Information and Communications Security

RFID technology arouses great interests from both its advocates and opponents because of the promising but privacy-threatening nature of low-cost RFID tags. A main privacy concern in RFID systems results from clandestine scanning through which an adversary could conduct silent tracking and inventorying of persons carrying tagged objects. Thus, the most important security requirement in designing RFID protocols is to ensure untraceability of RFID tags by unauthorized parties (even with knowledge of a tag secret due to no physical security of low-cost RFID tags). Previous work in this direction mainly focuses on backward untraceability, requiring that compromise of a tag secret should not help identify the tag from past communication transcripts. However, in this paper, we argue that forward untraceability, i.e., untraceability of future events even with knowledge of a current tag secret, should be considered as an equally or even more important security property in RFID protocol designs. Furthermore, RFID tags may often change hands during their lifetime and thus the problem of tag ownership transfer should be dealt with as another key issue in RFID privacy problems; once ownership of a tag is transferred to another party, the old owner should not be able to read the tag any more. It is rather obvious that complete transfer of tag ownership is possible only if some degree of forward untraceability is provided. We propose a strong and robust RFID authentication protocol satisfying both forward and backward untraceability and enabling complete transfer of tag ownership.

There has been considerable interest recently on developing a system to track items like pharmaceutical drugs or food products. Such a system can help prevent counterfeits, aid product recall, and improve general logistics. In this paper, we present such system based on radio frequency identity (RFID) technology. Our solution provides the means of storing the entire movement of the item from original manufacturer to final consumer on the RFID tag itself, and also makes it more difficult to introduce large numbers of counterfeits. The solution also allows the end user to easily verify the authenticity of the item.

In this paper, we study the solvability of fair exchange in the context of Byzantine failures. In doing so, we first present a generic model with trusted and untrusted processes, and propose a specification of the fair exchange problem that clearly separates safety and liveness, via fine-grained properties. We then show that the solvability of fair exchange depends on a necessary and sufficient topological condition, which we name the

reachable majority

condition. The first part of this result, i.e., the condition is necessary, was shown in a companion paper and is briefly recalled here. The second part, i.e., the condition is sufficient, is the focal point of this paper. The correctness proof of this second part consists in proposing a solution to fair exchange in the aforementioned model.

This paper reports on a security analysis of the IEEE 1588 standard, a.k.a. Precise Time Protocol (PTP). We show that attackers can use the protocol to (a) incorrectly resynchronize clocks, (b) rearrange or disrupt the hierarchy of PTP clocks, (c) bring the protocol participants into an inconsistent state, or (d) deprive victim slave clocks from synchronization in ways undetectable by generic network intrusion detection systems. We also propose countermeasures for the identified attacks.

A proxy signature enables an original signer to delegate her signing capability to a proxy signer and then the proxy signer can sign a message on behalf of the original signer. In this paper we propose an ID-based proxy signature scheme from bilinear pairings. We provide exact security proof of the proposed ID-based proxy signature scheme in the random oracle model under the Computational Diffie-Hellman assumption without using Forking Lemma.

At PODC’05, Subramanian, Katz, Roth, Shenker and Stoica (SKRSS) introduced and formulated a new theoretical problem called reliable broadcast problems in unknown fixed-identity networks [3] and further proposed a feasible result to this problem. Since the size of signatures of a message traversing a path grows linearly with the number of hops in their implementations, this leaves an interesting research problem (an open problem advertised by Subramanian et al in [3]) – how to reduce the communication complexity of their reliable broadcast protocol?

In this paper, we provide a novel implementation of reliable broadcast problems in unknown fixed-identity networks with lower communication complexity. The idea behind of our improvement is that we first transfer the notion of path-vector signatures to that of sequential aggregate path-vector signatures and show that the notion of sequential aggregate path-vector is a special case of the notion of sequential aggregate signatures. As a result, the currently known results regarding sequential aggregate signatures can be used to solve the open problem. We then describe the work of [3] in light of sequential aggregate signatures working over independent RSA, and show that if the size of an node

v

i

,

j

’s public key |

g

(

v

i

,

j

)| is

t

i

,

j

and the number of hops in a path

p

i

is

d

i

in the unknown fixed-identity graph

G

(with

k

adversaries), the reduced communication complexity is approximate to

$\sum_{j=1} ^{d_i-1} t_{i, j}$

while the computation (time) complexity of our protocol is the same as that presented in [3].

