36:
444:. Voice authentication, however, presumes that it is infeasible for a man-in-the-middle to spoof one participant's voice to the other in real-time, which may be an undesirable assumption. Such protocols may be designed to work with even a small public value, such as a password. Variations on this theme have been proposed for
401:
Hybrid systems use public-key cryptography to exchange secret keys, which are then used in a symmetric-key cryptography systems. Most practical applications of cryptography use a combination of cryptographic functions to implement an overall system that provides all of the four desirable features of
302:
The session key may be generated via: key transport, key agreement and hybrid. If there is no trusted third party, then the cases of key transport and hybrid session key generation are indistinguishable. SKA is concerned with protocols in which the session key is established using only symmetric
328:
A wide variety of cryptographic authentication schemes and protocols have been developed to provide authenticated key agreement to prevent man-in-the-middle and related attacks. These methods generally mathematically bind the agreed key to other agreed-upon data, such as the following:
415:
protocols require the separate establishment of a password (which may be smaller than a key) in a manner that is both private and integrity-assured. These are designed to resist man-in-the-middle and other active attacks on the password and the established keys. For example,
156:
Secure agreement is defined relative to a security model, for example the
Universal Model. More generally, when evaluating protocols, it is important to state security goals and the security model. For example, it may be required for the session key to be
140:
as a function of information provided by each honest party so that no party can predetermine the resulting value. In particular, all honest participants influence the outcome. A key-agreement protocol is a specialisation of a key-exchange protocol.
298:
The pre-shared key may be shared between the two parties, or each party may share a key with a trusted third party. If there is no secure channel (as may be established via a pre-shared key), it is impossible to create an authenticated session key.
392:
component of the IPsec protocol suite for securing
Internet Protocol communications. However, these systems require care in endorsing the match between identity information and public keys by certificate authorities in order to work properly.
225:
with whom the agreeing parties share a secret is assumed. If no third party is present, then achieving SKA can be trivial: we assume that two parties share an initial secret and have tautologically achieved SKA.
144:
At the end of the agreement, all parties share the same key. A key-agreement protocol precludes undesired third parties from forcing a key choice on the agreeing parties.A secure key agreement can ensure
190:
Exponential key exchange in and of itself does not specify any prior agreement or subsequent authentication between the participants. It has thus been described as an anonymous key agreement protocol.
240:
The initial exchange of a shared key must be done in a manner that is private and integrity-assured. Historically, this was achieved by physical means, such as by using a trusted
360:
have a public-key infrastructure, they may digitally sign an agreed Diffie–Hellman key, or exchanged Diffie–Hellman public keys. Such signed keys, sometimes signed by a
389:
440:
to derive a short-term shared key, and then subsequently authenticate that the keys match. One way is to use a voice-authenticated read-out of the key, as in
187:
a generator with random numbers, in such a way that an eavesdropper cannot feasibly determine what the resultant value used to produce a shared key is.
772:
168:
In many key exchange systems, one party generates the key, and sends that key to the other party; the other party has no influence on the key.
356:
vouching for his identity, Alice can have considerable confidence that a signed key she receives is not an attempt to intercept by Eve. When
161:. A protocol can be evaluated for success only in the context of its goals and attack model. An example of an adversarial model is the
100:
72:
53:
79:
809:
755:
666:
592:
585:
Proceedings of the
International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology
507:
412:
826:
451:
In an attempt to avoid using any additional out-of-band authentication factors, Davies and Price proposed the use of the
86:
691:
522:
629:
560:
119:
870:
68:
710:
437:
425:
180:
610:"A modular approach to the design and analysis of authentication and key exchange protocols (Extended abstract)"
248:
57:
517:
17:
734:. Lecture Notes in Computer Science. Vol. 13093. Springer International Publishing. pp. 681–710.
207:
497:
312:
234:
158:
153:
in communications systems, ranging from simple messaging applications to complex banking transactions.
436:
If one has an integrity-assured way to verify a shared key over a public channel, one may engage in a
263:
as a trusted third party. The original
Needham-Schroeder protocol is vulnerable to a replay attack.
93:
726:
Boyd, Colin; Davies, Gareth T.; de Kock, Bor; Gellert, Kai; Jager, Tibor; Millerjord, Lise (2021).
527:
377:
322:
713:
for a more complete history of both the secret and public development of public-key cryptography.
230:
211:
203:
46:
686:(Third ed.). Boca Raton London New York: CRC Press Taylor & Francis Group. p. 49.
417:
865:
361:
283:
Boyd et al. classify two-party key agreement protocols according to two criteria as follows:
179:
The first publicly known public-key agreement protocol that meets the above criteria was the
791:
421:
373:
8:
402:
secure communications (confidentiality, integrity, authentication, and non-repudiation).
