Yongge Wang

DOI: https://doi.org/10.1007/978-3-642-35840-1_9

2013-01-01

Abstract:Several identity based and implicitly authenticated key agreement protocols have been proposed in recent years and none of them has achieved all required security properties. It remains an open question to design secure identity based and implicitly authenticated key agreement protocols. In this paper, we propose an efficient identity-based and authenticated key agreement protocol IDAK using Weil/Tate pairing. The security of IDAK is proved in Bellare-Rogaway model. Several required properties for key agreement protocols are not implied by the Bellare-Rogaway model. We proved these properties for IDAK separately.

Huanhuan Lian,Yafang Yang,Yunlei Zhao

DOI: https://doi.org/10.1109/jiot.2022.3219524

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Password authenticated key exchange (PAKE) allows two parties with a shared password to establish a session key. In order to provide secure and private communication between devices in an Internet of Things (IoT) environment, the PAKE protocol is considered one of the most common and promising security methods. However, many existing PAKE proposals still face challenges in security and efficiency. First, both the terminals of participants may suffer from the compromise attack and precomputation attack, which will lead to the leakage of password. Second, the majority of the existing schemes cannot guarantee participants’ identity privacy. Third, most PAKE protocols are not suitable for IoT devices with limited computing capability because of a large number of exponential and pairing operations. To address these issues, we propose a strong symmetric PAKE protocol for IoT devices, which only requires 3 exponentiations per party. The proposed scheme can protect both parties from compromise and precomputation attacks, in which the password file relies on the identity and random salt. What’s more, our protocol guarantees the identity privacy, that is, the transmitted record and password file will not reveal the identity information. We further present a new security model for our protocol, and prove that the proposed scheme is secure under this model. Finally, we show the practicality of our PAKE via experiments and efficiency analysis.

Haochen M. Kotoi-Xie,Takumi Moriyama

2024-04-16

Abstract:In this writing, we introduce a novel biometric-authenticated key exchange protocol that allows secure and privacy-preserving key establishment between a stateless biometric sensing system and a "smart" user token that possesses biometric templates of the user. The protocol yields a shared secret incorporating random nonce from both parties when they positively authenticate each other. Mutual positive authentication here is defined as when the feature vector calculated from the sensor data captured by the biometric sensing system only differs from the feature vector stored as the biometric template within the user token by less than a predefined threshold. The parties exchange only randomized data and cryptographically derived verifiers; no significant information regarding the vectors is ever exchanged. The protocol essentially utilizes the BBKDF scheme for feature vector matching, and as a result, the threshold is compared per component of the two vectors to be matched. This fact makes it straightforward to employ multiple biometric modalities. The protocol also allows online authentication where the biometric sensing system can potentially send multiple queries derived from different sensor data samples, in one or more rounds. The protocol is designed in such a way that the user token can very efficiently answer a multitude of such queries. This makes the protocol especially suitable for interactive systems while posing a minimal computational burden on the user token. The biometric sensing system can be made stateless, i.e. user registration in advance is not required. Furthermore, the protocol is bidirectionally privacy-preserving in the sense that unless mutual authentication is achieved first, neither the biometric sensing system, nor the user token can gain useful information, respectively regarding the biometric template, or sensor-data-derived feature vectors.

Cryptography and Security

Haiyan Sun,Chaoyang Li,Jianwei Zhang,Shujun Liang,Wanwei Huang

DOI: https://doi.org/10.3390/s24010061

IF: 3.9

2023-12-23

Sensors

Abstract:Internet of Things (IoT) applications have been increasingly developed. Authenticated key agreement (AKA) plays an essential role in secure communication in IoT applications. Without the PKI certificate and high time-complexity bilinear pairing operations, identity-based AKA (ID-AKA) protocols without pairings are more suitable for protecting the keys in IoT applications. In recent years, many pairing-free ID-AKA protocols have been proposed. Moreover, these protocols have some security flaws or relatively extensive computation and communication efficiency. Focusing on these problems, the security analyses of some recently proposed protocols have been provided first. We then proposed a family of eCK secure ID-AKA protocols without pairings to solve these security problems, which can be applied in IoT applications to guarantee communication security. Meanwhile, the security proofs of these proposed ID-AKA protocols are provided, which show they can hold provable eCK security. Some more efficient instantiations have been provided, which show the efficient performance of these proposed ID-AKA protocols. Moreover, comparisons with similar schemes have shown that these protocols have the least computation and communication efficiency at the same time.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Hu Xiong,Qianhong Wu,Zhong Chen

