
2012 | Book

Financial Cryptography and Data Security

FC 2011 Workshops, RLCPS and WECSR 2011, Rodney Bay, St. Lucia, February 28 - March 4, 2011, Revised Selected Papers

Edited by: George Danezis, Sven Dietrich, Kazue Sako

Publisher: Springer Berlin Heidelberg

Book series: Lecture Notes in Computer Science


About this book

This book contains the revised selected papers of the Second Workshop on Real-Life Cryptographic Protocols and Standardization, RLCPS 2011, and the Second Workshop on Ethics in Computer Security Research, WECSR 2011, held in conjunction with the 15th International Conference on Financial Cryptography and Data Security, FC 2010, in Rodney Bay, St. Lucia, in February/March 2011. The 16 revised papers presented were carefully reviewed and selected from numerous submissions. The papers cover topics ranging from anonymity and privacy, authentication and identification, biometrics, commercial cryptography, digital cash and payment systems, infrastructure design, management and operations, to security economics and trust management.

Table of contents

Frontmatter

Financial Cryptography and Data Security Workshops

Real-Life Cryptographic Protocols and Standardization

Cryptographic Protocols: From the Abstract to the Practical to the Actual
Abstract
We identify three levels of cryptographic research and development: Starting from the general “abstract” design level, the first layer includes much of theoretical cryptography, and general engineering principles (most present in cryptographic conferences). The second level is of designs which are contributed to systems and international standards, and include mechanisms ready to be implemented in hardware and software; we call this level “practical.” Finally, the third level which we call “actual,” includes fielded cryptography as external contribution to, and part of “general (hardware/software) engineering projects,” requiring cryptographic participation and supervision throughout the life cycle of the constructed system. I briefly review these three levels and their connections (the treatment is based on personal experience and is, therefore, subjective). The position expressed here motivates the need for a scientific forum on “real life cryptographic designs and protocols,” to deal with the interactions between the three levels from an actual real-life perspective.
Moti Yung
Toward Real-Life Implementation of Signature Schemes from the Strong RSA Assumption
Abstract
This paper introduces our work on performance improvement of signature schemes based on the strong RSA assumption for the purpose of real-life implementation and deployment. Many signature schemes based on the strong RSA assumption have been proposed in the literature. The main advantage of these schemes is that they have security proofs in the standard model, while the traditional RSA scheme can only be demonstrated secure in the Random Oracle Model. However, the downside is the loss of efficiency among these schemes. Almost all these schemes double the computational cost of signature generation in the RSA scheme. So far the research in this area has focused more on the theoretical aspect. In this paper, we introduce techniques which greatly improve the performance of available schemes, and obtain a state-of-the-art signature scheme in the strong RSA family. In a typical setting where the RSA modulus is 1024 bits, it needs only one exponentiation calculation at the cost of about 160 modular multiplications, and a 162-bit prime number generation. This cost is even lower than the RSA signature scheme. Our work brings the current theoretical results into real-life implementation and deployment.
Ping Yu, Rui Xue
Detailed Cost Estimation of CNTW Attack against EMV Signature Scheme
Abstract
EMV signature is one of the specifications for authenticating credit and debit card data, which is based on the ISO/IEC 9796-2 signature scheme. At CRYPTO 2009, Coron, Naccache, Tibouchi, and Weinmann proposed a new forgery attack against the signature scheme ISO/IEC 9796-2. They also briefly discussed the possibility of applying the attack to EMV signatures. They showed that the forging cost is $45,000 and concluded that the attack could not forge them for operational reasons. However, their results are derived from an incomplete analysis under only one condition. The condition they adopt is the typical case. For security evaluation, a full analysis and an estimation in the worst case are needed. This paper shows the cost estimation of the CNTW attack against EMV signature in detail. We construct an evaluation model and show cost estimations under all conditions that Coron et al. do not estimate. As a result, it has become clear that EMV signature can be forged with less than $2,000 under a certain condition. This fact shows that the CNTW attack might be a realistic threat.
Tetsuya Izu, Yoshitaka Morikawa, Yasuyuki Nogami, Yumi Sakemi, Masahiko Takenaka
Fast Elliptic Curve Cryptography in OpenSSL
Abstract
