
Publication


Featured research published by SeongHan Shin.


International Conference on the Theory and Application of Cryptology and Information Security | 2003

Leakage-Resilient Authenticated Key Establishment Protocols

SeongHan Shin; Kazukuni Kobara; Hideki Imai

Authenticated Key Establishment (AKE) protocols enable two entities, say a client (or a user) and a server, to share common session keys in an authentic way. In this paper, we review AKE protocols from a little bit different point of view, i.e. the relationship between information a client needs to possess (for authentication) and immunity to the respective leakage of stored secrets from a client side and a server side. Since the information leakage would be more conceivable than breaking down the underlying cryptosystems, it is desirable to enhance the immunity to the leakage. First and foremost, we categorize AKE protocols according to how much resilience against the leakage can be provided. Then, we propose new AKE protocols that have immunity to the leakage of stored secrets from a client and a server (or servers), respectively. And we extend our protocols to be possible for updating secret values registered in server(s) or password remembered by a client.


IEEE Journal on Selected Areas in Communications | 2006

LR-AKE-Based AAA for Network Mobility (NEMO) Over Wireless Links

Hanane Fathi; SeongHan Shin; Kazukuni Kobara; Shyam S. Chakraborty; Hideki Imai; Ramjee Prasad

Network mobility introduces far more complexity than host mobility. Therefore, host mobility protocols such as Mobile IPv6 (MIPv6) need to be extended to support this new type of mobility. To address the extensions needed for network mobility, the IETF NEMO working group has recently standardized the network mobility basic support protocol in RFC 3963. However, in this RFC, it is not mentioned how authentication, authorization and accounting (AAA) issues are handled in NEMO environment. Also, the use of IPsec to secure NEMO procedures does not provide robustness against leakage of stored secrets. To address this security issue and to achieve AAA with mobility, we propose new handover procedures to be performed by mobile routers and by visiting mobile nodes. This new handover procedure is based on leakage resilient-authenticated key establishment (LR-AKE) protocol. Using analytical models, we evaluate the proposed handover procedure in terms of handover delay which affects the session continuity. Our performance evaluation is based on transmission, queueing and encryption delays over wireless links.


IEEE Journal on Selected Areas in Communications | 2005

Leakage-resilient security architecture for mobile IPv6 in wireless overlay networks

Hanane Fathi; SeongHan Shin; Kazukuni Kobara; Shyam S. Chakraborty; Hideki Imai; Ramjee Prasad

The coupling of mobility and quality-of-service with security is a challenge that should be addressed in future wireless overlay systems. The mobility of a node can disrupt or even intermittently disconnect an ongoing real-time session because a secure handover must be performed to ensure continuous connectivity. The duration of such interruptions is called disruption time or handover delay and can heavily affect the user satisfaction. The handover procedure needs to protect its integrity and confidentiality; otherwise, the packets may be rerouted to a malicious node and the legitimate handover may not be performed. The security procedure to ensure this should not lengthen significantly the handover delay to provide good quality real-time services. In this paper, we focus on the network-layer mobility, specifically, on Mobile Internet protocol version 6 (MIPv6) since it is the natural candidate for providing such mobility in future systems. To solve the problem of on-path attackers and prevent leakage of secrets, we propose a security architecture for MIPv6 based on leakage resilient-authenticated key establishment (LR-AKE) protocol and its cooperation with public key infrastructure. The proposed architecture prevents against on-path attackers which was not addressed in the specifications of MIPv6, and also provides robustness against leakage of secret values. Using analytical models, we evaluate MIPv6 handover delay for real-time services. We identify the crucial factors affecting the handover delay among transmission delays of MIPv6, security and LR-AKE messages, queueing delays and en/decryption delays.


