Key Exchange with Unilateral Authentication: Composable Security Definition and Modular Protocol Design.

Finally, we use our timed extension to the BR model to establish the security of an efficient ISO protocol for key transport and unilateral entity authentication. ... In the timed CK model we concentrate on modular design and analysis of protocols, and propose a more efficient timed authenticator relying on timestamps. ... Acknowledgments The authors would like to thank Alex Dent for proposing and discussing the original ideas that led to this work. ...

doi:10.1007/978-3-642-02384-2_15 fatcat:c3hjqggvi5arppe3k3qsgzprde

key exchange (CAKE) and unilateral CAKE (UCAKE). ... We then present the security definitional framework for higncryption, and a conceptually simple (yet carefully designed) protocol construction. ... But ID-privacy was treated separately from the security definition for authenticated key-exchange or channel establishment. ...

doi:10.1145/2976749.2978350 dblp:conf/ccs/Zhao16 fatcat:pyzgs3ltoncpvkzzldwif3yqjm

We propose a novel framework of authentication and authorization patterns for securing access to services for authorized users only, and we demonstrate how the patterns can be dynamically composed with ... This paper focuses on the incremental means to ensure access to services for authorized users only by composing authentication and authorization patterns and services. ... Messages are generated and exchanged between the parties, at least one message/pass is required for unilateral authentication, and at least two messages/passes are required for mutual authentication. ...

doi:10.4304/jcp.1.8.13-26 fatcat:bwz7bzs4wrguzbpxnf6ekpkpqa

Open Access

simple definitions of security that we introduce, and the key-exchange protocol is secure. ... We consider communication sessions in which a pair of parties begin by running an authenticated key-exchange protocol to obtain a shared session key, and then secure successive data transmissions between ... I also thank Ran Canetti and Hugo Krawczyk for their insights and comments especially regarding the notion of secure channels. ...

doi:10.1007/3-540-36178-2_32 fatcat:sne4vizurvatpjohy2qgxnb33q

We propose a novel framework of authentication and authorization patterns for securing access to services for authorized users only, and we demonstrate how the patterns can be dynamically composed with ... This report focuses on the incremental means to ensure access to services for authorized users only by composing authentication and authorization patterns and services. ... This report has been updated to be consistent with the terminolgy presented in [45] . ...

doi:10.1109/ares.2006.135 dblp:conf/IEEEares/RosseboB06 fatcat:zzhqch4lkbdkhggaihs3x7u534

Browser-based Single Sign-On (SSO) protocols relieve the user from the burden of dealing with multiple credentials thereby improving the user experience and the security. ... We show that the main emerging SSO protocols, namely SAML SSO and OpenID, suffer from an authentication flaw that allows a malicious service provider to hijack a client authentication attempt or force ... We are also grateful to Scott Cantor, Brian Eaton, Matteo Grasso, and the SAP NetWeaver SIM team for the valuable discussions and feedback they provided. ...

doi:10.1016/j.cose.2012.08.007 fatcat:pnjt6mdjfzgnzblcfapvbkezx4

Flaws and insecurities in the original design required the protocol to be fixed repeatedly; the current version is TLS 1.2 [12] . ... Our Contributions We prove the security of (a slightly modified version of) the ephemeral Diffie-Hellman handshake of TLS 1.3 with unilateral authentication, that is, where only the server has a certificate ... Indeed, our difficulties in the analysis encourages constructing protocols that are modular by design and can be analyzed by combining simple modular steps. ...

doi:10.1007/978-3-319-26617-6_5 fatcat:qy32ftanvrchllc74m72v7mkre

Recently, Chen and Deng (2009) proposed an interesting new mutual authentication protocol. ... The authors claimed that the proposed protocol is secure against all classical attacks against RFID systems, and that it has better security and performance than its predecessors. ... In 2009, a new mutual authentication protocol was proposed by Chen and Deng that claimed to offer better security margins. ...

doi:10.1016/j.engappai.2011.04.001 fatcat:n5nxu5g665gydfa4pem6cqpwzy

A security concern regarding the authentication protocols is that of the malicious verifiers. ... More specifically, the minimum number of passes for a zero-knowledge proof with negligible soundness error is shown to be 3 [1] (and 4 if the simulation is black-box), while our protocol has only 5 passes ... Next, we define what it means for a protocol to be a secure authentication protocol. Definition 1 (Secure Authentication Protocol). ...

doi:10.1080/00207160.2015.1011629 fatcat:zr7akbtr5vbonkd6yw33j3p3di

A KEM can be viewed as a key-exchange protocol in which only a single message is transmitted; the main application is in combination with symmetric encryption to achieve public-key encryption of messages ... This resource can be used in designing and proving higher-level protocols; the composition theorem guarantees the security of the combined protocol without the need for a specific reduction. ... Hence, the approach supports a fully modular protocol design where each cryptographic mechanism is proven in isolation to achieve one construction step, and multiple such steps are composed by the general ...

