Authenticated Key Exchange

We study protocols for strong authentication and key exchange in asymmetric scenarios where the authentication server possesses ~a pair of private and public keys while the client has only a weak human-memorizable password as its authentication key. We present and analyze several simple password authentication protocols in this scenario, and show that the security of these protocols can be formally proven based on standard cryptographic assumptions. Remarkably, our analysis shows optimal resistance to off-line password guessing attacks under the choice of suitable public key encryption functions. In addition to user authentication, we describe ways to enhance these protocols to provide two-way authentication, authenticated key exchange, defense against server's compromise, and user anonymity. We complement these results with a proof that strongly indicates that public key techniques are unavoidable for password protocols that resist off-line guessing attacks.As a further contrib...

In the advanced universe of correspondence, each association whenever digitized and the data of the association is likewise on the web or digitized. In such a climate, we need to approve every single client coming for getting to the information or framework. The proposed work, targets giving the appropriate method of approving the client and sharing the information in the middle of the client. To give the better security level or the more protection framework, we proposed the idea of the twofold layer security utilizing the BIO-metric and Image Password. In the proposed work, the clients are enlisted utilizing the Bio-metric unique finger impression yet we have utilizing the idea of the SHA-512 for the detail of the finger impression, the hash code is produced on respect of the finger impression and the powerful concentrate is taken of the SHA hash to be essential for the approval cycle. The second period of the approval contains the determination of the unique pictures and afterward the segment of the powerful portions of the chose pictures, this choice interaction thusly brings about the development of the example. The example is contrasted and the base paper draws near and the outcome are viable when contrasted with the past techniques for the approval. Along with the verification, the utilized of the 4 keys, including the message grouping number, two private keys dependent on arbitrary numbers, picture determination based keys and the mix keys dependent on the SHA concentrate of the finger impression hash, are utilized for the approval of the data move measure, this further extra the security. The example which is produced during the time spent secure access, is then approved utilizing the different devices and results are more noteworthy in contrast with the past strategies. In the present universe of the data trade , we can believe just on the framework one which is safer, the different test outcomes shows that the proposed framework , has every one of those highlights and capacities one those are needed from the safe frameworks..

This version provides more efficient protocol than the preliminary version and includes a concrete analysis of efficiency with the previous results. We would like to thank Berkant Ustaoglu for invaluable comments on the preliminary version of this paper.

To reduce the damage of phishing and spyware attacks, banks, governments, and other security-sensitive industries are deploying one-time password systems, where users have many passwords and use each password only once. If a single password is compromised, it can be only be used to impersonate the user once, limiting the damage caused. However, existing practical approaches to one-time passwords have been susceptible to sophisticated phishing attacks. We give a formal security treatment of this important practical problem. We consider the use of onetime passwords in the context of password-authenticated key exchange (PAKE), which allows for mutual authentication, session key agreement, and resistance to phishing attacks. We describe a security model for the use of one-time passwords, explicitly considering the compromise of past (and future) one-time passwords, and show a general technique for building a secure one-time-PAKE protocol from any secure PAKE protocol. Our techniques also allow for the secure use of pseudorandomly generated and time-dependent passwords.

Let E : y 2 = x 3 +A(T )x+B(T ) be a nontrivial one-parameter family of elliptic curves over Q(T ), with A(T ), B(T ) ∈ Z(T ), and consider the Rosen and Silverman proved a conjecture of Nagao relating the first moment A 1,E (p) to the rank of the family over Q(T ), and Michel proved that if j(T ) is not constant then the second moment is equal to A 2,E (p) = p 2 + O(p 3/2 ). Cohomological arguments show that the lower order terms are of sizes p 3/2 , p, p 1/2 , and 1. In every case we are able to analyze in closed form, the largest lower order term in the second moment expansion that does not average to zero is on average negative, though numerics suggest this may fail for families of moderate rank. We prove this Bias Conjecture for several large classes of families, including families with rank, complex multiplication, and constant j(T )-invariant. We also study the analogous Bias Conjecture for families of Dirichlet characters, holomorphic forms on GL(2)/Q, and their symmetric powers and Rankin-Selberg convolutions. We identify all lower order terms in large classes of families, shedding light on the arithmetic objects controlling these terms. The negative bias in these lower order terms has implications toward the excess rank conjecture and the behavior of zeros near the central point in families of L-functions.

