Dr Mark Manulis


Deputy Director of Surrey Centre for Cyber Security (SCCS), Senior Lecturer in Security
+44 (0)1483 683911
33 BB 02

Biography

Biography

Dr Mark Manulis is Associate Professor (Senior Lecturer) at the Department of Computer Science of the University of Surrey.

Prior to this appointment he worked as Assistant Professor at the Department of Computer Science of the TU Darmstadt in Germany, where he continues heading the Cryptographic Protocols Group. As Principal Investigator he is further associated with the Center for Advanced Security Research Darmstadt (CASED) and the European Center for Security and Privacy by Design (EC SPRIDE).

Mark obtained his PhD in Cryptography and Information Security from Ruhr-University Bochum (Germany) and spent his post-doc time with the UCL Crypto Group at the Universite catholique de Louvain (Belgium). He holds Dipl.-Inform. and M.Sc. degrees in Computer Science from the TU Braunschweig (Germany).

Mark is a regular member of program committees of international information security conferences. He is the programme chair of ACNS 2016, was general chair of CANS 2012 and PKC 2012, and is sitting on the editorial boards of IET Information Security and Elsevier's Journal of Information Security and Applications.

His research interests include authentication and key management, anonymity and privacy, design and formal analysis of cryptographic protocols, network security, security in distributed systems, wireless networks, and user-centric security.

Please refer for full information to his personal academic website: www.manulis.eu

Teaching

Year 2014/2015/2016

  • Semester 1: COMM044 | Symmetric Cryptography
  • Semester 1: COMM045 | Asymmetric Cryptography
  • Semester 2: COMM047 | Secure Systems and Applications | (co-taught with A.L. Ferrara, S. Li, S. Schneider)

Year 2013/2014

  • Semester 1: COM2031 | Advanced Algorithms
  • Semester 2: COMM036 | Web Hacking Countermeasures

Year 2012/2013

  • Semester 1: COM2031 | Advanced Algorithms
  • Semester 2: COMM036 | Web Hacking Countermeasures

Year 2011/2012

  • Semester 2: COM2027 | Software Engineering Project

Departmental duties

  • Since 2014 Senior Tutor for Professional Training
  • 2012 - 2014 Director of MSc Studies, Programme Leader for Information Systems MSc and Information Security MSc
  • 2012 - 2013 Marketing Coordinator of the Department of Computer Science

My publications

Publications

Fleischhacker N, Manulis M, Azodi A (2014) A Modular Framework for Multi-Factor Authentication and Key Exchange, 1st International Conference on Security Standardisation Research (SSR 2014) 8893 pp. 190-214 Springer
Manulis M, Schwenk J (2007) Provably Secure Framework for Information Aggregation in Sensor Networks, Computational Science and Its Applications - ICCSA 2007, Part I 4705 pp. 603-621 Springer
Manulis M, Poettering B (2010) Practical Affiliation-Hiding Authentication from Improved Polynomial Interpolation., IACR Cryptology ePrint Archive 2010 pp. 659-659
Manulis M, Poettering B, Stebila D (2012) Plaintext Awareness in Identity-Based Key Encapsulation., IACR Cryptology ePrint Archive 2012 pp. 559-559
Gorantla M, Boyd C, Nieto J, Manulis M (2009) Generic One Round Group Key Exchange in the Standard Model., IACR Cryptology ePrint Archive 2009 pp. 514-514
Nieto J, Manulis M, Sun D (2012) Forward-Secure Hierarchical Predicate Encryption., Pairing 7708 pp. 83-101 Springer
Manulis M (2006) Security-Focused Survey on Group Key Exchange Protocols, 2006/03
Bresson E, Manulis M, Schwenk JO (2007) On Security Models and Compilers for Group Key Exchange Protocols, Proceedings of the 2nd International Workshop on Security (IWSEC 2007) LNCS 4752 pp. 292-307 Springer-Verlag
Nieto JMG, Manulis M, Poettering B, Rangasamy J, Stebila D (2012) Publicly Verifiable Ciphertexts, 8th International Conference on Security and Cryptography for Networks (SCN 2012) 7485 pp. 393-410 Springer
In many applications where encrypted traffic flows from an open (public) domain to a protected (private) domain there exists a gateway that bridges the two domains and faithfully forwards the incoming traffic to the receiver. We observe that indistinguishability against (adaptive) chosen-ciphertext attacks (IND-CCA), which is a mandatory goal in face of active attacks in a public domain, can be essentially relaxed to indistinguishability against chosen-plaintext attacks (IND-CPA) for ciphertexts once they pass the gateway that acts as an IND-CCA/CPA filter, by first checking the validity of an incoming IND-CCA ciphertext, then transforming it (if valid) into an IND-CPA ciphertext, and finally forwarding the latter to the recipient in the private domain. ?Non-trivial filtering? can result in reduced decryption costs on the receiver?s side.

We identify a class of encryption schemes with publicly verifiable ciphertexts that admit generic constructions of (non-trivial) IND-CCA/ CPA filters. These schemes are characterized by existence of public algorithms that can distinguish between valid and invalid ciphertexts. To this end, we formally define (non-trivial) public verifiability of ciphertexts for general encryption schemes, key encapsulation mechanisms, and hybrid encryption schemes, encompassing public-key, identity-based, and tag-based encryption flavors. We further analyze the security impact of public verifiability and discuss generic transformations and concrete constructions that enjoy this property.

