In many applications where encrypted traffic flows from an open (public) domain to a protected (private) domain there exists a gateway that bridges the two domains and faithfully forwards the incoming traffic to the receiver. We observe that indistinguishability against (adaptive) chosen-ciphertext attacks (IND-CCA), which is a mandatory goal in face of active attacks in a public domain, can be essentially relaxed to indistinguishability against chosen-plaintext attacks (IND-CPA) for ciphertexts once they pass the gateway that acts as an IND-CCA/CPA filter, by first checking the validity of an incoming IND-CCA ciphertext, then transforming it (if valid) into an IND-CPA ciphertext, and finally forwarding the latter to the recipient in the private domain. ?Non-trivial filtering? can result in reduced decryption costs on the receiver?s side.

We identify a class of encryption schemes with publicly verifiable ciphertexts that admit generic constructions of (non-trivial) IND-CCA/ CPA filters. These schemes are characterized by existence of public algorithms that can distinguish between valid and invalid ciphertexts. To this end, we formally define (non-trivial) public verifiability of ciphertexts for general encryption schemes, key encapsulation mechanisms, and hybrid encryption schemes, encompassing public-key, identity-based, and tag-based encryption flavors. We further analyze the security impact of public verifiability and discuss generic transformations and concrete constructions that enjoy this property.

The increasing use of computing devices for social interactions propels the proliferation of online social applications, yet, it prompts a number of privacy concerns. One common problem occurs when two unfamiliar users, in the process of establishing social relationships, want to assess their social proximity by discovering mutual contacts. In this paper, we introduce Private Contact Discovery, a novel cryptographic primitive that lets two users, on input their respective contact lists, learn their common contacts (if any), and nothing else. We present an efficient and provably secure construction, that (i) prevents arbitrary list manipulation by means of contact certification, and (ii) guarantees user authentication and revocability. Following a rigorous cryptographic treatment of the problem, we define the privacy-protecting contact-hiding property and prove it for our solution, under the RSA assumption in the Random Oracle Model (ROM). We also show that other related cryptographic techniques, such as Private Set Intersection and Secret Handshakes, are unsuitable in this context. Experimental analysis attests to the practicality of our technique, which achieves computational and communication overhead (almost) linear in the number of contacts.

Two-party key exchange (2PKE) protocols have been rigorously analyzed under various models considering different adversarial actions. However, the analysis of group key exchange (GKE) protocols has not been as extensive as that of 2PKE protocols. Particularly, an important security attribute called key compromise impersonation (KCI) resilience has been completely ignored for the case of GKE protocols. Informally, a protocol is said to provide KCI resilience if the compromise of the long-term secret key of a protocol participant A does not allow the adversary to impersonate an honest participant B to A. In this paper, we argue that KCI resilience for GKE protocols is at least as important as it is for 2PKE protocols.

Our first contribution is revised definitions of security for GKE protocols considering KCI attacks by both outsider and insider adversaries. We also give a new proof of security for an existing two-round GKE protocol under the revised security definitions assuming random oracles. We then show how to achieve insider KCIR in a generic way using a known compiler in the literature. As one may expect, this additional security assurance comes at the cost of an extra round of communication. Finally, we show that a few existing protocols are not secure against outsider KCI attacks. The attacks on these protocols illustrate the necessity of considering KCI resilience for GKE protocols.

The invention relates to a method for authenticating a client (C) with respect to a service server (S) comprises the following steps: transmitting an authentication token (c) from an authentication server (K) to the client (C) (110); transmitting the authentication token (c) from the client (C) to the service server (S) (120); verifying the authentication token (c) by the service server (S) (130); and deciding on an approval or disapproval of the requested resource, taking a result of the verification by the service server (S) into consideration (140). An authentication server (K) for authenticating a client (C) with respect to a service server (S) comprises a cryptography device for cryptographically attaching the authentication token (c) to a secret (cid), which is shared between the client (C) and the authentication server (K). The invention further relates to a service server (S) for authenticating a client (C) with respect to the service server (S), wherein the service server (S) comprises an authentication token verifier for verifying whether the authentication token (c) was cryptographically attached to a secret (cid) shared between the client (C) and the authentication server (K).