DOI: https://doi.org/10.1007/978-3-642-24861-0_6

2011-01-01

Abstract:Certificateless authenticated key exchange (CL-AKE) protocols do not suffer from intricate certificate management or heavy trust reliance on a third party. Unfortunately, these advantages are partially counteracted in most CL-AKE protocols which require expensive pairing operations. This paper proposes a new CL-AKE protocol without requiring any pairing operation during the protocol execution, although a pairing map may be required to realize a Decisional Diffie-Hellman (DDH) oracle in the security proof. With implicit authentication, we illustrate modular proofs in a security model incorporating standard definitions of AKE protocols and certificateless cryptography. Analysis shows that our protocol is also efficient.

An-Li Peng,Yuh-Min Tseng,Sen-Shan Huang

DOI: https://doi.org/10.1109/jsyst.2020.3038216

IF: 4.802

2021-12-01

IEEE Systems Journal

Abstract:Authenticated key exchange (AKE) protocol for client–server environments is a significant cryptographic primitive that provides communication confidentiality and mutual authentication between clients and servers. In an Internet of Things (IoT) environment, clients typically employ IoT devices with limited computing capability to interact with servers through the Internet. Numerous AKE protocols suitable for IoT devices, called AKE-IoT protocols, have been proposed. Recently, side-channel attacks have been conducted to defeat traditional cryptographic protocols because a side-channel adversary can retrieve partial content of long-term or short-term secret keys. Several leakage-resilient AKE (LRAKE) protocols were presented to counteract such attacks. Unfortunately, the existing LRAKE protocols are not suitable for IoT devices because expensive pairing operations are required for client sides. In this article, we propose the first efficient LRAKE protocol suitable for IoT devices, named LRAKE-IoT. By the unbalanced computation method, no pairing operation is required for client sides in our protocol. In the generic bilinear pairing group model, security analysis is conducted to demonstrate the security of the proposed protocol in the continuous-leakage-resilient extended-Canetti–Krawczyk model. Finally, computational experiences on two IoT devices are given to show that the proposed protocol is well-suited for IoT devices.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

María Isabel González Vasco,Angel L. Pérez del Pozo,Claudio Soriente,Maria Isabel Gonzalez Vasco,Angel Perez Del Pozo

DOI: https://doi.org/10.1109/tdsc.2019.2919013

2019-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Anonymous Password-Authenticated Key Exchange ($sf{ APAKE}$APAKE) can be seen as the hybrid offspring of standard key exchange and anonymous password authentication protocols. $sf{ APAKE}$APAKE allows a client holding a low-entropy password to establish a session key with a server, provided that the client's password is in the server's set. Moreover, no information about the password input by the client or the set of valid passwords held by the server should leak to the other party–beyond whether the client's password lies or not in the server's password database. To the best of our knowledge, all $sf{ APAKE}$APAKE proposals to date either assume client storage or force the client to remember the index assigned to its password in the server's database. Furthermore, earlier works either provide only informal definitions or fail in some sense to properly model the primitive. In this paper, we provide a formal security model for $sf{ APAKE}$APAKE, capturing security and ano-ymity provisions for both clients and servers. In addition, we present two $sf{ APAKE}$APAKE protocols that only require clients to remember a password and that attain our sought key secrecy and anonymity guarantees. Our first protocol leverages oblivious pseudo-random functions, while the second one builds upon a special type of identity-based encryption scheme.

computer science, information systems, software engineering, hardware & architecture

