基于身份的认证密钥协商协议的安全分析与改进

对基于身份的标准模型下可证明安全的认证密钥协商协议进行安全性分析,发现恶意的密钥生成中心(PKG,pfivate key generator)能计算出所有的会话密钥,即它在无会话密钥托管模式下不满足PKG前向安全性.因此,为满足无托管的要求,提出一个改进的基于身份的认证密钥协商协议,并在标准模型下证明其为安全的认证密钥协商协议.结果表明,改进后协议满足完善前向安全性和PKG前向安全性.     

标准模型下完美前向安全的基于身份认证密钥交换

一轮Diffie-Hellman密钥交换(One-Round Diff ie-Hellman key exchange,OR-DHKE)协议被认为无法实现完美的前向安全性(Perfect Forward Secrecy,PFS)。基于身份的OR-DHKE协议也是如此,现有研究仅实现了弱的完美 前向安全性(wPFS)。基于Cremers等人对密钥交换协议完美前向安全性的研究,文章提出 一种新的具有完美前向安全的基于身份认证密钥交换方案。文章首先提出一种较弱安全性的 基于身份 OR-DHKE协议π₀,然后采用Cremers等人提出的SIG变换方法,将π₀转化为具有完美前 向安全的基于身份认 证密钥交换方案π₁。文章简要分析了CK、CK⁺、eCK和eCK-PFS安全模型的异同,在此 基 础上定义了基于身 份认证密钥交换协议分析的强安全模型ID-eCK-PFS。在ID-eCK-PFS模型下,协议π₀和π₁的安全性被规约为 求解判定性BDH(Decisional Bilinear Diffie-Hellman,DBDH)问题,规约过程未使用随 机预言机,实现了在标准模型下的完美前向安全性和可证明安全性。     

一种故障容忍的可证安全组密钥协商协议

 对Burmester等人提出的非认证组密钥协商协议的安全性进行了深入分析,指出该协议不能抵抗内部恶意节点发起的密钥协商阻断攻击和密钥控制攻击.提出了一种故障容忍的组密钥协商(FT-GKA)协议,FT-GKA协议在密钥协商过程中加入了消息正确性的认证机制,该机制利用数字签名技术检测组内恶意节点,并在驱逐恶意节点后保证组内诚实节点能计算出正确的会话密钥,解决了Burmester等人提出协议中存在的内部恶意节点攻击问题.并证明提出的协议在DDH假设下能抵抗敌手的被动攻击,在DL假设和随机预言模型下能够抵抗内部恶意节点发起的密钥协商阻断攻击和密钥控制攻击.理论分析与实验测试表明,提出的协议具有较高的通信轮效率和较低的计算开销.     

对Bellare-Rogaway 3PKD模型安全性定义的修正

指出Bellare和Rogaway在1995年提出的三方密钥分发模型——Bellare-Rogaway 3PKD模型的安全性定义存在缺陷。为此,设计了一个新的三方密钥分发协议P-Flaw。该协议在Bellare-Rogaway 3PKD模型下是可证明安全的。但是通过分析发现该协议不能够抵抗服务器欺骗攻击、已知会话密钥攻击和重放攻击等攻击形式,其原因在于Bellare-Rogaway 3PKD模型不能够对分发的会话密钥进行源识别。利用匹配会话的概念,修正了Bellare-Rogaway 3PKD模型的安全性定义。     

多属性机构环境下的属性基认证密钥交换协议

已有基于属性的认证密钥交换协议都是在单属性机构环境下设计的,而实际应用中不同属性机构下的用户也有安全通信的需求。该文在Waters属性基加密方案的基础上提出了一个多属性机构环境下的属性基认证密钥交换协议,并在基于属性的eCK(extended Canetti-Krawczyk)模型中将该协议的安全性归约到GBDH(Gap Bilinear Diffie-Hellman)和CDH(Computational Diffie-Hellman)假设,又通过布尔函数传输用线性秘密共享机制设计的属性认证策略,在制订灵活多样的认证策略的同时,显著地降低了通信开销。     

一种适用于非平衡无线网络的组密钥交换协议

组认证密钥交换协议允许两方或多方用户通过公开的信道协商出共享的组会话密钥。针对非平衡无线网络中用户计算能力强弱不等的情况,该文提出一种适用于非平衡无线网络的组组认证密钥交换协议。该协议不但可以抵抗临时密钥泄露所带来的安全隐患,而且任意两个组中用户可以根据需要使用先前组通信消息计算独立于组会话密钥的两方会话密钥。与已有非平衡网络组密钥交换协议相比,该协议具有更高的安全性和实用性并且在随机预言模型下是可证安全的。     

无双线性对的基于身份的认证密钥协商协议

鉴于目前大多数基于身份的认证密钥协商(ID-AK)协议需要复杂的双线性对运算,该文利用椭圆曲线加法群构造了一个无双线性对的ID-AK协议。协议去除了双线性对运算,效率比已有协议提高了至少33.3%;同时满足主密钥前向保密性、完善前向保密性和抗密钥泄露伪装。在随机预言机模型下,协议的安全性可规约到标准的计算性Diffie-Hellman假设。     

