2009 | OriginalPaper | Buchkapitel
Comparing SessionStateReveal and EphemeralKeyReveal for Diffie-Hellman Protocols
Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.
Wählen Sie Textabschnitte aus um mit Künstlicher Intelligenz passenden Patente zu finden. powered by
Markieren Sie Textabschnitte, um KI-gestützt weitere passende Inhalte zu finden. powered by
Both the “eCK” model, by LaMacchia, Lauter and Mityagin, and the “CK01” model, by Canetti and Krawczyk, address the effect of leaking session specific ephemeral data on the security of key establishment schemes. The CK01-adversary is given a
SessionStateReveal
query to learn session-specific private data defined by the protocol specification, whereas the eCK-adversary is equipped with an
EphemeralKeyReveal
query to access all ephemeral private input required to carry session computations.
SessionStateReveal
cannot
be issued against the test session; by contrast
EphemeralKeyReveal
can
be used against the test session under certain conditions. On the other hand, it is not obvious how
EphemeralKeyReveal
compares to
SessionStateReveal
. Thus it is natural to ask which model is more useful and practically relevant.
While formally the models are not comparable, we show that recent analyses utilizing
SessionStateReveal
and
EphemeralKeyReveal
have a similar approach to ephemeral data leakage. First we pinpoint the features that determine the approach. Then by examining common motives for ephemeral data leakage we conclude that the approach is meaningful, but does not take into account timing, which turns out to be critical for security. Lastly, for Diffie-Hellman protocols we argue that it is important to consider security when discrete logarithm values of the outgoing ephemeral public keys are leaked and offer a method to achieve security even if these values are exposed.