Author Search Result

[Author] Kazukuni KOBARA(24hit)

1-20hit(24hit)

  • Anonymous Password-Authenticated Key Exchange: New Construction and Its Extensions

    SeongHan SHIN  Kazukuni KOBARA  Hideki IMAI
    PAPER-Secure Protocol
    Vol: E93-A No:1  Page(s): 102-115

    An anonymous password-authenticated key exchange (anonymous PAKE) protocol is designed to provide both password-only authentication and user anonymity against a semi-honest server, who follows the protocol honestly. Very recently, Yang and Zhang have proposed a new anonymous PAKE (NAPAKE) protocol that is claimed to be efficient compared to the previous constructions. In this paper, we propose a very efficient anonymous PAKE (called VEAP) protocol that provides the highest efficiency among protocols of its kind in terms of computation and communication costs. The VEAP protocol guarantees semantic security of session keys in the random oracle model under the chosen-target CDH problem, and unconditional user anonymity against a semi-honest server. If pre-computation is allowed, the user and the server are each required to compute only one modular exponentiation. Surprisingly, this is the same computation cost as the well-known Diffie-Hellman protocol, which does not provide authentication at all. In addition, we extend the VEAP protocol in two ways: the first is designed to reduce the communication costs of the VEAP protocol, and the second shows that stripping off the anonymity parts from the VEAP protocol results in a new PAKE protocol.

  • Hidden Credential Retrieval, Revisited

    SeongHan SHIN  Kazukuni KOBARA
    LETTER-Cryptography and Information Security
    Vol: E98-A No:1  Page(s): 428-433

    Hidden Credential Retrieval (HCR) protocols are designed for access credential management, where users who remember short passwords can retrieve their various credentials (access keys and tokens) with the help of a remote storage server over insecure networks (e.g., the Internet). In this paper, we revisit two HCR protocols, both of which are based on blind signature schemes: one (we call it B-HCR) was proposed at ASIACCS 2009 and the other (we call it MRS-HCR) at WISA 2010. In particular, we show that the B-HCR protocol is insecure against an outside attacker who impersonates server S. Specifically, the attacker can find out the user's password pw with off-line dictionary attacks by eavesdropping on the communications between the user and a third-party online service provider. Also, we show that the MRS-HCR protocol does not work correctly itself. In other words, user U cannot retrieve the plaintext Msg (i.e., credentials) even if he/she has knowledge of the password.

  • Semantically Secure McEliece Public-Key Cryptosystem

    Kazukuni KOBARA  Hideki IMAI
    PAPER
    Vol: E85-A No:1  Page(s): 74-83

    Almost all of the current public-key cryptosystems (PKCs) are based on number theory, such as the integer factoring problem and the discrete logarithm problem (which will be solved in polynomial time after the emergence of quantum computers). While the McEliece PKC is based on another theory, i.e., coding theory, it is vulnerable to several practical attacks. In this paper, we summarize currently known attacks on the McEliece PKC, and then point out that, without any decryption oracles or any partial knowledge of the plaintext of the challenge ciphertext, no polynomial-time algorithm is known for inverting the McEliece PKC whose parameters are carefully chosen. Under the assumption that this inverting problem is hard, we propose a slightly modified version of the McEliece PKC that can be proven, in the random oracle model, to be semantically secure against adaptive chosen-ciphertext attacks. Our conversion can reduce the redundant data down to 1/3-1/4 compared with the generic conversions for practical parameters.

  • IVs to Skip for Immunizing WEP against FMS Attack

    Kazukuni KOBARA  Hideki IMAI
    PAPER-Fundamental Theories for Communications
    Vol: E91-B No:1  Page(s): 164-171

    The WEP (Wired Equivalent Privacy) is a part of the IEEE 802.11 standard designed for protecting over-the-air communication. While almost all WLAN (Wireless LAN) cards and APs (Access Points) support WEP, a serious key recovery attack (aka the FMS attack) was identified by Fluhrer et al. The FMS attack can basically be prevented by skipping the IVs (Initial Values) used in the attack, but naive skip methods reveal information on the WEP key, since most of them depend on the WEP key and the patterns of the skipped IVs reveal it. In order to skip IVs safely, the skip patterns must be chosen carefully. In this paper, we review the attack conditions (6) and (7), whose success probability, 0.05, is the highest amongst all known conditions for guessing one key byte from one packet. Then we identify their safe skip patterns.

