Paper 2009/253

Formally and Practically Relating the CK, CK-HMQV, and eCK Security Models for Authenticated Key Exchange

Cas J. F. Cremers

Abstract

Many recent key exchange (KE) protocols have been proven secure in the CK, CK-HMQV, or eCK security models. The exact relation between these security models, and hence between the security guarantees provided by the protocols, is unclear. First, we show that the CK, CK-HMQV, and eCK security models are formally incomparable. Second, we show that these models are also practically incomparable, by providing for each model attacks that are not considered by the other models. Our analysis enables us to find several previously unreported flaws in existing protocol security proofs. We identify the causes of these flaws and show how they can be avoided.

Note: Minor improvements and bugfix related to eCK partial matching observations.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Unknown where it was published
Contact author(s)
cas cremers @ inf ethz ch
History
2010-07-27: last of 6 revisions
2009-06-01: received
See all versions
Short URL
https://ia.cr/2009/253
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2009/253,
      author = {Cas J. F.  Cremers},
      title = {Formally and Practically Relating the CK, CK-HMQV, and eCK Security Models for Authenticated Key Exchange},
      howpublished = {Cryptology ePrint Archive, Paper 2009/253},
      year = {2009},
      note = {\url{https://eprint.iacr.org/2009/253}},
      url = {https://eprint.iacr.org/2009/253}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.