Search

Your search keyword '"Mitchell, Chris"' showing total 1,731 results
Start Over Author "Mitchell, Chris"

Refine your results

more »

more »

more »

more »

more »

more »
1,731 results on '"Mitchell, Chris"'

1. Orientable sequences over non-binary alphabets

Author

Alhakim, Abbas, Mitchell, Chris J., Szmidt, Janusz, and Wild, Peter R.

Subjects
Mathematics - Combinatorics, 94A55
Abstract

We describe new, simple, recursive methods of construction for orientable sequences over an arbitrary finite alphabet, i.e. periodic sequences in which any sub-sequence of n consecutive elements occurs at most once in a period in either direction. In particular we establish how two variants of a generalised Lempel homomorphism can be used to recursively construct such sequences, generalising previous work on the binary case. We also derive an upper bound on the period of an orientable sequence., Comment: Minor bugs fixed

Published
2024

2. Integrity-protecting block cipher modes -- Untangling a tangled web

Author

Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

This paper re-examines the security of three related block cipher modes of operation designed to provide authenticated encryption. These modes, known as PES-PCBC, IOBC and EPBC, were all proposed in the mid-1990s. However, analyses of security of the latter two modes were published more recently. In each case one or more papers describing security issues with the schemes were eventually published, although a flaw in one of these analyses (of EPBC) was subsequently discovered - this means that until now EPBC had no known major issues. This paper establishes that, despite this, all three schemes possess defects which should prevent their use - especially as there are a number of efficient alternative schemes possessing proofs of security., Comment: Minor typos fixed

Published
2024

3. Extracting particle size distribution from laser speckle with a physics-enhanced autocorrelation-based estimator (PEACE)

Author

Zhang, Qihang, Gamekkanda, Janaka C., Pandit, Ajinkya, Tang, Wenlong, Papageorgiou, Charles, Mitchell, Chris, Yang, Yihui, Schwaerzler, Michael, Oyetunde, Tolutola, Braatz, Richard D., Myerson, Allan S., and Barbastathis, George

Subjects
Electrical Engineering and Systems Science - Image and Video Processing, Physics - Optics
Abstract

Extracting quantitative information about highly scattering surfaces from an imaging system is challenging because the phase of the scattered light undergoes multiple folds upon propagation, resulting in complex speckle patterns. One specific application is the drying of wet powders in the pharmaceutical industry, where quantifying the particle size distribution (PSD) is of particular interest. A non-invasive and real-time monitoring probe in the drying process is required, but there is no suitable candidate for this purpose. In this report, we develop a theoretical relationship from the PSD to the speckle image and describe a physics-enhanced autocorrelation-based estimator (PEACE) machine learning algorithm for speckle analysis to measure the PSD of a powder surface. This method solves both the forward and inverse problems together and enjoys increased interpretability, since the machine learning approximator is regularized by the physical law.

Published
2022
Full Text
View/download PDF

5. Rivaroxaban for stroke patients with antiphospholipid syndrome (RISAPS): protocol for a randomized controlled, phase IIb proof-of-principle trial

Author

Mittal, Prabal, Gafoor, Rafael, Sayar, Zara, Efthymiou, Maria, Tohidi-Esfahani, Ibrahim, Appiah-Cubi, Stella, Arachchillage, Deepa J., Atkinson, David, Bordea, Ekaterina, Cardoso, M. Jorge, Caverly, Emilia, Chandratheva, Arvind, Chau, Marisa, Freemantle, Nick, Gates, Carolyn, Ja¨ger, H. Rolf, Kaul, Arvind, Mitchell, Chris, Nguyen, Hanh, Packham, Bunis, Paskell, Jaye, Patel, Jignesh P., Round, Chris, Sanna, Giovanni, Zaidi, Abbas, Werring, David J., Isenberg, David, and Cohen, Hannah

Published
2024
Full Text
View/download PDF

7. Privacy-Preserving Biometric Matching Using Homomorphic Encryption

Author

Pradel, Gaëtan and Mitchell, Chris

Subjects
Computer Science - Cryptography and Security
Abstract

Biometric matching involves storing and processing sensitive user information. Maintaining the privacy of this data is thus a major challenge, and homomorphic encryption offers a possible solution. We propose a privacy-preserving biometrics-based authentication protocol based on fully homomorphic encryption, where the biometric sample for a user is gathered by a local device but matched against a biometric template by a remote server operating solely on encrypted data. The design ensures that 1) the user's sensitive biometric data remains private, and 2) the user and client device are securely authenticated to the server. A proof-of-concept implementation building on the TFHE library is also presented, which includes the underlying basic operations needed to execute the biometric matching. Performance results from the implementation show how complex it is to make FHE practical in this context, but it appears that, with implementation optimisations and improvements, the protocol could be used for real-world applications.