One of the most commonly used two-factor authentication mechanisms is based on smart card and user’s password. Throughout the years, there have been many schemes proposed, but most of them have already been found flawed due to the lack of formal security analysis. On the cryptanalysis of this type of schemes, in this paper, we further review two recently proposed schemes and show that their security claims are invalid. To address the current issue, we propose a new and simplified property set and a formal adversarial model for analyzing the security of this type of schemes. We believe that the property set and the adversarial model themselves are of independent interest.

We then propose a new scheme and a generic construction framework. In particular, we show that a secure password based key exchange protocol can be transformed efficiently to a smartcard and password based two-factor authentication scheme provided that there exist pseudorandom functions and collision-resistant hash functions.

We propose a hierarchical key-assignment method to reduce the ciphertext size in a black-box tracing scheme presented at ASIACRYPT 2004. Applying the proposed method to this scheme, the ciphertext size is reduced from

$O(\sqrt{n})$

to

O

(

k

+log(

n

/

k

)) without a substantial increase in the decryption-key size, where

k

,

n

denote the maximum number of colluders in a coalition and the total number of receivers respectively. The resulting scheme also supports black-box tracing and enjoys the following properties: Even if a pirate decoder does not respond any further queries when it detects itself being examined, the pirate decoder can be traced back to a person who participated in its construction. A tracer’s key, which is necessary for black-box tracing, is public.

Cache based side-channel attacks have recently been attracted significant attention due to the new developments in the field. In this paper, we present an efficient trace-driven cache attack on a widely used implementation of the AES cryptosystem. We also evaluate the cost of the proposed attack in detail under the assumption of a noiseless environment. We develop an accurate mathematical model that we use in the cost analysis of our attack. We use two different metrics, specifically, the expected number of necessary traces and the cost of the analysis phase, for the cost evaluation purposes. Each of these metrics represents the cost of a different phase of the attack.

The notion of Oblivious Commitment Based Envelope (OCBE) was recently proposed; it enables attribute-based access control without revealing any information about the attributes. Previous OCBE protocols are designed by taking zero-knowledge proof protocols that prove a committed value satisfies some property and changing the protocols so that instead of one party proving to the other party, the two parties compute two keys that agree if and only if the committed value indeed satisfy the property. In this paper, we introduce a more general approach for designing OCBE protocols that uses zero-knowledge proof protocols in a black-box fashion. We present a construction such that given a zero-knowledge proof protocol that proves a committed value satisfies a predicate, we have an OCBE protocol for that predicate with constant additional cost. Compared with previous OCBE protocols, our construction is more general, more efficient, and has wide applicability.

To facilitate managing access control in a system, security officers increasingly write access control policies in specification languages such as XACML, and use a dedicated software component called a Policy Decision Point (PDP). To increase confidence on written policies, certain types of policy testing (often in an ad hoc way) are usually conducted, which probe the PDP with some typical requests and check PDP’s responses against expected ones. This paper develops a first step toward systematic policy testing by defining and measuring policy coverage when testing policies. We have developed a coverage-measurement tool to measure policy coverage given a set of XACML policies and a set of requests. We have developed a tool for request generation, which randomly generates requests for a given set of policies, and a tool for request reduction, which greedily selects a nearly minimal set of requests for achieving the same coverage as the originally generated requests. To evaluate coverage-based request reduction and its effect on fault detection, we have conducted an experiment with mutation testing on a set of real policies. Our experimental results show that the coveragebased test reduction can substantially reduce the size of generated requests and incur only relatively low loss on fault detection. We also conduct a study on the policy coverage achieved by manually generated requests.