353:
272:
268:
222:
549:
512:
472:
452:
385:
260:
137:
805:
751:
687:
662:
625:
588:
556:
492:
477:
349:
841:
797:
743:
735:
654:
617:
614:
Proceedings of the thirtieth annual ACM symposium on Theory of computing - STOC '98
580:
256:
739:
162:
146:
658:
646:
581:"Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels"
502:
487:
318:
184:
150:
801:
728:"Symmetric Key Exchange with Full Forward Security and Robust Synchronization"
727:
859:
482:
357:
218:
202:
Symmetric Key
Agreement (SKA) is a method of key-agreement that uses solely
621:
747:
365:
291:
252:
609:
229:
SKA contrasts with key-agreement protocols that include techniques from
460:
456:
845:
773:"On the impossibility of fair exchange without a trusted third party"
445:
406:
264:
136:
is a protocol whereby two (or more) parties generate a cryptographic
35:
463:, which has been subject to both attack and subsequent refinement.
441:
352:
keys that must be integrity-assured: if Bob's key is signed by a
348:
A widely used mechanism for defeating such attacks is the use of
241:
317:
Anonymous key exchange, like Diffie–Hellman, does not provide
369:
608:
Bellare, Mihir; Canetti, Ran; Krawczyk, Hugo (23 May 1998).
271:
are included to fix this attack. It forms the basis for the
616:. Association for Computing Machinery. pp. 419–428.
428:
are password-authenticated variations of Diffie–Hellman.
381:
214:. It is related to Symmetric Authenticated Key Exchange.
725:
790:
Boyd, Colin; Mathuria, Anish; Stebila, Douglas (2020).
651:
Proceedings 1996 IEEE Symposium on
Security and Privacy
546:
523:
Neural cryptography § Neural key exchange protocol
607:
547:
Menezes, A.; Oorschot, P. van; Vanstone, S. (1997).
364:, are one of the primary mechanisms used for secure
789:
60:. Unsourced material may be challenged and removed.
793:Protocols for Authentication and Key Establishment
548:
857:
834:IEEE Journal on Selected Areas in Communications
278:
578:
770:
287:whether a pre-shared key already exists or not
827:"Security architectures using formal methods"
574:
572:
27:Protocol for agreeing on a cryptographic key
681:
647:"What do we mean by entity authentication?"
579:Canetti, Ran; Krawczyk, Hugo (6 May 2001).
174:
721:
719:
569:
321:of the parties, and is thus vulnerable to
197:
796:. Information Security and Cryptography.
771:Pagnia, Henning; Gaertner, Felix (1999).
653:. IEEE Computer Society. pp. 46–54.
120:Learn how and when to remove this message
682:Katz, Jonathan; Lindell, Yehuda (2021).
644:
380:protocols). Other specific examples are
249:Needham-Schroeder Symmetric Key Protocol
783:
732:Advances in Cryptology – ASIACRYPT 2021
716:
14:
858:
824:
705:
703:
508:Password-authenticated key agreement
413:Password-authenticated key agreement
247:An example of a SKA protocol is the
58:adding citations to reliable sources
29:
684:Introduction to modern cryptography
24:
217:SKA may assume the use of initial
25:
882:
700:
396:
306:
551:Handbook of Applied Cryptography
255:between two parties on the same
34:
818:
431:
183:, in which two parties jointly
45:needs additional citations for
777:Echnical Report TUD-BS-1999-02
764:
675:
638:
601:
540:
343:
13:
1:
533:
518:Zero-knowledge password proof
290:the method of generating the
279:Types of Secret Key Agreement
740:10.1007/978-3-030-92068-5_23
587:. Springer-Verlag: 453–474.
405:
235:key encapsulation mechanisms
208:cryptographic hash functions
7:
711:Diffie–Hellman key exchange
645:Gollmann, D. (6 May 1996).
555:(5th ed.). CRC Press.
498:Key encapsulation mechanism
466:
438:Diffie–Hellman key exchange
313:Authenticated key agreement
181:Diffie–Hellman key exchange
10:
887:
659:10.1109/SECPRI.1996.502668
310:
802:10.1007/978-3-662-58146-9
323:man-in-the-middle attacks
528:Quantum key distribution
378:Transport Layer Security
333:Public/private key pairs
212:cryptographic primitives
175:Exponential key exchange
69:"Key-agreement protocol"
871:Key-agreement protocols
231:asymmetric cryptography
198:Symmetric Key Agreement
825:Boyd, C. (June 1993).
204:symmetric cryptography
134:key-agreement protocol
622:10.1145/276698.276854
362:certificate authority
54:improve this article
448:pairing protocols.
354:trusted third party
251:. It establishes a
223:trusted third party
132:In cryptography, a
513:Interlock protocol
473:Key (cryptography)
453:interlock protocol
336:Shared secret keys
846:10.1109/49.223872
811:978-3-662-58145-2
757:978-3-030-92067-8
668:978-0-8186-7417-4
594:978-3-540-42070-5
493:Digital signature
478:Computer security
273:Kerberos protocol
130:
129:
122:
104:
16:(Redirected from
878:
850:
849:
831:
822:
816:
815:
787:
781:
780:
768:
762:
761:
723:
714:
707:
698:
697:
679:
673:
672:
642:
636:
635:
605:
599:
598:
576:
567:
566:
554:
544:
350:digitally signed
125:
118:
114:
111:
105:
103:
62:
38:
30:
21:
886:
885:
881:
880:
879:
877:
876:
875:
856:
855:
854:
853:
829:
823:
819:
812:
788:
784:
769:
765:
758:
724:
717:
708:
701:
694:
680:
676:
669:
643:
639:
632:
606:
602:
595:
577:
570:
563:
545:
541:
536:
469:
434:
410:
399:
346:
315:
309:
281:
233:. For example,
200:
194:
177:
171:
163:Dolev-Yao model
147:confidentiality
126:
115:
109:
106:
63:
61:
51:
39:
28:
23:
22:
15:
12:
11:
5:
884:
874:
873:
868:
852:
851:
840:(5): 694–701.