Published
2021

8. Constructing orientable sequences

Author

Mitchell, Chris J and Wild, Peter R

Subjects
Mathematics - Combinatorics
Abstract

This paper describes new, simple, recursive methods of construction for orientable sequences, i.e. periodic binary sequences in which any n-tuple occurs at most once in a period in either direction. As has been previously described, such sequences have potential applications in automatic position-location systems, where the sequence is encoded onto a surface and a reader needs only examine n consecutive encoded bits to determine its location and orientation on the surface. The only previously described method of construction (due to Dai et al.) is somewhat complex, whereas the new techniques are simple to both describe and implement. The methods of construction cover both the standard `infinite periodic' case, and also the aperiodic, finite sequence, case. Both the new methods build on the Lempel homomorphism, first introduced as a means of recursively generating de Bruijn sequences.

Published
2021

10. Critical shortfalls in the management of PBC: Results of a UK-wide, population-based evaluation of care delivery

Author

Abbas, Nadir, Smith, Rachel, Flack, Steven, Bains, Vikram, Aspinall, Richard J., Jones, Rebecca L., Burke, Laura, Thorburn, Douglas, Heneghan, Michael, Yeoman, Andrew, Leithead, Joanna, Braniff, Conor, Robertson, Andrew, Mitchell, Chris, Thain, Collette, Mitchell-Thain, Robert, Jones, David, Trivedi, Palak J., Mells, George F., and Alrubaiy, Laith

Published
2024
Full Text
View/download PDF

11. The (in)security of some recently proposed lightweight key distribution schemes

Author

Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

Two recently published papers propose some very simple key distribution schemes designed to enable two or more parties to establish a shared secret key with the aid of a third party. Unfortunately, as we show, most of the schemes are inherently insecure and all are incompletely specified - moreover, claims that the schemes are inherently lightweight are shown to be highly misleading. We also briefly critique a somewhat related very recent paper by the same authors that uses similar techniques to achieve what are claimed to be secure multiparty computations., Comment: This version adds a brief critique of a related paper on secure multiparty computation

Published
2021

13. Two closely related insecure noninteractive group key establishment schemes

Author

Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

Serious weaknesses in two very closely related group authentication and group key establishment schemes are described. Simple attacks against the group key establishment part of the schemes are described, which strongly suggest that the schemes should not be used., Comment: Paper updated to describe an attack on a closely related scheme

Published
2020

14. Provably insecure group authentication: Not all security proofs are what they claim to be

Author

Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

A paper presented at the ICICS 2019 conference describes what is claimed to be a `provably secure group authentication [protocol] in the asynchronous communication model'. We show here that this is far from being the case, as the protocol is subject to serious attacks. To try to explain this troubling case, an earlier (2013) scheme on which the ICICS 2019 protocol is based was also examined and found to possess even more severe flaws - this latter scheme was previously known to be subject to attack, but not in quite as fundamental a way as is shown here. Examination of the security theorems provided in both the 2013 and 2019 papers reveals that in neither case are they exactly what they seem to be at first sight; the issues raised by this are also briefly discussed., Comment: The previous versions of the paper contained an incorrect description of the ICICS 2019 scheme. This has been corrected. The attack has also been changed so that it applies to the correct version of the scheme. The main conclusions are unchanged

Published
2020

15. How not to secure wireless sensor networks revisited: Even if you say it twice it's still not secure

Author

Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

Two recent papers describe almost exactly the same group key establishment protocol for wireless sensor networks. Quite part from the duplication issue, we show that both protocols are insecure and should not be used - a member of a group can successfully impersonate the key generation centre and persuade any other group member to accept the wrong key value. This breaks the stated objectives of the schemes., Comment: Minor typos fixed

Published
2020

16. Who Needs Trust for 5G?

Author

Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

There has been much recent discussion of the criticality of the 5G infrastructure, and whether certain vendors should be able to supply 5G equipment. The key issue appears to be about trust, namely to what degree the security and reliability properties of 5G equipment and systems need to be trusted, and by whom, and how the necessary level of trust might be obtained. In this paper, by considering existing examples such as the Internet, the possible need for trust is examined in a systematic way, and possible routes to gaining trust are described. The issues that arise when a security and/or reliability failure actually occurs are also discussed. The paper concludes with a discussion of possible future ways of enabling all parties to gain the assurances they need in a cost-effective and harmonised way.

