-
Integrity-protecting block cipher modes -- Untangling a tangled web
Authors:
Chris J Mitchell
Abstract:
This paper re-examines the security of three related block cipher modes of operation designed to provide authenticated encryption. These modes, known as PES-PCBC, IOBC and EPBC, were all proposed in the mid-1990s. However, analyses of security of the latter two modes were published more recently. In each case one or more papers describing security issues with the schemes were eventually published, although a flaw in one of these analyses (of EPBC) was subsequently discovered - this means that until now EPBC had no known major issues. This paper establishes that, despite this, all three schemes possess defects which should prevent their use - especially as there are a number of efficient alternative schemes possessing proofs of security.
Submitted 17 June, 2024; v1 submitted 6 March, 2024;
originally announced March 2024.
-
The (in)security of some recently proposed lightweight key distribution schemes
Authors:
Chris J Mitchell
Abstract:
Two recently published papers propose some very simple key distribution schemes designed to enable two or more parties to establish a shared secret key with the aid of a third party. Unfortunately, as we show, most of the schemes are inherently insecure and all are incompletely specified - moreover, claims that the schemes are inherently lightweight are shown to be highly misleading. We also briefly critique a somewhat related very recent paper by the same authors that uses similar techniques to achieve what are claimed to be secure multiparty computations.
Submitted 13 March, 2021; v1 submitted 20 January, 2021;
originally announced January 2021.
-
Two closely related insecure noninteractive group key establishment schemes
Authors:
Chris J Mitchell
Abstract:
Serious weaknesses in two very closely related group authentication and group key establishment schemes are described. Simple attacks against the group key establishment part of the schemes are described, which strongly suggest that the schemes should not be used.
Submitted 7 March, 2021; v1 submitted 19 September, 2020;
originally announced September 2020.
-
Provably insecure group authentication: Not all security proofs are what they claim to be
Authors:
Chris J Mitchell
Abstract:
A paper presented at the ICICS 2019 conference describes what is claimed to be a `provably secure group authentication [protocol] in the asynchronous communication model'. We show here that this is far from being the case, as the protocol is subject to serious attacks. To try to explain this troubling case, an earlier (2013) scheme on which the ICICS 2019 protocol is based was also examined and found to possess even more severe flaws - this latter scheme was previously known to be subject to attack, but not in quite as fundamental a way as is shown here. Examination of the security theorems provided in both the 2013 and 2019 papers reveals that in neither case are they exactly what they seem to be at first sight; the issues raised by this are also briefly discussed.
Submitted 9 June, 2021; v1 submitted 11 May, 2020;
originally announced May 2020.
-
How not to secure wireless sensor networks revisited: Even if you say it twice it's still not secure
Authors:
Chris J Mitchell
Abstract:
Two recent papers describe almost exactly the same group key establishment protocol for wireless sensor networks. Quite apart from the duplication issue, we show that both protocols are insecure and should not be used - a member of a group can successfully impersonate the key generation centre and persuade any other group member to accept the wrong key value. This breaks the stated objectives of the schemes.
Submitted 20 November, 2020; v1 submitted 9 May, 2020;
originally announced May 2020.
-
Who Needs Trust for 5G?
Authors:
Chris J Mitchell
Abstract:
There has been much recent discussion of the criticality of the 5G infrastructure, and whether certain vendors should be able to supply 5G equipment. The key issue appears to be about trust, namely to what degree the security and reliability properties of 5G equipment and systems need to be trusted, and by whom, and how the necessary level of trust might be obtained. In this paper, by considering existing examples such as the Internet, the possible need for trust is examined in a systematic way, and possible routes to gaining trust are described. The issues that arise when a security and/or reliability failure actually occurs are also discussed. The paper concludes with a discussion of possible future ways of enabling all parties to gain the assurances they need in a cost-effective and harmonised way.
Submitted 2 May, 2020;
originally announced May 2020.
