2006 | Book

Information Security

9th International Conference, ISC 2006, Samos Island, Greece, August 30 - September 2, 2006. Proceedings

Edited by: Sokratis K. Katsikas, Javier López, Michael Backes, Stefanos Gritzalis, Bart Preneel

Publisher: Springer Berlin Heidelberg

Book series: Lecture Notes in Computer Science

About this book

This volume contains the papers presented at the 9th Information Security Conference (ISC 2006) held on Samos Island, Greece, during August 30 – September 2, 2006. The Conference was organized by the University of the Aegean, Greece. ISC was first initiated as a workshop, ISW in Japan in 1997, ISW 1999 in Malaysia, ISW 2000 in Australia and then changed to the current name ISC when it was held in Spain in 2001 (ISC 2001). The latest conferences were held in Brazil (ISC 2002), UK (ISC 2003), USA (ISC 2004), and Singapore (ISC 2005). ISC 2006 provided an international forum for sharing original research results and application experiences among specialists in fundamental and applied problems of information security. In response to the Call for Papers, 188 papers were submitted. Each paper was reviewed by three members of the PC, on the basis of their significance, novelty, and technical quality. Of the papers submitted, 38 were selected for presentation, with an acceptance rate of 20%.

Table of contents

Frontmatter

Software Security

Extending .NET Security to Unmanaged Code

The number of applications that are downloaded from the Internet and executed on-the-fly is increasing every day. Unfortunately, not all of these applications are benign, and, often, users are unsuspecting and unaware of the intentions of a program. To facilitate and secure this growing class of mobile code, Microsoft introduced the .NET framework, a new development and runtime environment where machine-independent byte-code is executed by a virtual machine. An important feature of this framework is that it allows access to native libraries to support legacy code or to directly invoke the Windows API. Such native code is called unmanaged (as opposed to managed code). Unfortunately, the execution of unmanaged native code is not restricted by the .NET security model, and, thus, provides the attacker with a mechanism to completely circumvent the framework’s security mechanisms.

The approach described in this paper uses a sandboxing mechanism to prevent an attacker from executing malicious, unmanaged code that is not permitted by the security policy. Our sandbox is implemented as two security layers, one on top of the Windows API and one in the kernel. Also, managed and unmanaged parts of an application are automatically separated and executed in two different processes. This ensures that potentially unsafe code can neither issue system calls not permitted by the .NET security policy nor tamper with the memory of the .NET runtime. Our proof-of-concept implementation is transparent to applications and secures unmanaged code with a generally acceptable performance penalty. To the best of our knowledge, the presented architecture and implementation is the first solution to secure unmanaged code in .NET.

Patrick Klinkoff, Christopher Kruegel, Engin Kirda, Giovanni Vigna
Transparent Run-Time Prevention of Format-String Attacks Via Dynamic Taint and Flexible Validation

Format-string attacks are among the few truly serious threats to software security. Many previous methods for addressing this problem rely on program source code analysis or special recompilation, and hence exhibit limitations when applied to protect software whose source code is unavailable. In this paper, we present a transparent run-time approach to the defense against format-string attacks via dynamic taint and flexible validation. By leveraging library interposition and ELF binary analysis, we taint all the untrusted user-supplied data as well as their propagations during program execution, and add a security validation layer to the printf-family functions in the C Standard Library in order to enforce a flexible policy to detect format-string attacks on the basis of whether the format string has been tainted and contains dangerous format specifiers. Compared with other existing methods, our approach offers several benefits. It does not require knowledge of the application or any modification to the program source code, and can therefore also be used with legacy applications. Moreover, as shown in our experiment, it is highly effective against most types of format-string attacks and incurs low performance overhead.

Zhiqiang Lin, Nai Xia, Guole Li, Bing Mao, Li Xie

Privacy and Anonymity

Low Latency Anonymity with Mix Rings

We introduce mix rings, a novel peer-to-peer mixnet architecture for anonymity that yields low-latency networking compared to existing mixnet architectures. A mix ring is a cycle of continuous-time mixes that uses carefully coordinated cover traffic and a simple fan-out mechanism to protect the initiator from timing analysis attacks. Key features of the mix ring architecture include decoupling path creation from data transfer, and a mechanism to vary the cover traffic rate over time to prevent bandwidth overuse. We analyze the architecture with respect to other peer-to-peer anonymity systems – onion routing and batching mixnets – and we use simulation to demonstrate performance advantages of nearly 40% over batching mixnets while protecting against a wider variety of adversaries than onion routing.

