
Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security: Latest Publications

A Qualitative Study of Dependency Management and Its Security Implications
Ivan Pashchenko, Duc-Ly Vu, F. Massacci
Several large-scale studies on the Maven, NPM, and Android ecosystems point out that many developers do not often update their vulnerable software libraries, thus exposing the users of their code to security risks. The purpose of this study is to qualitatively investigate the choices and the interplay of functional and security concerns in the developers' overall decision-making strategies for selecting, managing, and updating software dependencies. We ran 25 semi-structured interviews with developers of both large and small-medium enterprises located in nine countries. All interviews were transcribed, coded, and analyzed according to applied thematic analysis. They highlight the trade-offs that developers are facing and that security researchers must understand to provide effective support to mitigate vulnerabilities (for example, bundling security fixes with functional changes might hinder adoption due to a lack of resources to fix functional breaking changes). We further distill our observations into actionable implications on what algorithms and automated tools should achieve to effectively support (semi-)automatic dependency management.
DOI: https://doi.org/10.1145/3372297.3417232 | Published: 2020-10-30
Citations: 52
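The trade-off the abstract names, a security fix that can only be taken together with breaking functional changes, is something a dependency tool can surface mechanically. The Python below is an added illustration, not code from the study or from any tool it mentions: it classifies each vulnerable dependency by whether the nearest safe release stays on the current major line (a drop-in patch) or exists only on a newer major line (a fix bundled with a breaking upgrade). The package names, release lists and the `Advisory` record format are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'1.4.2' -> (1, 4, 2). Only plain dotted numeric versions are handled."""
    return tuple(int(part) for part in text.split("."))

def format_version(version: Version) -> str:
    return ".".join(str(part) for part in version)

@dataclass(frozen=True)
class Advisory:
    """Constructed advisory format: every release on major line `major` below `fixed_in`
    is vulnerable; fixed_in=None means that major line never received a fix."""
    package: str
    major: int
    fixed_in: Optional[str]

def is_vulnerable(package: str, version: Version, advisories: List[Advisory]) -> bool:
    for adv in advisories:
        if adv.package != package or adv.major != version[0]:
            continue
        if adv.fixed_in is None or version < parse_version(adv.fixed_in):
            return True
    return False

def plan_update(package: str, current: str, available: List[str],
                advisories: List[Advisory]) -> Dict[str, Optional[str]]:
    """Classify the cheapest safe upgrade for one dependency.

    'patch-only': a safe release exists on the current major line, so the security fix
    can be taken without functional breaking changes.
    'needs-major-upgrade': the fix exists only on a newer major line, i.e. it comes
    bundled with breaking changes, the case the interviews found hardest to adopt."""
    cur = parse_version(current)
    if not is_vulnerable(package, cur, advisories):
        return {"package": package, "status": "safe", "upgrade_to": None}
    safe_newer = sorted(
        v for v in map(parse_version, available)
        if v > cur and not is_vulnerable(package, v, advisories)
    )
    same_line = [v for v in safe_newer if v[0] == cur[0]]
    if same_line:
        return {"package": package, "status": "patch-only", "upgrade_to": format_version(same_line[0])}
    if safe_newer:
        return {"package": package, "status": "needs-major-upgrade", "upgrade_to": format_version(safe_newer[0])}
    return {"package": package, "status": "no-fix-available", "upgrade_to": None}

# Constructed sample data (not real packages or advisories).
SAMPLE_ADVISORIES = [
    Advisory("libfoo", major=1, fixed_in="1.4.2"),   # fix backported to the 1.x line
    Advisory("libbar", major=3, fixed_in=None),      # 3.x abandoned; only 4.x is safe
]
SAMPLE_MANIFEST = {  # package -> (pinned version, releases available in the registry)
    "libfoo": ("1.4.1", ["1.4.0", "1.4.1", "1.4.2", "2.0.0", "2.1.0"]),
    "libbar": ("3.2.0", ["3.2.0", "3.2.1", "4.0.0"]),
    "libbaz": ("2.0.0", ["2.0.0", "2.0.1"]),
}

def plan_all(manifest=SAMPLE_MANIFEST, advisories=SAMPLE_ADVISORIES) -> Dict[str, Dict[str, Optional[str]]]:
    return {pkg: plan_update(pkg, cur, releases, advisories) for pkg, (cur, releases) in manifest.items()}

if __name__ == "__main__":
    for pkg, plan in plan_all().items():
        print(f"{pkg:8s} {plan['status']:20s} -> {plan['upgrade_to']}")
```

The `Advisory` shape is a deliberate simplification (one vulnerable range per major line); real advisory feeds carry explicit version ranges and would replace `is_vulnerable`. The point that matters for the study's findings is the `patch-only` versus `needs-major-upgrade` split: an updater that only ever proposes the latest release collapses both into the case developers are least able to adopt, and a tool that prefers the closest safe release on the current line removes the functional-breakage reason for leaving a vulnerable version in place.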
Is the Classical GMW Paradigm Practical? The Case of Non-Interactive Actively Secure 2PC
Jackson Abascal, Mohammad Hossein Faghihi Sereshgi, Carmit Hazay, Y. Ishai, Muthuramakrishnan Venkitasubramaniam
One of the most challenging aspects in secure computation is offering protection against active adversaries, who may arbitrarily alter the behavior of corrupted parties. A powerful paradigm due to Goldreich, Micali, and Wigderson (GMW) is to follow a two-step approach: (1) design a passively secure protocol π for the task at hand; (2) apply a general compiler to convert π into an actively secure protocol π' for the same task. In this work, we implement the first two-party actively secure protocol whose design is based on the general GMW paradigm. Our implementation applies to a passively secure π based on garbled circuits, using a sublinear zero-knowledge proof to ensure correctness of garbling. The main variant of our protocol makes a black-box use of an underlying oblivious transfer primitive by following the "certified oblivious transfer" blueprint of Ishai et al. (Eurocrypt 2011) and Hazay et al. (TCC 2017). We also analyze a conceptually simpler but less efficient variant that makes a non-black-box use of oblivious transfer. Our protocol has several important advantages. It supports non-interactive secure computation (NISC), where a receiver posts an "encryption" of its input and gets back from a sender an "encryption" of the output. The efficiency of this NISC protocol is enhanced by using an offline non-interactive preprocessing, where the sender publishes a single garbled circuit together with a proof of correctness, while the receiver need not even be online. The online work of both the sender and the receiver is lightweight, with a small overhead compared to Yao's passively secure protocol that depends mostly on the input size rather than the circuit size.
DOI: https://doi.org/10.1145/3372297.3423366 | Published: 2020-10-30
Citations: 5
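To make concrete what the zero-knowledge proof in the abstract has to establish, here is a textbook point-and-permute garbling of a single two-input gate, with all randomness derived from one seed so that the garbled table is a deterministic function Garble(seed, circuit). This is an added example in Python, not the paper's implementation: it has no free-XOR, no oblivious transfer and no zero-knowledge proof. `verify_garbling` shows the statement a correctness proof covers by doing the one thing a real proof must not do, handing the seed to the verifier. The label length, hash-based row encryption and wire names are assumptions of the example.

```python
import hashlib
import hmac

LABEL_LEN = 16  # 128-bit wire labels

def prf(seed: bytes, name: str) -> bytes:
    """All garbling randomness comes from one seed, so Garble(seed, circuit) is deterministic."""
    return hmac.new(seed, name.encode(), hashlib.sha256).digest()[:LABEL_LEN]

def make_wire(seed: bytes, name: str):
    """(label for 0, label for 1, permute bit). The evaluator only ever sees one label
    together with its colour bit = value XOR permute bit, which hides the value."""
    return prf(seed, name + "/0"), prf(seed, name + "/1"), prf(seed, name + "/perm")[0] & 1

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))

def pad(label_a: bytes, label_b: bytes) -> bytes:
    """One-time pad for a table row, derived from the two input labels that unlock it."""
    return hashlib.sha256(b"gate-pad" + label_a + label_b).digest()[:LABEL_LEN]

def and_gate(x: int, y: int) -> int:
    return x & y

def or_gate(x: int, y: int) -> int:
    return x | y

def garble_gate(seed: bytes, truth):
    """Point-and-permute garbling of one two-input gate with truth table truth(va, vb).
    Returns the four-row table (published) and the three wires (kept by the garbler)."""
    a, b, out = make_wire(seed, "a"), make_wire(seed, "b"), make_wire(seed, "out")
    table = [None] * 4
    for va in (0, 1):
        for vb in (0, 1):
            row = ((va ^ a[2]) << 1) | (vb ^ b[2])   # row index is fixed by the colour bits
            table[row] = xor(pad(a[va], b[vb]), out[truth(va, vb)])
    return table, a, b, out

def input_label(wire, value: int):
    """What the evaluator holds for one input wire: the label for `value` plus its colour bit.
    In the real protocol the evaluator obtains its own input labels via oblivious transfer."""
    return wire[value], value ^ wire[2]

def evaluate(table, in_a, in_b) -> bytes:
    """The evaluator decrypts exactly one row and learns one output label, nothing else."""
    (label_a, colour_a), (label_b, colour_b) = in_a, in_b
    return xor(pad(label_a, label_b), table[(colour_a << 1) | colour_b])

def decode(out_wire, label: bytes) -> int:
    if label == out_wire[0]:
        return 0
    if label == out_wire[1]:
        return 1
    raise ValueError("label is not on the output wire")

def run_gate(seed: bytes, truth, va: int, vb: int) -> int:
    """Garble, give the evaluator one label per input wire, evaluate, decode the output."""
    table, a, b, out = garble_gate(seed, truth)
    return decode(out, evaluate(table, input_label(a, va), input_label(b, vb)))

def verify_garbling(table, seed: bytes, truth) -> bool:
    """The statement a proof of correct garbling establishes: table == Garble(seed, truth).
    Checking it by handing over the seed, as here, is the trivial and NOT zero-knowledge
    proof; it also reveals both labels of every wire. The paper's sublinear ZK proof
    proves the same statement while keeping the seed, and hence the labels, secret."""
    expected, _, _, _ = garble_gate(seed, truth)
    return expected == table
```

A garbler that keeps the same seed but garbles OR instead of AND produces a table the evaluator cannot distinguish from an honest one, which is exactly the active deviation the GMW compilation step has to rule out. `verify_garbling` rejects that table, but only because it sees the seed; the paper's contribution is obtaining the same guarantee from a sublinear zero-knowledge proof, so the sender can publish one garbled circuit plus a proof ahead of time while the receiver's input labels stay hidden.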
Oracle Simulation: A Technique for Protocol Composition with Long Term Shared Secrets
Hubert Comon-Lundh, Charlie Jacomme, Guillaume Scerri
We provide a composition framework together with a variety of composition theorems that allow the security proof of an unbounded number of sessions of a compound protocol to be split into simpler goals. While many proof techniques could be used to prove the subgoals, our model is particularly well suited to the Computationally Complete Symbolic Attacker (CCSA) model. We address both sequential and parallel composition, with state passing and long-term shared secrets between the protocols. We also provide tools to reduce multi-session security to single-session security, with respect to a stronger attacker. As a consequence, our framework allows, for the first time, proofs in the CCSA model for an unbounded number of sessions. To this end, we introduce the notion of O-simulation: a simulation by a machine that has access to an oracle O. By carefully managing the access to long-term secrets, we can reduce the security of a composed protocol, for instance P || Q, to the security of P (resp. Q) with respect to an attacker simulating Q (resp. P) using an oracle O. As demonstrated by our case studies, the oracle is most of the time quite generic and simple. These results yield simple formal proofs of composed protocols, such as multiple sessions of key exchanges together with multiple sessions of protocols using the exchanged keys, even when all the parts share long-term secrets (e.g. signing keys). We also provide a concrete application to the SSH protocol with a (modified) forwarding agent, a complex case of long-term shared secrets, which we formally prove secure.
DOI: https://doi.org/10.1145/3372297.3417229 | Published: 2020-10-30
Citations: 4
Continuous and Multiregional Monitoring of Malicious Hosts
Shota Fujii, Takayuki Sato, Sho Aoki, Yu Tsuda, Y. Okano, Tomohiro Shigemoto, N. Kawaguchi, M. Terada
The number of cybersecurity threats has been increasing, and these threats have become more sophisticated year after year. Malicious hosts play a large role in modern cyberattacks, e.g., as a launcher of remote-control attacks or as a receiver of stolen information. In such circumstances, continuous monitoring of malicious hosts (URLs/IP addresses) is indispensable to reveal cyberattack activities, and many studies have been conducted on it. However, many of them have limitations: they help only in the short term, or they help only a few regions and/or a few organizations. Therefore, we cannot effectively monitor attacks that are active for only a short time or that change their behavior depending on where the victims are from (e.g., country/organization). In this paper, we propose Stargazer, a program that monitors malicious hosts from multiple points on a long-term basis. Multiregional monitoring sensors and inter-organizational collaboration are used to achieve this surveillance. In this paper, we describe an implementation of the Stargazer prototype and how 1,050 malicious hosts were monitored with multiregional sensors starting in December 2018; 10,929,418 measurements were obtained. Case studies on (1) revived hosts, (2) hosts that only respond to specific regions, and (3) the behavior of attack preparation were created.
DOI: https://doi.org/10.1145/3372297.3420018 | Published: 2020-10-30
Citations: 1
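Two of the case-study patterns above, revived hosts and hosts that answer only certain regions, reduce to simple queries over a multi-region probe log. The Python below is an added example, not Stargazer code; the probe records are constructed (RFC 5737 documentation addresses, two sensor regions, one probe per day) and the thresholds `min_gap_days` and `min_probes` are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed probe log (not Stargazer data): "<UTC time> <host> <sensor region> <up|down>".
SAMPLE_PROBES = """\
2019-01-01T00:00Z 203.0.113.10 jp up
2019-01-01T00:00Z 203.0.113.10 us up
2019-01-02T00:00Z 203.0.113.10 jp down
2019-01-02T00:00Z 203.0.113.10 us down
2019-01-03T00:00Z 203.0.113.10 jp down
2019-01-03T00:00Z 203.0.113.10 us down
2019-01-10T00:00Z 203.0.113.10 jp up
2019-01-10T00:00Z 203.0.113.10 us up
2019-01-01T00:00Z 198.51.100.7 jp up
2019-01-01T00:00Z 198.51.100.7 us down
2019-01-02T00:00Z 198.51.100.7 jp up
2019-01-02T00:00Z 198.51.100.7 us down
2019-01-03T00:00Z 198.51.100.7 jp up
2019-01-03T00:00Z 198.51.100.7 us down
2019-01-01T00:00Z 192.0.2.5 jp down
2019-01-01T00:00Z 192.0.2.5 us down
2019-01-02T00:00Z 192.0.2.5 jp up
2019-01-02T00:00Z 192.0.2.5 us up
"""

def parse_probes(text: str):
    """-> list of (timestamp, host, region, responded)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, region, status = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%MZ"), host, region, status == "up"))
    return records

def revived_hosts(records, min_gap_days: int = 3):
    """Hosts that were up, went dark for at least min_gap_days, then answered again.
    A host counts as up at a given time if any region's sensor got a response."""
    timeline = defaultdict(dict)                      # host -> time -> up from anywhere
    for ts, host, _, up in records:
        timeline[host][ts] = timeline[host].get(ts, False) or up
    revived = []
    for host, by_time in timeline.items():
        seen_up, dark_since = False, None
        for ts in sorted(by_time):
            up = by_time[ts]
            if up and seen_up and dark_since is not None and (ts - dark_since).days >= min_gap_days:
                revived.append(host)
                break
            if up:
                seen_up, dark_since = True, None
            elif dark_since is None:
                dark_since = ts                       # start of a dark period
    return sorted(revived)

def region_selective_hosts(records, min_probes: int = 3):
    """Hosts that always answer some regions and never answer others, each region judged
    on at least min_probes probes so that a single missed probe does not qualify."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))   # host -> region -> [probes, ups]
    for _, host, region, up in records:
        tally = counts[host][region]
        tally[0] += 1
        tally[1] += up
    result = {}
    for host, regions in counts.items():
        responds = sorted(r for r, (n, ups) in regions.items() if n >= min_probes and ups == n)
        silent = sorted(r for r, (n, ups) in regions.items() if n >= min_probes and ups == 0)
        if responds and silent:
            result[host] = {"responds": responds, "silent": silent}
    return result
```

Both detectors only work because there are sensors in several regions: with one sensor a region-selective host looks like a host that is simply down, and a short revival can fall between probes. The abstract's third case, attack preparation, needs richer per-probe data (what the host served, not only whether it answered) and is not modelled here.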
Session details: Session 5C: Forensics
Juan Caballero
DOI: https://doi.org/10.1145/3432979 | Published: 2020-10-30
Citations: 0
Session details: Session 1D: Applied Cryptography and Cryptanalysis
X. Wang
DOI: https://doi.org/10.1145/3432960 | Published: 2020-10-30
Citations: 0
Session details: Session 4C: Kernel Security
Erik van der Kouwe
DOI: https://doi.org/10.1145/3432974 | Published: 2020-10-30
Citations: 0
Blinder -- Scalable, Robust Anonymous Committed Broadcast
Ittai Abraham, Benny Pinkas, Avishay Yanai
Anonymous Committed Broadcast is a functionality that extends DC-nets and allows a set of clients to privately commit messages to a set of servers, which can then simultaneously open all committed messages in a random ordering. Anonymity holds since no one can learn the ordering or the content of a client's committed message. We present Blinder, the first system that provides a scalable and fully robust solution for anonymous committed broadcast. Blinder maintains both properties of security (anonymity) and robustness (a.k.a. 'guaranteed output delivery' or 'availability') in the face of a global active (malicious) adversary. Moreover, Blinder is censorship resistant, that is, an honest client cannot be blocked from participating. Blinder obtains its security and scalability by carefully combining classical and state-of-the-art techniques from the fields of anonymous communication and secure multiparty computation (MPC). Relying on MPC for such a system is beneficial since it naturally allows the parties (servers) to enforce some properties on accepted messages prior to their publication. A GPU-based implementation of Blinder with 5 servers, which accepts 1 million clients, incurs a latency of less than 8 minutes; faster by a factor of >100 than the 3-server Riposte protocol (S&P '15), which is not robust and not censorship resistant; we get an even larger factor when comparing to AsynchroMix and PowerMix (CCS '19), which are the only ones that guarantee fairness (or robustness in the online phase).
DOI: https://doi.org/10.1145/3372297.3417261 | Published: 2020-10-30
Citations: 25
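The functionality the abstract describes, clients commit into a shared table and the servers open it jointly so that slot order carries no information about who sent what, can be shown in its DC-net-style core with additive secret sharing. The Python below is an added illustration, not Blinder's protocol: it is passively secure only, assumes every client honestly writes a single slot, and draws slots without collisions. The field, the slot count and the messages are constructed for the example.

```python
import random
import secrets

FIELD = (1 << 61) - 1  # Mersenne prime; every share is a field element (illustration only)

def additive_shares(value: int, n_servers: int):
    """Split value into n shares summing to value mod FIELD; any n-1 of them are uniformly random."""
    shares = [secrets.randbelow(FIELD) for _ in range(n_servers - 1)]
    shares.append((value - sum(shares)) % FIELD)
    return shares

def client_commit(message: int, slot: int, n_slots: int, n_servers: int):
    """Client side: put the message in one slot of an otherwise all-zero table row and
    share every entry across the servers. Each server receives one share vector and,
    on its own, learns neither the slot nor the message."""
    per_slot = [additive_shares(message if i == slot else 0, n_servers) for i in range(n_slots)]
    return [[per_slot[i][s] for i in range(n_slots)] for s in range(n_servers)]

class Server:
    def __init__(self, n_slots: int):
        self.acc = [0] * n_slots            # running sum of all share vectors received

    def accept(self, share_vector):
        self.acc = [(a + b) % FIELD for a, b in zip(self.acc, share_vector)]

def committed_broadcast(messages, n_slots: int, n_servers: int, rng: random.Random):
    """One round: every client commits, then all servers open their sums at once.
    Slots are drawn without collision here; collisions between clients are one of the
    problems a real protocol has to handle and are not modelled."""
    servers = [Server(n_slots) for _ in range(n_servers)]
    slots = rng.sample(range(n_slots), len(messages))
    for message, slot in zip(messages, slots):
        for server, vec in zip(servers, client_commit(message, slot, n_slots, n_servers)):
            server.accept(vec)
    table = [sum(col) % FIELD for col in zip(*(s.acc for s in servers))]   # the joint opening
    return table, servers

def opened_messages(table):
    """Messages appear in slot order, which is independent of which client sent which."""
    return [v for v in table if v != 0]
```

No single server's accumulator reveals anything; the messages exist only in the joint sum. What this toy cannot do is the part Blinder gets from MPC: a client could hand the servers shares of a row with entries in every slot, or of a row that cancels someone else's message, and no server can notice without reconstructing the row, which would break anonymity. Checking a row's well-formedness inside the MPC before publication is the enforcement the abstract refers to, and it is what makes robustness against malicious clients possible at all.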
Asynchronous Remote Key Generation: An Analysis of Yubico's Proposal for W3C WebAuthn
Nick Frymann, Daniel Gardham, Franziskus Kiefer, E. Lundberg, M. Manulis, Dain Nilsson
WebAuthn, forming part of FIDO2, is a W3C standard for strong authentication, which employs digital signatures to authenticate web users whilst preserving their privacy. Owned by users, WebAuthn authenticators generate attested and unlinkable public-key credentials for each web service to authenticate users. Since the loss of authenticators prevents users from accessing web services, usable recovery solutions preserving the original WebAuthn design choices and security objectives are urgently needed. We examine Yubico's recent proposal for recovering from the loss of a WebAuthn authenticator by using a secondary backup authenticator. We analyse the cryptographic core of their proposal by modelling a new primitive, called Asynchronous Remote Key Generation (ARKG), which allows some primary authenticator to generate unlinkable public keys for which the backup authenticator may later recover corresponding private keys. Both processes occur asynchronously without the need for authenticators to export or share secrets, adhering to WebAuthn's attestation requirements. We prove that Yubico's proposal achieves our ARKG security properties under the discrete logarithm and PRF-ODH assumptions in the random oracle model. To prove that recovered private keys can be used securely by other cryptographic schemes, such as digital signatures or encryption schemes, we model compositional security of ARKG using composable games by Brzuska et al. (ACM CCS 2011), extended to the case of arbitrary public-key protocols. As well as being more general, our results show that private keys generated by ARKG may be used securely to produce unforgeable signatures for challenge-response protocols, as used in WebAuthn. We conclude our analysis by discussing concrete instantiations behind Yubico's ARKG protocol, its integration with the WebAuthn standard, performance, and usability aspects.
DOI: https://doi.org/10.1145/3372297.3417292 | Published: 2020-10-30
Citations: 18
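The derive-then-recover flow the abstract describes can be written out in a few lines. The Python below is an added illustration of ARKG's structure (the primary authenticator derives pk' = pk · g^ck from the backup's public key and a fresh ephemeral value; the backup later recovers sk' = sk + ck from the credential alone), not Yubico's code and not its parameters: a multiplicative group modulo the Mersenne prime 2^127-1 stands in for the elliptic-curve group, SHA-256 for the KDF, HMAC for the credential MAC, and a Schnorr-style signature for the authenticator's challenge-response signature. The labels `arkg/ck`, `arkg/mk` and `sig/` are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Stand-in group: integers mod the Mersenne prime 2^127-1 with generator 3, exponents
# reduced mod p-1. Illustration only, NOT a secure parameter choice; the proposal is
# instantiated over an elliptic-curve group.
P = (1 << 127) - 1
ORDER = P - 1
G = 3

def to_bytes(x: int) -> bytes:
    return x.to_bytes(16, "big")

def kdf(shared: int, label: bytes) -> int:
    """Hash-based derivation from the DH shared value; distinct labels give independent outputs."""
    return int.from_bytes(hashlib.sha256(label + to_bytes(shared)).digest(), "big") % ORDER

def backup_keygen():
    """Backup authenticator: one long-term key pair; only the public half is given to the primary."""
    sk = secrets.randbelow(ORDER - 2) + 2
    return sk, pow(G, sk, P)

def derive_pk(backup_pk: int, aux: bytes):
    """Primary authenticator, with the backup absent: derive a fresh, unlinkable public key
    and a credential blob that the backup can later turn into the matching private key."""
    e = secrets.randbelow(ORDER - 2) + 2
    E = pow(G, e, P)                                   # ephemeral public value, goes into the credential
    shared = pow(backup_pk, e, P)                      # DH value only the backup can recompute
    ck, mk = kdf(shared, b"arkg/ck"), to_bytes(kdf(shared, b"arkg/mk"))
    derived_pk = backup_pk * pow(G, ck, P) % P         # pk' = pk * g^ck
    tag = hmac.new(mk, to_bytes(E) + aux, hashlib.sha256).digest()
    return derived_pk, (E, aux, tag)

def derive_sk(backup_sk: int, cred) -> int:
    """Backup authenticator, later, during recovery: rebuild sk' = sk + ck for a credential
    it has never seen. The MAC check rejects credentials not derived from this backup key."""
    E, aux, tag = cred
    shared = pow(E, backup_sk, P)
    ck, mk = kdf(shared, b"arkg/ck"), to_bytes(kdf(shared, b"arkg/mk"))
    if not hmac.compare_digest(tag, hmac.new(mk, to_bytes(E) + aux, hashlib.sha256).digest()):
        raise ValueError("credential was not derived from this backup key (or was tampered with)")
    return (backup_sk + ck) % ORDER

def sign(sk: int, message: bytes):
    """Schnorr-style signature standing in for the authenticator's assertion signature."""
    k = secrets.randbelow(ORDER - 2) + 2
    R = pow(G, k, P)
    c = kdf(R, b"sig/" + message)
    return R, (k + c * sk) % ORDER

def verify(pk: int, message: bytes, signature) -> bool:
    R, z = signature
    c = kdf(R, b"sig/" + message)
    return pow(G, z, P) == R * pow(pk, c, P) % P
```

Two properties worth checking in any real instantiation are visible directly in the code: `derive_pk` needs neither the backup's private key nor any round trip to the backup, which is the asynchronous part, and the MAC inside the credential is what stops a relying party or an attacker from feeding the backup a credential it did not derive; without it, recovery would return a usable key for anything presented as a credential.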
ProMACs: Progressive and Resynchronizing MACs for Continuous Efficient Authentication of Message Streams
Frederik Armknecht, Paul Walther, G. Tsudik, Martin Beck, T. Strufe
Efficient integrity verification of received data requires Message Authentication Code (MAC) tags. However, while security calls for rather long tags, in many scenarios this contradicts other requirements. Examples are strict delay requirements (e.g., robot or drone control) or resource-scarce settings (e.g., LoRaWAN networks with limited battery capacity). Prior techniques suggested truncation of MAC tags, thus trading off linear performance gain for exponential security loss. To achieve the security of full-length MACs with short(er) tags, we introduce Progressive MACs (ProMACs), a scheme that uses internal state to gradually increase security upon reception of subsequent messages. We provide a formal framework and propose a provably secure, generic construction called Whips. We evaluate the applicability of ProMACs in several realistic scenarios and demonstrate example settings where ProMACs can be used as a drop-in replacement for traditional MACs.
{"title":"ProMACs: Progressive and Resynchronizing MACs for Continuous Efficient Authentication of Message Streams","authors":"Frederik Armknecht, Paul Walther, G. Tsudik, Martin Beck, T. Strufe","doi":"10.1145/3372297.3423349","DOIUrl":"https://doi.org/10.1145/3372297.3423349","url":null,"abstract":"Efficiently integrity verification of received data requires Message Authentication Code (MAC) tags. However, while security calls for rather long tags, in many scenarios this contradicts other requirements. Examples are strict delay requirements (e.g., robot or drone control) or resource-scarce settings (e.g., LoRaWAN networks with limited battery capacity). Prior techniques suggested truncation of MAC tags, thus trading off linear performance gain for exponential security loss. To achieve security of full-length MACs with short(er) tags, we introduce Progressive MACs (ProMACs) -- a scheme that uses internal state to gradually increase security upon reception of subsequent messages. We provide a formal framework and propose a provably secure, generic construction called Whips. We evaluate applicability of ProMACs in several realistic scenarios and demonstrate example settings where ProMACs can be used as a drop-in replacement for traditional MACs.","PeriodicalId":20481,"journal":{"name":"Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security","volume":"14 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2020-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"76184584","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 12
Copyright © 2023 Book学术 All rights reserved.