References of "Atashpendar, Arash"
     in
Bookmark and Share    
Full Text
Peer Reviewed
See detailPakeMail: Authentication and Key Management in Decentralized Secure Email and Messaging via PAKE
Vazquez Sandoval, Itzel UL; Atashpendar, Arash; Lenzini, Gabriele UL et al

in Obaidat, Mohammad S.; Ben-Othman, Jalel (Eds.) E-Business and Telecommunications - 17th International Conference on E-Business and Telecommunications, ICETE 2020, Online Event, July 8-10, 2020, Revised Selected Papers. (2021, October)

We propose the use of password-authenticated key exchange (PAKE) for achieving and enhancing entity authentication (EA) and key management (KM) in the context of decentralized end-to-end encrypted email ... [more ▼]

We propose the use of password-authenticated key exchange (PAKE) for achieving and enhancing entity authentication (EA) and key management (KM) in the context of decentralized end-to-end encrypted email and secure messaging, i.e., without a public key infrastructure or a trusted third party. This not only simplifies the EA process by requiring users to share only a low-entropy secret such as a memorable word, but it also allows us to establish a high-entropy secret key. This approach enables a series of cryptographic enhancements and security properties, which are hard to achieve using out-of-band (OOB) authentication. We first study a few vulnerabilities in voice-based OOB authentication, in particular a combinatorial attack against lazy users, which we analyze in the context of a secure email solution. We then propose tackling public key authentication by solving the problem of secure equality test using PAKE and discuss various protocols and their properties. This method enables the automation of important KM tasks such as key renewal and future key pair authentications, reduces the impact of human errors and lends itself to the asynchronous nature of email and modern messaging. It also provides cryptographic enhancements including multi-device synchronization, and secure secret storage/retrieval, and paves the path for forward secrecy, deniability and post-quantum security.We also discuss the use of auditable PAKEs for mitigating a class of online guess and abort attacks in authentication protocols. We present an implementation of our proposal, called PakeMail, to demonstrate the feasibility of the core idea and discuss some of its cryptographic details, implemented features and efficiency aspects. We conclude with some design and security considerations, followed by future lines of work. [less ▲]

Detailed reference viewed: 36 (2 UL)
Full Text
Peer Reviewed
See detailAuthentication and Key Management Automation in Decentralized Secure Email and Messaging via Low-Entropy Secrets
Vazquez Sandoval, Itzel UL; Atashpendar, Arash; Lenzini, Gabriele UL

in Proceedings of the 17th International Joint Conference on e-Business and Telecommunications (2020)

We revisit the problem of entity authentication in decentralized end-to-end encrypted email and secure messaging to propose a practical and self-sustaining cryptographic solution based on password ... [more ▼]

We revisit the problem of entity authentication in decentralized end-to-end encrypted email and secure messaging to propose a practical and self-sustaining cryptographic solution based on password-authenticated key exchange (PAKE). This not only allows users to authenticate each other via shared low-entropy secrets, e.g., memorable words, without a public key infrastructure or a trusted third party, but it also paves the way for automation and a series of cryptographic enhancements; improves security by minimizing the impact of human error and potentially improves usability. First, we study a few vulnerabilities in voice-based out-of-band authentication, in particular a combinatorial attack against lazy users, which we analyze in the context of a secure email solution. Next, we propose solving the problem of secure equality test using PAKE to achieve entity authentication and to establish a shared high-entropy secret key. Our solution lends itself to offline settings, compatible with the inherently asynchronous nature of email and modern messaging systems. The suggested approach enables enhancements in key management such as automated key renewal and future key pair authentications, multi-device synchronization, secure secret storage and retrieval, and the possibility of post-quantum security as well as facilitating forward secrecy and deniability in a primarily symmetric-key setting. We also discuss the use of auditable PAKEs for mitigating a class of online guess and abort attacks in authentication protocols. [less ▲]

Detailed reference viewed: 152 (23 UL)