We study the problem of Key Exchange (KE), where authentication is two-factor and based on both electronically stored long keys and human-supplied credentials (passwords or biometrics). The latter credential has low entropy and may be adversarily mistyped. Our main contribution is the first formal treatment of mistyping in this setting. Ensuring security in presence of mistyping is subtle. We show mistypingrelated limitations of previous KE definitions and constructions (of Boyen et al. [7, 6, 10] and Kolesnikov and Rackoff [16]). We concentrate on the practical two-factor authenticated KE setting where servers exchange keys with clients, who use short passwords (memorized) and long cryptographic keys (stored on a card). Our work is thus a natural generalization of Halevi-Krawczyk [15] and Kolesnikov-Rackoff [16]. We discuss the challenges that arise due to mistyping. We propose the first KE definitions in this setting, and formally discuss their guarantees. We present efficient KE protocols and prove their security.

Although postquantum cryptography is of growing practical concern, not many works have been devoted to implementation security issues related to postquantum schemes. In this paper, we look in particular at fault attacks against implementations of lattice-based signatures and key exchange protocols. For signature schemes, we are interested both in Fiat-Shamir type constructions (particularly BLISS, but also GLP, PASSSign, and Ring-TESLA) and in hash-and-sign schemes (particularly the GPV-based scheme of Ducas-Prest-Lyubashevsky). For key exchange protocols, we study the implementations of NewHope, Frodo, and Kyber. These schemes form a representative sample of modern, practical latticebased signatures and key exchange protocols, and achieve a high level of efficiency in both software and hardware. We present several fault attacks against those schemes that recover the entire key recovery with only a few faulty executions (sometimes only one), show that those attacks can be mounted in practice based on concrete experiments in hardware, and discuss possible countermeasures against them.

This paper brings the password-based authenticated key exchange (PAKE) problem closer to practice. It takes into account the presence of firewalls when clients communicate with authentication servers. An authentication server can indeed be seen as two distinct entities, namely a gateway (which is the direct interlocutor of the client) and a back-end server (which is the only one able to check the identity of the client). The goal in this setting is to achieve both transparency and security for the client. And to achieve these goals, the most appropriate choices seem to be to keep the client's password private-even from the back-end server-and to use thresholdbased cryptography. In this paper, we present the Threshold Password-based Authenticated Key Exchange (GTPAKE) system: GTPAKE uses a pair of public/private keys and, unlike traditional threshold-based constructions, shares only the private key among the servers. The system does no require any certification-except during the registration and update of clients' passwords-since clients do not use the public-key to authenticate to the gateway. Clients only need to have their password in hand. In addition to client security, this paper also presents highly-desirable security properties such as server password protection against dishonest gateways and key privacy against curious authentication servers.

Current security model in Global System for Mobile Communications (GSM) predominantly use symmetric key cryptography. The rapid advancement of Internet technology facilitates online trading, banking, downloading, emailing using resource-constrained handheld devices such as personal digital assistants and cell phones. However, these applications require more security than the present GSM supports. Consequently, a careful design of GSM security using both symmetric and asymmetric key cryptography would make GSM security more adaptable in security intensive applications. This paper presents a secure and efficient protocol for GSM security using identity based cryptography. The salient features of the proposed protocol are (i) authenticated key exchange; (ii) mutual authentication amongst communicating entities; and (iii) user anonymity. The security analysis of the protocol shows its strength against some known threats observed in conventional GSM security.

Authenticated Key Exchange (AKE) protocols enable two parties to establish a shared, cryptographically strong key over an insecure network using various authentication means, such as cryptographic keys, short (i.e., lowentropy) secret keys or credentials. In this paper, we provide a general framework, that encompasses several previous AKE primitives such as (Verifier-based) Password-Authenticated Key Exchange or Secret Handshakes, we call LAKE for Language-Authenticated Key Exchange. We first model this general primitive in the Universal Composability (UC) setting. Thereafter, we show that the Gennaro-Lindell approach can efficiently address this goal. But we need smooth projective hash functions on new languages, whose efficient implementations are of independent interest. We indeed provide such hash functions for languages defined by combinations of linear pairing product equations. Combined with an efficient commitment scheme, that is derived from the highly-efficient UC-secure Lindell's commitment, we obtain a very practical realization of Secret Handshakes, but also Credential-Authenticated Key Exchange protocols. All the protocols are UC-secure, in the standard model with a common reference string, under the classical Decisional Linear assumption. Motivation. PAKE, for Password-Authenticated Key Exchange, was formalized by Bellovin and Merritt [BM92] and followed by many proposals based on different cryptographic assumptions (see [ACP09,CCGS10] and references therein). It allows users to generate a strong cryptographic key based on a shared "human-memorable" (i.e. low-entropy) password without requiring a public-key infrastructure. In this setting, an adversary controlling all communication in the network should not be able to mount an off-line dictionary attack. The concept of Secret Handshakes has been introduced in 2003 by Balfanz, Durfee, Shankar, Smetters, Staddon and Wong [BDS + 03] (see also [JL09, AKB07]). It allows two members of the same group to identify each other secretly, in the sense that each party reveals his affiliation to the other only if they are members of the same group. At the end of the protocol, the parties can set up an ephemeral session key for securing further communication between them and an outsider is unable to determine if the handshake succeeded. In case of failure, the players do not learn any information about the other party's affiliation. More recently, Credential-Authenticated Key Exchange (CAKE) was presented by Camenisch, Casati, Groß and Shoup [CCGS10]. In this primitive, a common key is established if and only if a specific relation is satisfied between credentials hold by the two players. This primitive includes variants of PAKE and Secret Handshakes, and namely Verifier-based PAKE, where the client owns a password pw and the server knows a one-way transformation v of the password only. It prevents massive password recovering in case of server corruption. The two players eventually agree on a common high entropy secret if and only if pw and v match together, and off-line dictionary attacks are prevented for third-party players. Our Results. We propose a new primitive that encompasses most of the previous notions of authenticated key exchange. It is closely related to CAKE and we call it LAKE, for Language-Authenticated Key-Exchange, since parties establish a common key if and only if they hold credentials that belong to specific (and possibly independent) languages. The definition of the primitive is more practice-oriented than the definition of CAKE