Published
2020

17. How not to secure wireless sensor networks: A plethora of insecure polynomial-based key pre-distribution schemes

Author

Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

Three closely-related polynomial-based group key pre-distribution schemes have recently been proposed, aimed specifically at wireless sensor networks. The schemes enable any subset of a predefined set of sensor nodes to establish a shared secret key without any communications overhead. It is claimed that these schemes are both secure and lightweight, i.e. making them particularly appropriate for network scenarios where nodes have limited computational and storage capabilities. Further papers have built on these schemes, e.g. to propose secure routing protocols for wireless sensor networks. Unfortunately, as we show in this paper, all three schemes are completely insecure; whilst the details of their operation varies, they share common weaknesses. In every case we show that an attacker equipped with the information built into at most two sensor nodes can compute group keys for all possible groups of which the attacked nodes are not a member, which breaks a fundamental design objective. The attacks can also be achieved by an attacker armed with the information from a single node together with a single group key to which this sensor node is not entitled. Repairing the schemes appears difficult, if not impossible. The existence of major flaws is not surprising given the complete absence of any rigorous proofs of security for the proposed schemes. A further recent paper proposes a group membership authentication and key establishment scheme based on one of the three key pre-distribution schemes analysed here; as we demonstrate, this scheme is also insecure, as the attack we describe on the corresponding pre-distribution scheme enables the authentication process to be compromised., Comment: This version adds a brief analysis of a recently published group authentication scheme very closely related to one of the three analysed key pre-distribution schemes

Published
2020

18. Yet another insecure group key distribution scheme using secret sharing

Author

Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security, E.3
Abstract

A recently proposed group key distribution scheme known as UMKESS, based on secret sharing, is shown to be insecure. Not only is it insecure, but it does not always work, and the rationale for its design is unsound. UMKESS is the latest in a long line of flawed group key distribution schemes based on secret sharing techniques., Comment: Minor modifications to provide extra background

Published
2020

21. The impact of quantum computing on real-world security: A 5G case study

Author

Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

This paper provides a detailed analysis of the impact of quantum computing on the security of 5G mobile telecommunications. This involves considering how cryptography is used in 5G, and how the security of the system would be affected by the advent of quantum computing. This leads naturally to the specification of a series of simple, phased, recommended changes intended to ensure that the security of 5G (as well as 3G and 4G) is not badly damaged if and when large scale quantum computing becomes a practical reality. By exploiting backwards-compatibility features of the 5G security system design, we are able to propose a novel multi-phase approach to upgrading security that allows for a simple and smooth migration to a post-quantum-secure system., Comment: The latest version corrects a couple of minor errors and adds a further reference

Published
2019

26. On Defense Electronics, U.S. Just Past Square One

Author

Mitchell, Chris

Subjects
Semiconductor industry, Military electronics industry, Semiconductor industry, Aerospace and defense industries, Business
Abstract

The good news is that U.S. government leaders are taking the important first steps in rebuilding America's electronics industrial base. The tougher news to swallow is that the United States--having [...]

Published
2024

27. The Saeed-Liu-Tian-Gao-Li authenticated key agreement protocol is insecure

Author

Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

A recently proposed authenticated key agreement protocol is shown to be insecure. In particular, one of the two parties is not authenticated, allowing an active man in the middle opponent to replay old messages. The protocol is essentially an authenticated Diffie-Hellman key agreement scheme, and the lack of authentication allows an attacker to replay old messages and have them accepted. Moreover, if the ephemeral key used to compute a protocol message is ever compromised, then the key established using the replayed message will also be compromised. Fixing the problem is simple - there are many provably secure and standardised protocols which are just as efficient as the flawed scheme.

