Harry Halpin

Introduction to Security and Privacy on the Blockchain

The blockchain has fueled one of the most enthusiastic bursts of activity in applied cryptography in years, but outstanding problems in security and privacy research must be solved for blockchain technologies to go beyond the hype and reach their full potential. At the first IEEE Privacy and Security on the Blockchain Workshop (IEEE S&B), we presented peer-reviewed papers bringing together academia and industry to analyze problems ranging from deploying newer cryptographic primitives on Bitcoin to enabling usecases like privacy-preserving file storage. We overview not only the larger problems the workshop has set out to tackle, but also outstanding unsolved issues that will require further cooperation between academia and the blockchain community.

End-to-End Encrypted Messaging Protocols: An Overview

This paper aims at giving an overview of the different core protocols used for decentralized chat and email-oriented services. This work is part of a survey of 30 projects focused on decentralized and/or end-to-end encrypted internet messaging, currently conducted in the early stages of the H2020 CAPS project NEXTLEAP.

UnlimitID: Privacy-Preserving Federated Identity Management using Algebraic MACs

UnlimitID is a method for enhancing the privacy of commodity OAuth and applications such as OpenID Connect, using anonymous attribute-based credentials based on algebraic Message Authentication Codes (aMACs). OAuth is one of the most widely used protocols on the Web, but it exposes each of the requests of a user for data by each relying party (RP) to the identity provider (IdP). Our approach allows for the creation of multiple persistent and unlinkable pseudo-identities and requires no change in the deployed code of relying parties, only in identity providers and the client.

Security Analysis of the W3C Web Cryptography API

Due to the success of formal modeling of protocols such as TLS, there is a revival of interest in applying formal modeling to standardized APIs. We argue that formal modeling should happen as the standard is being developed (not afterwards) as it can detect complex or even simple attacks that the standardization group may not otherwise detect. As a case example of this, we discuss in detail the W3C Web Cryptography API. We demonstrate how a formal analysis of the API using the modeling language AVISPA with a SAT solver demonstrates that while the API has no errors in basic API operations and maintains its security properties for the most part, there are nonetheless attacks on secret key material due to how key wrapping and usages are implemented. Furthermore, there were a number of basic problems in terms of algorithm selection and a weakness that led to a padding attack. The results of this study led to the removal of algorithms before its completed standardization and the removal of the padding attack via normalization of error codes, although the key wrapping attack is still open. We expect this sort of formal methodology to be applied to new standardization efforts at the W3C such as the W3C Web Authentication API.

Systematizing Decentralization and Privacy: Lessons from 15 Years of Research and Deployments

Abstract Decentralized systems are a subset of distributed systems where multiple authorities control different components and no authority is fully trusted by all. This implies that any component in a decentralized system is potentially adversarial. We revise fifteen years of research on decentralization and privacy, and provide an overview of key systems, as well as key insights for designers of future systems. We show that decentralized designs can enhance privacy, integrity, and availability but also require careful trade-offs in terms of system complexity, properties provided, and degree of decentralization. These trade-offs need to be understood and navigated by designers. We argue that a combination of insights from cryptography, distributed systems, and mechanism design, aligned with the development of adequate incentives, are necessary to build scalable and successful privacy-preserving decentralized systems.

A Roadmap for High Assurance Cryptography

Although an active area of research for years, formal verification has still not yet reached widespread deployment. We outline the steps needed to move from low-assurance cryptography, as given by libraries such as OpenSSL, to high assurance cryptography in deployment. In detail, we outline the need for a suite of high-assurance cryptographic software with per-microarchitecture optimizations that maintain competitive speeds with existing hand-optimized assembly and the bundling of these cryptographic primitives in a new API that prevents common developer mistakes. A new unified API with both formally verified primitives and an easy-to-use interface is needed to replace OpenSSL in future security-critical applications.

The Crisis of Standardizing DRM: The Case of W3C Encrypted Media Extensions

The process of standardizing DRM via the W3C Encrypted Media Extensions (EME) Recommendation has caused a crisis for W3C and potentially other open standards organizations. While open standards bodies are considered by definition to be open to input from the wider security research community, EME led civil society and security researchers asking for greater protections to be positioned actively against the W3C. This analysis covers both the procedural issues in open standards at the W3C that both allowed EME to be standardized as well as for vigorous opposition by civil society. The claims of both sides are tested via technical analysis and quantitative analysis of participation in the Working Group. We include recommendations for future standards that touch upon some of the same issues as EME.

LEAP: A Next-Generation Client VPN and Encrypted Email Provider

As demonstrated by the revelations of Edward Snowden on the extent of pervasive surveillance, one pressing danger is in the vast predominance of unencrypted messages, due to the influence of the centralizing silos such as Microsoft, Facebook, and Google. We present the threat model and architectural design of the LEAP platform and client applications, which currently provisions opportunistic email encryption combined with a VPN tunnel and cross-device synchronization.

Formal verification of the W3C web authentication protocol

The science of security can be set on firm foundations via the formal verification of protocols. New protocols can have their design validated in a mechanized manner for security flaws, allowing protocol designs to be scientifically compared in a neutral manner. Given that these techniques have discovered critical flaws in protocols such as TLS 1.2 and are now being used to re-design protocols such as TLS 1.3, we demonstrate how formal verification can be used to analyze new protocols such as the W3C Web Authentication API. We model W3C Web Authentication with the formal verification language ProVerif, showing that the protocol itself is secure. However, we also stretch the boundaries of formal verification by trying to verify the privacy properties of W3C Web Authentication given in terms of the same origin policy. We use ProVerif to show that without further mandatory requirements in the specification, the claimed privacy properties do not hold. Next steps on how formal verification can be further integrated into standards and the further development of the privacy properties of W3C Web Authentication is outlined.

NEXTLEAP: Decentralizing Identity with Privacy for Secure Messaging

Identity systems today link users to all of their actions and serve as centralized points of control and data collection. NEXTLEAP proposes an alternative decentralized and privacy-enhanced architecture. First, NEXTLEAP is building privacy-enhanced federated identity systems, using blind signatures based on Algebraic MACs to improve OpenID Connect. Second, secure messaging applications ranging from Signal to WhatsApp may deliver the content in an encrypted form, but they do not protect the metadata of the message and they rely on centralized servers. The EC Project NEXTLEAP is focussed on fixing these two problems by decentralizing traditional identities onto a privacy-enhanced based blockchain that can then be used to build access control lists in a decentralized manner, similar to SDSI. Furthermore, we improve on secure messaging by then using this notion of decentralized identity to build in group messaging, allowing messaging between different servers. NEXTLEAP is also working with the PANORAMIX EC project to use a generic mix networking infrastructure to hide the metadata of the messages themselves and plans to add privacy-enhanced data analytics that work in a decentralized manner.