Dent AW, Fischlin M, Manulis M, Stam M, Schröder D (2010) Confidential Signatures and Deterministic Signcryption, 13th International Conference on Practice and Theory in Public Key Cryptography (PKC 2010) 6056 pp. 462-479 Springer
Cristofaro E, Manulis M, Poettering B (2011) Private Discovery of Common Social Contacts, LNCS Applied Cryptography and Network Security - 9th International Conference, ACNS 2011 6715 pp. 147-165
The increasing use of computing devices for social interactions propels the proliferation of online social applications, yet, it prompts a number of privacy concerns. One common problem occurs when two unfamiliar users, in the process of establishing social relationships, want to assess their social proximity by discovering mutual contacts. In this paper, we introduce Private Contact Discovery, a novel cryptographic primitive that lets two users, on input their respective contact lists, learn their common contacts (if any), and nothing else. We present an efficient and provably secure construction, that (i) prevents arbitrary list manipulation by means of contact certification, and (ii) guarantees user authentication and revocability. Following a rigorous cryptographic treatment of the problem, we define the privacy-protecting contact-hiding property and prove it for our solution, under the RSA assumption in the Random Oracle Model (ROM). We also show that other related cryptographic techniques, such as Private Set Intersection and Secret Handshakes, are unsuitable in this context. Experimental analysis attests to the practicality of our technique, which achieves computational and communication overhead (almost) linear in the number of contacts.
Manulis M (2009) Group Key Exchange Enabling On-Demand Derivation of Peer-to-Peer Keys, Proceedings of the 7th International Conference on Applied Cryptography and Network Security (ACNS 2009) LNCS 5536 pp. 1-19 Springer-Verlag
Gorantla MC, Boyd C, Nieto JMG, Manulis M (2011) Modeling Key Compromise Impersonation Attacks on Group Key Exchange Protocols, ACM Transactions on Information and Systems Security (TISSEC) 14 (4) 28 ACM
Two-party key exchange (2PKE) protocols have been rigorously analyzed under various models considering different adversarial actions. However, the analysis of group key exchange (GKE) protocols has not been as extensive as that of 2PKE protocols. Particularly, an important security attribute called key compromise impersonation (KCI) resilience has been completely ignored for the case of GKE protocols. Informally, a protocol is said to provide KCI resilience if the compromise of the long-term secret key of a protocol participant A does not allow the adversary to impersonate an honest participant B to A. In this paper, we argue that KCI resilience for GKE protocols is at least as important as it is for 2PKE protocols.

Our first contribution is revised definitions of security for GKE protocols considering KCI attacks by both outsider and insider adversaries. We also give a new proof of security for an existing two-round GKE protocol under the revised security definitions assuming random oracles. We then show how to achieve insider KCIR in a generic way using a known compiler in the literature. As one may expect, this additional security assurance comes at the cost of an extra round of communication. Finally, we show that a few existing protocols are not secure against outsider KCI attacks. The attacks on these protocols illustrate the necessity of considering KCI resilience for GKE protocols.

Chen L, Löhr H, Manulis M, Sadeghi A-R (2008) Property-Based Attestation without a Trusted Third Party, Information Security, 11th International Conference, ISC 2008 5222 pp. 31-46 Springer
Manulis M, Sadeghi A-R, Schwenk J (2006) Linkable Democratic Group Signatures, Proceedings of the 2nd Information Security Practice and Experience Conference (ISPEC 2006) 3903 pp. 187-201 Springer-Verlag
Gajek S, Jager T, Manulis M, Schwenk J (2008) Method, Authentication Server and Service Server for Authenticating a Client,
The invention relates to a method for authenticating a client (C) with respect to a service server (S) comprises the following steps: transmitting an authentication token (c) from an authentication server (K) to the client (C) (110); transmitting the authentication token (c) from the client (C) to the service server (S) (120); verifying the authentication token (c) by the service server (S) (130); and deciding on an approval or disapproval of the requested resource, taking a result of the verification by the service server (S) into consideration (140). An authentication server (K) for authenticating a client (C) with respect to a service server (S) comprises a cryptography device for cryptographically attaching the authentication token (c) to a secret (cid), which is shared between the client (C) and the authentication server (K). The invention further relates to a service server (S) for authenticating a client (C) with respect to the service server (S), wherein the service server (S) comprises an authentication token verifier for verifying whether the authentication token (c) was cryptographically attached to a secret (cid) shared between the client (C) and the authentication server (K).
Liao L, Manulis M (2007) Tree-Based Group Key Agreement Framework for Mobile Ad-Hoc Networks, Future Generation Computer Systems (FGCS) 23 (6) 6 pp. 787-803
Design of protocols for mobile ad-hoc networks (MANETs) is generally tricky compared to wired networks, because on the one hand the increased communication constraints given by the limited bandwidth and frequent network failures, and on the other hand the additional computation and memory constraints due to performance limitations of mobile devices must be considered. We focus on the problem of the establishment of the shared key in mobile ad-hoc groups. This task can be achieved by means of a contributory group key agreement (CGKA) protocol that allows group members to compute the group key based on their individual contributions providing verifiable trust relationship between participants. As shown in this paper there exists currently no CGKA protocol for mobile ad-hoc networks that provides an optimal trade-off between communication and computation efficiency. Based on the comparison results of most suitable CGKA protocols we propose a new framework for the group key agreement in mobile ad-hoc networks. Theoretical analysis and experimental results show that our framework achieves optimal communication and computation efficiency compared to other protocols. © 2007 Elsevier Ltd. All rights reserved.
Nieto J, Manulis M, Sun D (2012) Fully Private Revocable Predicate Encryption., IACR Cryptology ePrint Archive 2012 pp. 403-403
Nieto J, Manulis M, Sun D (2012) Forward-Secure Hierarchical Predicate Encryption., IACR Cryptology ePrint Archive 2012 pp. 402-402
Manulis M, Sadeghi A, Schwenk J (2006) Linkable Democratic Group Signatures., IACR Cryptology ePrint Archive 2006 pp. 40-40
Manulis M, Schwenk J (2004) Pseudonym Generation Scheme for Ad-Hoc Group Communication Based on IDH, ESAS 3313 pp. 107-124 Springer
Manulis M, Poettering B (2011) Practical Affiliation-Hiding Authentication from Improved Polynomial Interpolation, ASIACCS 2011 pp. 286-295 ACM
Among the plethora of privacy-friendly authentication techniques, affiliation-hiding (AH) protocols are valuable for their ability to hide not only identities of communicating users behind their affiliations (memberships to groups), but also these affiliations from non-members. These qualities become increasingly important in our highly computerized user-centric information society, where privacy is an elusive good.

Only little work on practical aspects of AH schemes, pursuing optimized implementations and deployment, has been done so far, and the main question a practitioner might ask --- whether affiliation-hiding schemes are truly practical today --- remained widely unanswered. Improving upon recent advances in the area of AH protocols, in particular on pioneering results in the multi-affiliation setting, we can give an affirmative answer to this question. To this end, we propose numerous algorithmic optimizations to a recent AH scheme leading to a remarkable performance gain. Our results are demonstrated not only at theoretical level, but we also offer implementations, performance measurements, and comparisons. At the same time, our improvements advance the area of efficient polynomial interpolation in finite fields, which is one of our building blocks.

