-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathatom.xml
188 lines (106 loc) · 12.4 KB
/
atom.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>Jan's Blog</title>
<subtitle>Who Am I?</subtitle>
<link href="https://jan-nku.github.io/atom.xml" rel="self"/>
<link href="https://jan-nku.github.io/"/>
<updated>2023-10-15T16:43:38.322Z</updated>
<id>https://jan-nku.github.io/</id>
<author>
<name>Jan_nku</name>
</author>
<generator uri="https://hexo.io/">Hexo</generator>
<entry>
<title>躬行之路</title>
<link href="https://jan-nku.github.io/2050/07/03/gong-xing-zhi-lu/"/>
<id>https://jan-nku.github.io/2050/07/03/gong-xing-zhi-lu/</id>
<published>2050-07-02T16:00:00.000Z</published>
<updated>2023-10-15T16:43:38.322Z</updated>
<summary type="html"><h3 id="Research-Weekly-starting-on-October-16th-2023"><a href="#Research-Weekly-starting-on-October-16th-2023" class="headerlink" title="Research Weekly, starting on October 16th, 2023"></a>Research Weekly, starting on October 16th, 2023</h3></summary>
</entry>
<entry>
<title>Protecting Poorly Chosen Secrets from Guessing Attacks</title>
<link href="https://jan-nku.github.io/2023/07/01/protecting-poorly-chosen-secrets-from-guessing-attacks/"/>
<id>https://jan-nku.github.io/2023/07/01/protecting-poorly-chosen-secrets-from-guessing-attacks/</id>
<published>2023-07-01T00:51:35.000Z</published>
<updated>2023-07-02T16:28:51.701Z</updated>
<summary type="html"><p>In a security system that allows people to choose their own passwords, people tend to choose passwords that can be easily guessed. This weakness exists in practically all widely used systems. Instead of forcing users to choose secrets that are likely to be difficult for them to remember, solutions that maintain user convenience and a high level of security at the same time are proposed. The basic idea is to <strong>ensure that data available to the attacker is sufficiently unpredictable</strong> to prevent an offline verification of whether a guess is successful or not. Common forms of guessing attacks are examined, examples of cryptographic protocols that are immune to such attacks are developed, and <strong>a systematic way to examine protocols to detect vulnerabilities to such attacks</strong> is suggested.</p></summary>
<category term="密码协议" scheme="https://jan-nku.github.io/categories/%E5%AF%86%E7%A0%81%E5%8D%8F%E8%AE%AE/"/>
<category term="密码协议" scheme="https://jan-nku.github.io/tags/%E5%AF%86%E7%A0%81%E5%8D%8F%E8%AE%AE/"/>
<category term="PAKE" scheme="https://jan-nku.github.io/tags/PAKE/"/>
</entry>
<entry>
<title>Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks</title>
<link href="https://jan-nku.github.io/2023/07/01/encrypted-key-exchange-password-based-protocols-secure-against-dictionary-attacks/"/>
<id>https://jan-nku.github.io/2023/07/01/encrypted-key-exchange-password-based-protocols-secure-against-dictionary-attacks/</id>
<published>2023-07-01T00:41:06.000Z</published>
<updated>2023-07-09T01:28:37.144Z</updated>
<summary type="html"><p>Classical cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. We introduce <strong>a novel combination of asymmetric (public-key) and symmetric (secret-key) cryptography</strong> that allow two parties sharing a common password to exchange confidential and authenticated information over an insecure network. These protocols are secure <strong>against active attacks</strong>, and have the property that the password is protected <strong>against off-line “dictionary”attacks</strong>. There ar <a href="Device-Enhanced-Password-Protocols-with-Optimal-Online-Offline-Protection.md">Device-Enhanced-Password-Protocols-with-Optimal-Online-Offline-Protection.md</a> e a number of other useful applications as well,including secure public telephones.</p></summary>