Trust management (TM) is an approach to access control in decentralized distributed systems with access control decisions based on statements made by multiple principals. Li et al. developed the

RT

family of Role-Based Trust-management languages, which combine the strengths of Role-Based Access Control and TM systems. We present a distributed credential chain discovery algorithm for

RT

1

C

, a language in the

RT

family that has parameterized roles and constraints. Our algorithm is a combination of the logic-programming style top-down query evaluation with tabling and a goal-directed version of the deductive database style bottom-up evaluation. Our algorithm uses hints provided through the storage types to determine whether to use a top-down or bottom-up strategy for a particular part of the proof; this enables the algorithm to touch only those credentials that are related to the query, which are likely to be a small fraction of all the credentials in the system.

SAM

is a processor extension used to protect execution of dedicated programs by preventing data disclosure and program manipulations in a multitasking environment. This paper presents an operating system design based on the Linux kernel for

SAM

. The design splits the kernel into a very small protected part and an unprotected part used by drivers and high level functions. Using this kernel protected and unprotected programs can be executed in parallel without diminishing the protection. The protection mechanism does not slow down the execution of unprotected programs, since it is only active during the execution of protected programs.

This paper studies the notion of point-based policies for trust management, and gives protocols for realizing them in a disclosure-minimizing fashion. Specifically, Bob values each credential with a certain number of points, and requires a minimum total threshold of points before granting Alice access to a resource. In turn, Alice values each of her credentials with a privacy score that indicates her reluctance to reveal that credential. Bob’s valuation of credentials and his threshold are private. Alice’s privacy-valuation of her credentials is also private. Alice wants to find a subset of her credentials that achieves Bob’s required threshold for access, yet is of as small a value to her as possible. We give protocols for computing such a subset of Alice’s credentials without revealing any of the two parties’ above-mentioned private information.

When datasets are distributed on different sources, finding out matched data while preserving the privacy of the datasets is a widely required task. In this paper, we address two matching problems against the private datasets on

N

(

N

≥2) parties. The first one is the Privacy Preserving Set Intersection (PPSI) problem, in which each party wants to learn the intersection of the

N

private datasets. The second one is the Privacy Preserving Set Matching (PPSM) problem, in which each party wants to learn whether its elements can be matched in any private set of the other parties. For the two problems we propose efficient protocols based on a threshold cryptosystem which is additive homomorphic. In a comparison with the related work in [18], the computation and communication costs of our PPSI protocol decrease by 81% and 17% respectively, and the computation and communication costs of our PPSM protocol decrease by 80% and 50% respectively. In practical utilities both of our protocols save computation time and communication bandwidth.

Radio Frequency Identification (RFID) systems promise large scale, automated tracking solutions but also pose a threat to customer privacy. The tree-based hash protocol proposed by Molnar and Wagner presents a scalable, privacy-preserving solution. Previous analyses of this protocol concluded that an attacker who can extract secrets from a large number of tags can compromise privacy of other tags. We propose a new metric for information leakage in RFID protocols along with a threat model that more realistically captures the goals and capabilities of potential attackers. Using this metric, we measure the information leakage in the tree-based hash protocol and estimate an attacker’s probability of success in tracking targeted individuals, considering scenarios in which multiple information sources can be combined to track an individual. We conclude that an attacker has a reasonable chance of tracking tags when the tree-based hash protocol is used.

This paper presents the concept of anonymous identification card, a technique enabling a card holder to demonstrates his/her authenticity without disclosing real identity. Anonymous identification card can be used in settings in which people need to demonstrate their eligibility to do certain things, meanwhile they are sensitive to their privacy, not hoping to disclose their identity information to a verifier. We proposed an efficient anonymous authentication scheme for this anonymous identification card, with the support of rogue card revocation. The most advantage of our scheme is its simplicity and efficiency such that all computation can be carried out by a resource-limited identification card. We proved our scheme is secure under the strong RSA assumption and the decisional Diffie-Hellman assumption.

