Results 1  10
of
53
Entity Authentication and Key Distribution
, 1993
"... Entity authentication and key distribution are central cryptographic problems in distributed computing  but up until now, they have lacked even a meaningful definition. One consequence is that incorrect and inefficient protocols have proliferated. This paper provides the first treatment of these p ..."
Abstract

Cited by 580 (13 self)
 Add to MetaCart
Entity authentication and key distribution are central cryptographic problems in distributed computing  but up until now, they have lacked even a meaningful definition. One consequence is that incorrect and inefficient protocols have proliferated. This paper provides the first treatment of these problems in the complexitytheoretic framework of modern cryptography. Addressed in detail are two problems of the symmetric, twoparty setting: mutual authentication and authenticated key exchange. For each we present a definition, protocol, and proof that the protocol meets its goal, assuming the (minimal) assumption of pseudorandom function. When this assumption is appropriately instantiated, the protocols given are practical and efficient.
Analysis of keyexchange protocols and their use for building secure channels
, 2001
"... Abstract. We present a formalism for the analysis of keyexchange protocols that combines previous definitional approaches and results in a definition of security that enjoys some important analytical benefits: (i) any keyexchange protocol that satisfies the security definition can be composed with ..."
Abstract

Cited by 328 (21 self)
 Add to MetaCart
(Show Context)
Abstract. We present a formalism for the analysis of keyexchange protocols that combines previous definitional approaches and results in a definition of security that enjoys some important analytical benefits: (i) any keyexchange protocol that satisfies the security definition can be composed with symmetric encryption and authentication functions to provide provably secure communication channels (as defined here); and (ii) the definition allows for simple modular proofs of security: one can design and prove security of keyexchange protocols in an idealized model where the communication links are perfectly authenticated, and then translate them using general tools to obtain security in the realistic setting of adversarycontrolled links. We exemplify the usability of our results by applying them to obtain the proof of two classes of keyexchange protocols, DiffieHellman and keytransport, authenticated via symmetric or asymmetric techniques. 1
A modular approach to the design and analysis of authentication and key exchange protocols
, 1998
"... We present a general framework for constructing and analyzing authentication protocols in realistic models of communication networks. This framework provides a sound formalization for the authentication problem and suggests simple and attractive design principles for general authentication and key e ..."
Abstract

Cited by 251 (18 self)
 Add to MetaCart
We present a general framework for constructing and analyzing authentication protocols in realistic models of communication networks. This framework provides a sound formalization for the authentication problem and suggests simple and attractive design principles for general authentication and key exchange protocols. The key element in our approach is a modular treatment of the authentication problem in cryptographic protocols; this applies to the definition of security, to the design of the protocols, and to their analysis. In particular, following this modular approach, we show how to systematically transform solutions that work in a model of idealized authenticated communications into solutions that are secure in the realistic setting of communication channels controlled by an active adversary. Using these principles we construct and prove the security of simple and practical authentication and keyexchange protocols. In particular, we provide a security analysis of some wellknown key exchange protocols (e.g. authenticated DiffieHellman key exchange), and of some of the techniques underlying the design of several authentication protocols that are currently being
The Security of Cipher Block Chaining
, 1994
"... The Cipher Block Chaining  Message Authentication Code (CBC MAC) specifies that a message x = x 1 \Delta \Delta \Delta xm be authenticated among parties who share a secret key a by tagging x with a prefix of f (m) a (x) def = f a (f a (\Delta \Delta \Delta f a (f a (x 1 )\Phix 2 )\Phi \Delta ..."
Abstract

Cited by 179 (29 self)
 Add to MetaCart
The Cipher Block Chaining  Message Authentication Code (CBC MAC) specifies that a message x = x 1 \Delta \Delta \Delta xm be authenticated among parties who share a secret key a by tagging x with a prefix of f (m) a (x) def = f a (f a (\Delta \Delta \Delta f a (f a (x 1 )\Phix 2 )\Phi \Delta \Delta \Delta \Phix m\Gamma1 )\Phix m ) ; where f is some underlying block cipher (eg. f = DES). This method is a pervasively used international and U.S. standard. We provide its first formal justification, showing the following general lemma: that cipher block chaining a pseudorandom function gives a pseudorandom function. Underlying our results is a technical lemma of independent interest, bounding the success probability of a computationally unbounded adversary in distinguishing between a random mlbit to lbit function and the CBC MAC of a random lbit to lbit function. Advanced Networking Laboratory, IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, NY 10598, USA. em...
Key Agreement Protocols and their Security Analysis
, 1997
"... This paper proposes new protocols for two goals: authenticated key agreement and authenticated key agreement with key confirmation in the asymmetric (publickey) setting. A formal ..."
Abstract

