A Simple Leakage-Resilient Authenticated Key Establishment Protocol, Its Extensions, and Applications

SeongHan SHIN
Kazukuni KOBARA
Hideki IMAI

Publication
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences, Vol.E88-A, No.3, pp.736-754
Publication Date: 2005/03/01
Online ISSN: 
DOI: 10.1093/ietfec/e88-a.3.736
Print ISSN: 0916-8508
Type of Manuscript: PAPER
Category: Information Security
Keywords: entropy of passwords, on-line and off-line attacks, authentication, key establishment protocol, leakage of stored secrets, proactive security, DDH problem, standard model




Summary: 
Authenticated Key Establishment (AKE) protocols enable two entities, say a client (or a user) and a server, to share common session keys in an authentic way. In this paper, we review the previous AKE protocols, all of which turn out to be insecure under the following realistic assumptions: (1) high-entropy secrets that should be stored on devices may leak out due to accidents such as bugs or mis-configurations of the system; (2) the size of a human-memorable secret, i.e. a password, is short enough to memorize but large enough to avoid on-line exhaustive search; (3) TRMs (Tamper-Resistant Modules) used to store secrets are not perfectly free from bugs and mis-configurations; (4) a client remembers only one password, even if he/she communicates with several different servers. Then, we propose a simple leakage-resilient AKE protocol (cf. [41]), which is described as follows: the client keeps one password in mind and stores one secret value on devices, both of which are used to establish an authenticated session key with the server. The advantages of leakage-resilient AKEs over the previous AKEs are that the former are secure against active adversaries under the above-mentioned assumptions and are immune to the leakage of stored secrets from a client and a server (or servers), respectively. In addition, a further advantage of the proposed protocol is the reduction of the memory size of the client's secrets. We also extend our protocol to allow updating the secret values registered in server(s) or the password remembered by a client. Some applications and a formal security proof of our protocol in the standard model are also provided.
