On the Security of the (F)HMQV Protocol
Abstract
The HMQV protocol is under consideration for IEEE P1363 standardization. We provide a complementary analysis of the HMQV protocol. Namely, we point out a Key Compromise Impersonation (KCI) attack showing that the two- and three-pass HMQV protocols cannot achieve their security goals. Next, we revisit the FHMQV building blocks, design and security arguments; we clarify the security and efficiency separation between HMQV and FHMQV, showing the advantages of FHMQV over HMQV.
Similar resources
Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS
LaMacchia, Lauter and Mityagin recently presented a strong security definition for authenticated key agreement strengthening the well-known Canetti-Krawczyk definition. They also described a protocol, called NAXOS, that enjoys a simple security proof in the new model. Compared to MQV and HMQV, NAXOS is less efficient and cannot be readily modified to obtain a one-pass protocol. On the other han...
HMQV in IEEE P1363
This contribution contains a proposal for including HMQV as a key agreement primitive in IEEE P1363. It includes an informal description of the protocol and a discussion of its security and performance properties (in particular as they compare to MQV), as well as a detailed formal specification for inclusion in the coming revision of the P1363 standard. The HMQV primitive is a variant of the M...
Another look at HMQV
The HMQV protocols are ‘hashed variants’ of the MQV key agreement protocols. They were introduced at CRYPTO 2005 by Krawczyk, who claimed that the HMQV protocols have very significant advantages over their MQV counterparts: (i) security proofs under reasonable assumptions in the (extended) Canetti-Krawczyk model for key exchange; and (ii) superior performance in some situations. In this paper w...
An Efficient Authenticated Key Exchange Protocol with a Tight Security Reduction
In this paper, we present a new authenticated key exchange (AKE) protocol, called NETS, and prove its security in the extended Canetti-Krawczyk model under the random oracle assumption and the gap Diffie-Hellman (GDH) assumption. Our protocol enjoys a simple and tight security reduction compared to those of HMQV and CMQV without using the Forking Lemma. Each session of the NETS protocol requires ...
On the Importance of Public-Key Validation in the MQV and HMQV Key Agreement Protocols
HMQV is a hashed variant of the MQV key agreement protocol proposed by Krawczyk at CRYPTO 2005. In this paper, we present some attacks on HMQV and MQV that are successful if public keys are not properly validated. In particular, we present an attack on the two-pass HMQV protocol that does not require knowledge of the victim’s ephemeral private keys. The attacks illustrate the importance of perfo...