  • An Efficient and Leakage-Resilient RSA-Based Authenticated Key Exchange Protocol with Tight Security Reduction

    SeongHan SHIN  Kazukuni KOBARA  Hideki IMAI
    PAPER-Information Security
    Vol: E90-A No:2  Page(s): 474-490

    Both mutual authentication and generation of session keys can be accomplished by an authenticated key exchange (AKE) protocol. Let us consider the following situation: (1) a client, who communicates with many different servers, remembers only one password and has insecure devices (e.g., mobile phones or PDAs) with very restricted computing power and built-in memory capacity; (2) the counterpart servers have enormous computing power, but they are not perfectly secure against various attacks (e.g., viruses or hackers); (3) neither PKI (Public Key Infrastructures) nor TRM (Tamper-Resistant Modules) is available. The main goal of this paper is to provide security against the leakage of stored secrets as well as to attain high efficiency on the client's side. For these goals, we propose an efficient and leakage-resilient RSA-based AKE (RSA-AKE) protocol suitable for the above situation, whose authenticity is based on a password and another secret. In the extended model where an adversary is given access to the stored secret of the client, we prove that the security of the RSA-AKE protocol is reduced tightly to RSA one-wayness in the random oracle model. We also show that the RSA-AKE protocol guarantees several security properties (e.g., security of the password, a multiple-server scenario with only one password, perfect forward secrecy and anonymity). To the best of our knowledge, the RSA-AKE protocol is the most efficient, in terms of both computation costs of the client and communication costs, among the previous AKE protocols of its kind (using a password and RSA).

  • Lightweight Privacy-Preserving Authentication Protocols Secure against Active Attack in an Asymmetric Way

    Yang CUI  Kazukuni KOBARA  Kanta MATSUURA  Hideki IMAI
    PAPER-Authentication
    Vol: E91-D No:5  Page(s): 1457-1465

    As pervasive computing technologies develop fast, privacy protection becomes a crucial issue and needs to be handled very carefully. Typically, it is difficult to efficiently identify and manage a large number of low-cost pervasive devices like Radio Frequency Identification Devices (RFID) without leaking any private information. In particular, the attacker may not only eavesdrop on the communication in a passive way, but also mount an active attack by asking queries adaptively, which is obviously more dangerous. Towards settling this problem, in this paper, we propose two lightweight authentication protocols which are privacy-preserving against active attack, in an asymmetric way. That asymmetric style with privacy-oriented simplification succeeds in reducing the load of low-cost devices and drastically decreases the computation cost for the management of the server. This is because, unlike the usual management of identities, our approach does not require any synchronization or exhaustive search in the database, which is a great convenience in the case of a large-scale system. The protocols are based on a fast asymmetric encryption with specialized simplification and only one cryptographic hash function, which consequently assigns easy work to pervasive devices. Besides, our results do not require the strong assumption of the random oracle.

  • How to Preserve User Anonymity in Password-Based Anonymous Authentication Scheme

    SeongHan SHIN  Kazukuni KOBARA
    LETTER-Information Network
    Publicized: 2017/12/13
    Vol: E101-D No:3  Page(s): 803-807

    A purpose of password-based anonymous authentication schemes is to provide not only password-based authentication but also user anonymity. In [19], Yang et al. proposed a password-based anonymous authentication scheme (we call it the YZWB10 scheme) using password-protected credentials. In this paper, we discuss user anonymity of the YZWB10 scheme [19] against a third-party attacker, who is much weaker than a malicious server. First, we show that a third-party attacker in the YZWB10 scheme can specify which user actually sent the login request to the server. This attack also indicates that the attacker can link different login requests sent later by the same user. Second, we give an effective countermeasure to this attack which does not require any security for storing users' password-protected credentials.