Matthew Burnside, Angelos D. Keromytis
Breaking Four Mix-Related Schemes Based on Universal Re-encryption

Universal Re-encryption allows El-Gamal ciphertexts to be re-encrypted without knowledge of their corresponding public keys. This has made it an enticing building block for anonymous communications protocols. In this work we analyze four schemes related to mix networks that make use of Universal Re-encryption and find serious weaknesses in all of them. The Universal Re-encryption of signatures is open to existential forgery, and the two mix schemes can be fully compromised by a passive adversary observing a single message close to the sender. The fourth scheme, the rWonGoo anonymous channel, turns out to be less secure than the original Crowds scheme, on which it is based. Our attacks make extensive use of unintended ‘services’ provided by the network nodes acting as decryption and re-routing oracles. Finally, our attacks against rWonGoo demonstrate that anonymous channels are not automatically composable: using two of them in a careless manner makes the system more vulnerable to attack.

George Danezis
Weak k-Anonymity: A Low-Distortion Model for Protecting Privacy

Sharing microdata tables is a primary concern in today’s information society. Privacy issues can be an obstacle to the free flow of such information. In recent years, disclosure control techniques have been developed to modify microdata tables in order to make them anonymous. The k-anonymity framework has been widely adopted as a standard technique to remove links between publicly available identifiers (such as full names) and sensitive data contained in the shared tables. In this paper we give a weaker definition of k-anonymity, allowing lower distortion on the anonymized data. We show that, under the hypothesis in which the adversary is not sure a priori about the presence of a person in the table, the privacy properties of k-anonymity are also respected in the weak k-anonymity framework. Experiments on real-world data show that our approach outperforms k-anonymity in terms of the distortion introduced in the released data by the algorithms that enforce anonymity.

Maurizio Atzori
Protecting Data Privacy Through Hard-to-Reverse Negative Databases

The paper extends the idea of negative representations of information for enhancing privacy. Simply put, a set DB of data elements can be represented in terms of its complement set. That is, all the elements not in DB are depicted and DB itself is not explicitly stored. We review the negative database (NDB) representation scheme for storing a negative image compactly and propose a design for depicting a multiple-record DB using a collection of NDBs—in contrast to the single-NDB approach of previous work. Finally, we present a method for creating negative databases that are hard to reverse in practice, i.e., from which it is hard to obtain DB, by adapting a technique for generating 3-SAT formulas.

Fernando Esponda, Elena S. Ackley, Paul Helman, Haixia Jia, Stephanie Forrest

Block Ciphers and Hash Functions

Related-Key Rectangle Attack on 42-Round SHACAL-2

Based on the compression function of the hash function standard SHA-256, SHACAL-2 is a 64-round block cipher with a 256-bit block size and a variable length key of up to 512 bits. In this paper, we present a related-key rectangle attack on 42-round SHACAL-2, which requires 2^243.38 related-key chosen plaintexts and has a running time of 2^488.37. This is the best currently known attack on SHACAL-2.

Jiqiang Lu, Jongsung Kim, Nathan Keller, Orr Dunkelman
On the Collision Resistance of RIPEMD-160

In this article, the RIPEMD-160 hash function is studied in detail. To analyze the hash function, we have extended existing approaches and used recent results in cryptanalysis. While RIPEMD and RIPEMD-128 reduced to 3 rounds are vulnerable to the attack, it is not feasible for RIPEMD-160. Furthermore, we present an analytical attack on a round-reduced variant of the RIPEMD-160 hash function. To the best of our knowledge this is the first article that investigates the impact of recent advances in cryptanalysis of hash functions on RIPEMD-160.