可证明安全的基于位置的Prover-to-Prover密钥交换协议

本文针对两个证明者之间可证明安全的基于位置密钥交换协议展开研究.首次将基于位置密钥交换分为P2V(Prover-to-Verifier)模式和P2P(Prover-to-Prover)模式,并给出P2P模式下基于位置密钥交换的安全定义.随后,在1维空间下设计了可证明安全的基于位置P2P密钥交换协议P2PKE¹,并以此为基础构造了d(1≤d≤3)维空间下基于位置P2P密钥交换协议P2PKE^d.同时,分别提出了具有密钥确认性质的基于位置P2P密钥交换协议P2PKE^d-c和无密钥托管的基于位置P2P密钥交换协议P2PKE^d-e.最后,从安全性和效率两方面对所设计的协议进行了讨论.     

计算可靠的Diffie-Hellman密钥交换协议自动证明

针对Diffie-Hellman密钥交换协议,提出了采用观测等价关系的建模方法,证明了该方法的可靠性,并利用该方法扩展了自动工具CryptoVerif的验证能力。发现了对公钥Kerberos协议自动证明中敌手能力模型的缺陷,并提出了修正方法。利用扩展的CryptoVerif自动证明了基于Diffie-Hellman的Kerberos协议的安全性,验证了该扩展方法的有效性。与现有大部分证明方法不同的是,该证明方法既保留了自动证明工具的易用性,又保证了计算模型下的强可靠性。     

UC安全的空间网络双向认证与密钥协商协议

 为了满足空间信息网络异构互联和高动态组网时,实施接入时的访问控制要求,基于Diffie-Hellman 密钥交换,采用签名认证方式,在飞行器与外部子网无任何安全关联的假设条件下,提出了基于有证书的公钥系统模型下的空间信息网络安全接入认证与密钥协商协议,可用于飞行器进入空间信息网或跨子网漫游时,与接入点之间的双向认证与密钥协商过程.分析表明,在DDH(Decisional Diffie-Hellman)假定成立的前提下,所提出的协议在UC(Universally Composable)安全模型下是可证明安全的.     

基于向量空间接入结构的分布式密钥生成

密钥生成是密码系统的一个重要组成部分,其安全性对整个密码系统的安全性起着至关重要的作用.在群体保密通信、电子商务和面向群体的密码学中,往往需要采用分布式的密钥生成方式.本文对基于向量空间接入结构的分布式密钥生成进行了研究.以向量空间接入结构上信息论安全的一个可验证秘密分享方案为基础,提出了适应于这类接入结构的一个安全高效的分布式密钥生成协议.该协议比常见的基于门限接入结构的分布式密钥生成协议具有更广泛的适用性.     

A secure and efficient password‐authenticated group key exchange protocol for mobile ad hoc networks

Password‐authenticated group key exchange protocols enable communication parties to establish a common secret key (a session key) by only using short secret passwords. Such protocols have been receiving significant attention. This paper shows some security weaknesses in some recently proposed password‐authenticated group key exchange protocols. Furthermore, a secure and efficient password‐authenticated group key exchange protocol in mobile ad hoc networks is proposed. It only requires constant round to generate a group session key under the dynamic scenario. In other words, the overhead of key generation is independent of the size of a total group. Further, the security properties of our protocol are formally validated by a model checking tool called AVISPA. Security and performance analyses show that, compared with other related group key exchange schemes, the proposed protocol is also efficient for real‐world applications in enhancing the security over wireless communications. Copyright © 2011 John Wiley & Sons, Ltd.     

PUF‐based solutions for secure communications in Advanced Metering Infrastructure (AMI)

Advanced metering infrastructure (AMI) provides 2‐way communications between the utility and the smart meters. Developing authenticated key exchange (AKE) and broadcast authentication (BA) protocols is essential to provide secure communications in AMI. The security of all existing cryptographic protocols is based on the assumption that secret information is stored in the nonvolatile memories. In the AMI, the attackers can obtain some or all of the stored secret information from memories by a great variety of inexpensive and fast side‐channel attacks. Thus, all existing AKE and BA protocols are no longer secure. In this paper, we investigate how to develop secure AKE and BA protocols in the presence of memory attacks. As a solution, we propose to embed a physical unclonable function (PUF) in each party, which generates the secret values as required without the need to store them. By combining PUFs and 2 well‐known and secure protocols, we propose PUF‐based AKE and BA protocols. We show that our proposed protocols are memory leakage resilient. In addition, we prove their security in the standard model. Performance analysis of both protocols shows their efficiency for AMI applications. The proposed protocols can be easily implemented.     

