5 research outputs found

    HoneyPAKEs

    We combine two security mechanisms: a Password-based Authenticated Key Establishment (PAKE) protocol to protect the password used for access control, and the Honeywords construction of Juels and Rivest to detect the loss of password files. The resulting construction combines the properties of both: the password is intrinsically protected by the PAKE protocol during transmission, and the Honeywords mechanism detects attempts to exploit a compromised password file. Our constructions lead very naturally to two-factor-type protocols. An enhanced version of our protocol further provides protection against a compromised login server by ensuring that it does not learn the index of the true password.
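The Honeywords half of the construction is easy to make concrete. The following is an added example, not code from the HoneyPAKE paper: it implements the Juels and Rivest scheme (one real password plus K-1 decoy "honeywords" per account, with a separate honeychecker that stores only the index of the real one) and shows why a stolen password file raises an alarm when an attacker logs in with a cracked decoy. The PAKE layer is deliberately left out; the client here submits the password directly, which is exactly the transmission weakness the paper's PAKE component removes. The account name, password, dictionary, K=20 and the chaffing-by-tweaking rule are all constructed for illustration.

```python
"""Honeywords (Juels & Rivest) with a separate honeychecker: constructed example."""
import hashlib
import hmac
import random
import string
from dataclasses import dataclass, field

K = 20  # sweetwords per account: 1 real password + K-1 honeywords (constructed choice)


def kdf(password: str, salt: bytes) -> bytes:
    # Demo parameters; a real deployment uses a memory-hard KDF with stronger settings.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def tweak(password: str, rng: random.Random, t: int = 2) -> str:
    """Chaffing-by-tweaking: re-randomise the last t characters, keeping each
    character's class (digit/letter/other) so the decoys look plausible."""
    chars = list(password)
    for i in range(max(0, len(chars) - t), len(chars)):
        c = chars[i]
        if c.isdigit():
            chars[i] = rng.choice(string.digits)
        elif c.isalpha():
            chars[i] = rng.choice(string.ascii_lowercase if c.islower() else string.ascii_uppercase)
        else:
            chars[i] = rng.choice("!@#$%^&*")
    return "".join(chars)


def generate_sweetwords(password: str, k: int, rng: random.Random):
    """Return k distinct sweetwords in random order and the index of the real password."""
    words = [password]
    while len(words) < k:
        w = tweak(password, rng)
        if w not in words:
            words.append(w)
    rng.shuffle(words)
    return words, words.index(password)


@dataclass
class Honeychecker:
    """Hardened, separate host: holds only user -> index of the real password.
    (The paper's enhanced variant additionally hides this index from the login server.)"""
    _index: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)

    def set_index(self, user: str, idx: int) -> None:
        self._index[user] = idx

    def check(self, user: str, idx: int) -> bool:
        if self._index[user] == idx:
            return True
        self.alarms.append((user, idx))  # a honeyword was submitted: file likely stolen
        return False


@dataclass
class LoginServer:
    checker: Honeychecker
    rng: random.Random
    _pwfile: dict = field(default_factory=dict)  # user -> (salt, [hash of each sweetword])

    def enroll(self, user: str, password: str) -> None:
        words, idx = generate_sweetwords(password, K, self.rng)
        salt = self.rng.getrandbits(128).to_bytes(16, "big")  # os.urandom in practice
        self._pwfile[user] = (salt, [kdf(w, salt) for w in words])
        self.checker.set_index(user, idx)

    def login(self, user: str, password: str) -> str:
        salt, hashes = self._pwfile[user]
        h = kdf(password, salt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return "ok" if self.checker.check(user, i) else "alarm"
        return "fail"  # matches no sweetword: ordinary wrong password

    def stolen_file(self) -> dict:
        return dict(self._pwfile)  # what an attacker exfiltrates


def offline_crack(stolen_entry, candidates) -> dict:
    """Attacker side: recovers every sweetword whose preimage is in the dictionary.
    K-1 of them are decoys and nothing in the file says which one is real."""
    salt, hashes = stolen_entry
    table = {h: i for i, h in enumerate(hashes)}
    cracked = {}
    for cand in candidates:
        i = table.get(kdf(cand, salt))
        if i is not None:
            cracked[i] = cand
    return cracked


def demo() -> dict:
    rng = random.Random(2024)  # seeded only to make the example reproducible
    checker = Honeychecker()
    server = LoginServer(checker, rng)
    server.enroll("alice", "blue1987")  # constructed account
    real = server.login("alice", "blue1987")
    wrong = server.login("alice", "blue0000x")
    # Attacker's constructed dictionary covers every trailing-two-digit variant.
    cracked = offline_crack(server.stolen_file()["alice"], [f"blue19{d:02d}" for d in range(100)])
    # The attacker must guess among the cracked words; we pick a decoy to show the alarm path.
    decoy = next(w for _, w in sorted(cracked.items()) if w != "blue1987")
    decoy_result = server.login("alice", decoy)
    return {"real": real, "wrong": wrong, "cracked": len(cracked),
            "decoy": decoy_result, "alarms": len(checker.alarms)}


if __name__ == "__main__":
    print(demo())
```

The detection value comes from the split of knowledge: the password file alone lets the attacker recover all K sweetwords, but only the honeychecker knows which index is real, so a login with any of the other K-1 is both unsuccessful and a high-confidence signal that the file has leaked. In the HoneyPAKE construction the submitted password never travels in the clear; the PAKE run takes the place of the plain `login(user, password)` call above.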

    A multifaceted formal analysis of end-to-end encrypted email protocols and cryptographic authentication enhancements

    Largely owing to cryptography, modern messaging tools (e.g., Signal) have reached a considerable degree of sophistication, balancing advanced security features with high usability. This has not been the case for email, which, however, remains the most pervasive and interoperable form of digital communication. As sensitive information (e.g., identification documents, bank statements, or the message in the email itself) is frequently exchanged by this means, protecting the privacy of email communications is a justified concern that has been emphasized in recent years. A great deal of effort has gone into developing tools and techniques for providing email communications with privacy and security, requirements that were not originally considered. Yet drawbacks across several dimensions hinder the development of a global solution that would strengthen security while maintaining the standard features we expect from email clients. In this thesis, we present improvements to security in email communications. Relying on formal methods and cryptography, we design and assess security protocols and analysis techniques, and propose enhancements to implemented approaches for end-to-end secure email communication. In the first part, we propose a methodical process relying on code reverse engineering, which we use to abstract the specifications of two end-to-end security protocols from a secure email solution (called pEp); we then apply symbolic verification techniques to analyze these protocols with respect to privacy and authentication properties. We also introduce a novel formal framework that enables a security analysis of a system aimed at detecting flaws caused by possible discrepancies between the user's and the system's assessment of security. 
Security protocols, along with user perceptions and interaction traces, are modeled as transition systems; socio-technical security properties are defined as formulas in computation tree logic (CTL), which can then be verified by model checking. Finally, we propose a protocol that aims at securing, against a code-corruption attack, a password-based authentication system designed to detect the leakage of a password database. In the second part, the insights gained from the analysis in Part I allow us to propose both theoretical and practical solutions for improving security and usability aspects, primarily of email communication, from which secure messaging solutions can benefit too. The first enhancement concerns the use of password-authenticated key exchange (PAKE) protocols for entity authentication in peer-to-peer decentralized settings, as a replacement for out-of-band channels; this brings provable security to a so-far empirical process, and enables the implementation of further security and usability properties (e.g., forward secrecy, secure secret retrieval). A second idea concerns the protection of weak passwords at rest and in transit, for which we propose a scheme based on the use of a one-time password; furthermore, we consider potential approaches for improving this scheme. The research presented here was conducted as part of an industrial partnership between SnT/University of Luxembourg and pEp Security S.A.

    Attacks and security proofs of authenticated key-exchange protocols

    No full text
    The vast majority of communication on the Internet and on private networks relies heavily on public-key infrastructure (PKI). One possible way to avoid the complexities around PKI is to use Password Authenticated Key-Exchange (PAKE) protocols. PAKE protocols enable a secure communication link between two parties who share only a low-entropy secret (a password). PAKEs were introduced in the 1990s, and with the first security models and security proofs in the early 2000s it became clear that PAKEs have the potential for wide deployment, filling the gap where PKI falls short. PAKEs' PKI-free nature, resistance to phishing attacks and forward secrecy are just some of the properties that make them interesting and important to study. This dissertation includes three works on various aspects of PAKEs: an attack on an existing PAKE proposal, an application of PAKEs in login (for password leak detection) and authentication protocols (HoneyPAKEs), and a security analysis of the J-PAKE protocol, which is used in practice, and its variants. In our first work, we provide an empirical analysis of the zkPAKE protocol proposed in 2015. 
Our findings show that zkPAKE is not secure against offline dictionary attacks, resistance to which is one of the basic security requirements of PAKE protocols. Further, we demonstrate an implementation of an efficient offline dictionary attack, which emphasizes that a rigorous security proof is necessary when proposing a new protocol. In our second contribution, we propose a combined security mechanism called HoneyPAKE. The HoneyPAKE construction aims to detect the loss of password files while ensuring that the PAKE intrinsically protects the password. This makes the PAKE part of HoneyPAKE more resilient to server-compromise and pre-computation attacks, which are a serious security threat in client-server communication. Our third contribution facilitates the wider adoption of PAKEs. In this work, we revisit J-PAKE and simplify it by removing a non-interactive zero-knowledge proof from the last round of the protocol, deriving a lighter and more efficient version called sJ-PAKE. Furthermore, we prove sJ-PAKE secure in the indistinguishability game-based model, the so-called Real-or-Random model, also satisfying the notion of perfect forward secrecy.

    Attacks and Security Proofs of Password Authenticated Key-Exchange Protocols

    The vast majority of communication on the Internet and on private networks relies heavily on public-key infrastructure (PKI). One possible way to avoid the complexities around PKI is to use Password Authenticated Key-Exchange (PAKE) protocols. PAKE protocols enable a secure communication link between two parties who share only a low-entropy secret (a password). PAKEs were introduced in the 1990s, and with the first security models and security proofs in the early 2000s it became clear that PAKEs have the potential for wide deployment, filling the gap where PKI falls short. PAKEs' PKI-free nature, resistance to phishing attacks and forward secrecy are just some of the properties that make them interesting and important to study. This dissertation includes three works on various aspects of PAKEs: an attack on an existing PAKE proposal, an application of PAKEs in login (for password leak detection) and authentication protocols (HoneyPAKEs), and a security analysis of the J-PAKE protocol, which is used in practice, and its variants. In our first work, we provide an empirical analysis of the zkPAKE protocol proposed in 2015. Our findings show that zkPAKE is not secure against offline dictionary attacks, resistance to which is one of the basic security requirements of PAKE protocols. Further, we demonstrate an implementation of an efficient offline dictionary attack, which emphasizes that a rigorous security proof is necessary when proposing a new protocol. In our second contribution, we propose a combined security mechanism called HoneyPAKE. The HoneyPAKE construction aims to detect the loss of password files while ensuring that the PAKE intrinsically protects the password. This makes the PAKE part of HoneyPAKE more resilient to server-compromise and pre-computation attacks, which are a serious security threat in client-server communication. Our third contribution facilitates the wider adoption of PAKEs. 
In this work, we revisit J-PAKE and simplify it by removing a non-interactive zero-knowledge proof from the last round of the protocol, deriving a lighter and more efficient version called sJ-PAKE. Furthermore, we prove sJ-PAKE secure in the indistinguishability game-based model, the so-called Real-or-Random model, also satisfying the notion of perfect forward secrecy.

    Attaques et preuves de sécurité des protocoles d'échange de clés authentifiés

    No full text
    The vast majority of communication on the Internet and on private networks relies heavily on public-key infrastructure (PKI). One possible way to avoid the complexities around PKI is to use Password Authenticated Key-Exchange (PAKE) protocols. PAKE protocols enable a secure communication link between two parties who share only a low-entropy secret (a password). PAKEs were introduced in the 1990s, and with the first security models and security proofs in the early 2000s it became clear that PAKEs have the potential for wide deployment, filling the gap where PKI falls short. PAKEs' PKI-free nature, resistance to phishing attacks and forward secrecy are just some of the properties that make them interesting and important to study. This dissertation includes three works on various aspects of PAKEs: an attack on an existing PAKE proposal, an application of PAKEs in login (for password leak detection) and authentication protocols (HoneyPAKEs), and a security analysis of the J-PAKE protocol, which is used in practice, and its variants. In our first work, we provide an empirical analysis of the zkPAKE protocol proposed in 2015. Our findings show that zkPAKE is not secure against offline dictionary attacks, resistance to which is one of the basic security requirements of PAKE protocols. Further, we demonstrate an implementation of an efficient offline dictionary attack, which emphasizes that a rigorous security proof is necessary when proposing a new protocol. In our second contribution, we propose a combined security mechanism called HoneyPAKE. The HoneyPAKE construction aims to detect the loss of password files while ensuring that the PAKE intrinsically protects the password. This makes the PAKE part of HoneyPAKE more resilient to server-compromise and pre-computation attacks, which are a serious security threat in client-server communication. Our third contribution facilitates the wider adoption of PAKEs. 
In this work, we revisit J-PAKE and simplify it by removing a non-interactive zero-knowledge proof from the last round of the protocol, deriving a lighter and more efficient version called sJ-PAKE. Furthermore, we prove sJ-PAKE secure in the indistinguishability game-based model, the so-called Real-or-Random model, also satisfying the notion of perfect forward secrecy.