Publication


Featured research published by Juan Manuel González Nieto.


computer and communications security | 2007

Detecting relay attacks with timing-based protocols

Jason F. Reid; Juan Manuel González Nieto; Tee Tang; Bouchra Senadji

Distance-bounding protocols have been proposed as a means of detecting relay attacks, also known as mafia fraud. In this paper we present the first symmetric key based distance-bounding protocol that is also resistant to so-called terrorist fraud, a variant of mafia fraud. Distance-bounding protocols require a communication channel that can exchange single bits with extremely low latency. This unconventional communication requirement has prompted Hancke and Kuhn to assert in a recent publication that ultra wide band (UWB) radio is necessary to achieve a useful distance-bounding resolution for RF security devices (contactless smart cards, RFID tags and the like). We analyse this assertion and present an alternative, novel communication approach that leverages the phenomenon of side channel leakage to deliver a low latency channel. Our proposal is capable of detecting sophisticated relay attacks without resorting to the considerable expense and complexity of UWB radio. We present experimental results to support our arguments.


public key cryptography | 2003

Round-Optimal Contributory Conference Key Agreement

Colin Boyd; Juan Manuel González Nieto

Becker and Wille derived a lower bound of only one round for multi-party contributory key agreement protocols. Up until now no protocol meeting this bound has been proven secure. We present a protocol meeting the bound and prove it is secure in Bellare and Rogaway's model. The protocol is much more efficient than other conference key agreement protocols with provable security, but lacks forward secrecy.


australasian conference on information security and privacy | 2008

Efficient One-Round Key Exchange in the Standard Model

Colin Boyd; Yvonne Cliff; Juan Manuel González Nieto; Kenneth G. Paterson

We consider one-round key exchange protocols secure in the standard model. The security analysis uses the powerful security model of Canetti and Krawczyk and a natural extension of it to the ID-based setting. It is shown how KEMs can be used in a generic way to obtain two different protocol designs with progressively stronger security guarantees. A detailed analysis of the performance of the protocols is included; surprisingly, when instantiated with specific KEM constructions, the resulting protocols are competitive with the best previous schemes that have proofs only in the random oracle model.


public key cryptography | 2006

Security-Mediated certificateless cryptography

Sherman S. M. Chow; Colin Boyd; Juan Manuel González Nieto

We introduce the notion of security-mediated certificateless (SMC) cryptography. This allows more lightweight versions of mediated cryptography while maintaining the ability for instantaneous revocation of keys. Moreover, our solutions avoid key escrow, which has been used in all previous mediated cryptography algorithms. We provide a model of security against a fully-adaptive chosen ciphertext attacker, who may be a rogue key generation centre or any coalition of rogue users. We present a generic construction and also a concrete algorithm based on bilinear pairings. Our concrete scheme is more efficient than the identity-based mediated encryption scheme of Baek and Zheng in PKC 2004 which is provably secure in a comparable security model. In addition, our proposals can be easily extended to support distributed security mediators.


international conference on pairing-based cryptography | 2009

Strongly Secure Certificateless Key Agreement

Georg Lippold; Colin Boyd; Juan Manuel González Nieto

We introduce a formal model for certificateless authenticated key exchange (CL-AKE) protocols. Contrary to what might be expected, we show that the natural combination of an ID-based AKE protocol with a public key based AKE protocol cannot provide strong security. We provide the first one-round CL-AKE scheme proven secure in the random oracle model. We introduce two variants of the Diffie-Hellman trapdoor introduced by [4]. The proposed key agreement scheme is secure as long as each party has at least one uncompromised secret. Thus, our scheme is secure even if the key generation centre learns the ephemeral secrets of both parties.