Yunlei Zhao

DOI: https://doi.org/10.1145/2976749.2978350

2016-01-01

Abstract:Identity concealment and zero-round trip time (0-RTT) connection are two of current research focuses in the design and analysis of secure transport protocols, like TLS1.3 and Google's QUIC, in the client-server setting. In this work, we introduce a new primitive for identity-concealed authenticated encryption in the public-key setting, referred to as higncryption, which can be viewed as a novel monolithic integration of public-key encryption, digital signature, and identity concealment. We then present the security definitional framework for higncryption, and a conceptually simple (yet carefully designed) protocol construction. As a new primitive, higncryption can have many applications. In this work, we focus on its applications to 0-RTT authentication, showing higncryption is well suitable to and compatible with QUIC and OPTLS, and on its applications to identity-concealed authenticated key exchange (CAKE) and unilateral CAKE (UCAKE). Of independent interest is a new concise security definitional framework for CAKE and UCAKE proposed in this work, which unifies the traditional BR and (post-ID) frameworks, enjoys composability, and ensures very strong security guarantee. Along the way, we make a systematically comparative study with related protocols and mechanisms including Zheng's signcryption, one-pass HMQV, QUIC, TLS1.3 and OPTLS, most of which are widely standardized or in use.

Zhishuo Zhang,Wen Huang,Ying Huang,Yongjian Liao,Zhun Zhang,Shijie Zhou

DOI: https://doi.org/10.1109/jiot.2023.3349005

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Authenticated Key agreement protocol (AKA) is one of the essential components for reliable secure communication in Industrial Internet-of-Things (IIoT) communication model. Recently, Srinivas et al. proposed a three-factor elliptic curve cryptosystem (ECC)-based AKA protocol called UAP-BCIoT for WSN-based intelligent transportation system (ITS). In this paper, we first find out that their protocol has a security weak point inherently called master secret disclose and key forgery defect which makes their protocol susceptible to variant impersonation attacks. To overcome the deficiency of their protocol, we construct an improved ECC-based three-factors (credential, password and biometric) tripartite authenticated key agreement protocol among managers Ui, domain gateway DG and IIoT nodes INj with identity dynamic revocation and online updating (IDR-OU-TAKA) for secure communication in IIoT. Unlike the vast majority of previous GWN-assisted MAKA protocols that only negotiate the session key between Ui and INj, our IDR-OU-TAKA protocol can selectively achieve Ui DG INj tripartite key negotiation according to Ui’s IPv6 addresses, meaning that any two parties can use the session key to establish a secure channel which can achieve isolation security within the IIoT domain. Besides, in our proposed IDR-OU-TAKA, the overdue or corrupted manager can be immediately revoked by dynamically maintaining the revocation list and the identity of manager can be securely updated online through an open channel. We give rigorous security proof based on real-or-random (ROR) model and the non-mathematical (informal) security analysis to our proposed IDR-OU-TAKA protocol. Finally, we conduct a comprehensive comparison and evaluation to our proposed IDR-OU-TAKA protocol with other state-of-art MAKA protocols in terms of security and functionality features, communication, and computation costs which clearly indicate that our protocol is more practical and suitable for IIoT.

computer science, information systems,telecommunications,engineering, electrical & electronic

Hu Xiong,Zhong Chen,Fagen Li

DOI: https://doi.org/10.1016/j.jnca.2012.10.001

IF: 7.574

2013-01-01

Journal of Network and Computer Applications

Abstract:Key agreement allows multi-parties exchanging public information to create a common secret key that is known only to those entities over an insecure network. In the recent years, several identity-based (ID-based) authenticated key agreement protocols have been proposed and most of them broken. In this paper, we formalize the security model of ID-based authenticated tripartite key agreement protocol and propose a provably secure ID-based authenticated key agreement protocol for three parties with formal security proof under the computational Diffie-Hellman assumption. Experimental results by using the AVISPA tool show that the proposed protocol is secure against various malicious attacks.

