2009 | Book

Information Security Practice and Experience

5th International Conference, ISPEC 2009 Xi’an, China, April 13-15, 2009 Proceedings

Edited by: Feng Bao, Hui Li, Guilin Wang

Publisher: Springer Berlin Heidelberg

Book series: Lecture Notes in Computer Science

About this book

The 5th International Conference on Information Security Practice and Experience (ISPEC 2009) was held in Xi’an, China, April 13–15, 2009. The ISPEC conference series is an established forum that brings together researchers and practitioners to provide a confluence of new information security technologies, including their applications and their integration with IT systems in various vertical sectors. In previous years, ISPEC has taken place in Singapore (2005), Hangzhou, China (2006), Hong Kong, China (2007), and Sydney, Australia (2008). For all sessions, as for this one, the conference proceedings were published by Springer in the Lecture Notes in Computer Science series. In total, 147 papers from 26 countries were submitted to ISPEC 2009, and 34 were finally selected for inclusion in the proceedings (acceptance rate 23%). The accepted papers cover multiple topics of information security and applied cryptography. Each submission was anonymously reviewed by at least three reviewers. We are grateful to the Program Committee, which was composed of more than 40 well-known security experts from 15 countries; we heartily thank them as well as all external reviewers for their time and valued contributions to the tough and time-consuming reviewing process. In addition to the regular paper presentations, the program also featured four invited talks by Yupu Hu, from Xidian University, China; Youki Kadobayashi, from Nara Institute of Science and Technology, Japan; Mark Ryan, from the University of Birmingham, UK; and Gene Tsudik, from the University of California at Irvine, USA. We are grateful to them for accepting our invitation to speak at the conference.

Table of contents

Frontmatter

Public Key Encryption

Efficient and Provable Secure Ciphertext-Policy Attribute-Based Encryption Schemes

With a Ciphertext-Policy Attribute-Based Encryption (CP-ABE) scheme, a user’s private key is associated with a set of attributes and the data is encrypted under an access policy defined by the message sender. A user can decrypt a ciphertext if and only if her attributes satisfy the access policy. In CP-ABE, since the message sender enforces the access policy during the encryption phase, the policy moves with the encrypted data. In this paper, we provide an efficient CP-ABE scheme which can express any access policy represented by a formula involving the "and" (∧) and "or" (∨) operators. The scheme is secure under the Decision Bilinear Diffie-Hellman (DBDH) assumption. Furthermore, we extend the expressiveness of the scheme by including the "of" (threshold) operator in addition to ∧ and ∨. We provide a comparison with some existing CP-ABE schemes and show that our schemes are more efficient.

Luan Ibraimi, Qiang Tang, Pieter Hartel, Willem Jonker
A Ciphertext-Policy Attribute-Based Encryption Scheme with Constant Ciphertext Length

An Attribute-Based Encryption (ABE) is an encryption scheme, where users with some attributes can decrypt ciphertexts associated with these attributes. However, the length of the ciphertext depends on the number of attributes in previous ABE schemes. In this paper, we propose a new Ciphertext-Policy Attribute-Based Encryption (CP-ABE) with constant ciphertext length. Moreover, the number of pairing computations is also constant.

Keita Emura, Atsuko Miyaji, Akito Nomura, Kazumasa Omote, Masakazu Soshi
RSA-Based Certificateless Public Key Encryption

Certificateless Public Key Cryptography was first introduced by Al-Riyami and Paterson in order to eliminate the inherent key-escrow problem of Identity-Based Cryptography. In this paper, we present a new practical construction of a certificateless public key encryption scheme without pairing. Our scheme is, in the random oracle model, provably secure under the assumption that the RSA problem is intractable.

Junzuo Lai, Robert H. Deng, Shengli Liu, Weidong Kou

Digital Signatures

Strongly Unforgeable ID-Based Signatures without Random Oracles

In this paper, we construct a strongly unforgeable ID-based signature scheme without random oracles. The signature size of our scheme is smaller than that of other schemes based on varieties of the Diffie–Hellman problem or the discrete logarithm problem. The security of the scheme relies on the difficulty of solving three problems related to the Diffie–Hellman problem and a one-way isomorphism.