  • Key-Dependent Weak IVs and Weak Keys in WEP--How to Trace Conditions Back to Their Patterns--

    Kazukuni KOBARA  Hideki IMAI
    PAPER-Information Security
    Vol: E89-A No:8  Page(s): 2198-2206

    The WEP (Wired Equivalent Privacy) is a part of the IEEE 802.11 standard designed for protecting over-the-air communication. While almost all WLAN (Wireless LAN) cards and APs (Access Points) support WEP, a serious key recovery attack (aka the FMS attack) was identified by Fluhrer et al. The attack was then extended and implemented as WEP cracking tools. The key recovery attacks can basically be prevented by skipping certain IVs (Initial Values) called weak IVs, but the problem is that there exists a huge amount of key-dependent weak IVs and their patterns have not been fully identified yet. The difficult part is that a naive approach to identifying the key-dependent weak IVs requires an exhaustive search of IVs and WEP keys, and hence is infeasible. On the other hand, it might be feasible to skip the key-dependent weak IVs for the currently set WEP key, but this reveals information on the WEP key from the skipped patterns. To skip them safely, the patterns of the key-dependent weak IVs must be identified in the first place. In this paper, we analyze the famous condition for IVs and WEP keys to be weak in the FMS attack, i.e. 0≤S[1]≤t'

  • About Validity Checks of Augmented PAKE in IEEE 1363.2 and ISO/IEC 11770-4

    SeongHan SHIN  Kazukuni KOBARA
    LETTER-Cryptography and Information Security
    Vol: E97-A No:1  Page(s): 413-417

    An augmented PAKE (Password-Authenticated Key Exchange) protocol provides password-only authentication in the presence of an attacker, establishment of session keys between the involved parties, and extra protection against server compromise (i.e., exposure of password verification data). Among many augmented PAKE protocols, AMP variants (AMP2 [16] and AMP+ [15]) have been standardized in IEEE 1363.2 [9] and ISO/IEC 11770-4 [10]. In this paper, we thoroughly investigate APKAS-AMP (based on AMP2 [16]) and KAM3 (based on AMP+ [15]), which require several validity checks on the values received and computed by the parties when using a secure prime. After showing some attacks on APKAS-AMP and KAM3, we suggest new sanity checks that are clear and sufficient to prevent an attacker from carrying out these attacks.

  • On Finding Secure Domain Parameters Resistant to Cheon's Algorithm

    SeongHan SHIN  Kazukuni KOBARA  Hideki IMAI
    PAPER-Cryptography and Information Security
    Vol: E98-A No:12  Page(s): 2456-2470

    In the literature, many cryptosystems have been proposed to be secure under the Strong Diffie-Hellman (SDH) and related problems. For example, there is a cryptosystem that is based on the SDH/related problem or allows the Diffie-Hellman oracle. If the cryptosystem employs general domain parameters, this leads to a significant security loss caused by Cheon's algorithm [14], [15]. However, all elliptic curve domain parameters explicitly recommended in the standards (e.g., ANSI X9.62/63 [1], [2], FIPS PUB 186-4 [43], SEC 2 [50], [51]) are susceptible to Cheon's algorithm [14], [15]. In this paper, we first prove that (q-1)(q+1) is always divisible by 24 for any prime order q>3. Based on this result and depending on small divisors d1,d2≤(log q)^2, we classify primes q>3 such that both (q-1)/d1 and (q+1)/d2 are primes into Perfect, Semiperfect, SEC1v2 and Acceptable. Then, we describe algorithmic procedures and show their simulation results for secure elliptic curve domain parameters over prime/characteristic 2 finite fields resistant to Cheon's algorithm [14], [15]. Also, several examples of the secure elliptic curve domain parameters (including Perfect or Semiperfect prime q) follow.