Design of protocols for mobile ad-hoc networks (MANETs) is generally tricky compared to wired networks, because on the one hand the increased communication constraints given by the limited bandwidth and frequent network failures, and on the other hand the additional computation and memory constraints due to performance limitations of mobile devices must be considered. We focus on the problem of the establishment of the shared key in mobile ad-hoc groups. This task can be achieved by means of a contributory group key agreement (CGKA) protocol that allows group members to compute the group key based on their individual contributions providing verifiable trust relationship between participants. As shown in this paper there exists currently no CGKA protocol for mobile ad-hoc networks that provides an optimal trade-off between communication and computation efficiency. Based on the comparison results of most suitable CGKA protocols we propose a new framework for the group key agreement in mobile ad-hoc networks. Theoretical analysis and experimental results show that our framework achieves optimal communication and computation efficiency compared to other protocols. © 2007 Elsevier Ltd. All rights reserved.

Among the plethora of privacy-friendly authentication techniques, affiliation-hiding (AH) protocols are valuable for their ability to hide not only identities of communicating users behind their affiliations (memberships to groups), but also these affiliations from non-members. These qualities become increasingly important in our highly computerized user-centric information society, where privacy is an elusive good.

Only little work on practical aspects of AH schemes, pursuing optimized implementations and deployment, has been done so far, and the main question a practitioner might ask --- whether affiliation-hiding schemes are truly practical today --- remained widely unanswered. Improving upon recent advances in the area of AH protocols, in particular on pioneering results in the multi-affiliation setting, we can give an affirmative answer to this question. To this end, we propose numerous algorithmic optimizations to a recent AH scheme leading to a remarkable performance gain. Our results are demonstrated not only at theoretical level, but we also offer implementations, performance measurements, and comparisons. At the same time, our improvements advance the area of efficient polynomial interpolation in finite fields, which is one of our building blocks.

In a group key exchange (GKE) protocol, the resulting group key should be computed by all participants such that none of them can gain any advantage concerning the protocol's output: misbehaving participants might have personal advantage in influencing the value of the group key. In fact, the absence of trust relationship is the main feature of GKE (when compared with group key transport) protocols. The existing notions of security are enlarged by identifying limitations in some previously proposed security models while taking into account different types of corruptions (weak and strong). To illustrate these notions, two efficient and provably secure generic solutions, compilers, are presented.

Wireless mesh networks (WMNs) that are being increasingly deployed in communities and public places provide a relatively stable routing infrastructure and can be used for diverse carrier-managed services. As a particular example we consider the scenario where a mobile device initially registered for the use with one wireless network (its home network) moves to the area covered by another network inside the same mesh. The goal is to establish a secure access to the home network using the infrastructure of the mesh.

Classical mechanisms such as VPNs can protect end-to-end communication between the mobile device and its home network while remaining transparent to the routing infrastructure. In WMNs this transparency can be misused for packet injection leading to the unnecessary consumption of the communication bandwidth. This may have negative impact on the cooperation of mesh routers which is essential for the connection establishment.

In this paper we describe how to establish remote connections inside WMNs while guaranteeing secure end-to-end communication between the mobile device and its home network and secure transmission of the corresponding packets along the underlying multi-hop path. Our solution is a provably secure, yet lightweight and round-optimal remote network access protocol in which intermediate mesh routers are considered to be part of the security architecture. We also sketch some ideas on the practical realization of the protocol using known standards and mention extensions with regard to forward secrecy, anonymity and accounting.

