAuthentication Part IV NOTE: Part IV includes all of Part III!
Authentication Part IV NOTE: Part IV includes all of Part III! ECE 3894 Hardware-Oriented Security and Trust Spring 2018 Assoc. Prof. Vincent John Mooney III Georgia Institute of Technology NOTE: THE FOLLOWING
More informationCryptographic protocols
Cryptographic protocols Lecture 3: Zero-knowledge protocols for identification 6/16/03 (c) Jussipekka Leiwo www.ialan.com Overview of ZK Asymmetric identification techniques that do not rely on digital
More informationCrypto Background & Concepts SGX Software Attestation
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 4b Slide deck extracted from Kamran s tutorial on SGX, presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course
More informationPAijpam.eu A STUDY ON DIFFIE-HELLMAN KEY EXCHANGE PROTOCOLS Manoj Ranjan Mishra 1, Jayaprakash Kar 2
International Journal of Pure and Applied Mathematics Volume 114 No. 2 2017, 179-189 ISSN: 1311-8080 (printed version); ISSN: 1314-3395 (on-line version) url: http://www.ijpam.eu doi: 10.12732/ijpam.v114i2.2
More informationOn the Security of an Efficient Group Key Agreement Scheme for MANETs
On the Security of an Efficient Group Key Agreement Scheme for MANETs Purushothama B R 1,, Nishat Koti Department of Computer Science and Engineering National Institute of Technology Goa Farmagudi, Ponda-403401,
More informationChapter 9: Key Management
Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange
More informationHow to Break and Repair Leighton and Micali s Key Agreement Protocol
How to Break and Repair Leighton and Micali s Key Agreement Protocol Yuliang Zheng Department of Computer Science, University of Wollongong Wollongong, NSW 2522, AUSTRALIA yuliang@cs.uow.edu.au Abstract.
More informationSecurity of the Lin-Lai smart card based user authentication scheme
Security of the Lin-Lai smart card based user authentication scheme Chris J. Mitchell and Qiang Tang Technical Report RHUL MA 2005 1 27 January 2005 Royal Holloway University of London Department of Mathematics
More informationCryptographic Checksums
Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits (where k n). k is smaller then n except in unusual circumstances Example: ASCII parity bit ASCII has 7 bits;
More informationECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos
ECE596C: Handout #9 Authentication Using Shared Secrets Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we introduce the concept of authentication and
More informationCryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology
Cryptography & Key Exchange Protocols Faculty of Computer Science & Engineering HCMC University of Technology Outline 1 Cryptography-related concepts 2 3 4 5 6 7 Key channel for symmetric cryptosystems
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 9 March 30, 2011 Question 1 Another Use for Hash Functions (8 min) The traditional Unix system for password authentication works more or less like
More informationOverview. Public Key Algorithms I
Public Key Algorithms I Dr. Arjan Durresi Louisiana State University Baton Rouge, LA 70810 Durresi@csc.lsu.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc4601-04/ Louisiana State
More information