Protocols for Authentication and Key Establishment

Colin Boyd and Anish Mathuria

Available from Springer-Verlag in their Information Security and Cryptography series . Also available at amazon.com.

Sample Pages

Errata

Please report any errors to

. Thanks to Raymond Choo, Ying Di, Rob Delicata, Paul Hankes Drielsma, Lars Martensen and Terry Tin for finding some of the errors below.

page X, last line: "Anselm Lingau" should be "Anselm Lingnau".
page 29, Attack 1.2: Add "M" to start of message 4 so that it becomes "C_B -> A: M, {N_A, M, A, B}_{K_{AS}}.
page 52, last sentence of 2.4.2: insert "protection against" before "key compromise impersonation".
page 60, the sentence beginning: "Consider the message exchange S -> A: {N_A,B,K_{AB}}_{K_{AB}} ..." should read "Consider the message exchange S -> A: {N_A,B,K_{AB}}_{K_{AS}} ...". Also the following sentence: "Here K_{AB} is a key shared by A and S ..." should read "Here K_{AS} is a key shared by A and S ...". (In both cases change an instance of "K_{AB}" to "K_{AS}").
page 94, Protocol 3.28 has been broken by Cheng and Comley.
page 97, Attack 3.9: last line in the table should be "I_A -> B: {A, N_I, N_B}_{K_{BS}},{N_B}_{N_I}" not "I_S -> B: ...".
page 97, Attack 3.10: fifth line should be "3'. S -> I_B: N_A, ..." not "3': S -> I_A: N_A, ...".
page 102, first equation: replace "K_{BS}" with "K_{AS}".
page 104, Protocol 3.42: The notation here is somewhat ambiguous. The last part of message 1 is generated for each server. However, the corresponding fields in message 2 are sent separately to each server. Also note that messages 1 and 4 are of size linear in n, so the message count 2n+3 may be rather unfair.
page 120, Attack 4.3: "K_{AB}" should be "K_{AC}" in first flow.
page 155, line 10: "r_A" should be "x_A".
page 168, Protocol 5.17: the MACs computed by B and A should be on the signatures Sig_B(t_B, t_A) and Sig_A(t_A, t_B), respectively (instead of (t_B, t_A) and (t_A, t_B)).
page 169, Protocol 5.18: The message from B to A should have t_B followed by t_A in the signature (not the other way).
page 194, Protocol 5.36: in the definition of K_{AB} replace y_A with y_B so that K_{AB} = h_1(y_B, t_A, K).
page 195, Protocol 5.37: "Three hash functions $h_1, h_2, h_3$" should be "Hash function $H$".
page 222-223, the sentence "In the new run suppose that new values r1', r2' and r3' are chosen by U1, U2, and U3." should have had r4' and U4 in place of r3' and U3.
page 236, Protocol 6.18: Both signatures should include both t_1 and t_i.
page 238, Protocol 6.19: A comma is missing from the end of the first line in both the second and fourth flows.
page 250ff., Section 7.2.1: In the description of EKE the encryption indicated by {.} is not intended to provide integrity, only confidentiality.
page 298, reference 43: "Crypography" should be "Cryptography".
page 310, Reference 252: Missing "i" in "establshment".

Last modified: 2nd April 2007

Colin Boyd