Microprocessor devices, such as smart cards, are used more and more to store and protect secret information. This development has its advantages, but microprocessor devices are susceptible to various attacks. Much attention has been devoted to side-channel attacks, exploiting unintentional correlation between internal secret information, such as cryptographic keys, and the various side channels. We present a wireless covert channel attack (WCCA) that intentionally correlates secret information with the electromagnetic side channel. WCCA exploits subversive code hidden on all cards during manufacture, to launch an attack, without physical access, when infected cards are used. Experiments on modern smart cards confirm that an insider with the opportunity to hide subversive code can potentially broadcast the card’s internal secrets to a nearby receiver. Security features against side-channel attacks will limit the range but not prevent the attack.

Proxy encryption schemes transform cipher-text from one key to another without revealing the plain-text. Agents that execute such transformations are therefore minimally trusted in distributed systems leading to their usefulness in many applications. However, till date no application of proxy encryption has been deployed and used in practice. In this work we describe our efforts in developing a deployable secure mailing list solution based on proxy encryption techniques. Securing emails exchanged on mailing lists requires that confidentiality, integrity, and authentication of the emails be provided. This includes ensuring their confidentiality while in transit at the list server; a functionality that is uniquely supported by proxy encryption. In developing this solution we addressed the challenges of identifying requirements for deployability, defining a component architecture that maximizes the use of COTS components to help in deployment, developing the proxy encryption protocol to satisfy requirements and to fit within the component architecture, implementing and testing the solution, and packaging the release. As evidence of its deployability, the resulting secure mailing list solution is compatible with common email clients including Outlook, Thunderbird, Mac Mail, Emacs, and Mutt.

A low-rate DoS attack to iterative servers has recently appeared as a new approach for defeating services using rates of traffic that could be adjusted to bypass security detection mechanisms. Although the fundamentals and effectiveness of these kind of attacks are known, it is not clear how to design the attack to achieve specific constraints based on the used rate and the efficiency in denial of service obtained. In this paper, a comprehensive mathematical framework that models the behaviour of the attack is presented. The main contribution of this model is to give a better understanding of the dynamics of these kind of attacks, in order to facilitate the development of detection and defense mechanisms.

A function-parallel network firewall is a scalable architecture that consists of multiple firewalls. Rules are distributed across the array such that each firewall implements a portion of the original policy. This resutls in significantly lower delays than other parallel designs; however, the design requires firewall intercommunication to coordinate the array which is difficult to implement and introduces additional delay.

This paper describes how the performance of a function-parallel firewall array can be increased if the individual firewalls can operate independently, without firewall intercommunication. By distributing rules using accept sets, the independent firewall array and a traditional single firewall will always arrive at the same decision (integrity is maintained). Simulation results will show the system is significantly faster than other designs and has the unique ability to provide service differentiation.

In order to resist an unauthorized use of the resources accessible through mobile terminals, masquerader detection means can be employed. In this paper, the problem of mobile-masquerader detection is approached as a classification problem, and the detection is performed by an ensemble of one-class classifiers. Each classifier compares a measure describing user behavior or environment with the profile accumulating the information about past behavior and environment. The accuracy of classification is empirically estimated by experimenting with a dataset describing the behavior and environment of two groups of mobile users, where the users within groups are affiliated with each other. It is assumed that users within a group have similarities in their behavior and environment and hence are more difficult to differentiate, as compared with distinguishing between the users of different groups. From the practical detection perspective, the former case corresponds to the “worst-case” scenario where the masquerader has a rich knowledge of the user behavior and environment and is able to mimic them, while the latter case corresponds to the “best-case” scenario, where the masquerader makes little or no attempt to mimic the behavior and environment of the user. The classification accuracies are also evaluated for different levels of false rejection errors. The obtained results indicate that, when smaller values of false rejection errors are required, ensembles of few best-performing classifiers are preferable, while a five-classifier ensemble achieves better accuracy when higher levels of false rejection errors are tolerated.

