Session Corruption Attack and Improvements on Encryption Based MT-Authenticators

  • Xiaojian Tian
  • Duncan S. Wong
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3860)


Bellare, Canetti and Krawczyk proposed a security model (BCK-model) for authentication and key exchange protocols in 1998. The model not only reasonably captures the power of practical attackers but also provides a modular approach to the design of secure key exchange protocols. One important element in this approach is the MT-authenticator. An MT-authenticator transforms a message transmission protocol for an ideally authenticated network to an equivalent protocol for a real, unauthenticated network such that all attacks that can be launched in the unauthenticated network can also be launched in the authenticated network. In this paper, we show that the proof of the encryption-based MT-authenticator proposed in their paper is flawed, which leads to their encryption-based MT-authenticator insecure. An attack called session corruption attack can be launched successfully against the MT-authenticator in the unauthenticated network but not against the corresponding message transmission protocol in the authenticated network. To thwart this attack, we propose several improved techniques and two new encryption-based MT-authenticators.


MT-authenticator BCK-model CK-model Verifiable Encryption 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Asokan, N., Shoup, V., Waidner, M.: Optimistic fair exchange of digital signatures. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 591–606. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  2. 2.
    Bao, F.: An efficient verifiable encryption scheme for encryption of discrete logarithms. In: Schneier, B., Quisquater, J.-J. (eds.) CARDIS 1998. LNCS, vol. 1820, pp. 213–220. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Canetti, R., Krawczyk, H.: A modular approach to the design and analysis of authentication and key exchange protocols. In: Proc. 30th ACM Symp. on Theory of Computing, May 1998, pp. 419–428. ACM, New York (1998)Google Scholar
  4. 4.
    Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)Google Scholar
  5. 5.
    Bellare, M., Rogaway, P.: Provably secure session key distribution – the three party case. In: Proc. 27th ACM Symp. on Theory of Computing, Las Vegas, pp. 57–66. ACM, New York (1995)Google Scholar
  6. 6.
    Blake-Wilson, S., Johnson, D., Menezes, A.: Key agreement protocols and their security analysis. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 30–45. Springer, Heidelberg (1997)Google Scholar
  7. 7.
    Blake-Wilson, S., Menezes, A.: Entity authentication and authenticated key transport protocols employing asymmetric techniques. In: Christianson, B., Lomas, M. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 137–158. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  8. 8.
    Boyd, C., Mathuria, A.: Protocols for Authentication and Key Establishment. Springer, Heidelberg (2003)Google Scholar
  9. 9.
    Camenisch, J., Damgård, I.: Verifiable encryption, group encryption, and their applications to separable group signatures and signature sharing schemes. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 331–345. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  10. 10.
    Camenisch, J., Shoup, V.: Practical verifiable encryption and decryption of discrete logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997)Google Scholar
  12. 12.
    Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001), CrossRefGoogle Scholar
  13. 13.
    Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–199. Springer, Heidelberg (1987)Google Scholar
  14. 14.
    Goldreich, O.: Foundations of Cryptography Basic Tools. Cambridge University Press, Cambridge (2001)zbMATHCrossRefGoogle Scholar
  15. 15.
    Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)Google Scholar
  16. 16.
    Stadler, M.A.: Publicly verifiable secret sharing. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 190–199. Springer, Heidelberg (1996)Google Scholar
  17. 17.
    Yang, G., Wong, D., Deng, X.: Efficient anonymous roaming and its security analysis. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 334–349. Springer, Heidelberg (2005)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Xiaojian Tian
    • 1
  • Duncan S. Wong
    • 1
  1. 1.Department of Computer ScienceCity University of Hong KongHong Kong

Personalised recommendations