| Introduction / 1: |
| The Key Distribution Problem / 1.1: |
| Solution: Key Establishment Protocols / 1.2: |
| Computer Security Approach / 1.2.1: |
| Computational Complexity Approach / 1.2.2: |
| Research Objectives and Deliverables / 1.2.3: |
| Structure of Book and Contributions to Knowledge / 1.3: |
| References |
| Background Materials / 2: |
| Mathematical Background / 2.1: |
| Abstract Algebra and the Main Groups / 2.1.1: |
| Bilinear Maps from Elliptic Curve Pairings / 2.1.2: |
| Computational Problems and Assumptions / 2.1.3: |
| Cryptographic Tools / 2.1.4: |
| Encryption Schemes: Asymmetric Setting / 2.1.4.1: |
| Encryption Schemes: Symmetric Setting / 2.1.4.2: |
| Digital Signature Schemes / 2.1.4.3: |
| Message Authentication Codes / 2.1.4.4: |
| Cryptographic Hash Functions / 2.1.4.5: |
| Random Oracles / 2.1.4.6: |
| Key Establishment Protocols and their Basis / 2.2: |
| Protocol Architectures / 2.2.1: |
| Existing Cryptographic Keys / 2.2.1.1: |
| Method of Session Key Generation / 2.2.1.2: |
| Number of Entities / 2.2.1.3: |
| Protocol Goals and Attacks / 2.2.2: |
| Protocol Goals / 2.2.2.1: |
| Additional Security Attributes / 2.2.2.2: |
| Types of Attacks / 2.2.2.3: |
| A Need for Rigorous Treatment / 2.2.2.4: |
| The Computational Complexity Approach / 2.3: |
| Adversarial Powers / 2.3.1: |
| Definition of Freshness / 2.3.2: |
| Definition of Security / 2.3.3: |
| The Bellare-Rogaway Models / 2.3.4: |
| The BR93 Model / 2.3.4.1: |
| The BR95 Model / 2.3.4.2: |
| The BPR2000 Model / 2.3.4.3: |
| The Canetti-Krawczyk Model / 2.3.5: |
| Protocol Security / 2.3.6: |
| Summary / 2.4: |
| A Flawed BR95 Partnership Function / 3: |
| A Flaw in the Security Proof for 3PKD Protocol / 3.1: |
| The 3PKD Protocol / 3.1.1: |
| Key Replicating Attack on 3PKD Protocol / 3.1.2: |
| The Partner Function used in the BR95 Proof / 3.1.3: |
| A Revised 3PKD Protocol in Bellare-Rogaway Model / 3.2: |
| Defining SIDs in the 3PKD Protocol / 3.2.1: |
| An Improved Provably Secure 3PKD Protocol / 3.2.2: |
| Security Proof for the Improved 3PKD Protocol / 3.2.3: |
| Adaptive MAC Forger F / 3.2.3.1: |
| Multiple Eavesdropper Attacker ME / 3.2.3.2: |
| Conclusion of Proof / 3.2.3.3: |
| On The Key Sharing Requirement / 3.3: |
| Bellare-Rogaway 3PKD Protocol in CK2001 Model / 4.1: |
| New Attack on 3PKD Protocol / 4.1.1: |
| A New Provably-Secure 3PKD Protocol in CK2001 Model / 4.1.3: |
| Jeong-Katz-Lee Protocol JP2 / 4.2: |
| Protocol JP2 / 4.2.1: |
| New Attack on Protocol JP2 / 4.2.2: |
| An Improved Protocol JP2 / 4.2.3: |
| The Key Sharing Requirement / 4.3: |
| Comparison of Bellare-Rogaway and Canetti-Krawczyk Models / 4.4: |
| Relating The Notions of Security / 5.1: |
| Proving BR93 (EA+KE) to BPR2000 (EA+KE) / 5.1.1: |
| Proof for the key establishment goal / 5.1.1.1: |
| Proof for the entity authentication goal / 5.1.1.2: |
| Proving CK2001 to BPR2000 (KE) / 5.1.2: |
| Proving CK2001 to BR93 (KE) / 5.1.3: |
| BR93 (KE) to BR95 and BR93 (KE), CK2001 [not left arrow] BR95 / 5.1.4: |
| BR93 (KE)/CK2001 [not left arrow] BPR2000 (KE) / 5.1.5: |
| CK2001 [not left arrow] BR93 (EA+KE) / 5.1.6: |
| BR93 (KE) [not left arrow] CK2001 / 5.1.7: |
| BPR200 (KE) [not left arrow] BR95 / 5.1.8: |
| A Drawback in the BPR2000 Model / 5.2: |
| Case Study: Abdalla-Pointcheval 3PAKE / 5.2.1: |
| Unknown Key Share Attack on 3PAKE / 5.2.2: |
| An Extension to the Bellare-Rogaway Model / 5.3: |
| A Provably-Secure Revised Protocol of Boyd / 6.1: |
| Secure Authenticated Encryption Schemes / 6.1.1: |
| Revised Protocol of Boyd / 6.1.2: |
| Security Proof / 6.1.3: |
| Integrity attacker / 6.1.3.1: |
| Confidentiality attacker / 6.1.3.2: |
| Conclusion of Security Proof / 6.1.3.3: |
| An Extension to the BR93 Model / 6.2: |
| An Efficient Protocol in Extended Model / 6.3: |