Abstract. Password-Authenticated Key Exchange (PAKE) has received deep attention in the last few years, with a recent strong improvement by Katz-Vaikuntanathan, and their one-round protocol: the two players just have to send simultaneous flows to each other, that depend on their own passwords only, to agree on a shared high entropy secret key. We follow their work with a further study of their new Smooth-Projective Hash Function framework, and namely we introduce new efficient instantiations on IND-CCA ciphertexts. ...

This note reports major previously unpublished security vulnerabilities in the password-only authenticated three-party key exchange protocol due to Lee and Hwang (Information Sciences, 180, 1702-1714, 2010): (1) the Lee-Hwang protocol is susceptible to a man-in-the-middle attack and thus fails to achieve implicit key authentication; (2) the protocol cannot protect clients' passwords against an offline dictionary attack; and (3) the indistinguishability-based security of the protocol can be easily broken even in the presence of a passive adversary.

We present the first provably-secure three-party password-only authenticated key exchange (PAKE) protocol that can run in only two communication rounds. Our protocol is generic in the sense that it can be constructed from any two-party PAKE protocol. The protocol is proven secure in a variant of the widely-accepted model of Bellare, Pointcheval and Rogaway (2000) without any idealized assumptions on the cryptographic primitives used. We also investigate the security of the two-round, three-party PAKE protocol of Wang, Hu and Li (2010) and demonstrate that this protocol cannot achieve implicit key authentication in the presence of an active adversary.

Group key exchange protocols allow a group of parties communicating over a public network to come up with a common secret key called a session key. Due to their critical role in building secure multicast channels, a number of group key exchange protocols have been suggested over the years for a variety of settings. Among these is the so-called NEKED protocol proposed by Byun et al. for password-authenticated group key exchange in mobile ad-hoc networks overseen by unmanned aerial vehicles. In the current work, we are concerned with improving the security of the NEKED protocol. We first show that the NEKED protocol is vulnerable not only to an attack against backward secrecy but also to an attack against password security. We then figure out how to eliminate the security vulnerabilities of NEKED.

For any positive integers n ≥ 3, r ≥ 1 we present formulae for the number of irreducible polynomials of degree n over the finite field F2r where the coefficients of x n−1 , x n−2 and x n−3 are zero. Our proofs involve counting the number of points on certain algebraic curves over finite fields, a technique which arose from Fourier-analysing the known formulae for the F2 base field cases, reverse-engineering an economical new proof and then extending it. This approach gives rise to fibre products of supersingular curves and makes explicit why the formulae have period 24 in n.

Leakage attacks, including various kinds of side-channel attacks, allow an attacker to learn partial information about the internal secrets such as the secret key and the randomness of a cryptographic system. Designing a strong, meaningful, yet achievable security notion to capture practical leakage attacks is one of the primary goals of leakage-resilient cryptography. In this work, we revisit the modelling and design of authenticated key exchange (AKE) protocols with leakage resilience. We show that the prior works on this topic are inadequate in capturing realistic leakage attacks. To close this research gap, we propose a new security notion named leakage-resilient eCK model w.r.t. auxiliary inputs (AI-LR-eCK) for AKE protocols, which addresses the limitations of the previous models. Our model allows computationally hard-to-invert leakage of both the long-term secret key and the randomness, and also addresses a limitation existing in most of the previous models where the adversary is disallowed to make leakage queries during the challenge session. As another major contribution of this work, we present a generic framework for the construction of AKE protocols that are secure under the proposed AI-LR-eCK model. An instantiation based on the Decision Diffie-Hellman (DDH) assumption in the standard model is also given to demonstrate the feasibility of our proposed framework.

