A Simple Leakage-Resilient Authenticated Key Establishment Protocol, Its Extensions, and Applications
Summary :
Authenticated Key Establishment (AKE) protocols enable two entities, say a client (or a user) and a server, to share common session keys in an authentic way. In this paper, we review the previous AKE protocols, all of which turn out to be insecure, under the following realistic assumptions: (1) High-entropy secrets that should be stored on devices may leak out due to accidents such as bugs or mis-configureations of the system; (2) The size of human-memorable secret, i.e. password, is short enough to memorize, but large enough to avoid on-line exhaustive search; (3) TRM (Tamper-Resistant Modules) used to store secrets are not perfectly free from bugs and mis-configurations; (4) A client remembers only one password, even if he/she communicates with several different servers. Then, we propose a simple leakage-resilient AKE protocol (cf.[41]) which is described as follows: the client keeps one password in mind and stores one secret value on devices, both of which are used to establish an authenticated session key with the server. The advantages of leakage-resilient AKEs to the previous AKEs are that the former is secure against active adversaries under the above-mentioned assumptions and has immunity to the leakage of stored secrets from a client and a server (or servers), respectively. In addition, the advantage of the proposed protocol to is the reduction of memory size of the client's secrets. And we extend our protocol to be possible for updating secret values registered in server(s) or password remembered by a client. Some applications and the formal security proof in the standard model of our protocol are also provided.
- Publication
- IEICE TRANSACTIONS on Fundamentals Vol.E88-A No.3 pp.736-754
- Publication Date
- 2005/03/01
- Publicized
- Online ISSN
- DOI
- 10.1093/ietfec/e88-a.3.736
- Type of Manuscript
- PAPER
- Category
- Information Security
Authors
Keyword
Latest Issue
Copyrights notice of machine-translated contents
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Cite this
Copy
SeongHan SHIN, Kazukuni KOBARA, Hideki IMAI, "A Simple Leakage-Resilient Authenticated Key Establishment Protocol, Its Extensions, and Applications" in IEICE TRANSACTIONS on Fundamentals,
vol. E88-A, no. 3, pp. 736-754, March 2005, doi: 10.1093/ietfec/e88-a.3.736.
Abstract: Authenticated Key Establishment (AKE) protocols enable two entities, say a client (or a user) and a server, to share common session keys in an authentic way. In this paper, we review the previous AKE protocols, all of which turn out to be insecure, under the following realistic assumptions: (1) High-entropy secrets that should be stored on devices may leak out due to accidents such as bugs or mis-configureations of the system; (2) The size of human-memorable secret, i.e. password, is short enough to memorize, but large enough to avoid on-line exhaustive search; (3) TRM (Tamper-Resistant Modules) used to store secrets are not perfectly free from bugs and mis-configurations; (4) A client remembers only one password, even if he/she communicates with several different servers. Then, we propose a simple leakage-resilient AKE protocol (cf.[41]) which is described as follows: the client keeps one password in mind and stores one secret value on devices, both of which are used to establish an authenticated session key with the server. The advantages of leakage-resilient AKEs to the previous AKEs are that the former is secure against active adversaries under the above-mentioned assumptions and has immunity to the leakage of stored secrets from a client and a server (or servers), respectively. In addition, the advantage of the proposed protocol to is the reduction of memory size of the client's secrets. And we extend our protocol to be possible for updating secret values registered in server(s) or password remembered by a client. Some applications and the formal security proof in the standard model of our protocol are also provided.
URL: https://globals.ieice.org/en_transactions/fundamentals/10.1093/ietfec/e88-a.3.736/_p
Copy
@ARTICLE{e88-a_3_736,
author={SeongHan SHIN, Kazukuni KOBARA, Hideki IMAI, },
journal={IEICE TRANSACTIONS on Fundamentals},
title={A Simple Leakage-Resilient Authenticated Key Establishment Protocol, Its Extensions, and Applications},
year={2005},
volume={E88-A},
number={3},
pages={736-754},
abstract={Authenticated Key Establishment (AKE) protocols enable two entities, say a client (or a user) and a server, to share common session keys in an authentic way. In this paper, we review the previous AKE protocols, all of which turn out to be insecure, under the following realistic assumptions: (1) High-entropy secrets that should be stored on devices may leak out due to accidents such as bugs or mis-configureations of the system; (2) The size of human-memorable secret, i.e. password, is short enough to memorize, but large enough to avoid on-line exhaustive search; (3) TRM (Tamper-Resistant Modules) used to store secrets are not perfectly free from bugs and mis-configurations; (4) A client remembers only one password, even if he/she communicates with several different servers. Then, we propose a simple leakage-resilient AKE protocol (cf.[41]) which is described as follows: the client keeps one password in mind and stores one secret value on devices, both of which are used to establish an authenticated session key with the server. The advantages of leakage-resilient AKEs to the previous AKEs are that the former is secure against active adversaries under the above-mentioned assumptions and has immunity to the leakage of stored secrets from a client and a server (or servers), respectively. In addition, the advantage of the proposed protocol to is the reduction of memory size of the client's secrets. And we extend our protocol to be possible for updating secret values registered in server(s) or password remembered by a client. Some applications and the formal security proof in the standard model of our protocol are also provided.},
keywords={},
doi={10.1093/ietfec/e88-a.3.736},
ISSN={},
month={March},}
Copy
TY - JOUR
TI - A Simple Leakage-Resilient Authenticated Key Establishment Protocol, Its Extensions, and Applications
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 736
EP - 754
AU - SeongHan SHIN
AU - Kazukuni KOBARA
AU - Hideki IMAI
PY - 2005
DO - 10.1093/ietfec/e88-a.3.736
JO - IEICE TRANSACTIONS on Fundamentals
SN -
VL - E88-A
IS - 3
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - March 2005
AB - Authenticated Key Establishment (AKE) protocols enable two entities, say a client (or a user) and a server, to share common session keys in an authentic way. In this paper, we review the previous AKE protocols, all of which turn out to be insecure, under the following realistic assumptions: (1) High-entropy secrets that should be stored on devices may leak out due to accidents such as bugs or mis-configureations of the system; (2) The size of human-memorable secret, i.e. password, is short enough to memorize, but large enough to avoid on-line exhaustive search; (3) TRM (Tamper-Resistant Modules) used to store secrets are not perfectly free from bugs and mis-configurations; (4) A client remembers only one password, even if he/she communicates with several different servers. Then, we propose a simple leakage-resilient AKE protocol (cf.[41]) which is described as follows: the client keeps one password in mind and stores one secret value on devices, both of which are used to establish an authenticated session key with the server. The advantages of leakage-resilient AKEs to the previous AKEs are that the former is secure against active adversaries under the above-mentioned assumptions and has immunity to the leakage of stored secrets from a client and a server (or servers), respectively. In addition, the advantage of the proposed protocol to is the reduction of memory size of the client's secrets. And we extend our protocol to be possible for updating secret values registered in server(s) or password remembered by a client. Some applications and the formal security proof in the standard model of our protocol are also provided.
ER -
FlyerIEICE has prepared a flyer regarding multilingual services. Please use the one in your native language.
English