  • A Simple Leakage-Resilient Authenticated Key Establishment Protocol, Its Extensions, and Applications

    SeongHan SHIN  Kazukuni KOBARA  Hideki IMAI
    PAPER-Information Security
    Vol: E88-A No:3  Page(s): 736-754

    Authenticated Key Establishment (AKE) protocols enable two entities, say a client (or a user) and a server, to share common session keys in an authentic way. In this paper, we review the previous AKE protocols, all of which turn out to be insecure, under the following realistic assumptions: (1) High-entropy secrets that should be stored on devices may leak out due to accidents such as bugs or misconfigurations of the system; (2) The size of a human-memorable secret, i.e. a password, is short enough to memorize, but large enough to avoid on-line exhaustive search; (3) TRM (Tamper-Resistant Modules) used to store secrets are not perfectly free from bugs and misconfigurations; (4) A client remembers only one password, even if he/she communicates with several different servers. Then, we propose a simple leakage-resilient AKE protocol (cf. [41]) which is described as follows: the client keeps one password in mind and stores one secret value on devices, both of which are used to establish an authenticated session key with the server. The advantages of leakage-resilient AKEs over the previous AKEs are that the former are secure against active adversaries under the above-mentioned assumptions and have immunity to the leakage of stored secrets from a client and a server (or servers), respectively. In addition, the advantage of the proposed protocol to is the reduction of the memory size of the client's secrets. We also extend our protocol to allow updating the secret values registered in server(s) or the password remembered by a client. Some applications and the formal security proof in the standard model of our protocol are also provided.

  • Cyber Physical Security for Industrial Control Systems and IoT Open Access

    Kazukuni KOBARA
    INVITED PAPER
    Publicized: 2016/01/13
    Vol: E99-D No:4  Page(s): 787-795

    Cyber-attacks and cybersecurity used to be issues only for those who use the Internet and computers. The issues, however, are expanding to anyone, even those who do not use them directly. Society is gradually and heavily becoming dependent on networks and computers. They are not closed within cyberspace anymore and interact with our real world through sensors and actuators. Such systems are known as CPS (Cyber Physical Systems), IoT/E (Internet of Things/Everything), Industry 4.0, Industrial Internet, M2M, etc. No matter what they are called, exploitation of any of these systems may seriously affect our real lives, and appropriate countermeasures must be taken to mitigate the risks. In this paper, cybersecurity in ICS (Industrial Control Systems) is reviewed as a leading example of cyber physical security for critical infrastructures. Then, as a future aspect of it, IoT security for consumers is explained.

  • A Secure Construction for Threshold Anonymous Password-Authenticated Key Exchange

    SeongHan SHIN  Kazukuni KOBARA  Hideki IMAI
    PAPER-Cryptography and Information Security
    Vol: E91-A No:11  Page(s): 3312-3324

    At Indocrypt 2005, Viet et al. [21] proposed an anonymous password-authenticated key exchange (PAKE) protocol and its threshold construction, both of which are designed for a client's password-based authentication and anonymity against a passive server, who does not deviate from the protocol. In this paper, we first point out that their threshold construction is completely insecure against off-line dictionary attacks. For the threshold t > 1, we propose a secure threshold anonymous PAKE (for short, TAP) protocol with the number of clients n upper-bounded, such that n 2 -1, where N is the dictionary size of passwords. We rigorously prove that the TAP protocol has semantic security of session keys in the random oracle model by showing the reduction to the computational Diffie-Hellman problem. In addition, the TAP protocol provides unconditional anonymity against a passive server. For the threshold t=1, we propose an efficient anonymous PAKE protocol that significantly improves efficiency in terms of computation costs and communication bandwidth compared to the original (non-threshold) anonymous PAKE protocol [21].