International Workshop on Security | 2007

A secure threshold anonymous password-authenticated key exchange protocol

SeongHan Shin; Kazukuni Kobara; Hideki Imai

At Indocrypt 2005, Viet et al. [20] have proposed an anonymous password-authenticated key exchange (PAKE) protocol and its threshold construction, both of which are designed for client's password-based authentication and anonymity against a passive server, who does not deviate from the protocol. In this paper, we first point out that their threshold construction is completely insecure against off-line dictionary attacks. For the threshold t > 1, we propose a secure threshold anonymous PAKE (for short, TAP) protocol with the number of clients n upper-bounded, such that n ≤ 2√(N−1) − 1, where N is a dictionary size of passwords. We also show that the TAP protocol provides semantic security of session keys in the random oracle model, with the reduction to the computational Diffie-Hellman problem, as well as anonymity against a passive server. For the threshold t = 1, we propose an efficient anonymous PAKE protocol that significantly improves efficiency in terms of computation costs and communication bandwidth compared to the original (not threshold) anonymous PAKE protocol [20].


IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences | 2005

A Simple Leakage-Resilient Authenticated Key Establishment Protocol, Its Extensions, and Applications

* A preliminary version of this paper appears in ASIACRYPT 2003 [41].

SeongHan Shin; Kazukuni Kobara; Hideki Imai

Authenticated Key Establishment (AKE) protocols enable two entities, say a client (or a user) and a server, to share common session keys in an authentic way. In this paper, we review the previous AKE protocols, all of which turn out to be insecure, under the following realistic assumptions: (1) High-entropy secrets that should be stored on devices may leak out due to accidents such as bugs or mis-configurations of the system; (2) The size of human-memorable secret, i.e. password, is short enough to memorize, but large enough to avoid on-line exhaustive search; (3) TRM (Tamper-Resistant Modules) used to store secrets are not perfectly free from bugs and mis-configurations; (4) A client remembers only one password, even if he/she communicates with several different servers. Then, we propose a simple leakage-resilient AKE protocol (cf. [41]) which is described as follows: the client keeps one password in mind and stores one secret value on devices, both of which are used to establish an authenticated session key with the server. The advantages of leakage-resilient AKEs to the previous AKEs are that the former is secure against active adversaries under the above-mentioned assumptions and has immunity to the leakage of stored secrets from a client and a server (or servers), respectively. In addition, the advantage of the proposed protocol to [41] is the reduction of memory size of the client's secrets. And we extend our protocol to be possible for updating secret values registered in server(s) or password remembered by a client. Some applications and the formal security proof in the standard model of our protocol are also provided.


Applicable Algebra in Engineering, Communication and Computing | 2009

Very-Efficient Anonymous Password-Authenticated Key Exchange and Its Extensions

SeongHan Shin; Kazukuni Kobara; Hideki Imai

An anonymous password-authenticated key exchange (anonymous PAKE) protocol is designed to provide both password-only authentication and user anonymity. In this paper, we propose a very-efficient anonymous PAKE (called, VEAP) protocol that provides the most efficiency among their kinds in terms of computation and communication costs. The VEAP protocol guarantees semantic security of session keys in the random oracle model under the chosen target CDH problem, and unconditional user anonymity against a semi-honest server. If the pre-computation is allowed, the computation cost of the VEAP protocol is the same as the well-known Diffie-Hellman protocol! In addition, we extend the VEAP protocol in two ways.


IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences | 2008

A Secure Construction for Threshold Anonymous Password-Authenticated Key Exchange

SeongHan Shin; Kazukuni Kobara; Hideki Imai

At Indocrypt 2005, Viet et al. [21] have proposed an anonymous password-authenticated key exchange (PAKE) protocol and its threshold construction, both of which are designed for client's password-based authentication and anonymity against a passive server, who does not deviate from the protocol. In this paper, we first point out that their threshold construction is completely insecure against off-line dictionary attacks. For the threshold t > 1, we propose a secure threshold anonymous PAKE (for short, TAP) protocol with the number of clients n upper-bounded, such that n ≤ 2√(N−1) − 1, where N is a dictionary size of passwords. We rigorously prove that the TAP protocol has semantic security of session keys in the random oracle model by showing the reduction to the computational Diffie-Hellman problem. In addition, the TAP protocol provides unconditional anonymity against a passive server. For the threshold t = 1, we propose an efficient anonymous PAKE protocol that significantly improves efficiency in terms of computation costs and communication bandwidth compared to the original (not threshold) anonymous PAKE protocol [21].


