Authentication proxies, which store users’ secret credentials and submit them to servers on their behalf, offer benefits with respect to security of the authentication and usability of credential management. However, as being a service that is not in control of users, one important problem they suffer is the trust problem; how users trust that their secrets are handled securely in the proxy and...

An attribute is a particular property of an entity, such as a role, access identity, group, or clearance. If attributes are provided integrity, authentication, and conndentiality, Web servers can then trust these secure attributes and use them for many purposes, such as access control, authorization, authentication, and electronic transactions. In this paper, we present a comprehensive approach...

Zero-knowledge proofs are a cryptographic technique that allows one entity, the prover, to convince another, the verifier, of the truth of a statement without revealing any information other than that the statement is true. Neither the verifier nor any observer of the interaction between the two parties will have any information they did not have before. The zero-knowledge property provides som...

In 2004, Ari Juels [1] proposed a Yoking-Proofs protocol for RFID systems. The aim is to permit tags to generate a proof which is verifiable off-line by a trusted entity even when the readers are potentially untrusted. However, we find that their protocol not only doesn’t possess the anonymity property but also suffers from both of the off-line and replay attacks. In 2006, Kirk H.M. Wong et al....

Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication. Steganography is the science of embedding information into the cover image viz., text, video, and image without causing statistically significant modification to the cover image. Combining these two techni...

Location-dependent services are services that adapt their behavior based on the locations of mobile devices. For many applications, it is critical that location-dependent services use trustworthy device locations, namely locations that are both accurate and recent. These properties are captured by a security goal called locale authentication whereby an entity can authenticate the physical locat...

We formally analyze the family of entity authentication protocols defined by the ISO/IEC 9798 standard and find numerous weaknesses, both old and new, including some that violate even the most basic authentication guarantees. We analyze the cause of these weaknesses, propose repaired versions of the protocols, and provide automated, machine-checked proofs of their correctness. From an engineeri...

Two-party key establishment has been a very fruitful research area in cryptography, with many security models and numerous protocols proposed. In this paper, we take another look at the YAK protocol and the HMQV protocols and present some extended analysis. Motivated by our analysis, we reflect on the security properties that are desired by two-party key establishment protocols, and their forma...

Network users today have to remember one username/password pair for every service they are registered with. One solution to the security and usability implications of this situation is Single Sign-On, a mechanism by which the user authenticates only once to an entity termed the ‘Authentication Service Provider’ (ASP) and subsequently uses disparate Service Providers (SPs) without necessarily re...

At present, network users have to remember a username and a corresponding password for every service with which they are registered. Single Sign-On (SSO) has been proposed as a solution to the usability, security and management implications of this situation. Under SSO, users authenticate themselves only once to an entity termed the ‘Authentication Service Provider’ (ASP) and subsequently use d...