Session-state Reveal Is Stronger Than Ephemeral Key Reveal: Attacking the NAXOS Authenticated Key Exchange Protocol
نویسنده
چکیده
In the paper “Stronger Security of Authenticated Key Exchange” [1,2], a new security model for authenticated key exchange protocols (eCK) is proposed. The new model is suggested to be at least as strong as previous models for key exchange protocols. The model includes a new notion of an Ephemeral Key Reveal adversary query, which is claimed in e. g. [2–4] to be at least as strong as the Session-state Reveal query. We show that Session-state Reveal is stronger than Ephemeral Key Reveal, implying that the eCK security model is incomparable to the CK model [5, 6]. In particular we show that the proposed NAXOS protocol from [1, 2] does not meet its security requirements if the Session-state Reveal query is allowed in the eCK model. We discuss the implications of our result for some related protocols proven correct in the eCK model, and discuss the interaction between Session-state Reveal and protocol transformations.
منابع مشابه
Session-state Reveal is stronger than Ephemeral Key Reveal: Attacking the NAXOS Authenticated Key Exchange protocol (extended version)
In the paper “Stronger Security of Authenticated Key Exchange” [1,2], a new security model for authenticated key exchange protocols (eCK) is proposed. The new model is suggested to be at least as strong as previous models for key exchange protocols. The model includes a new notion of an Ephemeral Key Reveal adversary query, which is claimed in e. g. [2–4] to be at least as strong as the Session...
متن کاملTightly-Secure Authenticated Key Exchange without NAXOS' approach based on Decision Linear Problem
Design secure Authenticated Key Exchange (AKE) protocol without NAXOS approach is remaining as an open problem. NAXOS approach [4] is used to hide the secret ephemeral key from an adversary even if the adversary in somehow may obtain the ephemeral secret key. Using NAXOS approach will cause two main drawbacks, (i) leaking of the static secret key which will be used in computing the exponent of ...
متن کاملAdaptively-Secure Authenticated Key Exchange Protocol in Standard Model
Design a Secure Authenticated Key Exchange (AKE) protocol is a wide research area. Many works have been done in this field and remain few open problems. Design an AKE-secure without NAXOS approach is remaining as an open problem. NAXOS approach [18] is used to hide the ephemeral secret key from an adversary even if the adversary in somehow may obtain the ephemeral secret key. Using NAXOS approa...
متن کاملBeyond eCK: Perfect Forward Secrecy under Actor Compromise and Ephemeral-Key Reveal
We show that it is possible to achieve perfect forward secrecy in two-message key exchange (KE) protocols that satisfy even stronger security properties than provided by the extended Canetti-Krawczyk (eCK) security model. In particular, we consider perfect forward secrecy in the presence of adversaries that can reveal the long-term secret keys of the actor of a session and reveal ephemeral secr...
متن کاملSession-StateReveal is stronger than eCKs EphemeralKeyReveal: using automatic analysis to attack the NAXOS protocol
In the paper “Stronger Security of Authenticated Key Exchange” [11, 12], a new security model for authenticated key exchange protocols (eCK) is proposed. The new model is suggested to be at least as strong as previous models for key exchange protocols, such as the CK model [5, 10]. The model includes a new notion of an EphemeralKeyReveal adversary query, which is claimed in e. g. [11, 17, 18] t...
متن کامل