Cited by 164 (6 self)
 Add to MetaCart
This paper proposes new protocols for two goals: authenticated key agreement and authenticated key agreement with key confirmation in the asymmetric (publickey) setting. A formal
Scalable Protocols for Authenticated Group Key Exchange
 Advances in Cryptology — Crypto 2003, LNCS
"... We consider the problem of authenticated group key exchange among n parties communicating over an insecure public network. A number of solutions to this problem have been proposed; however, all prior provablysecure solutions do not scale well and, in particular, require O(n) rounds. Our main contri ..."
Abstract

Cited by 129 (2 self)
 Add to MetaCart
(Show Context)
We consider the problem of authenticated group key exchange among n parties communicating over an insecure public network. A number of solutions to this problem have been proposed; however, all prior provablysecure solutions do not scale well and, in particular, require O(n) rounds. Our main contribution is the first scalable protocol for this problem along with a rigorous proof of security in the standard model under the DDH assumption; our protocol uses a constant number of rounds and requires only O(1) “full ” modular exponentiations per user. Toward this goal (and adapting work of Bellare, Canetti, and Krawczyk), we first present an efficient compiler that transforms any group keyexchange protocol secure against a passive eavesdropper to an authenticated protocol which is secure against an active adversary who controls all communication in the network. This compiler adds only one round and O(1) communication (per user) to the original scheme. We then prove secure — against a passive adversary — a variant of the tworound group keyexchange protocol of Burmester and Desmedt. Applying our compiler to this protocol results in a provablysecure threeround protocol for authenticated group key exchange which also achieves forward secrecy. 1
Universally Composable Notions of Key Exchange and Secure Channels
, 2002
"... Abstract. Recently, Canetti and Krawczyk (Eurocrypt’2001) formulated a notion of security for keyexchange (ke) protocols, called SKsecurity, and showed that this notion suffices for constructing secure channels. However, their model and proofs do not suffice for proving more general composability p ..."
Abstract

Cited by 127 (12 self)
 Add to MetaCart
Abstract. Recently, Canetti and Krawczyk (Eurocrypt’2001) formulated a notion of security for keyexchange (ke) protocols, called SKsecurity, and showed that this notion suffices for constructing secure channels. However, their model and proofs do not suffice for proving more general composability properties of SKsecure ke protocols. We show that while the notion of SKsecurity is strictly weaker than a fullyidealized notion of key exchange security, it is sufficiently robust for providing secure composition with arbitrary protocols. In particular, SKsecurity guarantees the security of the key for any application that desires to setup secret keys between pairs of parties. We also provide new definitions of securechannels protocols with similarly strong composability properties, and show that SKsecurity suffices for obtaining these definitions. To obtain these results we use the recently proposed framework of “universally composable (UC) security. ” We also use a new tool, called “noninformation oracles, ” which will probably find applications beyond the present case. These tools allow us to bridge between seemingly limited indistinguishabilitybased definitions such as SKsecurity and more powerful, simulationbased definitions, such as UC security, where general composition theorems can be proven. Furthermore, based on such composition theorems we reduce the analysis of a fullfledged multisession keyexchange protocol to the (simpler) analysis of individual, standalone, keyexchange sessions.
Some New Attacks upon Security Protocols
 In: 9th Computer Security Foundations Workshop. IEEE Computer
, 1996
"... ..."
(Show Context)
On Formal Models for Secure Key Exchange
, 1999
"... A new formal security model for session key exchange protocols in the public key setting is proposed, and several efficient protocols are analyzed in this model. The relationship between this new model and previously proposed models is explored, and several interesting, subtle distinctions between s ..."
Abstract

Cited by 89 (2 self)
 Add to MetaCart
A new formal security model for session key exchange protocols in the public key setting is proposed, and several efficient protocols are analyzed in this model. The relationship between this new model and previously proposed models is explored, and several interesting, subtle distinctions between static and adaptive adversaries are explored. We also give a brief account of anonymous users.