Abstract
Browser-based security protocols perform cryptographic tasks within the constraints of commodity browsers. They are the bearer protocols for many security-critical applications on the Internet. Roughly speaking, they are the offspring of key exchange and secure session protocols. Although browser-based protocols are widely deployed, their security has not been formally proved. We provide a security model for the analysis of browser-based protocols based on the Universal Composability framework.
Please contact the author for the full version.
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Gajek, S. (2008). A Universally Composable Framework for the Analysis of Browser-Based Security Protocols. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds) Provable Security. ProvSec 2008. Lecture Notes in Computer Science, vol 5324. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88733-1_20
DOI: https://doi.org/10.1007/978-3-540-88733-1_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-88732-4
Online ISBN: 978-3-540-88733-1
eBook Packages: Computer Science (R0)