Modern multi-user communication systems, including popular instant messaging tools, social network platforms, and cooperative-work applications, offer flexible forms of communication and exchange of data. At any time point concurrent communication sessions involving different subsets of users can be invoked. The traditional tool for achieving security in a multi-party communication environment are group key exchange (GKE) protocols that provide participants with a secure group key for their subsequent communication. Yet, in communication scenarios where various user subsets may be involved in different sessions the deployment of classical GKE protocols has clear performance and scalability limitations as each new session should be preceded by a separate execution of the protocol. The motivation of this work is to study the possibility of designing more flexible GKE protocols allowing not only the computation of a group key for some initial set of users but also efficient derivation of independent secret keys for all potential subsets. In particular we improve and generalize the recently introduced GKE protocols enabling on-demand derivation of peer-to-peer keys (so called GKE+P protocols). We show how a group of users can agree on a secret group key while obtaining some additional information that they can use on-demand to efficiently compute independent secret keys for any possible subgroup. Our security analysis relies on the Gap Diffie-Hellman assumption and uses random oracles.

We introduce the concept of Revocable Predicate Encryption (RPE), which extends current predicate encryption setting with revocation support: private keys can be used to decrypt an RPE ciphertext only if they match the decryption policy (defined via attributes encoded into the ciphertext and predicates associated with private keys) and were not revoked by the time the ciphertext was created.

We formalize the notion of attribute hiding in the presence of revocation and propose an RPE scheme, called AH-RPE, which achieves attribute-hiding under the Decision Linear assumption in the standard model.

We then present a stronger privacy notion, termed full hiding, which further cares about privacy of revoked users. We propose another RPE scheme, called FH-RPE, that adopts the Subset Cover Framework and offers full hiding under the Decision Linear assumption in the standard model. The scheme offers very flexible privacy-preserving access control to encrypted data and can be used in sender-local revocation scenarios.

Secure initialization of sensor nodes with cryptographic keys is inherent to all security protocols and applicationsin the area of wireless sensor networks (WSN).We introduce a general framework, denoted TOPKEY, thatprovides tool assistance and performs secure initialization ofsensor nodes with cryptographic keys over the air by leveraging the transmission power to confine the area in which potential attackers can eavesdrop on communication. Our analysis shows that physical protection based on transmission power may, inpractice, lead to an acceptable level of key deployment security. Besides the fully automated key deployment, TOPKEY supports a five-step initialization process, suited to off-the-shelf sensor nodes that come without any pre-installed operating system. TOPKEY is currently tailored to static WSN topologies: it supports topology design and deploys topology-driven key generation for a range of WSN communication patterns. We implemented the framework and analyzed its performanceand scalability for commodity TelosB nodes and Contiki OS. Our analysis, performed with respect to different WSN topologies, shows that TOPKEY can be used to securely initialize a static network of about 100 nodes in less than one minute.

Decentralized approaches for online social networks (OSNs) have been of recent research interest, enabling users to create profiles and share data like in other OSNs as, e.g., Facebook. Since the decentralized architecture does not contain a central authority that is able perform access control, encryption is needed to ensure the confidentiality of published data. This paper outlines strict requirements and weak constraints for the encryption of data attributes in decentralized OSNs. Subsequently, an overview of possible cryptographic solutions is given and their suitability according to these requirements is analyzed. As a result, the differences and trade-offs between and within the given approaches are expounded. The outcome of this paper can be used as a foundation for further investigations on this topic.

Remote attestation of computing platforms, using trusted hardware, guarantees the integrity, and by this the trustworthiness of a host to remote parties. While classical binary attestation attests the configuration itself, property-based attestation (PBA) attests properties and thus offers higher privacy guarantees to the host and its user. Nonetheless, both techniques are free from any user authentication mechanisms. Especially in distributed applications involving user interactions, the remote party may require assurance for the trustworthiness of the host and the authenticity of its user. Independence of user authentication from platform attestation may become an obstacle due to potential relay attacks. The User-Authenticated Property-Based Attestation (UPBA), introduced in this work, can assure a remote party that some computing platform is trustworthy, and that it is used at that very moment by some particular user. Our basic protocol is secure and practical. We prove its security formally, discuss its compatibility with current trusted computing technology, and illustrate several nice enhancements.

