Leakage-Resilient Authenticated Key Establishment Protocols

A Simple Leakage-Resilient Authenticated Key Establishment Protocol, Its Extensions, and Applications

IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 2005

Authenticated Key Establishment (AKE) protocols enable two entities, say a client (or a user) and a server, to share common session keys in an authentic way. In this paper, we review the previous AKE protocols, all of which turn out to be insecure, under the following realistic assumptions: (1) High-entropy secrets that should be stored on devices may leak out due to accidents such as bugs or mis-configurations of the system; (2) The size of a human-memorable secret, i.e. password, is short enough to memorize, but large enough to avoid on-line exhaustive search;

Security of a leakage-resilient protocol for key establishment and mutual authentication

2007

We revisit Shin et al.'s leakage-resilient password-based authenticated key establishment protocol (LR-AKEP) and the security model used to prove the security of LR-AKEP. By refining the Leak oracle in the security model, we show that LR-AKE (1) can, in fact, achieve a stronger notion of leakage-resilience than initially claimed and (2) also achieve an additional feature of traceability, not previously mentioned.

A note on leakage-resilient authenticated key exchange

IEEE Transactions on Wireless Communications, 2000

Fathi et al. recently proposed a leakage-resilient authenticated key exchange protocol for a server-client model in a mobility environment over wireless links. In this paper, we address flaws in a hash function used in the protocol. The direct use of the hash function cannot guarantee the security of the protocol. We also point out that a combination of the hash function and the RSA cryptosystem in the protocol may not work securely. To remedy these problems, we improve upon the protocol by modifying the hash function correctly.

Strongly Leakage-Resilient Authenticated Key Exchange

Lecture Notes in Computer Science, 2016

Authenticated Key Exchange (AKE) protocols have been widely deployed in many real-world applications for securing communication channels. In this paper, we make the following contributions. First, we revisit the security modelling of leakage-resilient AKE protocols, and show that the existing models either impose some unnatural restrictions or do not sufficiently capture leakage attacks in reality. We then introduce a new strong yet meaningful security model, named challenge-dependent leakage-resilient eCK (CLR-eCK) model, to capture challenge-dependent leakage attacks on both long-term secret key and ephemeral secret key (i.e., randomness). Second, we propose a general framework for constructing one-round CLR-eCK-secure AKE protocols based on smooth projective hash functions (SPHFs). This framework ensures the session key is private and authentic even if the adversary learns a large fraction of both long-term secret key and ephemeral secret key, and hence provides stronger security guarantee than existing AKE protocols which become insecure if the adversary can perform leakage attacks during the execution of a session. Finally, we also present a practical instantiation of the general framework based on the Decisional Diffie-Hellman assumption without random oracle. Our result shows that the instantiation is efficient in terms of the communication and computation overhead and captures more general leakage attacks.

An Efficient and Leakage-Resilient RSA-Based Authenticated Key Exchange Protocol with Tight Security Reduction

IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 2007

Both mutual authentication and generation of session keys can be accomplished by an authenticated key exchange (AKE) protocol. Let us consider the following situation: (1) a client, who communicates with many different servers, remembers only one password and has insecure devices (e.g., mobile phones or PDAs) with very restricted computing power and built-in memory capacity; (2) the counterpart servers have enormous computing power, but they are not perfectly secure against various attacks (e.g., viruses or hackers); (3) neither PKI (Public Key Infrastructures) nor TRM (Tamper-Resistant Modules) is available. The main goal of this paper is to provide security against the leakage of stored secrets as well as to attain high efficiency on the client's side. For those, we propose an efficient and leakage-resilient RSA-based AKE (RSA-AKE) protocol suitable for the above situation whose authenticity is based on a password and another secret. In the extended model where an adversary is given access to the stored secret of the client, we prove that the security of the RSA-AKE protocol is reduced tightly to the RSA one-wayness in the random oracle model. We also show that the RSA-AKE protocol guarantees several security properties (e.g., security of the password, a multiple-server scenario with only one password, perfect forward secrecy and anonymity). To the best of our knowledge, the RSA-AKE protocol is the most efficient, in terms of both computation costs of the client and communication costs, over the previous AKE protocols of their kind (using a password and RSA).