We present a 64-bit optimized implementation of the NIST and SECG-standardized elliptic curve P-224. Our implementation is fully integrated into OpenSSL 1.0.1: full TLS handshakes using a 1024-bit RSA certificate and ephemeral Elliptic Curve Diffie-Hellman key exchange over P-224 now run at twice the speed of standard OpenSSL, while atomic elliptic curve operations are up to 4 times faster. In addition, our implementation is immune to timing attacks—most notably, we show how to do small table look-ups in a cache-timing resistant way, allowing us to use precomputation. To put our results in context, we also discuss the various security-performance trade-offs available to TLS applications.
Emilia Käsper
Cryptographic Treatment of Private User Profiles
Abstract
The publication of private data in user profiles in a both secure and private way is a rising problem and of special interest in, e.g., online social networks that become more and more popular. Current approaches, especially for decentralized networks, often do not address this issue or impose large storage overhead. In this paper, we present a cryptographic approach to Private Profile Management that is seen as a building block for applications in which users maintain their own profiles, publish and retrieve data, and authorize other users to access different portions of data in their profiles. In this course, we provide: (i) formalization of confidentiality and unlinkability as two main security and privacy goals for the data which is kept in profiles and users who are authorized to retrieve this data, and (ii) specification, analysis, and comparison of two private profile management schemes based on different encryption techniques.
Felix Günther, Mark Manulis, Thorsten Strufe
An Introspection-Based Memory Scraper Attack against Virtualized Point of Sale Systems
Abstract
Retail industry Point of Sale (POS) computer systems are frequently targeted by hackers for credit/debit card data. Faced with increasing security threats, new security standards requiring encryption for card data storage and transmission were introduced making harvesting card data more difficult. Encryption can be circumvented by extracting unencrypted card data from the volatile memory of POS systems. One scenario investigated in this empirical study is the introspection-based memory scraping attack. Vulnerability of nine commercial POS applications running on a virtual machine was assessed with a novel tool, which exploited the virtual machine state introspection capabilities supported by modern hypervisors to automatically extract card data from the POS virtual machines. The tool efficiently extracted 100% of the credit/debit card data from all POS applications. This is the first detailed description of an introspection-based memory scraping attack on virtualized POS systems.
Jennia Hizver, Tzi-cker Chiueh
A Study on Computational Formal Verification for Practical Cryptographic Protocol: The Case of Synchronous RFID Authentication
Abstract
Formal verification of cryptographic protocols has a long history with a great number of successful verification tools created. Recent progress in formal verification theory has brought more powerful tools capable of handling computational assumption, which leads to more reliable verification results for information systems.
In this paper, we introduce an effective scheme and studies on applying computational formal verification toward a practical cryptographic protocol. As a target protocol, we reconsider a security model for RFID authentication with a man-in-the-middle adversary and communication fault. We define three models and security proofs via a game-based approach that, in a computational sense, makes our security models compatible with formal security analysis tools. Then we show the combination of using a computational formal verification tool and handwritten verification to overcome the computational tool’s limitations. We show that the target RFID authentication protocol is robust against the above-mentioned attacks, and then provide game-based (handwritten) proofs and their verification via CryptoVerif.
Yoshikazu Hanatani, Miyako Ohkubo, Shin’ichiro Matsuo, Kazuo Sakiyama, Kazuo Ohta
Biometric Transaction Authentication Protocol: Formal Model Verification and “Four-Eyes” Principle Extension
Abstract
The BTA protocol for biometric authentication of online banking transactions is extended to allow for multiple person authenticated transactions. In addition a formal specification is given, the protocol is modelled in the applied pi calculus and the security properties of data and person authentication as well as non-repudiation are verified using the tool ProVerif.
Daniel Hartung, Christoph Busch
Exploration and Field Study of a Password Manager Using Icon-Based Passwords
Abstract
We carry out a hybrid lab and field study of a password manager program, and report on usability and security. Our study explores iPMAN, a browser-based password manager that in addition uses a graphical password scheme for the master password. We present our findings as a set of observations and insights expected to be of interest both to those exploring password managers, and graphical passwords.
Kemal Bicakci, Nart Bedin Atalay, Mustafa Yuceel, P. C. van Oorschot

