Publication


Featured research published by Jiangshan Yu.


IEEE Transactions on Industrial Informatics | 2013

Security Analysis of a Single Sign-On Mechanism for Distributed Computer Networks

Guilin Wang; Jiangshan Yu; Qi Xie

Single sign-on (SSO) is a new authentication mechanism that enables a legal user with a single credential to be authenticated by multiple service providers in a distributed computer network. Recently, Chang and Lee proposed a new SSO scheme and claimed its security by providing well-organized security arguments. In this paper, however, we demonstrate that their scheme is actually insecure as it fails to meet credential privacy and soundness of authentication. Specifically, we present two impersonation attacks. The first attack allows a malicious service provider, who has successfully communicated with a legal user twice, to recover the user's credential and then to impersonate the user to access resources and services offered by other service providers. In another attack, an outsider without any credential may be able to enjoy network services freely by impersonating any legal user or a nonexistent user. We identify the flaws in their security arguments to explain why attacks are possible against their SSO scheme. Our attacks also apply to another SSO scheme proposed by Hsu and Chuang, which inspired the design of the Chang-Lee scheme. Moreover, by employing an efficient verifiable encryption of RSA signatures proposed by Ateniese, we propose an improvement for repairing the Chang-Lee scheme. We promote the formal study of the soundness of authentication as one open problem.


IEEE Transactions on Information Forensics and Security | 2014

An Efficient Generic Framework for Three-Factor Authentication With Provably Secure Instantiation

Jiangshan Yu; Guilin Wang; Yi Mu; Wei Gao

Remote authentication has been widely studied and adapted in distributed systems. The security of remote authentication mechanisms mostly relies on one of or the combination of three factors: 1) something users know (a password); 2) something users have (a smart card); and 3) something users are (biometric characteristics). This paper introduces an efficient generic framework for three-factor authentication. The proposed generic framework enhances the security of existing two-factor authentication schemes by upgrading them to three-factor authentication schemes, without exposing user privacy. In addition, we present a case study by upgrading a secure two-factor authentication scheme to a secure three-factor authentication scheme. Furthermore, implementation analysis, formal proof, and privacy discussion are provided to show that the derived scheme is practical, secure, and privacy preserving.


The Computer Journal | 2016

DTKI: A New Formalized PKI with Verifiable Trusted Parties

Jiangshan Yu; Vincent Cheval; Mark Ryan

The security of public key validation protocols for web-based applications has recently attracted attention because of weaknesses in the certificate authority model, and consequent attacks. Recent proposals using public logs have succeeded in making certificate management more transparent and verifiable. However, those proposals involve a fixed set of authorities. This means an oligopoly is created. Another problem with current log-based systems is their heavy reliance on trusted parties that monitor the logs. We propose a distributed transparent key infrastructure (DTKI), which greatly reduces the oligopoly of service providers and allows verification of the behaviour of trusted parties. In addition, this paper formalises the public log data structure and provides a formal analysis of the security that DTKI guarantees.
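The abstract above describes a public log whose contents can be verified by clients and monitors. The following is an added example, not code from the DTKI paper or its authors, of the kind of append-only Merkle-tree log that Certificate Transparency and DTKI build on: the log server publishes a root, a client checks that a certificate record is included under that root, and a monitor checks that a newer root still extends the earlier one. The certificate records, the RFC 6962 leaf/node hash prefixes, and the monitor holding a full copy of the leaves are assumptions made for the example; DTKI's own data structure is more elaborate.

```python
"""CT-style append-only Merkle log with inclusion and extension checks.

Constructed illustration (not DTKI's data structure) of a public log that
clients and monitors can verify. Hashing uses RFC 6962 domain separation.
"""
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(data: bytes) -> bytes:
    # 0x00 prefix: a leaf can never be confused with an interior node
    return sha256(b"\x00" + data)


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_root(hashes: list) -> bytes:
    if not hashes:
        return sha256(b"")
    if len(hashes) == 1:
        return hashes[0]
    k = split_point(len(hashes))
    return node_hash(tree_root(hashes[:k]), tree_root(hashes[k:]))


def audit_path(hashes: list, index: int) -> list:
    """Sibling hashes from the leaf upward, each tagged with the side it is on."""
    if len(hashes) == 1:
        return []
    k = split_point(len(hashes))
    if index < k:
        return audit_path(hashes[:k], index) + [("R", tree_root(hashes[k:]))]
    return audit_path(hashes[k:], index - k) + [("L", tree_root(hashes[:k]))]


class MerkleLog:
    """The log server: appends only, never deletes or reorders leaves."""

    def __init__(self):
        self.leaves = []

    def append(self, entry: bytes) -> int:
        self.leaves.append(leaf_hash(entry))
        return len(self.leaves) - 1

    def root(self) -> bytes:
        return tree_root(self.leaves)

    def inclusion_proof(self, index: int) -> list:
        return audit_path(self.leaves, index)

    def extends(self, old_size: int, old_root: bytes) -> bool:
        """Monitor check that the log is append-only: the first old_size leaves
        must still hash to the root recorded earlier. (Assumption: the monitor
        keeps a full copy of the leaves; a real monitor uses a consistency proof.)"""
        return old_size <= len(self.leaves) and tree_root(self.leaves[:old_size]) == old_root


def verify_inclusion(entry: bytes, proof: list, root: bytes) -> bool:
    """Client check: does this entry sit under the published root?"""
    h = leaf_hash(entry)
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == root


def demo() -> dict:
    # Constructed certificate records, not real certificates.
    log = MerkleLog()
    for cert in [b"example.com|pubkey-A|ca-1", b"example.org|pubkey-B|ca-2", b"example.net|pubkey-C|ca-1"]:
        log.append(cert)
    root_v3 = log.root()
    proof = log.inclusion_proof(1)
    results = {
        "genuine_included": verify_inclusion(b"example.org|pubkey-B|ca-2", proof, root_v3),
        "forged_included": verify_inclusion(b"example.org|pubkey-EVIL|ca-2", proof, root_v3),
    }
    log.append(b"example.com|pubkey-D|ca-3")  # honest growth keeps the old root as a prefix
    results["append_only_ok"] = log.extends(3, root_v3)
    log.leaves[0] = leaf_hash(b"example.com|pubkey-X|ca-1")  # a log that rewrites history
    results["rewrite_detected"] = not log.extends(3, root_v3)
    return results
```

The inclusion proof lets a client that only knows the current root confirm a single record is logged, while the extension check is what a monitor runs between two published roots; a log that quietly replaces a leaf fails the second check even though it can still hand out valid-looking proofs for its new contents.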


Trust, Security and Privacy in Computing and Communications | 2012

Provably Secure Single Sign-on Scheme in Distributed Systems and Networks

Jiangshan Yu; Guilin Wang; Yi Mu

Distributed systems and networks have been adopted by telecommunications, remote education, businesses, armies and governments. A widely applied technique for distributed systems and networks is the single sign-on (SSO) which enables a user to use a unitary secure credential (or token) to access multiple computers and systems where he/she has access permissions. However, most existing SSO schemes have not been formally proved to satisfy credential privacy and soundness of credential based authentication. To overcome this drawback, we formalise the security model of single sign-on scheme with authenticated key exchange. Specifically, we point out the difference between soundness and credential privacy, and define them together in one definition. Also, we propose a provably secure single sign-on authentication scheme, which satisfies soundness, preserves credential privacy, meets user anonymity, and supports session key exchange. The proposed scheme is very efficient so that it suits mobile devices in distributed systems and networks.


IEEE Transactions on Information Forensics and Security | 2018

DECIM: Detecting Endpoint Compromise In Messaging

Jiangshan Yu; Mark Ryan; Cas Cremers

We present DECIM, an approach to solve the challenge of detecting endpoint compromise in messaging. DECIM manages and refreshes encryption/decryption keys in an automatic and transparent way: it makes it necessary for uses of the key to be inserted in an append-only log, which the device owner can interrogate in order to detect misuse. We propose a multi-device messaging protocol that exploits our concept to allow users to detect unauthorised usage of their device keys. It is co-designed with a formal model, and we verify its core security property using the Tamarin prover. We present a proof-of-concept implementation providing the main features required for deployment. We find that DECIM messaging is efficient even for millions of users. The methods we introduce are not intended to replace existing methods used to keep keys safe (such as hardware devices, careful procedures, or key refreshment techniques). Rather, our methods provide a useful and effective additional layer of security.


Trust, Security and Privacy in Computing and Communications | 2017

Authenticating Compromisable Storage Systems

Jiangshan Yu; Mark Ryan; Liqun Chen

A service may be implemented over several servers, and those servers may become compromised by an attacker, e.g. through software vulnerabilities. When this happens, the service manager will remove the vulnerabilities and re-instate the server. Typically, this will involve regenerating the public key by which clients authenticate the service, and revoking the old one. This paper presents a scheme which allows a storage service composed of several servers to create a group public key in a decentralised manner, and maintain its security even when such compromises take place. By maintaining keys for a long term, we reduce the reliance on public-key certification. The storage servers periodically update the decryption secrets corresponding to a public key, in such a way that secrets gained by an attacker are rendered useless after an update takes place. An attacker would have to compromise all the servers within a short period lying between two updates in order to fully compromise the system.
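The last two sentences of the abstract describe the property a periodic secret update has to give: shares an attacker stole before an update must be useless afterwards, so that only compromising every server within one update period breaks the system. The following is an added example, not the paper's scheme or its authors' code, showing that property for the simplest case, an additively shared secret refreshed with zero-sum updates. The prime modulus, the additive sharing, and the secret standing in for the group decryption key (the group public key would stay fixed across updates) are assumptions made for the example.

```python
"""Proactive refresh of an additively shared decryption secret.

Constructed illustration of "secrets gained by an attacker are rendered
useless after an update"; not the paper's scheme. Shares live modulo the
prime P (an assumption for the example).
"""
import secrets

P = 2**127 - 1  # Mersenne prime, chosen for the example


def share_secret(secret: int, n: int) -> list:
    """Split secret into n additive shares with sum(shares) mod P == secret."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((secret - sum(shares)) % P)
    return shares


def reconstruct(shares: list) -> int:
    return sum(shares) % P


def zero_sum_deltas(n: int) -> list:
    """n random values that sum to zero mod P."""
    deltas = [secrets.randbelow(P) for _ in range(n - 1)]
    deltas.append((-sum(deltas)) % P)
    return deltas


def refresh(shares: list) -> list:
    """One update round. Each server i draws a zero-sum vector and sends
    delta_i[j] to server j; every server adds what it received. The shared
    secret is unchanged but every individual share is re-randomised."""
    n = len(shares)
    new_shares = list(shares)
    for _ in range(n):
        for j, d in enumerate(zero_sum_deltas(n)):
            new_shares[j] = (new_shares[j] + d) % P
    return new_shares


def compromise_across_updates(secret: int, n: int = 3) -> dict:
    """Attacker takes shares 0..n-2 in epoch 0, then share n-1 in epoch 1."""
    epoch0 = share_secret(secret, n)
    epoch1 = refresh(epoch0)
    stolen = epoch0[:-1] + [epoch1[-1]]
    return {
        "epoch0_reconstructs": reconstruct(epoch0) == secret,
        "epoch1_reconstructs": reconstruct(epoch1) == secret,
        "shares_changed": all(a != b for a, b in zip(epoch0, epoch1)),
        "mixed_epochs_reconstruct": reconstruct(stolen) == secret,
    }
```

A server that was compromised and re-instated simply takes part in the next refresh; its old share, whatever the attacker still holds, no longer combines with anything the honest servers now hold. The example uses n-of-n additive sharing, so a single crashed server also blocks reconstruction; a threshold scheme relaxes that, but the refresh idea is the same.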


International Workshop on Security | 2017

Permanent Reencryption: How to Survive Generations of Cryptanalysts to Come.

Marcus Völp; Francisco Rocha; Jérémie Decouchant; Jiangshan Yu; Paulo Veríssimo

The protection of long-lived sensitive information puts enormous stress on traditional ciphers, to survive generations of cryptanalysts. In addition, there is a continued risk of adversaries penetrating and attacking the systems in which these ciphers are implemented. In this paper, we present our work-in-progress on an approach to survive both cryptanalysis and intrusion attacks for extended periods of time. A prime objective of any similar work is to prevent the leakage of plaintexts. However, given the long lifespan of sensitive information, during which cryptanalysts could focus on breaking the cipher, it is equally important to prevent leakage of unduly high amounts of ciphertext. Our approach consists in an enclave-based architectural set-up bringing in primary resilience against attacks, seconded by permanently reencrypting portions of the confidential or privacy-sensitive data with fresh keys and combining ciphers in a threshold-based encryption scheme.


IEEE Computer Security Foundations Symposium | 2017

Automatically Detecting the Misuse of Secrets: Foundations, Design Principles, and Applications

Kevin Milner; Cas Cremers; Jiangshan Yu; Mark Ryan

We develop foundations and several constructions for security protocols that can automatically detect, without false positives, if a secret (such as a key or password) has been misused. Such constructions can be used, e.g., to automatically shut down compromised services, or to automatically revoke misused secrets to minimize the effects of compromise. Our threat model includes malicious agents, (temporarily or permanently) compromised agents, and clones.

Previous works have studied domain-specific partial solutions to this problem. For example, Google's Certificate Transparency aims to provide infrastructure to detect the misuse of a certificate authority's signing key, logs have been used for detecting endpoint compromise, and protocols have been proposed to detect cloned RFID/smart cards. Contrary to these existing approaches, for which the designs are interwoven with domain-specific considerations and which usually do not enable fully automatic response (i.e., they need human assessment), our approach shows where automatic action is possible. Our results unify, provide design rationales, and suggest improvements for the existing domain-specific solutions.

Based on our analysis, we construct several mechanisms for the detection of misuse. Our mechanisms enable automatic response, such as revoking keys or shutting down services, thereby substantially limiting the impact of a compromise.

In several case studies, we show how our mechanisms can be used to substantially increase the security guarantees of a wide range of systems, such as web logins, payment systems, or electronic door locks. For example, we propose and formally verify an improved version of Cloudflare's Keyless SSL protocol that enables key misuse detection.
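Both the DECIM abstract above ("it makes it necessary for uses of the key to be inserted in an append-only log, which the device owner can interrogate") and this one (detection "without false positives") rest on the same mechanism. The following is an added example, not code from either paper or its authors, of that mechanism: a relying party accepts a key use only if it appears in the log, so a thief who holds the key must either leave evidence the owner's audit will find or produce uses nobody accepts. The hash-chained log, the HMAC standing in for a signature (assumption: the relying party holds the verification secret), the device identifier, and the message contents are all constructed for the example.

```python
"""Key use that is only valid if it is recorded in an append-only log.

Constructed illustration of the detection idea behind DECIM and the
misuse-detection paper above; not either paper's protocol. An HMAC stands
in for the signing key and a hash chain for the public log (assumptions).
"""
import hashlib
import hmac
import json
import secrets

GENESIS = "0" * 64


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AppendOnlyLog:
    """Hash-chained log: each entry commits to the previous head, so any
    rewrite of an earlier entry is caught by verify_chain()."""

    def __init__(self):
        self.entries = []  # list of (entry_hash, record)

    def head(self) -> str:
        return self.entries[-1][0] if self.entries else GENESIS

    def append(self, record: dict) -> str:
        body = json.dumps(record, sort_keys=True).encode()
        entry_hash = digest(self.head().encode() + body)
        self.entries.append((entry_hash, record))
        return entry_hash

    def verify_chain(self) -> bool:
        prev = GENESIS
        for entry_hash, record in self.entries:
            body = json.dumps(record, sort_keys=True).encode()
            if entry_hash != digest(prev.encode() + body):
                return False
            prev = entry_hash
        return True

    def contains_use(self, key_id: str, nonce: str, msg_digest: str) -> bool:
        return any(r["key_id"] == key_id and r["nonce"] == nonce and r["msg"] == msg_digest
                   for _, r in self.entries)


def make_tag(key: bytes, nonce: str, message: bytes) -> str:
    return hmac.new(key, nonce.encode() + message, hashlib.sha256).hexdigest()


class KeyHolder:
    """Device holding the key. Logs every use before producing the tag and
    remembers the hashes of the entries it wrote."""

    def __init__(self, key_id: str, log: AppendOnlyLog, key: bytes = None):
        self.key_id = key_id
        self.key = key if key is not None else secrets.token_bytes(32)
        self.log = log
        self.own_entries = set()

    def use_key(self, message: bytes) -> dict:
        nonce = secrets.token_hex(16)
        record = {"key_id": self.key_id, "nonce": nonce, "msg": digest(message)}
        self.own_entries.add(self.log.append(record))
        return {"nonce": nonce, "tag": make_tag(self.key, nonce, message)}

    def audit(self) -> list:
        """Owner's check: log entries for my key that I did not write.
        My own uses are never reported, hence no false positives."""
        return [r for h, r in self.log.entries
                if r["key_id"] == self.key_id and h not in self.own_entries]


def accept(log: AppendOnlyLog, key: bytes, key_id: str, message: bytes, proof: dict) -> bool:
    """Relying party: valid tag AND a log entry for this exact use AND an intact chain."""
    expected = make_tag(key, proof["nonce"], message)
    if not hmac.compare_digest(expected, proof["tag"]):
        return False
    return log.contains_use(key_id, proof["nonce"], digest(message)) and log.verify_chain()


def scenario() -> dict:
    public_log = AppendOnlyLog()
    owner = KeyHolder("alice-phone", public_log)
    p_ok = owner.use_key(b"hi bob")

    # Thief with a copy of the key. Using it off-log produces nothing anyone accepts ...
    thief_quiet = KeyHolder("alice-phone", AppendOnlyLog(), owner.key)
    p_quiet = thief_quiet.use_key(b"pay mallory")
    # ... and using it on-log leaves an entry the owner never wrote.
    thief_loud = KeyHolder("alice-phone", public_log, owner.key)
    p_loud = thief_loud.use_key(b"pay mallory")

    return {
        "owner_use_accepted": accept(public_log, owner.key, "alice-phone", b"hi bob", p_ok),
        "unlogged_use_accepted": accept(public_log, owner.key, "alice-phone", b"pay mallory", p_quiet),
        "logged_misuse_accepted": accept(public_log, owner.key, "alice-phone", b"pay mallory", p_loud),
        "misuses_found_by_audit": len(owner.audit()),
    }
```

The detection is only as good as the log's append-only property and the relying party's refusal to accept unlogged uses; if either is dropped, the thief can use the key silently. The audit result is what an automatic response (revoking the key, refusing further uses of it) would be driven by.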


IACR Cryptology ePrint Archive | 2017

Chapter 7: Evaluating web PKIs

Jiangshan Yu; Mark Ryan

Certificate authorities serve as trusted parties to help secure web communications. They are a vital component for ensuring the security of cloud infrastructures and big data repositories. Unfortunately, recent attacks using mis-issued certificates show that this model is severely broken. Much research has been done to enhance certificate management in order to create more secure and reliable cloud architectures. However, none of it has been widely adopted yet, and it is hard to judge which one is the winner. This chapter provides a survey with critical analysis on the existing proposals for managing public key certificates. This evaluation framework would be helpful for future research on designing an alternative certificate management system to secure the Internet.


IACR Cryptology ePrint Archive | 2012

Security Analysis of A Single Sign-On Mechanism for Distributed Computer Networks.

Guilin Wang; Jiangshan Yu; Qi Xie

Collaboration

Top Co-Authors

Mark Ryan, University of Birmingham
Guilin Wang, University of Wollongong
Yi Mu, Information Technology University
Qi Xie, Hangzhou Normal University