S. Blake-Wilson, D. Johnson and A. Menezes. "Key agreement protocols and their security analysis". Cryptography and Coding, Lecture Notes in Computer Science 1355, pp. 30-45, 1997.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....authority. We also shed light on other aspects of the problem, including subtle differences between security against static adversaries and adaptive adversaries, and connections between this security model, and the previously proposed security model of Bellare and Rogaway [6] see also [8, 9]) We also give a brief account of anonymous users. In many situations, one of the two users in a key exchange protocol may not have a certificate. This can happen, for example, in SSL and SSH. Typically, the anonymous user can authenticate himself to the other with the session itself by means of ....

....for authenticated key exchange protocols, again in the symmetric key cryptography setting, where there is an on line key distribution center. Their model captured the types of attacks discussed in [7] Their formal models were subsequently adapted to the public key setting by Blake Wilson, et al. [8, 9]. The definitions of security here seem fairly compelling, but yet, they seem a bit ad hoc and it is not clear what implications these definitions have for higher level protocols that use the session keys. The station to station protocol was introduced in the classic paper of Diffie, et al. ....

[Article contains additional citation context not shown here]

S. Blake-Wilson, D. Johnson, and A. Menesez. Key agreement protocols and their security analysis. In Sixth IMA International Conference on Cryptography and Coding, 1997. On line version: cacr.math.uwaterloo.ca/~sblakewi.

....H(K) A; a; x B; b sB = b bg b ) mod q K = g s A s B g x K = g s A s B sA = x ag x ) mod q Fig. 7. Protocol 7 (One pass MQV) 5 AKC protocols This section discusses AKC protocols and describes a method to derive AKC protocols from AK protocols. The following three pass AKC protocol [13] is derived from the Unified Model AK protocol (Protocol 5) by adding the MACs of the flow number, identities, and the ephemeral public keys. Here, H 1 and H 2 are independent hash functions. In practice, one may choose H 1 (m) H(10; m) and H 2 (m) H(01; m) where H is a cryptographic hash ....

....under the assumption that a pseudorandom function family exists. They then extended the model to handle the three party (Kerberos) case [10] see also Shoup and Rubin [39] for an extension of this work to the smart card world. Blake Wilson and Menezes [14] and Blake Wilson, Johnson and Menezes [13] extended the Bellare Rogaway model to the asymmetric setting, and proposed and proved the security of some authenticated key transport, AK, and AKC protocols (see x7.1) More recently, Bellare, Canetti and Krawczyk [5] provided a systematic method for transforming authentication protocols that ....

[Article contains additional citation context not shown here]

S. Blake-Wilson, D. Johnson and A. Menezes, "Key agreement protocols and their security analysis", Proceedings of the sixth IMA International Conference on Cryptography and Coding, LNCS 1355, 1997, 30-45. A full version of this paper is available at http://www.cacr.math.uwaterloo.ca

....For an extensive survey on key establishment, see Chapter 12 of Menezes, van Oorschot and Vanstone [27] Extreme care must be exercised when separating key confirmation from implicit key authentication. If an AK protocol which does not offer key confirmation is used, then, as pointed out in [10], it is desirable that the agreed key be confirmed prior to cryptographic use. This can be done in a variety of ways. For example, if the key is to be subsequently used to achieve confidentiality, then encryption with the key can begin on some (carefully chosen) known data. Other systems may ....

....moves the burden of key confirmation from the establishment mechanism to the application. In this paper, we propose a new and efficient two pass AK protocol. The protocol is based on Diffie Hellman key agreement [14] and has many of the desirable security and performance attributes discussed in [10] (see x2) Two modifications of this protocol are also presented: a one pass AK protocol suitable for environments where only one entity is on line, and a three pass protocol in which key confirmation is additionally provided. The protocols described in this paper establish a shared secret K ....

[Article contains additional citation context not shown here]

S. Blake-Wilson, D. Johnson and A. Menezes, "Key agreement protocols and their security analysis", Proceedings of the sixth IMA International Conference on u Cryptography and Coding, Lecture Notes in Computer Science, 1355, Springer-Verlag, 1997, 30-45.

No context found.

S. Blake-Wilson, D. Johnson and A. Menezes. "Key agreement protocols and their security analysis". Cryptography and Coding, Lecture Notes in Computer Science 1355, pp. 30-45, 1997.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC