Secure Communications over Insecure Channels Based on Short Authenticated Strings

Vaudenay, Serge

doi:10.1007/11535218_19

Cited by 170 publications

(173 citation statements)

References 37 publications

Supporting

Mentioning

172

Contrasting

Order By: Relevance

“…By comparing an SAS on an OOB channel, human users can authenticate information received from an insecure high bandwidth channel. Nguyen and Roscoe wrote an extensive survey [28] of HISPs, comparing their cost and efficiency, of which [30,32,33] are good examples.…”

Section: Choosing a Hispmentioning

confidence: 99%

Mobile Electronic Identity: Securing Payment on Mobile Phones

Chen¹,

Roscoe²

2011

Information Security Theory and Practice. Security and Privacy of Mobile Devices in Wireless Communication

View full text Add to dashboard Cite

Abstract. The pervasive use of mobile phones has created a dynamic computing platform that a large percentage of the population carries routinely. There is a growing trend of integrating mobile phones with electronic identity, giving the phone the ability to prove or support the identity of the owner by containing, for example, a tuple of name, ID, photo and public key. While this helps phone owners prove who they are, it does not prove to them that they are giving their identities to intended parties. This is important in its own right for reasons of privacy and avoiding cases of "identity theft", but all the more important when identity is being provided to support the transfer of value (e.g. in mobile payment) or information. In this paper we show how Human Interactive Security Protocols can support this type of authentication in cases where PKIs are inappropriate, misunderstood or too expensive, concentrating on the case of payment.

show abstract

Section: Choosing a Hispmentioning

confidence: 99%

Mobile Electronic Identity: Securing Payment on Mobile Phones

Chen¹,

Roscoe²

2011

Information Security Theory and Practice. Security and Privacy of Mobile Devices in Wireless Communication

View full text Add to dashboard Cite

show abstract

“…One proposal is the use of a narrowband authenticated channel, along with a broadband insecure channel, in order to achieve message authentication in such an environment has been investigated in several recent papers, see for example [GN04,MS09,SA99,Vau05]. In such solutions, the narrow-band channel is available all the time and can be used at least once for every message.…”

Section: Literature Reviewmentioning

confidence: 99%

A Message Recognition Protocol Based on Standard Assumptions

Mashatan

Vaudenay

2010

Applied Cryptography and Network Security

Self Cite

View full text Add to dashboard Cite

Abstract. We look at the problem of designing Message Recognition Protocols (MRP) and note that all proposals available in the literature have relied on security proofs which hold in the random oracle model or are based on non-standard assumptions. Incorporating random coins, we propose a new MRP using a pseudorandom function F and prove its security based on new assumptions. Then, we show that these new assumptions are equivalent to the standard notions of preimage resistance, second preimage resistance, and existential unforgeability given that F is a pseudorandom function.

show abstract

“…Some protocols based on the Diffie-Hellman one were proposed [11,15] with an incomplete security analysis. A provably secure solution was finally proposed by Vaudenay [22]. This protocol can work with only 20 bits to authenticate and is based on a commitment scheme.…”

Section: Setting Up Secure Communicationsmentioning

confidence: 99%

“…We adapt the security model of [5,6] and [22]. We assume that the powerful adversary can launch instances of the preparing/repairing protocol on chosen inputs by making a chosen participant to play the (chosen) role of Alice or Bob with a chosen input.…”

Section: Adversarial Modelmentioning

confidence: 99%

On Bluetooth Repairing: Key Agreement Based on Symmetric-Key Cryptography

Vaudenay

2005

Information Security and Cryptology

Self Cite

View full text Add to dashboard Cite

Abstract. Despite many good (secure) key agreement protocols based on publickey cryptography exist, secure associations between two wireless devices are often established using symmetric-key cryptography for cost reasons. The consequence is that common daily used security protocols such as Bluetooth pairing are insecure in the sense that an adversary can easily extract the main private key from the protocol communications. Nevertheless, we show that a feature in the Bluetooth standard provides a pragmatic and costless protocol that can eventually repair privateless associations, thanks to mobility. This proves (in the random oracle model) the pragmatic security of the Bluetooth pairing protocol when repairing is used. Setting up Secure CommunicationsDigital communications are often secured by means of symmetric encryption and message authentication codes. This provided high throughput and security. However, setting up this channel requires agreeing on a private key with large entropy. Private key agreement between remote peers through insecure channel is a big challenge. A first (impractical) solution was proposed in 1975 by Merkle [19]. A solution was proposed by Diffie and Hellman in 1976 [12]. It works, provided that the two peers can communicate over an authenticated channel which protects the integrity of messages and that a standard computational problem (namely, the Diffie-Hellman problem) is hard.To authenticate messages of the Diffie-Hellman protocol is still expensive since those messages are pretty long (typically, a thousand bits, each) and that authentication is often manually done by human beings. Folklore solutions consist of shrinking this amount of information by means of a collision-resistant hash function and of authenticating only the digest of the protocol transcript. The amount of information to authenticate typically reduces to 160 bits. However, collision-resistant hash functions are threatened species these days due to collapses of MD5, RIPEMD, SHA, etc. [9,23,24,25,26]. Furthermore, 160 bits is still pretty large for human beings to authenticate. Another solution using shorter messages have been proposed by Pasini and Vaudenay [20] using

show abstract

Secure Communications over Insecure Channels Based on Short Authenticated Strings

Cited by 170 publications

References 37 publications

Mobile Electronic Identity: Securing Payment on Mobile Phones

Mobile Electronic Identity: Securing Payment on Mobile Phones

A Message Recognition Protocol Based on Standard Assumptions

On Bluetooth Repairing: Key Agreement Based on Symmetric-Key Cryptography

Contact Info

Product

Resources

About