<category term="密码协议" scheme="https://jan-nku.github.io/categories/%E5%AF%86%E7%A0%81%E5%8D%8F%E8%AE%AE/"/>
<category term="密码协议" scheme="https://jan-nku.github.io/tags/%E5%AF%86%E7%A0%81%E5%8D%8F%E8%AE%AE/"/>
<category term="PAKE" scheme="https://jan-nku.github.io/tags/PAKE/"/>
</entry>
<entry>
<title>Proverif学习</title>
<link href="https://jan-nku.github.io/2023/06/30/proverif-xue-xi/"/>
<id>https://jan-nku.github.io/2023/06/30/proverif-xue-xi/</id>
<published>2023-06-30T08:10:39.000Z</published>
<updated>2023-06-30T10:26:29.657Z</updated>
<summary type="html"><p>ProVerif可以用来自动分析密码协议的Security性质,功能涵盖对称和非对称加密、数字签名、哈希函数、比特承诺、非交互式零知识证明。ProVerif可以证明可达性(reachability),对应断言(correspondence assertion),和可观察的等价性(observational equivalence)。这个能力使得它能对计算机安全领域中的机密性和认证性质进行分析,也可以考虑一些新兴的性质,如隐私性(privacy)、可追溯性(traceability)、可验证性(verifiability)。它还具有攻击重构的功能,如果某个性质不能被证明,ProVerif就会尝试构造一个反例trace。</p></summary>
<category term="密码协议" scheme="https://jan-nku.github.io/categories/%E5%AF%86%E7%A0%81%E5%8D%8F%E8%AE%AE/"/>
<category term="密码协议" scheme="https://jan-nku.github.io/tags/%E5%AF%86%E7%A0%81%E5%8D%8F%E8%AE%AE/"/>
<category term="tools" scheme="https://jan-nku.github.io/tags/tools/"/>
</entry>
<entry>
<title>基于RSA的网关口令认证密钥交换协议的分析与改进</title>
<link href="https://jan-nku.github.io/2023/06/28/ji-yu-rsa-de-wang-guan-kou-ling-ren-zheng-mi-yao-jiao-huan-xie-yi-de-fen-xi-yu-gai-jin/"/>
<id>https://jan-nku.github.io/2023/06/28/ji-yu-rsa-de-wang-guan-kou-ling-ren-zheng-mi-yao-jiao-huan-xie-yi-de-fen-xi-yu-gai-jin/</id>
<published>2023-06-28T10:17:10.000Z</published>
<updated>2023-06-30T23:56:04.416Z</updated>
<summary type="html"><p>2011 年 Wei 等学者首次提出了一个基于 RSA 的可证明安全的网关口令认证密钥交换协议,并声称在随机预言模型下基于大整数素因子分解的困难性证明了协议的安全性。利用该协议中服务器端提供的预言机服务,提出一 种分离攻击,攻击者只需发起几十次假冒会话便可恢复出用户的口令。攻击结果表明,该协议无法实现所声称的口令保护这一基本安全目标,突出显示了分离攻击是针对基于 RSA 的口令认证密钥交换协议的一种严重安全威胁。进一步指出了协议形式化安全证明中的失误,给出一个改进方案。分析结果表明,改进方案在提高安全性的同时保持了较高效率,更适于移动通信环境。</p></summary>
<category term="密码协议" scheme="https://jan-nku.github.io/categories/%E5%AF%86%E7%A0%81%E5%8D%8F%E8%AE%AE/"/>
<category term="密码协议" scheme="https://jan-nku.github.io/tags/%E5%AF%86%E7%A0%81%E5%8D%8F%E8%AE%AE/"/>
<category term="PAKE" scheme="https://jan-nku.github.io/tags/PAKE/"/>
</entry>
<entry>
<title>Two Birds with One Stone: Two-Factor Authentication with Security Beyond Conventional Bound</title>
<link href="https://jan-nku.github.io/2023/06/26/two-birds-with-one-stone-two-factor-authentication-with-security-beyond-conventional-bound/"/>
<id>https://jan-nku.github.io/2023/06/26/two-birds-with-one-stone-two-factor-authentication-with-security-beyond-conventional-bound/</id>
<published>2023-06-26T15:09:35.000Z</published>
<updated>2023-07-03T07:21:27.285Z</updated>
