References

(eds), Proceedings of Applied Cryptography and Network Security - ACNS 2006. Lecture Notes in Computer Science 3989/2006: 226–238

112. Steve Schneider 1997. Verifying Authentication Protocols with CSP, in Proceedings of IEEE Computer Security Foundation Workshop - CSFW 1997. IEEE Computer Society Press: 3–17

113. Shiuh-Pyng Shieh, Wen-Her Yang & H M Sun 1997. An Authentication Protocol without Trusted Third Party. IEEE Communications Letters 1(3): 87–89

114. Kyungah Shim 2003. Cryptanalysis of Mutual Authentication and Key Exchange for Low Power Wireless Communications. IEEE Communications Letters 7(5): 248–250

115. Victor Shoup 1999. On Formal Models for Secure Key Exchange (Version 4). Technical report no RZ 3120 (#93166). IBM Research, Zurich

116. Victor Shoup. OAEP Reconsidered, in Joe Kilian (ed), Proceedings of Advances in Cryptology - CRYPTO 2001. Lecture Notes in Computer Science 2139/2001: 239–259

117. Victor Shoup 2002. OAEP Reconsidered. Journal of Cryptology 15(4): 223–249

118. Jason Smith, Suratose Tritilanunt, Colin Boyd, Juan Manuel González Nieto & Ernest Foo 2006. Denial-of-Service Resistance in Key Establishment. International Journal of Wireless and Mobile Computing 2(1): 59–91

119. Graham Steel & Alan Bundy 2005. Attacking Group Multicast Key Management Protocols Using Coral, in Alessandro Armando & Luca Viganò (eds), Proceedings of 2nd International Joint Conference on Automated Reasoning - ARSPA 2004. Electronic Notes in Theoretical Computer Science 125(1)/2005: 125–144

120. Graham Steel, Alan Bundy & Monika Maidl 2004. Attacking a Protocol for Group Key Agreement by Refuting Incorrect Inductive Conjectures, in David A Basin & Michaël Rusinowitch (eds), Proceedings of 2nd International Joint Conference on Automated Reasoning - IJCAR 2004. Lecture Notes in Computer Science 3097/2005: 137–151

121. Adam Stubblefield, John Ioannidis & Aviel D Rubin 2004. A Key Recovery Attack on the 802.11b Wired Equivalent Privacy Protocol (WEP). ACM Transactions on Information and System Security (TISSEC) 7(2): 319–332

122. Sabrina Tarento 2005. Machine-Checked Security Proofs of Cryptographic Signature Schemes, in Sabrina de Capitani di Vimercati, Paul Syverson & Dieter Gollmann (eds), Proceedings of 10th European Symposium on Research in Computer Security - ESORICS 2005. Lecture Notes in Computer Science 3679/2005: 140–158

123. Xiaojian Tian & Duncan S Wong 2006. Session Corruption Attack and Improvements on Encryption Based MT-Authenticators, in David Pointcheval (ed), Proceedings of Cryptographers' Track at RSA Conference - CT-RSA 2006. Lecture Notes in Computer Science 3860/2006: 34–51

124. Zhiguo Wan & Shuhong Wang 2004. Cryptanalysis of Two Password-Authenticated Key Exchange Protocols, in Huaxiong Wang, Josef Pieprzyk & Vijay Varadharajan (eds), Proceedings of 9th Australasian Conference on Information Security and Privacy - ACISP 2004. Lecture Notes in Computer Science 3108/2004: 164–175

125. Shuhong Wang, Jie Wang & Maozhi Xu 2004. Weaknesses of a Password-Authenticated Key Exchange Protocol between Clients with Different Passwords, in Markus Jakobsson, Moti Yung & Jianying Zhou (eds), Proceedings of Applied Cryptography and Network Security - ACNS 2004. Lecture Notes in Computer Science 3089/2004: 414–425

126. Jeannette M Wing 1998. A Symbiotic Relationship Between Formal Methods and Security, in Proceedings of Workshops on Computer Security, Fault Tolerance, and Software Assurance: From Needs to Solution. IEEE Computer Press

127. Stefan Wolf 1999. Information-Theoretically and Computationally Secure Key Agreement in Cryptography. Ph.D. Thesis. ETH Zurich, Swiss Federal Institute of Technology Zurich. http://www.iro.umontreal.ca/~wolf/papers.html

128. Duncan S Wong & Agnes H Chan 2001. Efficient and Mutually Authenticated Key Exchange for Low Power Computing Devices, in Colin Boyd (ed), Proceedings of Advances in Cryptology - ASIACRYPT 2001. Lecture Notes in Computer Science 2248/2001: 172–289

129. Yacov Yacobi 1987. Attack on the Koyama-Ohta Identity Based Key Distribution Scheme, in Carl Pomerance (ed), Proceedings of Advances in Cryptology - CRYPTO 1987. Lecture Notes in Computer Science 293/1988: 429–433


130. Xun Yi, Chee Kheong Siew, Hung-Min Sun, Her-Tyan Yeh, Chun-Li Lin & Tzonelih Hwang 2003. Security of Park-Lim Key Agreement Scheme for VSAT Satellite Communications. IEEE Transactions on Vehicular Technology 52(2): 465–468

131. Muxiang Zhang 2004. Further Analysis of Password Authenticated Key Exchange Protocol Based on RSA for Imbalanced Wireless Networks, in Kan Zhang & Yuliang Zheng (eds), Proceedings of 7th Information Security Conference - ISC 2004. Lecture Notes in Computer Science 3225/2004: 13–24

132. Muxiang Zhang 2005. Breaking an Improved Password Authenticated Key Exchange Protocol for Imbalanced Wireless Networks. IEEE Communications Letters 9(3): 276–278

133. Zhu Zhao, Zhongqi Dong & Yongge Wang 2006. Security Analysis of a Password-based Authentication Protocol Proposed to IEEE 1363. Theoretical Computer Science 352(1-3): 280–287

134. Jianying Zhou 2000. Further Analysis of the Internet Key Exchange Protocol. Journal of Computer Communications 23(17): 1606–1612

Chapter 2

Background Materials

In this chapter, we cover the nomenclature and definitions necessary for understanding the remainder of the book. Necessary background material on the topic of cryptographic protocols, and in particular key establishment protocols, is presented. We also present overviews of the Bellare–Rogaway [13, 14, 16] and Canetti–Krawczyk [10, 30] computational complexity models, which will serve as building blocks in this book. We mainly work in these models, and several protocols proposed in this book are proven secure in one of these models.

2.1 Mathematical Background

This section introduces the basic ideas of complexity theory, introduces several different cryptographic definitions, and provides the necessary mathematical background required for the book. The notation used throughout the book is presented in Table 2.1.

2.1.1 Abstract Algebra and the Main Groups

G denotes a group, which is a set with some binary operation. We denote by G^* the set of non-identity elements of the group.

Definition 2.1.1 A group is an algebraic structure consisting of a set G of group elements and a binary group operation · : G × G → G such that the following conditions hold:

1. if a, b ∈ G, then a · b ∈ G,
2. the group operation is associative (i.e., a · (b · c) = (a · b) · c for all a, b, c ∈ G),
3. there is an identity element 1 ∈ G such that a · 1 = a = 1 · a for all a ∈ G, and
4. for each a ∈ G there is an inverse a^{-1} ∈ G such that a · a^{-1} = 1 = a^{-1} · a.



Table 2.1 Notation

Principals: Denotes protocol participants or entities.

A and B: Denote honest parties, where A is usually the initiator entity and B the responder entity (unless otherwise stated).

x ∈_R {0, 1}^k: Denotes that x is randomly chosen from {0, 1}^k, where the superscript k symbolises the security parameter.

x||y: If x and y are strings, then x||y denotes their concatenation.

x ≟ y: If x and y are strings, x ≟ y denotes checking whether x = y.

𝒜: Denotes a probabilistic, polynomial time adversary.

{·}_K: Denotes the encryption of some message under some encryption key, K.

[·]_{K_MAC}: Denotes the computation of a MAC digest under some MAC key K_MAC.

σ_{K_Sign}(·): Denotes the signature of some message under some signature key K_Sign.

⊕: Denotes the bit-wise exclusive OR (XOR) operator.

Pr[·]: Denotes the probability that p(·) is true after ordered execution of the listed experiments.

pwd_{U1U2}: Denotes some secret password shared between two users, U1 and U2.

H and H_i: Denote some secure and independent cryptographic hash functions, where i = 0, 1, . . ..

Z_p^*: Denotes the multiplicative group of non-zero integers modulo p, where p is a sufficiently large prime.

Z_q: Denotes the group of integers modulo q, where q is a prime such that q | p − 1.
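The following is an added worked example, not code from the book: it checks the four axioms of Definition 2.1.1 exhaustively against the two concrete groups named in the notation table, Z_p^* under multiplication and Z_q under addition, and also goes one step beyond the text by building the order-q subgroup of Z_p^* that the condition q | p − 1 guarantees, which is the group in which Diffie–Hellman style key establishment protocols actually work. The prime p = 23, the prime q = 11 and all function names are constructed for this illustration and appear nowhere in the book; the checks are brute force and only sensible for toy parameters.

```python
# Added example (not from the book): exhaustive checks of the four group
# axioms of Definition 2.1.1 for Z_p^* (multiplication mod p) and Z_q
# (addition mod q), plus the prime-order subgroup of Z_p^* that q | p - 1
# guarantees. p = 23, q = 11 and the function names are constructed for
# this illustration.
from itertools import product
from typing import Callable, Iterable, Set, Tuple

Op = Callable[[int, int], int]


def is_group(elements: Iterable[int], op: Op, identity: int) -> bool:
    """Return True iff (elements, op) satisfies all four axioms of Definition 2.1.1.

    Every axiom is checked exhaustively, so this is meant for toy-sized
    groups only; for real parameters one relies on the algebraic argument.
    """
    g: Set[int] = set(elements)
    # 1. Closure: a, b in G implies a . b in G.
    if any(op(a, b) not in g for a, b in product(g, repeat=2)):
        return False
    # 2. Associativity: a . (b . c) == (a . b) . c for all a, b, c.
    if any(op(a, op(b, c)) != op(op(a, b), c) for a, b, c in product(g, repeat=3)):
        return False
    # 3. Identity: a . 1 == a == 1 . a for all a.
    if identity not in g or any(op(a, identity) != a or op(identity, a) != a for a in g):
        return False
    # 4. Inverses: every a has some b with a . b == 1 == b . a.
    return all(any(op(a, b) == identity and op(b, a) == identity for b in g) for a in g)


def mul_mod(p: int) -> Op:
    """Group operation of Z_p^* (multiplication modulo p)."""
    return lambda a, b: (a * b) % p


def add_mod(q: int) -> Op:
    """Group operation of Z_q (addition modulo q)."""
    return lambda a, b: (a + b) % q


def z_p_star(p: int) -> Set[int]:
    """Non-zero integers modulo p; a group under mul_mod(p) exactly when p is prime."""
    return set(range(1, p))


def inverse_mod(a: int, p: int) -> int:
    """The inverse a^{-1} in Z_p^*, i.e. a * inverse_mod(a, p) == 1 (mod p)."""
    return pow(a, p - 2, p)  # Fermat: a^(p-2) is a^{-1} when p is prime


def prime_order_subgroup(p: int, q: int) -> Tuple[int, Set[int]]:
    """Generator g and the order-q subgroup of Z_p^* (requires q | p - 1).

    Raising any h to the power (p-1)/q lands in the unique subgroup of
    order q; the first h for which the result is not 1 generates it.
    """
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            break
    else:
        raise ValueError("no generator found")
    return g, {pow(g, i, p) for i in range(q)}


if __name__ == "__main__":
    p, q = 23, 11  # constructed toy parameters with q | p - 1 = 22
    print("Z_23^* under multiplication is a group:", is_group(z_p_star(p), mul_mod(p), 1))
    print("Z_11 under addition is a group:", is_group(range(q), add_mod(q), 0))
    # Keeping 0 breaks axiom 4 (0 has no inverse); a composite modulus breaks axiom 1
    # (3 * 5 = 15 = 0 mod 15, which is not a non-zero element).
    print("integers mod 23 incl. 0, under multiplication:", is_group(range(p), mul_mod(p), 1))
    print("non-zero integers mod 15, under multiplication:", is_group(range(1, 15), mul_mod(15), 1))
    g, sub = prime_order_subgroup(p, q)
    print("generator", g, "of an order-%d subgroup:" % len(sub), sorted(sub))
    print("5 * 5^{-1} mod 23 =", (5 * inverse_mod(5, p)) % p)
```

Running the script shows why the table insists on "non-zero" and "prime": including 0 fails the inverse axiom, and a composite modulus such as 15 fails closure. The subgroup returned for p = 23, q = 11 has exactly 11 elements and passes all four axioms itself, which is the property a protocol relies on when it draws exponents from Z_q and works with group elements of order q.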