Sufficient condition for ephemeral key-leakage resilient tripartite key exchange

17th Australasian Conference on Information Security and Privacy, ACISP 2012; Wollongong, NSW; Australia; 9 July 2012 through 11 July 2012Tripartite (Diffie-Hellman) Key Exchange (3KE), introduced by Joux (ANTS-IV 2000), represents today the only known class of group key exchange protocols, in which computation of unauthenticated session keys requires one round and proceeds with minimal computation and communication overhead. The first one-round authenticated 3KE version that preserved the unique efficiency properties of the original protocol and strengthened its security towards resilience against leakage of ephemeral (session-dependent) secrets was proposed recently by Manulis, Suzuki, and Ustaoglu (ICISC 2009). In this work we explore sufficient conditions for building such protocols. We define a set of admissible polynomials and show how their construction generically implies 3KE protocols with the desired security and efficiency properties. Our result generalizes the previous 3KE protocol and gives rise to many new authenticated constructions, all of which enjoy forward secrecy and resilience to ephemeral key-leakage under the gap Bilinear Diffie-Hellman assumption in the random oracle model. © 2012 Springer-Verlag

Secure data storage and retrieval in cloud computing

Nowadays cloud computing has been widely recognised as one of the most inuential information technologies because of its unprecedented advantages. In spite of its widely recognised social and economic benefits, in cloud computing customers lose the direct control of their data and completely rely on the cloud to manage their data and computation, which raises significant security and privacy concerns and is one of the major barriers to the adoption of public cloud by many organisations and individuals. Therefore, it is desirable to apply practical security approaches to address the security risks for the wide adoption of cloud computing

Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eCK-Secure Key Exchange Protocol in the Standard Model

LaMacchia, Lauter and Mityagin presented a strong security model for authenticated key agreement, namely the eCK model. They also constructed a protocol, namely the NAXOS protocol, that enjoys a simple security proof in the eCK model. However, the NAXOS protocol uses a random-oracle-based technique to combine the long-term secret key and the per-session-randomness; so-called NAXOS- trick, in order to achieve the eCK security definition. For NAXOS-trick-based protocols, the leakage of per-session-randomness modelled in the eCK model is somewhat unnatural, because the eCK model leaks per-session-randomness, while the output of the NAXOS-trick computation remains safe. In this work, we present a standard model eCK-secure protocol construction, eliminating the NAXOS-trick. Moreover, our protocol is a generic constructions, which can be instantiated with arbitrary suitable cryptographic primitives. Thus, we present a generic eCK-secure, NAXOS-free, standard model key exchange protocol. To the best of our knowledge this is the first paper on generic transformation of a CCA2-secure public key encryption scheme to an eCK-secure key exchange protocol in the standard model

On the Leakage-Resilient Key Exchange

Typically, secure channels are constructed from an authenticated key exchange (AKE) protocol, which authenticates the communicating parties based on long-term public keys and establishes secret session keys. In this paper we address the partial leakage of long-term secret keys of key exchange protocol participants due to various side-channel attacks. Security models for two-party authenticated key exchange protocols have developed over time to provide security even when the adversary learns certain secret values. This paper combines and extends the advances of security modelling for AKE protocols addressing more granular partial leakage of long-term secrets of protocol participants

Efficient Compilers for After-the-Fact Leakage: from CPA to CCA-2 secure PKE to AKE

The goal of leakage-resilient cryptography is to construct cryptographic algorithms that are secure even if the adversary obtains side-channel information from the real world implementation of these algorithms. Most of the prior works on leakage-resilient cryptography consider leakage models where the adversary has access to the leakage oracle before the challenge-ciphertext is generated (before-the-fact leakage). In this model, there are generic compilers that transform any leakage-resilient CPA-secure public key encryption (PKE) scheme to its CCA-2 variant using Naor-Yung type of transformations. In this work, we give an efficient generic compiler for transforming a leakage-resilient CPA-secure PKE to leakage-resilient CCA-2 secure PKE in presence of after-the-fact split-state (bounded) memory leakage model, where the adversary has access to the leakage oracle even after the challenge phase. The salient feature of our transformation is that the leakage rate (defined as the ratio of the amount of leakage to the size of secret key) of the transformed after-the-fact CCA-2 secure PKE is same as the leakage rate of the underlying after-the-fact CPA-secure PKE, which is $1-o(1)$. We then present another generic compiler for transforming an after-the-fact leakage-resilient CCA-2 secure PKE to a leakage-resilient authenticated key exchange (AKE) protocol in the bounded after-the-fact leakage-resilient eCK (BAFL-eCK) model proposed by Alawatugoda et al. (ASIACCS\u2714). To the best of our knowledge, this gives the first compiler that transform any leakage-resilient CCA-2 secure PKE to an AKE protocol in the leakage variant of the eCK model

LDAKM-EIoT: Lightweight Device Authentication and Key Management Mechanism for Edge-Based IoT Deployment

In recent years, edge computing has emerged as a new concept in the computing paradigm that empowers several future technologies, such as 5G, vehicle-to-vehicle communications, and the Internet of Things (IoT), by providing cloud computing facilities, as well as services to the end users. However, open communication among the entities in an edge based IoT environment makes it vulnerable to various potential attacks that are executed by an adversary. Device authentication is one of the prominent techniques in security that permits an IoT device to authenticate mutually with a cloud server with the help of an edge node. If authentication is successful, they establish a session key between them for secure communication. To achieve this goal, a novel device authentication and key management mechanism for the edge based IoT environment, called the lightweight authentication and key management scheme for the edge based IoT environment (LDAKM-EIoT), was designed. The detailed security analysis and formal security verification conducted by the widely used Automated Validation of Internet Security Protocols and Applications (AVISPA) tool prove that the proposed LDAKM-EIoT is secure against several attack vectors that exist in the infrastructure of the edge based IoT environment. The elaborated comparative analysis of the proposed LDAKM-EIoT and different closely related schemes provides evidence that LDAKM-EIoT is more secure with less communication and computation costs. Finally, the network performance parameters are calculated and analyzed using the NS2 simulation to demonstrate the practical facets of the proposed LDAKM-EIoT

HMAKE: Legacy-Compliant Multi-factor Authenticated Key Exchange from Historical Data

In this paper, we introduce two lightweight historical data based multi-factor authenticated key exchange (HMAKE) protocols in the random oracle model. Our HMAKE protocols use a symmetric secret key, as their first authentication factor, together with their second authentication factor, historical data exchanged between the two parties in the past, and the third authentication factor, a set of secret tags associated with the historical data, to establish a secure communication channel between the client and the server. A remarkable security feature of HMAKE is bounded historical tag leakage resilience, which means that (informally speaking) if a small portion of the secret tags is leaked to an adversary, it will not affect the security of one HMAKE protocol with an overwhelming probability. Our first HMAKE protocol can provide static bounded leakage resilience, meaning that the secret tags are leaked at the beginning of the security game. To enhance its security, our second HMAKE protocol makes use of our first protocol as a compiler to transform any passively secure two-message key exchange protocol to an actively secure HMAKE protocol with perfect forward secrecy, and therefore it can be secure even if the historical tags are compromised adaptively by an attacker. In addition to the strong security properties we achieved, our protocols can potentially have great impacts in practice: they are efficient in computation, and they are compatible with legacy devices in cyber-physical systems