Chifumi Sato, Takeshi Okamoto, Eiji Okamoto
On the Security of a Certificate-Based Signature Scheme and Its Improvement with Pairings

In traditional public key signature, the public key of a signer is essentially a random string selected from a given set. It is infeasible to prove that a party is indeed the signer for a given signature. In general, the public key of a user needs a management authority to authenticate it. As a result, a traditional public key cryptosystem (PKC) requires a high maintenance cost for certificate management. Although an identity-based cryptosystem (IBC) reduces the overhead of management, it suffers from the drawback of key escrow. A certificate-based cryptosystem combines the advantages of both PKC and IBC, as it avoids the usage of certificates and does not suffer from key escrow. Recently, Liu et al. proposed an efficient certificate-based signature and showed that the scheme was secure in the random oracle model. Unfortunately, this paper shows that the scheme is insecure and discusses the flaws in their security proof. Then the corresponding attacks are given. To overcome the flaws, an improved scheme is proposed, and the result shows that the scheme is provably secure against the two game attacks of certificate-based signature in the random oracle model. The security is closely related to the computational Diffie-Hellman problem.

Jianhong Zhang

System Security

An Empirical Investigation into the Security of Phone Features in SIP-Based VoIP Systems

Phone features, e.g., 911 call, voicemail, and Do Not Disturb, are critical and necessary for all deployed VoIP systems. In this paper, we empirically investigate the security of these phone features. We have implemented a number of attacks and experimented with VoIP services by leading VoIP service providers Vonage, AT&T and Gizmo. Our experimental results demonstrate that a man-in-the-middle or remote attacker could transparently 1) hijack selected E911 calls and impersonate the Public Safety Answering Point (PSAP); and 2) spoof the voicemail servers of both the caller and the callee of selected VoIP calls; and 3) make spam calls to VoIP subscribers even if Do Not Disturb is enabled. These empirical results confirm that leading deployed SIP-based VoIP systems have serious security vulnerabilities.

Ruishan Zhang, Xinyuan Wang, Xiaohui Yang, Ryan Farley, Xuxian Jiang
Reconstructing a Packed DLL Binary for Static Analysis

DLLs (Dynamic Link Libraries) are usually protected by various anti-reverse-engineering techniques. One technique commonly used is code packing, as packed DLLs hinder static code analysis such as disassembly. In this paper, we propose a technique to reconstruct a binary file for static analysis by loading a DLL and triggering and monitoring the execution of the entry-point function and exported functions of packed DLLs. By monitoring all memory operations and control transfer instructions, our approach extracts the original hidden code which is written into memory at run-time and constructs a binary based on the original DLL, the code extracted and the records of control transfers. To demonstrate its effectiveness, we implemented our prototype ReconPD based on QEMU. The experiments show that ReconPD is able to analyze the packed DLLs, yet is practical in terms of performance. Moreover, the reconstructed binary files can be successfully analyzed by static analysis tools, such as IDA Pro.

Xianggen Wang, Dengguo Feng, Purui Su
Static Analysis of a Class of Memory Leaks in TrustedBSD MAC Framework

Security labels of subjects and objects are crucial for some security policies and are an essential part of the TrustedBSD MAC framework. We find that security labels not being destroyed properly will result in memory leaks. This paper analyzes the security labels management of the TrustedBSD MAC framework and presents a path-sensitive static analysis approach to detect potential memory leaks caused by the security label management. This approach verifies complete destruction of security labels through compiler-integrated checking rules at compile-time. It achieves complete coverage of execution paths and has low false positive rate.