Fleischhacker N, Günther F, Kiefer F, Manulis M, Poettering B (2011) Pseudorandom Signatures., IACR Cryptology ePrint Archive 2011 pp. 673-673
Kuchta V, Manulis M (2013) Unique Aggregate Signatures with Applications to Distributed Verifiable Random Functions, 12th International Conference on Cryptology and Network Security (CANS) 8257 pp. 251-270 Springer
Gajek S, Manulis M, Pereira O, Sadeghi A-R, Schwenk J (2008) Universally Composable Security Analysis of TLS - Secure Sessions with Handshake and Record Layer Protocols., IACR Cryptology ePrint Archive 2008 pp. 251-251
Dent A, Fischlin M, Manulis M, Stam M, Schröder D (2009) Confidential Signatures and Deterministic Signcryption., IACR Cryptology ePrint Archive 2009 pp. 588-588
Bresson E, Manulis M (2008) Contributory Group Key Exchange in the Presence of Malicious Participants, IET Information Security 2 (3) pp. 85-93 IET
In a group key exchange (GKE) protocol, the resulting group key should be computed by all participants such that none of them can gain any advantage concerning the protocol's output: misbehaving participants might have personal advantage in influencing the value of the group key. In fact, the absence of trust relationship is the main feature of GKE (when compared with group key transport) protocols. The existing notions of security are enlarged by identifying limitations in some previously proposed security models while taking into account different types of corruptions (weak and strong). To illustrate these notions, two efficient and provably secure generic solutions, compilers, are presented.
Fleischhacker N, Manulis M, Azodi A (2012) Modular Design and Analysis Framework for Multi-Factor Authentication and Key Exchange., IACR Cryptology ePrint Archive 2012 pp. 181-181
Manulis M (2009) Securing Remote Access Inside Wireless Mesh Networks, LNCS. Proceedings of the 10th International Workshop on Information Security and Applications (WISA 2009) 5932 pp. 324-338 Springer Berlin Heidelberg
Wireless mesh networks (WMNs) that are being increasingly deployed in communities and public places provide a relatively stable routing infrastructure and can be used for diverse carrier-managed services. As a particular example we consider the scenario where a mobile device initially registered for the use with one wireless network (its home network) moves to the area covered by another network inside the same mesh. The goal is to establish a secure access to the home network using the infrastructure of the mesh.

Classical mechanisms such as VPNs can protect end-to-end communication between the mobile device and its home network while remaining transparent to the routing infrastructure. In WMNs this transparency can be misused for packet injection leading to the unnecessary consumption of the communication bandwidth. This may have negative impact on the cooperation of mesh routers which is essential for the connection establishment.

In this paper we describe how to establish remote connections inside WMNs while guaranteeing secure end-to-end communication between the mobile device and its home network and secure transmission of the corresponding packets along the underlying multi-hop path. Our solution is a provably secure, yet lightweight and round-optimal remote network access protocol in which intermediate mesh routers are considered to be part of the security architecture. We also sketch some ideas on the practical realization of the protocol using known standards and mention extensions with regard to forward secrecy, anonymity and accounting.

Gajek S, Manulis M, Sadeghi A-R, Schwenk J (2008) Provably Secure Browser-Based User-Aware Mutual Authentication over TLS, Proceedings of ACM Symposium on Information, Computer and Communications Security (ASIACCS?08) pp. 300-311 ACM Press
Abdalla M, Chevalier C, Manulis M, Pointcheval D (2010) Flexible Group Key Exchange with On-Demand Computation of Subgroup Keys, AFRICACRYPT 2010 6055 pp. 351-368 Springer Berlin Heidelberg
Modern multi-user communication systems, including popular instant messaging tools, social network platforms, and cooperative-work applications, offer flexible forms of communication and exchange of data. At any time point concurrent communication sessions involving different subsets of users can be invoked. The traditional tool for achieving security in a multi-party communication environment are group key exchange (GKE) protocols that provide participants with a secure group key for their subsequent communication. Yet, in communication scenarios where various user subsets may be involved in different sessions the deployment of classical GKE protocols has clear performance and scalability limitations as each new session should be preceded by a separate execution of the protocol. The motivation of this work is to study the possibility of designing more flexible GKE protocols allowing not only the computation of a group key for some initial set of users but also efficient derivation of independent secret keys for all potential subsets. In particular we improve and generalize the recently introduced GKE protocols enabling on-demand derivation of peer-to-peer keys (so called GKE+P protocols). We show how a group of users can agree on a secret group key while obtaining some additional information that they can use on-demand to efficiently compute independent secret keys for any possible subgroup. Our security analysis relies on the Gap Diffie-Hellman assumption and uses random oracles.
Camenisch J, Manulis M, Tsudik G, Wright RN (2012) Privacy-Oriented Cryptography (Dagstuhl Seminar 12381)., Dagstuhl Reports 2 9 pp. 165-183
Manulis M (2005) Contributory Group Key Agreement Protocols, Revisited for Mobile Ad-Hoc Groups, Proceedings of 2nd IEEE International Conference on Mobile Adhoc and Sensor Systems (MASS 2005) pp. 811-818 IEEE Computer Society
Nieto J, Manulis M, Poettering B, Rangasamy J, Stebila D (2013) Publicly Verifiable Ciphertexts, Journal of Computer Security 21 pp. 749-778 IOS Press
Manulis M, Poettering B, Stebila D (2014) Plaintext Awareness in Identity-Based Key Encapsulation, International Journal of Information Security 13 pp. 25-49 Springer
Nieto JMG, Manulis M, Sun D (2012) Fully Private Revocable Predicate Encryption, 17th Australasian Conference on Information Security and Privacy (ACISP 2012) 7372 pp. 350-363 Springer
We introduce the concept of Revocable Predicate Encryption (RPE), which extends current predicate encryption setting with revocation support: private keys can be used to decrypt an RPE ciphertext only if they match the decryption policy (defined via attributes encoded into the ciphertext and predicates associated with private keys) and were not revoked by the time the ciphertext was created.

We formalize the notion of attribute hiding in the presence of revocation and propose an RPE scheme, called AH-RPE, which achieves attribute-hiding under the Decision Linear assumption in the standard model.

We then present a stronger privacy notion, termed full hiding, which further cares about privacy of revoked users. We propose another RPE scheme, called FH-RPE, that adopts the Subset Cover Framework and offers full hiding under the Decision Linear assumption in the standard model. The scheme offers very flexible privacy-preserving access control to encrypted data and can be used in sender-local revocation scenarios.

