
Study On Authenticated Key Agreement Protocols

Posted on: 2010-10-07
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X F Wang
Full Text: PDF
GTID: 1118360302969342
Subject: Cryptography
Abstract/Summary:
Authenticated key agreement protocols are the basis for constructing secure networks. With an authenticated key agreement protocol, identity authentication is provided in the communication system, and a shared key used for encrypting messages is produced by the users participating in the protocol. Encryption algorithms, hash functions, MAC algorithms and digital signature schemes are the primitives used in key agreement protocols. With respect to the number of participating users, there are three kinds of key agreement protocols: two-party, three-party and group key agreement protocols. With respect to the method of authentication, there are also three kinds: protocols based on public key certificates, ID-based authenticated key agreement protocols, and certificateless authenticated key agreement protocols. Besides key authentication and key confirmation, a number of desirable security attributes have been identified for key agreement protocols: known-session-key security, forward secrecy, resistance to key-compromise impersonation attacks, resistance to unknown key-share attacks, and no key control. In addition to security, efficiency, which includes communication cost and computation complexity, must be considered.

This dissertation concerns security models for authenticated key agreement protocols, ID-based two-party key agreement protocols, certificateless two-party key agreement protocols, and group key agreement protocols. Its main contributions are summarized as follows:

1. We analyze the model for two-party key agreement protocols (the BR model) and the model for the three-party case (the BR+ model), and find that they do not provide perfect forward secrecy and do not consider malicious attackers or the no-key-control property. The CK model and the BCP model are also analyzed. Key confirmation, mutual authentication, no key control and contributiveness are not considered in the CK model. AKE security is defined in the BCP model for group key agreement protocols; it provides key independence, implicit key confirmation, (perfect) forward secrecy, and resistance to passive attacks, but it does not achieve key integrity or known-key security. Definitions of group key security and freshness are given to extend the model.

2. Tseng Y M proposed an authenticated group key agreement protocol for resource-limited mobile devices. We demonstrate that the protocol has security vulnerabilities by mounting a man-in-the-middle attack against it: it does not achieve key authentication in the presence of an active attacker. An improved protocol is proposed that achieves mutual authentication. It not only meets the properties of forward secrecy and key authentication, but is also provably secure against passive and man-in-the-middle attacks. It is more efficient and practical for wireless communication: the computation cost required by each low-power node is only 2.03 seconds, the computation cost of the powerful node is only half that of Tseng's protocol, and the communication cost is reduced by 40%.

3. Wang et al. recently proposed ID-based authenticated key agreement protocols that are provably secure in the standard model. We find that their protocol in escrowless mode does not provide KGC forward secrecy; that is, a malicious KGC can obtain all of the agreed session keys. To meet the requirements of key agreement in escrowless mode, an improved protocol is presented and proved secure in the standard model. The new protocol is also shown to achieve perfect forward secrecy and KGC forward secrecy.

4. The McCullagh-Barreto key agreement protocol and its variant achieve perfect forward secrecy and KGC forward secrecy, but provide no resistance to key compromise impersonation (KCI) attacks. We give a formal treatment of the KCI attack and define the corresponding security notion. A variant of the McCullagh-Barreto protocol is then presented that requires only one additional hash operation. The improved protocol preserves perfect forward secrecy and KGC forward secrecy, and is furthermore proved secure against KCI attacks under the k-Gap-BCAA1 assumption.

5. Inspired by the certificateless public key encryption scheme proposed by Jong et al., we present a new certificateless authenticated key agreement protocol (CL-AK) that is provably secure in the standard model and provides perfect forward secrecy. Compared with a certificateless authenticated key agreement protocol that is only provably secure in the random oracle model, the new protocol improves on security properties as well as computation and communication efficiency.

6. Key independence is very important for dynamic group key agreement protocols. The two-round dynamic group key agreement protocol of Dutta and Barua (the Dutta-Barua protocol) and the ID-based dynamic group key agreement protocol of Wang et al. do not provide key independence. To improve on these two protocols, an ID-based authenticated key agreement protocol for dynamic peer groups is presented using Sakai R and Kasahara M's key construction. To avoid correlation between the sub-keys of different sessions, hash functions and session identifiers are included when computing the sub-keys in the new protocol. The new protocol therefore achieves key independence, and also provides perfect forward secrecy, KGC forward secrecy and resistance to passive and active attacks. Compared with the two earlier protocols, its computation and communication costs are greatly reduced, so it is more efficient and applicable to dynamic peer networks.
Keywords/Search Tags: authenticated key agreement protocol, perfect forward secrecy, KGC-forward secrecy, key compromise impersonation attack