Florian Mendel, Norbert Pramstaller, Christian Rechberger, Vincent Rijmen

Digital Signatures

Blind Ring Signatures Secure Under the Chosen-Target-CDH Assumption

Blind signatures are a useful ingredient to design secure sophisticated systems like electronic voting or sensitive applications like e-cash. Multi-user signature schemes, like ring or group signatures, are also a useful tool to provide such systems with properties like scalability, anonymity, (dynamic) group structure, revocation facilities... We propose in this article a simple blind ring signature scheme based on pairings on algebraic curves. We formally prove the security (anonymity, blindness and unforgeability) of our scheme in the random oracle model, under quite standard assumptions.

Javier Herranz, Fabien Laguillaumie
Multi-party Concurrent Signatures

The concept of concurrent signatures was introduced by Chen, Kudla and Paterson at Eurocrypt 2004. In a concurrent signature scheme, users sign their messages in an ambiguous way so that the signatures are only verifiable by the users themselves but not by any other outsiders. At a later stage, one of the users releases an extra bit of information called the keystone, then all the signatures become binding to their signers concurrently. At this stage, any outsider can verify the signatures. Chen, Kudla and Paterson proposed a concurrent signature scheme for two users. Recently, Susilo and Mu constructed a scheme for three users. It is an open problem to construct concurrent signature schemes for multiple users. In this paper, we answer this open problem affirmatively. Using techniques of ring signatures and bilinear pairings, for the first time we construct a concurrent signature scheme for multiple users.

Dongvu Tonien, Willy Susilo, Reihaneh Safavi-Naini
Formal Security Model of Multisignatures

A multisignature scheme enables multiple signers to cooperate to generate one signature for some message. The aim of multisignatures is to decrease the total length of the signature and/or the signing (verification) costs. This paper first discusses a formal security model of multisignatures following that of group signatures [1,4]. This model allows an attacker against multisignatures to access five oracles adaptively. With this model, we can ensure a more general security result than that with the existing model [14,11,12]. Second, we propose a multisignature scheme using a claw-free permutation. The proposed scheme can decrease the signature length compared to those of existing multisignature schemes using a trapdoor one-way permutation (TOWP) [11,12], because its signing does not require the random string. We also prove that the proposed scheme is tightly secure with the formal security model, in the random oracle model. Third, we discuss the security of the multisignature schemes [11,12] using a TOWP with the formal security model to confirm that these schemes can be proven to be tightly secure.

Yuichi Komano, Kazuo Ohta, Atsushi Shimbo, Shinichi Kawamura
Cryptanalysis of Variants of UOV

The Unbalanced Oil and Vinegar scheme (UOV) is a signature scheme based on multivariate quadratic equations. It has o oil variables and v vinegar variables. UOV has m equations and n variables, where m = o and n = v + o. In this paper, we define the weak key of UOV and study how to find the weak key from the public key. Second, we study the security when m > o. Our result shows that the security strengths of the current versions of TTS, TRMS, Rainbow and MFE are 2^59 ~ 2^67.6 3DES operations.

Yuh-Hua Hu, Chun-Yen Chou, Lih-Chung Wang, Feipei Lai

Stream Ciphers

Trivium: A Stream Cipher Construction Inspired by Block Cipher Design Principles

In this paper, we propose a new stream cipher construction based on block cipher design principles. The main idea is to replace the building blocks used in block ciphers by equivalent stream cipher components. In order to illustrate this approach, we construct a very simple synchronous stream cipher which provides a lot of flexibility for hardware implementations, and seems to have a number of desirable cryptographic properties.

Christophe De Cannière
Cryptanalysis of the Bluetooth E0 Cipher Using OBDD’s

In this paper we analyze the E0 cipher, which is the cipher used in the Bluetooth specifications. We adapted and optimized the Binary Decision Diagram attack of Krause, for the specific details of E0. Our method requires 128 known bits of the keystream in order to recover the initial value of the four LFSR’s in the E0 system. We describe several variants which we built to lower the complexity of the attack. We evaluated our attack against the real (non-reduced) E0 cipher. Our best attack can recover the initial value of the four LFSR’s, for the first time, with a realistic space complexity of 2^23 (84MB RAM), and with a time complexity of 2^87. This attack can be massively parallelized to lower the overall time complexity. Beyond the specifics of E0, our work describes practical experience with BDD-based cryptanalysis, which so far has mostly been a theoretical concept.