Xinsong Wu, Zhouyi Zhou, Yeping He, Hongliang Liang

Applied Cryptography

Efficient Concurrent $n^{\mathrm{poly}(\log n)}$-Simulatable Argument of Knowledge

In [16], Pass generalized the definition of zero knowledge proof and defined $n^{O(\sigma(n))}$-simulatable proof, which can be simulated by a simulator in $n^{O(\sigma(n))}$ time. Assuming the existence of a one-way permutation secure against sub-exponential circuits and a 2-round perfect hiding commitment scheme, an efficient 4-round perfect $n^{\mathrm{poly}(\log n)}$-simulatable argument of knowledge was presented there.

In this paper, we construct an efficient concurrent $n^{\mathrm{poly}(\log n)}$-simulatable argument of knowledge under a more general assumption. The new scheme is 5-round and is based on the existence of a one-way permutation secure against sub-exponential circuits. However, for the scheme in [16], if an ordinary Σ-protocol for the corresponding statement is used as sub-protocol, instead of a Σ-protocol with honest verifier perfect zero knowledge, the resulting protocol is not necessarily closed under concurrent composition.

Guifang Huang, Dongdai Lin, Yanshuo Zhang
New Constructions for Reusable, Non-erasure and Universally Composable Commitments

This paper proposes a novel construction of reusable and non-erasure commitment schemes in the common reference string model. We show that our implementation is secure in the universally composable paradigm assuming that the decisional Diffie-Hellman problem over a squared composite modulus of the form $N = pq$ is hard. Our methodology relies on state-of-the-art double trap-door public-key encryption protocols so that a simulator in charge of a common reference string can extract messages of cipher-text rather than the equivocability of underlying cryptographic systems. As a result, our method differs from those presented in [2] and [7]. The double trap-door mechanism is of great benefit to an ideal-world simulator since no modifications will be charged to unopened commitments in case that the participants who generated these commitments are corrupted, and thus enables us to implement efficient simulators in the ideal-world.

Huafei Zhu
Certificateless Hybrid Signcryption

Signcryption is a cryptographic primitive that fulfills both the functions of digital signature and public key encryption simultaneously, at a cost significantly lower than that required by the traditional signature-then-encryption approach. In this paper, we address a question whether it is possible to construct a hybrid signcryption scheme in the certificateless setting. This question seems to have never been addressed in the literature. We answer the question positively in this paper. In particular, we extend the concept of signcryption tag-KEM to the certificateless setting. We show how to construct a certificateless signcryption scheme using certificateless signcryption tag-KEM. We also give an example of certificateless signcryption tag-KEM.

Fagen Li, Masaaki Shirase, Tsuyoshi Takagi
On Non-representable Secret Sharing Matroids

The characterization of the access structures of ideal secret sharing schemes is one of the main open problems in secret sharing and has important connections with matroid theory. Because of its difficulty, it has been studied for several particular families of access structures. Multipartite access structures, in which the set of participants is divided into several parts and all participants in the same part play an equivalent role, have been studied in seminal works on secret sharing by Shamir, Simmons, and Brickell, and also recently by several authors. At EUROCRYPT’07, Farras et al. made an important contribution to this work: by using discrete polymatroids, they obtained a necessary condition and a sufficient condition for a multipartite access structure to be ideal, respectively. In particular, they further posed a very difficult open problem, that is, characterizing the representable discrete polymatroids, i.e., which discrete polymatroids are representable and which ones are non-representable. In this paper, by dealing with a family of matroids derived from the Vamos matroid, which was the first matroid that was proved to be non-representable, we obtain a family of non-representable matroids. As a consequence, we extend it to the general case and obtain a sufficient condition for a discrete polymatroid to be non-representable, which is a new contribution to the open problem given by Farras et al.

