Reference : Authentication and Key Management Automation in Decentralized Secure Email and Messag...
Scientific congresses, symposiums and conference proceedings : Paper published in a book
Engineering, computing & technology : Computer science
Security, Reliability and Trust
Authentication and Key Management Automation in Decentralized Secure Email and Messaging via Low-Entropy Secrets
Vazquez Sandoval, Itzel mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Atashpendar, Arash mailto [itrust consulting]
Lenzini, Gabriele mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Proceedings of the 17th International Joint Conference on e-Business and Telecommunications
SECRYPT 2020 - 17th International Conference on Security and Cryptography
from 08-07-2020 to 10-07-2020
[en] entity authentication ; secure email ; decentralized key management ; password authenticated key exchange ; automation ; secure messaging
[en] We revisit the problem of entity authentication in decentralized end-to-end encrypted email and secure messaging to propose a practical and self-sustaining cryptographic solution based on
password-authenticated key exchange (PAKE). This not only allows users to authenticate each other via shared low-entropy secrets, e.g., memorable words, without a public key infrastructure or a trusted third party, but it also paves the way for automation and a series of cryptographic enhancements; improves security by minimizing the impact of human error and potentially improves usability. First, we study a few vulnerabilities in voice-based out-of-band authentication, in particular a combinatorial attack against lazy users, which we analyze in the context of a secure email solution. Next, we propose solving the problem of secure equality test using PAKE to achieve entity authentication and to establish a shared high-entropy secret key. Our solution lends itself to offline settings, compatible with the inherently asynchronous nature of email and modern messaging systems. The suggested approach enables enhancements in key management such as automated key renewal and future key pair authentications, multi-device synchronization, secure secret storage and retrieval, and the possibility of post-quantum security as well as facilitating forward secrecy and deniability in a primarily symmetric-key setting. We also discuss the use of auditable PAKEs for mitigating a class of online guess and abort attacks in authentication protocols.
Published in the proceedings of SECRYPT 2020 (

File(s) associated to this reference

Fulltext file(s):

Open access
Authentication_and_key_management_in_secure_email_via_low-entropy_secrets.pdfAuthor preprint242.69 kBView/Open

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.