Key words: authenticated key exchange, passwords, on-line and off-line dictionary attacks, RSA, leakage of stored secrets, efficiency, perfect forward secrecy

A Leakage-resilient ID-based Authenticated Key Exchange Protocol with a Revocation Mechanism

IEEE Access

Establishing a session key (SSK) is very important for real-world deployment in open networks, which enables secure communication between remote parties. In the past, some authenticated key exchange (AKE) protocols have been proposed to generate an SSK, but the certificate management issue is inherent in the traditional public key infrastructure and must be addressed. To tackle this issue, the identity (ID)-based concept is added to AKE, called ID-AKE. Indeed, the security of the existing AKE/ID-AKE protocols is gaining increasing importance due to some new types of attacks, namely, side-channel attacks. In such attacks, adversaries could obtain secret keys' partial information during the execution of cryptographic protocols (including AKE/ID-AKE). To withstand such attacks, many leakage-resilient ID-AKE (LR-ID-AKE) protocols resisting side-channel attacks have been proposed. However, these existing LR-ID-AKE protocols have no efficient solution to revoke compromised users. In this article, the first LR-ID-AKE protocol with an efficient revocation mechanism, called LR-RID-AKE, is proposed. The proposed protocol is not only as secure as existing LR-ID-AKE protocols but also able to efficiently revoke compromised users from the system.

Index terms: leakage-resilient; authenticated key exchange; revocation; generic bilinear group

Weaknesses in a leakage-resilient authenticated key transport protocol

2005

In this paper we demonstrate the existence of a number of weaknesses in a leakage-resilient authenticated key transport protocol due to Shin, Kobara and Imai. The weaknesses imply that the protocol cannot achieve the security goals claimed by its designers. We also propose an enhanced protocol which is immune to some of these vulnerabilities.

Strongly leakage resilient authenticated key exchange, revisited

Designs, Codes and Cryptography, 2019

Authenticated Key Exchange (AKE) protocols allow two (or multiple) parties to authenticate each other and agree on a common secret key, which is essential for establishing a secure communication channel over a public network. AKE protocols form a central component in many network security standards such as IPSec, TLS/SSL, and SSH. However, it has been demonstrated that many standardized AKE protocols are vulnerable to side-channel and key leakage attacks. In order to defend against such attacks, leakage resilient (LR-) AKE protocols have been proposed in the literature. Nevertheless, most of the existing LR-AKE protocols only focused on the resistance to long-term key leakage, while in reality leakage of ephemeral secret key (or randomness) can also occur due to various reasons such as the use of poor randomness sources or insecure pseudo-random number generators (PRNGs). In this paper, we revisit the strongly leakage resilient AKE protocol (CT-RSA'16) that aimed to resist challenge-dependent leakage on both long-term and ephemeral secret keys. We show that there is a security issue in the design of the protocol and propose an improved version that can fix the problem. In addition, we extend the protocol to a more general framework that can be efficiently instantiated under various assumptions, including hybrid instantiations that can resist key leakage attacks while preserving session key security against future quantum machines.

Leakage Resilient Authenticated Key Exchange Secure in the Auxiliary Input Model

Lecture Notes in Computer Science, 2013

Authenticated key exchange (AKE) protocols allow two parties communicating over an insecure network to establish a common secret key. They are among the most widely used cryptographic protocols in practice. In order to resist key-leakage attacks, several leakage resilient AKE protocols have been proposed recently in the bounded leakage model. In this paper, we initiate the study on leakage resilient AKE in the auxiliary input model. A promising way to construct such a protocol is to use a digital signature scheme that is entropically unforgeable under chosen message and auxiliary input attacks. However, to date we are not aware of any digital signature scheme that can satisfy this requirement. On the other hand, we show that in the random oracle model, it is sufficient to use a digital signature scheme that is secure under random message and auxiliary input attacks in order to build a secure AKE protocol in the auxiliary input model, while the existence of such a digital signature scheme has already been proven. We will also give a comparison between the existing public-key encryption based and digital signature based leakage resilient AKE protocols. We show that the latter can provide a higher level of security than the former.

Leakage resilient eCK-secure key exchange protocol without random oracles

Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, 2011

This paper presents the first formalization of partial key leakage security of a two-pass two-party authenticated key exchange (AKE) protocol in the extended Canetti-Krawczyk (eCK) security model. Our formalization, λ-leakage resilient eCK security, is a (stronger) generalization of the eCK security model enhanced by the notion of λ-leakage resilient security recently introduced by Akavia, Goldwasser and Vaikuntanathan. We present a PKI-based two-pass key exchange protocol with a Hash Proof System (HPS) that is λ-leakage resilient eCK secure without random oracles.