
An unknown key-share attack on the MQV key agreement protocol

Published: 01 August 2001

Abstract

The MQV key agreement protocol, a technique included in recent standards, is shown in its basic form to be vulnerable to an unknown key-share attack. Although the attack's practical impact on security is minimal---a key confirmation step easily prevents it---the attack is noteworthy in the principles it illustrates about protocol design. First, minor “efficiency improvements” can significantly alter the security properties of a protocol. Second, protocol analysis must consider potential interactions with all parties, not just those that are normally online. Finally, attacks must be assessed in terms of system requirements, not just in isolation.



Published In

ACM Transactions on Information and System Security, Volume 4, Issue 3
August 2001
129 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/501978

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. Key agreement
  2. MQV
  3. protocol design
  4. unknown key-share attack


Cited By

  • (2024) DIGITAL AUTHENTICATION “FRIEND-OR-FOE”. Kibernetyka ta Systemnyi Analiz, pp. 3-14. DOI 10.34229/KCA2522-9664.24.3.1. Online publication date: 2024.
  • (2024) Digital Friend-or-Foe Authentication. Cybernetics and Systems Analysis 60:3, pp. 341-349. DOI 10.1007/s10559-024-00675-6. Online publication date: 1-May-2024.
  • (2023) A strengthened eCK secure identity based authenticated key agreement protocol based on the standard CDH assumption. Information and Computation 294, 105067. DOI 10.1016/j.ic.2023.105067. Online publication date: Oct-2023.
  • (2022) Exploiting Partial Order of Keys to Verify Security of a Vehicular Group Protocol. 2022 IEEE 35th Computer Security Foundations Symposium (CSF), pp. 305-318. DOI 10.1109/CSF54842.2022.9919664. Online publication date: Aug-2022.
  • (2022) Efficient Implementations of MQV-Based Protocols on Client-Server Architectures. Proceedings of the 8th International Conference on Computational Science and Technology, pp. 195-206. DOI 10.1007/978-981-16-8515-6_16. Online publication date: 26-Mar-2022.
  • (2021) On the Security of the Standardized MQV Protocol and Its Based Evolution Protocols. 2021 International Conference on Information Technology (ICIT), pp. 320-325. DOI 10.1109/ICIT52682.2021.9491775. Online publication date: 14-Jul-2021.
  • (2021) Verifying MQV-Based Protocols Using ProVerif. IT Convergence and Security, pp. 55-63. DOI 10.1007/978-981-16-4118-3_6. Online publication date: 2-Oct-2021.
  • (2021) Authenticated secret session key using elliptic curve digital signature algorithm. Security and Privacy 4:2. DOI 10.1002/spy2.148. Online publication date: 5-Mar-2021.
  • (2021) An authenticated, secure, and mutable multiple-session-keys protocol based on elliptic curve cryptography and text-to-image encryption algorithm. Concurrency and Computation: Practice and Experience 34:4. DOI 10.1002/cpe.6649. Online publication date: 6-Oct-2021.
  • (2020) An Efficient eCK secure Identity Based Two Party Authenticated Key Agreement Scheme with Security Against Active Adversaries. Information and Computation, 104630. DOI 10.1016/j.ic.2020.104630. Online publication date: Sep-2020.