Andrew C. Yao,Yunlei Zhao

DOI: https://doi.org/10.1007/978-3-642-13708-2_20

2010-01-01

Abstract:In this work, we develop a family of non-malleable and deniable Diffie-Hellman key-exchange (DHKE) protocols, named deniable Internet key-exchange (DIKE). The newly developed DIKE protocols are of conceptual clarity, provide much remarkable privacy protection to protocol participants, and are of highly practical (online) efficiency.For the security of the DIKE protocols, we formulate the notion of tag-based robust non-malleability (TBRNM) for DHKE protocols, which ensures robust non-malleability for DHKE protocols against concurrent man-in-the-middle (CMIM) adversaries and particularly implies concurrent forward deniability for both protocol participants. We show that the TBRNM security and the session-key security (SK-security) in accordance with the Canetti-Krawczyk framework are mutually complementary, thus much desirable to have DHKE protocols that enjoy both of them simultaneously. We prove our DIKE protocol indeed satisfies both (privacy preserving) TBRNM security and SK-security (with post-specified peers). The TBRNM analysis is based on a variant of the knowledge-of-exponent assumption (KEA), called concurrent KEA assumption introduced and clarified in this work, which might be of independent interest.

Andrew Chi-Chih Yao,Yunlei Zhao

DOI: https://doi.org/10.1109/tifs.2013.2293457

IF: 7.231

2014-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Key-exchange, in particular Diffie-Hellman key-exchange (DHKE), is among the core cryptographic mechanisms for ensuring network security. For key-exchange over the Internet, both security and privacy are desired. In this paper, we develop a family of privacy-preserving authenticated DHKE protocols named deniable Internet key-exchange (DIKE), both in the traditional PKI setting and in the identity-based setting. The newly developed DIKE protocols are of conceptual clarity and practical (online) efficiency. They provide useful privacy protection to both protocol participants, and add novelty and new value to the IKE standard. To the best of our knowledge, our protocols are the first provably secure DHKE protocols that additionally enjoy all the following privacy protection advantages: 1) forward deniability, actually concurrent non-malleable statistical zero-knowledge, for both protocol participants simultaneously; 2) the session transcript and session-key can be generated merely from DH-exponents (together with some public values), which thus cannot be traced to the pair of protocol participants; and 3) exchanged messages do not bear peer's identity, and do not explicitly bear player role information.

Siyue Dong,Zhen Zhao,Baocang Wang,Wen Gao,Shanshan Zhang

DOI: https://doi.org/10.3390/electronics13071256

IF: 2.9

2024-03-29

Electronics

Abstract:Public key encryption with equality test (PKEET) is a cryptographic primitive that enables a tester to determine whether two ciphertexts encrypted with same or different public keys have been generated from the same message without decryption. Previous studies extended PKEET to public key encryption with designated-position fuzzy equality test (PKE-DFET), enabling testers to verify whether plaintexts corresponding to two ciphertexts are equal while ignoring specific bits at designated positions. In this work, we have filled the research gap in the identity-based encryption (IBE) cryptosystems for this primitive. Furthermore, although our authorization method is the all-or-nothing (AoN) type, it overcomes the shortcomings present in the majority of AoN-type authorization schemes. In our scheme, equality tests can only be performed between a ciphertext and a given plaintext. Specifically, even if a tester acquires multiple AoN-type authorizations, it cannot conduct unpermitted equality tests between users. This significantly reduces the risk of user privacy leaks when handling sensitive information in certain scenarios, while still retaining the flexible and simple characteristics of AoN-type authorizations. We use the Chinese national cryptography standard SM9-IBE algorithm to provide the concrete construction of our scheme, enhancing the usability and security of our scheme, while making deployment more convenient. Finally, we prove that our scheme achieves F-OW-ID-CCA security when the adversary has the trapdoor of the challenge ciphertext, and achieves IND-ID-CCA security when the adversary does not have the trapdoor of the challenge ciphertext.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yanli Ren,Shuozhong Wang,Xinpeng Zhang