Published
2019

28. Beyond Cookie Monster Amnesia: Real World Persistent Online Tracking

Author

Al-Fannah, Nasser Mohammed, Li, Wanpeng, and Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

Browser fingerprinting is a relatively new method of uniquely identifying browsers that can be used to track web users. In some ways it is more privacy-threatening than tracking via cookies, as users have no direct control over it. A number of authors have considered the wide variety of techniques that can be used to fingerprint browsers; however, relatively little information is available on how widespread browser fingerprinting is, and what information is collected to create these fingerprints in the real world. To help address this gap, we crawled the 10,000 most popular websites; this gave insights into the number of websites that are using the technique, which websites are collecting fingerprinting information, and exactly what information is being retrieved. We found that approximately 69\% of websites are, potentially, involved in first-party or third-party browser fingerprinting. We further found that third-party browser fingerprinting, which is potentially more privacy-damaging, appears to be predominant in practice. We also describe \textit{FingerprintAlert}, a freely available browser extension we developed that detects and, optionally, blocks fingerprinting attempts by visited websites.

Published
2019
Full Text
View/download PDF

29. OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect

Author

Li, Wanpeng, Mitchell, Chris J, and Chen, Thomas

Subjects
Computer Science - Cryptography and Security
Abstract

Millions of users routinely use Google to log in to websites supporting OAuth 2.0 or OpenID Connect; the security of OAuth 2.0 and OpenID Connect is therefore of critical importance. As revealed in previous studies, in practice RPs often implement OAuth 2.0 incorrectly, and so many real-world OAuth 2.0 and OpenID Connect systems are vulnerable to attack. However, users of such flawed systems are typically unaware of these issues, and so are at risk of attacks which could result in unauthorised access to the victim user's account at an RP. In order to address this threat, we have developed OAuthGuard, an OAuth 2.0 and OpenID Connect vulnerability scanner and protector, that works with RPs using Google OAuth 2.0 and OpenID Connect services. It protects user security and privacy even when RPs do not implement OAuth 2.0 or OpenID Connect correctly. We used OAuthGuard to survey the 1000 top-ranked websites supporting Google sign-in for the possible presence of five OAuth 2.0 or OpenID Connect security and privacy vulnerabilities, of which one has not previously been described in the literature. Of the 137 sites in our study that employ Google Sign-in, 69 were found to suffer from at least one serious vulnerability. OAuthGuard was able to protect user security and privacy for 56 of these 69 RPs, and for the other 13 was able to warn users that they were using an insecure implementation., Comment: 20 pages, 6 figures. arXiv admin note: substantial text overlap with arXiv:1801.07983

Published
2019

30. The Hsu-Harn-Mu-Zhang-Zhu group key establishment protocol is insecure

Author

Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

A significant security vulnerability in a recently published group key establishment protocol is described. This vulnerability allows a malicious insider to fraudulently establish a group key with an innocent victim, with the key chosen by the attacker. This shortcoming is sufficiently serious that the protocol should not be used.

Published
2018

31. Security issues in a group key establishment protocol

Author

Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

Major shortcomings in a recently published group key establishment protocol are described. These shortcomings are sufficiently serious that the protocol should not be used., Comment: arXiv admin note: text overlap with arXiv:1803.05365

Published
2018

32. Mitigating CSRF attacks on OAuth 2.0 and OpenID Connect

Author

Li, Wanpeng, Mitchell, Chris J, and Chen, Thomas

Subjects
Computer Science - Cryptography and Security
Abstract

Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0 and/or OpenID Connect-based single sign on. The security of OAuth 2.0 and OpenID Connect is therefore of critical importance, and it has been widely examined both in theory and in practice. Unfortunately, as these studies have shown, real-world implementations of both schemes are often vulnerable to attack, and in particular to cross-site request forgery (CSRF) attacks. In this paper we propose a new technique which can be used to mitigate CSRF attacks against both OAuth 2.0 and OpenID Connect., Comment: 18 pages, 3 figures

Published
2018

33. Web password recovery --- a necessary evil?

Author

Maqbali, Fatma Al and Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

Web password recovery, enabling a user who forgets their password to re-establish a shared secret with a website, is very widely implemented. However, use of such a fall-back system brings with it additional vulnerabilities to user authentication. This paper provides a framework within which such systems can be analysed systematically, and uses this to help gain a better understanding of how such systems are best implemented. To this end, a model for web password recovery is given, and existing techniques are documented and analysed within the context of this model. This leads naturally to a set of recommendations governing how such systems should be implemented to maximise security. A range of issues for further research are also highlighted., Comment: v2. Revised version