<summary type="html"><p>As the most prevailing two-factor authentication mechanism, smart-card-based password authentication has been a subject of intensive research in the past two decades, and hundreds of this type of schemes have wave upon wave been proposed. In most of these studies, there is <strong>no comprehensive and systematical metric available for schemes to be assessed objectively</strong>, and the authors present new schemes with assertions of the superior aspects over previous ones, while overlooking dimensions on which their schemes fare poorly. Unsurprisingly, most of them are far from satisfactory—either are found <strong>short of important security goals or lack of critical properties</strong>, especially being stuck with the security-usability tension. To overcome this issue, in this work we first <strong>explicitly define a security model</strong> that can accurately capture the practical capabilities of an adversary and then suggest <strong>a broad set of twelve properties framed as a systematic methodology for comparative evaluation</strong>, allowing schemes to be rated across a common spectrum. As our main contribution, <strong>a new scheme is advanced</strong> to resolve the various issues arising from user corruption and server compromise, and it is formally proved secure under the harshest adversary model so far. In particular, by integrating <strong>“honeywords”</strong>, traditionally the purview of system security, with a <strong>“fuzzy-verifier”</strong>, our scheme hits “two birds”: it not only <strong>eliminates the long-standing security-usability conflict</strong> that is considered intractable in the literature, but also <strong>achieves security guarantees beyond the conventional optimal security bound</strong>.<br></summary>
<category term="密码协议" scheme="https://jan-nku.github.io/categories/%E5%AF%86%E7%A0%81%E5%8D%8F%E8%AE%AE/"/>
<category term="密码协议" scheme="https://jan-nku.github.io/tags/%E5%AF%86%E7%A0%81%E5%8D%8F%E8%AE%AE/"/>
<category term="PAKE" scheme="https://jan-nku.github.io/tags/PAKE/"/>
</entry>
<entry>
<title>Analysing and Patching SPEKE in ISO/IEC</title>
<link href="https://jan-nku.github.io/2023/06/26/analysing-and-patching-speke-in-iso-iec/"/>
<id>https://jan-nku.github.io/2023/06/26/analysing-and-patching-speke-in-iso-iec/</id>
<published>2023-06-26T10:49:25.000Z</published>
<updated>2023-06-30T23:45:27.658Z</updated>
<summary type="html"><p>In this paper, we analyse the SPEKE protocol as specified in the ISO/IEC and IEEE standards. We identify that the protocol is vulnerable to two new attacks</p>
<ul>
<li><p><strong>impersonation attack</strong></p>
<p>allows an attacker to impersonate a user without knowing the password by launching two parallel sessions with the victim</p>
</li>
<li><p><strong>key-malleability attack</strong></p>
<p>allows a man-in-the-middle (MITM) to manipulate the session key without being detected by the end users</p>
</li>
</ul>
<p>We propose a patched SPEKE called P-SPEKE and present a formal analysis in the Applied Pi Calculus using ProVerif to show that the proposed patch prevents both attacks.</p></summary>
<category term="密码协议" scheme="https://jan-nku.github.io/categories/%E5%AF%86%E7%A0%81%E5%8D%8F%E8%AE%AE/"/>
<category term="密码协议" scheme="https://jan-nku.github.io/tags/%E5%AF%86%E7%A0%81%E5%8D%8F%E8%AE%AE/"/>
<category term="PAKE" scheme="https://jan-nku.github.io/tags/PAKE/"/>
</entry>
<entry>
<title>密码协议</title>
<link href="https://jan-nku.github.io/2023/06/22/mi-ma-xie-yi/"/>
<id>https://jan-nku.github.io/2023/06/22/mi-ma-xie-yi/</id>
<published>2023-06-21T16:00:00.000Z</published>
<updated>2023-06-28T10:13:04.505Z</updated>
<summary type="html"><p>2023spring 密码协议课程笔记<br>授课老师:汪定<br></summary>
<category term="密码协议" scheme="https://jan-nku.github.io/categories/%E5%AF%86%E7%A0%81%E5%8D%8F%E8%AE%AE/"/>
<category term="密码协议" scheme="https://jan-nku.github.io/tags/%E5%AF%86%E7%A0%81%E5%8D%8F%E8%AE%AE/"/>
</entry>
</feed>