DOI: https://doi.org/10.6138/jit.2011.12.4.13

2011-01-01

Abstract:The problem of key-exposure is an important issue in modern society due to the growing use of mobile devices. Weng et al. proposed an identity-based parallel key-insulated encryption (IBPKIE) scheme to solve the key-exposure problem in an identity-based cryptosystem. The scheme has long public parameters and a loose security reduction. Ren et al. presented a new IBPKIE scheme which had constant size public parameters and a tight reduction, and then extended it to a hierarchical IBPKIE (HIBPKIE) scheme. However, Wang et al. analyzed two schemes of Ren et al. and showed that they are not secure against chosen-plaintext attack. In this paper, we propose an improved IBPKIE scheme which achieves IND-ID-KI-CPA security without random oracles. Moreover, our scheme has short public parameters and a tight reduction. We then present an HIBPKIE scheme which achieves IND-sID-KI-CPA security without random oracles. In this scheme, the ciphertext size is independent of the level of the hierarchy in the HIBPKIE scheme.

Seyedsina Nabavirazavi,S. Sitharama Iyengar

DOI: https://doi.org/10.48550/arXiv.2210.16367

2022-10-29

Abstract:The rapid development of IoT networks has led to a research trend in designing effective security features for them. Due to the power-constrained nature of IoT devices, the security features should remain as lightweight as possible. Currently, most of the IoT network traffic is unencrypted. The leakage of smart devices' unencrypted data can come with the significant cost of a privacy breach. To have a secure channel with encrypted traffic, two endpoints in a network have to authenticate each other and calculate a short-term key. They can then communicate through an authenticated and secure channel. This process is referred to as authenticated key exchange (AKE). Although Datagram Transport Layer Security (DTLS) offers an AKE protocol for IoT networks, research has proposed more efficient and case-specific alternatives. This paper presents LAKEE, a straightforward, lightweight AKE protocol for IoT networks. Our protocol employs elliptic curve cryptography for generating a short-term session key. It reduces the communication and computational overhead of its alternatives while maintaining or improving their security strength. The simplicity and low overhead of our protocol make it a fit for a network of constrained devices.

Cryptography and Security

Andrew Chi-Chih Yao,Yunlei Zhao

DOI: https://doi.org/10.1145/2508859.2516695

2013-01-01

Abstract:Cryptography algorithm standards play a key role both to the practice of information security and to cryptography theory research. Among them, the MQV and HMQV protocols ((H)MQV, in short) are a family of implicitly authenticated Diffie-Hellman key-exchange (DHKE) protocols that are among the most efficient and are widely standardized. In this work, from some new perspectives and under some new design rationales, and also inspired by the security analysis of HMQV, we develop a new family of practical implicitly authenticated DHKE (IA-DHKE) protocols, which enjoy notable performance among security, efficiency, privacy, fairness and easy deployment. We make detailed comparisons between our new protocols and (H)MQV, showing that the newly developed protocols outperform HMQV in most aspects. Very briefly speaking, we achieve: • The most efficient provably secure IA-DHKE protocol to date, and the first online-optimal provably secure IA-DHKE protocols. • The first IA-DHKE protocol that is provably secure, resilience to the leakage of DH components and exponents, under merely standard assumptions without additionally relying on the knowledge-of-exponent assumption (KEA). • The first provably secure privacy-preserving and computationally fair IA-DHKE protocol, with privacy-preserving properties of reasonable deniability and post-ID computability and the property of session-key computational fairness. Guided by our new design rationales, in this work we also formalize and introduce some new concept, say session-key computational fairness (as a complement to session-key security), to the literature.

Hu Xiong,Zhong Chen,Fagen Li

DOI: https://doi.org/10.1016/j.mcm.2011.10.001

2012-01-01

Mathematical and Computer Modelling

Abstract:Authenticated key agreement (AKA) protocols are multi-party protocols in which entities exchange public information allowing them to create a common secret key that is known only to those entities over an open network. Recently, in order to circumvent the key escrow problem inherent to ID-based cryptography and the certificate management burden in traditional public key infrastructure, the notion of certificateless public key cryptography (CL-PKC) was introduced. In this paper, we first present a security model for certificateless AKA protocols for three parties, and then propose an efficient construction based on bilinear pairings. The security of the proposed scheme can be proved to be equivalent to the computational Diffie–Hellman problem in the random oracle model.

