Another look at HMQV

Author

  • Alfred Menezes
Abstract

The HMQV protocols are ‘hashed variants’ of the MQV key agreement protocols. They were introduced at CRYPTO 2005 by Krawczyk, who claimed that the HMQV protocols have very significant advantages over their MQV counterparts: (i) security proofs under reasonable assumptions in the (extended) Canetti-Krawczyk model for key exchange; and (ii) superior performance in some situations. In this paper we demonstrate that the HMQV protocols are insecure by presenting realistic attacks in the Canetti-Krawczyk model that recover a victim’s static private key. We propose HMQV-1, patched versions of the HMQV protocols that resist our attacks (but do not have any performance advantages over MQV). We also identify some fallacies in the security proofs for HMQV, critique the security model, and raise some questions about the assurances that proofs in this model can provide.

Similar resources

A Reflection on the Security of Two-Party Key Establishment Protocols

Two-party key establishment has been a very fruitful research area in cryptography, with many security models and numerous protocols proposed. In this paper, we take another look at the YAK protocol and the HMQV protocols and present some extended analysis. Motivated by our analysis, we reflect on the security properties that are desired by two-party key establishment protocols, and their forma...

On the Security of the (F)HMQV Protocol

The HMQV protocol is under consideration for IEEE P1363 standardization. We provide a complementary analysis of the HMQV protocol. Namely, we point a Key Compromise Impersonation (KCI) attack showing that the two and three pass HMQV protocols cannot achieve their security goals. Next, we revisit the FHMQV building blocks, design and security arguments; we clarify the security and efficiency sep...

On the Importance of Public-Key Validation in the MQV and HMQV Key Agreement Protocols

HMQV is a hashed variant of the MQV key agreement protocol proposed by Krawczyk at CRYPTO 2005. In this paper, we present some attacks on HMQV and MQV that are successful if public keys are not properly validated. In particular, we present an attack on the two-pass HMQV protocol that does not require knowledge of the victim’s ephemeral private keys. The attacks illustrate the importance of perfo...

Another Look at the Hypocrisy of Chaucer’s Pardoner

For us, readers of Chaucer living in an age when appeal to religious passions and sentiments as a means for the realization of worldly objectives by some charlatans has grown significantly, reviewing the theme of religious hypocrisy treated in The Canterbury Tales can be useful in a way that it proves a helpful means for recognizing and dealing with the hypocrites. The Pardoner of the Tales is ...

Formally and Practically Relating the CK, CK-HMQV, and eCK Security Models for Authenticated Key Exchange

Many recent protocols for Authenticated Key Exchange have been proven correct in the CK, CK-HMQV, or eCK security models. The exact relation between the security models, and hence between the security guarantees provided by the protocols, is unclear. We show that the CK, CK-HMQV, and eCK security models are formally incomparable for a number of reasons. Second, we show that these models are als...

Journal title:
  • IACR Cryptology ePrint Archive

Volume 2005  Issue 

Pages  -

Publication date 2005