Fujioka A, Manulis M, Suzuki K, Ustaoglu B (2012) Sufficient Condition for Ephemeral Key-Leakage Resilient Tripartite Key Exchange, 17th Australasian Conference on Information Security and Privacy (ACISP 2012) 7372 pp. 15-28 Springer
Cutillo LA, Manulis M, Strufe T (2010) Security and Privacy in Online Social Networks, In: Furht B (eds.), Handbook of Social Network Technologies and Applications 23 Springer-Verlag New York Inc
Gajek S, Jager T, Manulis M, Schwenk J (2008) A Browser-Based Kerberos Authentication Scheme, Proceedings of 13th European Symposium on Research in Computer Security (ESORICS 2008) 5283 pp. 115-129 Springer
Wang Y, Manulis M, Au M, Susilo W (2013) Relations among Privacy Notions for Signcryption and Key Invisible "Sign-then-Encrypt"., IACR Cryptology ePrint Archive 2013 pp. 230-230
Stelle S, Manulis M, Hollick M (2012) Topology-Driven Secure Initialization in Wireless Sensor Networks: A Tool-Assisted Approach, 7th International Conference on International Conference on Availability, Reliability and Security (ARES 2012) pp. 28-37 IEEE Computer Society
Secure initialization of sensor nodes with cryptographic keys is inherent to all security protocols and applicationsin the area of wireless sensor networks (WSN).We introduce a general framework, denoted TOPKEY, thatprovides tool assistance and performs secure initialization ofsensor nodes with cryptographic keys over the air by leveraging the transmission power to confine the area in which potential attackers can eavesdrop on communication. Our analysis shows that physical protection based on transmission power may, inpractice, lead to an acceptable level of key deployment security. Besides the fully automated key deployment, TOPKEY supports a five-step initialization process, suited to off-the-shelf sensor nodes that come without any pre-installed operating system. TOPKEY is currently tailored to static WSN topologies: it supports topology design and deploys topology-driven key generation for a range of WSN communication patterns. We implemented the framework and analyzed its performanceand scalability for commodity TelosB nodes and Contiki OS. Our analysis, performed with respect to different WSN topologies, shows that TOPKEY can be used to securely initialize a static network of about 100 nodes in less than one minute.
Günther F, Manulis M, Strufe T (2011) Key Management in Distributed Online Social Networks, Proceedings of 2011 IEEE International Symposium on a World of Wireless, Mobile, and Multimedia Networks pp. 1-7 IEEE
Decentralized approaches for online social networks (OSNs) have been of recent research interest, enabling users to create profiles and share data like in other OSNs as, e.g., Facebook. Since the decentralized architecture does not contain a central authority that is able perform access control, encryption is needed to ensure the confidentiality of published data. This paper outlines strict requirements and weak constraints for the encryption of data attributes in decentralized OSNs. Subsequently, an overview of possible cryptographic solutions is given and their suitability according to these requirements is analyzed. As a result, the differences and trade-offs between and within the given approaches are expounded. The outcome of this paper can be used as a foundation for further investigations on this topic.
Manulis M, Steiner M (2011) UPBA: User-Authenticated Property-Based Attestation, Proceedings of 9th Annual International Conference on Privacy, Security and Trust pp. 112-119 IEEE
Remote attestation of computing platforms, using trusted hardware, guarantees the integrity, and by this the trustworthiness of a host to remote parties. While classical binary attestation attests the configuration itself, property-based attestation (PBA) attests properties and thus offers higher privacy guarantees to the host and its user. Nonetheless, both techniques are free from any user authentication mechanisms. Especially in distributed applications involving user interactions, the remote party may require assurance for the trustworthiness of the host and the authenticity of its user. Independence of user authentication from platform attestation may become an obstacle due to potential relay attacks. The User-Authenticated Property-Based Attestation (UPBA), introduced in this work, can assure a remote party that some computing platform is trustworthy, and that it is used at that very moment by some particular user. Our basic protocol is secure and practical. We prove its security formally, discuss its compatibility with current trusted computing technology, and illustrate several nice enhancements.
Manulis M, Stebila D, Denham N (2014) Secure Modular Password Authentication for the Web Using Channel Bindings, 1st International Conference on Security Standardisation Research (SSR 2014) 8893 pp. 167-189 Springer
Fleischhacker N, Günther F, Kiefer F, Manulis M, Poettering B (2013) Pseudorandom Signatures, 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2013) pp. 107-118 ACM
Fischlin M, Buchmann J, Manulis M (2012) Public Key Cryptography ? PKC 2012, 7293 Springer-Verlag
Bresson E, Manulis M (2008) Securing Group Key Exchange against Strong Corruptions, Proceedings of ACM Symposium on Information, Computer and Communications Security (ASIACCS?08) pp. 249-260 ACM Press
Günther F, Manulis M, Peter A (2014) Privacy-Enhanced Participatory Sensing with Collusion Resistance and Data Aggregation, 13th International Conference on Cryptology and Network Security (CANS) 8813 pp. 321-336 Springer
Participatory sensing enables new paradigms and markets for information collection based on the ubiquitous availability of smartphones, but also introduces privacy challenges for participating users and their data. In this work, we review existing security models for privacy-preserving participatory sensing and propose several improvements that are both of theoretical and practical significance.
We first address an important drawback of prior work, namely the lack of consideration of collusion attacks that are highly relevant for such multi-user settings. We explain why existing security models are insufficient and why previous protocols become insecure in the presence of colluding parties. We remedy this problem by providing new security and privacy definitions that guarantee meaningful forms of collusion resistance. We propose new collusion-resistant participatory sensing protocols satisfying our definitions: a generic construction that uses anonymous identity-based encryption (IBE) and its practical instantiation based on the Boneh-Franklin IBE scheme.
We then extend the functionality of participatory sensing by adding the ability to perform aggregation on the data submitted by the users, without sacrificing their privacy. We realize this through an additively-homomorphic IBE scheme which in turn is constructed by slightly modifying the Boneh-Franklin IBE scheme. From a practical point of view, the resulting scheme is suitable for calculations with small sensor readings/values such as temperature measurements, noise levels, or prices, which is sufficient for many applications of participatory sensing.
Kiefer F, Manulis M (2014) Zero-Knowledge Password Policy Checks and Verifier-Based PAKE, 19th European Symposium on Research in Computer Security (ESORICS) 2 (8713) pp. 295-312 Springer
Zero-Knowledge Password Policy Checks (ZKPPC), introduced in this work, enable blind registration of client passwords at remote servers, i.e., client passwords are never transmitted to the servers. This eliminates the need for trusting servers to securely process and store client passwords. A ZKPPC protocol, executed as part of the registration procedure, allows clients to further prove compliance of chosen passwords with respect to password policies defined by the servers.
The main benefit of ZKPPC-based password registration is that it guarantees that registered passwords never appear in clear on the server side. At the end of the registration phase the server only receives and stores some verification information that can later be used for authentication in a suitable Verifier-based Password Authenticated Key Exchange (VPAKE) protocol.
We give general and concrete constructions of ZKPPC protocols and suitable VPAKE protocols for ASCII-based passwords and policies that are commonly used on the web. To this end we introduce a reversible mapping of ASCII characters to integers that can be used to preserve the structure of the password string and a new randomized password hashing scheme for ASCII-based passwords.
Manulis M, Leroy D, Koeune F, Bonaventure O, Quisquater J (2008) Authenticated Wireless Roaming via Tunnels: Making Mobile Guests Feel at Home., IACR Cryptology ePrint Archive 2008 pp. 382-382
Catuogno L, Löhr H, Manulis M, Sadeghi A-R, Stüble C, Winandy M (2010) Trusted Virtual Domains: Color Your Network, Datenschutz und Datensicherheit (DuD) 34 (5) pp. 289-294 Springer
Trusted Virtual Domains (TVDs) provide a secure IT infrastructure offering a homogeneous
and transparent enforcement of access control policies on data and network resources. In
this article, we give an overview of the fundamental ideas and basic concepts behind TVDs,
present a realization of TVDs, and discuss application scenarios.
Manulis M, Leroy D, Koeune F, Bonaventure O, Quisquater J-J (2009) Authenticated Wireless Roaming via Tunnels: Making Mobile Guests Feel at Home, Proceedings of ACM Symposium on Information, Computer and Communications Security (ASIACCS?09) pp. 92-103 ACM Press
In wireless roaming a mobile device obtains a service from some foreign network while being registered for the similar service at its own home network. However, recent proposals try to keep the service provider role behind the home network and let the foreign network create a tunnel connection through which all service requests of the mobile device are sent to and answered directly by the home network. Such Wireless Roaming via Tunnels (WRT) offers several (security) benefits but states also new security challenges on authentication and key establishment, as the goal is not only to protect the end-to-end communication between the tunnel peers but also the tunnel itself.

