Ibrahim Hajjeh
Télécom ParisTech
Publication
Featured research published by Ibrahim Hajjeh.
IEEE Computer | 2006
Mohamad Badra; Ibrahim Hajjeh
Transport Layer Security standard provides connection security with peer entity authentication, data confidentiality and integrity, key generation and distribution, and security parameters negotiation. Its native integration in browsers and Web servers makes TLS the most frequently deployed security protocol. The TLS specifications use public-key certificates for mutual authentication and key establishment. We extend the TLS protocol with a new authentication scheme based on an out-of-band shared secret. Our extension, the TLS key-exchange method (KEM), ensures an end-to-end authenticated session-key exchange and allows identity protection, perfect forward secrecy (PFS), and anonymity. Furthermore, it reduces message flow and thus bandwidth on both wired and wireless networks.
global communications conference | 2003
Ibrahim Hajjeh; Ahmed Serhrouchni; Frédérique Tastet
The SSL/TLS protocol is without any doubt the most widely used security protocol. It nevertheless presents some limitations regarding the weakness of the handshake protocol and the absence of an authorization mechanism. In this paper, we give a new dimension to SSL/TLS by integrating the Internet security association and key management protocol (ISAKMP) in its session establishment phase. ISAKMP defines a framework for security association management and cryptographic key establishment for the Internet. This protocol opens a new perspective for secure sessions for all network layers. We then define an SSL/TLS security domain of interpretation (TLS DOI) which instantiates ISAKMP for use with SSL/TLS. This makes it possible to extend the work of SSL/TLS to support new services.
Pervasive and Mobile Computing | 2007
Mohamad Badra; Pascal Urien; Ibrahim Hajjeh
The great promise of wireless LAN will never be realized unless it has an appropriate security level. From this point of view, various research efforts have proposed many security protocols for wireless LAN, in order to handle WLAN security problems which are mostly due to the lack of physical protection in WLAN or to the transmission on the radio link. In this paper, we propose a security protocol named FFTLS (flexible and fast transport layer security), an EAP authentication method that enables secure communication between a client and an authentication server in a powerful and flexible way. Unlike existing EAP authentication methods, the FFTLS protocol has the ability to combine shared secrets and certificate-based infrastructures and to natively ensure additional security services such as identity protection, non-repudiation and perfect forward secrecy. Moreover, it efficiently optimizes the computational time and the message flows needed to open secure sessions for both clients and authentication servers.
wireless and mobile computing, networking and communications | 2006
Mohamad Badra; Ibrahim Hajjeh
Virtual private network (VPN) technology allows users to remotely access their enterprise networks through a public network such as the Internet. To accomplish secure remote access to private networks, many security protocols including transport layer security (TLS) have been introduced. TLS is an IETF standard allowing secure channels between two applications conversing over the Internet as well as over wireless networks. However, using TLS with VPN is limited to web-based applications due to the fact that TLS cannot multiplex application data over a single TLS session. Therefore, current TLS-based VPN solutions use multiplexing with HTTP encapsulation and they are consequently limited to applications running over reliable transport protocols such as TCP. Hence, streaming and sensitive data (voice and video) will not be able to run properly with existing VPN solutions, since exchanging streaming data over reliable transport protocols reduces application performance. In this paper, we extend TLS with a new extension providing application multiplexing/demultiplexing through a single TLS session. The extension is backward-compatible with existing TLS implementations and it is designed to be deployed over reliable transport protocols using TLS as well as over unreliable transport protocols using datagram TLS (DTLS).
vehicular technology conference | 2005
Ibrahim Hajjeh; Mohamad Badra; Ahmed Serhrouchni
Many security mechanisms and protocols have been developed to handle security problems in various circumstances. However, these solutions based on traditional security services could not answer special application needs. In this paper, we propose to free ourselves from the drawbacks of current data exchange security protocols to build a new secure and flexible security protocol. We present a new approach named secure and extensible protocol (SEP) that incorporates the recent evolutions of data exchange security protocols in a powerful and flexible way. This protocol enables, among others, client identity protection, end-to-end security through the presence of an intermediate authority, and access control. We also propose a formal validation of our protocol with the EVA language using Hermes, its automatic validation tool.
mathematical methods models and architectures for network security systems | 2005
Jacques Demerjian; Ibrahim Hajjeh; Mohamad Badra; Salim Ferraz
This paper examines the use of NAT with IPsec as a transparent security mechanism. It discusses the security needs and solutions that define how to combine IPsec and NAT. Because of the inherent limitations of currently proposed solutions, this paper proposes an end-to-end security architecture using IPsec in the NAT/DHCP environment, with a formal validation of the proposed architecture using an automatic protocol analyser called Hermes. This paper builds upon previously published work.
Archive | 2007
Mohamad Badra; Ibrahim Hajjeh; Jacques Demerjian
TLS (Transport Layer Security) defines several ciphersuites providing authentication, data protection and session key exchange between two communicating entities. Some of these ciphersuites are used for completely anonymous key exchange, in which neither party is authenticated. However, they are vulnerable to man-in-the-middle attacks and are therefore deprecated. This article defines a set of ciphersuites to add client credential protection to the TLS protocol. This protection is essential in wireless infrastructures, in which it guarantees users' privacy and makes exchanges untraceable to eavesdroppers. We compare our proposition in terms of performance and cost to an ordinary TLS session.
Annales Des Télécommunications | 2006
Ahmed Serhrouchni; Ibrahim Hajjeh
Résumé (translated from French): The SSL/TLS protocol is the most widely deployed security protocol, owing in large part to its integration into most Web browsers and servers. It secures Internet transactions end to end by providing the following services: authentication of the parties involved, confidentiality and integrity control of the data, and protection against replay. SSL/TLS lacks a non-repudiation service to cover the needs of transactions, especially commercial ones. This service is based essentially on signatures and on an architectural component for archiving and for the trusted third party. In this article, we therefore propose a method for optionally providing the non-repudiation service through the SSL/TLS protocol. This approach allows the two SSL/TLS entities to generate evidence that a transaction took place between them, as well as evidence about the content of the data exchanged. The proposal allows a clear separation between the provision of the non-repudiation service and the design and development of applications.
Abstract: SSL/TLS is currently the most deployed security protocol on the Internet. SSL/TLS provides end-to-end secure communications between two entities with authentication and data protection. However, what is missing from the protocol is a way to provide the non-repudiation service. In this paper, we describe a generic implementation of the non-repudiation service as an optional module in the SSL/TLS protocol. This approach provides both parties with evidence that the transaction has taken place and a clear separation with application design and development. We discuss the motivation for our approach and our proposed architecture.
RFC | 2009
Mohamad Badra; Ibrahim Hajjeh
Web Technologies, Applications, and Services | 2005
Jacques Demerjian; Ibrahim Hajjeh; Ahmed Serhrouchni; Mohamad Badra