Leakage attacks, including various kinds of side-channel attacks, allow an attacker to learn partial information about the internal secrets such as the secret key and the randomness of a cryptographic system. Designing a strong, meaningful, yet achievable security notion to capture practical leakage attacks is one of the primary goals of leakage-resilient cryptography. In this work, we revisit the modelling and design of authenticated key exchange (AKE) protocols with leakage resilience. We show that the prior works on this topic are inadequate in capturing realistic leakage attacks. To close this research gap, we propose a new security notion named leakage-resilient eCK model w.r.t. auxiliary inputs (AI-LR-eCK) for AKE protocols, which addresses the limitations of the previous models. Our model allows computationally hard-to-invert leakage of both the long-term secret key and the randomness, and also addresses a limitation existing in most of the previous models where the adversary is disallowed to make leakage queries during the challenge session. As another major contribution of this work, we present a generic framework for the construction of AKE protocols that are secure under the proposed AI-LR-eCK model. An instantiation based on the Decision Diffie-Hellman (DDH) assumption in the standard model is also given to demonstrate the feasibility of our proposed framework.

TLS (Transport Layer Security) is a widely deployed protocol that plays a vital role in securing Internet traffic. Given the numerous known attacks for TLS 1.2, it was imperative to change and even redesign the protocol in order to address them. In August 2018, a new version of the protocol, TLS 1.3, was standardized by the IETF (Internet Engineering Task Force). TLS 1.3 not only benefits from stronger security guarantees, but aims to protect the identities of the server and client by encrypting messages as soon as possible during the authentication. In this paper, we model the privacy guarantees of TLS 1.3 when parties execute a full handshake or use a session resumption, covering all the handshake modes of TLS. We build our privacy models on top of the one defined by Hermans et al. for RFIDs (Radio Frequency Identification Devices) that mostly targets authentication protocols. The enhanced models share similarities to the Bellare-Rogaway AKE (Authenticated Key Exchange) security m...

The next-generation Internet of vehicles (IoVs) seamlessly connects humans, vehicles, roadside units (RSUs), and service platforms, to improve road safety, enhance transit efficiency, and deliver comfort while conserving the environment. Currently, numerous entities communicate in the IoVs environment via insecure public channels that are susceptible to a variety of security assaults and threats. To address these security challenges, we design an anonymous authenticated key exchange mechanism for the IoVs in smart transportation supported by blockchain, referred to as AAKE-BIVT. AAKE-BIVT securely transmits traffic information to a cluster head, before heading to a nearby RSU utilizing the established secret session keys via mutual authentication and key agreement. A cloud server (CS) then securely aggregates data from related RSUs and generates transactions. The CS combines the transactions into blocks in a peer-to-peer network of CSs, and the blocks are confirmed and added to the blockchain via a voting-based consensus method. By means of rigorous informal security studies and formal security analysis through the random oracle model, we reveal that the proposed AAKE-BIVT is resistant to a broad range of potential security assaults in the IoVs environment. Furthermore, a comparative study reveals that AAKE-BIVT outperforms existing state-of-the-art techniques, in terms of security and functionality while being more efficient in terms of communication and computation. Additionally, the blockchain simulation validates the implementation viability of our proposed AAKE-BIVT.

Mobile IPv6 was proposed to provide mobility support to IPv6 based mobile devices. It includes a route optimization procedure, to overcome the problem of triangular routing, which allows the correspondent node to send packets directly to the mobile node's care-of address. However, when both communicating devices are mobile, Mobile IPv6's route optimization can not handle the handover thus service disruption occurs and communication is stopped. This paper presents a new DNS-assisted solution for Mobile IPv6 to overcome the problem of simultaneous mobility. The proposed mechanism makes some necessary changes in the Mobile IPv6's route optimization procedure and executes handover differently in different scenarios depending upon the type of mobility of communicating nodes in overlapped or non-overlapped coverage access networks. Simulation results show that when proposed mechanism was used for simultaneous mobility, it successfully resumed the communication as compared to Mobile IPv6 where communication was stopped.