-
How not to secure wireless sensor networks: A plethora of insecure polynomial-based key pre-distribution schemes
Authors:
Chris J Mitchell
Abstract:
Three closely-related polynomial-based group key pre-distribution schemes have recently been proposed, aimed specifically at wireless sensor networks. The schemes enable any subset of a predefined set of sensor nodes to establish a shared secret key without any communications overhead. It is claimed that these schemes are both secure and lightweight, i.e. making them particularly appropriate for network scenarios where nodes have limited computational and storage capabilities. Further papers have built on these schemes, e.g. to propose secure routing protocols for wireless sensor networks. Unfortunately, as we show in this paper, all three schemes are completely insecure; whilst the details of their operation vary, they share common weaknesses. In every case we show that an attacker equipped with the information built into at most two sensor nodes can compute group keys for all possible groups of which the attacked nodes are not a member, which breaks a fundamental design objective. The attacks can also be achieved by an attacker armed with the information from a single node together with a single group key to which this sensor node is not entitled. Repairing the schemes appears difficult, if not impossible. The existence of major flaws is not surprising given the complete absence of any rigorous proofs of security for the proposed schemes. A further recent paper proposes a group membership authentication and key establishment scheme based on one of the three key pre-distribution schemes analysed here; as we demonstrate, this scheme is also insecure, as the attack we describe on the corresponding pre-distribution scheme enables the authentication process to be compromised.
Submitted 5 October, 2020; v1 submitted 12 April, 2020;
originally announced April 2020.
-
Yet another insecure group key distribution scheme using secret sharing
Authors:
Chris J Mitchell
Abstract:
A recently proposed group key distribution scheme known as UMKESS, based on secret sharing, is shown to be insecure. Not only is it insecure, but it does not always work, and the rationale for its design is unsound. UMKESS is the latest in a long line of flawed group key distribution schemes based on secret sharing techniques.
Submitted 18 November, 2020; v1 submitted 31 March, 2020;
originally announced March 2020.
-
The impact of quantum computing on real-world security: A 5G case study
Authors:
Chris J Mitchell
Abstract:
This paper provides a detailed analysis of the impact of quantum computing on the security of 5G mobile telecommunications. This involves considering how cryptography is used in 5G, and how the security of the system would be affected by the advent of quantum computing. This leads naturally to the specification of a series of simple, phased, recommended changes intended to ensure that the security of 5G (as well as 3G and 4G) is not badly damaged if and when large scale quantum computing becomes a practical reality. By exploiting backwards-compatibility features of the 5G security system design, we are able to propose a novel multi-phase approach to upgrading security that allows for a simple and smooth migration to a post-quantum-secure system.
Submitted 13 December, 2019; v1 submitted 18 November, 2019;
originally announced November 2019.
-
The Saeed-Liu-Tian-Gao-Li authenticated key agreement protocol is insecure
Authors:
Chris J Mitchell
Abstract:
A recently proposed authenticated key agreement protocol is shown to be insecure. In particular, one of the two parties is not authenticated, allowing an active man in the middle opponent to replay old messages. The protocol is essentially an authenticated Diffie-Hellman key agreement scheme, and the lack of authentication allows an attacker to replay old messages and have them accepted. Moreover, if the ephemeral key used to compute a protocol message is ever compromised, then the key established using the replayed message will also be compromised. Fixing the problem is simple - there are many provably secure and standardised protocols which are just as efficient as the flawed scheme.
Submitted 21 June, 2019;
originally announced June 2019.
-
Beyond Cookie Monster Amnesia: Real World Persistent Online Tracking
Authors:
Nasser Mohammed Al-Fannah,
Wanpeng Li,
Chris J Mitchell
Abstract:
Browser fingerprinting is a relatively new method of uniquely identifying browsers that can be used to track web users. In some ways it is more privacy-threatening than tracking via cookies, as users have no direct control over it. A number of authors have considered the wide variety of techniques that can be used to fingerprint browsers; however, relatively little information is available on how widespread browser fingerprinting is, and what information is collected to create these fingerprints in the real world. To help address this gap, we crawled the 10,000 most popular websites; this gave insights into the number of websites that are using the technique, which websites are collecting fingerprinting information, and exactly what information is being retrieved. We found that approximately 69% of websites are, potentially, involved in first-party or third-party browser fingerprinting. We further found that third-party browser fingerprinting, which is potentially more privacy-damaging, appears to be predominant in practice. We also describe FingerprintAlert, a freely available browser extension we developed that detects and, optionally, blocks fingerprinting attempts by visited websites.
Submitted 23 May, 2019;
originally announced May 2019.
