Password Authenticated Key Exchange in a Group

Today, we release a new paper entitled “The Fairy-Ring Dance: Password Authenticated Key Exchange in a Group“. This is joint work with Xun Yi (RMIT University), Liqun Chen (HP Labs) and Siamak Shahandashti (Newcastle University). The initial work started when Xun visited us at the School of Computing Science, Newcastle University in Feb, 2014. This is one of the collaborative research outcomes, which stem from that visit.

The subject of two-party Password Authenticated Key Exchange (PAKE) has been well studied for nearly three decades, however the topic of multi-party Group PAKE (GPAKE) has so far received little attention. Partly, this is because a Group PAKE is significantly more complex to design than a two-party PAKE due to more interactions between participants, hence exposing more potential attack vectors for an adversary to exploit.

We decided to investigate this subject as we believed Group PAKE protocols would become increasingly more important in the next 10 years – especially in the era of Internet of Things (IoT). Using a Group PAKE protocol can help set up a group of out-of-box IoT devices that have no pre-installed secrets or certificates; one just needs to enter a common (low-entropy) passcode into each of the devices. The protocol can then take over to ensure secure group communication among these IoT devices despite that all data is transmitted through an insecure Internet.

One major technical challenge here is to make the protocol as round efficient as possible. With Moore’s law, the computational efficiency can rapidly improve over time, but the round efficiency will stay more or less the same. Intuitively, when a group of entities engage in multiple rounds of interactions over a distributed network, the bottleneck of the overall latency will likely be determined by the slowest responder in each round. Hence, our strategy is to trade off computation for optimal round efficiency, with the aim to minimize the number of rounds as much as possible.

The paper (a free copy available at IACR ePrint) gives more technical details about how the above strategy is realized. I’ll present the paper at the ASIACCS Workshop on IoT Privacy, Trust, and Security (IoTPTS), in April 2015. It will be interesting to hear feedback from academic and industrial researchers working on IoT.

Before reading the paper, I would suggest the reader to watch the following “Fairy Ring Dance” from YouTube first, since the structural design of our solution shares some similarity to that dance.

Fairy Ring Dance (YouTube)

 

Every Vote Counts: Ensuring Integrity in Large-Scale Electronic Voting

Last week, at USENIX EVT/WOTE’14, in the beautiful city of San Diego, I presented a paper that was jointly co-authored with my former colleague at Thales (Mr Matthew Kreeger) and colleagues at Newcastle University (Prof Brian Randell, Dr Dylan Clarke, Dr Siamak Shahandashti, Peter Hyun-Jeen Lee). The title of our joint paper is “Every Vote Counts: Ensuring Integrity in Large-Scale Electronic Voting” (presentation slides here).

In this paper, we first highlight a significant gap in the e-voting research field that many people seem to have ignored: while the End-to-End (E2E) e-voting systems have been extensively researched for over twenty years and have been commonly heralded as a rescuer to many controversies in e-voting, in practice few of those systems have actually been implemented and almost none of them used in real-world national elections.

We are motivated to find out the root cause and to narrow the gap. Our hypothesis is that the existing E2E systems’ universal dependence on a set of tallying authorities (who are assumed to be from parties of conflicting interests, be expert in cryptographic key management and be expert in computing) presents a significant hurdle towards the practical deployment of those systems.

We then show that the involvement of tallying authorities is not strictly necessary at least in some election scenarios. In particular, we focus on DRE-based (Direct Recording Electronic) elections conducted at supervised polling stations. This is perhaps the most common election scenario in national elections around the world, e.g., USA, India and Brazil.  We present a new cryptographic voting protocol called Direct Recording Electronic with Integrity (DRE-i). The DRE-i protocol provides the same E2E verifiability as other E2E voting protocols, but without involving any tallying authorities. Hence, the system is “self-enforcing”. By comparing with related E2E protocols that are dependent on tallying authorities, we demonstrate that a self-enforcing e-voting system is significantly simpler, earlier to implement, more efficient and has better usability – all of this is achieved without degrading security.

We welcome interested readers to scrutinize our paper, point out any error or discrepancy that you can find, and feel free to write your feedback in the “Comments” below.

On the privacy of private browsing – A forensic approach

Most readers should already be familiar with the concept of Private Browsing (also known as the Incognito mode in Google Chrome and Inprivate Browsing in IE). This post is about our newly published paper in “Journal of Information Security and Applications” (Vol. 19, No. 1, 2014), which investigates the privacy issues of Private Browsing among four mainstream browsers: IE, Firefox, Chrome and Safari.

Our work is motivated by an apparent lack of research on the subject, despite that millions of users have been using private browsing to protect their privacy on the daily basis. In USENIX Security’08, Agrawal et al. studied the security of then-newly introduced private browsing feature in modern browsers and discovered several security issues. Their experiments were mainly focused on Firefox (in particular, Firefox V3.6). A year later, Said et al. extended the earlier work into analyzing the computer memory and they found traces of private browsing data in memory and cache after the browser is closed. Recently, in ESORICS’13, Lerner et al. presented a software tool that allows automatic verification of the browser extensions’ compliance with the private mode. The tool was mainly tested on Firefox extensions. Apart from these papers, the subject of private browsing seems to have received little attention from the security community.

In our paper, we conducted a systematic approach to investigate the privacy of private browsing across four main browsers: IE, Firefox, Chrome and Safari, and from various angles: not just in memory, but also in local database and web traffic. Our work constitutes an independent evaluation of the private browsing feature provided by mainstream web browsers. It presents the latest understanding on the security of private browsing as of February, 2014.

Our threat model is defined in terms of the attacker’s goals and capabilities. We divide the attacks into two categories: local and remote attacks. Local attacks mean the attacker has physical access to the user’s computer and has full control over it after the target user has exited the private browsing session (i.e., “after the fact” forensic). Remote attacks assume that the attacker is engaged with the user through HTTP(S) and wants to find out if the user is currently in the private browsing mode. Typically, this happens when the target user is visiting a web site controlled by the attacker. We have assessed different attacks in each category. A summary of all the attacks is presented in the following table. Those marked with * contain new results discovered by our study, while others correspond to attacks that have been previously known but validated again by our study. Full details about the attacks can be found in our paper. All the source codes for extensions and timing attacks are freely available here. We welcome any comments.

Firefox  Chrome  IE  Safari  Information leakage
Domain name system Browsing history
Memory inspection Browsing history, passwords, cookies
File timestamp When private mode was last used
Index.dat* N/A N/A N/A When private mode was last used
SQLite database crash* N/A Minor to serious depending on browsers
SQLite added bookmark* N/A Minor to serious depending on browsers
Extension* Browsing history
Cross-mode Interference* N/A N/A N/A User activities in private mode
Hyperlink attack If the user is in private mode
Timing attack* If the user is in private mode

Acknowledgements: This paper is based on an MSc dissertation titled “Is private browsing private?” by Kiavash Satvat.The authors of the paper are Kiavash Satvat, Matthew Forshaw, Feng Hao and Ehsan Toreini.