Authenticated key exchange (AKE) protocols are central building blocks of security protocols such as TLS, IPsec, and SSH, that are used in modern distributed applications. The security of these protocols can however be affected by threats such as attacks on users' long-term secret keys, attacks based on malicious key registration, and attacks on the random number generator used by the protocol. The goal of this thesis is to model advanced security threats against authenticated key exchange protocols and to develop methods that strengthen the security of these protocols and make them secure against the considered threats. I would like to express my gratitude to my advisor David Basin for giving me the opportunity of pursuing research in the Institute of Information Security and for his support over the last years. I owe many thanks to my advisor Cas Cremers for his time, patience, and for the many helpful and productive discussions we had at ETH Zurich and at the University of Oxford. It was a great pleasure for me to work with Colin Boyd, Cas Cremers, Kenneth Paterson, Bertram Poettering, and Douglas Stebila on authenticated key exchange security incorporating certification systems. Thanks for the very efficient collaboration and for your support. Also, I would like to thank Marc Fischlin for his willingness to serve as a co-examiner. During my PhD, I have had many constructive discussions with other researchers, including

We propose the first user authentication and key exchange protocols that can tolerate strong corruptions on the client-side. If a user happens to log in to a server from a terminal that has been fully compromised, then the other past and future user's sessions initiated from honest terminals stay secure. We define the security model for Human Authenticated Key Exchange (HAKE) protocols and first propose two generic protocols based on human-compatible (HC) function family, password-authenticated key exchange (PAKE), commitment, and authenticated encryption. We prove our HAKE protocols secure under reasonable assumptions and discuss efficient instantiations. We thereafter propose a variant where the human gets help from a small device such as RSA SecurID. This permits to implement an HC function family with stronger security and thus allows to weaken required assumptions on the PAKE. This leads to the very efficient HAKE which is still secure in case of strong corruptions. We believe that our work will promote further developments in the area of human-oriented cryptography.

We show that the effective factorization of Ore polynomials over F q (t) is still an open problem. This is so because the known algorithm [1] presents two gaps, and therefore it does not cover all the examples. We amend one of the gaps, and we discuss what kind of partial factorizations can be then computed by using [1].

Authenticated Key Exchange (AKE) protocols have been widely deployed in many real-world applications for securing communication channels. In this paper, we make the following contributions. First, we revisit the security modelling of leakage-resilient AKE protocols, and show that the existing models either impose some unnatural restrictions or do not sufficiently capture leakage attacks in reality. We then introduce a new strong yet meaningful security model, named challenge-dependent leakage-resilient eCK (CLR-eCK) model, to capture challenge-dependent leakage attacks on both long-term secret key and ephemeral secret key (i.e., randomness). Second, we propose a general framework for constructing one-round CLR-eCK-secure AKE protocols based on smooth projective hash functions (SPHFs). This framework ensures the session key is private and authentic even if the adversary learns a large fraction of both long-term secret key and ephemeral secret key, and hence provides stronger security guarantee than existing AKE protocols which become insecure if the adversary can perform leakage attacks during the execution of a session. Finally, we also present a practical instantiation of the general framework based on the Decisional Diffie-Hellman assumption without random oracle. Our result shows that the instantiation is efficient in terms of the communication and computation overhead and captures more general leakage attacks.

Luckily, new communication technologies and protocols are nowadays designed considering security issues. A clear example of this can be found in the Internet of Things (IoT) field, a quite recent area where communication technologies such as ZigBee or IPv6 over Low power Wireless Personal Area Networks (6LoWPAN) already include security features to guarantee authentication, confidentiality and integrity. More recent technologies are Low-Power Wide-Area Networks (LP-WAN), which also consider security, but present initial approaches that can be further improved. An example of this can be found in Long Range (LoRa) and its layer-two supporter LoRa Wide Area Network (LoRaWAN), which include a security scheme based on pre-shared cryptographic material lacking flexibility when a key update is necessary. Because of this, in this work, we evaluate the security vulnerabilities of LoRaWAN in the area of key management and propose different alternative schemes. Concretely, the application of a...

This document specifies public-key certificate enrollment procedures protected with lightweight application-layer security protocols suitable for Internet of Things (IoT) deployments. The protocols leverage payload formats defined in Enrollment over Secure Transport (EST) and existing IoT standards including the Constrained Application Protocol (CoAP), Concise Binary Object Representation (CBOR) and the CBOR Object Signing and Encryption (COSE) format. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts.

This document specifies public key certificate enrollment procedures protected with application-layer security protocols suitable for Internet of Things (IoT) deployments. The protocols leverage payload formats defined in Enrolment over Secure Transport (EST) and existing IoT standards including the Constrained Application Protocol (CoAP), Concise Binary Object Representation (CBOR) and the CBOR Object Signing and Encryption (COSE) format.

In 2005, Abdalla and Pointcheval suggested a new variation of the computational DH assumption called chosen based computational Diffie Hellman (CCDH) and presented SPAKE-1 and SPAKE-2 simple password based authenticated key exchange protocols. Since then several three party password authenticated key agreement protocols have been proposed based on CCDH assumption but most of them broken. In this paper, we propose two password based simple three party key exchange protocols via twin Diffie-Hellman problem and show that the proposed protocols provide greater security and efficiency than the existing protocols. The protocols are also verified using Automated Validation of Internet Security Protocols and Applications (AVISPA) which is a push button tool for the automated validation of security protocols and the result shows that they do not have any security flaws.

