发布求助
文献互助 智能选刊 最新文献

2017 IEEE 30th Computer Security Foundations Symposium (CSF)最新文献

筛选
英文 中文
The Web SSO Standard OpenID Connect: In-depth Formal Security Analysis and Security Guidelines Web单点登录标准OpenID连接:深入的正式安全分析和安全指南
2017 IEEE 30th Computer Security Foundations Symposium (CSF) Pub Date : 2017-04-27 DOI: 10.1109/CSF.2017.20
Daniel Fett, Ralf Küsters, G. Schmitz
{"title":"The Web SSO Standard OpenID Connect: In-depth Formal Security Analysis and Security Guidelines","authors":"Daniel Fett, Ralf Küsters, G. Schmitz","doi":"10.1109/CSF.2017.20","DOIUrl":"https://doi.org/10.1109/CSF.2017.20","url":null,"abstract":"Web-based single sign-on (SSO) services such as Google Sign-In and Log In with Paypal are based on the OpenID Connect protocol. This protocol enables so-called relying parties to delegate user authentication to so-called identity providers. OpenID Connect is one of the newest and most widely deployed single sign-on protocols on the web. Despite its importance, it has not received much attention from security researchers so far, and in particular, has not undergone any rigorous security analysis.In this paper, we carry out the first in-depth security analysis of OpenID Connect. To this end, we use a comprehensive generic model of the web to develop a detailed formal model of OpenID Connect. Based on this model, we then precisely formalize and prove central security properties for OpenID Connect, including authentication, authorization, and session integrity properties.In our modeling of OpenID Connect, we employ security measures in order to avoid attacks on OpenID Connect that have been discovered previously and new attack variants that we document for the first time in this paper. Based on these security measures, we propose security guidelines for implementors of OpenID Connect. Our formal analysis demonstrates that these guidelines are in fact effective and sufficient.","PeriodicalId":269696,"journal":{"name":"2017 IEEE 30th Computer Security Foundations Symposium (CSF)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-04-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115824144","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 61
Human Computing for Handling Strong Corruptions in Authenticated Key Exchange 在认证密钥交换中处理强损坏的人工计算
2017 IEEE 30th Computer Security Foundations Symposium (CSF) Pub Date : 2017-03-10 DOI: 10.1109/CSF.2017.31
A. Boldyreva, Shan Chen, Pierre-Alain Dupont, D. Pointcheval
{"title":"Human Computing for Handling Strong Corruptions in Authenticated Key Exchange","authors":"A. Boldyreva, Shan Chen, Pierre-Alain Dupont, D. Pointcheval","doi":"10.1109/CSF.2017.31","DOIUrl":"https://doi.org/10.1109/CSF.2017.31","url":null,"abstract":"We propose the first user authentication and key exchange protocols that can tolerate strong corruptions on the client-side. If a user happens to log in to a server from a terminal that has been fully compromised, then the other past and future user's sessions initiated from honest terminals stay secure. We define the security model for Human Authenticated Key Exchange HAKE) protocols and first propose two generic protocols based on human-compatible (HC) function family, password-authenticated key exchange (PAKE), commitment, and authenticated encryption. We prove our HAKE protocols secure under reasonable assumptions and discuss efficient instantiations. We thereafter propose a variant where the human gets help from a small device such as RSA SecurID. This permits to implement an HC function family with stronger security and thus allows to weaken required assumptions on the PAKE. This leads to the very efficient HAKE which is still secure in case of strong corruptions. We believe that our work will promote further developments in the area of human-oriented cryptography.","PeriodicalId":269696,"journal":{"name":"2017 IEEE 30th Computer Security Foundations Symposium (CSF)","volume":"3 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-03-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129698438","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 4
Rényi Differential Privacy 差别隐私
2017 IEEE 30th Computer Security Foundations Symposium (CSF) Pub Date : 2017-02-24 DOI: 10.1109/CSF.2017.11
Ilya Mironov
{"title":"Rényi Differential Privacy","authors":"Ilya Mironov","doi":"10.1109/CSF.2017.11","DOIUrl":"https://doi.org/10.1109/CSF.2017.11","url":null,"abstract":"We propose a natural relaxation of differential privacy based on the Rényi divergence. Closely related notions have appeared in several recent papers that analyzed composition of differentially private mechanisms. We argue that the useful analytical tool can be used as a privacy definition, compactly and accurately representing guarantees on the tails of the privacy loss.We demonstrate that the new definition shares many important properties with the standard definition of differential privacy, while additionally allowing tighter analysis of composite heterogeneous mechanisms.","PeriodicalId":269696,"journal":{"name":"2017 IEEE 30th Computer Security Foundations Symposium (CSF)","volume":"56 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-02-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126665982","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 1015
A Formal Approach to Cyber-Physical Attacks 网络物理攻击的正式方法
2017 IEEE 30th Computer Security Foundations Symposium (CSF) Pub Date : 2016-11-04 DOI: 10.1109/CSF.2017.12
R. Lanotte, Massimo Merro, R. Muradore, L. Viganò
{"title":"A Formal Approach to Cyber-Physical Attacks","authors":"R. Lanotte, Massimo Merro, R. Muradore, L. Viganò","doi":"10.1109/CSF.2017.12","DOIUrl":"https://doi.org/10.1109/CSF.2017.12","url":null,"abstract":"We apply formal methods to lay and streamline theoretical foundations to reason about Cyber-Physical Systems (CPSs) and cyber-physical attacks. We focus on integrity and DoS attacks to sensors and actuators of CPSs, and on the timing aspects of these attacks. Our contributions are threefold: (1) we define a hybrid process calculus to model both CPSs and cyber-physical attacks. (2) we define a threat model of cyber-physical attacks and provide the means to assess attack tolerance/vulnerability with respect to a given attack. (3) we formalise how to estimate the impact of a successful attack on a CPS and investigate possible quantifications of the success chances of an attack. We illustrate definitions and results by means of a non-trivial engineering application.","PeriodicalId":269696,"journal":{"name":"2017 IEEE 30th Computer Security Foundations Symposium (CSF)","volume":"15 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-11-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130619589","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 49
首页 上一页
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信