
Key Establishment Protocols

September 4, 2001

Yongdae Kim

Contents
v Classification and framework
v Key transport based on symmetric encryption
v Key agreement based on symmetric techniques
v Key transport based on public-key encryption
v Key agreement based on asymmetric techniques
v Secret sharing
v Conference keying
v Analysis of key establishment protocols

Classification and concepts
v Key establishment: a shared secret becomes available to
two or more parties, for subsequent cryptographic use.
n key transport protocol
w one party creates a secret value and securely transfers it to the other(s).
n key agreement protocol: key establishment technique in which
w a shared secret is derived by two (or more) parties
w as a function of information contributed by each of these
w (ideally) such that no party can predetermine the resulting value
n Key pre-distribution
w resulting established keys are completely determined a priori by initial
keying material

Classification and concepts (cnt.)
v Use of trusted servers
n key establishment protocols involve a centralized or trusted party,
for either or both initial system setup and on-line actions
n trusted third party, trusted server, authentication server, key
distribution center (KDC), key translation center (KTC), and
certification authority (CA).
v secure key establishment
n each party in a key establishment protocol should be able to determine the
true identity of the other(s) which could possibly gain access to the
resulting key, implying preclusion of any unauthorized additional
parties from deducing the same key
n secrecy of key, and identification of those parties with access to it

Classification and concepts (cnt.)

authentication                  depends on context of usage
entity authentication           identity of a party, and aliveness at a given instant
data origin authentication      identity of the source of data
(implicit) key authentication   identity of party which may possibly share a key
key confirmation                evidence that a key is possessed by some party
explicit key authentication     evidence an identified party possesses a given key

Classification and concepts (still)
v (Implicit) Key authentication
n one party is assured that no other party aside from a specifically
identified second party may gain access to a particular secret key
n independent of the actual possession of such key by the second
party, or knowledge of such actual possession by the first party
v Key confirmation
n one party is assured that a second (possibly unidentified) party
actually has possession of a particular secret key
v Explicit key authentication
n both (implicit) key authentication and key confirmation hold
n Possession of key: (keyed) one-way hash, encryption, ZK

Classification and concepts (god…)
v authenticated key establishment
n key establishment + key authentication
v identity-based
n identity information of the party involved is used as public key
v message-independent
n messages sent by each party are independent of any per-session
time-variant data (dynamic data) received from other parties
n Message-independent protocols include non-interactive protocols
(zero-pass and one-pass protocols)

Motivation for use of session key
v Def
n ephemeral secret, i.e., one whose use is restricted to short time
period after which all trace of it is eliminated
v Motivation
n to limit available ciphertext for cryptanalytic attack
n to limit exposure, with respect to both time period and quantity of
data, in the event of (session) key compromise
n to avoid long-term storage of a large number of distinct secret keys
(in the case where one terminal communicates with a large number
of others), by creating keys only when actually required;
n to create independence across communications sessions or
applications

Key Establishment characteristics
v nature of the authentication: Any combination of entity authentication,
key authentication, and key confirmation.
v reciprocity of authentication: unilateral or mutual authentication
v key freshness
v key control: key distribution vs. key agreement
v efficiency
n number of message exchanges (passes) required between parties
n bandwidth required by messages (total number of bits transmitted)
n complexity of computations by each party (as it affects execution time)
n possibility of precomputation to reduce on-line computational complexity.
v third party requirements
n requirement of an on-line (real-time), off-line, or no third party
n degree of trust required in a third party
v type of certificate used
v non-repudiation: some type of receipt that keying material has been exchanged

Assumptions and Adversaries
v Attacks
n passive attack: adversary simply records data and analyzes it
n active attack: adversary modifies or injects messages
v What are the attacker’s roles?
n deduce a session key using information gained by eavesdropping;
n participate covertly in protocol initiated by one party, and influence
it by altering messages so as to be able to deduce the key
n initiate one or more protocol executions, and combine messages
from one with another, so as to carry out one of the above attacks
n without being able to deduce the session key, deceive a legitimate
party regarding the identity of the party with which it shares a key
n In entity authentication, adversary’s objective is to arrange that one
party receives messages which satisfy that party that the protocol
has been run successfully with a party other than the adversary.

PFS and Known Key Attacks
v perfect forward secrecy
n compromising long-term keys does not compromise past session keys
n Idea of PFS is that previous traffic is locked securely in the past
n May be provided by generating session keys by DH key
agreement, wherein DH exponentials are based on short-term keys
n If long-term secrets are compromised, future sessions can be
impersonated
v known-key attack
n compromise of past session keys allows either a passive adversary
to compromise future session keys, or impersonation by an active
adversary in the future.
n in some environments, the probability of compromise of session
keys may be greater than that of long-term keys.

Key Transport(Symmetric Key Encryption)

Protocol                        Server   timestamp   messages
point-to-point key update       none     optional    1-3
Shamir’s no-key protocol        none     no          3
Kerberos                        KDC      yes         4
Needham-Schroeder shared-key    KDC      no          5
Otway-Rees                      KDC      no          4
Protocol 13.12                  KTC      no          3

Point-to-Point Key Update
v Key Transport with one pass
n A → B: EK(rA)
n Implicit key authentication
n Additional field
w timestamp, sequence number: freshness
w redundancy: explicit key authentication, message modification attack
w target identifier: prevent undetectable message replay
n Hence A → B: EK(rA, tA, B)
n Mutual authentication: B → A: EK(rB, tB, A), with K = f(rA, rB)
v Key Transport with challenge-response
n B → A: nB : for freshness
n A → B: EK(rA, nA, nB, B)
n B → A: EK(rB, nB, nA, A)
n Cannot provide PFS

Point-to-Point Key Update
v Authenticated Key Exchange Protocol 2 (AKEP2)
n A → B: rA
n B → A: (B, A, rA, rB), hK(B, A, rA, rB)
n A → B: (A, rB), hK(A, rB)
n W = h’K’(rB)
v AKEP1
n B → A: (B, A, rA, rB, (r, W ⊕ h’K’(r))), hK(B, A, rA, rB, (r, W ⊕ h’K’(r)))
n Optimization: r = rB
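
The AKEP2 exchange above as a runnable sketch. This is an added example, not code from the original slides: HMAC-SHA256 stands in for both hK and h’K’, and the `Party` class, the field encoding and the `run` helper are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _enc(*fields: bytes) -> bytes:
    # Length-prefix each field so the MAC input is unambiguous.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def h(K: bytes, *fields: bytes) -> bytes:
    """h_K: MAC under long-term key K (HMAC-SHA256 is this example's choice)."""
    return hmac.new(K, _enc(*fields), hashlib.sha256).digest()

def h_prime(K2: bytes, r: bytes) -> bytes:
    """h'_K': keyed function under the second long-term key K'."""
    return hmac.new(K2, _enc(b"akep2-session", r), hashlib.sha256).digest()

class Party:
    def __init__(self, name: bytes, peer: bytes, K: bytes, K2: bytes):
        self.name, self.peer, self.K, self.K2 = name, peer, K, K2
        self.r = None  # this party's own nonce for the current run

    def msg1(self) -> bytes:  # A -> B: rA
        self.r = secrets.token_bytes(16)
        return self.r

    def msg2(self, rA: bytes):  # B -> A: (B, A, rA, rB), hK(B, A, rA, rB)
        self.r = secrets.token_bytes(16)
        fields = (self.name, self.peer, rA, self.r)
        return fields, h(self.K, *fields)

    def msg3(self, msg2):  # A checks (2), then A -> B: (A, rB), hK(A, rB)
        (B, A, rA, rB), tag = msg2
        if (B, A, rA) != (self.peer, self.name, self.r):
            return None, None  # wrong identities or stale nonce
        if not hmac.compare_digest(tag, h(self.K, B, A, rA, rB)):
            return None, None  # message was modified or not produced with K
        return ((self.name, rB), h(self.K, self.name, rB)), h_prime(self.K2, rB)

    def finish(self, msg3):  # B checks (3) and derives W = h'K'(rB)
        (A, rB), tag = msg3
        if (A, rB) != (self.peer, self.r):
            return None
        if not hmac.compare_digest(tag, h(self.K, A, rB)):
            return None
        return h_prime(self.K2, rB)

def run(tamper: bool = False):
    """Return (W at A, W at B), or None if a check fails."""
    K, K2 = secrets.token_bytes(32), secrets.token_bytes(32)
    a, b = Party(b"A", b"B", K, K2), Party(b"B", b"A", K, K2)
    m2 = b.msg2(a.msg1())
    if tamper:  # constructed fault: rB altered in transit, tag left unchanged
        (B, A, rA, rB), tag = m2
        m2 = ((B, A, rA, bytes(x ^ 1 for x in rB)), tag)
    m3, w_a = a.msg3(m2)
    if m3 is None:
        return None
    w_b = b.finish(m3)
    return None if w_b is None else (w_a, w_b)
```

The session key W never crosses the wire; only the nonces and MAC tags do, which is why a modified rB is caught before any key is accepted.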

Shamir’s no key algorithm
v Protocol
n A → B: K^a mod p
n B → A: (K^a)^b mod p
n A → B: (K^ab)^(a^-1) mod p
v Property
n Provide key transport
n No a priori information is required
n The cipher need not be modular exponentiation, but it cannot be the one-time pad
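
A runnable sketch of the three passes, plus the reason the one-time pad is excluded. This is an added example, not part of the original slides; the prime 2^127 − 1 and the function names are choices made here for illustration.

```python
import secrets
from math import gcd

P = 2**127 - 1  # a Mersenne prime, chosen only to keep the example short

def secret_exponent(p: int = P):
    """Pick e coprime to p-1 and return (e, e^-1 mod p-1)."""
    while True:
        e = secrets.randbelow(p - 3) + 2  # 2 .. p-2
        if gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def no_key_transport(K: int, p: int = P):
    """Run the three passes; return the wire messages and the key B recovers."""
    if not 1 <= K < p:
        raise ValueError("K must lie in 1..p-1")
    a, a_inv = secret_exponent(p)   # A's secret, never sent
    b, b_inv = secret_exponent(p)   # B's secret, never sent
    m1 = pow(K, a, p)               # A -> B: K^a mod p
    m2 = pow(m1, b, p)              # B -> A: (K^a)^b mod p
    m3 = pow(m2, a_inv, p)          # A -> B: (K^ab)^(a^-1) = K^b mod p
    recovered = pow(m3, b_inv, p)   # B strips its own exponent
    return (m1, m2, m3), recovered

def xor_variant_leak(K: int, bits: int = 128) -> int:
    """Same three passes with XOR (one-time pad) as the commutative cipher.

    Returns what a passive observer obtains by XORing the three messages:
    (K^a) ^ (K^a^b) ^ (K^b) collapses to K.
    """
    a, b = secrets.randbits(bits), secrets.randbits(bits)
    m1 = K ^ a
    m2 = m1 ^ b
    m3 = m2 ^ a
    return m1 ^ m2 ^ m3
```

With modular exponentiation the observer faces a discrete-log problem; with XOR the three ciphertexts alone reveal the key.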

Kerberos
v Basic
n A, B, a trusted server share long-term pairwise secret keys a priori
n Server either plays the role of KDC and itself supplies the session
key, or serves as a key translation center (KTC)
n A and B share no secret, while T shares a secret with each
n Goal: for B to verify A’s identity, establishment of a shared key
v Description
n A requests from T credentials to allow it to authenticate itself to B
n T plays the role of a KDC, returning to A a session key encrypted
for A and a ticket encrypted for B
n The ticket contains the session key and A’s identity
w authentication of A to B when accompanied by appropriate message
created by A containing a timestamp encrypted under that session key

Kerberos (cnt.)
v Protocol
n A → T: A, B, NA (NA: freshness)
n T → A: EKBT(k, A, L), EKAT(k, NA, L, B) (L: lifetime)
n A → B: EKBT(k, A, L), Ek(A, TA, Asubkey)
n B → A: Ek(TA, Bsubkey) (message (4) is optional, for mutual authentication)
v Properties
n Since timestamps are used, the hosts on which this protocol runs must
provide both secure and synchronized clocks
n If initial shared keys are password-derived, protocol is no more secure than
secrecy of such password or their resistance to password-guessing attack
n Asubkey and Bsubkey allow transfer of a key from A to B
n Lifetime is intended to allow A to re-use the ticket
w A creates new authenticator with new timestamp and same session key k

Needham-Schroeder
v important primarily for historical reasons
v Protocol
n A → T: A, B, NA
n T → A: EKAT(NA, B, k, EKBT(k, A))
n A → B: EKBT(k, A)
n B → A: Ek(NB)
n A → B: Ek(NB-1)
v Properties
n The protocol provides A and B with a shared key k with key authentication
n (4) and (5) provide entity authentication of A to B. B to A can be obtained
using redundancy check on NB upon decrypting message (4).
n If acceptable for A to re-use key k with B, A may securely cache (3) with k
w To prevent replay of (4), Ek(NA’) should be appended to message (3), and (4)
should be replaced by Ek(NA’ − 1, NB) allowing A to verify B’s knowledge of k

Needham-Schroeder vs. Kerberos
v Kerberos lifetime parameter is not present
v (3) (corresponds to Kerberos ticket) is double-encrypted
v authentication here employs nonce rather than timestamp
v since B has no way of knowing if k is fresh, should k ever
be compromised, any party knowing it may both resend
message (3) and compute a correct message (5) to
impersonate A to B
n This situation is ameliorated in Kerberos by the lifetime parameter
which limits exposure to a fixed time interval.

Otway-Rees protocol
v Protocol
n A → B: M, A, B, EKAT(M, A, B, NA) (M: another nonce)
n B → T: M, A, B, EKAT(M, A, B, NA), EKBT(M, A, B, NB)
n T → B: EKAT(k, NA), EKBT(k, NB)
n B → A: EKAT(k, NA)
v Properties
n Only 4 rounds
n NA could be eliminated in (1), (2), and replaced by M in (3), (4)
n Could provide key confirmation and entity authentication (5 round)
w B → A: EKAT(k, NA), Ek(NA, NB)
w A → B: Ek(NB)

Key Agreement(Symmetric key encryption)
v KDS is said to be j-secure if coalition of j or fewer users
can do no better at computing the key shared by two than
a party which guesses key without any pieces whatsoever
v Blom KDS bound: In any j-secure KDS(m-bit session key),
secret data by each user must be at least m(j + 1) bits
v Blom’s scheme
n engineered to provide unconditional security against coalitions of a
specified maximum size
n initial keying material assigned to each user (row of S, correspond
to k keys) allows computation of larger number of derived keys (a
row of K, providing n keys), one per each other user
n Storage savings results from choosing k less than n
n derived keys of different user pairs are not statistically independent

Key Agreement(Symmetric key encryption)
v Blom’s scheme
n Summary: each user is given initial secret keying material and public data
n Result: each pair of users Ui, Uj computes m-bit pairwise secret key Kij
1. k × n public generator matrix G of an (n, k) MDS code over Fq of order q
2. trusted party T creates a random secret k × k symmetric matrix D over Fq
3. T gives to Ui secret key Si, defined as row i of the n × k matrix S = (DG)^T
n Si: k-tuple over Fq of k lg(q) bits, allowing Ui to compute any entry in row i of (DG)^T G
4. Ui and Uj compute common secret Kij = Kji of bitlength m = lg(q) as follows
n Using Si and column j of G, Ui computes the (i, j) entry of K = (DG)^T G.
n Using Sj and column i of G, Uj similarly computes the (j, i) entry (K is symmetric)

v Do not explain in detail

Key Transport based on PKC

Protocol                         signatures required   entity authentication   # messages
basic PK encryption (1-pass)     no                    no                      1
Needham-Schroeder PK             no                    mutual                  3
encrypting signed keys           yes                   data origin only        1
separate signing, encrypting     yes                   data origin only        1
signing encrypted keys           yes                   data origin only        1
X.509 (2-pass) – timestamps      yes                   mutual                  2
X.509 (3-pass) – random #’s      yes                   mutual                  3
Beller-Yacobi (4-pass)           yes                   mutual                  4
Beller-Yacobi (2-pass)           yes                   unilateral              2

Key Transport using PKC without signature
v Needham-Schroeder
n Algorithm
w A → B: PB(k1, A)
w B → A: PA(k2, B)
w A → B: PB(k2)
n Properties
w Mutual authentication, mutual key transport
v Modified NS
n Algorithm
w A → B: PB(k1, A, r1)
w B → A: PA(k2, r1, r2)
w A → B: r2
n Removing third encryption

Combining PK encryption and signature
v Encrypting signed keys
n A → B: PB(k, tA, SA(B, k, tA))
n Problem: Data for encryption is too large
v Encrypting and signing separately
n A → B: PB(k, tA), SA(B, k, tA)
n Acceptable only if no information regarding plaintext data can be
deduced from the signature
v Signing encrypted keys
n A → B: tA, PB(A, k), SA(B, tA, PB(A, k))
n Prevent the above problem
n Can provide mutual authentication

Combining PK and signature (cnt.)
v Assurances of X.509 strong authentication
n identity of A, and that the token received by B was constructed by A
n the token received by B was specifically intended for B;
n the token received by B has “freshness”
n the mutual secrecy of the transferred key.
v X.509 strong authentication
n DA=(tA, rA, B, data1, PB(k1)), DB=(tB, rB, A, rA, data2, PA(k2)),
n A → B: certA, DA, SA(DA)
n B → A: certB, DB, SB(DB)
v Comments
n Since protocol does not specify inclusion of an identifier within the
scope of the encryption PB within DA, one cannot guarantee that the
signing party actually knows (or was the source of) plaintext key

Hybrid Key Transport using PKE
v Beller-Yacobi (4 pass)
n Properties
w mutual authentication, explicit key authentication
w for applications where there is imbalance in processing power
w identity of the weaker remains concealed from eavesdroppers
n Algorithm
w B→ A : certB = (IB, nB, GB) : certificate generated with RSA
w A→ B : PB(K) = K^3 mod nB
w B→ A : EK(m, {0}^t) : Encryption with symmetric key encryption
w A→ B : EK((v, w), certA) : DSA signature with precomputation
n Comment
w To achieve mutual authentication, each party must carry out at least one
private-key operation, and one or two public-key operations
w careful selection of two separate public-key schemes
w RSA public operation and ElGamal private-key operation are cheap

Hybrid Key Transport using PKE (cnt.)
v Beller-Yacobi (2 pass)
n Algorithm
A                                     B
precompute x, v = g^x mod nS          select random challenge m
verify certB via PT(GB)          ←    send m, certB
compute (v, w) = SA(m, IB)            certB = (IB, nB, GB)
send PB(v), Ev(certA, w)         →    recover v, set K = v
certA = (IA, uA, GA)                  verify certA, signature (v, w)
n Properties: slightly weaker authentication assurances
w B obtains entity authentication of A and obtains a key K that A alone
knows, while A has key authentication with respect to B
w For A to obtain explicit key authentication of B, a third message may be
added whereby B exhibits knowledge through use of K on a challenge
or standard message (e.g., {0}^t)

Key Agreement (Asymmetric technique)

Protocol                key authentication   entity authentication   # messages
Diffie-Hellman          none                 none                    2
ElGamal key agreement   unilateral           none                    1
MTI/A0                  mutual-implicit      none                    2
Gunther                 mutual-implicit      none                    2
STS                     mutual-implicit      mutual                  3

Diffie-Hellman and ElGamal
v Diffie-Hellman
n Setup: prime p, generator g of Zp*
n A → B : g^x mod p
n B → A : g^y mod p
n Properties
w fixed exponent: zero-pass key agreement with special certificates
w Zp*, F2^m
w Signature is required
v ElGamal
n A → B : g^x mod p
n no entity authentication or key confirmation

MTI/A0
v Protocol
n A → B : g^x mod p
n B → A : g^y mod p
n A: k = (g^y)^a · PKb^x = g^ya · g^bx = g^(ya+bx)
n B: k = (g^x)^b · PKa^y
n source-substitution attack: C is not actually able to compute k itself,
but rather causes B to have false beliefs.
w C registers A’s public key as its own
w When A sends its message to B, C replaces A’s certificate with its own
w C forwards B’s response g^y to A
w B concludes that subsequently received messages encrypted by k =
g^(bx+ay) originated from C, whereas it is only A who knows k and can
originate such messages

STS
v Algorithm
n A → B : g^x mod p
n B → A : g^y mod p, Ek(SB(g^y, g^x))
n A → B : Ek(SA(g^x, g^y))
v Properties
n Encryption under key k provides mutual key confirmation plus
allows the conclusion that the party knowing the key is that which
signed the exponentials.

Gunther’s implicitly-certified ID-based PK
v Algorithm
n SUMMARY: TTP creates an implicitly-certified, publicly-recoverable DH
PK for A, and transfers to A the corresponding private key.
1. TTP selects p and generator g of Zp*, a random integer t with gcd(t, p − 1) = 1 as its
private key, and publishes its public key u = g^t mod p
2. TTP assigns to each A a DN IA and a random integer kA with gcd(kA, p − 1) = 1,
then computes PA = g^kA mod p
n PA is A’s reconstruction public data, allowing other parties to compute PA^a below.
n The gcd condition ensures that PA itself is a generator
3. T solves the following equation for a
n h(IA) = t·PA + kA·a (mod p − 1)
4. T securely transmits to A the pair (r, s) = (PA, a) (ElGamal signature on IA)
5. Any other party can then reconstruct A’s public key PA^a (= g^(kA·a)) by
computing PA^a = g^h(IA) · u^(−PA) mod p

DH with Implicitly-certified keys
v Algorithm
n A → B : IA, PA
n B → A : IB, PB, (PA)^y mod p
n A → B : (PB)^x mod p
v Properties
n Subject to known key attacks
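
Gunther’s key issuance and public-key reconstruction, followed by the three-message agreement above. This is an added example, not part of the original slides: the toy parameters p = 2579, g = 2, SHA-256 as h, and all names are constructed for illustration, and the final key formula k = (PA^y)^a · (PB^b)^x is the usual textbook completion of this protocol, which the slide does not spell out.

```python
import hashlib
import secrets
from math import gcd

P, G = 2579, 2  # toy safe prime (2579 = 2*1289 + 1) and generator; far too small for real use

def h(identity: str) -> int:
    """Hash of the distinguished name, reduced mod p-1 (SHA-256 is assumed here)."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % (P - 1)

def unit() -> int:
    """Random integer coprime to p-1."""
    while True:
        v = secrets.randbelow(P - 3) + 2
        if gcd(v, P - 1) == 1:
            return v

class TTP:
    def __init__(self):
        self.t = unit()              # TTP private key
        self.u = pow(G, self.t, P)   # TTP public key u = g^t mod p

    def issue(self, identity: str):
        """Return (PA, a): reconstruction data PA and A's private key a."""
        kA = unit()
        PA = pow(G, kA, P)
        # Solve h(IA) = t*PA + kA*a (mod p-1) for a.
        a = (h(identity) - self.t * PA) * pow(kA, -1, P - 1) % (P - 1)
        return PA, a

def reconstruct(identity: str, PA: int, u: int) -> int:
    """Anyone can compute PA^a = g^h(IA) * u^(-PA) mod p from public data."""
    return pow(G, h(identity), P) * pow(u, -PA, P) % P

def agree(ttp: TTP, idA: str = "alice", idB: str = "bob"):
    """Run the three messages; return the key as computed by A and by B."""
    PA, a = ttp.issue(idA)
    PB, b = ttp.issue(idB)
    x = secrets.randbelow(P - 2) + 1      # A's ephemeral exponent
    y = secrets.randbelow(P - 2) + 1      # B's ephemeral exponent
    msg2 = pow(PA, y, P)                  # B -> A: (PA)^y mod p
    msg3 = pow(PB, x, P)                  # A -> B: (PB)^x mod p
    k_at_A = pow(msg2, a, P) * pow(reconstruct(idB, PB, ttp.u), x, P) % P
    k_at_B = pow(msg3, b, P) * pow(reconstruct(idA, PA, ttp.u), y, P) % P
    return k_at_A, k_at_B
```

The reconstructed public key is bound to the identity string: a party who presents PA under a different name leads the peer to a public key whose private key nobody was issued.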

Secret Sharing
v Motivation
n To safeguard cryptographic keys from loss, desirable to create backup
n The greater number of copies made, the greater risk of security exposure;
the smaller the number, the greater the risk that all are lost
n address this issue by allowing enhanced reliability without increased risk
n facilitate distributed trust or shared control for critical activities by gating the
critical action on cooperation by t of n users.
v Basic idea
n to start with a secret, and divide it into pieces called shares which are
distributed amongst users such that the pooled shares of specific subsets
of users allow reconstruction of the original secret
n may be viewed as a key pre-distribution technique, facilitating one-time key
establishment, wherein the recovered key is pre-determined

Secret Sharing (cnt.)
v Trivial (n, n) scheme
n S = Σ Si
n Shouldn’t split r bit key into r/t pieces
v Threshold schemes
n Def: A (t, n) threshold scheme (t ≤ n) is a method by which
w a trusted party computes secret shares Si, 1 ≤ i ≤ n from an initial secret
S and securely distributes Si to user Pi such that the following is true:
w any t or more users who pool their shares may easily recover S
w but any group knowing only t − 1 or fewer shares may not

Secret Sharing (cnt.)
v Shamir’s threshold scheme
n based on polynomial interpolation, and the fact that a uni-variate polynomial
y = f(x) of degree t − 1 is uniquely defined by t points (xi, yi)
n since these define t linearly independent equations in t unknowns
n Algorithm
w Setup: T begins with a secret integer S it wishes to distribute among n
users.
n T chooses a prime p > max(S, n), and defines a0 = S, selects t − 1
random coefficients a1, …, a(t−1) defining the polynomial over Zp,
f(x) = Σ_{j=0}^{t−1} aj x^j
n T computes Si = f(i) mod p for all i, and securely transfers the share
Si to Pi
w Pooling of shares: Group of t or more users pool shares, which provide
t distinct points allowing computation of aj’s by Lagrange interpolation

Secret Sharing (cnt.)
v Lagrange interpolation
$$f(x) = \sum_{i=1}^{t} y_i \prod_{1 \le j \le t,\ j \ne i} \frac{x - x_j}{x_i - x_j}, \qquad S = \sum_{i=1}^{t} c_i y_i, \quad \text{where } c_i = \prod_{1 \le j \le t,\ j \ne i} \frac{x_j}{x_j - x_i}$$

n f(xs) = ys
v Properties
n perfect: Given knowledge of any t − 1 or fewer shares, all values of the
shared secret remain equally probable
n ideal: The size of one share is the size of the secret
n extendable for new users: New shares (for new users) may be
computed and distributed without affecting shares of existing users.
n varying levels of control possible: Providing a single user with
multiple shares bestows more control upon that individual
n no unproven assumptions
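
Shamir’s (t, n) scheme with recovery by the coefficients ci from the Lagrange formula above. This is an added example, not part of the original slides; the prime 2^127 − 1 and the function names are choices made here for illustration.

```python
import secrets

P = 2**127 - 1  # prime p > max(S, n); a Mersenne prime chosen for brevity

def split(secret: int, t: int, n: int, p: int = P):
    """Trusted party T: return n shares (i, f(i) mod p) of a degree t-1 polynomial."""
    if not (0 <= secret < p and 1 <= t <= n < p):
        raise ValueError("need 0 <= S < p and 1 <= t <= n < p")
    # a0 = S, a1 .. a(t-1) random in Zp
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(t - 1)]

    def f(x: int) -> int:
        acc = 0
        for a in reversed(coeffs):  # Horner evaluation of sum aj * x^j
            acc = (acc * x + a) % p
        return acc

    return [(i, f(i)) for i in range(1, n + 1)]

def recover(shares, p: int = P) -> int:
    """Pool shares: S = sum ci * yi with ci = prod over j != i of xj / (xj - xi)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("shares must come from distinct users")
    secret = 0
    for xi, yi in shares:
        ci = 1
        for xj in xs:
            if xj != xi:
                ci = ci * xj % p * pow((xj - xi) % p, -1, p) % p
        secret = (secret + ci * yi) % p
    return secret
```

Any t shares give the same S; interpolating through only t − 1 of them returns a value that depends on the unknown top coefficient and so tells the group nothing about S.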

Secret Sharing (cnt.)
v detection of cheaters, and verifiable secret sharing. These
schemes respectively address cheating by one or more
group members, and the distributor of the shares
v Proactive secret sharing: secret shares are periodically
updated to provide robustness against intrusion

Conferencing Keying
v A conference keying protocol is a generalization of two-
party key establishment to provide three or more parties
with a shared secret key
v Cliques, BD, TGDH, STR

Attack strategies and classic flaws
v Intruder-in-the-middle
n “man-in-the-middle” attack on unauthenticated DH
v Reflection attack
n Original protocol
1. A → B : rA
2. B → A : Ek(rA, rB)
3. A → B : rB
n Attack
1. A → E : rA
2. E → A : rA : Starting a new session
3. A → E : Ek(rA, rA’) : Reply of (2)
4. E → A : Ek(rA, rA’) : Reply of (1)
5. A → E : rA’
n Can be prevented by using different keys for different sessions

Attack strategies and classic flaws (cnt.)
v Interleaving attacks
n To provide freshness and entity authentication
n Flawed protocol
1. A → B : rA
2. B → A : rB, SB(rB, rA, A)
3. A → B : rA’, SA(rA’, rB, B)
n Attack
1. E→ B : rA
2. B→ E : rB, SB(rB, rA, A)
3. E→ A : rB
4. A→ E : rA’, SA(rA’, rB, B)
5. E→ B : rA’, SA(rA’, rB, B)
n Due to symmetric messages (2), (3)

Analysis methods
v ad hoc and practical analysis (Provide heuristic security)
n convincing arguments that any successful attack requires resource
level greater than the resources of the perceived adversary
n May uncover protocol flaws establishing that a protocol is bad
n Subtle flaws in protocols typically escape ad hoc analysis
v reducibility from hard problems
n proving that any successful protocol attack leads directly to the
ability to solve a well-studied reference problem
n provably secure protocol
n A challenge is to establish that all possible attacks have been
taken into account, and can be equated to solving the identified
reference problems

Analysis methods
v complexity-theoretic analysis
n Model of computation is defined, and adversaries are modeled as
having polynomial power. Security proof relative to the model is
then constructed
n The existence of underlying cryptographic primitives with specified
properties is typically assumed.
n An objective is to design cryptographic protocols which require the
fewest cryptographic primitives, or the weakest assumptions.
n As the analysis is asymptotic, care is required to determine when
proofs have practical significance
n Polynomial attacks which are feasible under such a model may in
practice be computationally infeasible
n Despite these issues, complexity-theoretic analysis is invaluable
for formulating fundamental principles and confirming intuition.

Analysis methods
v information-theoretic analysis
n mathematical proofs involving entropy relationships to prove protocols are
unconditionally secure
n Adversaries are modeled to have unbounded computing resources
n not applicable to most practical schemes for several reasons
w many schemes can at best be computationally secure
w typically involve keys of impractically large size, or can only be used once
v formal methods
n logics of authentication (BAN), term re-writing systems, expert systems,
and other methods combining algebraic and state-transition technique
n utility in finding flaws and redundancies in protocols
n the “proofs” provided are proofs within the specified formal system, and
cannot be interpreted as absolute proofs of security
n Absence of discovered flaws does not imply the absence of flaws
