Experience report: How to extract security protocols’ specifications from C libraries

Interdisciplinary Research Group in Socio-technical Cybersecurity
Authors: Itzel Vazquez Sandoval, Gabriele Lenzini
Abstract: Often, analysts have to face a challenging situation when formally verifying the implementation of a security protocol: they need to build a model of the protocol from only poorly or not documented code, and with little …

A Formal Security Analysis of the pEp Authentication Protocol for Decentralized Key Distribution and End-to-End Encrypted Email

Interdisciplinary Research Group in Socio-technical Cybersecurity
Authors: Vazquez Sandoval Itzel, Lenzini Gabriele
Abstract: To send encrypted emails, users typically need to create and exchange keys which later should be manually authenticated, for instance, by comparing long strings of characters. These tasks are cumbersome …

A Critical Security Analysis of the Password-Based Authentication Honeywords System Under Code-Corruption Attack

Interdisciplinary Research Group in Socio-technical Cybersecurity
Authors: Ziya Alper Genç, Gabriele Lenzini, Peter Y. A. Ryan, Itzel Vazquez Sandoval
Abstract: Password-based authentication is a widespread method to access systems, thus password files are a valuable resource and often the target of attacks. To detect when a password file …

A Protocol to Strengthen Password-Based Authentication

Interdisciplinary Research Group in Socio-technical Cybersecurity
Authors: Vazquez Sandoval Itzel, Lenzini Gabriele, Stojkovski Borce
Abstract: We discuss a password-based authentication protocol that we argue to be robust against password-guessing and off-line dictionary attacks. The core idea is to hash the passwords with a seed that comes from an OTP device, making the resulting identity …