Participatory sensing enables new paradigms and markets for information collection based on the ubiquitous availability of smartphones, but also introduces privacy challenges for participating users and their data. In this work, we review existing security models for privacy-preserving participatory sensing and propose several improvements that are both of theoretical and practical significance.
We first address an important drawback of prior work, namely the lack of consideration of collusion attacks that are highly relevant for such multi-user settings. We explain why existing security models are insufficient and why previous protocols become insecure in the presence of colluding parties. We remedy this problem by providing new security and privacy definitions that guarantee meaningful forms of collusion resistance. We propose new collusion-resistant participatory sensing protocols satisfying our definitions: a generic construction that uses anonymous identity-based encryption (IBE) and its practical instantiation based on the Boneh-Franklin IBE scheme.
We then extend the functionality of participatory sensing by adding the ability to perform aggregation on the data submitted by the users, without sacrificing their privacy. We realize this through an additively-homomorphic IBE scheme which in turn is constructed by slightly modifying the Boneh-Franklin IBE scheme. From a practical point of view, the resulting scheme is suitable for calculations with small sensor readings/values such as temperature measurements, noise levels, or prices, which is sufficient for many applications of participatory sensing.

Zero-Knowledge Password Policy Checks (ZKPPC), introduced in this work, enable blind registration of client passwords at remote servers, i.e., client passwords are never transmitted to the servers. This eliminates the need for trusting servers to securely process and store client passwords. A ZKPPC protocol, executed as part of the registration procedure, allows clients to further prove compliance of chosen passwords with respect to password policies defined by the servers.
The main benefit of ZKPPC-based password registration is that it guarantees that registered passwords never appear in clear on the server side. At the end of the registration phase the server only receives and stores some verification information that can later be used for authentication in a suitable Verifier-based Password Authenticated Key Exchange (VPAKE) protocol.
We give general and concrete constructions of ZKPPC protocols and suitable VPAKE protocols for ASCII-based passwords and policies that are commonly used on the web. To this end we introduce a reversible mapping of ASCII characters to integers that can be used to preserve the structure of the password string and a new randomized password hashing scheme for ASCII-based passwords.

Trusted Virtual Domains (TVDs) provide a secure IT infrastructure offering a homogeneous
and transparent enforcement of access control policies on data and network resources. In
this article, we give an overview of the fundamental ideas and basic concepts behind TVDs,
present a realization of TVDs, and discuss application scenarios.

In wireless roaming a mobile device obtains a service from some foreign network while being registered for the similar service at its own home network. However, recent proposals try to keep the service provider role behind the home network and let the foreign network create a tunnel connection through which all service requests of the mobile device are sent to and answered directly by the home network. Such Wireless Roaming via Tunnels (WRT) offers several (security) benefits but states also new security challenges on authentication and key establishment, as the goal is not only to protect the end-to-end communication between the tunnel peers but also the tunnel itself.

In this paper we formally specify mutual authentication and key establishment goals for WRT and propose an efficient and provably secure protocol that can be used to secure such roaming session. Additionally, we describe some modular protocol extensions to address resistance against DoS attacks, anonymity of the mobile device and unlinkability of its roaming sessions, as well as the accounting claims of the foreign network in commercial scenarios.

We propose a security model, referred as g-eCK model, for group key exchange that captures essentially all non-trivial leakage of static and ephemeral secret keys of participants, i.e., group key exchange version of extended Canetti-Krawczyk (eCK) model. Moreover, we propose the first one-round tripartite key exchange (3KE) protocol secure in the g-eCK model under the gap Bilinear Diffie-Hellman (gap BDH) assumption and in the random oracle model.