The proper verification of users plays a vital role during communication over a social network to protect the personal data of users. Multifarious protocols have been implemented to secure the confidential data of the users, but these protocols have various limitations and are incapable of providing secrecy of data against various attacks, such as replay and cryptanalysis attacks. In this article, the authors proposed a novel method for security verification of the social network model using an improved three-party authenticated key exchange (3PAKE) protocol based on symmetric encryption and (ECC) elliptic curve cryptography. The outcome of the paper demonstrates that our proposed algorithm provides the desired secrecy to the confidential data exchange over social networks in real-time and consumes less time in comparison to existing protocols. Our protocol consumes a search time of 0.09 s, overall communication steps took 2 during the verification, and depth plies was 3 along with ...

Mobile IPv6 was proposed to provide mobility support to IPv6 based mobile devices. It includes a route optimization procedure, to overcome the problem of triangular routing, which allows the correspondent node to send packets directly to the mobile node's care-of address. However, when both communicating devices are mobile, Mobile IPv6's route optimization can not handle the handover thus service disruption occurs and communication is stopped. This paper presents a new DNS-assisted solution for Mobile IPv6 to overcome the problem of simultaneous mobility. The proposed mechanism makes some necessary changes in the Mobile IPv6's route optimization procedure and executes handover differently in different scenarios depending upon the type of mobility of communicating nodes in overlapped or non-overlapped coverage access networks. Simulation results show that when proposed mechanism was used for simultaneous mobility, it successfully resumed the communication as compared to Mobile IPv6 where communication was stopped.

In the literature, many three-party authenticated key exchange (3PAKE) protocols are put forwarded to established a secure session key between two users with the help of trusted server. The computed session key will ensure secure message exchange between the users over any insecure communication networks. In this paper, we identified some deficiencies in Tan's 3PAKE protocol and then devised an improved 3PAKE protocol without symmetric key en/decryption technique for mobile-commerce environments. The proposed protocol is based on the elliptic curve cryptography and one-way cryptographic hash function. In order to prove security validation of the proposed 3PAKE protocol we have used widely accepted AVISPA software whose results confirm that the proposed protocol is secure against active and passive attacks including replay and man-in-themiddle attacks. The proposed protocol is not only secure in the AVISPA software, but it also secure

Password-based authenticated key exchange protocol is a type of authenticated key exchange protocols which enables two or more communication entities, who only share weak, low-entropy and easily memorable passwords, to authenticate each other and establish a high-entropy secret session key. In 2012, Tallapally proposed an enhanced three-party password-based authenticated key exchange protocol to overcome the weaknesses of Huang's scheme. However, in this paper, we indicate that the Tallapally's scheme not only is still vulnerable to undetectable online password guessing attack, but also is insecure against off-line password guessing attack. Therefore, we propose a more secure and efficient scheme to overcome the security flaws.

With the development of side-channel attacks, a necessity arises to invent authenticated key exchange protocols in a leakage-resilient manner. Constructing authenticated key exchange protocols using existing cryptographic schemes is an effective method, as such construction can be instantiated with any appropriate scheme in a way that the formal security argument remains valid. In parallel, constructing authenticated key exchange protocols that are proven to be secure in the standard model is more preferred as they rely on real-world assumptions. In this paper, we present a Diffie-Hellman-style construction of a leakageresilient authenticated key exchange protocol, that can be instantiated with any CCLA2-secure public-key encryption scheme and a function from the pseudo-random function family. Our protocol is proven to be secure in the standard model assuming the hardness of the decisional Diffie-Hellman problem. Furthermore, it is resilient to continuous partial leakage of long-term secret keys, that happens even after the session key is established, while satisfying the security features defined by the eCK security model.

This paper 1 presents a new paradigm to realize cryptographic primitives such as authenticated key exchange and key encapsulation without random oracles under three assumptions: the decisional Diffie-Hellman (DDH) assumption, target collision resistant (TCR) hash functions and a class of pseudo-random functions (PRFs), πPRFs, PRFs with pairwise-independent random sources. We propose a (PKI-based) two-pass authenticated key exchange (AKE) protocol that is comparably as efficient as the existing most efficient protocols like MQV and that is secure without random oracles (under these assumptions). Our protocol is shown to be secure in the (currently) strongest security definition, the extended Canetti-Krawczyk (eCK) security definition introduced by LaMacchia, Lauter and Mityagin. We also show that a variant of the Kurosawa-Desmedt key encapsulation mechanism (KEM) using a πPRF is CCA-secure under the three assumptions. This scheme is secure in a stronger security notion, the chosen public-key and ciphertext attack (CPCA) security, with using a generalized TCR (GTCR) hash function in place of a TCR hash function. The proposed schemes in this paper are validity-check-free and the implication is that combining them with validity-check-free symmetric encryption (DEM) will yield validity-check-free (e.g., MAC-free) CCA-secure hybrid encryption.