Published
2018

36. Provably Insecure Group Authentication: Not All Security Proofs are What they Claim to Be

Author

Mitchell, Chris J, Angrisani, Leopoldo, Series Editor, Arteaga, Marco, Series Editor, Panigrahi, Bijaya Ketan, Series Editor, Chakraborty, Samarjit, Series Editor, Chen, Jiming, Series Editor, Chen, Shanben, Series Editor, Chen, Tan Kay, Series Editor, Dillmann, Rüdiger, Series Editor, Duan, Haibin, Series Editor, Ferrari, Gianluigi, Series Editor, Ferre, Manuel, Series Editor, Hirche, Sandra, Series Editor, Jabbari, Faryar, Series Editor, Jia, Limin, Series Editor, Kacprzyk, Janusz, Series Editor, Khamis, Alaa, Series Editor, Kroeger, Torsten, Series Editor, Liang, Qilian, Series Editor, Martín, Ferran, Series Editor, Ming, Tan Cher, Series Editor, Minker, Wolfgang, Series Editor, Misra, Pradeep, Series Editor, Möller, Sebastian, Series Editor, Mukhopadhyay, Subhas, Series Editor, Ning, Cun-Zheng, Series Editor, Nishida, Toyoaki, Series Editor, Pascucci, Federica, Series Editor, Qin, Yong, Series Editor, Seng, Gan Woon, Series Editor, Speidel, Joachim, Series Editor, Veiga, Germano, Series Editor, Wu, Haitao, Series Editor, Zhang, Junjie James, Series Editor, Stănică, Pantelimon, editor, Gangopadhyay, Sugata, editor, and Debnath, Sumit Kumar, editor

Published
2021
Full Text
View/download PDF

37. Automating the Evaluation of Trustworthiness

Author

Sel, Marc, Mitchell, Chris J., Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Fischer-Hübner, Simone, editor, Lambrinoudakis, Costas, editor, Kotsis, Gabriele, editor, Tjoa, A Min, editor, and Khalil, Ismail, editor

Published
2021
Full Text
View/download PDF

38. AutoPass: An Automatic Password Generator

Author

Maqbali, Fatma Al and Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

Text password has long been the dominant user authentication technique and is used by large numbers of Internet services. If they follow recommended practice, users are faced with the almost insuperable problem of generating and managing a large number of site-unique and strong (i.e. non-guessable) passwords. One way of addressing this problem is through the use of a password generator, i.e. a client-side scheme which generates (and regenerates) site-specific strong passwords on demand, with the minimum of user input. This paper provides a detailed specification and analysis of AutoPass, a password generator scheme previously outlined as part of a general analysis of such schemes. AutoPass has been designed to address issues identified in previously proposed password generators, and incorporates novel techniques to address these issues. Unlike almost all previously proposed schemes, AutoPass enables the generation of passwords that meet important real-world requirements, including forced password changes, use of pre-specified passwords, and generation of passwords meeting site-specific requirements., Comment: 22 pages

Published
2017

40. Post-quantum Certificates for Electronic Travel Documents

Author

Pradel, Gaëtan, Mitchell, Chris J., Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Boureanu, Ioana, editor, Drăgan, Constantin Cătălin, editor, Manulis, Mark, editor, Giannetsos, Thanassis, editor, Dadoyan, Christoforos, editor, Gouvas, Panagiotis, editor, Hallman, Roger A., editor, Li, Shujun, editor, Chang, Victor, editor, Pallas, Frank, editor, Pohle, Jörg, editor, and Sasse, Angela, editor

Published
2020
Full Text
View/download PDF

41. Password Generators: Old Ideas and New

Author

Maqbali, Fatma AL and Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security, D.4.6, K.6.5
Abstract

This paper considers password generators, i.e. systems designed to generate site-specific passwords on demand. Such systems are an alternative to password managers. Over the last 15 years a range of password generator systems have been described. This paper proposes the first general model for such systems, and critically examines options for instantiating this model; options considered include all those previously proposed as part of existing schemes as well as certain novel possibilities. The model enables a more objective and high-level assessment of the design of such systems; it has also been used to sketch a possible new scheme, AutoPass, intended to incorporate the best features of the prior art whilst also addressing many of the most serious shortcomings of existing systems through the inclusion of novel features., Comment: This is the full version of a paper with the same title due to be published in the proceedings of WISTP 2016 in September 2016

Published
2016

42. Retrofitting mutual authentication to GSM using RAND hijacking

Author

Khan, Mohammed Shafiul Alam and Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

