Secure Authenticated Broadcast Communication in Fully Connected Networks
Sandeep Kulkarni, Michigan State University
[email protected]
Bruhadeshwar Bezawada, IIIT Hyderabad, India 500019
[email protected]
Mohamed G. Gouda, University of Texas at Austin
[email protected]
Abstract
We address the problem of secure authenticated broadcast in fully connected networks where every user has a communication channel with every other user. The problem poses interesting challenges, and current solutions trade off either storage or computational overhead. We describe three solutions that provide a good balance of storage and computational complexity. Our solutions use concepts like compatible keys, one-way hash chains and logarithmic keying to achieve efficiency. By using a logical hierarchical partitioning of users, our solutions achieve scalability.
1 Introduction
We address the problem of confidentiality and authentication in a fully connected network of users. In such a network, a user is capable of sending a message to (a) a single user, (b) a subset of users and (c) the entire group of users. Such networks occur in many practical scenarios like peer-to-peer networks and sensor networks. Due to security or commercial reasons, it is necessary to ensure confidentiality and authenticity of the messages being sent. Although stand-alone confidentiality is relatively easy to achieve, coupled with authentication it becomes a challenging problem. Existing cryptographic solutions for such applications either require a large storage or are computationally expensive. Thus, for fully connected networks, there is a critical need for solutions that ensure secure and authenticated communication without placing high storage or computational overhead.

To achieve confidentiality in broadcast communication, several solutions [1–3] have proposed the use of a common shared group key among the users. The group key is distributed to the users by a central authority called the group controller. In fully connected networks, using this solution, the group key can be used by any user to encrypt the message sent to the group, and this message can be decrypted by the remaining users. However, since the group key is a symmetric key, it cannot be used for authenticating the sender. Thus, this solution achieves confidentiality but lacks sender authentication.

One approach to achieve authentication is to use a single symmetric group key for confidentiality and a public-private key pair for authentication. Public-key cryptography enables senders to use digital signatures for authenticating messages. However, public-key based approaches are computationally expensive, especially in scenarios where the sender needs to send many messages. The process of generating digital signatures with public keys requires large modular exponentiation and hence drains the resources of the sender, e.g., a sensor mote. Moreover, each user will need to store all the public keys of the remaining users, which is not a scalable approach for large groups of users.

A feasible and practical approach is to use symmetric cryptography based approaches [4–6] for authentication. The symmetric secrets can be pre-established using public keys or using a Kerberos key distribution center. In [6], the authors propose using symmetric shared secrets for authentication. This approach requires different users to share different subsets of keys. The set of keys held by a user can authenticate a user. However, this approach is probabilistic in nature and requires a large number of keys to be stored by each user. In [4], the sender uses one-way hash chains and a delayed disclosure process to ensure authentication. The sender initially reveals a public value, the hash value in the hash chain that has the highest exponent, and reveals other values in a timed manner. This approach requires sender synchronization and, moreover, it needs to be repeated for every session. In [5], the authors propose broadcast authentication mechanisms that require only a small amount of storage at each user. However, they do not address the issue of confidentiality in their work.

In this work, we propose different techniques that have interesting features and tradeoffs. To describe our solutions, we use the hierarchical key distribution protocols described in [7, 8] and extend them to solve the current problem. For the key distribution in [7], which provides unicast confidentiality, we define and illustrate the use of one-way functions that enable broadcast confidentiality and sender authentication. For the key distribution in [8], which provides broadcast authentication, we describe extensions for achieving broadcast confidentiality as well. We present three solutions in increasing order of simplicity and efficiency.

In the first solution, we use the concept of compatible keys from [9, 10] to enable the users to generate a decrypting key for the broadcasted message. We describe extensions of this technique to reduce the signature cost in a broadcast communication. In the second solution, the sender uses a dual one-way hash chain technique to establish the encrypting key for the broadcast message. For authentication, the sender reveals values in the hash chain which only he could have generated. In the third solution, the secret used to encrypt the broadcast message is revealed by the sender at initialization. The basic key distribution is as described in [5, 8], which enables broadcast authentication. By adding this additional feature we show that broadcast confidentiality can be achieved as well.

Our contributions are as follows:
• We describe three solutions with various trade-offs in storage and computational complexity. Our solutions require a small amount of storage and enable any user to broadcast a message in a secure and authenticated manner.
• As our solutions are extensions of key distribution protocols for unicast confidentiality, by default they retain the basic properties of the underlying key distribution protocols. For example, if the underlying key distribution protocol provides for unicast confidentiality then our solutions retain this property of the underlying protocol. Thus, our solutions increase the utility of these existing key distribution protocols.
• Our solutions trade off collusion resistance for efficiency. However, for most practical scenarios, our solutions provide sufficient security. The actual extent of collusion resistance depends on the application at hand.

Organization. In Section 2, we briefly describe the underlying key distribution protocols that we have extended in our solutions. In Section 3, we describe our solutions in detail and conclude the paper in Section 4.
2 Preliminaries
In Section 2.1, we describe the protocol from [7], which uses one-way functions to achieve an optimal key distribution for securing communication. This solution only provides unicast confidentiality and is not efficient for broadcast communication. In Section 2.2, we describe the protocol from [8], which provides broadcast authentication. This solution does not work well for broadcast confidentiality. Both these solutions are good in terms of the storage required by the users and the computation involved in them.
2.1 One-Way Function Based Key Distribution for Secure Communication
The following describes a scheme for key distribution for secure communication in a fully connected graph. The vertices of the graph correspond to users. The proposed scheme is based on the following subscheme. Consider two groups of users, X and Y. Let the users in Y be named y1, y2, ..., yn. To obtain the key distribution, we proceed as follows: We create a secret, say s, and give it to every user in X. Now, user yj from Y gets the secret f(s, j), where f is a one-way function.

Theorem 1. Any message encrypted by f(s, j) can be decrypted only by yj or any user in X.

We call the above scheme hs(X, Y). The secret s used above is called the master secret.

Theorem 2. Each user in X ∪ Y gets a unique secret in scheme hs(X, Y).

Now, we use this scheme for secure communication between arbitrary users. Towards this end, consider the case where the system users are divided into two parts, X1 and X2, i.e., X1 ∩ X2 = ∅ and X1 ∪ X2 = set of all users. Apply the schemes hs(X1, X2) and hs(X2, X1). Let s1 and s2 be the respective master secrets used above.

Theorem 3. Given two users, xj ∈ X1 and xk ∈ X2, they can communicate securely using the secret f(s2, j) XOR f(s1, k).

Proof. Based on Theorem 1, the users that can generate f(s2, j) are those in X2 and xj. Likewise, the users that can generate f(s1, k) are those in X1 and xk. Thus, xj and xk are the only users that can generate both the secrets.

The above scheme maintains 2 secrets per user. It allows a user in X1 to communicate with a user in X2 and vice versa. However, it does not allow two users in X1 (respectively X2) to communicate with each other. This problem can be solved recursively by applying the same algorithm for X1 and X2 independently.

Theorem 4. The number of secrets in the recursive scheme is 2 log N.

Proof. At each level, a user needs to store two keys. One key is its local key, with which it generates keys for the other partition of users. The other key is the one which the user gets from the other partition. Since there are log N levels, the total amount of storage is only 2 log N keys.

Theorem 5. The above scheme allows any two users to communicate securely with each other.
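As an added worked example (not code from the paper), the recursive scheme of Theorems 3 and 4 in Python, instantiating the one-way function f as HMAC-SHA256 (an assumption; the paper fixes no particular f): each user keeps its half's master secret and one received value per level, and two users in different halves derive the shared secret f(s2, j) XOR f(s1, k) from what they hold.

```python
import hashlib
import hmac
import os


def f(secret: bytes, index: int) -> bytes:
    """One-way function f(s, j): HMAC-SHA256 over the user's index (assumed instantiation)."""
    return hmac.new(secret, index.to_bytes(4, "big"), hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def distribute(users):
    """Recursive hs() key distribution.

    Returns {user: [level records]}; each record holds, for one level of the hierarchy,
    which half the user sits in, its index within that half, the master secret of its
    own half ('local') and f(other_half_secret, index) ('remote').
    """
    store = {u: [] for u in users}

    def split(group):
        if len(group) < 2:
            return                                   # a single user needs no further keys
        half = len(group) // 2
        halves = (group[:half], group[half:])        # X1, X2
        secrets = (os.urandom(32), os.urandom(32))   # s1 for X1, s2 for X2
        for side in (0, 1):
            other = 1 - side
            for idx, u in enumerate(halves[side]):
                store[u].append({"side": side, "index": idx,
                                 "local": secrets[side],             # master secret of own half
                                 "remote": f(secrets[other], idx)})  # received from the other half
        split(halves[0])
        split(halves[1])

    split(list(users))
    return store


def pairwise_key(store, me, peer):
    """Theorem 3 from 'me's point of view: walk down the hierarchy to the first level
    where the two users fall into different halves, then combine the value received
    from the peer's half with the value computed for the peer from the local secret."""
    for mine, theirs in zip(store[me], store[peer]):
        if mine["side"] != theirs["side"]:
            received = mine["remote"]                     # f(s_peer_half, my index)
            computed = f(mine["local"], theirs["index"])  # f(s_my_half, peer index)
            return xor(received, computed)
    raise ValueError("a user has no pairwise key with itself")


def secrets_held(store, user) -> int:
    """Theorem 4: two secrets per level, i.e. 2 log N for N a power of two."""
    return 2 * len(store[user])


if __name__ == "__main__":
    group = [f"u{i}" for i in range(8)]          # constructed sample group, N = 8
    store = distribute(group)
    k = pairwise_key(store, "u0", "u5")
    print(k == pairwise_key(store, "u5", "u0"))   # both ends derive the same secret
    print("secrets per user:", secrets_held(store, "u0"))
```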
2.2 Key Distribution for Star Networks

[Figure 1 not reproduced: center node A holds the keys K1, K2, K3, K4; each of the six satellite nodes A1 to A6 holds a distinct two-key subset, e.g. A1 holds K1, K2.]
Figure 1: Example Key Distribution for Star Network

In the key distribution protocols described in [8], the center node maintains a set of k keys. Each satellite node receives a unique subset of size l from this set. Note that, by construction, no two satellite nodes have identical subsets of keys. We term this protocol instance p(k, l). Using p(k, l), authentication of messages can be achieved in the communication as follows: To authenticate a message m broadcasted by the center node to the satellite nodes, the center node generates authentication codes with each of the k keys. In this context, an authentication code is a secure hash/encryption computed using a shared symmetric key. Hence, each authentication code consists of the message digest md of the message computed using a key held by the center. The center appends the k authentication codes thus generated to the message and broadcasts the resulting message. Now, when a satellite node receives this message, it uses its subset of l keys to compute l authentication codes. The satellite node then verifies these authentication codes against the corresponding authentication codes sent by the center node. Note that each satellite node can verify only those authentication codes for which it has the corresponding generating key.

In [8], the authors have shown that given a set of n satellite nodes, maintaining k = log n + (1/2) log log n + 1 secrets at the center node is sufficient if each node receives k/2 keys. If each node receives k/2 keys then there exists a set of two nodes whose collusion can reveal all the keys. Hence, to deal with this case, we can assign each node only k/m keys, where m is the level of desired collusion resistance. For example, if we choose m = 10 then maintaining 40 keys and letting each node receive 4 would allow C(40, 4) = 91390 satellite nodes.

In Figure 1, we show a center node with 6 satellite nodes. The center node generates 4 secrets, which it will use for signing the messages it transmits. Now, from these secrets, the center node chooses a unique subset of size 2 and gives each such subset to a different satellite node. For example, in the figure, node A1 receives the subset of secrets K1, K2 and user 2 receives the subset of secrets K2, K3. Note that the center node can support C(4, 2) = 6 users in this manner. Now, for authenticating a message, the center node generates message authentication codes with all the secrets it has and transmits these codes along with the message it sends out. Each satellite node verifies those codes for which it has the generating secrets. For example, A1 will be able to generate and verify the message authentication codes generated using secrets K1 and K2.

Reduced Storage Key Distribution in Fully Connected Networks. The above key distribution will not scale for a fully connected network where every node is a sender as well as a receiver. The amount of storage required by each user will be O(N log N) keys. Recently, in [8, 11, 12], the authors describe storage efficient key distribution protocols for achieving confidentiality and authentication in completely connected communication networks. Essentially, these protocols maintain a higher dimension grid to reduce the number of keys used in them. Of these, the protocol in [11] uses 4 log^2 N keys, the protocol in [12] improves it to log^2 N and the protocol in [8] improves it to (1/2) log^2 N + O(log N + log log N). All these protocols provide the property that if a node sends a message that includes a signature from each of the keys it has and the receiver verifies the signatures based on the common keys, then it can conclude that the message is authentic. The most storage efficient of these protocols is the one from [8]. One can choose the appropriate protocol depending on the type of storage and verification requirements.
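An added illustration (not the paper's code) of p(k, l) authentication with the Figure 1 parameters k = 4, l = 2: the center tags a message under all k keys, each satellite checks only the tags for the keys it holds, and the collusion remark is made concrete by counting how many keys a coalition of satellites learns. HMAC-SHA256 stands in for the unspecified authentication code, and subsets are handed out in lexicographic order, so only A1 necessarily matches the figure's numbering.

```python
import hashlib
import hmac
import math
import os
from itertools import combinations

TAG_LEN = 32


def tag(key: bytes, message: bytes) -> bytes:
    """Authentication code under one symmetric key (HMAC-SHA256 assumed)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def capacity(k: int, l: int) -> int:
    """Number of distinct l-subsets of a k-key pool, i.e. satellites p(k, l) can serve."""
    return math.comb(k, l)


def setup_star(k: int, l: int, n_satellites: int):
    """Center keeps k keys; satellite A_i gets the i-th l-subset in lexicographic order."""
    if n_satellites > capacity(k, l):
        raise ValueError(f"p({k}, {l}) supports at most {capacity(k, l)} satellites")
    pool = [os.urandom(16) for _ in range(k)]
    subsets = list(combinations(range(k), l))
    satellites = {f"A{i + 1}": {idx: pool[idx] for idx in subsets[i]}
                  for i in range(n_satellites)}
    return pool, satellites


def center_sign(pool, message: bytes):
    """The center appends one authentication code per pool key, in pool order."""
    return [tag(key, message) for key in pool]


def satellite_verify(held, message: bytes, codes) -> bool:
    """A satellite recomputes and checks exactly the codes whose generating key it holds."""
    return all(hmac.compare_digest(tag(key, message), codes[idx])
               for idx, key in held.items())


def partial_codes(held, k: int, message: bytes):
    """Codes a single satellite can produce on its own: valid only at the positions of
    its l keys, filler elsewhere. Shows why any satellite holding another key rejects them."""
    return [tag(held[idx], message) if idx in held else bytes(TAG_LEN) for idx in range(k)]


def keys_learned(satellites, colluders) -> int:
    """How many distinct pool keys a coalition of satellites holds between them."""
    learned = set()
    for name in colluders:
        learned |= set(satellites[name])
    return len(learned)


def min_colluders_to_cover(satellites, k: int) -> int:
    """Smallest coalition whose subsets cover the whole pool (brute force; fine for small k).
    With l = k/2 the answer is 2, the case the text warns about."""
    names = list(satellites)
    for size in range(1, len(names) + 1):
        if any(keys_learned(satellites, c) == k for c in combinations(names, size)):
            return size
    return 0   # no coalition covers the pool


if __name__ == "__main__":
    pool, sats = setup_star(4, 2, 6)            # Figure 1 parameters
    msg = b"constructed broadcast from the center"
    codes = center_sign(pool, msg)
    print({name: satellite_verify(held, msg, codes) for name, held in sats.items()})
    print("colluders needed to learn all keys:", min_colluders_to_cover(sats, 4))
    print("satellites supported by p(40, 4):", capacity(40, 4))
```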
3 Our Solutions
We assume that a hierarchical partitioning as described in [7] exists and hence describe our solutions for the lowest level in this partitioning. The extensions to higher levels are in the same way as described in [7, 8]. We use the notation from Section 2.1. We denote the partitions by X and Y, the users in X as x1, x2, ..., and the users in Y as y1, y2, .... Also, we assume that there is a global authority who is in charge of partitioning the users and distributing the keys for each partition.
3.1 Using Compatible Keys
We use the notion of compatible keys from [9, 10] to describe our solution. In [10], the authors apply compatible keys to reduce multicast encryption/decryption, but do not address the issue of multiple senders. If the scheme in [10] is directly applied to the multiple sender scenario then the amount of storage required per user is O(N). We show that, using the hierarchical partitioning, the storage can be reduced. Moreover, we extend this scheme to provide broadcast authentication as well.

The notion of compatible keys can be understood as follows. Consider a pair of keys, {K_i, K_i^{-1}}. The key K_i^{-1} can decrypt any message that is encrypted with K_i. The encryption/decryption algorithm is the same as the RSA algorithm. Now, a compatible key {K_j, K_j^{-1}} exists for this key pair when K_i = K_j but K_i^{-1} ≠ K_j^{-1}. This implies that for decrypting a message encrypted with K_i, either of the keys K_i^{-1} or K_j^{-1} can be used. According to the theory in [9], many such compatible keys can be constructed for a given encrypting key K_i. For simplicity, we call K_i the encrypting key and the keys K_i^{-1}, K_j^{-1}, etc., the compatible decrypting keys.

Confidentiality. Now, assume that a user x1 in a partition X needs to send a broadcast to all the users in the partition Y. The global controller generates a key K_i and gives it to all the users in X. Also, for each user in Y, the global controller distributes a different compatible decrypting key for the key K_i. The encrypting key is not given to the users in Y. By using techniques in [9], it is possible to generate compatible decrypting keys without revealing the encrypting key. Now, a user x1 can use the key K_i to send a broadcast message to the users. Since every other user in the Y partition has a (different) compatible decrypting key, they can decrypt the broadcasted message. Thus, this approach requires only one encryption and decryption.

Authentication. Now, to achieve authentication, we consider the compatible key that x1 received from the partition Y. By construction, this key is unique to x1. So, the user x1 computes a hash of the message and encrypts this hash with the compatible key. Since the users in the Y partition have the corresponding decrypting key, they can verify this message. Furthermore, by construction, the users in Y can be guaranteed that no other user in X could have sent this message. This process is equivalent to computing digital signatures using public keys in RSA and hence, security is equivalent to that of RSA.

For comparing the complexity, we consider the straightforward extension of the scheme from [10], i.e., each user generates one encrypting key and N − 1 compatible decryption keys for each of the remaining N − 1 users. The storage in this case is N public keys per user, as each user needs to store N − 1 compatible decrypting keys, one for every sender. The encryption overhead in the simple scheme is only one encryption. But the signature cost is very high, as the sender needs to sign the message with all the compatible decrypting keys that he received from the other users. Thus, the signature cost is O(N) public-key encryptions.

Storage Overhead. Each user needs to store one encrypting key (for the partition he belongs to) and one compatible key (that he receives from the other partition). Since there are log N levels, the number of public keys stored using this scheme is 2 log N per user. Note that, as required in the RSA algorithm, the size of the public keys needs to be large, i.e., greater than or equal to 1024 bits. This implies that an O(N) public-key storage is significantly higher than O(log N) storage. Thus, using the hierarchical partitioning we have reduced the storage cost from O(N) in the simple solution to O(log N).

Computation Overhead. For one broadcasted message, per partition, each user needs to perform (a) one public-key encryption to encrypt the message, and (b) one digital signature, i.e., one message digest computation using MD5/SHA1 and one public-key encryption. The sender complexity is two public-key encryptions and one message digest computation. Thus, the total cost of sending an encrypted and signed message is 2 log N public-key encryptions and log N message digest computations. Hence, our solution reduces the signature cost from O(N) to O(log N) while increasing the public-key encryption cost from O(1) to O(log N). This saving is significant in the context of large groups. The computational complexity is slightly better for the receiver. Each receiver only needs to perform one public-key decryption and one digital signature verification.

Public-key based solutions often suffer from high complexity or storage. For example, 2 log N keys of size 1024 bits are equivalent to 16 log N symmetric keys of size 128 bits, which is a large value. Moreover, one public-key operation is equivalent to 100 symmetric operations in software and 1000 operations in hardware. So, it is preferable to choose symmetric cryptography based solutions. In the next two sections, we describe two such solutions.
3.2 Using One-way Hash Chains
To describe the solution using one-way hash chains, consider the notion of one-way hash chains. One-way hash chains were used by Lamport [13] for authentication. A one-way hash chain is generated from a random seed s by repeated application of a hash function on the seed. The values in a one-way hash chain are as follows: h(s), h^2(s), h^3(s), .... The notation h^t(s) denotes that the one-way hash function h has been applied t times over the random seed. Assuming that h is a strong collision resistant hash function, it is difficult to compute h^(t−1)(s) from h^t(s). But computing h^(t+1)(s) and higher values in the chain from h^t(s) is very easily achieved.

Using the above concepts, we proceed to describe our solution. As before, consider the users in X. To these users, the global controller distributes two random seeds, s_f, called the forward seed, and s_r, called the reverse seed. Now, the global controller generates two one-way hash chains of the form h(s_f), h^2(s_f), ..., called the forward chain, and h(s_r), h^2(s_r), ..., called the reverse chain, of length |Y| each. Let |Y| be equal to m. Now, a user y_j in the partition gets two values from these two chains. From the forward chain the user y_j receives h^j(s_f) and from the reverse chain the user receives h^(m−j)(s_r). The benefit of distributing values in this manner is that only user y_j in Y has the combination of these two values. No other single user in Y has both these values, nor can generate them. The combination of these values serves as a unique identifying secret for y_j.

Confidentiality. Now, users in the X partition generate an encrypting key that is used for encrypting messages broadcasted to the users in partition Y. This key is given by h^m(s_f) XOR h^m(s_r). Note that this value can be computed by all the users in the partition Y by using the hash values they received from X. When a user in X wants to send a broadcast message to Y, the message is encrypted with this value and sent. The users in Y can generate the decrypting key to recover the message. To reduce the cost of computing the decrypting key, the users can pre-compute this key once and use it whenever required. This only increases their storage by one additional value.

Authentication. For authentication, we use a similar approach as in the previous solution, i.e., the sending user in X signs the message using the hash chain values that he receives from Y. Since these values uniquely identify a user to Y, they suffice to authenticate this user.

Storage Overhead. Each user receives two values from the other partition and in addition stores two values, one for encrypting messages sent to the other partition and one for decrypting messages received from the other partition. Also, users in each partition need to store the random seeds required to generate the necessary hash chain values. These values can be pre-hashed to reduce storage, i.e., the users can store h(s_f) and h(s_r), as these values are sufficient to compute the necessary secrets. Since there are log N partitions, the total storage is 6 log N hash values.

Computation Overhead. To broadcast a message to the entire group, a user needs to perform one encryption per partition and generate one signature per partition. Thus, the total cost is log N symmetric key encryptions and log N symmetric key signatures (message authentication codes). This solution provides an efficient alternative to the earlier solution that used compatible keys. However, this solution has some drawbacks, especially if the users need to use this approach for achieving unicast confidentiality as well. The reason for this is as follows. Consider two users x1 and y1, from different partitions, who need to establish a symmetric session secret. The user x1 uses the combination of the hash values that X distributed to y1 and the hash values that it received from Y. Note that x1 needs to generate the hash values that are given to y1 at run-time, as storing these values will add to the storage overhead. A similar operation is done by y1 to generate the corresponding secrets needed for the symmetric session secret. Thus, the cost of computing the symmetric session secret is O(M) hash values, where M is the size of the partition X or Y. Note that, if x1 and y1 do not use a combination of secrets then some other user can compromise their communication by generating the corresponding secrets.
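An added example (not the paper's code) of this section's dual hash chain in Python, with SHA-256 as h and HMAC-SHA256 as the symmetric signature, both assumptions: the controller hands y_j its pair, every y_j reaches h^m(s_f) XOR h^m(s_r) by hashing forward, reachable_from shows why no single y_j can assemble another user's pair, and sign/verify show a user in Y recomputing x_i's pair from Y's own seeds at the O(m) hashing cost the text mentions.

```python
import hashlib
import hmac


def h(x: bytes) -> bytes:
    """The one-way hash function h (SHA-256 assumed)."""
    return hashlib.sha256(x).digest()


def h_pow(x: bytes, t: int) -> bytes:
    """h^t(x): apply h t times; h^0(x) is x itself."""
    for _ in range(t):
        x = h(x)
    return x


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def distribute(s_f: bytes, s_r: bytes, m: int):
    """Controller side: y_j (j = 1..m) receives (h^j(s_f), h^(m-j)(s_r)).
    Note that under this indexing y_m receives h^0(s_r), i.e. the reverse seed itself."""
    return {j: (h_pow(s_f, j), h_pow(s_r, m - j)) for j in range(1, m + 1)}


def broadcast_key_from_seeds(s_f: bytes, s_r: bytes, m: int) -> bytes:
    """Sender side in X (holds the seeds): h^m(s_f) XOR h^m(s_r)."""
    return xor(h_pow(s_f, m), h_pow(s_r, m))


def broadcast_key_from_share(j: int, share, m: int) -> bytes:
    """Receiver y_j: hash its forward value m-j more times and its reverse value
    j more times; both land on the m-th element of their chains."""
    fwd, rev = share
    return xor(h_pow(fwd, m - j), h_pow(rev, j))


def reachable_from(j: int, share, target: int, m: int):
    """What y_j can compute of y_target's pair by hashing forward only: the forward
    value needs target >= j, the reverse value needs target <= j. None marks a value
    y_j cannot reach, so only target == j yields a complete pair."""
    fwd, rev = share
    fwd_t = h_pow(fwd, target - j) if target >= j else None
    rev_t = h_pow(rev, j - target) if target <= j else None
    return fwd_t, rev_t


def sign(share, message: bytes) -> bytes:
    """x_i authenticates with the pair it received from Y's chains (HMAC-SHA256 assumed)."""
    fwd, rev = share
    return hmac.new(fwd + rev, message, hashlib.sha256).digest()


def verify(i: int, y_seeds, m: int, message: bytes, mac: bytes) -> bool:
    """A user in Y keeps the seeds of Y's chains, so it regenerates x_i's pair
    (O(m) hashes) and checks the MAC."""
    t_f, t_r = y_seeds
    expected = sign((h_pow(t_f, i), h_pow(t_r, m - i)), message)
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    m = 5                                                       # |Y| = 5, constructed
    s_f, s_r = b"constructed-forward-seed", b"constructed-reverse-seed"
    shares = distribute(s_f, s_r, m)
    k = broadcast_key_from_seeds(s_f, s_r, m)
    print(all(broadcast_key_from_share(j, shares[j], m) == k for j in shares))
    print(reachable_from(2, shares[2], 4, m)[1] is None)       # y_2 cannot reach y_4's reverse value
```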
3.3 Using Logarithmic Keying
In this section, we describe extensions to the solutions proposed in [8] to achieve authenticated broadcast. Note that our extensions can be trivially applied to any key distribution protocol of the form p(k, l), e.g., the logarithmic keying from [5]. Let p(k, l) denote the keys that are given to users in the Y partition, i.e., each user in the Y partition receives a distinct subset of size l chosen from the pool of k keys. Now, for each user, the global controller computes an XOR of the keys that are not given to the user in p(k, l). In other words, the set of keys not given to the user is complementary to the set of keys that it receives. For example, if the set of keys given to y1 is denoted by K_y1 then the set of keys not given to y1 is denoted by K'_y1. The global controller computes the XOR of the keys in K'_y1 and gives this result to the user. Note that the user cannot learn the individual keys in K'_y1, as it does not have even one key from this set.

Confidentiality. Using the above extension, users in X can achieve confidentiality as follows. The encrypting key used by a user in X for broadcasting a message to Y is given by the XOR of all the keys that are given to the partition X. To decrypt this message, a user y1 in Y can XOR the keys that it received from X, i.e., K_y1, and the XOR of K'_y1, to compute the decryption key. The computation consists of XORing all the keys in K_y1 and then XORing the result with the XOR of K'_y1. Since XOR is associative and commutative, this value will be equal to the XOR of the keys given to X. Furthermore, by construction, any user in Y will be able to compute the decryption key.

Authentication. For authentication, we use the same approach as in the previous solutions, i.e., a user x1 in X uses the keys that it received from Y to authenticate itself. The user x1 computes message authentication codes using the set of keys that it received from Y. For stronger authentication guarantees, the user x1 can add the signatures using the p(k, l) scheme as well. This only adds to the overhead of signature generation.

Storage Overhead. Using our extension, each user only needs to store one additional key per level. Hence, the storage complexity is O(log^2 N) for the protocol in [8] and O(log N) for incorporating our extension.

Computation Overhead. The encryption/decryption cost in our solution is O(1) symmetric key encryption/decryption. The signature overhead is slightly higher. The signature generation for user x1, which includes signatures from p(k, l) as well, is O(log^2 N) + O(log^2 N). The verification cost is at most log N (at the highest level in the partition). If x1 decides not to use p(k, l) signatures then the signature generation cost is O(log^2 N) and the verification cost is O(log N).
4 Conclusion
We have addressed the problem of authenticated and secure broadcast communication in fully connected networks. We have proposed three solutions that provide interesting tradeoffs in storage and computational complexity. Our solutions are efficient. Future work is to study the extent of collusion resistance and to devise efficient means to handle such scenarios for these solutions.
References
[1] H. Harney and C. Muckenhirn. Group key management protocol (GKMP) specification. RFC 2093, July 1997.
[2] Debby M. Wallner, Eric J. Harder, and Ryan C. Agee. Key management for multicast: Issues and architectures. RFC 2627.
[3] Chung Kei Wong, Mohamed Gouda, and Simon S. Lam. Secure group communications using key graphs. IEEE/ACM Transactions on Networking, 2000.
[4] A. Perrig, R. Canetti, D. Tygar, and D. Song. The TESLA broadcast authentication protocol. Cryptobytes, 5(2), 2002.
[5] Gouda M. G., Kulkarni S. S., and Elmallah S. E. Logarithmic keying of communication networks. In 8th International Symposium on Stabilization, Safety, and Security of Distributed Systems, SSS-06, 2006.
[6] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B. Pinkas. Multicast security: A taxonomy and some efficient constructions. In IEEE INFOCOM, 1999.
[7] Sandeep S. Kulkarni, Bruhadeshwar Bezawada, and Mohamed Gouda. Optimal key distribution for secure communication. Technical Report MSU-CSE-07-189, Department of Computer Science, Michigan State University, East Lansing, Michigan, July 2007.
[8] Bruhadeshwar Bezawada and Sandeep S. An optimal symmetric secret distribution of star networks. Technical Report MSU-CSE-07-196, Department of Computer Science, Michigan State University, East Lansing, Michigan, November 2007.
[9] Indrakshi Ray, Indrajit Ray, and Natu Narasimhamurthi. A cryptographic solution to implement access control in a hierarchy and more. In SACMAT, pages 65–73, 2002.
[10] Indrakshi Ray and Indrajit Ray. Using compatible keys for secure multicasting in e-commerce. In 16th International Parallel and Distributed Processing Symposium (IPDPS 2002), 15-19 April 2002, Fort Lauderdale, FL, USA, CD-ROM/Abstracts Proceedings. IEEE Computer Society, 2002.
[11] Amitanand S. Aiyer, Alvisi Lorenzo, and Mohammed G. Gouda. Key grids: A protocol family for assigning symmetric keys. In IEEE International Conference on Network Protocols, 2006.
[12] Neeraj Mittal. Space-efficient keying in wireless communication networks. Technical Report UTDCS-26-07, Dept. of Computer Science, University of Texas at Dallas, 2007.
[13] Leslie Lamport. Password authentication with insecure communication, 1981.