In this paper we formally specify mutual authentication and key establishment goals for WRT and propose an efficient and provably secure protocol that can be used to secure such roaming session. Additionally, we describe some modular protocol extensions to address resistance against DoS attacks, anonymity of the mobile device and unlinkability of its roaming sessions, as well as the accounting claims of the foreign network in commercial scenarios.

Manulis M, Suzuki K, Ustaoglu B (2013) Modeling Leakage of Ephemeral Secrets in Tripartite/Group Key Exchange, IEICE Transactions 96-A 1 pp. 101-110
We propose a security model, referred as g-eCK model, for group key exchange that captures essentially all non-trivial leakage of static and ephemeral secret keys of participants, i.e., group key exchange version of extended Canetti-Krawczyk (eCK) model. Moreover, we propose the first one-round tripartite key exchange (3KE) protocol secure in the g-eCK model under the gap Bilinear Diffie-Hellman (gap BDH) assumption and in the random oracle model.
Manulis M, Suzuki K, Ustaoglu B (2009) Modeling Leakage of Ephemeral Secrets in Tripartite/Group Key Exchange, Information Security and Cryptology - ICISC 2009 5984 pp. 16-33 Springer
Recent advances in the design and analysis of secure two-party key exchange (2KE) such as the leakage of ephemeral secrets used during the attacked sessions remained unnoticed by the current models for group key exchange (GKE). Focusing on a special case of GKE ? the tripartite key exchange (3KE) ? that allows for efficient one-round protocols, we demonstrate how to incorporate these advances to the multi-party setting. From this perspective our work closes the most pronounced gap between provably secure 2KE and GKE protocols.

The proposed 3KE protocol is an implicitly authenticated protocol with one communication round which remains secure even in the event of ephemeral secret leakage. It also significantly improves upon currently known 3KE protocols, many of which are insecure. An optional key confirmation round can be added to our proposal to achieve the explicitly authenticated protocol variant

