Forthcoming and Online First Articles

International Journal of Applied Cryptography

International Journal of Applied Cryptography (IJACT)

Forthcoming articles have been peer-reviewed and accepted for publication but are pending final changes, are not yet published and may not appear here in their final order of publication until they are assigned to issues. Therefore, the content conforms to our standards but the presentation (e.g. typesetting and proof-reading) is not necessarily up to the Inderscience standard. Additionally, titles, authors, abstracts and keywords may change before publication. Articles will not be published until the final proofs are validated by their authors.

Forthcoming articles must be purchased for the purposes of research, teaching and private study only. These articles can be cited using the expression "in press". For example: Smith, J. (in press). Article Title. Journal Title.


Online First articles are published online here, before they appear in a journal issue. Online First articles are fully citeable, complete with a DOI. They can be cited, read, and downloaded. Online First articles are published as Open Access (OA) articles to make the latest research available as early as possible.




International Journal of Applied Cryptography (2 papers in press)

Regular Issues

  • A reduction-based proof for authentication and session key security in 3-Party Kerberos
    by Jörg Schwenk, Douglas Stebila 
    Abstract: Kerberos is one of the earliest network security protocols, providing authentication between clients and servers with the assistance of trusted servers. It remains widely used, notably as the default authentication protocol in Microsoft Active Directory (thus shipped with every major operating system), and is the ancestor of modern single sign-on protocols such as OAuth and OpenID Connect. There have been many analyses of Kerberos in the symbolic (Dolev-Yao) model, which is more amenable to computer-aided verification tools than the computational model, but also idealises messages and cryptographic primitives more. Reduction-based proofs in the computational model can provide assurance against a richer class of adversaries, and proofs with concrete probability analyses help in picking security parameters, but Kerberos has had no such analyses to date. We give a reduction-based security proof of Kerberos authentication and key establishment, focusing on the mandatory three-party mode. We show that it is a secure authentication protocol under standard assumptions on its encryption scheme; our results can be lifted to apply to quantum adversaries as well. As has been the case for other real-world authenticated key exchange (AKE) protocols, the standard AKE security notion of session key indistinguishability cannot be proven for Kerberos since the session key is used in the protocol itself, breaking indistinguishability. We provide two positive results despite this: we show that the standardised but optional sub-session mode of Kerberos does yield secure session keys, and that the hash of the main session key is also a secure session key under Krawczyk's generalisation of the authenticated and confidential channel establishment model.
    Keywords: Kerberos; authenticated key exchange; single sign-on; security protocol.
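    The indistinguishability problem the abstract describes can be seen concretely in a few lines. The following is an added illustration, not code from the paper or from any Kerberos implementation: a toy three-party run in which the session key K protects the client's authenticator (modelled here as an HMAC keyed checksum; real Kerberos encrypts the authenticator with an encryption-type-specific scheme), a distinguisher that tests a candidate key against that public transcript, and a measurement of its advantage when the key under test is K itself versus SHA-256(K). All names, field values and the key-derivation choice are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed authenticator body. Real Kerberos authenticators are ASN.1 and
# are encrypted, not merely checksummed, under the session key; the point
# illustrated (K is used in the transcript) is the same either way.
AUTHENTICATOR = b"cname=alice@EXAMPLE.ORG;sname=http/web.example.org;ctime=20240101000000Z"


def kerberos_toy_run():
    """One protocol run: the KDC picks session key K and the client sends an
    AP-REQ whose authenticator is protected under K.
    Returns (K, transcript visible to the network adversary)."""
    k = secrets.token_bytes(32)
    tag = hmac.new(k, AUTHENTICATOR, hashlib.sha256).digest()
    return k, {"authenticator": AUTHENTICATOR, "tag": tag}


def distinguisher(transcript, candidate_key):
    """Adversary's test: does candidate_key explain the authenticator tag?
    Returns True meaning 'this is the real key'."""
    expected = hmac.new(candidate_key, transcript["authenticator"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, transcript["tag"])


def session_key_itself(k):
    """Key output under the plain AKE notion: K exactly as the protocol used it."""
    return k


def derived_key(k):
    """Key output of the kind the abstract proves secure: a hash of K, which
    never appears in the transcript in any checkable form."""
    return hashlib.sha256(k).digest()


def advantage(key_of, trials=400):
    """Estimate the distinguisher's advantage in the key-indistinguishability
    game: the challenger flips bit b and hands over key_of(K) if b == 1, else
    a fresh random key. Returns Pr[guess == b] - 1/2, so 0.5 means every
    guess was right and a value near 0 means no better than a coin flip."""
    correct = 0
    for _ in range(trials):
        k, transcript = kerberos_toy_run()
        b = secrets.randbits(1)
        test_key = key_of(k) if b == 1 else secrets.token_bytes(32)
        guess = 1 if distinguisher(transcript, test_key) else 0
        correct += int(guess == b)
    return correct / trials - 0.5


if __name__ == "__main__":
    print("advantage against K itself  :", advantage(session_key_itself))
    print("advantage against SHA-256(K):", advantage(derived_key))
```

    Running it reports an advantage of 0.5 against K (the tag confirms or refutes every candidate) and a value within sampling noise of 0 against SHA-256(K). That is the abstract's point: any key consumed inside the protocol gives the adversary a verifiable commitment to it, so indistinguishability has to be stated for a key derived from, rather than equal to, the one the protocol uses. The optional sub-session key mode mentioned in the abstract is not modelled here.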

  • End-to-end verifiable cumulative voting without Tallying Authorities
    by Samiran Bag, Muhammad Ajmal Azad, Feng Hao 
    Abstract: In this paper, we propose the first end-to-end (E2E) verifiable e-voting system for cumulative voting without requiring any tallying authorities. Cumulative voting is an electoral system, heavily used in corporate governance as practised in several US states, and in participatory budgeting as seen in many European cities where local residents decide how to spend a portion of the local government's budget through voting. Traditionally, cumulative voting is done with pen and paper, but the manual counting process is time-consuming and costly, especially when such voting events occur frequently. Many systems have changed to use electronic voting, but without considering the security aspects of this change. To our knowledge, none of the existing e-voting systems implemented for cumulative voting is end-to-end verifiable; if there is any bug or tampering at the tallying software, the tally would be inadvertently modified without any voter noticing this. Although there are existing voting systems (e.g., mix-net based) that could be adapted to support cumulative voting with E2E verifiability, they generally require a set of tallying authorities, which can lead to substantial complexity of finding and managing such authorities in practice. We address this issue by adopting novel cryptographic techniques to achieve E2E verifiability for cumulative voting, but without involving any tallying authorities. We formally define a model to prove the security of our system, and present an efficiency analysis to show that our proposed solution is feasible for practical use.
    Keywords: end-to-end verifiability; verifiable e-voting; cumulative voting; provable security; receipt-freeness.