Cooperation between participants is essential to P2P applications’ viability. Due to obscure possibility to match peers’ needs and supplies in pairs, the widely used pair-wise exchange-based incentive schemes perform poorly. The N-way exchange-based incentive scheme enlarges the matching possibility by introducing n person exchanges. But some old problems remain and some new ones emerge with the N-way design. In this paper we present an enhanced n-way exchange-based incentive scheme for P2P file sharing systems. By distributing extra tasks to all the peers involved in an n-way exchange, the proposed scheme eliminates prohibitive computation and communication cost on the cooperators, resulting in greater efficiency, effectiveness, and security.

Non-interference

has become the standard criterion for ensuring confidentiality of sensitive data in the information flow literature. However, application of non-interference to practical software systems has been limited. This is partly due to the imprecision that is inherent in static analyses that have formed the basis of previous non-interference based techniques. Runtime approaches can be significantly more accurate than static analysis, and have often been more successful in practice. However, they can only reason about explicit information flows that take place via assignments in a program. Implicit flows that take place without involving assignments, and can be inferred from the structure and/or semantics of the program, are missed by runtime techniques. This paper seeks to bridge the gap between the accuracy provided by runtime techniques and the completeness provided by static analysis techniques. In particular, we develop a hybrid technique that relies primarily on runtime information-flow tracking, but augments it with static analysis to reason about implicit flows that arise due to unexecuted paths in a program. We prove that the resulting technique preserves non-interference, while providing some of the traditional benefits of dynamic analysis such as improved accuracy.

Self-modifying codes (SMC) refer to programs that intentionally modify themselves at runtime, causing the runtime code to differ from the static binary representation of the code before execution. Hence SMC is an effective method to obstruct software disassembling. This paper presents a method which circumvents the SMC protection, thus improving the performance of disassembling. By disabling the write privilege to the code section, an access violation exception occurs when an SMC attempts to execute. Intercepting this exception allows the attacker to determine and thus compromise the SMC and generate equivalent static code. Our experiments demonstrate that it is viable and efficient.

Modern computing environments depend on extensive shared libraries. In this paper, we propose monitoring the calls between those libraries as a new source of data for host-based anomaly detection. That is, we characterize an application by its use of shared library functions and characterize each shared library function by its use of (lower-level) shared libraries. This approach to intrusion detection offers significant benefits, especially in systems such as Windows, much of which is implemented above the kernel as dynamically linked libraries (DLLs). It localizes anomalies to particular code modules, facilitating anomaly analysis and assessment and discouraging mimicry attacks. It reduces retraining after system updates and enables training concurrent with detection. The proposed approach can be used with various techniques for modeling call sequences, including N-grams, automata, and techniques that consider parameter values. To demonstrate its potential, we have studied how a DLL-level profiling IDS would detect two recent attacks on Windows systems.

Bugs in dynamic memory management, including for instance heap-based buffer overflows and dangling pointers, are an important source of vulnerabilities in C and C++. Overwriting the management information of the memory allocation library is often a source of attack on these vulnerabilities. All existing countermeasures with low performance overhead rely on magic values or canaries. A secret value is placed before a crucial memory location and by monitoring whether the value has changed, overruns can be detected. Hence, if attackers are able to read arbitrary memory locations, they can bypass the countermeasure. In this paper we present an approach that, when applied to a memory allocator, will protect against this attack vector without resorting to magic. We implemented our approach by modifying an existing widely-used memory allocator. Benchmarks show that this implementation has a negligible, sometimes even beneficial, impact on performance.

Password authentication is an important mechanism for remote login systems, where only authorized users can be authenticated via using their passwords and/or some similar secrets. In 1999, Yang and Shieh [14] proposed two password authentication schemes using smart cards. Their schemes are not only very efficient, but also allow users to change their passwords freely and the server has no need to maintain a verification table for authenticating users. However, their schemes are later identified to be flawed. To overcome those security flaws, Shen et al. [9] and Yoon et al. [17] proposed further improvements and claimed their new schemes are secure. In this paper, we first point out that Yang et al.’s attack [15] against Shen et al.’s scheme is actually

invalid

, since we can show that in a real implementation it is extremely difficult to find two hash values such that one is divisible by the other. After that, we show that both of Shen et al.’ scheme and Yoon et al.’s scheme are

insecure

by identifying several effective impersonation attacks. Those attacks enable an outsider to be successfully authenticated and then enjoy the resources and/or services provided by the server.

