ON THE KEY-COMPROMISE IMPERSONATION VULNERABILITY
OF ONE-PASS KEY ESTABLISHMENT PROTOCOLS
K. Chalkias, F. Mpaldimtsi, D. Hristu-Varsakelis and G. Stephanides
Computational Systems and Software Engineering Laboratory
Department of Applied Informatics
University of Macedonia
156 Egnatia St.
Thessaloniki, Greece
Keywords:
Two-party key establishment, one-pass protocols, key-compromise impersonation, one-way channel.
Abstract:
Key establishment protocols are among the most important security mechanisms via which two or more parties can generate a common session key in order to encrypt their communications over an otherwise insecure network. This paper is concerned with the vulnerability of one-pass two-party key establishment protocols to key-compromise impersonation (K-CI) attacks. The latter may occur once an adversary has obtained the long-term private key of an honest party, and represents a serious, but often underestimated, threat. This is because an entity may not be aware that her computer has been compromised and her private key is exposed, and because a successful impersonation attack may result in far greater harm than the reading of past and future conversations. Our aim is to describe two main classes of K-CI attacks that can be mounted against all of the best-known one-pass protocols, including MQV and HMQV. We show that one of the attacks described can be somewhat avoided (though not completely eliminated) through the combined use of digital signatures and time-stamps; however, there still remains a class of K-CI threats for which there is no obvious solution.
1 INTRODUCTION
In order for two parties to communicate securely over an unreliable public network, they must be able to authenticate one another and agree on a secret encryption key. To achieve this, key establishment protocols are used at the start of a communication session in order to verify the parties' identities and establish a common session key. There are two basic categories of protocols (Blake-Wilson and Menezes, 1998). The first includes so-called key transport protocols, in which the session key is created by one entity and is securely transmitted to the other. A second category includes key agreement protocols, where information from both entities is used to derive the shared secret key. A protocol is said to be symmetric if both entities a priori possess some common secret data, and asymmetric if the two entities share only authenticated public information, such as a public key with a digital certificate.
Since the introduction of the Diffie-Hellman key exchange (Diffie and Hellman, 1976), a large number of key establishment protocols have been proposed, including recent one-round (Jeong et al., 2004; Law et al., 1998), two-round (Bird et al., 1991; Lu et al., 2005) and three-round approaches (Blake-Wilson and Menezes, 1998; Boyd et al., 2004; Kwon, 2001). Some of the disadvantages of these protocols are their high computational and communication cost which, combined with their round complexity, make them unsuitable for use over one-way communication channels. At the same time, there are a variety of applications that require low-cost one-way channel communication. Some of the best-known examples include e-mail and SMS, where the receiver cannot immediately reply; store-and-forward applications (e.g., printers), where messages are sent to resources which need not reply at all; and secure key exchange in mobile environments, where low communication cost is critical.
To satisfy these requirements, efficient scalable one-pass key establishment protocols have been developed recently (Law et al., 1998; Krawczyk, 2005). In those schemes, only one of the parties transmits information in order to create the session key (but does not transmit the key itself). This means that one-pass approaches lie somewhere between the key transport and key agreement categories [1]. Furthermore, most, if not all, have been derived from modifications of pre-existing x-round protocols.

Chalkias K., Mpaldimtsi F., Hristu-Varsakelis D. and Stephanides G. (2007). ON THE KEY-COMPROMISE IMPERSONATION VULNERABILITY OF ONE-PASS KEY ESTABLISHMENT PROTOCOLS. In Proceedings of the Second International Conference on Security and Cryptography, pages 222-228. DOI: 10.5220/0002125702220228. Copyright © SciTePress.
Almost all one-pass approaches belong to the category of authenticated key establishment (AK) protocols, because they provide implicit key authentication (IKA), meaning that the two (uncorrupted) parties using the protocol are assured that no one else can possibly learn the value of their session key. On the other hand, one-pass protocols cannot achieve known key security (K-KS), because an adversary can simply replay a previous protocol run that he has managed to record; nor can they provide perfect forward secrecy (PFS), because there can be no protocol for implicit authentication that achieves PFS with two or fewer messages (Krawczyk, 2005). Finally, one-pass approaches are prone to key-compromise impersonation (K-CI) attacks, in a number of ways which will be discussed shortly.
Arguably, protocol designers are often more concerned with PFS, and seem to ignore K-CI (Strangio, 2006). However, K-CI can potentially have more serious consequences: besides reading past or future conversations, an attacker would also be able to elicit additional information that may never have been communicated otherwise, by masquerading as a different honest principal. Because of this, it is our opinion that more emphasis should be given to a protocol being K-CI-resistant. In this paper, we discuss and demonstrate a series of impersonation attacks that affect one-pass key establishment protocols after a key compromise has occurred. We also examine the use of time-stamps and standard digital signatures for the purpose of withstanding certain types of K-CI attacks. To the best of our knowledge, this is the first detailed study of such attacks on one-pass key establishment protocols.
The remainder of this paper is organized as follows: In Section 2 we fix notation and review some required definitions. Section 3 describes some of the best known one-pass two-party key establishment protocols. Section 4 discusses the K-CI vulnerability vis-a-vis a series of important and widely-used applications, and describes two basic types of K-CI attacks and possible responses.
[1] For this reason, it seems more appropriate to speak of one-pass key establishment as opposed to key agreement, as is done in most of the literature.
2 NOTATION AND PRIMITIVES
The protocols described in the next Section can be defined over any finite commutative group G of order n that comes equipped with a difficult discrete logarithm problem. Throughout this paper we consider asymmetric protocols based on elliptic curve cryptosystems (G will be the group of points on an elliptic curve), and we will use additive representation for group operations (Kaliski, 2001). We will let P denote a generator of G, and will assume that G, P and n are fixed and known in advance to the parties. We will write cP to denote scalar multiplication, where c ∈ Z_n.
The security of the protocols discussed next is linked to the following problems, whose solution is assumed to be difficult to compute in polynomial time:

Definition 1 (Discrete Log Problem, DLP). Given P, Q ∈ G, find an integer a ∈ Z_n such that Q = aP ∈ G.

Definition 2 (Computational Diffie-Hellman Problem, CDHP). Given P, aP, bP ∈ G, for some unknown a, b ∈ Z_n, find abP ∈ G.
In the following we will apply hash functions and signature schemes to lists of several arguments. In such cases, we are going to write function arguments separated by commas, e.g., H(X, Y, Z). By doing so, we assume that we have a collision-free encoding which maps lists of arguments to binary strings, and that the parties' identities are arbitrary binary strings.
An entity, say Â, participating in a protocol is assigned a static key pair (a, A), consisting of a private key a and a public key A. Public keys (denoted by upper case letters) are elements of G, while private keys (denoted by the corresponding lower case letters) are elements of Z_n. For example, the private key a corresponds to the public key A = aP.
Public keys are registered with a trusted directory, called the certificate authority (CA). The CA registers arbitrary keys with the restriction that no party can have more than one registered public key. We assume that all honest parties have a priori generated their public keys and have registered them with the CA, so that they can be known to and verified by other parties during protocol execution.

Table 1 lists the notation used throughout the paper.
Table 1: Notation.

  Â, B̂       identities of two communicating parties
  P          generator of the group G
  n          prime order of G
  a, b       static private keys of Â and B̂, a, b ∈ Z_n
  A, B       static public keys of Â and B̂, A = aP, B = bP
  r          ephemeral private key
  R          ephemeral public key, R = rP
  sk_i       session key generated by entity i
  Q̄          the integer obtained from the binary representation of the x-coordinate of the elliptic curve point Q
  H          a cryptographic hash function
  H̄          an l-bit hash function, l = (log_2 n + 1)/2
  ||         concatenation symbol
  ⊕          XOR function
  x ←_R X    sampling of an element x uniformly at random from X
3 ONE-PASS PROTOCOLS
In a one-pass AK protocol it is possible for entities Â and B̂ to agree upon a session key after a single message has been sent from Â to B̂, provided that Â has an authenticated copy of B̂'s static public key. A two-pass protocol can be converted to one-pass simply by replacing B̂'s ephemeral public key with his static public key (Blake-Wilson et al., 1997). In this Section we use precisely this technique to create one-pass versions of the following protocols (described in Tables 2-7, respectively):
- The Unified Model, proposed by Ankney, Johnson and Matyas (Ankney et al., 1995); it is an AK protocol in the draft standards ANSI X9.42 (ANSI-X9.42, 1998), ANSI X9.63 (ANSI-X9.63, 1998), and IEEE P1363 (IEEE-1363, 1998).
- The Key Exchange Algorithm (KEA), designed by the National Security Agency and declassified in 1998 (NIST, 1998). KEA is the key agreement protocol in the FORTEZZA suite of cryptographic algorithms designed by the NSA in 1994, and it is similar to the Goss (Goss, 1990) and MTI/A0 (Matsumoto et al., 1986) protocols.
- The KEA+ protocol proposed by (Lauter and Mityagin, 2001); a modified version of the KEA protocol, which satisfies stronger security requirements than simple KEA for authenticated key exchange.
- The MQV protocol (Law et al., 1998) that is in the draft standards ANSI X9.42 (ANSI-X9.42, 1998), ANSI X9.63 (ANSI-X9.63, 1998), and IEEE P1363 (IEEE-1363, 1998). MQV was proposed by the NSA as the standard key exchange protocol for the US government.
- The HMQV protocol by (Krawczyk, 2005; Menezes, 2005) that was proposed as an alternative to MQV. In particular, there are two one-pass variants, namely HMQV(1) and HMQV(2). The two are quite similar; HMQV(2) was proposed for compatibility reasons (with the other x-round variants of HMQV).
For each protocol, we assume that two entities, say Bob and Alice, each own a static key pair, the public part of which is presumed to be known and verified by the other party. Alice generates an ephemeral key pair (r, R) and sends the ephemeral public key, R, to Bob, along with her identity Â. Afterward, they compute a session key which can be shown to be the same for both of them.
Table 2: One-pass UM.

  Alice (a, A)                          Bob (b, B)
  r ←_R Z_n, R = rP
                    ---- R, Â ---->
  sk_A = aB || rB                       sk_B = bA || bR

Table 3: One-pass KEA.

  Alice (a, A)                          Bob (b, B)
  r ←_R Z_n, R = rP
                    ---- R, Â ---->
  sk_A = aB ⊕ rB                        sk_B = bA ⊕ bR

Table 4: One-pass KEA+.

  Alice (a, A)                          Bob (b, B)
  r ←_R Z_n, R = rP
                    ---- R, Â ---->
  sk_A = H(aB, rB, Â, B̂)                sk_B = H(bA, bR, Â, B̂)
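The following Python block is an added illustration and is not code from the paper: it runs the one-pass UM, KEA and KEA+ exchanges of Tables 2-4 and the one-pass HMQV(1) exchange of Table 6 end to end and checks that Alice and Bob derive the same session key from the single message (R, Â). Two assumptions keep it self-contained: the group is the prime-order subgroup of Z_p^* for the constructed, insecure toy parameters p = 2039, n = 1019, P = 4 rather than an elliptic curve (so cP is modular exponentiation and X + Y is modular multiplication), and the l-bit hash H̄ is taken as the leading l bits of SHA-256. One-pass MQV is left out because Q̄ depends on elliptic-curve x-coordinates, which this stand-in group does not have.

```python
"""One-pass key establishment (UM, KEA, KEA+, HMQV(1)) over a toy group.

Added illustration, not code from the paper. The paper writes its group
additively (cP, X + Y); here the group is the order-n subgroup of Z_p^* for
the constructed, insecure safe prime p = 2039 (n = 1019), so cP is modular
exponentiation and X + Y is modular multiplication.
"""
import hashlib
import secrets

p = 2039   # constructed toy modulus, p = 2n + 1 (assumption; NOT a secure size)
n = 1019   # prime order of the subgroup generated by P
P = 4      # generator of the order-n subgroup (4 = 2^2 is a quadratic residue mod p)


def mul(c, Q):
    """Scalar multiplication cQ in the paper's additive notation."""
    return pow(Q, c % n, p)


def add(X, Y):
    """Group operation X + Y in the paper's additive notation."""
    return (X * Y) % p


def keygen():
    """A key pair (x, X) with X = xP; used for static and ephemeral keys alike."""
    x = secrets.randbelow(n - 1) + 1
    return x, mul(x, P)


def H(*args):
    """Hash of an argument list under an unambiguous (length-prefixed) encoding."""
    h = hashlib.sha256()
    for arg in args:
        data = arg if isinstance(arg, bytes) else str(arg).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()


L_BITS = (n.bit_length() + 1) // 2   # l = (log_2 n + 1)/2 from Table 1


def H_bar(*args):
    """l-bit hash used by HMQV, taken here as the leading l bits of H (assumption)."""
    return int.from_bytes(H(*args), "big") >> (256 - L_BITS)


# Table 2, one-pass UM: sk_A = aB || rB, sk_B = bA || bR.
def um_alice(a, r, B):
    return (mul(a, B), mul(r, B))


def um_bob(b, A, R):
    return (mul(b, A), mul(b, R))


# Table 3, one-pass KEA: sk_A = aB XOR rB, sk_B = bA XOR bR.
def kea_alice(a, r, B):
    return mul(a, B) ^ mul(r, B)


def kea_bob(b, A, R):
    return mul(b, A) ^ mul(b, R)


# Table 4, one-pass KEA+: sk_A = H(aB, rB, A^, B^), sk_B = H(bA, bR, A^, B^).
def keaplus_alice(a, r, B, idA, idB):
    return H(mul(a, B), mul(r, B), idA, idB)


def keaplus_bob(b, A, R, idA, idB):
    return H(mul(b, A), mul(b, R), idA, idB)


# Table 6, one-pass HMQV(1): d = H_bar(R, (A^, B^)), sk_A = (r + ad)B, sk_B = bR + bdA.
def hmqv1_alice(a, r, R, B, idA, idB):
    d = H_bar(R, idA, idB)
    return mul((r + a * d) % n, B)


def hmqv1_bob(b, A, R, idA, idB):
    d = H_bar(R, idA, idB)
    return add(mul(b, R), mul((b * d) % n, A))


def run_all(idA=b"Alice", idB=b"Bob"):
    """Run each protocol once; True means both sides derived the same key."""
    a, A = keygen()          # Alice's static pair
    b, B = keygen()          # Bob's static pair
    r, R = keygen()          # Alice's ephemeral pair; (R, A^) is the single message sent
    return {
        "UM": um_alice(a, r, B) == um_bob(b, A, R),
        "KEA": kea_alice(a, r, B) == kea_bob(b, A, R),
        "KEA+": keaplus_alice(a, r, B, idA, idB) == keaplus_bob(b, A, R, idA, idB),
        "HMQV(1)": hmqv1_alice(a, r, R, B, idA, idB) == hmqv1_bob(b, A, R, idA, idB),
    }


if __name__ == "__main__":
    print(run_all())
```

The agreement in HMQV(1) is visible in the exponents: Alice computes (r + ad)·bP and Bob computes b·rP + bd·aP = b(r + ad)P, so the two coincide; the same holds for the static-times-ephemeral terms aB = bA and rB = bR that UM, KEA and KEA+ combine.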
4 KEY-COMPROMISE IMPERSONATION ATTACKS
Obviously, if a private key is compromised then the attacker can impersonate the "corrupted" party to other entities, because entities are identified precisely by their private key. This kind of impersonation attack cannot be prevented in any of the existing public key cryptographic schemes. Instead, by "resistance to key-compromise impersonation (K-CI) attacks", we will understand the property of a protocol whereby if one party's long-term private key is somehow disclosed to an adversary, then that adversary will not be able to impersonate other entities to that party (Blake-Wilson et al., 1997). A number of security models for K-CI resilience of AKE protocols have been developed in the literature (Zhu et al., 2005; Krawczyk, 2005; LaMacchia et al.). The work in (Krawczyk, 2005) mentions that protocols which use long-term static Diffie-Hellman keys g^a, g^b to derive a session key g^{ab} (as all of the one-pass protocols examined here do) are insecure against K-CI attacks, but does not elaborate further. Before describing any attacks, we briefly mention some of the applications for which the use of one-pass protocols has been proposed (Oh et al., 2003), and the consequences of a K-CI attack in each setting.

Table 5: One-pass MQV.

  Alice (a, A)                          Bob (b, B)
  r ←_R Z_n, R = rP
                    ---- R, Â ---->
  sk_A = (r + R̄a)(1 + B̄)B               sk_B = (b + B̄b)(R + R̄A)

Table 6: One-pass HMQV(1).

  Alice (a, A)                          Bob (b, B)
  r ←_R Z_n, R = rP
                    ---- R, Â ---->
  sk_A = (r + ad)B                      sk_B = bR + bdA
  where d = H̄(R, (Â, B̂))
4.1 Consequences of K-CI Vulnerability
The major danger with K-CI is that an adversary can possibly gain much more knowledge than by simply having access to past or future conversations of an entity. Obviously, with knowledge of a party's private key, an attacker can eavesdrop and decrypt past or future conversations of that party [2]. Besides eavesdropping, however, a K-CI attacker would also be able to actively elicit additional information that may never have been communicated otherwise, by pretending to be a trusted entity to the victim (e.g., the attacker steals one's private key and is then able to pretend to be their lawyer or business associate).
E-mail. In an e-mail system one may wish to send encrypted messages by only using the recipient's own public information, such as name or e-mail address. Because one party may be temporarily off-line, e-mail communication resembles a one-way channel, and thus a one-pass AK protocol might be suitable in order to send a message without additional communication overhead (Oh et al., 2003). All modern one-pass schemes provide assurance that no user other than the receiver will be able to compute the value of the shared secret key, as long as users remain uncorrupted. However, the vast number of e-mail users combined with the extensive presence of malicious software makes it likely that private keys stored on personal computers (e.g., in conventional memory) can be compromised. Examples of serious K-CI consequences include the impersonation of a government entity or the victim's lawyer to obtain information, and the impersonation of a stockbroker's clients and vice versa.

[2] This attack can be prevented by modern x-round protocols, in which both parties exchange an ephemeral public key.

Table 7: One-pass HMQV(2).

  Alice (a, A)                          Bob (b, B)
  r ←_R Z_n, R = rP
                    ---- R, Â ---->
  sk_A = (1 + e)(r + da)B               sk_B = (R + dA)(b + be)
  where d = H̄(R, B̂) and e = H̄(B, Â)
E-Commerce. For transactions held exclusively in cyberspace, one needs a key agreement protocol that offers authentication of the sender's identity. Furthermore, as the session key must be changed in every session, a protocol must provide both implicit key authentication and key freshness. One-pass AK protocols meet both of these requirements, and have been proposed as a possible mechanism for secure e-shopping. The consequences of a K-CI attack on an on-line transaction might include an adversary, say Eve, impersonating an on-line shop to a client whose private key she has obtained, and asking for personal or credit information.
Mobile Transactions. In wireless communications, such as wireless e-commerce, the authentication of a user is a very important issue, since the user's physical location changes frequently. Moreover, the computational power of a mobile device is likely to be limited. In light of these considerations, one-pass AK protocols have been proposed as a possible solution in wireless environments, because of their low communication overhead. As with K-CI attacks on e-commerce applications, an adversary can cause the disclosure of confidential data from the victims. Moreover, in cases where the attacker impersonates the wireless connection server, victims may be connected to an unauthorized network, and thus their (mobile) computer may be corrupted further.
4.2 K-CI Attacks
We will distinguish between two types of K-CI attacks, defined below.
4.2.1 Type-1
All existing one-pass AK establishment protocols are open to the general K-CI attack, in which an intruder, Eve, masquerades as a different entity and tries to establish a valid session key with the compromised party, Bob. There is no need for eavesdropping in this case: Eve, knowing Bob's private key, can initiate a new session with him by creating and sending an ephemeral public key, R, pretending to be another honest entity, Alice. In that case, Eve can compute the same session key as Bob, who is convinced that the key is shared with Alice. The attack is illustrated in Table 8. Its success is based on the fact that none of the one-pass approaches mentioned here includes a sender verification mechanism. For instance, an exponential challenge-response (XCR) signature (from a player A to a player B), used in the HMQV protocol (Krawczyk, 2005), can also be constructed by anyone who has knowledge of the recipient's private key. This means that if an attacker has knowledge of B's private key, he is able to create a signature of this type and thus impersonate A to B.
Table 8: Type-1 K-CI attack on HMQV(1).

  Eve (knows b, B, A)                   Bob (b, B)
  r ←_R Z_n, R = rP
                    ---- R, Â ---->
  sk_E = bR + bdA                       sk_B = bR + bdA
  where d = H̄(R, (Â, B̂))

Table 9: Solution to Type-1 K-CI attack on HMQV(1).

  Alice (a, A)                          Bob (b, B)
  r ←_R Z_n, R = rP
              ---- R, Â, T, Sig_Â(R, T, B̂) ---->
                                        verify Sig_Â(R, T, B̂)
                                        if OK continue
  sk_A = (r + ad)B                      sk_B = bR + bdA
  where d = H̄(R, (Â, B̂))
A possible solution to the Type-1 K-CI attack would be to have the sender transmit her digital signature on her ephemeral public key (see Table 9). Then, the receiver would be able to verify the signature before accepting the key (and the sender's identity). We stress the importance of including the recipient's identity, B̂, in the signed message, to avoid the possibility of an attacker impersonating A by re-using A's signature from a protocol run between A and a different entity. The procedure described above does not protect against replay attacks. One way to reduce, but not eliminate, the replay vulnerability is to have parties append time-stamps to their messages [3]. More specifically, B can examine the time-stamp T sent by the protocol initiator, A, and terminate the protocol if "too much" time has elapsed since T. Of course, this requires synchronization of A's and B's clocks, to within some reasonable tolerance. Depending on the statistics of the transmission delay imposed by the communication channel, an entity can set a time threshold that leaves a potential attacker little time to mount a replay attack. If A's and B's clocks are perfectly synchronized and the transmission delay is known with certainty, then the time left for an attack could be made arbitrarily small. The question of what is an acceptable time threshold will generally be application-dependent, and will not be discussed further here. Finally, one could also claim that signing every message involving the shared key would be a possible solution to Type-1 K-CI attacks; however, the additional communication/computational cost would be very high.
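The receiver-side checks of Table 9, as an added Python illustration that is not the paper's own code. Bob looks Alice's static public key up in the CA directory, verifies Sig_Â(R, T, B̂) with his own identity as the signed recipient (so a signature Alice produced for a run with another party does not verify), rejects the message when |now - T| exceeds his tolerance, and only then computes the HMQV(1) key. The same constructed toy group as before (p = 2039, n = 1019, P = 4; not secure) is used, and since the paper leaves the signature scheme unspecified, a Schnorr-style signature over that group is assumed here.

```python
"""Receiver-side checks for the Type-1 countermeasure of Table 9.

Added illustration, not the paper's code. Alice sends (R, A^, T, Sig_A^(R, T, B^));
Bob verifies the signature under Alice's registered static public key with his
own identity as the signed recipient, bounds |now - T| by a tolerance, and only
then derives the one-pass HMQV(1) key. Assumptions: the constructed toy group
(order-n subgroup of Z_p^*, p = 2039, n = 1019; not secure) and a Schnorr-style
signature over it, since the paper does not fix a signature scheme.
"""
import hashlib
import secrets

p, n, P = 2039, 1019, 4   # constructed toy parameters (assumption; NOT a secure size)


def mul(c, Q):            # cQ in the paper's additive notation
    return pow(Q, c % n, p)


def add(X, Y):            # X + Y in the paper's additive notation
    return (X * Y) % p


def keygen():
    x = secrets.randbelow(n - 1) + 1
    return x, mul(x, P)


def H(*args):
    """Hash of an argument list under an unambiguous (length-prefixed) encoding."""
    h = hashlib.sha256()
    for arg in args:
        data = arg if isinstance(arg, bytes) else str(arg).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()


def H_bar(*args):
    """l-bit hash, l = (log_2 n + 1)/2, taken as the leading l bits of H."""
    l = (n.bit_length() + 1) // 2
    return int.from_bytes(H(*args), "big") >> (256 - l)


def sign(x, *msg):
    """Schnorr-style signature (c, s) on msg under private key x (toy, assumed scheme)."""
    k = secrets.randbelow(n - 1) + 1
    c = int.from_bytes(H(mul(k, P), *msg), "big")
    return c, (k + c * x) % n


def verify(X, sig, *msg):
    """True iff sig is a valid signature on msg under public key X."""
    c, s = sig
    K = add(mul(s, P), mul(n - c % n, X))   # equals kP exactly when (c, s) is genuine
    return int.from_bytes(H(K, *msg), "big") == c


def alice_send(a, idA, idB, now):
    """Alice's single message of Table 9; returns it with her ephemeral private key r."""
    r, R = keygen()
    return {"R": R, "id": idA, "T": now, "sig": sign(a, R, now, idB)}, r


def bob_receive(b, idB, directory, msg, now, tolerance):
    """Bob's checks in the order of Table 9; ('ok', sk_B) or ('reject', reason)."""
    A = directory.get(msg["id"])
    if A is None:
        return "reject", "unknown sender"
    # B^ is part of the signed message, so a signature made for another recipient fails here.
    if not verify(A, msg["sig"], msg["R"], msg["T"], idB):
        return "reject", "bad signature or not addressed to me"
    # Clocks are assumed synchronized to within `tolerance`; older (or future) stamps are refused.
    if abs(now - msg["T"]) > tolerance:
        return "reject", "stale time-stamp"
    d = H_bar(msg["R"], msg["id"], idB)
    return "ok", add(mul(b, msg["R"]), mul((b * d) % n, A))


def demo(now=1_000_000, tolerance=30):
    """Honest run plus four rejected variants; returns the outcome of each."""
    a, A = keygen()
    b, B = keygen()
    _, C = keygen()
    directory = {b"Alice": A, b"Bob": B, b"Carol": C}   # constructed CA directory
    msg, r = alice_send(a, b"Alice", b"Bob", now)
    sk_A = mul((r + a * H_bar(msg["R"], b"Alice", b"Bob")) % n, B)
    status, sk_B = bob_receive(b, b"Bob", directory, msg, now + 2, tolerance)
    out = {"honest": status, "keys_match": status == "ok" and sk_A == sk_B}
    # The same message delivered again after the acceptance window has closed.
    out["replayed"] = bob_receive(b, b"Bob", directory, msg, now + tolerance + 1, tolerance)[1]
    # A message Alice signed for Carol, redirected to Bob: the signed B^ is not Bob's.
    to_carol, _ = alice_send(a, b"Alice", b"Carol", now)
    out["redirected"] = bob_receive(b, b"Bob", directory, to_carol, now, tolerance)[1]
    # R altered in transit invalidates the signature.
    out["tampered"] = bob_receive(b, b"Bob", directory, dict(msg, R=add(msg["R"], P)), now, tolerance)[1]
    # A claimed identity with no registered public key.
    out["unknown"] = bob_receive(b, b"Bob", directory, dict(msg, id=b"Mallory"), now, tolerance)[1]
    return out


if __name__ == "__main__":
    print(demo())
```

The time-stamp test uses |now - T| rather than now - T, so a stamp too far in the future is refused as well; that is one way to absorb the clock skew the text mentions. Choosing the tolerance itself is the application-dependent question the paper leaves open, and a message that arrives inside the window can still be replayed within it, which is why the text calls the measure a reduction rather than an elimination of the replay risk.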
Remark: We have not included a formal proof of security against Type-1 K-CI attacks for the fix proposed in this Section. Such a proof could be constructed based on the enhanced Canetti-Krawczyk model in (Zhu et al., 2005), where, in addition to the typical queries an adversary can make, one introduces a new query called key compromise. When an adversary issues this query for a specified party, B, the adversary learns B's long-term secret, b, but no other internal information. The key compromise query is different from the weaker type of party corruption query described in (Bellare et al., 2000; Katz et al., 2002) under their "weak-corruption" model, because a party may be uncorrupted while compromised. Furthermore, because in our case there is a single data flow, one can easily show that a successful Type-1 K-CI attack against the protocol in Tab. 4.2.1, for example, implies that the adversary has defeated the digital signature scheme under the assumptions made on the time-stamps T.
4.2.2 Type-2
There is a special K-CI attack that apparently succeeds with all one-flow protocols. It is illustrated in Table 10. An intruder, Eve, that learns Bob's secret key and then eavesdrops on a single message from Alice (the initiator of the protocol) to Bob, would then be able to compute the current session key and thus impersonate Alice (but no one else) to Bob, and only for the current session. To achieve this, after Eve intercepts Alice's ephemeral public key, R, she computes the session key in the same way as Bob, and then must "cut out" Alice from the current conversation. There is no apparent solution for this attack, even if a scheme is equipped with digital signatures or time-stamps, or both. However, the Type-2 attack is rather limited compared with the general K-CI attack, in which the intruder can impersonate any entity at any time.

[3] We note that the proposed technique for improving K-CI security in HMQV can be made more efficient by computing d as H̄(R, (Â, B̂), T) and signing only the d value.

Table 10: Type-2 K-CI attack on HMQV(1).

  Alice (a, A)                Eve (knows b, B, A)                  Bob (b, B)
  r ←_R Z_n, R = rP
        ---- R, Â, T, Sig_Â(R, T, B̂) ---->
                              ---- R, Â, T, Sig_Â(R, T, B̂) ---->
                              intercept Alice                      verify Sig_Â(R, T, B̂)
                              sk_E = bR + bdA                      sk_B = bR + bdA
  where d = H̄(R, (Â, B̂))
5 CONCLUSIONS
In this paper we have examined the resistance of the most efficient one-pass asymmetric AK establishment protocols to K-CI attacks. The use of one-pass protocols is unavoidable in settings where the communication channel is one-way (e.g., e-mail, store-and-forward applications) or in cases where computational and communication cost is to be minimized (e.g., low-power mobile applications). We distinguished between two types of K-CI threats. Unfortunately, due to their similarities, none of the protocols examined here are resistant to either K-CI attack. However, their security against Type-1 K-CI attacks can be somewhat improved with the help of standard digital signatures and time-stamps, at a significant additional communication and computational cost.
Although forward secrecy (another harmful threat related to party corruption) is usually considered more important than K-CI, our discussion suggests that a K-CI attack can be more dangerous: in widely-used applications, such as e-mail, mobile and e-business transactions, the security practices of the average user are likely to be lax (making key compromise a real possibility), while at the same time a K-CI adversary can ask for and obtain information that would not have been transmitted otherwise. For this reason, the use of one-pass protocols should be avoided when possible.
REFERENCES
Ankney, R., Johnson, D., and Matyas, M. (1995). The unified model. Contribution to X9F1.
ANSI-X9.42 (1998). Agreement of symmetric algorithm keys using Diffie-Hellman. Working Draft.
ANSI-X9.63 (1998). Elliptic curve key agreement and key transport protocols. Working Draft.
Bellare, M., Pointcheval, D., and Rogaway, P. (2000). Authenticated key exchange secure against dictionary attacks. In Proceedings of EUROCRYPT 2000, LNCS 1807, pp. 139-155. Springer-Verlag.
Bird, R., Gopal, I., Herzberg, A., Janson, P., Kutten, S., Molva, R., and Yung, M. (1991). Systematic design of two-party authentication protocols. In Advances in Cryptology - CRYPTO '91, LNCS 576, pp. 44-61. Springer-Verlag.
Blake-Wilson, S., Johnson, D., and Menezes, A. (1997). Key agreement protocols and their security analysis. In Proceedings of the 6th IMA International Conference on Cryptography and Coding, LNCS 1355, pp. 30-45. Springer-Verlag.
Blake-Wilson, S. and Menezes, A. (1998). Authenticated Diffie-Hellman key agreement protocols. In Proceedings of the 5th Annual International Workshop - SAC '98, pp. 339-361. Springer-Verlag.
Boyd, C., Mao, W., and Paterson, K. G. (2004). Key agreement using statically keyed authenticators. In Applied Cryptography and Network Security - ACNS '04, LNCS 3089, pp. 248-262. Springer-Verlag.
Diffie, W. and Hellman, M. (1976). New directions in cryptography. IEEE Transactions on Information Theory, 22(6), pp. 644-654.
Goss, K. C. (1990). Cryptographic method and apparatus for public key exchange with authentication. U.S. Patent 4956865.
IEEE-1363 (1998). Standard specifications for public key cryptography. Working Draft.
Jeong, I., Katz, J., and Lee, D. (2004). One-round protocols for two-party authenticated key exchange. In Applied Cryptography and Network Security - ACNS 2004, LNCS 3089, pp. 220-232. Springer-Verlag.
Kaliski, B. (2001). An unknown key share attack on the MQV key agreement protocol. ACM Transactions on Information and System Security, pp. 3649. Springer-Verlag.
Katz, J., Ostrovsky, R., and Yung, M. (2002). Forward secrecy in password-only key exchange protocols. In Proceedings of SCN 2002, LNCS 2576, pp. 29-44. Springer-Verlag.
Krawczyk, H. (2005). HMQV: A high-performance secure Diffie-Hellman protocol. In Advances in Cryptology - CRYPTO '05, LNCS 3621, pp. 546-566. Springer-Verlag.
Kwon, T. (2001). Authentication and key agreement via memorable password. In NDSS 2001 Symposium Conference Proceedings.
LaMacchia, B., Lauter, K., and Mityagin, A. Stronger security of authenticated key exchange. http://citeseer.ist.psu.edu/lamacchia06stronger.html.
Lauter, K. and Mityagin, A. (2001). Authentication and key agreement via memorable password. In NDSS 2001 Symposium Conference Proceedings.
Law, L., Menezes, A., Qu, M., Solinas, J., and Vanstone, S. (1998). An efficient protocol for authenticated key agreement. Technical Report CORR 98-05, University of Waterloo.
Lu, R., Cao, Z., Su, R., and Shao, J. (2005). Pairing-based two-party authenticated key agreement protocol.
Matsumoto, T., Takashima, Y., and Imai, H. (1986). On seeking smart public-key distribution systems. Transactions of the IECE of Japan, E69, pp. 99-106.
Menezes, A. (2005). Another look at HMQV. Cryptology ePrint Archive, Report 2005/205.
NIST (1998). SKIPJACK and KEA algorithm specification.
Oh, S., Kwak, J., Lee, S., and Won, D. (2003). Security analysis and applications of standard key agreement protocols. In ICCSA (2), pp. 191-200. Springer-Verlag.
Strangio, M. A. (2006). On the resilience of key agreement protocols to key compromise impersonation. In European PKI Workshop on Public Key Infrastructure, LNCS 4043, pp. 233-247. Springer-Verlag.
Zhu, R. W., Tian, X., and Wong, D. S. (2005). Enhancing CK-model for key compromise impersonation resilience and identity-based key exchange. Cryptology ePrint Archive, Report 2005/455. http://eprint.iacr.org/.