Recent advances in the design and analysis of secure two-party key exchange (2KE) such as the leakage of ephemeral secrets used during the attacked sessions remained unnoticed by the current models for group key exchange (GKE). Focusing on a special case of GKE ? the tripartite key exchange (3KE) ? that allows for efficient one-round protocols, we demonstrate how to incorporate these advances to the multi-party setting. From this perspective our work closes the most pronounced gap between provably secure 2KE and GKE protocols.

The proposed 3KE protocol is an implicitly authenticated protocol with one communication round which remains secure even in the event of ephemeral secret leakage. It also significantly improves upon currently known 3KE protocols, many of which are insecure. An optional key confirmation round can be added to our proposal to achieve the explicitly authenticated protocol variant

Security of various group-oriented applications for mobile ad-hoc groups requires a group secret shared between all participants. Contributory Group Key Agreement (CGKA) protocols can be used in mobile ad-hoc scenarios due to the absence of any trusted central authority (group manager) that actively participates in the computation of the group key. Members of spontaneously formed mobile ad-hoc groups are usually equipped with different kinds of mobile devices with varying performance capabilities. This heterogeneity opens new ways for the design of CGKA protocols and states additional security requirements with regard to the trustworthiness of the devices. In this paper we propose a CGKA protocol for mobile ad hoc groups that fairly distributes the computation costs amongst mobile devices by taking into account their performance limitations and preventing possible cheating through Trusted Computing techniques.

In Group Key Exchange (GKE) protocols, users usually extract the group key using some auxiliary (ephemeral) secret information generated during the execution. Strong corruptions are attacks by which an adversary can reveal these ephemeral secrets, in addition to the possibly used long-lived keys. Undoubtedly, security impact of strong corruptions is serious, and thus specifying appropriate security requirements and designing secure GKE protocols appears an interesting yet challenging task ? the aim of our article. We start by investigating the current setting of strong corruptions and derive some refinements like opening attacks that allow to reveal ephemeral secrets of users without their long-lived keys. This allows to consider even stronger attacks against honest, but 'opened' users. Further, we define strong security goals for GKE protocols in the presence of such powerful adversaries and propose a 3-round GKE protocol, named TDH1, which remains immune to their attacks under standard cryptographic assumptions. Our security definitions allow adversaries to register users and specify their long-lived keys, thus, in particular capture attacks of malicious insiders for the appropriate security goals such as Mutual Authentication, key confirmation, contributiveness, key control and key-replication resilience.

The standard solution for mutual authentication between human users and servers on the Internet is to execute a TLS handshake during which the server authenticates using a X.509 certificate followed by the authentication of the user either with own password or with some cookie stored within the user?s browser. Unfortunately, this solution is susceptible to various impersonation attacks such as phishing as it turned out that average Internet users are unable to authenticate servers based on their certificates.

In this paper we address security of cookie-based authentication using the concept of strong locked same origin policy for browsers introduced at ACM CCS?07. We describe a cookie-based authentication protocol between human users and TLS-servers and prove its security in the extended formal model for browser-based mutual authentication introduced at ACM ASIACCS?08. It turns out that the small modification of the browser?s security policy is sufficient to achieve provably secure cookie-based authentication protocols considering the ability of users to recognize images, video, or audio sequences.

The publication of private data in user profiles in a both secure and private way is a rising problem and of special interest in, e.g., online social networks that become more and more popular. Current approaches, especially for decentralized networks, often do not address this issue or impose large storage overhead. In this paper, we present a cryptographic approach to Private Profile Management that is seen as a building block for applications in which users maintain their own profiles, publish and retrieve data, and authorize other users to access different portions of data in their profiles. In this course, we provide: (i) formalization of confidentiality and unlinkability as two main security and privacy goals for the data which is kept in profiles and users who are authorized to retrieve this data, and (ii) specification, analysis, and comparison of two private profile management schemes based on different encryption techniques

We propose a novel group-oriented signature scheme, called a democratic group signature (DGS). In DGS the scheme setting is controlled on a contributory basis, i.e., without any centralized trusted authority (group manager). Group members agree on a common tracing trapdoor, i.e., every member can trace issued signatures individually. Members are able to sign on behalf of the group while remaining anonymous only to third parties. DGS supports dynamic changes of the group formation (joins and leaves of members). For security reasons the tracing trapdoor is updated after every dynamic change. The DGS model results from strong changes to the standard model of group signatures caused by elimination of the group manager's role and distribution of the tracing rights to individuals.