Recently, a number of ID-based authenticated key agreement protocols from bilinear pairings have been proposed. In this paper we present security analysis of four ID-based authenticated key agreement protocols from pairings proposed in [11, 12, 7, 18]. These results demonstrate that no more ID-based authenticated key agreement protocols should be constructed with such ad-hoc methods, i.e, the formal design methodology as in [1, 2, 3, 10] should be employed in future design.

Seifert (ACM CCS 2005) recently described a new fault attack against an implementation of RSA signature

verification

. Seifert’s attack differs from the seminal work of Boneh, DeMillo and Lipton (EUROCRYPT 1997) in that it targets a public-key rather than a private-key operation. Here we give a simplified analysis of Seifert’s attack and gauge its practicality against RSA moduli of practical sizes. Our intent is to give practice-oriented work estimates rather than asymptotic results. We also suggest an improvement to Seifert’s attack which has the following consequences: If an adversary is able to cause random faults in only 4 bits of a 1024-bit RSA modulus stored in a device, then there is a greater than 50% chance that they will be able to make that device accept a signature on a message of their choice. For 2048-bit RSA, 6 bits suffice.

In Eurocrypt 2004, Chen, Kudla and Paterson introduced the concept of

concurrent signatures

, which allow two parties to produce two ambiguous signatures until the initial signer releases an extra piece of information (called

keystone

). Once the keystone is publicly known, both signatures are bound to their true signers

concurrently

. In ICICS 2004, Susilo, Mu and Zhang further proposed

perfect concurrent signatures

to strengthen the ambiguity of concurrent signatures. That is, even if the both signers are known having issued one of the two ambiguous signatures, any third party is still unable to deduce who signed which signature, different from Chen et al.’s scheme. In this paper, we point out that Susilo et al.’s two perfect concurrent signature schemes are actually

not

concurrent signatures. Specifically, we identify an attack that enables the initial signer to release a carefully prepared keystone that binds the matching signer’s signature, but not the initial signer’s. Therefore, their schemes are

unfair

for the matching signer. Moreover, we present an effective way to avoid this attack so that the improved schemes are truly perfect concurrent signatures.

A wide variety of powerful cryptographic tools have been built using RSA, Diffie-Hellman, and other similar assumptions as their basis. Computational security has been achieved relative to complexity assumptions about the computational difficulty of a variety of number theoretic problems. However, these problems are closely related, and it is likely that if any one of them turns out to be efficiently solvable with new mathematical advances or new kinds of computational devices, then similar techniques could be applicable to all of them. To provide greater diversity of security assumptions so that a break of one of them is less likely to yield a break of many or all of them, it is important to expand the body of computational problems on which security systems are based. Specifically, we suggest the use of hardness assumptions based on the complexity of logic problems, and in particular, we consider the well known Boolean

3Sat

problem.

In this paper, we consider the use of the

3Sat

problem to provide a cryptographic primitive,

secure set membership

. Secure set membership is a general problem for participants holding set elements to generate a representation of their set that can then be used to prove knowledge of set elements to others. Set membership protocols can be used, for example, for authentication problems such as digital credentials and some signature problems such as timestamping.

Koblitz curves are often used in digital signature schemes where signature verifications need to be computed efficiently. Simultaneous elliptic scalar multiplication is a useful method of carrying out such verifications. This paper presents an efficient alternative to

τ

-adic Joint Sparse Form that moves left-to-right for computations involving two points. A generalization of this algorithm is then presented for generating a low joint weight representation of an arbitrary number of integers.