Yunxia Han,Chunxiang Xu,Changsong Jiang,Kefei Chen

DOI: https://doi.org/10.1109/tdsc.2024.3382359

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Two-factor authentication key exchange (AKE) is an effective way to strengthen the security of password-authenticated key exchange. Most two-factor AKE schemes using smart cards as the second factor require users to have the second factor with them any time, which causes users inconveniences. Biometrics provide a user-friendly manner to achieve two-factor AKE since they need not be carried. However, biometrics may have less entropy than expected and would suffer from offline guessing attacks. In this paper, we propose a secure two-factor authentication key exchange scheme TAKE that resists offline guessing attacks against biometrics and passwords. In TAKE, a user generates a combined factor of his/her biometrics and password. To protect the combined factor, the user and the server leverages secure two-party computation to blind it with a key which is protected in a trusted execution environment. Thus, TAKE prevents an adversary from eavesdropping on the combined factor, and simultaneously guarantees that he cannot recover the combined factor from blinded one to undertake offline guessing attacks even if he compromises the server and obtains the blinded combined factor. We provide the formal security proof of TAKE. The experiments show that TAKE is efficient in terms of storage, computation, and communication overhead.

computer science, information systems, software engineering, hardware & architecture

Changsong Jiang,Chunxiang Xu,Yunxia Han,Zhao Zhang,Kefei Chen

DOI: https://doi.org/10.1109/tifs.2024.3372812

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Multi-factor authenticated key exchange (AKE) enables a user to be authenticated by a server using multiple factors and negotiate a shared session key to protect subsequent communications. Most existing multi-factor AKE schemes utilize biometrics as one factor due to their uniqueness and invariance properties. To support matching for noisy biometrics and protect them, fuzzy extractors are employed to extract a constant random string from varying biometric measurements without disclosing biometric data. However, the fuzzy extractors used in these schemes merely work on biometrics with an entropy rate greater than the error rate. Hence these schemes are unsuitable for biometrics with low entropy rates. In this paper, we propose a secure two-factor AKE scheme dubbed AHEAD from passwords and biometrics, which eliminates the limitation of biometric entropy rates. In AHEAD, we conceive a matching mechanism to simultaneously check whether an input biometric measurement with low entropy rates is close enough to the registered one, and whether an input password exactly matches the registered password. The mechanism allows a valid user to generate a secret element shared with the server in an oblivious way. By adopting a randomization technique, the secret element can be randomized for derivation of session keys. The security and efficiency of AHEAD are demonstrated by formal security proofs and experimental evaluations.

computer science, theory & methods,engineering, electrical & electronic

Jintai Ding,Saed Alsayigh,Jean Lancrenon,R. Saraswathy,Michael Snook

DOI: https://doi.org/10.1007/978-3-319-52153-4_11

2017-01-01

Abstract:Authenticated Key Exchange (AKE) is a cryptographic scheme with the aim to establish a high-entropy and secret session key over a insecure communications network. Password-Authenticated Key Exchange (PAKE) assumes that the parties in play share a simple password, which is cheap and human-memorable and is used to achieve the authentication. PAKEs are practically relevant as these features are extremely appealing in an age where most people access sensitive personal data remotely from more-and-more pervasive hand-held devices. Theoretically, PAKEs allow the secure computation and authentication of a high-entropy piece of data using a low-entropy string as a starting point. In this paper, we apply the recently proposed technique introduced in [19] to construct two lattice-based PAKE protocols enjoying a very simple and elegant design that is an parallel extension of the class of Random Oracle Model (ROM)-based protocols PAK and PPK [13,41], but in the lattice-based setting. The new protocol resembling PAK is three-pass, and provides mutual explicit authentication, while the protocol following the structure of PPK is two-pass, and provides implicit authentication. Our protocols rely on the Ring-Learning-with-Errors (RLWE) assumption, and exploit the additive structure of the underlying ring. They have a comparable level of efficiency to PAK and PPK, which makes them highly attractive. We present a preliminary implementation of our protocols to demonstrate that they are both efficient and practical. We believe they are suitable quantum safe replacements for PAK and PPK.