This chapter deals with the issues concerning e-mail communication security. We analyze the most popular security
mechanisms and standards related to the e-mail communication and identify potential threats and vulnerabilities.
The most significant drawback of all current approaches is the impossibility of keeping headers information authentic.
This leads to possible impersonation attacks and profiling of the e-mail communication, and encourages
spam and phishing activities. Furthermore, none of the currently available security mechanisms supports partial
signature generation of the e-mail content by distinct signers, which might be useful in commercial scenarios. To
handle these problems, we suggest a new approach, called XMaiL, which can be considered as an advanced email
security mechanism based on the popular XML technologies. The proposed XMaiL supersedes all currently
available e-mail security standards in the sense of the higher flexibility and security.

We present the first provably secure constructions of universally composable (UC) commitments (in pairing-friendly groups) that simultaneously combine the key properties of being non-interactive, supporting commitments to strings (instead of bits only), and offering re-usability of the common reference string for multiple commitments. Our schemes are also adaptively secure assuming reliable erasures.

The standard solution for mutual authentication between human users and servers on the internet is to execute a transport layer security (TLS) handshake during which the server authenticates using a X.509 certificate followed by the authentication of the user either with own password or with some cookie stored within the user's browser. However, poor ability of human users to validate X.509 certificates allows for various forms of (social) impersonation attacks. In this paper, we introduce human perceptible authentication (HPA) as a concept for the secure user-aware authentication of servers via recognisable authenticators such as images, video or audio sequences. We formally specify HPA within a security model for browser-based mutual authentication; for this, we extend the traditional Bellare-Rogaway model to deal with human users as inherent protocol participants. Using HPA and the classical TLS handshake, we furthermore design two efficient provably secure password- and cookie-authentication protocols.

The fast increase of mobile Internet use motivates the need for WiFi sharing solutions, where a mobile user connects to the Internet via a nearby foreign network while its home network is far away. This situation creates security challenges which are only partially solved by existing solutions like VPNs. Such solutions neglect the security of the visited network, and private users or organizations are thus reluctant to share their connection. In this paper, we present and implement SWISH, an efficient, full scale solution to this problem. SWISH is based on establishing a tunnel from the visited network to the user?s home network. All the data from the mobile is then forwarded through this tunnel. Internet access is therefore provided without endangering the visited network. We also propose protocol extensions that allow the visited network to charge for the data it forwards, and to protect the privacy of the mobile user while preventing abuse. SWISH was successfully deployed on university networks, demonstrating that it can be conveniently implemented in existing networks with a minimal impact on performance.

WiFi technology has become the preferable form for mobile users to connect to the Internet. The growing popularity of WiFi-enabled devices and the increasing number of WiFi networks guarantees that this trend will continue in the future. Since a single network provider is usually not able to ensure WiFi coverage for its own users across many geographic locations the WiFi roaming technology appears to be the promising solution. A special attention upon the practical deployment of WiFi roaming should be paid to possible threats coming from the misuse of technology. In this light we analyze various legal implications that might become relevant due to the deployment of WiFi roaming and discuss several risks and problems related to the security during the establishment of roaming connections between mobile devices and the Internet.