As has been widely discussed, the GSM mobile telephony system only offers unilateral authentication of the mobile phone to the network; this limitation permits a range of attacks. While adding support for mutual authentication would be highly beneficial, changing the way GSM serving networks operate is not practical. This paper proposes a novel modification to the relationship between a Subscriber Identity Module (SIM) and its home network which allows mutual authentication without changing any of the existing mobile infrastructure, including the phones; the only necessary changes are to the authentication centres and the SIMs. This enhancement, which could be deployed piecemeal in a completely transparent way, not only addresses a number of serious vulnerabilities in GSM but is also the first proposal for enhancing GSM authentication that possesses such transparency properties., Comment: 17 pages, 2 figures

Published
2016

43. On the security of 2-key triple DES

Author

Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

This paper reconsiders the security offered by 2-key triple DES, an encryption technique that remains widely used despite recently being de-standardised by NIST. A generalisation of the 1990 van Oorschot-Wiener attack is described, constituting the first advance in cryptanalysis of 2-key triple DES since 1990. We give further attack enhancements that together imply that the widely used estimate that 2-key triple DES provides 80 bits of security can no longer be regarded as conservative; the widely stated assertion that the scheme is secure as long as the key is changed regularly is also challenged. The main conclusion is that, whilst not completely broken, the margin of safety for 2-key triple DES is slim, and efforts to replace it, at least with its 3-key variant, should be pursued with some urgency., Comment: Typos in v1 fixed

Published
2016

46. Analysing the Security of Google's implementation of OpenID Connect

Author

Li, Wanpeng and Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

Many millions of users routinely use their Google accounts to log in to relying party (RP) websites supporting the Google OpenID Connect service. OpenID Connect, a newly standardised single-sign-on protocol, builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management services. It adds identity management functionality to the OAuth 2.0 system and allows an RP to obtain assurances regarding the authenticity of an end user. A number of authors have analysed the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google's implementation of OpenID Connect, involving forensic examination of 103 RP websites which support its use for sign-in. Our study reveals serious vulnerabilities of a number of types, all of which allow an attacker to log in to an RP website as a victim user. Further examination suggests that these vulnerabilities are caused by a combination of Google's design of its OpenID Connect service and RP developers making design decisions which sacrifice security for simplicity of implementation. We also give practical recommendations for both RPs and OPs to help improve the security of real world OpenID Connect systems.

Published
2015

47. Improving Air Interface User Privacy in Mobile Telephony

Author

Khan, Mohammed Shafiul Alam and Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

Although the security properties of 3G and 4G mobile networks have significantly improved by comparison with 2G (GSM), significant shortcomings remain with respect to user privacy. A number of possible modifications to 2G, 3G and 4G protocols have been proposed designed to provide greater user privacy; however, they all require significant modifications to existing deployed infrastructures, which are almost certainly impractical to achieve in practice. In this article we propose an approach which does not require any changes to the existing deployed network infrastructures or mobile devices, but offers improved user identity protection over the air interface. The proposed scheme makes use of multiple IMSIs for an individual USIM to offer a degree of pseudonymity for a user. The only changes required are to the operation of the authentication centre in the home network and to the USIM, and the scheme could be deployed immediately since it is completely transparent to the existing mobile telephony infrastructure. We present two different approaches to the use and management of multiple IMSIs.

Published
2015

48. Excavations at Redhouse, Adwick Le Street, Doncaster : Bronze Age, Iron Age and Roman Occupation

Author

Preece, Tracy, Brigstock, Richard, Chapman, Andy, Chinnock, Chris, Cumberpatch, Chris, Erb-Satullo, Nathaniel L., Fryer, Val, Gordon, Rebecca, Hylton, Tora, Leary, Ruth, Mackreth, Don, Meadows, Ian, Nair, Sreelakshmi Sajeevukumar, Putland, Robin, Vyner, Blaise, Wild, Felicity, Wolframm-Murray, Yvonne, Ardis, Carla, Illustrations by, Mitchell, Chris, with reconstruction drawings by, Preece, Tracy, Brigstock, Richard, Chapman, Andy, Chinnock, Chris, Cumberpatch, Chris, Erb-Satullo, Nathaniel L., Fryer, Val, Gordon, Rebecca, Hylton, Tora, Leary, Ruth, Mackreth, Don, Meadows, Ian, Nair, Sreelakshmi Sajeevukumar, Putland, Robin, Vyner, Blaise, Wild, Felicity, Wolframm-Murray, Yvonne, Ardis, Carla, and Mitchell, Chris

Published
2023

Catalog

Books, media, physical & digital resources
See catalog results