public key cryptography | 2009

Modeling Key Compromise Impersonation Attacks on Group Key Exchange Protocols

M. Choudary Gorantla; Colin Boyd; Juan Manuel González Nieto

A key exchange protocol allows a set of parties to agree upon a secret session key over a public network. Two-party key exchange (2PKE) protocols have been rigorously analyzed under various models considering different adversarial actions. However, the analysis of group key exchange (GKE) protocols has not been as extensive as that of 2PKE protocols. Particularly, the security attribute of key compromise impersonation (KCI) resilience has so far been ignored for the case of GKE protocols. We first model the security of GKE protocols addressing KCI attacks by both outsider and insider adversaries. We then show that a few existing protocols are not secure even against outsider KCI attacks. The attacks on these protocols demonstrate the necessity of considering KCI resilience. Finally, we give a new proof of security for an existing GKE protocol under the revised model assuming random oracles.


database and expert systems applications | 2003

Privacy and trusted computing

Jason F. Reid; Juan Manuel González Nieto; Ed Dawson; Eiji Okamoto

This paper examines a model of trusted computing wherein a computing platform is able to make assertions about its current software configuration that may be trusted by the user and remote third parties. The privacy implications of this approach are investigated in the context of the Trusted Computing Platform Alliance (TCPA) specification. The trust relationships of the TCPA architecture are examined in detail. An analysis of the revocation requirements inherent in the TCPA design is presented, which highlights the challenges that revocation presents in the context of a large scale deployment of TCPA platforms. Finally, a modification to the specification is suggested that reduces the level of trust that needs to be placed on the Privacy CA.


cryptology and network security | 2007

Toward non-parallelizable client puzzles

Suratose Tritilanunt; Colin Boyd; Ernest Foo; Juan Manuel González Nieto

Client puzzles have been proposed as a useful mechanism for mitigating denial of service attacks on network protocols. Several different puzzles have been proposed in recent years. This paper reviews the desirable properties of client puzzles, pointing out that there is currently no puzzle which satisfies all such properties. We investigate how to provide the property of non-parallelizability in a practical puzzle. After showing that obvious ideas based on hash chains have significant problems, we propose a new puzzle based on the subset sum problem. Despite some practical implementation issues, this is the first example that satisfies all the desirable properties for a client puzzle.


the cryptographers track at the rsa conference | 2011

Stronger difficulty notions for client puzzles and denial-of-service-resistant protocols

Douglas Stebila; Lakshmi Kuppusamy; Jothi Rangasamy; Colin Boyd; Juan Manuel González Nieto

Client puzzles are meant to act as a defense against denial of service (DoS) attacks by requiring a client to solve some moderately hard problem before being granted access to a resource. However, recent client puzzle difficulty definitions (Stebila and Ustaoglu, 2009; Chen et al., 2009) do not ensure that solving n puzzles is n times harder than solving one puzzle. Motivated by examples of puzzles where this is the case, we present stronger definitions of difficulty for client puzzles that are meaningful in the context of adversaries with more computational power than required to solve a single puzzle. A protocol using strong client puzzles may still not be secure against DoS attacks if the puzzles are not used in a secure manner. We describe a security model for analyzing the DoS resistance of any protocol in the context of client puzzles and give a generic technique for combining any protocol with a strong client puzzle to obtain a DoS-resistant protocol.


International Journal of Applied Cryptography | 2009

One-round key exchange in the standard model

Colin Boyd; Yvonne Cliff; Juan Manuel González Nieto; Kenneth G. Paterson

We consider one-round key exchange protocols secure in the standard model. The security analysis uses the powerful security model of Canetti and Krawczyk and a natural extension of it to the ID-based setting. It is shown how Key-Encapsulation Mechanisms (KEMs) can be used in a generic way to obtain two different protocol designs with progressively stronger security guarantees. A detailed analysis of the performance of the protocols is included; surprisingly, when instantiated with specific KEM constructions, the resulting protocols are competitive with the best previous schemes that have proofs only in the Random Oracle Model.

Collaboration

Top Co-Authors

Colin Boyd
Norwegian University of Science and Technology

Ernest Foo
Queensland University of Technology

M. Choudary Gorantla
Queensland University of Technology

Douglas Stebila
Queensland University of Technology

Ed Dawson
Queensland University of Technology

Jothi Rangasamy
Queensland University of Technology

Kenneth Radke
Queensland University of Technology

Hani Alzaid
King Abdulaziz City for Science and Technology

Dongdong Sun
Queensland University of Technology