With the rise of the Internet of Things and the growing popularity of constrained end-devices, several security protocols are widely deployed or strongly promoted (e.g., Sigfox, LoRaWAN, NB-IoT). Based on symmetric-key functions, these protocols lack in providing security properties usually ensured by asymmetric schemes, in particular forward secrecy. We describe a 3-party authenticated key exchange protocol solely based on symmetric-key functions (regarding the computations done between the end-device and the back-end network) which guarantees forward secrecy. Our protocol enables session resumption (without impairing security). This allows saving communication and computation cost, and is particularly advantageous for low-resource end-devices. Our 3party protocol can be applied in a real-case IoT deployment (i.e., involving numerous end-devices and servers) such that the latter inherits from the security properties of the protocol. We give a concrete instantiation of our key exchange protocol, and formally prove its security.

In [17], Zhu, et al. proposed a RSA-based password authenticated key exchange scheme which supports short RSA public exponents. The scheme is the most efficient one among all the RSA-based schemes currently proposed when implemented on low-power asymmetric wireless networks. We observe that its performance can further be improved by proposing two modifications. The first modification shortens the size of the message sent from the server to the client. The second modification dramatically reduces the size of the message sent from the client to the server and therefore can be used to reduce the power consumption of the client for wireless communications in a significant way. We also generalize our modified schemes and formalize the security requirements of all underlying primitives that the generic scheme is constituted. A new primitive called password-keyed permutation family is introduced. We show that the security of our password-keyed permutation family is computationally equivalent to the RSA Problem in the random oracle model.

A Physical Unclonable Function (PUF) provides a physical device a unique output for a given input, which can be regarded as the device's digital fingerprint. Thus, PUFs can provide unique identities for billions of connected devices in Internet of Things (IoT) architectures. Plenty of PUF based authenticated key exchange (AKE) protocols have been proposed. However, most of them are designed for the authentication between an IoT node and the specific server/verifier, whom the IoT node registered with. Only a few of them are designed for the authentication between IoT nodes, and all these protocols need verifiers or explicit Challenge-Response Pairs (CRPs). In this paper, we propose the first PUF based AKE protocol for IoT without verifiers and explicit CRPs, which IoT nodes can freely authenticate each other and create a session key on their own without the help of any server or verifier. We compare the proposed protocol with 27 relevant PUF based AKE protocols to show the superiority, and analyze the computational cost of each entity in the proposed protocol to show the efficiency. We define the adversarial model of a PUF based AKE protocol for IoT and formally prove the security of the proposed protocol in random oracle model. The security of the proposed protocol is based on the Elliptic Curve Discrete Logarithm (ECDL), Elliptic Curve Computational Diffie-Hellman (ECCDH), and Decisional Bilinear Diffie-Hellman (DBDH) assumptions. INDEX TERMS Device authentication, internet of things, key agreement, key management, physical unclonable function.

State-of-the-art authenticated key exchange (AKE) protocols are proven secure in gamebased security models. These models have considerably evolved in strength from the original Bellare-Rogaway model. However, so far only informal impossibility results, which suggest that no protocol can be secure against stronger adversaries, have been sketched. At the same time, there are many different security models being used, all of which aim to model the strongest possible adversary. In this paper we provide the first systematic analysis of the limits of game-based security models. Our analysis reveals that different security goals can be achieved in different relevant classes of AKE protocols. From our formal impossibility results, we derive strong security models for these protocol classes and give protocols that are secure in them. In particular, we analyse the security of AKE protocols in the presence of adversaries who can perform attacks based on chosen randomness, in which the adversary controls the randomness used in protocol sessions. Protocols that do not modify memory shared among sessions, which we call stateless protocols, are insecure against chosen-randomness attacks. We propose novel stateful protocols that provide resilience even against this worst case randomness failure, thereby weakening the security assumptions required on the random number generator.

Fog computing is one of the prominent technology that bridges the gap between IoT nodes and cloud servers. For increasing the efficiency at the fog level, a fog federation can be employed. Fog federation at the fog level can be controlled by the fog coordinator. However, the information exchange between the fog coordinator and IoT nodes needs to be secured. Recently, a lightweight secure key exchange (LKSE) protocol for secure key exchange for fog federation was proposed. In this paper, the cryptanalysis of the LKSE is carried out. The cryptanalysis indicates that LKSE is vulnerable to spoofing and man in the middle attacks. To overcome the limitation of the LKSE, a design of an ECC-based secure key exchange protocol for IoT devices and fog coordinators is proposed. The security strength of the designed method has been evaluated using BAN logic and the random oracle model. Simulations on AVISPA have been performed for automatic security verification of the proposed method. A detaile...

