SaTC: CORE: Small: Authentication on the Web: Provable Security for Emerging Protocols

SaTC：核心：小型：网络身份验证：新兴协议的可证明安全性

• 批准号: 1946919
• 负责人: Alexandra Boldyreva
• 金额: $ 48.09万
• 依托单位: Georgia Tech Research Corporation
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-04-01 至 2025-03-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1946919&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Authentication; Web

Some important communication and authentication protocols on the Web still lack the provable-security treatment and hence lack the security guarantees as well. The project's impact is in bridging this gap. The project’s novelty is coupling the provable-security approach of modern cryptography with protocol design to yield novel security frameworks and analyses of the following protocols of emerging importance:(1) single sign-on (SSO) services, such as OpenID Connect, that allow service providers to delegate authentication of clients to designated identity providers,(2) FIDO2, a very ambitious project of the FIDO Alliance that helps the world to move away from bothersome use of passwords for authentication, relying instead on second-factor devices or biometrics, as well as secure PINs, (3) HTTPS protocol over TLS or QUIC, which encrypts and authenticates nearly half of Internet traffic nowadays. However, its security is not clear when used in combination with active proxies, middleboxes, or edge servers, all of which inspect, cache, or transform traffic in order to apply security rules, improve performance, etc. For each part of the project, the investigators design formal security definitions that take into account practical adversarial capabilities and various security threats. They then attempt to prove that the cryptographic cores of the aforementioned protocols satisfy the definitions under some reasonable computational assumptions on the protocol's components. When weaknesses are found and such proofs are not possible, then the investigators propose fixes. The novelty in applying such an approach is in modeling parties of more than two types, which may include a human party. The investigators put a serious effort to make the results accessible to a wide audience, including practitioners.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

Web上一些重要的通信和认证协议仍然缺乏可证明安全的处理，因此也缺乏安全性保证。该项目的影响是弥合这一差距。该项目的新奇在于将现代密码学的可证明安全方法与协议设计相结合，以产生新的安全框架，并分析以下新出现的重要协议：（1）单点登录（SSO）服务，例如OpenID Connect，其允许服务提供商将客户端的认证委托给指定的身份提供商，（2）FIDO 2，FIDO联盟的一个非常雄心勃勃的项目，其帮助世界摆脱麻烦的密码用于认证，而是依赖于第二因素设备或生物识别技术以及安全PIN，（3）TLS或QUIC上的HTTPS协议，加密和认证了近一半的互联网流量。然而，当与主动代理、中间盒或边缘服务器结合使用时，其安全性并不明确，所有这些服务器都检查、缓存或转换流量，以应用安全规则、提高性能等。然后，他们试图证明上述协议的加密核心满足协议的组件在一些合理的计算假设下的定义。当发现弱点并且这样的证据是不可能的，然后调查人员提出修复措施。应用这种方法的新奇在于对两种以上类型的政党进行建模，其中可能包括人类政党。研究人员付出了认真的努力，使结果可供广大观众，包括从业人员。这个奖项反映了NSF的法定使命，并已被认为是值得通过使用基金会的智力价值和更广泛的影响审查标准进行评估的支持。

项目成果

Provable Security Analysis of FIDO2

FIDO2 可证明的安全性分析

• DOI: 10.1007/978-3-030-84252
• 发表时间: 2021
• 期刊: CRYPTO 2021: Advances in Cryptology – CRYPTO 2021
• 作者: Barbosa, Manuel;Boldyreva, Alexandra;Chen, Shan;Warinschi, Bogdan
• 通讯作者: Warinschi, Bogdan