Nieto J, Manulis M, Poettering B, Rangasamy J, Stebila D (2012) Publicly Verifiable Ciphertexts., IACR Cryptology ePrint Archive 2012 pp. 357-357
Kiefer F, Manulis M (2014) Distributed Smooth Projective Hashing and Its Application to Two-Server Password Authenticated Key Exchange, 12th International Conference on Applied Cryptography and Network Security (ACNS) 8479 pp. 199-216 Springer
Kuchta V, Manulis M (2014) Rerandomizable Threshold Blind Signatures,
Manulis M, Schwenk JO (2009) Security Model and Framework for Information Aggregation in Sensor Networks, ACM Transactions on Sensor Networks (TOSN) 5 (2) 13 ACM
Bresson E, Brecher T, Manulis M (2009) Fully Robust Tree-Diffie-Hellman Group Key Exchange, Proceedings of the 8th International Conference on Cryptology and Network Security (CANS 2009) LNCS 5888 pp. 478-497 Springer
Wang Y, Manulis M, Au MH, Susilo W (2013) Relations among Privacy Notions for Signcryption and Key Invisible ?Sign-then-Encrypt?, 18th Australasian Conference on Information Security and Privacy (ACISP 2013) 7959 pp. 187-202 Springer
Manulis M, Sadeghi A (2010) Key Agreement for Heterogeneous Mobile Ad-Hoc Groups, International Journal of Wireless and Mobile Computing (IJWMC) 4 (1) pp. 17-30 Inderscience
Security of various group-oriented applications for mobile ad-hoc groups requires a group secret shared between all participants. Contributory Group Key Agreement (CGKA) protocols can be used in mobile ad-hoc scenarios due to the absence of any trusted central authority (group manager) that actively participates in the computation of the group key. Members of spontaneously formed mobile ad-hoc groups are usually equipped with different kinds of mobile devices with varying performance capabilities. This heterogeneity opens new ways for the design of CGKA protocols and states additional security requirements with regard to the trustworthiness of the devices. In this paper we propose a CGKA protocol for mobile ad hoc groups that fairly distributes the computation costs amongst mobile devices by taking into account their performance limitations and preventing possible cheating through Trusted Computing techniques.
Manulis M, Schwenk J (2007) Provably Secure Framework for Information Aggregation is Sensor Networks., IACR Cryptology ePrint Archive 2007 pp. 283-283
Catuogno L, Löhr H, Manulis M, Sadeghi A-R, Winandy M (2009) Transparent Mobile Storage Protection in Trusted Virtual Domains, 23rd USENIX Large Installation Systems Administration Conference (LISA 2009) pp. 159-172 USENIX Association
Radke K, Boyd C, Nieto JG, Manulis M, Stebila D (2014) Formalising Human Recognition: A Fundamental Building Block for Security Proofs, 12th Australasian Information Security Conference (AISC 2014) 149 pp. 37-45 Australian Computer Society, Inc.
Bresson E, Manulis M (2008) Securing Group Key Exchange against Strong Corruptions and Key Registration Attacks, International Journal of Applied Cryptography (IJACT) 1 (2) pp. 91-107 Inderscience
In Group Key Exchange (GKE) protocols, users usually extract the group key using some auxiliary (ephemeral) secret information generated during the execution. Strong corruptions are attacks by which an adversary can reveal these ephemeral secrets, in addition to the possibly used long-lived keys. Undoubtedly, security impact of strong corruptions is serious, and thus specifying appropriate security requirements and designing secure GKE protocols appears an interesting yet challenging task ? the aim of our article. We start by investigating the current setting of strong corruptions and derive some refinements like opening attacks that allow to reveal ephemeral secrets of users without their long-lived keys. This allows to consider even stronger attacks against honest, but 'opened' users. Further, we define strong security goals for GKE protocols in the presence of such powerful adversaries and propose a 3-round GKE protocol, named TDH1, which remains immune to their attacks under standard cryptographic assumptions. Our security definitions allow adversaries to register users and specify their long-lived keys, thus, in particular capture attacks of malicious insiders for the appropriate security goals such as Mutual Authentication, key confirmation, contributiveness, key control and key-replication resilience.
Cristofaro E, Manulis M, Poettering B (2011) Private Discovery of Common Social Contacts., IACR Cryptology ePrint Archive 2011 pp. 26-26
Gajek S, Manulis M, Schwenk J (2008) Enforcing User-Aware Browser-Based Mutual Authentication with Strong Locked Same Origin Policy, LNCS Proceedings of 13th Australasian Conference on Information Security and Privacy (ACISP 2008) 5107 pp. 6-20 Springer Berlin Heidelberg
The standard solution for mutual authentication between human users and servers on the Internet is to execute a TLS handshake during which the server authenticates using a X.509 certificate followed by the authentication of the user either with own password or with some cookie stored within the user?s browser. Unfortunately, this solution is susceptible to various impersonation attacks such as phishing as it turned out that average Internet users are unable to authenticate servers based on their certificates.

In this paper we address security of cookie-based authentication using the concept of strong locked same origin policy for browsers introduced at ACM CCS?07. We describe a cookie-based authentication protocol between human users and TLS-servers and prove its security in the extended formal model for browser-based mutual authentication introduced at ACM ASIACCS?08. It turns out that the small modification of the browser?s security policy is sufficient to achieve provably secure cookie-based authentication protocols considering the ability of users to recognize images, video, or audio sequences.