Qi Cheng, Yong Yin, Kun Xiao, Ching-Fang Hsu

Multimedia Security and DRM

A Novel Adaptive Watermarking Scheme Based on Human Visual System and Particle Swarm Optimization

In this paper, we propose a novel watermarking scheme based on adaptive quantization index modulation and singular value decomposition in the hybrid discrete wavelet transform (DWT) and discrete cosine transform (DCT) domain. The secret watermark bits are embedded in the singular value vector of blocks within the low frequency subband of the host image in the hybrid DWT-DCT domain. To embed the watermark imperceptibly, robustly and securely, we model the adaptive quantization steps by utilizing human visual system (HVS) characteristics and the particle swarm optimization (PSO) algorithm. Experimental results demonstrate that the proposed scheme is robust to a variety of image processing attacks. In the proposed algorithm the quantized embedding strategy is adopted, so no host image is needed for blind extraction of the watermark image.

Shaomin Zhu, Jianming Liu
Defending against the Pirate Evolution Attack

A trace and revoke scheme is an encryption scheme for secure content distribution so that only authorized users can access the copyrighted content. When a clone device is recovered, the "trace" component detects the pirate users that have compromised the secret keys in their devices and participated in the construction of the clone device. The "revoke" component excludes the pirate users from accessing the future content. The state-of-the-art trace-revoke scheme is the very efficient subset difference based NNL scheme [11], which is also deployed in AACS [1], the industry's new content protection standard for high definition DVDs. While its revocation and tracing are both very efficient, as pointed out by Kiayias and Pehlivanoglu at Crypto 2007, in its deployment the NNL scheme may suffer from a new attack called the pirate evolution attack. In this attack, attackers reveal the compromised secret keys to the clone decoder very slowly through a number of generations of pirate decoders, so that it takes a long time to disable them all. They showed that in a system with $N$ users, the attacker can produce up to $t \cdot \log N$ generations of pirate decoders given $t$ sets of keys. In the AACS context, that means a pirate can produce more than 300 generations of decoders by compromising only 10 devices. If this happens, it will indeed be a nightmare.

In this paper we are interested in practical solutions that can defend well against the pirate evolution attack in practice. In particular we devise an easy and efficient approach for the subset difference based NNL scheme [11] to defend well against the potential pirate evolution attack. Indeed it takes as few as 2 generations to detect and disable a traitor in a coalition. This can be achieved by only negligibly increasing the ciphertext header size in an application like AACS. The simplicity, efficiency and practicality of our approach has led AACS to adopt it to defend against the pirate evolution attack.

Hongxia Jin, Jeffrey Lotspiech
Security Specification for Conversion Technologies of Heterogeneous DRM Systems

Digital Rights Management (DRM) can be used to prohibit illegal reproduction and redistribution of digital content, to protect copyrights. However, current DRM systems are incompatible and lack interoperability in the exchange of data across different platforms designed and protected by different content providers. To overcome these drawbacks, three ways of interoperability are full-format interoperability, connected interoperability, and configuration-driven interoperability, allowing consumers to use the purchased content in their equipment of choice. In this paper, we study the security specification of configuration-driven interoperability for heterogeneous DRM systems, using the Common Criteria. Then, we study the security boundary, security environment, security objectives, and rationale of a CTHDS_PP (Conversion Technologies of Heterogeneous DRM Systems Protection Profile) to find important security features. The CTHDS_PP gives a discussion covering the current security problems of conversion technologies and lists threats to solve those problems. Moreover, this CTHDS_PP can be used by potential developers and system integrators, and reviewed and assessed by evaluators.

Heasuk Jo, Woongryul Jeon, Yunho Lee, Seungjoo Kim, Dongho Won

Security Protocols

Analysing Protocol Implementations

Many protocols running over the Internet are neither formalised, nor formally analysed. The amount of documentation for telecommunication protocols used in real-life applications is huge, while the available analysis methods and tools require precise and clear-cut protocol clauses. A manual formalisation of the Session Initiation Protocol (SIP) used in Voice over IP (VoIP) applications is not feasible. Therefore, by combining the information retrieved from the specification documents published by the IETF and traces of real world SIP traffic, we craft a formal specification of the protocol in addition to an implementation of the protocol. In the course of our work we detected several weaknesses, both in SIP call setup and in the Asterisk implementation of the protocol. These weaknesses could be exploited and pose a threat to authentication and non-repudiation of VoIP calls.