-
OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect
Authors:
Wanpeng Li,
Chris J Mitchell,
Thomas Chen
Abstract:
Millions of users routinely use Google to log in to websites supporting OAuth 2.0 or OpenID Connect; the security of OAuth 2.0 and OpenID Connect is therefore of critical importance. As revealed in previous studies, in practice RPs often implement OAuth 2.0 incorrectly, and so many real-world OAuth 2.0 and OpenID Connect systems are vulnerable to attack. However, users of such flawed systems are typically unaware of these issues, and so are at risk of attacks which could result in unauthorised access to the victim user's account at an RP. In order to address this threat, we have developed OAuthGuard, an OAuth 2.0 and OpenID Connect vulnerability scanner and protector, that works with RPs using Google OAuth 2.0 and OpenID Connect services. It protects user security and privacy even when RPs do not implement OAuth 2.0 or OpenID Connect correctly. We used OAuthGuard to survey the 1000 top-ranked websites supporting Google sign-in for the possible presence of five OAuth 2.0 or OpenID Connect security and privacy vulnerabilities, of which one has not previously been described in the literature. Of the 137 sites in our study that employ Google Sign-in, 69 were found to suffer from at least one serious vulnerability. OAuthGuard was able to protect user security and privacy for 56 of these 69 RPs, and for the other 13 was able to warn users that they were using an insecure implementation.
Submitted 24 January, 2019;
originally announced January 2019.
-
The Hsu-Harn-Mu-Zhang-Zhu group key establishment protocol is insecure
Authors:
Chris J Mitchell
Abstract:
A significant security vulnerability in a recently published group key establishment protocol is described. This vulnerability allows a malicious insider to fraudulently establish a group key with an innocent victim, with the key chosen by the attacker. This shortcoming is sufficiently serious that the protocol should not be used.
Submitted 16 March, 2018; v1 submitted 14 March, 2018;
originally announced March 2018.
-
Security issues in a group key establishment protocol
Authors:
Chris J Mitchell
Abstract:
Major shortcomings in a recently published group key establishment protocol are described. These shortcomings are sufficiently serious that the protocol should not be used.
Submitted 16 March, 2018; v1 submitted 3 March, 2018;
originally announced March 2018.
-
Mitigating CSRF attacks on OAuth 2.0 and OpenID Connect
Authors:
Wanpeng Li,
Chris J Mitchell,
Thomas Chen
Abstract:
Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0 and/or OpenID Connect-based single sign on. The security of OAuth 2.0 and OpenID Connect is therefore of critical importance, and it has been widely examined both in theory and in practice. Unfortunately, as these studies have shown, real-world implementations of both schemes are often vulnerable to attack, and in particular to cross-site request forgery (CSRF) attacks. In this paper we propose a new technique which can be used to mitigate CSRF attacks against both OAuth 2.0 and OpenID Connect.
Submitted 24 January, 2018;
originally announced January 2018.
-
Web password recovery --- a necessary evil?
Authors:
Fatma Al Maqbali,
Chris J Mitchell
Abstract:
Web password recovery, enabling a user who forgets their password to re-establish a shared secret with a website, is very widely implemented. However, use of such a fall-back system brings with it additional vulnerabilities to user authentication. This paper provides a framework within which such systems can be analysed systematically, and uses this to help gain a better understanding of how such systems are best implemented. To this end, a model for web password recovery is given, and existing techniques are documented and analysed within the context of this model. This leads naturally to a set of recommendations governing how such systems should be implemented to maximise security. A range of issues for further research are also highlighted.
Submitted 30 January, 2018; v1 submitted 20 January, 2018;
originally announced January 2018.
-
AutoPass: An Automatic Password Generator
Authors:
Fatma Al Maqbali,
Chris J Mitchell
Abstract:
Text password has long been the dominant user authentication technique and is used by large numbers of Internet services. If they follow recommended practice, users are faced with the almost insuperable problem of generating and managing a large number of site-unique and strong (i.e. non-guessable) passwords. One way of addressing this problem is through the use of a password generator, i.e. a client-side scheme which generates (and regenerates) site-specific strong passwords on demand, with the minimum of user input. This paper provides a detailed specification and analysis of AutoPass, a password generator scheme previously outlined as part of a general analysis of such schemes. AutoPass has been designed to address issues identified in previously proposed password generators, and incorporates novel techniques to address these issues. Unlike almost all previously proposed schemes, AutoPass enables the generation of passwords that meet important real-world requirements, including forced password changes, use of pre-specified passwords, and generation of passwords meeting site-specific requirements.
Submitted 8 March, 2017; v1 submitted 6 March, 2017;
originally announced March 2017.