| An Efficient Protocol / 6.3.1: |
| Integrity Breaker / 6.3.2: |
| Confidentiality Breaker / 6.3.2.2: |
| Comparative Security and Efficiency / 6.3.2.3: |
| A Proof of Revised Yahalom Protocol / 6.5: |
| The Yahalom Protocol and its Simplified Version / 7.1: |
| A New Provably-Secure Protocol / 7.2: |
| Proof for Protocol 7.2 / 7.2.1: |
| Conclusion of Proof for Theorem 7.2.1 / 7.2.1.1: |
| An Extension to Protocol 7.2 / 7.2.2: |
| Partnering Mechanism: A Brief Discussion / 7.3: |
| Errors in Computational Complexity Proofs for Protocols / 7.4: |
| Boyd-Gonzalez Nieto Protocol / 8.1: |
| Unknown Key Share Attack on Protocol / 8.1.1: |
| An Improved Conference Key Agreement Protocol / 8.1.2: |
| Limitations of Existing Proof / 8.1.3: |
| Jakobsson-Pointcheval MAKEP / 8.2: |
| Unknown Key Share Attack on JP-MAKEP / 8.2.1: |
| Flaws in Existing Security Proof for JP-MAKEP / 8.2.2: |
| Wong-Chan MAKEP / 8.3: |
| A New Attack on WC-MAKEP / 8.3.1: |
| Preventing the Attack / 8.3.2: |
| Flaws in Existing Security Proof for WC-MAKEP / 8.3.3: |
| An MT-Authenticator / 8.4: |
| Encryption-Based MT-Authenticator / 8.4.1: |
| Flaw in Existing Security Proof Revealed / 8.4.2: |
| Addressing the Flaw / 8.4.3: |
| An Example Protocol as a Case Study / 8.4.4: |
| On Session Key Construction / 8.5: |
| Chen-Kudla ID-Based Protocol / 9.1: |
| The ID-Based Protocol / 9.1.1: |
| Existing Arguments on Restriction of Reveal Query / 9.1.2: |
| Improved Chen-Kudla Protocol / 9.1.3: |
| Security Proof for Improved Chen-Kudla Protocol / 9.1.4: |
| McCullagh-Barreto 2P-IDAKA Protocol / 9.2: |
| The 2P-IDAKA Protocol / 9.2.1: |
| Why Reveal Query is Restricted / 9.2.2: |
| Errors in Existing Proof for 2P-IDAKA Protocol / 9.2.3: |
| Error 1 / 9.2.3.1: |
| Error 2 / 9.2.3.2: |
| Improved 2P-IDAKA Protocol / 9.2.4: |
| A Proposal for Session Key Construction / 9.3: |
| Another Case Study / 9.4: |
| Reflection Attack on Lee-Kim-Yoo Protocol / 9.4.1: |
| Complementing Computational Protocol Analysis / 9.4.2: |
| The Formal Framework / 10.1: |
| Analysing a Provably-Secure Protocol / 10.2: |
| Protocol Specification / 10.2.1: |
| Initial State of Protocol 10.1 / 10.2.1.1: |
| Step 1 of Protocol 10.1 / 10.2.1.2: |
| A Malicious State Transition / 10.2.1.3: |
| Protocol Analysis / 10.2.2: |
| Hijacking Attack / 10.2.2.1: |
| New Attack 1 / 10.2.2.2: |
| New Attack 2 / 10.2.2.3: |
| Analysing Another Two Protocols With Claimed Proofs of Security / 10.3: |
| Analysis of Protocol 10.2 / 10.3.1: |
| Analysis of Protocol 10.3 / 10.3.1.2: |
| Flaws in Refuted Proofs / 10.3.2: |
| A Possible Fix / 10.3.3: |
| Analysing Protocols with Heuristic Security Arguments / 10.4: |
| Case Studies / 10.4.1: |
| Jan-Chen Mutual Protocol / 10.4.1.1: |
| Yang-Shen-Shieh Protocol / 10.4.1.2: |
| Kim-Huh-Hwang-Lee Protocol / 10.4.1.3: |
| Lin-Sun-Hwang Key Protocols MDHEKE I and II / 10.4.1.4: |
| Yeh-Sun Key Protocol / 10.4.1.5: |
| Protocol Analyses / 10.4.2: |
| Protocol Analysis 1 / 10.4.2.1: |
| Protocol Analysis 2 / 10.4.2.2: |
| Protocol Analysis 3 / 10.4.2.3: |
| Protocol Analysis 4 / 10.4.2.4: |
| Protocol Analysis 5 / 10.4.2.5: |
| Protocol Analysis 6 / 10.4.2.6: |
| Protocol Analysis 7 / 10.4.2.7: |
| An Integrative Framework to Protocol Analysis and Repair / 10.5: |
| Case Study Protocol / 11.1: |
| Proposed Integrative Framework / 11.2: |
| Protocols Specification / 11.2.1: |
| Defining SIDs in Protocol 11.1 / 11.2.1.1: |
| Description of Goal State / 11.2.1.2: |
| Description of Possible Actions / 11.2.1.3: |
| Protocols Analysis / 11.2.2: |
| Protocol Repair / 11.2.3: |
| Conclusion and Future Work / 11.3: |
| Research Summary / 12.1: |
| Open Problems and Future Directions / 12.2: |
| Index |
| Introduction / 1: |
| The Key Distribution Problem / 1.1: |
| Solution: Key Establishment Protocols / 1.2: |
EB
