Assistant Professor
Cryptographic Protocols Group
Fachbereich Informatik
S4|14 TU Darmstadt / CASED
Mornewegstrasse 30
D-64293 Darmstadt
GERMANY
Office: 4.3.21
+49 6151 16 - 50761
+49 6151 16 - 72051
manulis@informatik.tu...
http://www.manulis.eu
since 2009: Assistant Professor at Computer Science Department and PI in CASED, TU Darmstadt, Germany
2007 - 2009: Senior Researcher at UCL Crypto Group, Microelectronics Laboratory, Université catholique de Louvain, Belgium
June 2007: Dr.-Ing. degree (with distinction) from Ruhr University Bochum
2003 - 2007: Researcher at Network and Data Security Group, Horst Görtz Institute for IT Security, Ruhr University Bochum, Germany
2001 - 2003: Internship at Siemens AG, Braunschweig, Germany
1999 - 2003: Diploma and M.Sc. degrees in computer science from TU Braunschweig, Germany
Organization: Dagstuhl-Seminar on Privacy-Oriented Cryptography 2012, DoE CRYPTODOC, PhD Summer School on Applied Cryptographic Protocols 2010, Intl. Workshop on Group-Oriented Cryptographic Protocols 2007
General Chair of CANS 2012
General Co-chair of PKC 2012
Program Committee member of CT-RSA'13, ISC'12, IEEE MASS'12, ICICS'12, SecureComm'12, ProvSec'12, ACNS'12, WISTP'12, SeSoc'11, ICISC'11, ICICS'11, CANS'11, ISC'11, IEEE MASS'11, ACISP'11, ACNS'11, AFRICACRYPT'11, ACM WiSec'11, ASIACCS'11, CANS'10, ICISC'10, WISTP'11, WISA'10, ISC'10, Pairing'10, ACISP'10, ACNS'10, PKC'10, SeSoc'10, WISSec'09, ICISC'09, KMIS'09, CANS'09, IWSEC'09, SHPCS'09, ACISP'09, CGMS'09, UASS'09, WISA'08, IWSEC'08, SHPCS'08, UASS'08, ICISC'08, UASS'07, IWSEC'07, ATC'07, SSNDS'07, ATC'06, SNDS'06
Session Chair at ACNS'11, ASIACCS'11, CANS'10, ACNS'10, PKC'10, CANS'09, WISA'09, IWSEC'07, ATC'07, WSNS'05, SNDS'05
Reviewer for Deutsche Forschungsgemeinschaft (German Research Foundation), ETH Zurich Research Commission
Deputy Spokesperson of the Special Interest Group on Network Security (Fachgruppe Sicherheit in Netzen, NETSEC), Gesellschaft für Informatik
Member of the Board of Directors of Horst Görtz Institute for IT Security (2006-2007)
Member of selection commission "Promotionspreis IT-Sicherheit" (2010, 2011), Gesellschaft für Informatik, CAST e.V.
Lecturer at isits - International School of IT-Security (M.Sc. "Applied IT-Security" program)
Principal Investigator at Center of Advanced Security Research Darmstadt (CASED)
Principal Investigator and founding member of European Center for Security and Privacy by Design (EC SPRIDE)
Journal reviews for Information Processing Letters, Information Sciences, Computers & Security, Computer Communications, Computer Networks, Computer Standards & Interfaces, Ad Hoc Networks, Future Generation Computer Systems (all Elsevier), ACM TISSEC, Communications of the ACM (all ACM), Journal of Cryptology, Peer-to-Peer Networking and Applications (Springer), Information Security (IET), IEEE Trans. on Dependable and Secure Computing, IEEE Trans. on Wireless Communications, IEEE Trans. on Speech and Audio Processing (all IEEE), Communication Systems (Wiley), E-Business Research (IGI Global).
Erdős number: 3 (path Manulis-Quisquater-Odlyzko-Erdős or Manulis-Dent-Cameron-Erdős)
Sufficient Condition for Ephemeral Key-Leakage Resilient Tripartite Key Exchange
A. Fujioka, M. Manulis, K. Suzuki, B. Ustaoglu
17th Australasian Conference on Information Security and Privacy (ACISP 2012), July 2012, Wollongong, Australia
Fully Private Revocable Predicate Encryption
J. M. González Nieto, M. Manulis, D. Sun
17th Australasian Conference on Information Security and Privacy (ACISP 2012), July 2012, Wollongong, Australia
Forward-Secure Hierarchical Predicate Encryption
J. M. González Nieto, M. Manulis, D. Sun
5th International Conference on Pairing-Based Cryptography (Pairing 2012), May 2012, Cologne, Germany
Modelling Key Compromise Impersonation Attacks on Group Key Exchange Protocols
M. C. Gorantla, C. Boyd, J. M. González Nieto, M. Manulis
ACM Transactions on Information and System Security, 14(4):Art. 28, December 2011
Group Signature with Constant Revocation Costs for Signers and Verifiers
C.-I. Fan, R.-H. Hsu, M. Manulis
10th International Conference on Cryptology and Network Security (CANS 2011), December 2011, Sanya, China
Non-Interactive and Re-Usable Universally Composable String Commitments with Adaptive Security
M. Fischlin, B. Libert, M. Manulis
ASIACRYPT 2011, December 2011, Seoul, Korea
UPBA: User-Aware Property-Based Attestation
M. Manulis, M. Steiner
9th Annual Conference on Privacy, Security, and Trust (PST 2011), July 2011, Montreal, Quebec, Canada
Key Management in Distributed Online Social Networks
F. Günther, M. Manulis, T. Strufe
IEEE WoWMoM 2011, D-SPAN, June 2011, Lucca, Italy
Private Discovery of Common Social Contacts
E. de Cristofaro, M. Manulis, B. Poettering
9th International Conference on Applied Cryptography and Network Security (ACNS 2011), June 2011, Malaga, Spain
Abstract: The increasing use of computing devices for social interactions propels the proliferation of online social applications, yet, it prompts a number of privacy concerns. One common problem occurs when two unfamiliar users, in the process of establishing social relationships, want to assess their social proximity by discovering mutual contacts. In this paper, we introduce Private Contact Discovery, a novel cryptographic primitive that lets two users, on input their respective contact lists, learn their common contacts (if any), and nothing else. We present an efficient and provably secure construction, that (i) prevents arbitrary list manipulation by means of contact certification, and (ii) guarantees user authentication and revocability. Following a rigorous cryptographic treatment of the problem, we define Contact-Hiding security and prove it for our solution, under the RSA assumption in the Random Oracle Model (ROM). We also show that other related cryptographic techniques, such as Private Set Intersection and Secret Handshakes, are unsuitable in this context. Experimental analysis attests to the practicality of our technique, which achieves computational and communication overhead (almost) linear in the number of contacts.
(Best Student Paper) Affiliation-Hiding Authentication with Minimal Bandwidth Consumption
M. Manulis, B. Poettering
5th IFIP WG 11.2 International Workshop on Information Security Theory and Practice (WISTP 2011), June 2011, Heraklion, Greece
Abstract: Affiliation-Hiding Authentication (AHA) protocols have the seemingly contradictory property of enabling users to authenticate each other as members of certain groups, without revealing their affiliation to group outsiders. Of particular interest in practice is the group-discovering variant, which handles multiple group memberships per user. Corresponding solutions were only recently introduced, and have two major drawbacks: high bandwidth consumption (typically several kilobits per user and affiliation), and only moderate performance in scenarios of practical application. While prior protocols have O(n^2) time complexity, where n denotes the number of affiliations per user, we introduce a new AHA protocol running in O(n log n) time. In addition, the bandwidth consumed is considerably reduced. We consider these advances a major step towards deployment of privacy-preserving methods in constraint devices, like mobile phones, to which the economization of these resources is priceless.
Practical Affiliation-Hiding Authentication from Improved Polynomial Interpolation
M. Manulis, B. Poettering
ACM Symposium on Information, Computer and Communications Security (ASIACCS 2011), March 2011, Hong Kong
Abstract: Among the plethora of privacy-friendly authentication techniques, affiliation-hiding (AH) protocols are valuable for their ability to hide not only identities of communicating users behind their affiliations (memberships to groups), but also these affiliations from non-members. These qualities become increasingly important in our highly computerized user-centric information society, where privacy is an elusive good. Only little work on practical aspects of AH schemes, pursuing optimized implementations and deployment, has been done so far, and the main question a practitioner might ask --- whether affiliation-hiding schemes are truly practical today --- remained widely unanswered. Improving upon recent advances in the area of AH protocols, in particular on pioneering results in the multi-affiliation setting, we can give an affirmative answer to this question. To this end, we propose numerous algorithmic optimizations to a recent AH scheme leading to a remarkable performance gain. Our results are demonstrated not only at theoretical level, but we also offer implementations, performance measurements, and comparisons. At the same time, our improvements advance the area of efficient polynomial interpolation in finite fields, which is one of our building blocks.
Cryptographic Treatment of Private User Profiles
F. Günther, M. Manulis, T. Strufe
15th International Conference on Financial Cryptography and Data Security (FC 2011), RLCPS, March 2011, St. Lucia
@inproceedings{ TUD-CS-2011-0059,
author = {Felix G{\"u}nther and Mark Manulis and Thorsten Strufe},
title = {Cryptographic Treatment of Private User Profiles},
year = {2011},
booktitle = {15th International Conference on Financial Cryptography and Data Security (FC 2011), RLCPS},
pubkey = {TUD-CS-2011-0059},
research_area = {Peer-to-Peer Netzwerke, CASED},
research_sub_area = {- P2P: Online social networks},
}
Abstract: The publication of private data in user profiles in a both secure and private way is a rising problem and of special interest in, e.g., online social networks that become more and more popular. Current approaches, especially for decentralized networks, often do not address this issue or impose large storage overhead. In this paper, we present a cryptographic approach to private profile management that is seen as a building block for applications in which users maintain their own profiles, publish and retrieve data, and authorize other users to access different portions of data in their profiles. In this course, we provide: (i) formalization of confidentiality and unlinkability as two main security and privacy goals for the data which is kept in profiles and users who are authorized to retrieve this data, and (ii) specification, analysis, and comparison of two private profile management schemes based on different encryption techniques.
SWISH: Secure WiFi Sharing
D. Leroy, G. Detal, J. Cathalo, M. Manulis, F. Koeune, O. Bonaventure
Computer Networks, February 2011, Elsevier
Abstract: The fast increase of mobile Internet use motivates the need for WiFi sharing solutions, where a mobile user connects to the Internet via a nearby foreign network while its home network is far away. This situation creates security challenges which are only partially solved by existing solutions like VPNs. Such solutions neglect the security of the visited network, and private users or organizations are thus reluctant to share their connection. In this paper, we present and implement SWISH, an efficient, full scale solution to this problem. SWISH is based on establishing a tunnel from the visited network to the user’s home network. All the data from the mobile is then forwarded through this tunnel. Internet access is therefore provided without endangering the visited network. We also propose protocol extensions that allow the visited network to charge for the data it forwards, and to protect the privacy of the mobile user while preventing abuse. SWISH was successfully deployed on university networks, demonstrating that it can be conveniently implemented in existing networks with a minimal impact on performance.
Security and Privacy in Online Social Networks
L.-A. Cutillo, M. Manulis, T. Strufe
in: Handbook of Social Network Technologies and Applications, Springer, October 2010
Security and Privacy Objectives for Sensing Applications in Wireless Community Networks
D. Christin, M. Hollick, M. Manulis
19th International Conference on Computer Communications and Networks (ICCCN 2010), August 2010, Zurich, Switzerland
@inproceedings{ChHoMa_ICCCN10,
author = {Delphine Christin and Matthias Hollick and Mark Manulis},
title = {{Security and Privacy Objectives for Sensing Applications in Wireless Community Networks}},
booktitle = {Proceedings of 19th International Conference on Computer Communications and Networks (ICCCN 2010)},
pages = {1--6},
publisher = {IEEE Computer Society},
year = {2010}}
Abstract: Wireless Community Networks (WCN) are formed by the integration of user-operated wireless sensor networks that are internetworked by wireless mesh networks available within urban communities. WCNs enable novel applications for the members of the community. These include different sensing applications, where individuals contribute sensor data for further use within their community at large or with well-defined restrictions to certain users. Sensing application scenarios for WCNs differ from traditional sensor network applications with respect to their security and privacy requirements. In this paper, we define three representative scenarios—personal sensing, designated sensing, and community sensing. These scenarios are then studied with respect to their privacy and security implications. In particular, we identify main research questions and highlight the challenges of using various security and privacy approaches from networking and cryptography to make sensing applications in WCNs security and privacy aware.
Taming Big Brother Ambitions: More Privacy for Secret Handshakes
M. Manulis, B. Poettering, G. Tsudik
10th Privacy Enhancing Technologies Symposium (PETS 2010), July 2010, Berlin, Germany
@inproceedings{MaPoTs_PETS10,
author = {Mark Manulis and
Bertram Poettering and
Gene Tsudik},
title = {{Taming Big Brother Ambitions: More Privacy for Secret Handshakes}},
booktitle = {Privacy Enhancing Technologies},
year = {2010},
pages = {149-165},
}
Abstract: In Secret Handshakes (SH) and Affiliation-Hiding Authenticated Key Exchange (AH-AKE) schemes, users become group members by registering with Group Authorities (GAs) and obtaining membership credentials. Group members then use their membership credentials to privately authenticate each other and communicate securely. The distinguishing privacy property of SH and AH-AKE is that parties learn each other’s groups affiliations and compute common session keys only if their groups match. Current SH and AH-AKE schemes consider GAs to be fully trusted, especially, with regard to (i) security of the registration phase (no phantom members), (ii) secrecy of established session keys, and (iii) privacy. The impact of possible “big brother” ambitions of malicious GAs has not been investigated so far. In this paper, we discuss implications on group members’ privacy and security of their communication in the presence of possible GA corruptions. We demonstrate problems arising from relaxed GA trust assumptions and propose an efficient — yet provably secure — AH-AKE protocol with enhanced privacy properties.
Privacy-Preserving Group Discovery with Linear Complexity
M. Manulis, B. Pinkas, B. Poettering
8th International Conference on Applied Cryptography and Network Security (ACNS 2010), June 2010, Beijing, China
@inproceedings{MaPiPo_ACNS10,
author = {Mark Manulis and
Benny Pinkas and
Bertram Poettering},
title = {{Privacy-Preserving Group Discovery with Linear Complexity}},
booktitle = {ACNS},
year = {2010},
pages = {420-437},
}
Abstract: Affiliation-Hiding Authenticated Key Exchange (AH-AKE) protocols enable two distrusting users, being in possession of membership credentials for some group, to establish a secure session key without leaking any information about this group to non-members. In practice, users might be members of several groups, and such protocols must be able to generate session keys between users who have one or more groups in common. Finding efficient solutions for this group discovery problem has been considered an open research problem, inherent to the practical deployment of these protocols. We show how to solve the privacy-preserving group discovery problem with linear computational and communication complexity, namely $O(n)$ complexity where $n$ is the number of groups per user. Our generic solution is based on a new primitive --- Index-Hiding Message Encoding (IHME), for which we provide definitions and an unconditionally secure construction. Additionally, we update the syntax and the security model of AH-AKE protocols to allow multiple input groups per participant and session. Furthermore, we design a concrete multi-group AH-AKE protocol by applying IHME to a state-of-the-art single-group scheme.
Affiliation-Hiding Key Exchange with Untrusted Group Authorities
M. Manulis, B. Poettering, G. Tsudik
8th International Conference on Applied Cryptography and Network Security (ACNS 2010), June 2010, Beijing, China
@inproceedings{MaPoTs_ACNS10,
author = {Mark Manulis and
Bertram Poettering and
Gene Tsudik},
title = {{Affiliation-Hiding Key Exchange with Untrusted Group Authorities}},
booktitle = {ACNS},
year = {2010},
pages = {402-419},
}
Abstract: Privacy-preserving techniques are increasingly important in our highly computerized society where privacy is both precious and elusive. Affiliation-Hiding Authenticated Key Exchange (AH-AKE) protocols offer an appealing service: authenticated key agreement coupled with privacy of group memberships of protocol participants. This type of service is essential in privacy-conscious p2p systems, mobile ad hoc networks and social networking applications. Prior work has succeeded in constructing a number of secure and efficient AH-AKE protocols which all assume full trust in the Group Authority (GA) --- the entity that sets up the group as well as registers and (optionally) revokes members. In this paper, we argue that, for many anticipated application scenarios, the trusted GA model should be relaxed to allow for certain types of malicious behavior. We examine the consequences of malicious GAs and explore the design of stronger AH-AKE protocols that withstand GA attacks. Our results demonstrate that such protocols are both feasible and practical.
Redactable Signatures for Tree-Structured Data: Definitions and Constructions
C. Brzuska, H. Busch, Ö. Dagdelen, M. Fischlin, M. Franz, S. Katzenbeisser, M. Manulis, C. Onete, A. Peter, B. Poettering, D. Schröder
8th International Conference on Applied Cryptography and Network Security (ACNS 2010), June 2010, Beijing, China
@inproceedings{BBDFFKMOPPS_ACNS10,
author = {Christina Brzuska and
Heike Busch and
{\"O}zg{\"u}r Dagdelen and
Marc Fischlin and
Martin Franz and
Stefan Katzenbeisser and
Mark Manulis and
Cristina Onete and
Andreas Peter and
Bertram Poettering and
Dominique Schr{\"o}der},
title = {{Redactable Signatures for Tree-Structured Data: Definitions
and Constructions}},
booktitle = {ACNS},
year = {2010},
pages = {87-104},
}
Abstract: Kundu and Bertino (VLDB 2008) recently introduced the idea of structural signatures for trees which support public redaction of subtrees (by third-party distributors) while pertaining the integrity of the remaining parts. An example is given by signed XML documents of which parts should be sanitized before being published by a distributor not holding the signing key. Kundu and Bertino also provide a construction, but fall short of providing formal security definitions and proofs. Here we revisit their work and give rigorous security models for the redactable signatures for tree-structured data, relate the notions, and give a construction that can be proven secure under standard cryptographic assumptions.
Confidential Signatures and Deterministic Signcryption
A. Dent, M. Fischlin, M. Manulis, D. Schröder, M. Stam
13th International Conference on Practice and Theory in Public Key Cryptography (PKC 2010), May 2010, Paris, France
@inproceedings{DeFiMaScSt_PKC10,
author = {Alexander W. Dent and Marc Fischlin and Mark Manulis and Martijn Stam and Dominique Schr{\"o}der},
title = {{Confidential Signatures and Deterministic Signcryption}},
booktitle = {13th International Conference on Practice and Theory in Public Key Cryptography (PKC 2010)},
publisher = {Springer},
series = {Lecture Notes in Computer Science},
volume = {6056},
pages = {462--479},
year = {2010},
month = {May}}
Abstract: Encrypt-and-sign, where one encrypts and signs a message in parallel, is usually not recommended for confidential message transmission as the signature may leak information about the message. This motivates our investigation of confidential signature schemes, which hide all information about (high-entropy) input messages. In this work we provide a formal treatment of confidentiality for such schemes and a discussion of the relationship of different notions we propose. We give constructions meeting our notions, both in the random oracle model and the standard model. As part of this we show that full domain hash signatures achieve a weaker level of confidentiality than Fiat-Shamir signatures. We then examine the connection of confidential signatures to signcryption schemes. We give formal security models for deterministic signcryption schemes for high-entropy and low-entropy messages, and prove encrypt-and-sign to be secure for confidential signature schemes and high-entropy messages. Finally, we show that one can derandomize any signcryption scheme in our model and obtain a secure deterministic scheme.
Trusted Virtual Domains: Color Your Network
L. Catuogno, H. Löhr, M. Manulis, A.-R. Sadeghi, C. Stüble, M. Winandy
Datenschutz und Datensicherheit (DuD), 34(5):289-294, May 2010, Springer
@article{CaLoMaSaStWi_DuD10,
author = {Luigi Catuogno and Hans L{\"o}hr and Mark Manulis and Ahmad-Reza Sadeghi and Christian St{\"u}ble and Marcel Winandy},
title = {{Trusted Virtual Domains: Color Your Network}},
journal = {Datenschutz und Datensicherheit (DuD)},
volume = {34},
number = {5},
pages = {289--294},
publisher = {Springer},
year = {2010}}
Abstract: Trusted Virtual Domains (TVDs) provide a secure IT infrastructure offering a homogeneous and transparent enforcement of access control policies on data and network resources. In this article, we give an overview of the fundamental ideas and basic concepts behind TVDs, present a realization of TVDs, and discuss application scenarios.
Flexible Group Key Exchange with On-Demand Computation of Subgroup Keys
M. Abdalla, C. Chevalier, M. Manulis, D. Pointcheval
AFRICACRYPT 2010, May 2010, Stellenbosch, South Africa
@inproceedings{AbChMaPo_AFRICACRYPT10,
author = {Michel Abdalla and C{\'e}line Chevalier and Mark Manulis and David Pointcheval},
title = {{Flexible Group Key Exchange with On-Demand Computation of Subgroup Keys}},
booktitle = {AFRICACRYPT 2010},
publisher = {Springer},
series = {LNCS},
volume = {6055},
pages = {351--368},
year = {2010},
month = {May}}
Abstract: Modern multi-user communication systems, including popular instant messaging tools, social network platforms, and cooperative-work applications, offer flexible forms of communication and exchange of data. At any time point concurrent communication sessions involving different subsets of users can be invoked. The traditional tool for achieving security in a multi-party communication environment are group key exchange (GKE) protocols that provide participants with a secure group key for their subsequent communication. Yet, in communication scenarios where various user subsets may be involved in different sessions the deployment of classical GKE protocols has clear performance and scalability limitations as each new session should be preceded by a separate execution of the protocol. The motivation of this work is to study the possibility of designing more flexible GKE protocols allowing not only the computation of a group key for some initial set of users but also efficient derivation of independent secret keys for all potential subsets. In particular we improve and generalize the recently introduced GKE protocols enabling on-demand derivation of peer-to-peer keys (so called GKE+P protocols). We show how a group of users can agree on a secret group key while obtaining some additional information that they can use on-demand to efficiently compute independent secret keys for any possible subgroup. Our security analysis relies on the Gap Diffie-Hellman assumption and uses random oracles.
Public-Key Encryption with Non-interactive Opening: New Constructions and Stronger Definitions
D. Galindo, B. Libert, M. Fischlin, M. Manulis, G. Fuchsbauer, A. Lehmann, D. Schröder
AFRICACRYPT 2010, May 2010, Stellenbosch, South Africa
@inproceedings{GaLiFiFuLeMaSc_AFRICACRYPT10,
author = {David Galindo and Benoit Libert and Marc Fischlin and Georg Fuchsbauer and Anja Lehmann and Mark Manulis and Dominique Schr{\"o}der},
title = {{Public-Key Encryption with Non-interactive Opening: New Constructions and Stronger Definitions}},
booktitle = {AFRICACRYPT 2010},
publisher = {Springer},
series = {LNCS},
volume = {6055},
pages = {333--350},
year = {2010},
month = {May}}
Abstract: Public-key encryption schemes with non-interactive opening (PKENO) allow a receiver to non-interactively convince third parties that a ciphertext decrypts to a given plaintext or, alternatively, that such a ciphertext is invalid. Two practical generic constructions for PKENO have been proposed so far, starting from either identity-based encryption or public-key encryption with witness-recovering decryption (PKEWR). We show that the known transformation from PKEWR to PKENO fails to provide chosen-ciphertext security; only the transformation from identity-based encryption remains thus valid. Next, we prove that PKENO can be built out of robust non-interactive threshold public-key cryptosystems, a primitive seemingly weaker than identity-based encryption. Using the new transformation, we construct two efficient PKENO schemes: one based on the Decisional Diffie-Hellman assumption (in the Random Oracle Model) and one based on the Decisional Linear assumption (in the standard model). Last but not least, we propose new applications of PKENO in protocol design. Motivated by these applications, we reconsider proof soundness for PKENO and put forward new definitions that are stronger than those considered so far. We give a taxonomy of all definitions and demonstrate them to be satisfiable.
Key Agreement for Heterogeneous Mobile Ad-Hoc Groups
M. Manulis, A.-R. Sadeghi
International Journal of Wireless and Mobile Computing (IJWMC), 4(1):17-30, April 2010, Inderscience
@article{MaSa_IJWMC10,
author = {Mark Manulis and Ahmad-Reza Sadeghi},
title = {{Key Agreement for Heterogeneous Mobile Ad-Hoc Groups}},
journal = {Int. J. of Wireless and Mobile Computing (IJWMC)},
volume = {4},
number = {1},
pages = {17--30},
publisher = {Inderscience},
year = {2010}}
Abstract: Security of various group-oriented applications for mobile ad-hoc groups requires a group secret shared between all participants. Contributory group key agreement (CGKA) protocols, originally designed for dynamic peer groups in local- and wide-area wired networks, can be adopted to mobile ad-hoc scenarios because of the similar security requirements and trust relationship between participants. Essential is the absence of any trusted central authority (e.g., a group manager) that actively participates in the computation of the group key. Members of spontaneously formed mobile ad-hoc groups are usually equipped with different kinds of mobile devices, e.g., laptops, PDAs, and mobile phones. Considering performance capabilities of the involved mobile devices we distinguish between homogeneous and heterogeneous mobile ad-hoc groups. On the one hand, heterogeneity opens a new way of designing the CGKA protocols considering performance of the devices, on the other hand, it states additional security requirements as shown throughout this paper. We propose a first CGKA protocol for heterogeneous mobile ad hoc groups that fulfills not only common security requirements for CGKA protocols but also additional requirements specified by our model. The main idea behind our protocol is a fair distribution of costs between mobile devices according to their performance capabilities. Our protocols are based on elliptic curve cryptography (ECC) to achieve computation and communication efficiency.
Privacy-Preserving Admission to Mobile Peer-to-Peer Groups
M. Manulis
8th IEEE Intl. Conference on Pervasive Computing and Communications (PerCom 2010), MP2P, March 2010, Mannheim, Germany
@inproceedings{Ma_PerCom10,
author = {Mark Manulis},
title = {{Privacy-Preserving Admission to Mobile Peer-to-Peer Groups}},
booktitle = {8th IEEE International Conference on Pervasive Computing and Communications (PerCom 2010)},
pages = {111--116},
publisher = {IEEE Computer Society},
year = {2010}}
Abstract: Mobile peer-to-peer groups, which do not require any pre-deployed infrastructure or trusted centralized authority are valuable for a variety of collaborative applications. This work is focused on how to securely admit new users to such groups. Existing mechanisms based on threshold cryptography require that prospective members collect sufficient number of individual votes from the group prior to obtaining a membership credential. However, this approach does not consider the desirable anonymity of group members towards the admitted or declined users. This paper presents an admission control mechanism in which group members decide collectively and notify prospective members on the outcome of their decision without revealing their identities to prospective members.
Fully Robust Tree-Diffie-Hellman Group Key Exchange
E. Bresson, T. Brecher, M. Manulis
8th International Conference on Cryptology and Network Security (CANS 2009), December 2009, Kanazawa, Ishikawa, Japan
@inproceedings{BrBrMa_CANS09,
author = {Emmanuel Bresson and Timo Brecher and Mark Manulis},
title = {{Fully Robust Tree-Diffie-Hellman Group Key Exchange}},
booktitle = {Proceedings of the 8th International Conference on Cryptology and Network Security (CANS 2009)},
publisher = {Springer},
series = {Lecture Notes in Computer Science},
volume = {5888},
pages = {478--497},
year = {2009},
month = {December}}
Abstract: We extend the well-known Tree-Diffie-Hellman technique used for the design of group key exchange (GKE) protocols with robustness, i.e. with resistance to faults resulting from possible system crashes, network failures, and misbehavior of the protocol participants. We propose a fully robust GKE protocol using the novel tree replication technique: our basic protocol version ensures security against outsider adversaries whereas its extension addresses optional insider security. Both protocols are proven secure assuming stronger adversaries gaining access to the internal states of participants. Our security model for robust GKE protocols can be seen as a step towards unification of some earlier security models in this area.
Modeling Leakage of Ephemeral Secrets in Tripartite/Group Key Exchange
M. Manulis, K. Suzuki, B. Ustaoglu
12th International Conference on Information Security and Cryptology (ICISC 2009), December 2009, Seoul, Korea
@inproceedings{MaSuUs_ICISC09,
author = {Mark Manulis and Koutarou Suzuki and Berkant Ustaoglu},
title = {{Modeling Leakage of Ephemeral Secrets in Tripartite/Group Key Exchange}},
booktitle = {12th International Conference on Information Security and Cryptology (ICISC 2009)},
year = {2009},
pages = {16--33},
publisher = {Springer},
series = {LNCS},
volume = {5984}}
Generic One Round Group Key Exchange in the Standard Model [Abstract] [BibTeX] [PDF] [DOI]
M. C. Gorantla, C. Boyd, J. M. González Nieto, M. Manulis
12th International Conference on Information Security and Cryptology (ICISC 2009), December 2009, Seoul, Korea
@inproceedings{GoBoGoMa_ICISC09,
author = {M. Choudary Gorantla and Colin Boyd and Juan Manuel Gonz{\'a}lez Nieto and Mark Manulis},
title = {{Generic One Round Group Key Exchange in the Standard Model}},
booktitle = {12th International Conference on Information Security and Cryptology (ICISC 2009)},
year = {2009},
pages = {1--15},
publisher = {Springer},
series = {LNCS},
volume = {5984}}
| Abstract: | Minimizing complexity of group key exchange (GKE) protocols is an important milestone towards their practical deployment. An interesting approach to achieve this goal is to simplify the design of GKE protocols by using generic building blocks. In this paper we investigate the possibility of founding GKE protocols based on a primitive called multi key encapsulation mechanism (mKEM) and describe advantages and limitations of this approach. In particular, we show how to design a one-round GKE protocol which satisfies the classical requirement of authenticated key exchange (AKE) security, yet without forward secrecy. As a result, we obtain the first one-round GKE protocol secure in the standard model. We also conduct our analysis using recent formal models that take into account both outsider and insider attacks as well as the notion of key compromise impersonation resilience (KCIR). In contrast to previous models we show how to model both outsider and insider KCIR within the definition of mutual authentication. Our analysis additionally implies that the insider security compiler by Katz and Shin from ACM CCS 2005 can be used to achieve more than what is shown in the original work, namely both outsider and insider KCIR. |
Enhanced Wireless Roaming Security Using Three-Party Authentication and Tunnels [Abstract] [BibTeX] [PDF] [DOI]
D. Leroy, M. Manulis, O. Bonaventure
5th ACM Conference on Emerging Network Experiment and Technology (CoNEXT 2009), U-Net, December 2009, Rome, Italy
@inproceedings{LeMaBo_CoNEXT09,
author = {Damien Leroy and Mark Manulis and Olivier Bonaventure},
title = {{Enhanced Wireless Roaming Security Using Three-Party Authentication and Tunnels}},
booktitle = {Proceedings of the 1st ACM workshop on User-provided Networking (U-Net), CoNEXT 2009},
publisher = {ACM Press},
pages = {7--12},
year = {2009}}
| Abstract: | Many organizations and many home users have deployed WiFi networks permitting external users to connect to the Internet through their networks. Such WiFi sharing poses many security risks for the visited network as well as for the visiting user. In this paper, we focus on the recently introduced concept for tunneled WiFi roaming in which the infrastructure of the visited network is considered as part of the security architecture. A secure layer-2 tunneling between the user's device and his home network is performed by the visited network only after the successful authentication of all three parties. The authentication protocol provides the mobile device and its home network with a secret key that protects their end-to-end communication. Additionally, it provides another tunnel key, shared with the visited network, that protects the actual traffic exchanged between the visited and home networks and prevents diverse resource consumption attacks against the latter. This concept encourages users to provide roaming service in a more secure and privacy-friendly way. We show how to implement this concept using the IEEE802.11i/EAP framework, based on existing infrastructures and standard tunneling protocols. |
Transparent Mobile Storage Protection in Trusted Virtual Domains [Abstract] [BibTeX] [PDF] [Link]
L. Catuogno, H. Löhr, M. Manulis, A.-R. Sadeghi, M. Winandy
23rd USENIX Large Installation Systems Administration Conference (LISA 2009), November 2009, Baltimore, USA
@inproceedings{CaLoMaSaWi_LISA09,
author = {Luigi Catuogno and Hans L{\"o}hr and Mark Manulis and Ahmad-Reza Sadeghi and Marcel Winandy},
title = {{Transparent Mobile Storage Protection in Trusted Virtual Domains}},
booktitle = {23rd USENIX Large Installation Systems Administration Conference (LISA 2009)},
publisher = {USENIX Association},
pages = {159--172},
year = {2009}}
| Abstract: | Mobile Storage Devices, such as USB flash drives, offer a flexible solution for the transport and exchange of data. Nevertheless, in order to prevent unauthorized access to sensitive data, many enterprises require strict security policies for the use of such devices with the effect of rendering their advantages rather unfruitful. Trusted Virtual Domains (TVDs) provide a secure IT infrastructure offering a homogeneous and transparent enforcement of access control policies on data and network resources, however, the current model does not specifically deal with Mobile Storage Devices. In this paper, we present an extension of the TVD architecture to incorporate the usage of Mobile Storage Devices. Our proposal addresses three major issues: coherent extension of TVD policy enforcement by introducing architectural components that feature identification and management of transitory devices; transparent mandatory encryption of sensitive data stored on mobile devices; and highly dynamic centralized key management service. In particular we address offline scenarios allowing users to access and modify data while being temporarily disconnected from the domain. We also present a prototype implementation based on the Turaya security kernel. |
Securing Remote Access Inside Wireless Mesh Networks [Abstract] [BibTeX] [PDF] [DOI]
M. Manulis
10th International Workshop on Information Security Applications (WISA 2009), August 2009, Busan, Korea
@inproceedings{Ma_WISA09,
author = {Mark Manulis},
title = {{Securing Remote Access Inside Wireless Mesh Networks}},
booktitle = {Proceedings of the 10th International Workshop on Information Security and Applications (WISA 2009)},
publisher = {Springer-Verlag},
series = {Lecture Notes in Computer Science},
volume = {5932},
pages = {324--338},
year = {2009}}
| Abstract: | Wireless mesh networks (WMNs) that are being increasingly deployed in communities and public places provide a relatively stable routing infrastructure and can be used for diverse carrier-managed services. As a particular example we consider the scenario where a mobile device initially registered for the use with one wireless network (its home network) moves to the area covered by another network inside the same mesh. The goal is to establish a secure access to the home network using the infrastructure of the mesh. Classical mechanisms such as VPNs can protect end-to-end communication between the mobile device and its home network while remaining transparent to the routing infrastructure. In WMNs this transparency can be misused for packet injection leading to the unnecessary consumption of the communication bandwidth. This may have negative impact on the cooperation of mesh routers which is essential for the connection establishment. In this paper we describe how to establish remote connections inside WMNs while guaranteeing secure end-to-end communication between the mobile device and its home network and secure transmission of the corresponding packets along the underlying multi-hop path. Our solution is a provably secure, yet lightweight and round-optimal remote network access protocol in which intermediate mesh routers are considered to be part of the security architecture. We also sketch some ideas on the practical realization of the protocol using known standards and mention extensions with regard to forward secrecy, anonymity and accounting. |
Group Key Exchange Enabling On-Demand Derivation of Peer-to-Peer Keys [Abstract] [BibTeX] [PDF] [DOI]
M. Manulis
7th International Conference on Applied Cryptography and Network Security (ACNS 2009), June 2009, Paris-Rocquencourt, France
@inproceedings{Ma_ACNS09,
author = {Mark Manulis},
title = {{Group Key Exchange Enabling On-Demand Derivation of Peer-to-Peer Keys}},
booktitle = {Proceedings of the 7th International Conference on Applied Cryptography and Network Security (ACNS 2009)},
publisher = {Springer-Verlag},
series = {Lecture Notes in Computer Science},
volume = {5536},
pages = {1--19},
year = {2009},
month = {June}}
| Abstract: | We enrich the classical notion of group key exchange (GKE) protocols by a new property that allows each pair of users to derive an independent peer-to-peer (p2p) key on-demand and without any subsequent communication; this, in addition to the classical group key shared amongst all the users. We show that GKE protocols enriched in this way impose new security challenges concerning the secrecy and independence of both key types. The special attention should be paid to possible collusion attacks aiming to break the secrecy of p2p keys possibly established between any two non-colluding users. In our constructions we utilize the well-known parallel Diffie-Hellman key exchange (PDHKE) technique in which each party uses the same exponent for the computation of p2p keys with its peers. First, we consider PDHKE in GKE protocols where parties securely transport their secrets for the establishment of the group key. For this we use an efficient multi-recipient ElGamal encryption scheme. Further, based on PDHKE we design a generic compiler for GKE protocols that extend the classical Diffie-Hellman method. Finally, we investigate possible optimizations of these protocols allowing parties to re-use their exponents to compute both group and p2p keys, and show that not all such GKE protocols can be optimized. |
Authenticated Wireless Roaming via Tunnels: Making Mobile Guests Feel at Home [Abstract] [BibTeX] [PDF] [DOI]
M. Manulis, D. Leroy, F. Koeune, O. Bonaventure, J.-J. Quisquater
ACM Symposium on Information, Computer and Communications Security (ASIACCS 2009), March 2009, Sydney, Australia
@inproceedings{MaLeKoBoQu_ASIACCS09,
author = {Mark Manulis and Damien Leroy and Francois Koeune and Olivier Bonaventure and Jean-Jacques Quisquater},
title = {{Authenticated Wireless Roaming via Tunnels: Making Mobile Guests Feel at Home}},
booktitle = {Proceedings of ACM Symposium on Information, Computer and Communications Security (ASIACCS'09)},
publisher = {ACM Press},
pages = {92--103},
year = {2009}}
| Abstract: | In wireless roaming a mobile device obtains a service from some foreign network while being registered for the similar service at its own home network. However, recent proposals try to keep the service provider role behind the home network and let the foreign network create a tunnel connection through which all service requests of the mobile device are sent to and answered directly by the home network. Such wireless roaming via tunnels (WRT) offers several (security) benefits but states also new security challenges on authentication and key establishment, as the goal is not only to protect the end-to-end communication between the tunnel peers but also the tunnel itself. In this paper we formally specify mutual authentication and key establishment goals for WRT and propose an efficient and provably secure protocol that can be used to secure such roaming sessions. Additionally, we describe some modular protocol extensions to address resistance against DoS attacks, anonymity of the mobile device and unlinkability of its roaming sessions, as well as the accounting claims of the foreign network in commercial scenarios. |
User-Aware Provably Secure Protocols for Browser-Based Mutual Authentication [Abstract] [BibTeX] [DOI]
S. Gajek, J. Schwenk, M. Manulis
International Journal of Applied Cryptography (IJACT), 1(4):290-308, January 2009, Inderscience
@article{GaMaSc_IJACT09,
author = {Sebastian Gajek and Mark Manulis and J{\"o}rg Schwenk},
title = {{User-Aware Provably Secure Protocols for Browser-Based Mutual Authentication}},
journal = {Int. J. of Applied Cryptography (IJACT)},
volume = {1},
number = {4},
pages = {290--308},
publisher = {Inderscience},
year = {2009}}
| Abstract: | The standard solution for mutual authentication between human users and servers on the Internet is to execute a TLS handshake during which the server authenticates using an X.509 certificate followed by the authentication of the user either with own password or with some cookie stored within the user's browser. However, poor ability of human users to validate X.509 certificates allows for various forms of (social) impersonation attacks. In this paper we introduce human perceptible authentication (HPA) as a concept for the secure user-aware authentication of servers via recognizable authenticators such as images, video, or audio sequences. We formally specify HPA within a security model for browser-based mutual authentication; for this we extend the traditional Bellare-Rogaway model to deal with human users as inherent protocol participants. Using HPA and the classical TLS handshake we furthermore design two efficient provably secure password- and cookie-based authentication protocols. |
Security Model and Framework for Information Aggregation in Sensor Networks [Abstract] [BibTeX] [DOI]
M. Manulis, J. Schwenk
ACM Transactions on Sensor Networks (TOSN), 5(2):Art. 13, January 2009, ACM
@article{MaSc_TOSN09,
author = {Mark Manulis and J{\"o}rg Schwenk},
title = {Security Model and Framework for Information Aggregation in Sensor Networks},
journal = {ACM Transactions on Sensor Networks (TOSN)},
volume = {5},
number = {2},
pages = {Article 13},
year = {2009},
publisher = {ACM}}
| Abstract: | Information aggregation is an important operation in wireless sensor networks (WSNs) executed for the purpose of monitoring and reporting of the environmental data. Due to the performance constraints of sensor nodes the in-network form of the aggregation is especially attractive since it allows to save expensive resources during the frequent network queries. Easy accessibility of networks and nodes and almost no physical protection against corruptions raise high security challenges. Especially, protection against attacks aiming to falsify the aggregated result is considered to be of prime importance. In this paper we design the first general framework for the secure information aggregation in WSNs focusing on scenarios where aggregation is performed by one of its nodes. The framework achieves security against node corruptions and is based solely on the symmetric cryptographic primitives that are more suitable for WSNs in terms of efficiency. We analyze performance of the framework and unlike many previous approaches increase confidence into it by a rigorous proof of security within the specially designed formal security model. |
Universally Composable Security Analysis of TLS [Abstract] [BibTeX] [DOI]
S. Gajek, M. Manulis, O. Pereira, A.-R. Sadeghi, J. Schwenk
2nd International Conference on Provable Security (ProvSec 2008), October 2008, Shanghai, China
@inproceedings{GaMaPeSaSc_ProvSec08,
author = {Sebastian Gajek and Mark Manulis and Olivier Pereira and Ahmad-Reza Sadeghi and J{\"o}rg Schwenk},
title = {{Universally Composable Security Analysis of TLS}},
booktitle = {Proceedings of the 2nd International Conference on Provable Security (ProvSec 2008)},
pages = {313--327},
series = {Lecture Notes in Computer Science},
volume = {5324},
publisher = {Springer},
year = {2008}}
| Abstract: | We present a security analysis of the complete TLS protocol in the Universal Composable security framework. This analysis evaluates the composition of key exchange functionalities realized by the TLS handshake with the message transmission of the TLS record layer to emulate secure communication sessions and is based on the adaption of the secure channel model from Canetti and Krawczyk to the setting where peer identities are not necessarily known prior to the protocol invocation and may remain undisclosed. Our analysis shows that TLS, including the Diffie-Hellman and key transport suites in the uni-directional and bi-directional models of authentication, securely emulates secure communication sessions. |
A Browser-Based Kerberos Authentication Scheme [Abstract] [BibTeX] [DOI]
S. Gajek, T. Jager, M. Manulis, J. Schwenk
13th European Symposium on Research in Computer Security (ESORICS 2008), October 2008, Malaga, Spain
@inproceedings{GaJaMaSc_ESORICS08,
author = {Sebastian Gajek and Tibor Jager and Mark Manulis and J{\"o}rg Schwenk},
title = {{A Browser-Based Kerberos Authentication Scheme}},
booktitle = {Proceedings of 13th European Symposium on Research in Computer Security (ESORICS 2008)},
pages = {115--129},
series = {Lecture Notes in Computer Science},
volume = {5283},
publisher = {Springer},
year = {2008}}
| Abstract: | When two players wish to share a security token (e.g., for the purpose of authentication and accounting), they call a trusted third party. This idea is the essence of Kerberos protocols, which are widely deployed in a large scale of computer networks. Browser-based Kerberos protocols are the derivatives with the exception that the Kerberos client application is a commodity Web browser. Whereas the native Kerberos protocol has been repeatedly peer-reviewed without finding flaws, the history of browser-based Kerberos protocols is tarnished with negative results due to the fact that subtleties of browsers have been disregarded. We propose a browser-based Kerberos protocol based on client certificates and prove its security in the extended formal model for browser-based mutual authentication introduced at ACM ASIACCS'08. |
Property-Based Attestation without a Trusted Third Party [Abstract] [BibTeX] [DOI]
L. Chen, H. Löhr, M. Manulis, A.-R. Sadeghi
11th Information Security Conference (ISC 2008), September 2008, Taipei, Taiwan
@inproceedings{ChLoMaSa08,
author = {Liqun Chen and Hans L{\"o}hr and Mark Manulis and Ahmad-Reza Sadeghi},
title = {{Property-Based Attestation without a Trusted Third Party}},
booktitle = {Information Security, 11th International Conference, ISC 2008},
year = {2008},
pages = {31--46},
publisher = {Springer},
series = {Lecture Notes in Computer Science},
volume = {5222}}
| Abstract: | The concept of property-based attestation (PBA) compensates for the shortcomings of the binary attestation proposed by the Trusted Computing Group, where a computing platform with a dedicated security chip, Trusted Platform Module (TPM), reports its state to remote parties. In particular, PBA enhances user privacy by allowing the trusted platform to prove the availability of certain properties to a remote entity without revealing own configuration. The existing PBA solutions, however, require a Trusted Third Party TTP (in addition to the TPM) to provide a certificate linking configurations to properties. We present a new privacy-preserving PBA approach that avoids such TTP. We define a formal model, propose an efficient protocol based on the ideas of ring signatures, and prove its security. The cryptographic technique deployed in our protocol is of independent interest, as it shows how ring signatures can be used to efficiently prove the knowledge of an element in a list without disclosing it. |
Securing Email Communication with XML Technology [Abstract] [Link]
L. Liao, J. Schwenk, M. Manulis
in: Handbook of Research on Information Security and Assurance,
IGI Global, August 2008
| Abstract: | While emerging information and internet ubiquitous technologies provide tremendous positive opportunities, there are still numerous vulnerabilities associated with technology. Attacks on computer systems are increasing in sophistication and potential devastation more than ever before. As such, organizations need to stay abreast of the latest protective measures and services to prevent cyber attacks. The Handbook of Research on Information Security and Assurance includes 47 chapters offering comprehensive definitions and explanations on topics such as firewalls, information warfare, encryption standards, and social and ethical concerns in enterprise security. Edited by over 90 scholars in information science, this reference provides tools to combat the growing risk associated with technology. |
Enforcing User-Aware Browser-Based Mutual Authentication with Strong Locked Same Origin Policy [Abstract] [BibTeX] [PDF] [DOI]
S. Gajek, M. Manulis, J. Schwenk
13th Australasian Conference on Information Security and Privacy (ACISP 2008), July 2008, Wollongong, Australia
@inproceedings{GaMaSc_ACISP08,
author = {Sebastian Gajek and Mark Manulis and J{\"o}rg Schwenk},
title = {{Enforcing User-Aware Browser-Based Mutual Authentication with Strong Locked Same Origin Policy}},
booktitle = {Proceedings of 13th Australasian Conference on Information Security and Privacy (ACISP 2008)},
pages = {6--20},
series = {Lecture Notes in Computer Science},
volume = {5107},
publisher = {Springer},
year = {2008}}
| Abstract: | The standard solution for mutual authentication between human users and servers on the Internet is to execute a TLS handshake during which the server authenticates using an X.509 certificate followed by the authentication of the user either with own password or with some cookie stored within the user's browser. Unfortunately, this solution is susceptible to various impersonation attacks such as phishing as it turned out that average Internet users are unable to authenticate servers based on their certificates. In this paper we address security of cookie-based authentication using the concept of strong locked same origin policy for browsers introduced at ACM CCS'07. We describe a cookie-based authentication protocol between human users and TLS-servers and prove its security in the extended formal model for browser-based mutual authentication introduced at ACM ASIACCS'08. It turns out that the small modification of the browser's security policy is sufficient to achieve provably secure cookie-based authentication protocols considering the ability of users to recognize images, video, or audio sequences. |
Secure Multi-Coupons for Federated Environments: Privacy-Preserving and Customer-Friendly [Abstract] [BibTeX] [PDF] [DOI]
F. Armknecht, A. N. Escalante, H. Löhr, M. Manulis, A.-R. Sadeghi
4th International Conference on Information Security Practice and Experience (ISPEC 2008), April 2008, Sydney, Australia
@inproceedings{ArEsLoMaSa08,
author = {Frederik Armknecht and Alberto N. Escalante and Hans L{\"o}hr and Mark Manulis and Ahmad-Reza Sadeghi},
title = {{Secure Multi-Coupons for Federated Environments: Privacy-Preserving and Customer-Friendly}},
booktitle = {Information Security Practice and Experience, 4th International Conference, ISPEC 2008},
year = {2008},
pages = {29--44},
publisher = {Springer},
series = {Lecture Notes in Computer Science},
volume = {4991}}
| Abstract: | A digital multi-coupon is similar to a paper-based booklet containing k coupons that can be purchased from one vendor and later redeemed at a vendor in exchange for services. Current schemes, offering privacy-protection and strong security properties such as unsplittability of multi-coupons, address business scenarios with a single vendor and multiple customers, and require customers to redeem coupons in some fixed order. In this paper, we propose a multi-coupon scheme for federated environments that preserves the security and privacy properties of existing schemes, as well as their asymptotic communication and computation complexity. We define a generic formal security model and show that our scheme meets the formal requirements of this framework. Moreover, in contrast to previous solutions, we allow customers to redeem their coupons in an arbitrary order. |
Securing Group Key Exchange against Strong Corruptions [Abstract] [BibTeX] [PDF] [DOI]
E. Bresson, M. Manulis
ACM Symposium on Information, Computer and Communications Security (ASIACCS 2008), March 2008, Tokyo, Japan
@inproceedings{BreMa_ASIACCS08,
author = {Emmanuel Bresson and Mark Manulis},
title = {{Securing Group Key Exchange against Strong Corruptions}},
booktitle = {Proceedings of ACM Symposium on Information, Computer and Communications Security (ASIACCS'08)},
publisher = {ACM Press},
pages = {249--260},
year = {2008}}
| Abstract: | When users run a group key exchange (GKE) protocol, they usually extract the key from some auxiliary (ephemeral) secret information generated during the execution. Strong corruptions are attacks by which an adversary can reveal these ephemeral secrets, in addition to the possibly used long-lived keys. Undoubtedly, security impact of strong corruptions is serious, and thus specifying appropriate security requirements and designing secure GKE protocols appears an interesting yet challenging task -- the aim of our paper. We start by investigating the current setting of strong corruptions and derive some further refinements such as opening attacks that allow to reveal ephemeral secrets of users without their long-lived keys. This allows to consider even stronger attacks against honest, but "opened" users. Further, we define strong security goals for GKE protocols in the presence of such powerful adversaries and propose a Tree Diffie-Hellman protocol immune to their attacks. Our security definitions in particular include the case of malicious insiders, for appropriate security goals such as mutual authentication, key confirmation, contributiveness and key-replication resilience. The proposed protocol proceeds in three rounds and is provably secure in the standard model. |
Provably Secure Browser-Based User-Aware Mutual Authentication over TLS [Abstract] [BibTeX] [PDF] [DOI]
S. Gajek, M. Manulis, A.-R. Sadeghi, J. Schwenk
ACM Symposium on Information, Computer and Communications Security (ASIACCS 2008), March 2008, Tokyo, Japan
@inproceedings{GaMaSaSc_ASIACCS08,
author = {Sebastian Gajek and Mark Manulis and Ahmad-Reza Sadeghi and J{\"o}rg Schwenk},
title = {{Provably Secure Browser-Based User-Aware Mutual Authentication over TLS}},
booktitle = {Proceedings of ACM Symposium on Information, Computer and Communications Security (ASIACCS'08)},
publisher = {ACM Press},
pages = {300--311},
year = {2008}}
| Abstract: | The standard solution for user authentication on the Web is to establish a TLS-based secure channel in server authenticated mode and run a protocol on top of TLS where the user enters a password in an HTML form. However, as many studies point out, the average Internet user is unable to identify the server based on an X.509 certificate so that impersonation attacks (e.g., phishing) are feasible. We tackle this problem by proposing a protocol that allows the user to identify the server based on human perceptible authenticators (e.g., picture, voice). We prove the security of this protocol by refining the game-based security model of Bellare and Rogaway and present a proof of concept implementation. |
WiFi Roaming: Legal Implications and Security Constraints [Abstract] [BibTeX] [DOI]
R. Robert, M. Manulis, F. De Villenfagne, D. Leroy, J. Jost, F. Koeune, C. Ker, J.-M. Dinant, Y. Poullet, O. Bonaventure, J.-J. Quisquater
International Journal of Law and Information Technology (IJLIT), 16(3):205-241, January 2008, Oxford University Press
@article{RoMaVietal_IJLIT08,
author = {Romain Robert and Mark Manulis and Florence De Villenfagne and Damien Leroy and Julien Jost and Francois Koeune and Caroline Ker and Jean-Marc Dinant and Yves Poullet and Olivier Bonaventure and Jean-Jacques Quisquater},
title = {{WiFi Roaming: Legal Implications and Security Constraints}},
journal = {Int. J. of Law and Information Technology (IJLIT)},
volume = {16},
number = {3},
pages = {205--241},
publisher = {Oxford University Press},
year = {2008}}
| Abstract: | WiFi technology has become the preferable form for mobile users to connect to the Internet. The growing popularity of WiFi-enabled devices and the increasing number of WiFi networks guarantees that this trend will continue in the future. Since a single network provider is usually not able to ensure WiFi coverage for its own users across many geographic locations the WiFi roaming technology appears to be the promising solution. A special attention upon the practical deployment of WiFi roaming should be paid to possible threats coming from the misuse of technology. In this light we analyze various legal implications that might become relevant due to the deployment of WiFi roaming and discuss several risks and problems related to the security during the establishment of roaming connections between mobile devices and the Internet. |
Contributory Group Key Exchange in the Presence of Malicious Participants [Abstract] [BibTeX] [DOI]
E. Bresson, M. Manulis
IET Information Security, 2(3):85-93, January 2008, IET
@article{BreMa_IET08,
author = {Emmanuel Bresson and Mark Manulis},
title = {{Contributory Group Key Exchange in the Presence of Malicious Participants}},
journal = {IET Information Security},
volume = {2},
number = {3},
pages = {85--93},
publisher = {IET},
year = {2008}}
| Abstract: | In a group key exchange protocol, the resulting group key should be computed by all participants such that none of them can gain any advantage concerning the protocol’s output: misbehaving participants might have personal advantage in influencing the value of the group key. In fact, the absence of trust relationship is the main feature of group key exchange (when compared to group key transport) protocols. This paper enlarges existing notions of security by identifying limitations in some previously proposed security models while taking into account different types of corruptions (weak and strong). To illustrate these notions, two efficient and provably secure generic solutions – compilers – are presented. |
Securing Group Key Exchange against Strong Corruptions and Key Registration Attacks [Abstract] [BibTeX] [DOI]
E. Bresson, M. Manulis
International Journal of Applied Cryptography (IJACT), 1(2):91-107, January 2008, Inderscience
@article{BreMa_IJACT08,
author = {Emmanuel Bresson and Mark Manulis},
title = {{Securing Group Key Exchange against Strong Corruptions and Key Registration Attacks}},
journal = {Int. J. of Applied Cryptography (IJACT)},
volume = {1},
number = {2},
pages = {91--107},
publisher = {Inderscience},
year = {2008}}
| Abstract: | In group key exchange (GKE) protocols users usually extract the group key using some auxiliary (ephemeral) secret information generated during the execution. Strong corruptions are attacks by which an adversary can reveal these ephemeral secrets, in addition to the possibly used long-lived keys. Undoubtedly, security impact of strong corruptions is serious, and thus specifying appropriate security requirements and designing secure GKE protocols appears an interesting yet challenging task - the aim of our paper. We start by investigating the current setting of strong corruptions and derive some refinements such as opening attacks that allow to reveal ephemeral secrets of users without their long-lived keys. This allows to consider even stronger attacks against honest, but "opened" users. Further, we define strong security goals for GKE protocols in the presence of such powerful adversaries and propose a 3-round GKE protocol, named TDH1, which remains immune to their attacks under standard cryptographic assumptions. Our security definitions allow adversaries to register users and specify their long-lived keys, thus, in particular capture attacks of malicious insiders for the appropriate security goals such as mutual authentication, key confirmation, contributiveness, key control and key-replication resilience. |
On Security Models and Compilers for Group Key Exchange Protocols [Abstract] [BibTeX] [PDF] [DOI]
E. Bresson, M. Manulis, J. Schwenk
2nd International Workshop on Security (IWSEC 2007), October 2007, Nara, Japan
@inproceedings{BreMaSc_IWSEC07,
author = {Emmanuel Bresson and Mark Manulis and J{\" o}rg Schwenk},
title = {On {S}ecurity {M}odels and {C}ompilers for {G}roup {K}ey {E}xchange {P}rotocols},
booktitle = {Proceedings of the 2nd International Workshop on Security (IWSEC 2007)},
publisher = {Springer-Verlag},
series = {Lecture Notes in Computer Science},
volume = {4752},
pages = {292--307},
year = {2007},
month = {October}}
| Abstract: | Group key exchange (GKE) protocols can be used to guarantee confidentiality and authentication in group applications. The paradigm of provable security subsumes an abstract formalization (security model) that considers the protocol environment and identifies its security goals. The first security model for GKE protocols was proposed by Bresson, Chevassut, Pointcheval, and Quisquater in 2001, and has been subsequently applied in many security proofs. Their definitions of AKE-security (authenticated key exchange; a.k.a. indistinguishability of the key) and MA-security (mutual authentication) have meanwhile become standard. In this paper we analyze the BCPQ model and some of its variants and identify several risks resulting from its technical core construction, the notion of partnering. Consequently, we propose a revised model extending AKE- and MA-security in order to capture attacks by malicious participants and strong corruptions. Then, we turn to generic solutions (known as compilers) for AKE- and MA-security in BCPQ-like models. We describe a compiler C-AMA that provides AKE- and MA-security for any GKE protocol under standard cryptographic assumptions and eliminates some identified limitations of existing compilers. |
Provably Secure Framework for Information Aggregation in Sensor Networks [Abstract] [BibTeX] [PDF] [DOI]
M. Manulis, J. Schwenk
International Conference on Computational Science and Its Applications (ICCSA 2007), August 2007, Kuala Lumpur, Malaysia
@inproceedings{MaSc_ICCSA07,
author = {Mark Manulis and J{\" o}rg Schwenk},
title = {{Provably Secure Framework for Information Aggregation in Sensor Networks}},
booktitle = {Computational Science and Its Applications - ICCSA 2007, Part I},
publisher = {Springer},
series = {Lecture Notes in Computer Science},
volume = {4705},
pages = {603--621},
year = {2007},
month = {August},
isbn = {3-540-74468-9}}
| Abstract: | Information aggregation is an important operation in wireless sensor networks, executed for the purpose of monitoring and reporting environmental data. Due to the performance constraints of sensor nodes the in-network form of aggregation is especially attractive, since it allows saving expensive resources during the frequent network queries. The easy accessibility of networks and nodes and the almost complete lack of physical protection against corruptions pose serious challenges to the security of the aggregation process. In particular, protection against attacks aiming to falsify the aggregated result is considered to be of prime importance. In this paper we propose a novel security model for the aggregation process based on well-established cryptographic techniques, focusing on the scenario with a single aggregator node. In order to show the soundness and feasibility of our definitions we describe a generic practical approach that achieves security against node corruptions during the aggregation process in a provable cryptographic way, based solely on symmetric cryptographic primitives. To the best of our knowledge this is the first paper that aims to combine the paradigm of provable security in the cryptographic sense with the task of information aggregation in WSNs. |
Provably Secure Group Key Exchange [Abstract] [BibTeX] [Link]
M. Manulis
Book, IT Security series, vol. 5, 5 August 2007, Europäischer Universitätsverlag
@BOOK{Man07_PSGKE,
AUTHOR = {Mark Manulis},
editor = {Christof Paar and Ahmad-Reza Sadeghi and J{\"o}rg Schwenk},
TITLE = {{Provably Secure Group Key Exchange}},
PUBLISHER = {Europ{\"a}ischer Universit{\"a}tsverlag},
YEAR = {2007},
volume = {5},
series = {IT Security},
address = {Berlin, Bochum, D{\"u}lmen, London, Paris},
month = {August},
isbn = {978-3-89966-275-7}}
| Abstract: | The rapid and promising development of applications and communication systems designed for groups of participants, like groupware, computer supported collaborative work systems, or digital conference systems, calls for mechanisms providing adequate security properties. These mechanisms can be designed based on the foundations of cryptography. Group key exchange protocols are multi-party cryptographic protocols whose participants compute a shared secret key that can then be used in conjunction with other cryptographic constructions like encryption schemes and message authentication codes for the purpose of privacy, confidentiality and authentication. Confidence in the security of modern cryptographic constructions can be increased via adequate security proofs. The paradigm of provable security gains in importance for all kinds of cryptographic constructions, including group key exchange protocols, whose security issues represent the scope of this dissertation. We give an analytical overview of the state-of-the-art research in this area and identify strengths and weaknesses of many previous approaches. We suggest a new approach in the form of a security model whose stronger definitions provide the background for more confident security analyses and proofs. Additionally, we present a number of generic solutions (compilers) that can be applied to independently designed group key exchange protocols in order to enhance their security with respect to various goals considered by our security model. Finally, we present a concrete group key exchange protocol that provably satisfies the apparently strongest currently available formally specified security requirements. |
Malicious Participants in Group Key Exchange: Key Control and Contributiveness in the Shadow of Trust [Abstract] [BibTeX] [PDF] [DOI]
E. Bresson, M. Manulis
4th Autonomic and Trusted Computing Conference (ATC 2007), July 2007, Hong Kong, China
@inproceedings{BreMa_ATC07,
author = {Emmanuel Bresson and Mark Manulis},
title = {{Malicious Participants in Group Key Exchange: Key Control and Contributiveness in the Shadow of Trust}},
booktitle = {Proceedings of the 4th Autonomic and Trusted Computing Conference (ATC 2007)},
publisher = {Springer-Verlag},
series = {Lecture Notes in Computer Science},
volume = {4610},
pages = {395--409},
year = {2007},
month = {July},
isbn = {3-540-73546-5}}
| Abstract: | Group key exchange protocols allow their participants to compute a secret key which can be used to ensure security and privacy for various multi-party applications. The resulting group key should be computed through the cooperation of all protocol participants such that none of them is trusted to have any advantage concerning the protocol's output. This trust relationship constitutes the main difference between group key exchange and group key transport protocols. Obviously, misbehaving participants in group key exchange protocols may try to influence the resulting group key, thereby disrupting this trust relationship and also causing further security threats. This paper analyzes the currently known security models for group key exchange protocols with respect to this kind of attack by malicious participants and proposes an extended model to remove the identified limitations. Additionally, it proposes an efficient and provably secure generic solution, a compiler, to guarantee these additional security goals for group keys exchanged in the presence of malicious participants. |
Tree-Based Group Key Agreement Framework for Mobile Ad-Hoc Networks [Abstract] [BibTeX] [DOI]
L. Liao, M. Manulis
Future Generation Computer Systems (FGCS), 23(6):787-803, July 2007, Elsevier
@article{LiMa07,
author = {Lijun Liao and Mark Manulis},
title = {{T}ree-{B}ased {G}roup {K}ey {A}greement {F}ramework for {M}obile {A}d-{H}oc {N}etworks},
journal = {Future Generation Computer Systems (FGCS)},
year = {2007},
volume = {23},
number = {6},
pages = {787--803},
month = {July},
}
| Abstract: | The design of protocols for mobile ad-hoc networks (MANETs) is generally trickier than for wired networks, because both the increased communication constraints imposed by limited bandwidth and frequent network failures, and the additional computation and memory constraints due to the performance limitations of mobile devices, must be considered. We focus on the problem of establishing a shared key in mobile ad-hoc groups. This task can be achieved by means of a contributory group key agreement (CGKA) protocol that allows group members to compute the group key based on their individual contributions, providing a verifiable trust relationship between participants. As shown in this paper, there is currently no CGKA protocol for mobile ad-hoc networks that provides an optimal trade-off between communication and computation efficiency. Based on a comparison of the most suitable CGKA protocols we propose a new framework for group key agreement in mobile ad-hoc networks. Theoretical analysis and experimental results show that our framework achieves optimal communication and computation efficiency compared to other protocols. |
A Privacy-Protecting Multi-Coupon Scheme with Stronger Protection against Splitting [Abstract] [BibTeX] [PDF] [DOI]
L. Chen, A. N. Escalante, H. Löhr, M. Manulis, A.-R. Sadeghi
11th International Conference on Financial Cryptography and Data Security (FC 2007), February 2007, Trinidad/Tobago
@inproceedings{CELMS07,
author = {Liqun Chen and Alberto N. Escalante and Hans L{\"o}hr and Mark Manulis and Ahmad-Reza Sadeghi},
title = {A {P}rivacy-{P}rotecting {M}ulti-{C}oupon {S}cheme with {S}tronger {P}rotection against {S}plitting},
booktitle = {Financial Cryptography and Data Security, 11th International Conference, FC 2007},
publisher = {Springer-Verlag},
series = {Lecture Notes in Computer Science},
volume = {4886},
pages = {29--44},
year = {2008}}
| Abstract: | A multi-coupon (MC) represents a collection of k coupons that a user can redeem with a vendor in exchange for some goods or services. Nguyen (FC 2006), deepening the ideas of Chen et al. (FC 2005), introduced an unforgeable privacy-protecting MC system with constant complexity for issuing and redemption of MCs, which discourages sharing of coupons through a property called weak unsplittability, where sharing of a single coupon implies sharing of the whole multi-coupon (all-or-nothing sharing). Both schemes still lack some features required by many applications in practice, and stronger forms of unsplittability are also desirable. In this paper, we propose a new security model for MC systems with stronger definitions, followed by a concrete realization where single coupons within an MC may represent different goods or services, have independent validity periods, and must be redeemed sequentially, ensuring a stronger version of unsplittability compared to all-or-nothing sharing. The complexity of the proposed scheme is linear in k for the generation of multi-coupons and constant for each redeemed single coupon. |
Security-Focused Survey on Group Key Exchange Protocols [BibTeX] [PDF] [Link]
M. Manulis
Technical report. Horst Görtz Institute for IT Security. November 2006
@techreport{Ma06b,
author = {Mark Manulis},
title = {Security-{F}ocused {S}urvey on {G}roup {K}ey {E}xchange {P}rotocols},
institution = {Horst-G\"ortz Institute, Network and Data Security Group},
year = {2006},
number = {2006/03},
month = {November}}
Survey on Security Requirements and Models for Group Key Exchange [BibTeX] [PDF] [Link]
M. Manulis
Technical report. Horst Görtz Institute for IT Security. November 2006
@techreport{Ma06a,
author = {Mark Manulis},
title = {Survey on {S}ecurity {R}equirements and {M}odels for {G}roup {K}ey {E}xchange},
institution = {Horst-G\"ortz Institute, Network and Data Security Group},
year = {2008},
number = {2006/02},
month = {January}}
Property-Based Taming of Lying Mobile Nodes [Abstract] [BibTeX] [PDF] [Link]
M. Manulis, A.-R. Sadeghi
20th International Conference on Advanced Information Networking and Applications (AINA 2006), April 2006, Vienna, Austria
@inproceedings{MaSa06,
author = {Mark Manulis and Ahmad-Reza Sadeghi},
title = {{Property-Based Taming of Lying Mobile Nodes}},
booktitle = {Proceedings of 20th International Conference on Advanced Information Networking and Applications (AINA 2006), Vol. 2},
pages = {476--480},
publisher = {IEEE Computer Society},
year = {2006}}
| Abstract: | Intelligent security protocols can verify whether the involved principals have properties that are defined based on certain functional and security policies. The property we focus on is the performance of mobile devices participating in a security protocol. In this context, the protocol should distribute the computation, communication and storage costs fairly among all devices. However, the protocol should also guard against cheating participants who may lie about their properties to gain an advantage. |
Tree-based Group Key Agreement Framework for Mobile Ad-Hoc Networks [Abstract] [BibTeX] [PDF] [Link]
L. Liao, M. Manulis
20th International Conference on Advanced Information Networking and Applications (AINA 2006), April 2006, Vienna, Austria
@inproceedings{LiMa06,
author = {Lijun Liao and Mark Manulis},
title = {{Tree-Based Group Key Agreement Framework for Mobile Ad-Hoc Networks}},
booktitle = {Proceedings of 20th International Conference on Advanced Information Networking and Applications (AINA 2006), Vol. 2},
pages = {5--9},
publisher = {IEEE Computer Society},
year = {2006}}
| Abstract: | Same abstract as the FGCS journal version of this work listed above. |
Linkable Democratic Group Signatures [Abstract] [BibTeX] [PDF] [DOI]
M. Manulis, A.-R. Sadeghi, J. Schwenk
2nd Information Security Practice and Experience Conference (ISPEC 2006), April 2006, Hangzhou, China
@inproceedings{MaSaSc06,
author = {Mark Manulis and Ahmad-Reza Sadeghi and J{\"o}rg Schwenk},
title = {{L}inkable {D}emocratic {G}roup {S}ignatures},
booktitle = {Proceedings of the 2nd Information Security Practice and Experience Conference (ISPEC 2006)},
series = {Lecture Notes in Computer Science},
volume = {3903},
pages = {187--201},
publisher = {Springer-Verlag},
month = {March},
year = {2006},
isbn = {3-540-33052-6}}
| Abstract: | In a variety of group-oriented applications cryptographic primitives like group signatures or ring signatures are valuable methods to achieve anonymity of group members. However, in their classical form, these schemes cannot be deployed for applications that simultaneously require (i) to avoid centralized management authority like group manager and (ii) the signer to be anonymous only against non-members while group members have rights to trace and identify the signer. The idea of recently introduced democratic group signatures is to provide these properties. Based on this idea we introduce a group-oriented signature scheme that allows the group members to trace the identity of any other group member who issued a signature while non-members are only able to link the signatures issued by the same signer without tracing. For this purpose the signature scheme assigns to every group member a unique pseudonym that can be used by any non-member verifier to communicate with the anonymous signer from the group. We present several group-oriented application scenarios where this kind of linkability is essential. We propose a concrete linkable democratic group signature scheme for two-parties, prove its security in the random oracle model, and describe how to modularly extend it to the multi-party case. |
Democratic Group Signatures - On an Example of Joint Ventures [Abstract] [BibTeX] [PDF] [DOI]
M. Manulis
ACM Symposium on Information, Computer and Communications Security (ASIACCS 2006), March 2006, Taipei, Taiwan
@inproceedings{Ma06,
author = {Mark Manulis},
title = {Democratic {G}roup {S}ignatures - {O}n an {E}xample of {J}oint {V}entures},
booktitle = {Proceedings of ACM Symposium on Information, Computer and Communications Security (ASIACCS'06)},
pages = {365},
year = {2006},
publisher = {ACM Press},
isbn = {1-59593-272-0},
note = {Full version at: \url{http://eprint.iacr.org/2005/446}},
}
| Abstract: | In the presence of economic globalization, a joint venture is one of the most common and effective means of conducting business internationally. By building joint ventures, companies form strategic alliances that help them to enter new economic markets and further their business goals in a cooperative effort without losing their own independence. Upon building a joint venture company, two or more "parent" companies agree to share capital, technology, human resources, risks and rewards in the formation of a new entity under shared control by a "board of directors", which consists of representatives of the "parent" companies. The establishment of such shared control is tricky and relies generally on the "trust, but verify" relationship, i.e., companies trust the information they receive from prospective partners, but it is good business practice to verify the facts. In this paper we focus on the issue of shared financial control in a joint venture. We consider the most preferred form of control, where every member of the board is able to issue payment orders on behalf of the joint venture, but at the same time the representatives of the other companies should be able to monitor the accounting to achieve fairness in the spending of shared funds. For this form of shared control we propose a new secure group-oriented signature scheme, called a democratic group signature scheme, which results from modifying the standard notion of group signatures by eliminating the role of the group manager. We also show that existing schemes, e.g., ring and group signatures, cannot be used to realize the required shared control based on the "trust, but verify" relationship. |
| Note: | Full version at: http://eprint.iacr.org/2005/446 |
Voice over IP - Sichere Umstellung der Sprachkommunikation auf IP-Technologie [Abstract] [Link]
A. Adelsbach, A. Alkassar, K.-H. Garbe, M. Luzaic, E. Scherer, J. Schwenk, E. Siemens, M. Manulis
Published (in German) December 2005 by Bundesanzeiger Verlag
| Abstract: | Voice and data services will become ever more closely interwoven in the future. The traditional providers of telecommunication systems are adjusting to this trend. New technologies, such as Voice over IP, give rise to innovative business models and new services. Customers benefit from the resulting variety of offerings. With the spread of new systems, however, the risk of attacks always rises as well. Vulnerabilities can be found by potential attackers and exploited illegitimately. Voice over IP (VoIP) is no exception. This study therefore deals with the security of VoIP systems. It examines what is technically and organisationally necessary for the convergence of voice and data services. It presents the foundations of real-time transmission of information over an IP network. It also considers the three pillars of IT security, confidentiality, integrity and availability, where availability plays a particularly important role in many cases. The advantages of VoIP technology are thus set against a detailed security assessment. Whether and to what extent VoIP is an alternative to conventional technologies must always be decided case by case. What counts in the end is security, without exception. |
Contributory Group Key Agreement Protocols, Revisited for Mobile Ad-Hoc Groups [Abstract] [BibTeX] [PDF] [Link]
M. Manulis
2nd IEEE International Conference on Mobile Adhoc and Sensor Systems (MASS 2005), November 2005, Washington, USA
@inproceedings{Ma05b,
author = {Mark Manulis},
title = {{Contributory Group Key Agreement Protocols, Revisited for Mobile Ad-Hoc Groups}},
booktitle = {Proceedings of 2nd IEEE International Conference on Mobile Adhoc and Sensor Systems (MASS 2005)},
pages = {811--818},
publisher = {IEEE Computer Society},
year = {2005}}
| Abstract: | The security of various group-oriented applications for mobile ad-hoc groups requires a group secret shared between all participants. Contributory group key agreement (CGKA) protocols, originally designed for peer groups in local- and wide-area wired networks, can also be used in ad-hoc scenarios because of the similar security requirements and the trust relationship between participants, which excludes any trusted central authority (e.g., a group manager) from the computation of the group key. We revisit the original protocols from the perspective of mobile ad-hoc communication, classify mobile ad-hoc groups based on the performance of the involved mobile devices, specify the trust relationship between participants, and propose further optimizations of the original protocols to achieve better communication, computation and memory complexities. |
VoIPSEC - Studie zur Sicherheit von Voice over Internet Protocol [Abstract] [PDF] [Link]
M. Manulis, A. Adelsbach, A. Alkassar, K.-H. Garbe, M. Luzaic, E. Scherer, J. Schwenk, E. Siemens
Study (in German) commissioned and published by Bundesamt für Sicherheit in der Informationstechnik (BSI), October 2005
| Abstract: | Same abstract as the Bundesanzeiger Verlag edition of this study listed above. |
Key Agreement for Heterogeneous Mobile Ad-Hoc Groups [Abstract] [BibTeX] [PDF] [Link]
M. Manulis
11th International Conference on Parallel and Distributed Systems (ICPADS 2005), July 2005, Fukuoka, Japan
@inproceedings{Ma05a,
author = {Mark Manulis},
title = {{Key Agreement for Heterogeneous Mobile Ad-Hoc Groups}},
booktitle = {Proceedings of 11th International Conference on Parallel and Distributed Systems (ICPADS 2005), Vol. 2},
pages = {290--294},
publisher = {IEEE Computer Society},
year = {2005}}
| Abstract: | In this paper we propose an efficient key agreement protocol suite for heterogeneous mobile ad-hoc groups, whose members use mobile devices with different performance limitations, e.g., laptops, PDAs, and mobile phones. Absence of a trusted central authority in ad-hoc groups requires contributory computation of the group key by interacting members. We introduce a performance ratio parameter to quantify the performance of a mobile device. Our protocols are based on elliptic curve cryptography (ECC) to achieve better computation efficiency and are proven secure. |
Pseudonym Generation Scheme for Ad-Hoc Group Communication Based on IDH [Abstract] [BibTeX] [PDF] [DOI]
M. Manulis, J. Schwenk
1st European Workshop on Security in Ad-Hoc and Sensor Networks (ESAS 2004), August 2004, Heidelberg, Germany
@inproceedings{MaSc_ESAS04,
author = {Mark Manulis and J{\"o}rg Schwenk},
title = {{Pseudonym Generation Scheme for Ad-Hoc Group Communication Based on IDH}},
booktitle = {ESAS},
year = {2004},
pages = {107--124},
publisher = {Springer},
series = {Lecture Notes in Computer Science},
volume = {3313}
}
| Abstract: | In this paper we describe the advantages of using iterative Diffie-Hellman (IDH) key trees for mobile ad-hoc group communication. We focus on the Tree-based Group Diffie-Hellman (TGDH) protocol suite, which consists of group key agreement protocols based on IDH key trees. Furthermore, we consider the anonymity of members during group communication over a public broadcast channel that provides untraceability of messages. The main goal of the proposed pseudonym generation scheme is to allow group members to generate their own pseudonyms, which can be linked to their real identities only by a democratic decision of some interacting group members. The real identities are bound to the public keys used in the group key agreement. The communication and computation costs as well as the security of the scheme can be optimized with respect to the characteristics of the involved mobile devices. |
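The iterative Diffie-Hellman key tree that TGDH builds on, shown as an added example rather than code from the paper: every leaf holds one member's secret, every inner node's secret is the Diffie-Hellman value g^(k_left * k_right) mod p of its two children, and only the blinded keys g^k are ever broadcast. A member recomputes the root (the group key) from its own leaf secret and the blinded keys on its co-path. The modulus P, generator G, the balanced-tree layout and the SHA-256 key derivation are toy choices made for this example, not parameters from the paper.

```python
import hashlib
import secrets

# Toy group parameters (assumption: chosen for this example, not the paper's).
# A real deployment uses a >= 2048-bit safe prime or an elliptic-curve group.
P = 2**127 - 1   # prime modulus
G = 5            # generator (assumed to generate a large subgroup for the toy)


def blind(k):
    """Blinded key g^k mod p: the only value a node ever broadcasts."""
    return pow(G, k, P)


def dh(own_secret, sibling_blinded):
    """One IDH step: (g^k')^k = g^(k*k') mod p is the parent node's secret."""
    return pow(sibling_blinded, own_secret, P)


def build_tree(leaf_secrets):
    """Omniscient reference view holding every node's secret (used only to
    check what the members compute on their own)."""
    level = [{"secret": s, "members": [i]} for i, s in enumerate(leaf_secrets)]
    while len(level) > 1:
        nxt = []
        for j in range(0, len(level) - 1, 2):
            left, right = level[j], level[j + 1]
            nxt.append({"secret": dh(left["secret"], blind(right["secret"])),
                        "left": left, "right": right,
                        "members": left["members"] + right["members"]})
        if len(level) % 2:          # an unpaired node is carried up one level
            nxt.append(level[-1])
        level = nxt
    return level[0]


def public_view(node):
    """What the broadcast channel exposes: tree shape and blinded keys, no secrets."""
    pub = {"blinded": blind(node["secret"]), "members": node["members"]}
    if "left" in node:
        pub["left"] = public_view(node["left"])
        pub["right"] = public_view(node["right"])
    return pub


def contains_secret(pub):
    """Sanity check that a public view never carries a node secret."""
    return "secret" in pub or any(contains_secret(pub[c])
                                  for c in ("left", "right") if c in pub)


def member_root_secret(pub, idx, leaf_secret):
    """Member idx recomputes the root secret from its own leaf secret and the
    blinded keys of the sibling subtrees along its path (the co-path)."""
    if "left" not in pub:
        assert pub["members"] == [idx]
        return leaf_secret
    if idx in pub["left"]["members"]:
        mine, sibling = pub["left"], pub["right"]
    else:
        mine, sibling = pub["right"], pub["left"]
    return dh(member_root_secret(mine, idx, leaf_secret), sibling["blinded"])


def group_key(root_secret):
    """Session key derived from the root secret (toy KDF: SHA-256 of the
    fixed-width encoding; root_secret < 2^128 because P < 2^128)."""
    return hashlib.sha256(root_secret.to_bytes(16, "big")).hexdigest()


def run(n=5):
    """Set up n members with fresh leaf secrets and return the reference group
    key together with the key each member derives on its own."""
    leaf_secrets = [secrets.randbelow(P - 2) + 1 for _ in range(n)]
    tree = build_tree(leaf_secrets)
    pub = public_view(tree)           # this is all an eavesdropper sees
    keys = [group_key(member_root_secret(pub, i, leaf_secrets[i]))
            for i in range(n)]
    return group_key(tree["secret"]), keys


if __name__ == "__main__":
    reference, member_keys = run(5)
    print("all members agree:", all(k == reference for k in member_keys))
```

Because each member needs only its own leaf secret plus one blinded key per tree level, the per-member exponentiation cost is logarithmic in the group size, which is the efficiency argument for key trees in the ad-hoc setting; the tree shape itself is public and carries no secret.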
Browser Models for Usable Authentication Protocols [PDF]
M. Manulis, S. Gajek, A.-R. Sadeghi, J. Schwenk
Research position paper. Workshop on Web 2.0 Security and Privacy (W2SP 2007)
Strong Corruptions in Group Key Exchange Protocols [PDF]
M. Manulis
Research position paper. Workshop on Cryptographic Protocols (WCP 2007)