  • Security Analysis of Two Augmented Password-Authenticated Key Exchange Protocols

    SeongHan SHIN  Kazukuni KOBARA  Hideki IMAI
    LETTER-Cryptography and Information Security
    Vol: E93-A No:11  Page(s): 2092-2095

    An augmented PAKE (Password-Authenticated Key Exchange) protocol is said to be secure against server-compromise impersonation attacks if an attacker who obtained password verification data from a server cannot impersonate a client without performing off-line dictionary attacks on the password verification data. There are two augmented PAKE protocols: the first one [12] was proposed in the IEEE Communications Letters and the second one [15] was submitted to the IEEE P1363.2 standard working group [9]. In this paper, we show that these two augmented PAKE protocols [12], [15] (claimed to be secure) are actually insecure against server-compromise impersonation attacks. More specifically, we present generic server-compromise impersonation attacks on these augmented PAKE protocols [12], [15].

  • An RSA-Based Leakage-Resilient Authenticated Key Exchange Protocol Secure against Replacement Attacks, and Its Extensions

    SeongHan SHIN  Kazukuni KOBARA  Hideki IMAI
    PAPER-Cryptography and Information Security
    Vol: E93-A No:6  Page(s): 1086-1101

    Secure channels can be realized by an authenticated key exchange (AKE) protocol that generates authenticated session keys between the involved parties. In, Shin et al. proposed a new kind of AKE (RSA-AKE) protocol whose goal is to provide high efficiency and security against leakage of stored secrets as much as possible. Let us consider more powerful attacks where an adversary completely controls the communications and the stored secrets (the latter is denoted by "replacement" attacks). In this paper, we first show that the RSA-AKE protocol is no longer secure against such an adversary. The main contributions of this paper are as follows: (1) we propose an RSA-based leakage-resilient AKE (RSA-AKE2) protocol that is secure against active attacks as well as replacement attacks; (2) we prove that the RSA-AKE2 protocol is secure against replacement attacks based on number theory results; (3) we show that it is provably secure in the random oracle model, by showing the reduction to RSA one-wayness, under an extended model that covers active attacks and replacement attacks; (4) in terms of efficiency, the RSA-AKE2 protocol is comparable to in the sense that the client needs to compute only one modular multiplication with pre-computation; and (5) we also discuss extensions of the RSA-AKE2 protocol for several security properties (i.e., synchronization of stored secrets, privacy of the client and a solution to server-compromise impersonation attacks).

  • Simple Anonymous Password-Based Authenticated Key Exchange (SAPAKE), Reconsidered

    SeongHan SHIN  Kazukuni KOBARA
    PAPER-Cryptography and Information Security
    Vol: E100-A No:2  Page(s): 639-652

    Anonymous password-based authentication protocols are designed to provide not only password-based authentication but also client anonymity. In [22], Qian et al. proposed a simple anonymous password-based authentication protocol (SAPAKE). In this paper, we reconsider the SAPAKE protocol [22] by first showing that a (third-party) active attacker can impersonate the server and compute a session key with probability 1. After giving a formal model that captures such attacks, we propose a simple and secure anonymous password-based authentication (for short, S2APA) protocol that provides security against modification attacks on protocol-specific values and is more efficient than YZWB09/10 [32], [33] and SAPAKE [22]. Also, we prove that the S2APA protocol is AKE-secure against active attacks as well as modification attacks under the computational Diffie-Hellman problem in the random oracle model, and provides unconditional client anonymity against a semi-honest server, who honestly follows the protocol.