Workshop on Ethics in Computer Security Research

Ethical Issues in E-Voting Security Analysis
Abstract
Research about weaknesses in deployed electronic voting systems raises a variety of pressing ethical concerns. In addition to ethical issues common to vulnerability research, such as the potential harms and benefits of vulnerability disclosure, electronic voting researchers face questions that flow from the unique and important role voting plays in modern democratic societies. Should researchers worry that their own work (not unlike the flaws they study) could sway an election outcome? When elected officials authorize a security review, how should researchers address the conflicted interests of these incumbent politicians, who may have powerful incentives to downplay problems, and might in principle be in a position to exploit knowledge about vulnerabilities when they stand for re-election? How should researchers address the risk that identifying specific flaws will lead to a false sense of security, after those particular problems have been resolved? This paper makes an early effort to address these and other questions with reference to experience from previous e-voting security reviews. We hope our provisional analysis will help practicing researchers anticipate and address ethical issues in future studies.
David G. Robinson, J. Alex Halderman
Computer Security Research with Human Subjects: Risks, Benefits and Informed Consent
Abstract
Computer security research frequently entails studying real computer systems and their users; studying deployed systems is critical to understanding real world problems, as is having would-be users test a proposed solution. In this paper we focus on three key concepts in regard to ethics: risks, benefits, and informed consent. Many researchers are required by law to obtain the approval of an ethics committee for research with human subjects, a process which includes addressing the three concepts focused on in this paper. Computer security researchers who conduct human subjects research should be concerned with these aspects of their methodology regardless of whether they are required to by law; it is our ethical responsibility as professionals in this field. We augment previous discourse on the ethics of computer security research by sparking the discussion of how the nature of security research may complicate determining how to treat human subjects ethically. We conclude by suggesting ways the community can move forward.
Maritza L. Johnson, Steven M. Bellovin, Angelos D. Keromytis
Human Subjects, Agents, or Bots: Current Issues in Ethics and Computer Security Research
Abstract
In this panel, we explore some of the issues surrounding the ethical review of computer security research by institutional review boards (IRBs) and other ethical review bodies. These issues include interpretation of legal language defining how ethical review is to be performed, the impact of information and communication technologies (ICT) on research methods and ethical analysis, how terms like “risk” and “harm” must be interpreted in the light of ICT. We examine two case studies in which these issues surface, and conclude by providing some ideas on the path forward.
John Aycock, Elizabeth Buchanan, Scott Dexter, David Dittrich
Enforced Community Standards for Research on Users of the Tor Anonymity Network
Abstract
Security and privacy researchers are increasingly taking an interest in the Tor network, and have even performed studies that involved intercepting the network communications of Tor users. There are currently no generally agreed upon community norms for research on Tor users, and so unfortunately, several projects have engaged in problematic behavior – not because the researchers had malicious intent, but because they simply did not see the ethical or legal issues associated with their data gathering. This paper proposes a set of four bright-line rules for researchers conducting privacy invading research on the Tor network. The author hopes that it will spark a debate, and hopefully lead to responsible program committees taking some action to embrace these, or similar rules.
Christopher Soghoian
Ethical Dilemmas in Take-Down Research
Abstract
We discuss nine ethical dilemmas which have arisen during the investigation of ‘notice and take-down’ regimes for Internet content. Issues arise when balancing the desire for accurate measurement to advance the security community’s understanding with the need to immediately reduce harm that is uncovered in the course of measurement. Research methods demand explanation to be accepted in peer-reviewed publications, yet the dissemination of knowledge may help miscreants improve their operations and avoid detection in the future. Finally, when researchers put forward solutions to problems they have identified, it is important that they ensure that their interventions demonstrably improve the situation and do not cause undue collateral damage.
Tyler Moore, Richard Clayton
Ethical Considerations of Sharing Data for Cybersecurity Research
Abstract
Governments, companies, and scientists performing cyber security research need reference data sets, based on real systems and users, to test the validity and efficacy of the predictions of a given theory. However, various ethical and practical concerns complicate when and how proprietary operational data should be shared. In this paper, we discuss hypothetical and actual examples to illustrate the reasons for increasing the availability of data for legitimate research purposes. We also discuss the reasons, such as privacy and competition, to limit data sharing. We discuss the capabilities and limitations of several existing models of data sharing. We present an infrastructure specifically designed for making proprietary operational data available for cyber security research and experimentation. We conclude by discussing the ways in which a new infrastructure, WINE, balances the values of openness, sound experimentation, and privacy by enabling data sharing with privacy controls.
Darren Shou
Moving Forward, Building an Ethics Community (Panel Statements)
Abstract
The organizing question around which this panel at WECSR 2011 rallied was how to move toward building a nation-state-agnostic ethics community in computer security research.
Erin Kenneally, Angelos Stavrou, John McHugh, Nicolas Christin
Backmatter
Metadata
Title
Financial Cryptography and Data Security
Edited by
George Danezis
Sven Dietrich
Kazue Sako
Copyright year
2012
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-642-29889-9
Print ISBN
978-3-642-29888-2
DOI
https://doi.org/10.1007/978-3-642-29889-9