CryptoDB
Alexandra Boldyreva
Publications
Year
Venue
Title
2021
CRYPTO
Provable Security Analysis of FIDO2
📺
Abstract
We carry out the first provable security analysis of the new FIDO2 protocols, the promising FIDO Alliance’s proposal for a standard for passwordless user authentication. Our analysis covers the core components of FIDO2: the W3C’s Web Authentication (WebAuthn) specification and the new Client-to-Authenticator Protocol (CTAP2).
Our analysis is modular. For WebAuthn and CTAP2, in turn, we propose appropriate security models that aim to capture their intended security goals and use the models to analyze their security. First, our proof confirms the authentication security of WebAuthn. Then, we show CTAP2 can only be proved secure in a weak sense; meanwhile, we identify a series of its design flaws and provide suggestions for improvement. To withstand stronger yet realistic adversaries, we propose a generic protocol called sPACA and prove its strong security; with proper instantiations, sPACA is also more efficient than CTAP2. Finally, we analyze the overall security guarantees provided by FIDO2 and WebAuthn+sPACA based on the security of their components.
We expect that our models and provable security results will help clarify the security guarantees of the FIDO2 protocols. In addition, we advocate the adoption of our sPACA protocol as a substitute for CTAP2 for both stronger security and better performance.
2021
JOFC
Secure Communication Channel Establishment: TLS 1.3 (over TCP Fast Open) versus QUIC
Abstract
Secure channel establishment protocols such as Transport Layer Security (TLS) are some of the most important cryptographic protocols, enabling the encryption of Internet traffic. Reducing latency (the number of interactions between parties before encrypted data can be transmitted) in such protocols has become an important design goal to improve user experience. The most important protocols addressing this goal are TLS 1.3, the latest TLS version standardized in 2018 to replace the widely deployed TLS 1.2, and Quick UDP Internet Connections (QUIC), a secure transport protocol from Google that is implemented in the Chrome browser. There have been a number of formal security analyses for TLS 1.3 and QUIC, but their security, when layered with their underlying transport protocols, cannot be easily compared. Our work is the first to thoroughly compare the security and availability properties of these protocols. Toward this goal, we develop novel security models that permit “layered” security analysis. In addition to the standard goals of server authentication and data confidentiality and integrity, we consider the goals of IP spoofing prevention, key exchange packet integrity, secure channel header integrity, and reset authentication, which capture a range of practical threats not usually taken into account by existing security models that focus mainly on the cryptographic cores of the protocols. Equipped with our new models we provide a detailed comparison of three low-latency layered protocols: TLS 1.3 over TCP Fast Open (TFO), QUIC over UDP, and QUIC[TLS] (a new design for QUIC that uses TLS 1.3 key exchange) over UDP. In particular, we show that TFO’s cookie mechanism does provably achieve the security goal of IP spoofing prevention. Additionally, we find several new availability attacks that manipulate the early key exchange packets without being detected by the communicating parties. By including packet-level attacks in our analysis, our results shed light on how the reliability, flow control, and congestion control of the above layered protocols compare, in adversarial settings. We hope that our models will help protocol designers in their future protocol analyses and that our results will help practitioners better understand the advantages and limitations of secure channel establishment protocols.
2012
JOFC
On-line Ciphers and the Hash-CBC Constructions
Abstract
We initiate a study of on-line ciphers. These are ciphers that can take input plaintexts of large and varying lengths and will output the i th block of the ciphertext after having processed only the first i blocks of the plaintext. Such ciphers permit length-preserving encryption of a data stream with only a single pass through the data. We provide security definitions for this primitive and study its basic properties. We then provide attacks on some possible candidates, including CBC with fixed IV. We then provide two constructions, HCBC1 and HCBC2, based on a given block cipher E and a family of computationally AXU functions. HCBC1 is proven secure against chosen-plaintext attacks assuming that E is a PRP secure against chosen-plaintext attacks, while HCBC2 is proven secure against chosen-ciphertext attacks assuming that E is a PRP secure against chosen-ciphertext attacks.
2011
CRYPTO
2008
CRYPTO
Program Committees
- PKC 2023 (Program chair)
- Crypto 2022
- Crypto 2019 (Program chair)
- Crypto 2018 (Program chair)
- Eurocrypt 2017
- Eurocrypt 2015
- TCC 2014
- PKC 2014
- PKC 2012
- TCC 2012
- PKC 2011
- PKC 2010
- TCC 2010
- Eurocrypt 2009
- Eurocrypt 2008
- PKC 2008
- Asiacrypt 2007
- Eurocrypt 2006
- Crypto 2005
Coauthors
- Manuel Barbosa (1)
- Mihir Bellare (8)
- Alexandra Boldyreva (22)
- David Cash (1)
- Shan Chen (2)
- Nathan Chenette (3)
- Jean Paul Degabriele (2)
- Anand Desai (1)
- Serge Fehr (1)
- Marc Fischlin (4)
- Matthew Jagielski (1)
- Samuel Jero (1)
- Lars R. Knudsen (2)
- Younho Lee (1)
- Silvio Micali (1)
- Chanathip Namprempre (2)
- Cristina Nita-Rotaru (1)
- Adam O'Neill (4)
- Adriana Palacio (2)
- Kenneth G. Paterson (2)
- Christopher Patton (1)
- David Pointcheval (1)
- Thomas Shrimpton (1)
- Jessica Staddon (1)
- Martijn Stam (2)
- Bogdan Warinschi (3)