Anders Moen Hagalisletto, Lars Strand, Wolfgang Leister, Arne-Kristian Groven
Measuring Anonymity

Some systems offer probabilistic anonymity. The degree of anonymity is considered and defined by Reiter and Rubin [1]. In this paper metrics are proposed to measure the anonymity of probabilistic systems. The metric induces a topology on probabilistic applied π-processes, which are used to model anonymous systems. The degree of anonymity is formally defined, and as an illustrating example, Crowds – an anonymous system for web transactions – is analyzed.

Xiaojuan Cai, Yonggen Gu
A Hybrid E-Voting Scheme

There are two existing solutions to secure e-voting: homomorphic tallying and shuffling, each of which has its own advantages and disadvantages. The former supports efficient tallying but depends on a costly vote validity check and does not support complex elections. The latter supports complex elections and does not need a vote validity check but depends on costly shuffling operations in the tallying phase. In this paper, the two techniques are combined to exploit their advantages and avoid their disadvantages. The resulting e-voting scheme is called hybrid e-voting, which supports complex elections, employs an efficient vote validity check and only needs shuffling on a very small scale. So it is more efficient than the existing e-voting schemes, especially in complex elections.

Kun Peng

Key Exchange and Management

A Framework for Authenticated Key Exchange in the Standard Model

We first introduce the new notion of the so-called target-independent smooth projective hashing (TISPHash) based on computationally-hiding commitments. Based on it and a class of pseudo-random functions (PRFs), we propose a framework for (PKI-based) authenticated key exchange protocols without random oracles and prove it to be secure in the (currently) strongest security definition, the extended Canetti-Krawczyk security definition. Our protocol is actually an abstraction of the efficient key exchange protocol of T. Okamoto. The abstracted protocol enjoys efficient instantiations from any secure encryption scheme that admits an efficient construction of TISPHash and allows a simple and intuitive understanding of its security. In some sense, our construction generalizes the design of T. Okamoto.

Shuhua Wu, Yuefei Zhu
Secret Handshake: Strong Anonymity Definition and Construction

Secret handshake allows two members in the same group to authenticate each other secretly. In previous works on secret handshake schemes, two types of anonymity against the group authority (GA) of a group $G$ are discussed: 1) even the GA cannot identify members, namely nobody can identify them (No-Traceability); 2) only the GA can identify members (Traceability). In this paper, first the necessity of tracing of the identification is shown. Second, we classify the abilities of the GA into the ability of identifying players and that of issuing the certificate to members. We introduce two anonymity notions, Co-Traceability and Strong Detector Resistance. When a stricter anonymity is required even for the GA, case 2) is unfavorable for members. Then, we introduce Co-Traceability, where even if ${\cal A}$ has the GA’s ability of identifying members or issuing the certificate, ${\cal A}$ cannot trace members' identification. However, if a scheme satisfies Co-Traceability, the GA may be able to judge whether handshake players belong to its own group. Then, we introduce Strong Detector Resistance, where even if an adversary ${\cal A}$ has the GA’s ability of identifying members, ${\cal A}$ cannot judge whether a handshaking player belongs to $G$. Additionally, we propose a secret handshake scheme which satisfies previous security requirements and our proposed anonymity requirements by using a group signature scheme with message recovery.

Yutaka Kawai, Kazuki Yoneyama, Kazuo Ohta
An Extended Authentication and Key Agreement Protocol of UMTS

Identification, authentication and key agreement protocol of UMTS networks have some weaknesses to provide DoS-attack resistance, mutual freshness, and efficient bandwidth consumption. In this article we consider UMTS AKA and some other proposed schemes. Then we explain the known weaknesses in the previous frameworks suggested for UMTS AKA protocol. After that we propose a new UMTS AKA protocol (called EAKAP) for UMTS mobile network that combines identification stage and AKA stage of UMTS AKA protocol as well as eliminating disadvantages of related works and bringing some new features to improve the UMTS AKA mechanism such as reducing the interactive rounds of the UMTS AKA protocol.