Applied Cryptography and Network Security | 2005

Efficient and leakage-resilient authenticated key transport protocol based on RSA

SeongHan Shin; Kazukuni Kobara; Hideki Imai

Let us consider the following situation: (1) a client, who communicates with a variety of servers, remembers only one password and has insecure devices with very-restricted computing power and built-in memory capacity; (2) the counterpart servers have enormous computing power, but they are not perfectly secure; (3) neither PKI (Public Key Infrastructures) nor TRM (Tamper-Resistant Modules) is available. Our main goal of this paper is to provide its security against the leakage of stored secrets as well as to attain high efficiency on the client's side. For those, we propose an efficient and leakage-resilient RSA-based Authenticated Key Establishment (RSA-AKE) protocol suitable for the above situation whose authenticity is based on password and an additional stored secret. The RSA-AKE protocol is provably secure in the random oracle model where an adversary is given the stored secret of client and the RSA private key of server. In terms of computation costs, the client is required to compute only one modular exponentiation with an exponent e (e ≥ 3) in the protocol execution. We also show that the RSA-AKE protocol has several security properties and efficiency over the previous ones of their kinds.


Computer and Communications Security | 2009

Partnership in key exchange protocols

Kazukuni Kobara; SeongHan Shin; Mario Strefler

In this paper, we investigate the notion of partnership as found in security models for key exchange protocols. Several different approaches have been pursued to define partnership, with varying degrees of success. We aim to provide an overview and criticism of the various definitions and point out some pitfalls that can be encountered when trying to define partnership. As a result, we propose an intuitive way of defining partnership directly from equality of session keys. In addition, we show that authentication can be captured using a definition of partnership by equality of partner identifiers, and give proofs that both definitions achieve what we expect from them.


IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences | 2007

An Efficient and Leakage-Resilient RSA-Based Authenticated Key Exchange Protocol with Tight Security Reduction

* A preliminary version appeared in [33]. Some mistakes about security proof are corrected in this paper.

SeongHan Shin; Kazukuni Kobara; Hideki Imai

Both mutual authentication and generation of session keys can be accomplished by an authenticated key exchange (AKE) protocol. Let us consider the following situation: (1) a client, who communicates with many different servers, remembers only one password and has insecure devices (e.g., mobile phones or PDAs) with very-restricted computing power and built-in memory capacity; (2) the counterpart servers have enormous computing power, but they are not perfectly secure against various attacks (e.g., virus or hackers); (3) neither PKI (Public Key Infrastructures) nor TRM (Tamper-Resistant Modules) is available. The main goal of this paper is to provide security against the leakage of stored secrets as well as to attain high efficiency on the client's side. For those, we propose an efficient and leakage-resilient RSA-based AKE (RSA-AKE) protocol suitable for the above situation whose authenticity is based on password and another secret. In the extended model where an adversary is given access to the stored secret of client, we prove that its security of the RSA-AKE protocol is reduced tightly to the RSA one-wayness in the random oracle model. We also show that the RSA-AKE protocol guarantees several security properties (e.g., security of password, multiple server scenario with only one password, perfect forward secrecy and anonymity). To our best knowledge, the RSA-AKE protocol is the most efficient, in terms of both computation costs of client and communication costs, over the previous AKE protocols of their kind (using password and RSA).

Collaboration



Top Co-Authors

Daisuke Kurabayashi

Tokyo Institute of Technology