  • RSA-Based Password-Authenticated Key Exchange, Revisited

    SeongHan SHIN  Kazukuni KOBARA  Hideki IMAI
    PAPER-Key Management
    Vol: E91-D No:5  Page(s): 1424-1438

    RSA-based Password-Authenticated Key Exchange (PAKE) protocols have been proposed to realize both mutual authentication and generation of secure session keys, where a client shares his/her password only with a server and the latter has to generate its RSA public/private key pair (e,n),(d,n) every time due to the lack of a PKI (Public-Key Infrastructure). One of the ways to avoid a special kind of off-line (so-called e-residue) attack in RSA-based PAKE protocols is to deploy a challenge/response method by which a client verifies the relative primality of e and φ(n) interactively with a server. However, this kind of RSA-based PAKE protocol did not give any proof of the underlying challenge/response method and therefore could not specify the exact complexity of the protocols, since there exists another security parameter needed in the challenge/response method. In this paper, we first present an RSA-based PAKE (RSA-PAKE) protocol that can deploy two different challenge/response methods (denoted by Challenge/Response Method1 and Challenge/Response Method2). The main contributions of this work include: (1) Based on number theory, we prove that Challenge/Response Method1 and Challenge/Response Method2 are secure against e-residue attacks for any odd prime e; (2) With the security parameter for on-line attacks, we show that the RSA-PAKE protocol is provably secure in the random oracle model, where none of the off-line attacks are more efficient than on-line dictionary attacks; and (3) By considering the Hamming weight of e and its complexity in the RSA-PAKE protocol, we search for primes to be recommended for practical use. We also compare the RSA-PAKE protocol with the previous ones mainly in terms of computation and communication complexities.

  • Pretty-Simple Password-Authenticated Key-Exchange Protocol Proven to be Secure in the Standard Model

    Kazukuni KOBARA  Hideki IMAI
    PAPER-Information Security
    Vol: E85-A No:10  Page(s): 2229-2237

    In this paper, we propose a pretty-simple password-authenticated key-exchange protocol, which is proven to be secure in the standard model under the following three assumptions. (1) The DDH (Decision Diffie-Hellman) problem is hard. (2) The entropy of the password is large enough to avoid on-line exhaustive search (but not necessarily off-line exhaustive search). (3) The MAC is selectively unforgeable against partially chosen message attacks (which is weaker than being existentially unforgeable against chosen message attacks).

  • A New Security Architecture for Personal Networks and Its Performance Evaluation

    SeongHan SHIN  Hanane FATHI  Kazukuni KOBARA  Neeli R. PRASAD  Hideki IMAI
    PAPER-Network
    Vol: E91-B No:7  Page(s): 2255-2264

    The concept of personal networks is very user-centric and representative of the next generation of networks. However, the present security mechanism does not consider at all what happens whenever a mobile node (device) is compromised, lost or stolen. Of course, a compromised, lost or stolen mobile node (device) is a main factor in leaking stored secrets. This kind of leakage of stored secrets remains a great danger in the field of communication security, since it can lead to the complete breakdown of the intended security level. In order to solve this problem, we propose a 3-way Leakage-Resilient and Forward-Secure Authenticated Key Exchange (3LRFS-AKE) protocol and its security architecture suitable for personal networks. The 3LRFS-AKE protocol not only guarantees forward secrecy of the shared key between a device and its server, but also provides a new additional layer of security against the leakage of stored secrets. The proposed security architecture includes two different types of communications: PN-wide communication and communication between P-PANs of two different users. In addition, we give a performance evaluation and numerical results of the delay generated by the proposed security architecture.

  • On Unlinkability of Password-Based Anonymous Authentication

    SeongHan SHIN  Kazukuni KOBARA
    LETTER-Cryptography and Information Security
    Vol: E98-A No:6  Page(s): 1320-1324

    Password-based anonymous authentication schemes provide not only password-based authentication but also user anonymity. In [15], Yang et al. proposed a password-based anonymous authentication scheme (we call it the YZWB10 scheme) using password-protected credentials. This scheme is being standardized in ISO/IEC 20009-4, which was approved to proceed to the CD stage in the 49th ISO/IEC JTC 1/SC 27 Mexico meeting. In this paper, we analyze unlinkability of the YZWB10 scheme [15]. In particular, we show that a (malicious) server in the YZWB10 scheme can specify which user actually sent the login request to the server. Unlike Yang et al.'s claim, the YZWB10 scheme [15] does not provide unlinkability against the server.