Cryptanalysis and improvement of the YAK protocol with formal security proof and security verification via Scyther

Hao proposed the YAK as a robust key agreement based on public‐key authentication, and the author claimed that the YAK protocol withstands all known attacks and therefore is secure against an extremely strong adversary. However, Toorani showed the security flaws in the YAK protocol. This paper shows that the YAK protocol cannot withstand the known key security attack, and its consequences lead us to introduce a new key compromise impersonation attack, where an adversary is allowed to reveal both the shared static secret key between two‐party participation and the ephemeral private key of the initiator party in order to mount this attack. In addition, we present a new security model that covers these attacks against an extremely strong adversary. Moreover, we propose an improved YAK protocol to remedy these attacks and the previous attacks mentioned by Toorani on the YAK protocol, and the proposed protocol uses a verification mechanism in its block design that provides entity authentication and key confirmation. Meanwhile, we show that the proposed protocol is secure in the proposed formal security model under the gap Diffie‐Hellman assumption and the random oracle assumption. Moreover, we verify the security of the proposed protocol and YAK protocol by using an automatic verification method such as the Scyther tool, and the verification result shows that the security claims of the proposed protocol are proven, in contrast to those of the YAK protocol, which are not proven. The security and performance comparisons show that the improved YAK protocol outperforms previous related protocols.     

Cryptanalysis of an identity‐based authenticated key exchange protocol

Authenticated key exchange protocols represent an important cryptographic mechanism that enables several parties to communicate securely over an open network. Elashry, Mu, and Susilo proposed an identity‐based authenticated key exchange (IBAKE) protocol where different parties establish secure communication by means of their public identities.The authors also introduced a new security notion for IBAKE protocols called resiliency, that is, if the secret shared key is compromised, the entities can generate another shared secret key without establishing a new session between them. They then claimed that their IBAKE protocol satisfies this security notion. We analyze the security of their protocol and prove that it has a major security flaw, which renders it insecure against an impersonation attack. We also disprove the resiliency property of their scheme by proposing an attack where an adversary can compute any shared secret key if just one secret bit is leaked.     

Strongly secure ID‐based authenticated key agreement protocol for mobile multi‐server environments

To provide mutual authentication and communication confidentiality between mobile clients and servers, numerous identity‐based authenticated key agreement (ID‐AKA) protocols were proposed to authenticate each other while constructing a common session key. In most of the existing ID‐AKA protocols, ephemeral secrets (random values) are involved in the computations of the common session key between mobile client and server. Thus, these ID‐AKA protocols might become vulnerable because of the ephemeral‐secret‐leakage (ESL) attacks in the sense that if the involved ephemeral secrets are compromised, an adversary could compute session keys and reveal the private keys of participants in an AKA protocol. Very recently, 2 ID‐AKA protocols were proposed to withstand the ESL attacks. One of them is suitable for single server environment and requires no pairing operations on the mobile client side. The other one fits multi‐server environments, but requires 2 expensive pairing operations. In this article, we present a strongly secure ID‐AKA protocol resisting ESL attacks under mobile multi‐server environments. By performance analysis and comparisons, we demonstrate that our protocol requires the lowest communication overhead, does not require any pairing operations, and is well suitable for mobile devices with limited computing capability. For security analysis, our protocol is provably secure under the computational Diffie‐Hellman assumption in the random oracle model.     

A lightweight anonymous two‐factor authentication protocol for wireless sensor networks in Internet of Vehicles

Internet of Vehicles (IoV), as the next generation of transportation systems, tries to make highway and public transportation more secure than used to be. In this system, users use public channels for their communication so they can be the victims of passive or active attacks. Therefore, a secure authentication protocol is essential for IoV; consequently, many protocols are presented to provide secure authentication for IoV. In 2018, Yu et al proposed a secure authentication protocol for WSNs in vehicular communications and claimed that their protocol could satisfy all crucial security features of a secure authentication protocol. Unfortunately, we found that their protocol is susceptible to sensor capture attack, user traceability attack, user impersonation attack, and offline sink node's secret key guessing attack. In this paper, we propose a new authentication protocol for IoV which can solve the weaknesses of Yu et al's protocol. Our protocol not only provides anonymous user registration phase and revocation smart card phase but also uses the biometric template in place of the password. We use both Burrow‐Abadi‐Needham (BAN) logic and real‐or‐random (ROR) model to present the formal analysis of our protocol. Finally, we compare our protocol with other existing related protocols in terms of security features and computation overhead. The results prove that our protocol can provide more security features and it is usable for IoV system.     

An authenticated group key distribution mechanism using theory of numbers

A group key distribution protocol can enable members of a group to share a secret group key and use it for secret communications. In 2010, Harn and Lin proposed an authenticated group key distribution protocol using polynomial‐based secret sharing scheme. Recently, Guo and Chang proposed a similar protocol based on the generalized Chinese remainder theorem. In this paper, we point out that there are some security problems of Guo and Chang's protocol and propose a simpler authenticated group key distribution protocol based on the Chinese remainder theorem. The confidentiality of our proposed protocol is unconditionally secure. Copyright © 2013 John Wiley & Sons, Ltd.     

A simple three‐party password‐based key exchange protocol

In three‐party password‐based key exchange (3PAKE) protocol, a client is allowed to share a human‐memorable password with a trusted server such that two clients can agree on a secret session key for secure connectivity. Recently, many 3PAKE protocols have been developed. However, not all of them can simultaneously achieve security and efficiency. Without any server's public key, this article will propose a simple three‐party password‐based authenticated key exchange scheme. Compared with the existing schemes, the proposed scheme is not only more efficient, but also is secure. Copyright © 2009 John Wiley & Sons, Ltd.