A password-based authenticated key agreement enables several parties to establish a shared cryptographically strong key over a public unreliable and insecure network using short low-entropy passwords. This authenticated key agreement is definitely required even in Internet of Things (IoT) environments, since no additional device is required. There are few researches for password-based explicit authenticated key agreement (EAKA). Recently, Zheng et al. proposed a 3-round password-based EAKA protocol. In this paper, we reveal that their protocol is vulnerable to impersonation attack, and the used security definition is not formally treated. We then formalize the security definition of two-party password-based EAKA protocol and improve the construction of Zheng et al. to eliminate its security vulnerabilities. The security of the proposal is formally proved according to a new security model.

Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instruction, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington headquarters Services, Directorate for Information Operations and Reports, 1215

Mobile ad hoc networks (MANETs) are known to be unprotected due to the nature of message propagation and the openness of public channel. Another important characteristic of MANETs is their being basically energy constrained. While it is known that symmetric key cryptography provides a high degree of secrecy and efficiency, but has a number of significant difficulties for the MANET domain in key distribution, key management, scalability and provision of non-repudiation. Public key cryptography (PKC) on other hand provides solutions to the problems inherent in symmetric key cryptography with authenticated key agreement protocols. However the constraints of MANETs such as mobility of nodes, lack of network services and servers make such a proposition difficult. In this paper, we propose a PKC based new energy efficient twoparty mutual authenticated key agreement protocol suitable for MANETs. Its security is based on the elliptic curve discrete logarithm assumption. We provide proof here for the security of the proposed protocol and show its relative better performance when compared with other relevant protocols.

Biometric data offer a potential source of high-entropy, secret information that can be used in cryptographic protocols provided two issues are addressed: (1) biometric data are not uniformly distributed; and (2) they are not exactly reproducible. Recent work, most notably that of Dodis, Reyzin, and Smith, has shown how these obstacles may be overcome by allowing some auxiliary public information to be reliably sent from a server to the human user. Subsequent work of Boyen has shown how to extend these techniques, in the random oracle model, to enable unidirectional authentication from the user to the server without the assumption of a reliable communication channel. We show two efficient techniques enabling the use of biometric data to achieve mutual authentication or authenticated key exchange over a completely insecure (i.e., adversarially controlled) channel. In addition to achieving stronger security guarantees than the work of Boyen, we improve upon his solution in a number of other respects: we tolerate a broader class of errors and, in one case, improve upon the parameters of his solution and give a proof of security in the standard model.

Anonymous digital signatures such as Direct Anonymous Attestation (DAA) and group signatures have been a fundamental building block for anonymous entity authentication. In this paper, we show how to incorporate DAA schemes into a key exchange protocol between two entities to achieve anonymous authentication and to derive a shared key between them. We propose a modification to the SIGMA key exchange protocol used in the Internet Key Exchange (IKE) standards to support anonymous authentication using DAA. Our key exchange protocol can be also extended to support group signature schemes instead of DAA. We present a secure model for key exchange with anonymous authentication derived from the Canetti-Krawczyk key-exchange security model. We prove that our DAA-SIGMA protocol is secure under our security model.

In Mobile IPv6, each packet sent and received by a mobile node contains its home address. As a result, it is very easy for an eavesdropper or for a correspondent node to track the movement and usage of a mobile node. This paper proposes a simple and practical solution to this problem. The main idea is to replace the home address in the packets by a temporary mobile identifier (TMI), that is cryptographically generated and therefore random. As a result, packets cannot be linked to a mobile node anymore and traffic analysis is more difficult. With our solution, an eavesdropper can still identify the IP addresses of two communicating nodes but is not able to identify their identities (i.e., their home addresses). Furthermore since a mobile node uses a new identifier for each communication, an eavesdropper cannot link the different communications of a given mobile node together. We show that HMIPv6 can also benefit from the proposed privacy extension.

This paper addresses the identifier ownership problem. It does so by using characteristics of Statistical Uniqueness and Cryptographic Verifiability (SUCV) of certain entities which this document calls SUCV Identifiers and Addresses, or, alternatively, Crypto-based Identifiers. Their characteristics allow them to severely limit certain classes of denial-of-service attacks and hijacking attacks. SUCV addresses are particularly applicable to solve the address ownership problem that hinders mechanisms like Binding Updates in Mobile IPv6.