Farshid Farhat, Somayeh Salimi, Ahmad Salahi
Hash-Based Key Management Schemes for MPEG4-FGS

We propose two symmetric-key management schemes for the encryption of scalable compressed video content. The schemes are applicable to MPEG-4 Fine Grain Scalability video coding. Our constructions make use only of hash functions and achieve the optimal bound regarding the minimum number of keys and the time complexity in computing all the decryption keys. We also formalize new security notions about collusion-resistance. Unlike prior key management schemes, our second scheme resists certain collusion attacks. The collusion-resistance achieved is practical and hence sufficient for encryption of scalable video streams.

Mohamed Karroumi, Ayoub Massoudi

Hash Functions and MACs

Twister – A Framework for Secure and Fast Hash Functions

In this paper we present Twister, a new framework for hash functions. Twister incorporates the ideas of wide pipe and sponge functions. The core of this framework is a – very easy to analyze – Mini-Round providing both extremely fast diffusion as well as collision-freeness for one Mini-Round. The total security level is claimed to be not below $2^{n/2}$ for collision attacks and $2^{n}$ for 2nd pre-image attacks. Twister instantiations are secure against all known generic attacks. We also propose three instances Twister-$n$ for hash output sizes $n$ = 224, 256, 384, 512. These instantiations are highly optimized for 64-bit architectures and run very fast in hardware and software, e.g., Twister-256 is faster than SHA2-256 on 64-bit platforms and Twister-512 is faster than SHA2-512 on 32-bit platforms. Furthermore, Twister scales very well on low-end platforms.

Ewan Fleischmann, Christian Forler, Michael Gorski, Stefan Lucks
Preimage Attack on Hash Function RIPEMD

RIPEMD is a cryptographic hash function devised in the framework of the RIPE project (RACE Integrity Primitives Evaluation, 1988-1992). It consists of two parallel lines, and each line is identical to MD4 except for some internal constants. It has been broken by the collision attack, but no preimage attack was given. In this paper, we give a preimage attack on the compression function of the 26-step reduced RIPEMD with complexity $2^{110}$ compression function computations, and we extend the attack on the compression function to an attack on the 26-step reduced RIPEMD with complexity $2^{115.2}$ instead of $2^{128}$. Then we extend the attack on 26 steps to an attack on 29 steps with the same complexity. Moreover, we can reduce the complexity of the preimage attack on the full RIPEMD without the padding rule by 1 bit compared with the brute-force attack.

Gaoli Wang, Shaohui Wang
Full Key-Recovery Attack on the HMAC/NMAC Based on 3 and 4-Pass HAVAL

In this paper, we give the full key-recovery attacks on the HMAC/NMAC instantiated with 3 and 4-Pass HAVAL using our new differential paths. The complexity to recover the inner key is about $2^{103}$ MAC queries for the 3-Pass HAVAL and $2^{123}$ MAC queries for the 4-Pass HAVAL. The complexity to recover the outer key is about $2^{69}$ MAC queries and $2^{198}$ offline computations for the 3-Pass HAVAL based HMAC/NMAC. For the 4-Pass HAVAL case, the number of MAC queries for outer key-recovery is about $2^{103}$ and the offline work is about $2^{180}$ 4-Pass HAVAL computations.

Hongbo Yu, Xiaoyun Wang

Cryptanalysis

Memoryless Related-Key Boomerang Attack on the Full Tiger Block Cipher

In this paper we present the first attack on the full 24-round internal block cipher of Tiger [1]. Tiger is a hash function proposed by Biham and Anderson at FSE’96. It took about ten years until the first cryptanalytic result was presented by Kelsey and Lucks [10] at FSE’06. Up to now, the best known attack on the internal block cipher of Tiger is able to break 22 rounds. Our attack on the full 24 rounds of the Tiger block cipher has a data complexity of $2^{3.5}$ chosen plaintexts and ciphertexts, which can be called memoryless, since we do not have to store all the data generated in our attack. The time complexity is about $2^{259.5}$ 24-round Tiger encryptions. Moreover, we have further reduced the time complexity using a bit fixing technique to $2^{195.5}$ 24-round encryptions.

