TY - JOUR
T1 - The Security of Lazy Users in Out-of-Band Authentication
AU - Naor, Moni
AU - Rotem, Lior
AU - Segev, Gil
N1 - M. N. is the incumbent of the Judith Kleeman Professorial Chair, and is supported in part by a grant from the Israel Science Foundation. L. R. and G. S. are supported by the European Union’s Horizon 2020 Framework Program (H2020) via an ERC Grant (Grant No. 714253), by the Israel Science Foundation (Grant No. 483/13), by the Israeli Centers of Research Excellence (I-CORE) Program (Center No. 4/11), and by the US-Israel Binational Science Foundation (Grant No. 2014632). L. R. is supported by the Adams Fellowship Program of the Israel Academy of Sciences and Humanities.
PY - 2020/5
Y1 - 2020/5
N2 - Faced with the threats posed by man-in-the-middle attacks, messaging platforms rely on "out-of-band" authentication, assuming that users have access to an external channel for authenticating one short value. For example, assuming that users recognizing each other's voice can authenticate a short value, Telegram and WhatsApp ask their users to compare 288-bit and 200-bit values, respectively. The existing protocols, however, do not take into account the plausible behavior of users who may be "lazy" and only compare parts of these values (rather than their entirety). Motivated by such a security-critical user behavior, we study the security of lazy users in out-of-band authentication. We start by showing that both the protocol implemented by WhatsApp and the statistically optimal protocol of Naor, Segev, and Smith (CRYPTO'06) are completely vulnerable to man-in-the-middle attacks when the users consider only a half of the out-of-band authenticated value. In this light, we put forward a framework that captures the behavior and security of lazy users. Our notions of security consider both statistical security and computational security, and for each flavor we derive a lower bound on the tradeoff between the number of positions that are considered by the lazy users and the adversary's forgery probability. Within our framework, we then provide two authentication protocols. First, in the statistical setting, we present a transformation that converts any out-of-band authentication protocol into one that is secure even when executed by lazy users. Instantiating our transformation with a new refinement of the protocol of Naor et al. results in a protocol whose tradeoff essentially matches our lower bound in the statistical setting. Then, in the computational setting, we show that the computationally optimal protocol of Vaudenay (CRYPTO'05) is secure even when executed by lazy users - and its tradeoff matches our lower bound in the computational setting.
AB - Faced with the threats posed by man-in-the-middle attacks, messaging platforms rely on "out-of-band" authentication, assuming that users have access to an external channel for authenticating one short value. For example, assuming that users recognizing each other's voice can authenticate a short value, Telegram and WhatsApp ask their users to compare 288-bit and 200-bit values, respectively. The existing protocols, however, do not take into account the plausible behavior of users who may be "lazy" and only compare parts of these values (rather than their entirety). Motivated by such a security-critical user behavior, we study the security of lazy users in out-of-band authentication. We start by showing that both the protocol implemented by WhatsApp and the statistically optimal protocol of Naor, Segev, and Smith (CRYPTO'06) are completely vulnerable to man-in-the-middle attacks when the users consider only a half of the out-of-band authenticated value. In this light, we put forward a framework that captures the behavior and security of lazy users. Our notions of security consider both statistical security and computational security, and for each flavor we derive a lower bound on the tradeoff between the number of positions that are considered by the lazy users and the adversary's forgery probability. Within our framework, we then provide two authentication protocols. First, in the statistical setting, we present a transformation that converts any out-of-band authentication protocol into one that is secure even when executed by lazy users. Instantiating our transformation with a new refinement of the protocol of Naor et al. results in a protocol whose tradeoff essentially matches our lower bound in the statistical setting. Then, in the computational setting, we show that the computationally optimal protocol of Vaudenay (CRYPTO'05) is secure even when executed by lazy users - and its tradeoff matches our lower bound in the computational setting.
KW - End-to-end encryption
KW - cryptographic protocols
KW - key exchange
KW - messaging
UR - http://www.scopus.com/inward/record.url?scp=85085595507&partnerID=8YFLogxK
U2 - https://doi.org/10.1145/3377849
DO - https://doi.org/10.1145/3377849
M3 - Article
SN - 2471-2566
VL - 23
JO - ACM Transactions on Privacy and Security
JF - ACM Transactions on Privacy and Security
IS - 2
M1 - 9
ER -