In Asiacrypt 2003, the notion of the universal designated verifier signature (UDVS) was put forth by Steinfeld, Bull, Wang and Pieprzyk. In the new paradigm,

any

signature holder (not necessarily the signer) can designate the standard signature to any desired designated verifier (using the verifier’s public key), such that

only

the designated verifier will believe that the signature holder holds a valid standard signature, and hence, believe that the signer has indeed signed the message. When the signature holder is the

signer

himself, the UDVS scheme can be considered as a designated verifier signature (DVS) which was proposed by Jakobsson, Sako and Impagliazzo in Eurocrypt 1996. In the recent paper published in ICALP 2005, Lipmaa, Wang and Bao introduced a new security property, called “non-delegatability”, as an essential property of (universal) designated verifier signature. Subsequently, Li, Lipmaa and Pei used this new property to “attack” four designated verifier signatures in ICICS 2005 and showed that

none

of them satisfy the required property. To date, there is no UDVS scheme that does not suffer from the delegatability problem. In this paper, we propose the

first

provably secure UDVS without delegatability, which can also be regarded as another DVS scheme

without

delegatability. We also refine the models of the UDVS schemes and introduce the notion of the strong universal designated verifier signature (SUDVS). We believe that the model itself is of an independent interest.

Tracing nefarious HTTP activity to its source is sometimes extremely difficult when HTTP (and/or SOCKS) proxies are used for origin obfuscation. This paper describes a technique for tracing HTTP traffic through one or more non-cooperating HTTP (and/or SOCKS) proxies. The technique uses only passive observations of TCP/IP headers. Furthermore, the technique need only observe a single direction of the underlying TCP flows, i.e. the technique is asymmetric-route-robust. The technique represents a set of HTTP transactions as an activity profile. These profiles may be either distilled from passive network observations, or logged by a cooperating web server. Using statistical correlation techniques, we can trace both end-to-end SSL-encrypted HTTP, and unencrypted HTTP despite the source obfuscation methods employed by many contemporary proxies. The technique may be used to narrow the search space before applying other more resource intensive traceback techniques.

We show the fastest implementation result of RSA on Itanium 2. For realizing the fast implementation, we improved the implementation algorithm of Montgomery multiplication proposed by Itoh et al. By using our implementation algorithm, pilepine delay is decreased than previous one on Itanium 2. And we implemented this algorithm with highly optimized for parallel processing. Our code can execute 4 instructions per cycle (At maximum, 6 instructions are executed per cycle on Itanium 2), and its probability of pipeline stalling is just only 5%. Our RSA implementation using this code performs 32 times per second of 4096-bit RSA decryption with CRT on Itanium 2 at 900MHz. As a result, our implementation of RSA is the fastest on Itanium2. This is 3.1 times faster than IPP, a software library developed by Intel, in the best case.

We report our implementation of the RSA and ECC public-key cryptosystem on Berkeley Motes. We detail the implementation of 1024-bit RSA and 160-bit ECC cryptosystems on MICA mote sensors. We have achieved the performance of 0.79s for RSA public key operation and 21.5s for private operation, and 1.3s for ECC signature generation and 2.8s for verification. For comparison, we also show our new ECC implementation on TelosB motes with a signature time 1.60s and a verification time 3.30s. For the detailed description of the implementation, we refer to our technical report [13].

Implementations of cryptographic algorithms are vulnerable to side-channel attacks. Masking techniques are employed to counter side-channel attacks that are based on multiple measurements of the same operation on different data. Most currently known techniques require new random values after every nonlinear operation and they are not effective in the presence of glitches. We present a new method to protect implementations. Our method has a higher computational complexity, but requires random values only at the start, and stays effective in the presence of glitches.

Implementing IP security in broadband router without sacrificing the performance is main work we focused on. To meet the need of protecting wire speed forwarding data passing through fast path of the router, security module implemented with encryption chip was adopted; to protect non real time data passing through slow path of the router, the scheme of implementing IP security inside kernel of Master control module with software was introduced. Security architecture and several testing architectures were finely designed and depicted in the paper. Testing of security architecture was undergone in SR1880s router, which was developed by National Digital Switching System Engineering & Technological R&D Center of China (NDSC). Testing results show that the two schemes work well together.