Mark Manulis - Academia.edu

Papers by Mark Manulis

Malicious Participants in Group Key Exchange: Key Control and Contributiveness in the Shadow of Trust (Extended abstract)

Group key exchange protocols allow their participants to compute a secret key which can be used to ensure security and privacy for various multi-party applications. The resulting group key should be computed through cooperation of all protocol participants such that none of them is trusted to have any advantage concerning the protocol's output. This trust relationship states the main difference between group key exchange and group key transport protocols. Obviously, misbehaving participants in group key exchange protocols may try to influence the resulting group key, thereby disrupting this trust relationship, and also causing further security threats. This paper analyzes the currently known security models for group key exchange protocols with respect to this kind of attacks by malicious participants and proposes an extended model to remove the identified limitations. Additionally, it proposes an efficient and provably secure generic solution, a compiler, to guarantee these additional security goals for group keys exchanged in the presence of malicious participants.

Malicious Participants in Group Key Exchange: Key Control and Contributiveness in the Shadow of Trust (Full version)

Group key exchange protocols allow their participants to compute a secret key which can be used to ensure security and privacy for various multi-party applications. The resulting group key should be computed through cooperation of all protocol participants such that none of them is trusted to have any advantage concerning the protocol's output. This trust relationship states the main difference between group key exchange and group key transport protocols. Obviously, misbehaving participants in group key exchange protocols may try to influence the resulting group key, thereby disrupting this trust relationship, and also causing further security threats. This paper analyzes the currently known security models for group key exchange protocols with respect to this kind of attacks by malicious participants and proposes an extended model to remove the identified limitations. Additionally, it proposes an efficient and provably secure generic solution, a compiler, to guarantee these additional security goals for group keys exchanged in the presence of malicious participants.

Flexible Group Key Exchange with On-demand Computation of Subgroup Keys

Lecture Notes in Computer Science, 2010

Modern multi-user communication systems, including popular instant messaging tools, social network platforms, and cooperative-work applications, offer flexible forms of communication and exchange of data. At any point in time, concurrent communication sessions involving different subsets of users can be invoked. The traditional tool for achieving security in a multi-party communication environment is the group key exchange (GKE) protocol, which provides participants with a secure group key for their subsequent communication. Yet, in communication scenarios where various user subsets may be involved in different sessions, the deployment of classical GKE protocols has clear performance and scalability limitations, as each new session must be preceded by a separate execution of the protocol. The motivation of this work is to study the possibility of designing more flexible GKE protocols allowing not only the computation of a group key for some initial set of users but also efficient derivation of independent secret keys for all potential subsets. In particular we improve and generalize the recently introduced GKE protocols enabling on-demand derivation of peer-to-peer keys (so-called GKE+P protocols). We show how a group of users can agree on a secret group key while obtaining some additional information that they can use on demand to efficiently compute independent secret keys for any possible subgroup. Our security analysis relies on the Gap Diffie-Hellman assumption and uses random oracles.

On Security Models and Compilers for Group Key Exchange Protocols

Lecture Notes in Computer Science, 2007

Group key exchange (GKE) protocols can be used to guarantee confidentiality and authentication in group applications. The paradigm of provable security subsumes an abstract formalization (security model) that considers the protocol environment and identifies its security goals. The first security model for GKE protocols was proposed by Bresson, Chevassut, Pointcheval, and Quisquater in 2001, and has been subsequently applied in many security proofs. Their definitions of AKE-security (authenticated key exchange; a.k.a. indistinguishability of the key) and MA-security (mutual authentication) have meanwhile become standard. In this paper we analyze the BCPQ model and some of its variants and identify several risks resulting from its technical core construction, the notion of partnering. Consequently, we propose a revised model extending AKE- and MA-security in order to capture attacks by malicious participants and strong corruptions. Then, we turn to generic solutions (known as compilers) for AKE- and MA-security in BCPQ-like models. We describe a compiler C-AMA which provides AKE- and MA-security for any GKE protocol, under standard cryptographic assumptions, and eliminates some identified limitations in existing compilers.

Provably secure browser-based user-aware mutual authentication over TLS

Proceedings of the 2008 ACM symposium on Information, computer and communications security - ASIACCS '08, 2008

The standard solution for user authentication on the Web is to establish a TLS-based secure channel in server-authenticated mode and run a protocol on top of TLS where the user enters a password in an HTML form. However, as many studies point out, the average Internet user is unable to identify the server based on an X.509 certificate, so that impersonation attacks (e.g., phishing) are feasible. We tackle this problem by proposing a protocol that allows the user to identify the server based on human-perceptible authenticators (e.g., picture, voice). We prove the security of this protocol by refining the game-based security model of Bellare and Rogaway and present a proof-of-concept implementation.

Affiliation-Hiding Authentication with Minimal Bandwidth Consumption

Lecture Notes in Computer Science, 2011

Affiliation-Hiding Authentication (AHA) protocols have the seemingly contradictory property of enabling users to authenticate each other as members of certain groups, without revealing their affiliation to group outsiders. Of particular interest in practice is the group-discovering variant, which handles multiple group memberships per user. Corresponding solutions were only recently introduced, and have two major drawbacks: high bandwidth consumption (typically several kilobits per user and affiliation), and only moderate performance in scenarios of practical application.

Enforcing User-Aware Browser-Based Mutual Authentication with Strong Locked Same Origin Policy

Lecture Notes in Computer Science, 2008

The standard solution for mutual authentication between human users and servers on the Internet is to execute a TLS handshake during which the server authenticates using an X.509 certificate, followed by the authentication of the user either with their own password or with some cookie stored within the user's browser. Unfortunately, this solution is susceptible to various impersonation attacks such as phishing, as it has turned out that average Internet users are unable to authenticate servers based on their certificates. In this paper we address the security of cookie-based authentication using the concept of the strong locked same origin policy for browsers introduced at ACM CCS'07. We describe a cookie-based authentication protocol between human users and TLS servers and prove its security in the extended formal model for browser-based mutual authentication introduced at ACM ASIACCS'08. It turns out that this small modification of the browser's security policy is sufficient to achieve provably secure cookie-based authentication protocols, considering the ability of users to recognize images, video, or audio sequences. This is the full version of the extended abstract which appeared in:

Practical affiliation-hiding authentication from improved polynomial interpolation

Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security - ASIACCS '11, 2011

... In Section 4 we focus on further building blocks and techniques that constitute (in addition to IHME) the entire AH protocol ... (Footnote 1: For instance, an average Facebook user is connected to about 80 community pages and ...)
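The two affiliation-hiding entries above name polynomial interpolation and IHME (index-hiding message encoding) as a building block: a sender who wants to deliver one message per group it belongs to interpolates a polynomial through (group index, message) points and publishes only the coefficients, so a receiver who knows an index recovers its message by evaluation, while the coefficient vector itself does not reveal which indices were used. The block below is an added illustration written for this page, not the papers' code, and it implements only the plain Lagrange form of such an encoding over a toy prime field; the papers' "improved" interpolation and the surrounding authenticated key exchange are not reproduced, and the prime and the sample indices are assumptions.

```python
"""Index-hiding message encoding by polynomial interpolation over GF(p).
Added example for this page; toy parameters, not those of the papers."""

FIELD_PRIME = 2**127 - 1  # assumed toy Mersenne prime; messages and indices live in GF(p)


def _inv(a):
    """Modular inverse by Fermat's little theorem (p is prime)."""
    return pow(a % FIELD_PRIME, FIELD_PRIME - 2, FIELD_PRIME)


def _poly_mul(a, b):
    """Multiply two polynomials given as coefficient lists, lowest degree first."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % FIELD_PRIME
    return out


def ihme_encode(pairs):
    """Encode (index, message) pairs as the coefficients of the unique polynomial P
    of degree < n with P(index_k) = message_k, computed by Lagrange interpolation.
    The result is n field elements carrying no marker of the indices used:
    evaluating at any other index also yields an ordinary field element."""
    n = len(pairs)
    idx = [i % FIELD_PRIME for i, _ in pairs]
    if len(set(idx)) != n:
        raise ValueError("indices must be distinct")
    coeffs = [0] * n
    for k, (_, m_k) in enumerate(pairs):
        i_k = idx[k]
        numer, denom = [1], 1
        for j, i_j in enumerate(idx):
            if j != k:
                numer = _poly_mul(numer, [(-i_j) % FIELD_PRIME, 1])  # factor (x - i_j)
                denom = denom * (i_k - i_j) % FIELD_PRIME
        scale = (m_k % FIELD_PRIME) * _inv(denom) % FIELD_PRIME      # m_k / prod(i_k - i_j)
        for t, c in enumerate(numer):
            coeffs[t] = (coeffs[t] + c * scale) % FIELD_PRIME
    return coeffs


def ihme_decode(coeffs, index):
    """Recover the message bound to index by Horner evaluation of P(index)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * index + c) % FIELD_PRIME
    return acc


if __name__ == "__main__":
    # constructed sample: three affiliations, identified here by small indices
    pairs = [(11, 1234), (22, 5678), (33, 9012)]
    coeffs = ihme_encode(pairs)
    print("coefficients:", coeffs)
    for i, m in pairs:
        assert ihme_decode(coeffs, i) == m
    print("outsider index 44 decodes to", ihme_decode(coeffs, 44))
```

Indices in a real protocol are derived from group-specific secrets, so an outsider who guesses an index obtains a value that is indistinguishable from a legitimate message; the example shows the mechanism, not that indistinguishability (which depends on the messages themselves being uniform field elements).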

Distributed Smooth Projective Hashing and Its Application to Two-Server Password Authenticated Key Exchange

Lecture Notes in Computer Science, 2014

Smooth projective hash functions have been used as a building block for various cryptographic applications, in particular for password-based authentication. In this work we propose the extended concept of distributed smooth projective hash functions, where the computation of the hash value is distributed across n parties, and show how to instantiate the underlying approach for languages consisting of Cramer-Shoup ciphertexts. As an application of distributed smooth projective hashing we build a new framework for the design of two-server password authenticated key exchange protocols, which we believe can help to "explain" the design of earlier two-server password authenticated key exchange protocols.

Property-based taming of lying mobile nodes

20th International Conference on Advanced Information Networking and Applications - Volume 1 (AINA'06), 2006

Intelligent security protocols can verify whether the involved principals have properties that are defined based on certain functional and security policies. The property we focus on is the performance of mobile devices participating in a security protocol. In this context, the protocol should distribute the computation, communication and storage costs fairly among all devices. However, the protocol should guard against cheating participants who may lie about their properties to gain an advantage.

Security and Privacy Objectives for Sensing Applications in Wireless Community Networks

2010 Proceedings of 19th International Conference on Computer Communications and Networks, 2010

Wireless Community Networks (WCN) are formed by the integration of user-operated wireless sensor networks that are internetworked by wireless mesh networks available within urban communities. WCNs enable novel applications for the members of the community. These include different sensing applications, where individuals contribute sensor data for further use within their community at large or with well-defined restrictions to certain users. Sensing application scenarios for WCNs differ from traditional sensor network applications with respect to their security and privacy requirements. In this paper, we define three representative scenarios: personal sensing, designated sensing, and community sensing. These scenarios are then studied with respect to their privacy and security implications. In particular, we identify main research questions and highlight the challenges of using various security and privacy approaches from networking and cryptography to make sensing applications in WCNs security- and privacy-aware.

Privacy-Preserving Group Discovery with Linear Complexity

Lecture Notes in Computer Science, 2010

Affiliation-Hiding Authenticated Key Exchange (AH-AKE) protocols enable two distrusting users, being in possession of membership credentials for some group, to establish a secure session key without leaking any information about this group to non-members. In practice, users might be members of several groups, and such protocols must be able to generate session keys between users who have one or more

Topology-Driven Secure Initialization in Wireless Sensor Networks: A Tool-Assisted Approach

2012 Seventh International Conference on Availability, Reliability and Security, 2012

Group Signature with Constant Revocation Costs for Signers and Verifiers

Lecture Notes in Computer Science, 2011

Pseudorandom signatures

Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security - ASIA CCS '13, 2013

We develop a three-level hierarchy of privacy notions for (unforgeable) digital signatures, starting with existing notions of anonymity and confidentiality, whose independence we prove formally. The ultimate privacy goal in our hierarchy is pseudorandomness: signatures with this property hide the entire information about the signing process and they cannot be recognized as signatures when transmitted over a public network. This implies very strong unlinkability guarantees across different signers and even different signing algorithms and gives rise to new forms of private public-key authentication. We prove that one way towards pseudorandom signatures leads over the mid-level notion, called indistinguishability: these signatures can be simulated using only the public parameters of the scheme. Indistinguishable signatures exist in different cryptographic settings (e.g. based on RSA, discrete logarithms, pairings) and can be efficiently lifted to the highest privacy level using general transformations based on appropriate encoding techniques. We also show a more direct way for obtaining pseudorandomness from any unforgeable signature scheme. Our transformations work in the standard model. We keep public verifiability of signatures in the setting of system-wide known public keys and we allow full disclosure of signatures, and even of secret signing keys, while working with messages of high entropy.

Pseudorandom signatures

Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security - ASIA CCS '13, 2013

We develop a three-level hierarchy of privacy notions for (unforgeable) digital signature schemes. We first prove mutual independence of existing notions of anonymity and confidentiality, and then show that these are implied by higher privacy goals. The top notion in our hierarchy is pseudorandomness: signatures with this property hide the entire information about the signing process and cannot be recognized as signatures when transmitted over a public network. This implies very strong unlinkability guarantees across different signers and even different signing algorithms, and gives rise to new forms of private public-key authentication. We show that one way towards pseudorandom signatures leads over our mid-level notion, called indistinguishability: such signatures can be simulated using only the public parameters of the scheme. As we reveal, indistinguishable signatures exist in different cryptographic settings (e.g. based on RSA, discrete logarithms, pairings) and can be efficiently lifted to pseudorandomness deploying general transformations using appropriate encoding techniques. We also examine a more direct way for obtaining pseudorandomness for any unforgeable signature scheme. All our transformations work in the standard model. We keep public verifiability of signatures in the setting of system-wide known public keys. Some results even hold if signing keys are disclosed to the adversary, given that signed messages have high entropy.
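Both "Pseudorandom signatures" abstracts above say that an indistinguishable signature (one that can be simulated from public parameters alone, e.g. a value uniform in Z_N for an RSA-based scheme) still is not pseudorandom on the wire, because its representation betrays algebraic structure, and that an "appropriate encoding" closes that gap. The block below is an added illustration of one such encoding, written for this page rather than taken from the paper: an element of Z_N is sent as an L-bit string after adding a random multiple of N, which makes the string statistically close to uniform when L exceeds the size of N by a security margin, while the receiver recovers the element by reducing mod N. The toy modulus, the bit lengths and the trivial "is it below N" distinguisher are assumptions for the demonstration; the block does not implement the paper's transformation or any real signature scheme.

```python
"""Encoding a uniform residue mod N as a near-uniform L-bit string.
Added example for this page; toy parameters, not the paper's construction."""
import secrets
from fractions import Fraction


def encode_uniform(s, modulus, out_bits, randbelow=secrets.randbelow):
    """Map s in [0, modulus) to an out_bits-bit integer by adding a random multiple
    of modulus. If s is uniform in Z_modulus, the output is uniform on
    [0, k_max * modulus), which is within modulus / 2**out_bits of uniform on
    [0, 2**out_bits). randbelow is injectable so the example can be run deterministically."""
    if not 0 <= s < modulus:
        raise ValueError("s must be a residue modulo modulus")
    k_max = (1 << out_bits) // modulus  # number of multiples that still fit in out_bits
    if k_max == 0:
        raise ValueError("out_bits too small for modulus")
    return s + randbelow(k_max) * modulus


def decode_uniform(t, modulus):
    """Recover the residue; the added multiple is simply discarded."""
    return t % modulus


def to_bytes(t, out_bits):
    """Fixed-width wire representation of the encoded value."""
    return t.to_bytes((out_bits + 7) // 8, "big")


def raw_value_detector(t, modulus):
    """A trivial distinguisher against un-encoded values: an element of Z_N sent
    as a fixed-width string never reaches N, so its leading bits are always zero.
    Returns True when the value 'looks raw'."""
    return t < modulus


def statistical_distance_bound(modulus, out_bits):
    """Exact statistical distance between the encoding's output (uniform on
    [0, k_max*modulus)) and the uniform distribution on [0, 2**out_bits)."""
    k_max = (1 << out_bits) // modulus
    return 1 - Fraction(k_max * modulus, 1 << out_bits)


if __name__ == "__main__":
    N = (1 << 63) + 25          # assumed toy odd modulus, not a real RSA modulus
    L = 64 + 128                # modulus size plus a 128-bit margin
    s = secrets.randbelow(N)    # stands in for a signature uniform in Z_N
    t = encode_uniform(s, N, L)
    assert decode_uniform(t, N) == s
    print("raw value flagged:", raw_value_detector(s, N))
    print("encoded value flagged:", raw_value_detector(t, N))
    print("wire length (bytes):", len(to_bytes(t, L)))
    print("distance bound below 2^-128:", statistical_distance_bound(N, L) < Fraction(1, 1 << 128))
```

The encoding only hides the arithmetic structure of the value. It does nothing against a distinguisher who already knows the public key and can guess the message and run verification, which is why the abstracts tie pseudorandomness to high-entropy messages, and it only helps at all if the underlying signature is already uniform in Z_N (the "indistinguishable" level); a biased signature stays biased after encoding.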

Secure Modular Password Authentication for the Web Using Channel Bindings

Lecture Notes in Computer Science, 2014

Malicious Participants in Group Key Exchange: Key Control and Contributiveness in the Shadow of Trust

Lecture Notes in Computer Science, 2007

Group key exchange protocols allow their participants to compute a secret key which can be used to ensure security and privacy for various multi-party applications. The resulting group key should be computed through cooperation of all protocol participants such that none of them is trusted to have any advantage concerning the protocol's output. This trust relationship states the main difference between group key exchange and group key transport protocols. Obviously, misbehaving participants in group key exchange protocols may try to influence the resulting group key, thereby disrupting this trust relationship, and also causing further security threats. This paper analyzes the currently known security models for group key exchange protocols with respect to this kind of attacks by malicious participants and proposes an extended model to remove the identified limitations. Additionally, it proposes an efficient and provably secure generic solution, a compiler, to guarantee these additional security goals for group keys exchanged in the presence of malicious participants.
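The three "Malicious Participants in Group Key Exchange" entries above (extended abstract, full version and the LNCS 2007 paper) all turn on the same threat: an insider who contributes last, after seeing everyone else's input, can steer the group key, which is exactly the "key control" the abstract contrasts with contributiveness. The block below is an added illustration written for this page, not the papers' compiler or any of their protocols: it shows the attack against a toy XOR-of-contributions key and then the generic commit-then-reveal countermeasure, where every party commits to its contribution before any contribution is revealed, so a late party that adapts its opening is caught by the commitment check. The toy key derivation, the hash commitment and the two-round message flow are assumptions of the example; a real group key exchange additionally needs authenticated channels and a proper key derivation, which the example leaves out.

```python
"""Key control by a last-moving insider and commit-then-reveal as a countermeasure.
Added example for this page; toy scheme, not code from the papers."""
import hashlib
import secrets

KEY_LEN = 32  # bytes; parameter of this toy scheme


def xor_key(contributions):
    """Naive group key: XOR of every participant's random KEY_LEN-byte contribution."""
    key = bytes(KEY_LEN)
    for c in contributions:
        key = bytes(a ^ b for a, b in zip(key, c))
    return key


def last_mover_contribution(seen, target_key):
    """Key control: whoever contributes last, after seeing the others, forces the
    XOR key to target_key by contributing target_key XOR (XOR of the others)."""
    return xor_key(seen + [target_key])


def naive_gke_with_last_mover(honest_contributions, target_key):
    """One-round protocol with contributions sent in the clear: the last party owns the key."""
    forced = last_mover_contribution(honest_contributions, target_key)
    return xor_key(honest_contributions + [forced])


def commit(contribution, nonce):
    """Hash commitment H(contribution || nonce); binding while SHA-256 is collision resistant."""
    return hashlib.sha256(contribution + nonce).digest()


def committed_gke(parties):
    """Commit-then-reveal: round 1 collects every commitment before any contribution
    is revealed; round 2 opens them sequentially, so a late party does see earlier
    openings but can no longer change what it committed to. Each party is a
    callable (round, view) -> message. Returns the key, or None if some opening
    does not match its commitment."""
    commitments = [p(1, []) for p in parties]
    openings = []
    for p in parties:
        openings.append(p(2, list(openings)))
    for c, (x, r) in zip(commitments, openings):
        if commit(x, r) != c:
            return None
    return xor_key([x for x, _ in openings])


def honest_party():
    x, r = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    return lambda rnd, view: commit(x, r) if rnd == 1 else (x, r)


def cheating_party(target_key):
    """Commits honestly, then at opening time substitutes the contribution that
    would force target_key given the openings seen so far."""
    x, r = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)

    def act(rnd, view):
        if rnd == 1:
            return commit(x, r)
        return last_mover_contribution([ox for ox, _ in view], target_key), r

    return act


if __name__ == "__main__":
    target = bytes([0x42]) * KEY_LEN
    honest = [secrets.token_bytes(KEY_LEN) for _ in range(3)]
    print("naive: last mover forced the key:", naive_gke_with_last_mover(honest, target) == target)
    print("committed, all honest: key agreed:", committed_gke([honest_party() for _ in range(4)]) is not None)
    cheated = committed_gke([honest_party() for _ in range(3)] + [cheating_party(target)])
    print("committed, cheater last: protocol aborts:", cheated is None)
```

Committing fixes contributions before they are revealed, which removes the adaptive choice; it does not by itself stop an insider from choosing a weak contribution or aborting after learning the key, which is part of what the papers' extended model and compiler address beyond this toy.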

Oblivious PAKE and Efficient Handling of Password Trials

A Browser-Based Kerberos Authentication Scheme

Lecture Notes in Computer Science, 2008

When two players wish to share a security token (e.g., for the purpose of authentication and accounting), they call a trusted third party. This idea is the essence of Kerberos protocols, which are widely deployed in large-scale computer networks. Browser-based Kerberos protocols are the derivatives with the exception that the Kerberos client application is a commodity Web

Research paper thumbnail of Malicious Participants in Group Key Exchange: Key Control and Contributiveness in the Shadow of Trust (Extended abstract)

Group key exchange protocols allow their participants to compute a secret key which can be used t... more Group key exchange protocols allow their participants to compute a secret key which can be used to ensure security and privacy for various multi-party applications. The resulting group key should be computed through cooperation of all protocol participants such that none of them is trusted to have any advantage concerning the protocol's output. This trust relationship states the main difference between group key exchange and group key transport protocols. Obviously, misbehaving participants in group key exchange protocols may try to influence the resulting group key, thereby disrupting this trust relationship, and also causing further security threats. This paper analyzes the currently known security models for group key exchange protocols with respect to this kind of attacks by malicious participants and proposes an extended model to remove the identified limitations. Additionally, it proposes an efficient and provably secure generic solution, a compiler, to guarantee these additional security goals for group keys exchanged in the presence of malicious participants.

Research paper thumbnail of Malicious Participants in Group Key Exchange: Key Control and Contributiveness in the Shadow of Trust (Full version)

Group key exchange protocols allow their participants to compute a secret key which can be used t... more Group key exchange protocols allow their participants to compute a secret key which can be used to ensure security and privacy for various multi-party applications. The resulting group key should be computed through cooperation of all protocol participants such that none of them is trusted to have any advantage concerning the protocol's output. This trust relationship states the main difference between group key exchange and group key transport protocols. Obviously, misbehaving participants in group key exchange protocols may try to influence the resulting group key, thereby disrupting this trust relationship, and also causing further security threats. This paper analyzes the currently known security models for group key exchange protocols with respect to this kind of attacks by malicious participants and proposes an extended model to remove the identified limitations. Additionally, it proposes an efficient and provably secure generic solution, a compiler, to guarantee these additional security goals for group keys exchanged in the presence of malicious participants.

Research paper thumbnail of Flexible Group Key Exchange with On-demand Computation of Subgroup Keys

Lecture Notes in Computer Science, 2010

Modern multi-user communication systems, including popular instant messaging tools, social networ... more Modern multi-user communication systems, including popular instant messaging tools, social network platforms, and cooperative-work applications, offer flexible forms of communication and exchange of data. At any time point concurrent communication sessions involving different subsets of users can be invoked. The traditional tool for achieving security in a multi-party communication environment are group key exchange (GKE) protocols that provide participants with a secure group key for their subsequent communication. Yet, in communication scenarios where various user subsets may be involved in different sessions the deployment of classical GKE protocols has clear performance and scalability limitations as each new session should be preceded by a separate execution of the protocol. The motivation of this work is to study the possibility of designing more flexible GKE protocols allowing not only the computation of a group key for some initial set of users but also efficient derivation of independent secret keys for all potential subsets. In particular we improve and generalize the recently introduced GKE protocols enabling on-demand derivation of peer-to-peer keys (so called GKE+P protocols). We show how a group of users can agree on a secret group key while obtaining some additional information that they can use on-demand to efficiently compute independent secret keys for any possible subgroup. Our security analysis relies on the Gap Diffie-Hellman assumption and uses random oracles.

Research paper thumbnail of On Security Models and Compilers for Group Key Exchange Protocols

Lecture Notes in Computer Science, 2007

Group key exchange (GKE) protocols can be used to guarantee confidentiality and authentication in... more Group key exchange (GKE) protocols can be used to guarantee confidentiality and authentication in group applications. The paradigm of provable security subsumes an abstract formalization (security model) that considers the protocol environment and identifies its security goals. The first security model for GKE protocols was proposed by Bresson, Chevassut, Pointcheval, and Quisquater in 2001, and has been subsequently applied in many security proofs. Their definitions of AKEsecurity (authenticated key exchange; a.k.a. indistinguishability of the key) and MA-security (mutual authentication) became meanwhile standard. In this paper we analyze the BCPQ model and some of its variants and identify several risks resulting from its technical core constructionthe notion of partnering. Consequently, we propose a revised model extending AKE-and MA-security in order to capture attacks by malicious participants and strong corruptions. Then, we turn to generic solutions (known as compilers) for AKE-and MA-security in BCPQ-like models. We describe a compiler C-AMA which provides AKE-and MA-security for any GKE protocol, under standard cryptographic assumptions, that eliminates some identified limitations in existing compilers.

Research paper thumbnail of Provably secure browser-based user-aware mutual authentication over TLS

Proceedings of the 2008 ACM symposium on Information, computer and communications security - ASIACCS '08, 2008

The standard solution for user authentication on the Web is to establish a TLS-based secure chann... more The standard solution for user authentication on the Web is to establish a TLS-based secure channel in server authenticated mode and run a protocol on top of TLS where the user enters a password in an HTML form. However, as many studies point out, the average Internet user is unable to identify the server based on a X.509 certificate so that impersonation attacks (e.g., phishing) are feasible. We tackle this problem by proposing a protocol that allows the user to identify the server based on human perceptible authenticators (e.g., picture, voice). We prove the security of this protocol by refining the game-based security model of Bellare and Rogaway and present a proof of concept implementation.

Research paper thumbnail of Affiliation-Hiding Authentication with Minimal Bandwidth Consumption

Lecture Notes in Computer Science, 2011

Affiliation-Hiding Authentication (AHA) protocols have the seemingly contradictory property of en... more Affiliation-Hiding Authentication (AHA) protocols have the seemingly contradictory property of enabling users to authenticate each other as members of certain groups, without revealing their affiliation to group outsiders. Of particular interest in practice is the group-discovering variant, which handles multiple group memberships per user. Corresponding solutions were only recently introduced, and have two major drawbacks: high bandwidth consumption (typically several kilobits per user and affiliation), and only moderate performance in scenarios of practical application.

Research paper thumbnail of Enforcing User-Aware Browser-Based Mutual Authentication with Strong Locked Same Origin Policy

Lecture Notes in Computer Science, 2008

The standard solution for mutual authentication between human users and servers on the Internet i... more The standard solution for mutual authentication between human users and servers on the Internet is to execute a TLS handshake during which the server authenticates using a X.509 certificate followed by the authentication of the user either with own password or with some cookie stored within the user's browser. Unfortunately, this solution is susceptible to various impersonation attacks such as phishing as it turned out that average Internet users are unable to authenticate servers based on their certificates. In this paper we address security of cookie-based authentication using the concept of strong locked same origin policy for browsers introduced at ACM CCS'07. We describe a cookie-based authentication protocol between human users and TLS-servers and prove its security in the extended formal model for browserbased mutual authentication introduced at ACM ASIACCS'08. It turns out that the small modification of the browser's security policy is sufficient to achieve provably secure cookie-based authentication protocols considering the ability of users to recognize images, video, or audio sequences. This is the full version of the extended abstract which appeared in:

Research paper thumbnail of Practical affiliation-hiding authentication from improved polynomial interpolation

Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security - ASIACCS '11, 2011

... Copyright 2011 ACM 978-1-4503-0564-8/11/03 ...$10.00. ... In Sec-tion 4 we focus on further b... more ... Copyright 2011 ACM 978-1-4503-0564-8/11/03 ...$10.00. ... In Sec-tion 4 we focus on further building blocks and techniques that constitute (in addition to IHME) the entire AH protocol 1For instance, an average Facebook user is connected to about 80 community pages and ...

Research paper thumbnail of Distributed Smooth Projective Hashing and Its Application to Two-Server Password Authenticated Key Exchange

Lecture Notes in Computer Science, 2014

ABSTRACT Smooth projective hash functions have been used as building block for various cryptograp... more ABSTRACT Smooth projective hash functions have been used as building block for various cryptographic applications, in particular for password-based authentication. In this work we propose the extended concept of distributed smooth projective hash functions where the computation of the hash value is distributed across n parties and show how to instantiate the underlying approach for languages consisting of Cramer-Shoup ciphertexts. As an application of distributed smooth projective hashing we build a new framework for the design of two-server password authenticated key exchange protocols, which we believe can help to “explain” the design of earlier two-server password authenticated key exchange protocols.

Research paper thumbnail of Property-based taming of lying mobile nodes

20th International Conference on Advanced Information Networking and Applications - Volume 1 (AINA'06), 2006

Intelligent security protocols can verify whether the involved principals have properties that ar... more Intelligent security protocols can verify whether the involved principals have properties that are defined based on certain functional and security policies. The property we focus on is the performance of mobile devices participating in a security protocol. In this context, the protocol should distribute the computation, communication and storage costs fairly among all devices. However, the protocol should foresee against cheating participants who may lie about their properties to gain advantage.

Research paper thumbnail of Security and Privacy Objectives for Sensing Applications in Wireless Community Networks

2010 Proceedings of 19th International Conference on Computer Communications and Networks, 2010

Wireless Community Networks (WCN) are formed by the integration of user-operated wireless sensor ... more Wireless Community Networks (WCN) are formed by the integration of user-operated wireless sensor networks that are internetworked by wireless mesh networks available within urban communities. WCNs enable novel applications for the members of the community. These include different sensing applications, where individuals contribute sensor data for further use within their community at large or with well-defined restrictions to certain users. Sensing application scenarios for WCNs differ from traditional sensor network applications with respect to their security and privacy requirements. In this paper, we define three representative scenarios-personal sensing, designated sensing, and community sensing. These scenarios are then studied with respect to their privacy and security implications. In particular, we identify main research questions and highlight the challenges of using various security and privacy approaches from networking and cryptography to make sensing applications in WCNs security and privacy aware.

Privacy-Preserving Group Discovery with Linear Complexity

Lecture Notes in Computer Science, 2010

Affiliation-Hiding Authenticated Key Exchange (AH-AKE) protocols enable two distrusting users, being in possession of membership credentials for some group, to establish a secure session key without leaking any information about this group to non-members. In practice, users might be members of several groups, and such protocols must be able to generate session keys between users who have one or more

Topology-Driven Secure Initialization in Wireless Sensor Networks: A Tool-Assisted Approach

2012 Seventh International Conference on Availability, Reliability and Security, 2012

Group Signature with Constant Revocation Costs for Signers and Verifiers

Lecture Notes in Computer Science, 2011

Pseudorandom signatures

Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security - ASIA CCS '13, 2013

We develop a three-level hierarchy of privacy notions for (unforgeable) digital signatures, starting with existing notions of anonymity and confidentiality, whose independence we prove formally. The ultimate privacy goal in our hierarchy is pseudorandomness: signatures with this property hide the entire information about the signing process and they cannot be recognized as signatures when transmitted over a public network. This implies very strong unlinkability guarantees across different signers and even different signing algorithms and gives rise to new forms of private public-key authentication. We prove that one way towards pseudorandom signatures leads over the mid-level notion, called indistinguishability: these signatures can be simulated using only the public parameters of the scheme. Indistinguishable signatures exist in different cryptographic settings (e.g. based on RSA, discrete logarithms, pairings) and can be efficiently lifted to the highest privacy level using general transformations based on appropriate encoding techniques. We also show a more direct way for obtaining pseudorandomness from any unforgeable signature scheme. Our transformations work in the standard model. We keep public verifiability of signatures in the setting of system-wide known public keys and we allow full disclosure of signatures, and even of secret signing keys, while working with messages of high entropy.

Pseudorandom signatures

Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security - ASIA CCS '13, 2013

We develop a three-level hierarchy of privacy notions for (unforgeable) digital signature schemes. We first prove mutual independence of existing notions of anonymity and confidentiality, and then show that these are implied by higher privacy goals. The top notion in our hierarchy is pseudorandomness: signatures with this property hide the entire information about the signing process and cannot be recognized as signatures when transmitted over a public network. This implies very strong unlinkability guarantees across different signers and even different signing algorithms, and gives rise to new forms of private public-key authentication. We show that one way towards pseudorandom signatures leads over our mid-level notion, called indistinguishability: such signatures can be simulated using only the public parameters of the scheme. As we reveal, indistinguishable signatures exist in different cryptographic settings (e.g. based on RSA, discrete logarithms, pairings) and can be efficiently lifted to pseudorandomness by deploying general transformations using appropriate encoding techniques. We also examine a more direct way for obtaining pseudorandomness for any unforgeable signature scheme. All our transformations work in the standard model. We keep public verifiability of signatures in the setting of system-wide known public keys. Some results even hold if signing keys are disclosed to the adversary, given that signed messages have high entropy.
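
An added example for the two Pseudorandom signatures abstracts above, showing why an ordinary signature is recognizable on the wire and what a lifting step has to achieve. This is not code from the paper: a textbook RSA signature is an integer below the signer's modulus N, so a passive observer who knows the candidate public keys can rule out every key with a smaller modulus and can tell the value apart from a uniformly random string of the same length. The lifting used here (adding a random multiple of N so the transmitted value is statistically close to uniform on [0, 2^L), with the verifier recovering s = u mod N) is a simple well-known encoding, assumed for illustration, not the paper's general transformations. The Mersenne-prime keys, key names and messages are constructed so the example runs without a crypto library.

```python
import hashlib
import random

# Toy textbook RSA with Mersenne-prime factors (constructed example; textbook
# RSA without padding is not a secure signature scheme and is used only to
# make the "element of Z_N" leak visible).
E = 65537


def make_key(p, q):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return n, d


N_A, D_A = make_key((1 << 89) - 1, (1 << 107) - 1)   # ~196-bit modulus
N_B, D_B = make_key((1 << 61) - 1, (1 << 127) - 1)   # ~188-bit modulus
PUBLIC_KEYS = {"A": N_A, "B": N_B}                   # system-wide known keys


def h(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg, n, d):
    return pow(h(msg, n), d, n)


def verify(msg, sig, n):
    return pow(sig, E, n) == h(msg, n)


def candidate_keys(value, pubkeys=PUBLIC_KEYS):
    """What a passive observer learns from a plain signature: the value lies
    in [0, N), so every key whose modulus is larger than the value stays
    possible and every smaller modulus is ruled out. A random string of the
    same length is almost never below any modulus, so plain signatures are
    also recognizable as signatures."""
    return [name for name, n in pubkeys.items() if value < n]


# One fixed transmission length for the whole system, with 2^L >= N * 2^64
# for every key. A per-key length would itself fingerprint the signer.
L_BITS = 320
L_BYTES = L_BITS // 8


def hide(sig, n, rng=random):
    """Lift s in [0, N) to u = s + k*N with k uniform in [0, 2^L // N).
    u is always below 2^L and its distribution is within N / 2^L of
    uniform on [0, 2^L). (Assumed encoding for illustration.)"""
    k = rng.randrange((1 << L_BITS) // n)
    u = sig + k * n
    return u.to_bytes(L_BYTES, "big")


def unhide(blob, n):
    """The verifier only needs s = u mod N."""
    return int.from_bytes(blob, "big") % n


def demo(messages):
    """Returns (how many plain signatures under A rule out key B,
    how many lifted signatures match no candidate key at all)."""
    plain_rules_out_b = 0
    hidden_unlinkable = 0
    for m in messages:
        s = sign(m, N_A, D_A)
        assert verify(m, s, N_A)
        if "B" not in candidate_keys(s):
            plain_rules_out_b += 1
        blob = hide(s, N_A)
        assert verify(m, unhide(blob, N_A), N_A)
        if candidate_keys(int.from_bytes(blob, "big")) == []:
            hidden_unlinkable += 1
    return plain_rules_out_b, hidden_unlinkable


if __name__ == "__main__":
    msgs = [f"message {i}".encode() for i in range(200)]
    print(demo(msgs))
```

The leak is one-directional in this toy: a signature under the smaller modulus N_B is also below N_A and cannot be attributed by this test, whereas most signatures under N_A exceed N_B and are attributable. After lifting, the value exceeds every modulus with overwhelming probability, so this particular distinguisher learns nothing; it is only the range leak that is addressed here, not the stronger simulatability the abstract's indistinguishability notion asks for.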

Secure Modular Password Authentication for the Web Using Channel Bindings

Lecture Notes in Computer Science, 2014

Malicious Participants in Group Key Exchange: Key Control and Contributiveness in the Shadow of Trust

Lecture Notes in Computer Science, 2007

Group key exchange protocols allow their participants to compute a secret key which can be used to ensure security and privacy for various multi-party applications. The resulting group key should be computed through cooperation of all protocol participants such that none of them is trusted to have any advantage concerning the protocol's output. This trust relationship states the main difference between group key exchange and group key transport protocols. Obviously, misbehaving participants in group key exchange protocols may try to influence the resulting group key, thereby disrupting this trust relationship, and also causing further security threats. This paper analyzes the currently known security models for group key exchange protocols with respect to this kind of attacks by malicious participants and proposes an extended model to remove the identified limitations. Additionally, it proposes an efficient and provably secure generic solution, a compiler, to guarantee these additional security goals for group keys exchanged in the presence of malicious participants.
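
An added illustration of the key-control problem the abstract describes; this is not the paper's compiler and not code from the paper. In a naive protocol where the group key is a hash of nonces revealed in turn, the last party to speak sees everybody else's contribution first and can grind its own nonce until the key has a property it wants (here: a chosen first byte). A commit-then-reveal round, a generic technique assumed here purely for illustration, forces each contribution to be fixed before the others are seen, so a late swap is detected. The nonces, party order and the attacker's target are constructed.

```python
import hashlib

# Constructed example: n parties derive key = H(nonce_1 || ... || nonce_n).
# The last speaker is malicious (assumption: a fixed speaking order).


def derive_key(nonces):
    return hashlib.sha256(b"".join(nonces)).digest()


def commit(nonce):
    # Hash commitment; a real protocol would add a random opening value so
    # low-entropy nonces cannot be recovered from the commitment.
    return hashlib.sha256(b"commit|" + nonce).digest()


def grind_last_nonce(others, target_prefix, max_tries=1 << 20):
    """Malicious last speaker: having seen all other nonces, search for an
    own nonce such that the resulting group key starts with target_prefix."""
    for i in range(max_tries):
        cand = i.to_bytes(16, "big")
        if derive_key(others + [cand]).startswith(target_prefix):
            return cand
    raise RuntimeError("no suitable nonce found")


def naive_protocol(honest_nonces, target_prefix=b"\x00"):
    """Single reveal round: the last party chooses after seeing all others,
    so it controls (part of) the key. Expected work: 256 hashes per
    target byte."""
    bad = grind_last_nonce(honest_nonces, target_prefix)
    return derive_key(honest_nonces + [bad])


def committed_protocol(honest_nonces, attacker_nonce, cheat_prefix=None):
    """Round 1: every party broadcasts a commitment to its nonce.
    Round 2: every party reveals; each honest party checks every reveal
    against the earlier commitment. A cheating last party now knows the
    other nonces but can only grind by replacing its committed value, and
    that replacement no longer opens the commitment. Returns the key, or
    None when the honest parties abort."""
    commitments = [commit(n) for n in honest_nonces] + [commit(attacker_nonce)]
    last = attacker_nonce
    if cheat_prefix is not None:
        last = grind_last_nonce(honest_nonces, cheat_prefix)
    reveals = honest_nonces + [last]
    for c, n in zip(commitments, reveals):
        if commit(n) != c:
            return None
    return derive_key(reveals)


if __name__ == "__main__":
    honest = [b"\x01" * 16, b"\x02" * 16, b"\x03" * 16]
    print("naive key:", naive_protocol(honest).hex())
    print("committed, cheating:", committed_protocol(honest, b"\xff" * 16, b"\x00"))
    print("committed, honest:", committed_protocol(honest, b"\xff" * 16).hex())
```

The commitment round removes the grinding attack but not every form of influence: the last party can still compute the would-be key once the others have revealed and abort instead of revealing its own nonce, which is a weaker, one-bit form of control and is one reason the abstract distinguishes key control from contributiveness and argues for an extended model rather than a single fix.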

Oblivious PAKE and Efficient Handling of Password Trials

A Browser-Based Kerberos Authentication Scheme

Lecture Notes in Computer Science, 2008

When two players wish to share a security token (e.g., for the purpose of authentication and accounting), they call a trusted third party. This idea is the essence of Kerberos protocols, which are widely deployed in large-scale computer networks. Browser-based Kerberos protocols are the derivatives, with the exception that the Kerberos client application is a commodity Web