-
Password Generators: Old Ideas and New
Authors:
Fatma Al Maqbali,
Chris J Mitchell
Abstract:
This paper considers password generators, i.e. systems designed to generate site-specific passwords on demand. Such systems are an alternative to password managers. Over the last 15 years a range of password generator systems have been described. This paper proposes the first general model for such systems, and critically examines options for instantiating this model; options considered include all those previously proposed as part of existing schemes as well as certain novel possibilities. The model enables a more objective and high-level assessment of the design of such systems; it has also been used to sketch a possible new scheme, AutoPass, intended to incorporate the best features of the prior art whilst also addressing many of the most serious shortcomings of existing systems through the inclusion of novel features.
Submitted 15 July, 2016;
originally announced July 2016.
-
Retrofitting mutual authentication to GSM using RAND hijacking
Authors:
Mohammed Shafiul Alam Khan,
Chris J Mitchell
Abstract:
As has been widely discussed, the GSM mobile telephony system only offers unilateral authentication of the mobile phone to the network; this limitation permits a range of attacks. While adding support for mutual authentication would be highly beneficial, changing the way GSM serving networks operate is not practical. This paper proposes a novel modification to the relationship between a Subscriber Identity Module (SIM) and its home network which allows mutual authentication without changing any of the existing mobile infrastructure, including the phones; the only necessary changes are to the authentication centres and the SIMs. This enhancement, which could be deployed piecemeal in a completely transparent way, not only addresses a number of serious vulnerabilities in GSM but is also the first proposal for enhancing GSM authentication that possesses such transparency properties.
Submitted 4 July, 2016; v1 submitted 3 July, 2016;
originally announced July 2016.
-
On the security of 2-key triple DES
Authors:
Chris J Mitchell
Abstract:
This paper reconsiders the security offered by 2-key triple DES, an encryption technique that remains widely used despite recently being de-standardised by NIST. A generalisation of the 1990 van Oorschot-Wiener attack is described, constituting the first advance in cryptanalysis of 2-key triple DES since 1990. We give further attack enhancements that together imply that the widely used estimate that 2-key triple DES provides 80 bits of security can no longer be regarded as conservative; the widely stated assertion that the scheme is secure as long as the key is changed regularly is also challenged. The main conclusion is that, whilst not completely broken, the margin of safety for 2-key triple DES is slim, and efforts to replace it, at least with its 3-key variant, should be pursued with some urgency.
Submitted 17 July, 2016; v1 submitted 19 February, 2016;
originally announced February 2016.
-
Analysing the Security of Google's implementation of OpenID Connect
Authors:
Wanpeng Li,
Chris J Mitchell
Abstract:
Many millions of users routinely use their Google accounts to log in to relying party (RP) websites supporting the Google OpenID Connect service. OpenID Connect, a newly standardised single-sign-on protocol, builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management services. It adds identity management functionality to the OAuth 2.0 system and allows an RP to obtain assurances regarding the authenticity of an end user. A number of authors have analysed the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google's implementation of OpenID Connect, involving forensic examination of 103 RP websites which support its use for sign-in. Our study reveals serious vulnerabilities of a number of types, all of which allow an attacker to log in to an RP website as a victim user. Further examination suggests that these vulnerabilities are caused by a combination of Google's design of its OpenID Connect service and RP developers making design decisions which sacrifice security for simplicity of implementation. We also give practical recommendations for both RPs and OPs to help improve the security of real world OpenID Connect systems.
Submitted 7 August, 2015;
originally announced August 2015.
-
Improving Air Interface User Privacy in Mobile Telephony
Authors:
Mohammed Shafiul Alam Khan,
Chris J Mitchell
Abstract:
Although the security properties of 3G and 4G mobile networks have significantly improved by comparison with 2G (GSM), significant shortcomings remain with respect to user privacy. A number of possible modifications to 2G, 3G and 4G protocols have been proposed designed to provide greater user privacy; however, they all require significant modifications to existing deployed infrastructures, which are almost certainly impractical to achieve in practice. In this article we propose an approach which does not require any changes to the existing deployed network infrastructures or mobile devices, but offers improved user identity protection over the air interface. The proposed scheme makes use of multiple IMSIs for an individual USIM to offer a degree of pseudonymity for a user. The only changes required are to the operation of the authentication centre in the home network and to the USIM, and the scheme could be deployed immediately since it is completely transparent to the existing mobile telephony infrastructure. We present two different approaches to the use and management of multiple IMSIs.
Submitted 13 April, 2015;
originally announced April 2015.