Brzuska C, Busch H, Dagdelen Ö, Fischlin M, Franz M, Katzenbeisser S, Manulis M, Onete C, Peter A, Poettering B, Schröder D (2010) Redactable Signatures for Tree-Structured Data: Definitions and Constructions, Applied Cryptography and Network Security (ACNS 2010) pp. 87-104
Günther F, Manulis M, Strufe T (2011) Cryptographic Treatment of Private User Profiles, Financial Cryptography and Data Security. Lecture Notes in Computer Science 7126 pp. 40-54 Springer Berlin Heidelberg
The publication of private data in user profiles in a both secure and private way is a rising problem and of special interest in, e.g., online social networks that become more and more popular. Current approaches, especially for decentralized networks, often do not address this issue or impose large storage overhead. In this paper, we present a cryptographic approach to Private Profile Management that is seen as a building block for applications in which users maintain their own profiles, publish and retrieve data, and authorize other users to access different portions of data in their profiles. In this course, we provide: (i) formalization of confidentiality and unlinkability as two main security and privacy goals for the data which is kept in profiles and users who are authorized to retrieve this data, and (ii) specification, analysis, and comparison of two private profile management schemes based on different encryption techniques
Gorantla MC, Boyd C, Nieto JMG, Manulis M (2009) Generic One Round Group Key Exchange in the Standard Model, 12th International Conference on Information, Security, and Cryptology (ICISC 2009) 5984 pp. 1-15 Springer
Armknecht F, Escalante AN, Löhr H, Manulis M, Sadeghi A-R (2008) Secure Multi-Coupons for Federated Environments: Privacy-Preserving and Customer-Friendly, Information Security Practice and Experience, 4th International Conference, ISPEC 2008 4991 pp. 29-44 Springer
Manulis M, Poettering B, Tsudik G (2010) Taming Big Brother Ambitions: More Privacy for Secret Handshakes, Privacy Enhancing Technologies pp. 149-165
Christin D, Hollick M, Manulis M (2010) Security and Privacy Objectives for Sensing Applications in Wireless Community Networks, Proceedings of 19th International Conference on Computer Communications and Networks (ICCCN 2010) pp. 1-6 IEEE Computer Society
Manulis M, Pinkas B, Poettering B (2010) Privacy-Preserving Group Discovery with Linear Complexity, Applied Cryptography and Network Security (ACNS 2010) pp. 420-437
Manulis M (2006) Democratic Group Signatures - On an Example of Joint Ventures, Proceedings of ACM Symposium on Information, Computer and Communications Security (ASIACCS?06) pp. 365-365 ACM Press
We propose a novel group-oriented signature scheme, called a democratic group signature (DGS). In DGS the scheme setting is controlled on a contributory basis, i.e., without any centralized trusted authority (group manager). Group members agree on a common tracing trapdoor, i.e., every member can trace issued signatures individually. Members are able to sign on behalf of the group while remaining anonymous only to third parties. DGS supports dynamic changes of the group formation (joins and leaves of members). For security reasons the tracing trapdoor is updated after every dynamic change. The DGS model results from strong changes to the standard model of group signatures caused by elimination of the group manager's role and distribution of the tracing rights to individuals.
Pieprzyk J, Sadeghi AR, Manulis M (2012) Cryptology and Network Security ? CANS 2012, 7712
Manulis, Mark (2012) Cryptology and Network Security, 11th International Conference, CANS 2012, Darmstadt, Germany, December 12-14, 2012. Proceedings, CANS 7712 Springer
Liao L, Manulis M, Schwenk J (2008) Securing Email Communication with XML Technology, In: Gupta JND, Sharma S (eds.), Handbook of Research on Information Security and Assurance XVII pp. 202-217 IGI Global
This chapter deals with the issues concerning e-mail communication security. We analyze the most popular security
mechanisms and standards related to the e-mail communication and identify potential threats and vulnerabilities.
The most significant drawback of all current approaches is the impossibility of keeping headers information authentic.
This leads to possible impersonation attacks and profiling of the e-mail communication, and encourages
spam and phishing activities. Furthermore, none of the currently available security mechanisms supports partial
signature generation of the e-mail content by distinct signers, which might be useful in commercial scenarios. To
handle these problems, we suggest a new approach, called XMaiL, which can be considered as an advanced email
security mechanism based on the popular XML technologies. The proposed XMaiL supersedes all currently
available e-mail security standards in the sense of the higher flexibility and security.
Fischlin M, Libert B, Manulis M (2011) Non-Interactive and Re-Usable Universally Composable String Commitments with Adaptive Security, Lecture Notes in Computer Science: Advances in Cryptology ? ASIACRYPT 2011 7073 pp. 468-485 Springer
We present the first provably secure constructions of universally composable (UC) commitments (in pairing-friendly groups) that simultaneously combine the key properties of being non-interactive, supporting commitments to strings (instead of bits only), and offering re-usability of the common reference string for multiple commitments. Our schemes are also adaptively secure assuming reliable erasures.
Manulis M, Poettering B, Tsudik G (2010) Affiliation-Hiding Key Exchange with Untrusted Group Authorities, Applied Cryptography and Network Security (ACNS 2010) pp. 402-419
Manulis M (2008) Survey on Security Requirements and Models for Group Key Exchange, 2006/02
Manulis M (2005) Democratic Group Signatures on Example of Joint Ventures., IACR Cryptology ePrint Archive 2005 pp. 446-446
Gajek S, Manulis M, Schwenk J (2009) User-Aware Provably Secure Protocols for Browser-Based Mutual Authentication, International Journal of Applied Cryptography (IJACT) 1 (4) pp. 290-308 Inderscience
The standard solution for mutual authentication between human users and servers on the internet is to execute a transport layer security (TLS) handshake during which the server authenticates using a X.509 certificate followed by the authentication of the user either with own password or with some cookie stored within the user's browser. However, poor ability of human users to validate X.509 certificates allows for various forms of (social) impersonation attacks. In this paper, we introduce human perceptible authentication (HPA) as a concept for the secure user-aware authentication of servers via recognisable authenticators such as images, video or audio sequences. We formally specify HPA within a security model for browser-based mutual authentication; for this, we extend the traditional Bellare-Rogaway model to deal with human users as inherent protocol participants. Using HPA and the classical TLS handshake, we furthermore design two efficient provably secure password- and cookie-authentication protocols.
Manulis M (2005) Key Agreement for Heterogeneous Mobile Ad-Hoc Groups, Proceedings of 11th International Conference on Parallel and Distributed Systems (ICPADS 2005), Vol. 2 pp. 290-294 IEEE Computer Society
Chen L, Escalante AN, Löhr H, Manulis M, Sadeghi A-R (2008) A Privacy-Protecting Multi-Coupon Scheme with Stronger Protection against Splitting, Financial Cryptography and Data Security, 11th International Conference, FC 2007 4886 pp. 29-44 Springer-Verlag
Leroy D, Detal G, Cathalo J, Manulis M, Koeune F, Bonaventure O (2011) SWISH: Secure WiFi sharing, Computer Networks 55 (7) pp. 1614-1630 Elsevier
The fast increase of mobile Internet use motivates the need for WiFi sharing solutions, where a mobile user connects to the Internet via a nearby foreign network while its home network is far away. This situation creates security challenges which are only partially solved by existing solutions like VPNs. Such solutions neglect the security of the visited network, and private users or organizations are thus reluctant to share their connection. In this paper, we present and implement SWISH, an efficient, full scale solution to this problem. SWISH is based on establishing a tunnel from the visited network to the user?s home network. All the data from the mobile is then forwarded through this tunnel. Internet access is therefore provided without endangering the visited network. We also propose protocol extensions that allow the visited network to charge for the data it forwards, and to protect the privacy of the mobile user while preventing abuse. SWISH was successfully deployed on university networks, demonstrating that it can be conveniently implemented in existing networks with a minimal impact on performance.
Galindo D, Libert B, Fischlin M, Fuchsbauer G, Lehmann A, Manulis M, Schröder D (2010) Public-Key Encryption with Non-interactive Opening: New Constructions and Stronger Definitions, AFRICACRYPT 2010 6055 pp. 333-350 Springer
Leroy D, Manulis M, Bonaventure O (2009) Enhanced Wireless Roaming Security Using Three-Party Authentication and Tunnels, Proceedings of the 1st ACM workshop on User-provided Networking (U-Net), CoNEXT 2009 pp. 7-12 ACM Press
