Formalising Human Recognition: a Fundamental Building Block for Security Proofs

A fundamental part of many protocols that authenticate a party to a human is the human recognizing or otherwise processing a message received from that party. Examples include typical implementations of Verified by Visa, in which a message previously stored by the human at a bank is sent by the bank to the human to authenticate the bank to the human, and the expectation that humans will recognize or verify an extended validation certificate in an HTTPS context. This paper presents general definitions and building blocks for the modelling and analysis of human recognition in authentication protocols, allowing the creation of proofs for protocols which include humans. We cover both generalized trawling and human-specific targeted attacks. As examples of the range of uses of our construction, we use the model presented in this paper to prove the security of a mutual authentication login protocol and a human-assisted device pairing protocol.