doi:10.1007/978-3-642-42001-6_16 fatcat:jtdoh6gqf5ca7nt73m2monsryu

We show that, since our multi-stage key exchange security notion is composable with arbitrary symmetric-key protocols, the use of session keys in the record layer protocol is safe. ... Let KE be a multi-stage key exchange protocol. Let Π be a secure symmetric-key protocol w.r.t. some game G Π with a key generation algorithm that outputs keys with distribution D. ... Benjamin Dowling and Douglas Stebila are supported by Australian Research Council (ARC) Discovery Project grant DP130104304. ...

doi:10.1145/2810103.2813653 dblp:conf/ccs/DowlingFGS15 fatcat:wc535ehl5rh2vp7jdlruqb5ire

Third, we propose a provably-secure alternative to soon-to-be-standardized mcTLS: a generic and modular protocol-design that carefully composes generic secure channel-establishment protocols, which we ... Finally, we present a proof-of-concept implementation of our design, instantiated with unmodified TLS 1.3 draft 23, and evaluate its overheads. ... We presented our modular, ACCE-AP-secure design called Π for 1 middlebox, in an abstract manner, using generic authenticated key-exchange protocols. ...

doi:10.1109/sp.2018.00021 dblp:conf/sp/BhargavanBDFO18 fatcat:hml3dbswn5g4fpoi46eidiqsh4

First, we introduce a multi-level&stage security model, an adaptation of the Bellare-Rogaway authenticated key exchange model, covering all kinds of compositional interactions between different TLS handshake ... The Transport Layer Security (TLS) protocol is by far the most widely deployed protocol for securing communications and the Internet Engineering Task Force (IETF) is currently developing TLS 1.3 as the ... Compositional Security In [22] and [19] , the authors present a compositional framework for Multi-Stage-secure key exchange protocols such that QUIC and TLS 1.3 full handshake can be securely composed ...

doi:10.1109/sp.2016.36 dblp:conf/sp/LiXZFH16 fatcat:zmdchlwumbc6zlk3piug4chwji

Our work also shows that by replacing the RSA-PSS scheme with a tightly secure scheme (e.g., in a future TLS version), one can obtain the first fully tightly secure TLS protocol. ... Our results enable a theoretically sound selection of parameters for TLS 1.3, even in large-scale settings with many users and sessions per user. ... Funding Open Access funding enabled and organized by Projekt DEAL. ...

doi:10.1007/s00145-021-09388-x fatcat:vhz6kgeejfd7tgfvbowgjbrfne

Open Access

Based on our new agile definitions, we construct a modular proof of security for the miTLS reference implementation of the handshake, including ciphersuite negotiation, key exchange, renegotiation, and ... We present our main definitions, constructions, and proofs for an abstract model of the protocol, featuring series of related runs of the handshake with different ciphersuites. ... Our definition also provides (some) security for anonymous connections, which can be composed with other authentication mechanisms to achieve application security. ...

doi:10.1007/978-3-662-44381-1_14 fatcat:pvdbzqnzurc6xdz5i65wzspb34

Security Analysis of Standard Authentication and Key Agreement Protocols Utilising Timestamps [chapter]

Preserved Fulltext

Identity-Concealed Authenticated Encryption and Key Exchange

Preserved Fulltext

A Policy-driven Approach to Dynamic Composition of Authentication and Authorization Patterns and Services

Preserved Fulltext

Secure Channels Based on Authenticated Encryption Schemes: A Simple Characterization [chapter]

Preserved Fulltext

Towards a framework of authentication and authorization patterns for ensuring availability in service composition

Preserved Fulltext

An authentication flaw in browser-based Single Sign-On protocols: Impact and remediations

Preserved Fulltext

(De-)Constructing TLS 1.3 [chapter]

Preserved Fulltext

Cryptanalysis of an EPC Class-1 Generation-2 standard compliant authentication protocol

Preserved Fulltext

An efficient statistical zero-knowledge authentication protocol for smart cards

Preserved Fulltext

A Constructive Perspective on Key Encapsulation [chapter]

Preserved Fulltext

A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates

Preserved Fulltext

A Formal Treatment of Accountable Proxying Over TLS

Preserved Fulltext

Multiple Handshakes Security of TLS 1.3 Candidates

Preserved Fulltext

On the Tight Security of TLS 1.3: Theoretically Sound Cryptographic Parameters for Real-World Deployments

Preserved Fulltext

Proving the TLS Handshake Secure (As It Is) [chapter]

Preserved Fulltext