Recent studies have shown that a significant number of mobile applications, often handling sensitive data such as bank accounts and login credentials, suffers from SSL vulnerabilities. Most of the time, these vulnerabilities are due to improper use of the SSL protocol (in particular, in its handshake phase), resulting in applications exposed to man-in-the-middle attacks. In this paper, we prese...

This paper provides a uniied and generalized treatment of information-theoretic lower bounds on an opponent's probability of cheating in one-way message authentication. It extends and generalizes, in a number of directions, the substantial body of known results, each of which holds only for a certain restricted scenario. At the same time the treatment of unconditionally-secure authentication is...

In 2005, Wen et al. proposed the first provably secure three-party password-based authenticated key exchange using Weil pairings, and provided their proof in a modified Bellare-Rogaway model (BR-model). Here, we show an impersonation attack on Wen et al.’s scheme and point out a main flaw of their model that allows a man-in-the-middle adversary easily violate the security.

Key issuing protocols deal with overcoming the two inherent problems: key escrow and secure channel requirement of the identity based cryptosystems. An efficient key issuing protocol enables the identity based cryptosystems to be more acceptable and applicable in the real world. We present a secure and efficient threshold key issuing protocol. In our protocol, neither KGC nor KPA can impersonat...

– This work presents a software solution to the problem of remotely authenticating software during execution, which aims at assuring that the software is not changed prior to and during execution. The solution is based on a flow of idiosyncratic signatures that is generated by a function hidden in the software to be authenticated and validated by a remote computing component. The TrustedFlow™ a...

Securely associating, or“pairing,”wireless devices via out-ofband communication channels is a well established approach. Unfortunately, this technique is prone to human errors that lead to security problems such as man-in-the-middle attacks. To address this problem by motivating users, a previous proposal suggested the use of computer games. Games can make the pairing process rewarding, thus po...

Joux’s protocol [29] is a one round, tripartite key agreement protocol that is more bandwidth-efficient than any previous three-party key agreement protocol. But it is insecure, suffering from a simple man-inthe-middle attack. This paper shows how to make Joux’s protocol secure, presenting several tripartite, authenticated key agreement protocols that still require only one round of communicati...

In this paper we review and comment on “A novel protocol-authentication algorithm ruling out a man-in-the-middle attack in quantum cryptography”, [M. Peev et al., Int. J. Quant. Inform., 3, 225, (2005)]. In particular, we point out that the proposed primitive is not secure when used in a generic protocol, and needs additional authenticating properties of the surrounding quantum-cryptographic pr...

Man-in-the-middle attacks in TLS due to compromised CAs have been mitigated by log-based PKI enhancements such as Certificate Transparency. However, these log-based schemes do not offer sufficient incentives to logs and monitors, and do not offer any actions that domains can take in response to CA misbehavior. We propose IKP, a blockchain-based PKI enhancement that offers automatic responses to...

Network level surveillance, censorship, and various man-in-the-middle attacks target only specific types of network traffic (e.g., HTTP, HTTPS, VoIP, or Email). Therefore packets of these types will likely receive ”special” treatment by a transit network or a man-in-the-middle attacker. A transit ISP or an attacker may pass the targeted traffic through special software or equipment to gather da...