Membership revocation, being an important property for applications of group signatures, represents a bottleneck in today?s schemes. Most revocation methods require linear amount of work to be performed by unrevoked signers or verifiers, who usually have to obtain fresh update information (sometimes of linear size) published by the group manager. We overcome these disadvantages by proposing a novel group signature scheme, where computation costs for unrevoked signers and potential verifiers remain constant, and so is the length of the update information that must be fetched by these parties from the data published by the group manager. We achieve this complexity by increasing the amount of work at the group manager?s side, which growths quadratic with the total number of members. This increase is acceptable since algorithms of the group manager are typically executed on resourceful devices. Our scheme uses a slightly modified version of the pairing-based dynamic accumulator, introduced by Camenisch, Kohlweiss, and Soriente (PKC 2009), which we implicitly combine with the short (non-revocable) group signature scheme by Boneh, Boyen, and Shacham (CRYPTO 2004). We prove that our revocable scheme satisfies the desired security properties of anonymity, traceability, and non-frameability in the random oracle model, although for better efficiency we resort to a somewhat stronger hardness assumption.

Two-Server Password Authenticated Key Exchange (2PAKE) protocols apply secret shar-ing techniques to achieve protection against server-compromise attacks. 2PAKE protocols eliminate the need for password hashing and remain secure as long as one of the servers remains honest. This concept has also been explored in connection with two-server password authenticated secret sharing (2PASS) protocols for which game-based and universally composable versions have been proposed. In contrast, universally composable PAKE protocols exist currently only in the single-server scenario and all proposed 2PAKE protocols use game-based security de?nitions. In this paper we propose the ?rst construction of an universally composable 2PAKE protocol, alongside with its ideal functionality. The protocol is proven UC-secure in the standard model, assuming a common reference string which is a common assumption to many UC-secure PAKE and PASS protocols. The proposed protocol remains secure for arbitrary password distributions. As one of the building blocks we de?ne and construct a new cryptographic primitive, called Trapdoor Distributed Smooth Projective Hash Function (TD-SPHF), which could be of independent interest.

Many organisations enforce policies on the length and formation of passwords to encourage selection of strong passwords and protect their multi-user systems. For Two-Server Password Authenticated Key Exchange (2PAKE) and Two-Server Password Authenticated Secret Sharing (2PASS) protocols, where the password chosen by the client is secretly shared between the two servers, the initial remote registration of policy-compliant passwords represents a major problem because none of the servers is supposed to know the password in clear. We solve this problem by introducing Two-Server Blind Password Registration (2BPR) protocols that can be executed between a client and the two servers as part of the remote registration procedure. 2BPR protocols guarantee that secret shares sent to the servers belong to a password that matches their combined password policy and that the plain password remains hidden from any attacker that is in control of at most one server. We propose a security model for 2BPR protocols capturing the requirements of policy compliance for client passwords and their blindness against the servers. Our model extends the adversarial setting of 2PAKE/2PASS protocols to the registration phase and hence closes the gap in the formal treatment of such protocols. We construct an efficient 2BPR protocol for ASCII-based password policies, prove its security in the standard model, give a proof of concept implementation, and discuss its performance.

Secure protocols for password-based user authentication are well-studied in the cryptographic literature but have failed to see wide-spread adoption on the Internet; most proposals to date require extensive modifications to the Transport Layer Security (TLS) protocol, making deployment challenging. Recently, a few modular designs have been proposed in which a cryptographically secure password-based mutual authentication protocol is run inside a confidential (but not necessarily authenticated) channel such as TLS; the password protocol is bound to the established channel to prevent active attacks. Such protocols are useful in practice for a variety of reasons: security no longer relies on users? ability to validate server certificates and can potentially be implemented with no modifications to the secure channel protocol library. We provide a systematic study of such authentication protocols. Building on recent advances in modelling TLS, we give a formal definition of the intended security goal, which we call password-authenticated and confidential channel establishment (PACCE). We show generically that combining a secure channel protocol, such as TLS, with a password authentication or password authenticated key exchange protocol, where the two protocols are bound together using the transcript of the secure channel?s handshake, the server?s certificate, or the server?s domain name, results in a secure PACCE protocol. Our prototypes based on TLS are available as a cross-platform client-side Firefox browser extension as well as an Android application and a server-side web application that can easily be installed on servers.