Joint work with Alan Sherman, Richard Chang, Enis Golaszewski, Ryan Wnuk-Fink, Cyrus Bonyadi, Mario Costa, Moses Liskov, and Edward Zieglar
Secure Remote Password (SRP) is a widely deployed password authenticated key exchange (PAKE) protocol used in products such as 1Password and iCloud Keychain. As with other PAKE protocols, the two participants in SRP use knowledge of a pre-shared password to authenticate each other and establish a session key. I will explain the SRP protocol and security goals it seeks to achieve. I will demonstrate how to model the protocol using the Cryptographic Protocol Shapes Analyzer (CPSA) tool and present my analysis of the shapes produced by CPSA.
Erin Lanus earned her Ph.D. in computer science in May 2019 from Arizona State University. Dr. Lanus is currently conducting research with Professor Sherman’s Protocol Analysis Lab at UMBC. Her previous results include how to use state to enable CPSA to reason about time in forced-latency protocols. Her research also explored algorithmic approaches to constructing combinatorial arrays employed in interaction testing and the creation of a new type of array for attribute distribution to achieve anonymous authorization in attribute-based systems. In October she will begin as a research assistant professor at Virginia Tech’s Hume Center in Northern Virginia. email:
Support for this research was provided in part by grants to CISA from the Department of Defense, CySP grants H98230-17-1-0387 and H98230-18-0321.
Dr. Behnam Shariati, Assistant Director of the UMBC Graduate Cybersecurity Program, is one of the authors of a new NIST Cybersecurity Practice Guide guide on how organizations can use standards-based, commercially available products to help meet their mobile device security and privacy needs. Dr. Shariati is also a lecturer in Cybersecurity graduate program and oversees its operations at the Universities at Shady Grove in Rockville, MD.
To address the challenge of securing mobile devices while managing risks, the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) built a laboratory environment to explore how various mobile security technologies can be integrated within an enterprise’s network.
A draft version of the document is available as NIST SPECIAL PUBLICATION 1800-21A, Mobile Device Security, Corporate-Owned Personally-Enabled (COPE) and NIST solicits comments on it by September 23, 2019.
From the summary:
“The rapid pace at which mobile technologies evolve requires regular reevaluation of a mobility program to ensure it is accomplishing its security, privacy, and workplace functionality. Built-in mobile protections may not be enough to fully mitigate the security challenges associated with mobile information systems. Usability, privacy, and regulatory requirements each influence which mobile security technologies and security controls are going to be well-suited to meet the needs of an organization’s mobility program.
The goal of the Mobile Device Security: Corporate-Owned Personally-Enabled (COPE) project is to provide an example solution demonstrating how organizations can use a standards-based approach and commercially available technologies to meet their security needs for using mobile devices to access enterprise resources.
The sample solution details tools for an enterprise mobility management (EMM) capability located on-premises, mobile threat defense (MTD), mobile threat intelligence (MTI), application vetting, secure boot/image authentication, and virtual private network (VPN) services.”
This NCCoE project is the first in a series on Mobile Device Security for Enterprises. The next one, Mobile Device Security: Bring Your Own Device (BYOD), is under development.
UMBC has partnered to create a global university network dedicated to securing critical systems against cyber threats: the International Cybersecurity Center of Excellence (INCS-CoE).
The INCS-CoE has its foundations in a 2018 cybersecurity collaboration that included UMBC, Keio University in Japan, and Royal Holloway University of London. That initial group has now formally expanded to include Northeastern University, Kyushu University in Japan, and Imperial College London.
The INCS-CoE will support the efforts of the participating universities as they work together to address cybersecurity challenges facing society. The collaboration focuses on cybersecurity for critical national infrastructures including information technology, public transit, and financial services. Additionally, the Center of Excellence will include research, advocacy, and education components.
“Trust is one of the key pillars for a free and interconnected world, for commerce and for exchange of information, be it in the real world or in the digital world,” says Karl V. Steiner, UMBC’s vice president for research. “In order for machines to communicate well with each other, we need to put in place policies and technologies that establish a trust basis.”
He explains, “The INCS-CoE is built on a similar strong layer of trust among six institutions from three different continents. This first-of-its-kind global Center of Excellence will enable us to rapidly exchange ideas and find solutions to developing issues in an increasingly networked world.”
In the future, INCS-CoE may expand to include government and corporate partners, says Steiner.
“The challenges this first-of-its-kind partnership aims to solve span a complex set of cybersecurity issues,” said David Luzzi, senior vice provost for research at Northeastern.
Each academic institution has specific strengths and areas of expertise that they bring to the partnership. UMBC’s Center for Cybersecurity and Center for Accelerated Real Time Analytics will be instrumental in contributing to INCS-CoE’s goals for UMBC.
Learn more about the INCS-CoE.
Adapted from a UMBC News article by Megan Hanks, photo by Marlayna Demond ’11 for UMBC.
Mobile communication is an essential part or modern life, however it is dependent on some fundamental security technologies. Critical amongst these technologies, is mobile authentication, the ability to identify valid users (and networks) and enable their secure usage of communication services. In the GSM standards and the 3GPP standards that evolved from them, the subscriber-side security has been founded on a removable, attack-resistant smart card known as a SIM (or USIM) card. The presentation explains how this situation came about, and how and why the protocols and algorithms have improved over time. It will cover some work by the author on a recent algorithm for 3GPP and then discuss how Machine-to-Machine and IoT considerations have led to new standards, which may herald the demise of the conventional removable SIM, in favour of an embedded eSIM.
Professor Keith Mayes B.Sc. Ph.D. CEng FIET A.Inst.ISP, is a professor of information security within the Information Security Group (ISG) at Royal Holloway University of London. Prior to his sabbatical, he was the Director of the ISG and Head of the School of Mathematics and Information Security. He is an active researcher/author with 100+ publications in numerous conferences, books and journals. His current research interests are diverse, including, mobile communications, smart cards/RFIDS, the Internet of Things, and embedded systems. Keith joined the ISG in 2002, originally as the Founder Director of the ISG Smart Card Centre, following a career in industry working for Pye TVT, Honeywell Aerospace and Defence, Racal Research and Vodafone. Keith is a Chartered Engineer, a Fellow of the Institution of Engineering and Technology, a Founder Associate Member of the Institute of Information Security Professionals, a Member of the Licensing Executives Society and an experienced company director and consultant. He is active in the UK All Party Parliamentary Group (APPG) on Cyber Security and is an adjunct professor at UMBC.
Several cryptographic protocols have been proposed to address the Man-in-the-Middle attack without the prior exchange of keys. This talk will describe a formal analysis of one such protocol proposed by Zooko Wilcox-O’Hearn, the forced-latency defense against the chess grandmaster attack. Using the Cryptographic Protocol Shapes Analyzer (CPSA), we validate the security properties of the protocol through the novel use of CPSA’s state features to represent time. We also describe a small message space attack that highlights how assumptions made in protocol design can affect the security of a protocol in use, even for a protocol with proven security properties.
Edward Zieglar is a security researcher in the Research Directorate of the National Security Agency, where he concentrates on formal analysis and verification of cryptographic protocols and network security. He is also an adjunct professor at UMBC where he teaches courses in networking and network security. He received his master’s and doctoral degrees in computer science from UMBC.