Formally and Practically Relating the CK, CK-HMQV, and eCK Security Models for Authenticated Key Exchange
نویسنده
چکیده
Many recent protocols for Authenticated Key Exchange have been proven correct in the CK, CK-HMQV, or eCK security models. The exact relation between the security models, and hence between the security guarantees provided by the protocols, is unclear. We show that the CK, CK-HMQV, and eCK security models are formally incomparable for a number of reasons. Second, we show that these models are also practically incomparable, by providing for each model attacks on existing protocols that are not considered by the other models. Our analysis exposes many subtleties of these models, some of which can even be generalized to reveal shortcomings in security proofs in related AKE security models.
منابع مشابه
Session-StateReveal is stronger than eCKs EphemeralKeyReveal: using automatic analysis to attack the NAXOS protocol
In the paper “Stronger Security of Authenticated Key Exchange” [11, 12], a new security model for authenticated key exchange protocols (eCK) is proposed. The new model is suggested to be at least as strong as previous models for key exchange protocols, such as the CK model [5, 10]. The model includes a new notion of an EphemeralKeyReveal adversary query, which is claimed in e. g. [11, 17, 18] t...
متن کاملAuthenticated Key Agreement Protocols: Security Models, Analyses, and Designs. (Protocoles d'échanges de clefs authentifiés : modèles de sécurité, analyses et constructions)
An impressive ratio of the previously proposed key agreement protocols turn outto be insecure when regarded with respect to recent security models. The Canetti–Krawczyk(CK) and extended Canetti–Krawczyk (eCK) security models, are widely used to provide secu-rity arguments for key agreement protocols. We point out security shades in the (e)CK models,and some practical attacks unc...
متن کاملStrongly Secure Authenticated Key Exchange from Factoring, Codes, and Lattices
An unresolved problem in research on authenticated key exchange (AKE) is to construct a secure protocol against advanced attacks such as key compromise impersonation and maximal exposure attacks without relying on random oracles. HMQV, a state of the art AKE protocol, achieves both efficiency and the strong security model proposed by Krawczyk (we call it the CK model), which includes resistance...
متن کاملSession-state Reveal Is Stronger Than Ephemeral Key Reveal: Attacking the NAXOS Authenticated Key Exchange Protocol
In the paper “Stronger Security of Authenticated Key Exchange” [1,2], a new security model for authenticated key exchange protocols (eCK) is proposed. The new model is suggested to be at least as strong as previous models for key exchange protocols. The model includes a new notion of an Ephemeral Key Reveal adversary query, which is claimed in e. g. [2–4] to be at least as strong as the Session...
متن کاملSession-state Reveal is stronger than Ephemeral Key Reveal: Attacking the NAXOS Authenticated Key Exchange protocol (extended version)
In the paper “Stronger Security of Authenticated Key Exchange” [1,2], a new security model for authenticated key exchange protocols (eCK) is proposed. The new model is suggested to be at least as strong as previous models for key exchange protocols. The model includes a new notion of an Ephemeral Key Reveal adversary query, which is claimed in e. g. [2–4] to be at least as strong as the Session...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2009 شماره
صفحات -
تاریخ انتشار 2009