817:
810:
782:
763:
756:
715:
699:
693:978-0815354369
692:
674:
667:
637:
630:
600:
593:
568:
561:
538:
537:
535:
532:
531:
530:
525:
520:
515:
510:
505:
503:Key management
500:
495:
490:
488:Secure channel
485:
480:
475:
468:
465:
433:
430:
409:
404:
398:
397:Hybrid systems
395:
345:
342:
341:
340:
337:
334:
319:authentication
311:Main article:
308:
307:Authentication
305:
296:
295:
288:
280:
277:
219:shared secrets
199:
196:
176:
173:
151:data integrity
128:
127:
42:
40:
33:
26:
9:
6:
4:
3:
2:
883:
872:
869:
867:
864:
863:
861:
847:
843:
839:
835:
828:
821:
813:
807:
803:
799:
795:
794:
786:
778:
774:
767:
759:
753:
749:
748:11250/2989781
745:
741:
737:
733:
729:
722:
720:
712:
706:
704:
695:
689:
685:
678:
670:
664:
660:
656:
652:
648:
641:
633:
631:0-89791-962-9
627:
623:
619:
615:
611:
604:
596:
590:
586:
582:
575:
573:
564:
562:0-8493-8523-7
558:
553:
552:
543:
539:
529:
526:
524:
521:
519:
516:
514:
511:
509:
506:
504:
501:
499:
496:
494:
491:
489:
486:
484:
483:Cryptanalysis
481:
479:
476:
474:
471:
470:
464:
462:
458:
454:
449:
447:
443:
439:
429:
427:
423:
419:
414:
408:
403:
394:
391:
387:
383:
379:
375:
371:
367:
363:
359:
358:Alice and Bob
355:
351:
338:
335:
332:
331:
330:
326:
324:
320:
314:
304:
300:
293:
289:
286:
285:
284:
276:
274:
270:
266:
262:
258:
254:
250:
245:
243:
238:
236:
232:
227:
224:
220:
215:
213:
209:
205:
195:
192:
188:
186:
182:
172:
169:
166:
164:
160:
159:authenticated
154:
152:
148:
142:
139:
135:
124:
121:
113:
102:
99:
95:
92:
88:
85:
81:
78:
74:
71: –
70:
66:
65:Find sources:
59:
55:
49:
48:
43:This article
41:
37:
32:
31:
19:
18:Key agreement
866:Cryptography
837:
833:
820:
792:
785:
776:
766:
731:
683:
677:
650:
640:
613:
603:
584:
550:
542:
450:
435:
432:Other tricks
411:
400:
347:
327:
316:
303:primitives.
301:
297:
282:
246:
239:
228:
216:
201:
193:
189:
185:exponentiate
178:
170:
167:
155:
143:
133:
131:
116:
107:
97:
90:
83:
76:
64:
52:Please help
47:verification
44:
368:(including
366:web traffic
344:Public keys
292:session key
253:session key
860:Categories
534:References
461:Adi Shamir
457:Ron Rivest
265:Timestamps
259:, using a
110:March 2024
80:newspapers
446:Bluetooth
407:Passwords
339:Passwords
467:See also
388:and the
779:: 1–15.
442:PGPfone
257:network
242:courier
94:scholar
808:
754:
690:
665:
628:
591:
559:
424:, and
390:ISAKMP
269:nonces
261:server
96:
89:
82:
75:
67:
830:(PDF)
422:SPEKE
370:HTTPS
221:or a
101:JSTOR
87:books
806:ISBN
752:ISBN
709:See
688:ISBN
663:ISBN
626:ISBN
589:ISBN
557:ISBN
459:and
267:and
244:.
206:and
149:and
73:news
842:doi
798:doi
744:hdl
736:doi
655:doi
618:doi
455:of
426:SRP
418:EKE
416:DH-
386:YAK
382:MQV
376:or
374:SSL
237:.
210:as
165:.
138:key
56:by
862::
838:11
836:.
832:.
804:.
775:.
750:.
742:.
730:.
718:^
702:^
661:.
649:.
624:.
612:.
583:.
571:^
420:,
384:,
372:,
325:.
275:.
848:.
844::
814:.
800::
760:.
746::
738::
696:.
671:.
657::
634:.
620::
597:.
565:.
294:.
123:)
117:(
112:)
108:(
98:·
91:·
84:·
77:·
50:.
20:)
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.