Manulis M (2010) Privacy-Preserving Admission to Mobile Peer-to-Peer Groups, 8th IEEE International Conference on Pervasive Computing and Communications (PerCom 2010) pp. 111-116 IEEE Computer Society
Robert R, Manulis M, Villenfagne FD, Leroy D, Jost J, Koeune F, Ker C, Dinant J-M, Poullet Y, Bonaventure O, Quisquater J-J (2008) WiFi Roaming: Legal Implications and Security Constraints, International Journal of Law and Information Technology 16 (3) pp. 205-241 Oxford University Press
WiFi technology has become the preferable form for mobile users to connect to the Internet. The growing popularity of WiFi-enabled devices and the increasing number of WiFi networks guarantees that this trend will continue in the future. Since a single network provider is usually not able to ensure WiFi coverage for its own users across many geographic locations the WiFi roaming technology appears to be the promising solution. A special attention upon the practical deployment of WiFi roaming should be paid to possible threats coming from the misuse of technology. In this light we analyze various legal implications that might become relevant due to the deployment of WiFi roaming and discuss several risks and problems related to the security during the establishment of roaming connections between mobile devices and the Internet.
Fan CI, Hsu RH, Manulis M (2011) Group Signature with Constant Revocation Costs for Signers and Verifiers, Lecture Notes in Computer Science: Cryptology and Network Security 7092 pp. 214-233 Springer
Membership revocation, being an important property for applications of group signatures, represents a bottleneck in today?s schemes. Most revocation methods require linear amount of work to be performed by unrevoked signers or verifiers, who usually have to obtain fresh update information (sometimes of linear size) published by the group manager. We overcome these disadvantages by proposing a novel group signature scheme, where computation costs for unrevoked signers and potential verifiers remain constant, and so is the length of the update information that must be fetched by these parties from the data published by the group manager. We achieve this complexity by increasing the amount of work at the group manager?s side, which growths quadratic with the total number of members. This increase is acceptable since algorithms of the group manager are typically executed on resourceful devices. Our scheme uses a slightly modified version of the pairing-based dynamic accumulator, introduced by Camenisch, Kohlweiss, and Soriente (PKC 2009), which we implicitly combine with the short (non-revocable) group signature scheme by Boneh, Boyen, and Shacham (CRYPTO 2004). We prove that our revocable scheme satisfies the desired security properties of anonymity, traceability, and non-frameability in the random oracle model, although for better efficiency we resort to a somewhat stronger hardness assumption.
Liao L, Manulis M (2006) Tree-Based Group Key Agreement Framework for Mobile Ad-Hoc Networks, Proceedings of 20th International Conference on Advanced Information Networking and Applications (AINA 2006), Vol. 2 pp. 5-9 IEEE Computer Society
Manulis M, Sadeghi A-R (2006) Property-Based Taming of Lying Mobile Nodes, Proceedings of 20th International Conference on Advanced Information Networking and Applications (AINA 2006), Vol. 2 pp. 476-480 IEEE Computer Society
Bresson E, Manulis M, Schwenk J (2006) On Security Models and Compilers for Group Key Exchange Protocols., IACR Cryptology ePrint Archive 2006 pp. 385-385
Manulis M, Poettering B (2011) Affiliation-Hiding Authentication with Minimal Bandwidth Consumption, pp. 85-99 Springer
Manulis M (2007) Provably Secure Group Key Exchange, 5 Europäischer Universitätsverlag
Gajek S, Manulis M, Pereira O, Sadeghi A-R, Schwenk J (2008) Universally Composable Security Analysis of TLS., Proceedings of the 2nd International Conference on Provable Security (ProvSec 2008) 5324 pp. 313-327 Springer
Bresson E, Manulis M (2007) Malicious Participants in Group Key Exchange: Key Control and Contributiveness in the Shadow of Trust, Proceedings of the 4th Autonomic and Trusted Computing Conference (ATC 2007) LNCS 4610 pp. 395-409 Springer-Verlag
Nieto J, Manulis M, Sun D (2014) Forward-Secure Hierarchical Predicate Encryption, The Computer Journal 57 pp. 510-536 Oxford University Press
Kiefer F, Manulis M (2016) Universally Composable Two-Server PAKE, LNCS Information Security 9866 pp. 147-166
Two-Server Password Authenticated Key Exchange (2PAKE) protocols apply secret shar-ing techniques to achieve protection against server-compromise attacks. 2PAKE protocols eliminate the need for password hashing and remain secure as long as one of the servers remains honest. This concept has also been explored in connection with two-server password authenticated secret sharing (2PASS) protocols for which game-based and universally composable versions have been proposed. In contrast, universally composable PAKE protocols exist currently only in the single-server scenario and all proposed 2PAKE protocols use game-based security de?nitions. In this paper we propose the ?rst construction of an universally composable 2PAKE protocol, alongside with its ideal functionality. The protocol is proven UC-secure in the standard model, assuming a common reference string which is a common assumption to many UC-secure PAKE and PASS protocols. The proposed protocol remains secure for arbitrary password distributions. As one of the building blocks we de?ne and construct a new cryptographic primitive, called Trapdoor Distributed Smooth Projective Hash Function (TD-SPHF), which could be of independent interest.
Many organisations enforce policies on the length and formation of passwords to encourage selection of strong passwords and protect their multi-user systems. For Two-Server Password Authenticated Key Exchange (2PAKE) and Two-Server Password Authenticated Secret Sharing (2PASS) protocols, where the password chosen by the client is secretly shared between the two servers, the initial remote registration of policy-compliant passwords represents a major problem because none of the servers is supposed to know the password in clear. We solve this problem by introducing Two-Server Blind Password Registration (2BPR) protocols that can be executed between a client and the two servers as part of the remote registration procedure. 2BPR protocols guarantee that secret shares sent to the servers belong to a password that matches their combined password policy and that the plain password remains hidden from any attacker that is in control of at most one server. We propose a security model for 2BPR protocols capturing the requirements of policy compliance for client passwords and their blindness against the servers. Our model extends the adversarial setting of 2PAKE/2PASS protocols to the registration phase and hence closes the gap in the formal treatment of such protocols. We construct an efficient 2BPR protocol for ASCII-based password policies, prove its security in the standard model, give a proof of concept implementation, and discuss its performance.
Cristofaro E, Manulis M, Poettering B (2013) Private Discovery of Common Social Contacts, International Journal of Information Security 12 (1) pp. 49-65 Springer
Manulis M, Stebila D, Kiefer F, Denham N (2016) Secure modular password authentication for the web using channel bindings, International Journal of Information Security 16 (6) pp. 597-620
Secure protocols for password-based user authentication are well-studied in the cryptographic literature but have failed to see wide-spread adoption on the Internet; most proposals to date require extensive modifications to the Transport Layer Security (TLS) protocol, making deployment challenging. Recently, a few modular designs have been proposed in which a cryptographically secure password-based mutual authentication protocol is run inside a confidential (but not necessarily authenticated) channel such as TLS; the password protocol is bound to the established channel to prevent active attacks. Such protocols are useful in practice for a variety of reasons: security no longer relies on users? ability to validate server certificates and can potentially be implemented with no modifications to the secure channel protocol library. We provide a systematic study of such authentication protocols. Building on recent advances in modelling TLS, we give a formal definition of the intended security goal, which we call password-authenticated and confidential channel establishment (PACCE). We show generically that combining a secure channel protocol, such as TLS, with a password authentication or password authenticated key exchange protocol, where the two protocols are bound together using the transcript of the secure channel?s handshake, the server?s certificate, or the server?s domain name, results in a secure PACCE protocol. Our prototypes based on TLS are available as a cross-platform client-side Firefox browser extension as well as an Android application and a server-side web application that can easily be installed on servers.