Ewan Fleischmann, Michael Gorski, Stefan Lucks
Memoryless Related-Key Boomerang Attack on 39-Round SHACAL-2

SHACAL-2 is a 64-round block cipher based on the compression function of the hash function standard SHA-256. It has a 256-bit block size and a variable length key of up to 512 bits. Up to now, all attacks on more than 37 rounds require at least $2^{235}$ bytes of memory. Obviously such attacks will never become of practical interest due to this high amount of space. In this paper we adopt the related-key boomerang attack and present the first memoryless attack on 39-round SHACAL-2. Our attack only employs $2^{8.5}$ bytes of memory and thus improves the data complexity of comparable attacks by a factor of at least $2^{230}$, which is a substantial improvement. We do not need to store all the data, which gives this low data complexity. The related-key boomerang attack presented in this paper can also be seen as a starting point for more advanced attacks on SHACAL-2. The main advantage of our new attack is that we can process the data sequentially instead of in parallel as needed for other attacks, which reduces the memory requirements dramatically.

Ewan Fleischmann, Michael Gorski, Stefan Lucks
Some New Observations on the SMS4 Block Cipher in the Chinese WAPI Standard

SMS4 is a 128-bit block cipher used in the WAPI standard in wireless networks in China. The cipher has attracted much attention in the past two years. This paper consists of two parts. The first part is on the design of the linear diffusion layer $L$ of SMS4. Some new observations on $L$ are presented, which reveal the design rationale of $L$ and of such a class of functions to a great extent. The second part is on the differential attack against SMS4. A class of 18-round differential characteristics with a higher probability is given. Then a simple differential attack on 22-round SMS4 is presented, which is an improvement on the previous work; thus our attack becomes the best known one on SMS4. Furthermore, we make a remark on the construction of differential characteristics of SMS4.

Wentao Zhang, Wenling Wu, Dengguo Feng, Bozhan Su
On the Correctness of an Approach against Side-Channel Attacks

Side-channel attacks are a very powerful cryptanalytic technique. Li and Gu [ProvSec’07] proposed an approach against side-channel attacks, which states that a symmetric encryption scheme is IND-secure in the side-channel model if it is IND-secure in the black-box model and there is no adversary who can computationally recover the whole key of the scheme in the side-channel model, i.e. WKR-SCA ∧ IND → IND-SCA. Our research shows that this is not the case. We analyze the notions of security against key recovery attacks and security against distinguishing attacks, and then construct a scheme which is WKR-SCA-secure and IND-secure, but not IND-SCA-secure in the same side-channel environment. Furthermore, even if the scheme is secure against partial key recovery attacks in the side-channel model, this approach still does not hold true.

Peng Wang, Dengguo Feng, Wenling Wu, Liting Zhang

Network Security

Ranking Attack Graphs with Graph Neural Networks

Network security analysis based on attack graphs has been applied extensively in recent years. The ranking of nodes in an attack graph is an important step towards analyzing network security. This paper proposes an alternative attack graph ranking scheme based on a recent approach to machine learning in a structured graph domain, namely, Graph Neural Networks (GNNs). Evidence is presented in this paper that the GNN is suitable for the task of ranking attack graphs by learning a ranking function from examples and generalizes the function to unseen possibly noisy data, thus showing that the GNN provides an effective alternative ranking method for attack graphs.

Liang Lu, Rei Safavi-Naini, Markus Hagenbuchner, Willy Susilo, Jeffrey Horton, Sweah Liang Yong, Ah Chung Tsoi
Implementing IDS Management on Lock-Keeper

Intrusion Detection System (IDS) management is an important component for most distributed IDS solutions. One of the main requirements is extensibility, which enables the integration of different types of IDS sensors as well as the deployment in different kinds of environments. Lock-Keeper is a simple implementation of the high level security idea, “Physical Separation”. It works as a sluice to exchange data between two networks without having to establish a direct and physical connection. To enhance the security of the Lock-Keeper system itself, it is necessary to deploy IDS sensors on Lock-Keeper components. This paper proposes an extensible IDS management architecture, which can be easily integrated on the special hardware platform of Lock-Keeper. Unified interface and communication between different integrated IDS sensors are designed using the known IDS standard, IDMEF, and realized as several kinds of plugins, such as handlers, receivers, and senders. A prototype of implementation is presented and some practical experiments are carried out to show the extensibility and applicability of the proposed architecture.

Feng Cheng, Sebastian Roschke, Christoph Meinel

Security Applications

Ensuring Dual Security Modes in RFID-Enabled Supply Chain Systems

While RFID technology has greatly facilitated supply chain management, designing a secure, visible, and efficient RFID-enabled supply chain system is still a challenge since the three equally important requirements (i.e., security, visibility, and efficiency) may conflict with each other. Few research works have been conducted to address these issues simultaneously. In this paper, we observe the different security requirements in RFID-enabled supply chain environments and differentiate the simplified model into two security levels. Accordingly, dual security modes are properly defined in our RFID setting. In the relatively secure environment, our system is set to the weak security mode, in which the tagged products can be processed in a highly efficient way. In the strong security mode, our system guarantees a high level of security, while its efficiency is lower than that in the weak security mode. A set of RFID tag/reader protocols to facilitate the dual security modes are presented. Their security, visibility and efficiency are analyzed and compared with the relevant works.

Shaoying Cai, Tieyan Li, Yingjiu Li, Robert H. Deng

Achieving Better Privacy Protection in Wireless Sensor Networks Using Trusted Computing

A wireless sensor network (WSN) is an ad-hoc wireless network composed of small sensor nodes deployed in large numbers. Sensor nodes are usually severely resource-limited and power-constrained. Security enforcement in WSNs is thus a challenging task. In this paper we propose a clustered heterogeneous architecture for WSNs, where high-end cluster heads are incorporated, and they are further equipped with trusted computing technology (TC). As such, the cluster heads act as trusted parties, and are expected to help effectively address privacy issues in WSNs. As concrete examples, we discuss in detail how user query privacy and source location privacy can be better protected.

Yanjiang Yang, Robert H. Deng, Jianying Zhou, Ying Qiu

Trusted Privacy Domains – Challenges for Trusted Computing in Privacy-Protecting Information Sharing

With the growing use of the Internet, users need to reveal an increasing amount of private information when accessing online services, and, with growing integration, this information is shared among services. Although progress was achieved in acknowledging the need to design privacy-friendly systems and protocols, there are still no satisfactory technical privacy-protecting solutions that reliably enforce user-defined flexible privacy policies. Today, the users can assess and analyze privacy policies of data controllers, but they cannot control access to and usage of their private data beyond their own computing environment.

In this paper, we propose a conceptual framework for user-controlled formal privacy policies and examine elements of its design and implementation. In our vision, a Trusted Personal Information Wallet manages private data according to user-defined privacy policies. We build on Trusted Virtual Domains (TVDs), leveraging trusted computing and virtualization to construct privacy domains for enforcing the user’s policy. We present protocols for establishing these domains, and describe the implementation of the building blocks of our framework. Additionally, a simple privacy policy for trusted privacy domains functioning between different organizations and entities across networks is described as an example. Finally, we identify future research challenges in this area.

Hans Löhr, Ahmad-Reza Sadeghi, Claire Vishik, Marcel Winandy

Backmatter
Metadata
Title
Information Security Practice and Experience
Edited by
Feng Bao
Hui Li
Guilin Wang
Copyright year
2009
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-642-00843-6
Print ISBN
978-3-642-00842-9
DOI
https://doi.org/10.1007/978-3-642-00843-6