Yaniv Shaked, Avishai Wool

Encryption I

A Partial Key Exposure Attack on RSA Using a 2-Dimensional Lattice

We describe an attack on the RSA cryptosystem when the private exponent d is chosen to be ’small’, under the condition that a sufficient amount of bits of d is available to the attacker. The attack uses a 2-dimensional lattice and is therefore (in the area of the keyspace where it applies) more efficient than known attacks using Coppersmith techniques. Moreover, we show that the attacks of Wiener and Verheul/Van Tilborg, using continued fractions techniques, are special deterministic cases of our attack, which in general is heuristic.

Ellen Jochemsz, Benne de Weger
On the Integration of Public Key Data Encryption and Public Key Encryption with Keyword Search

In this paper, we consider the problem of combining a public key encryption (PKE) scheme and a public key encryption with keyword search (PEKS) scheme proposed by Boneh, Di Crescenzo, Ostrovsky and Persiano (BDOP) in Eurocrypt 2004. We argue that the two schemes need to be treated as a single scheme to securely provide the PEKS service that BDOP envisioned. We formally define such a scheme, which we call “PKE/PEKS” and its security against chosen ciphertext attack, which we call “IND-PKE/PEKS-CCA”. We then construct a highly efficient PKE/PEKS scheme using the PEKS scheme presented by BDOP and a variation of ElGamal encryption scheme and show that it is IND-PKE/PEKS-CCA secure in the random oracle model assuming that the Computational Diffie-Hellman (CDH) problem is intractable. We also propose a generic construction of PKE/PEKS, which is slightly less efficient than the first one. Finally, we present two extensions of a PKE/PEKS scheme to the multi-receiver setting and multi-keyword setting.

Joonsang Baek, Reihaneh Safavi-Naini, Willy Susilo
Collusion-Free Policy-Based Encryption

A policy-based encryption scheme allows a user to encrypt a message with respect to a credential-based policy formalized as monotone boolean expression written in standard normal form. The encryption is so that only a user having access to a qualified set of credentials for the policy is able to successfully decrypt the message. An inherent property of policy-based encryption is that in addition to the recipient an encrypted message is intended for, any collusion of credential issuers or end users who are able to collect a qualified set of credentials for the policy used to encrypt the message can decrypt it as well. In some applications, the collusion property may be acceptable or even useful. However, for most other applications it is undesirable. In this paper, we present a collusion-free policy-based encryption primitive, called policy-based public-key encryption. We provide precise definition for the new primitive as well as for the related security model. Then, we describe a concrete implementation using pairings over elliptic curves and prove its security in the random oracle model.

Walid Bagga, Refik Molva

Pervasive Computing

Using Multiple Smart Cards for Signing Messages at Malicious Terminals

Having no trusted user interface, smart cards are unable to communicate with the user directly. Communication is possible with the aid of a terminal only, which leads to several security problems. For example, if the terminal is untrusted (which is a very typical scenario), it may perform a man-in-the-middle attack. Thus, a malicious terminal can make the user sign documents that she would not sign otherwise. A signature that a card computes at a malicious terminal does not prove anything about the content of the signed document. What it does prove is that the user did insert her card into a malicious terminal and she did intend to sign – something.

In this paper we propose a solution where a user has multiple smart cards, and each card represents a ’signal’, a certain piece of information. The user encodes her message by using a subset of her cards for signing at the untrusted terminal. The recipient decodes the message by checking which cards were used. We also make use of time stamps from a trusted time stamping authority to allow cards to be used more than once.

István Zsolt Berta
Diverging Keys in Wireless Sensor Networks

Currently, the most popular ways of dealing with the key distribution problem in sensor networks are random predistribution schemes. For relaxed, realistic assumptions about the attacker, the key infection protocol [1] is also available. In this paper, by accepting the relaxed assumptions from [1], we propose a scheme which makes pairwise keys “drift” or diverge, which enhances security and can be used as a key distribution method. The most notable feature of this scheme is that, under some assumptions about the sensor nodes, it incurs no communication overhead at all.

Michał Ren, Tanmoy Kanti Das, Jianying

Encryption II

A Generic Transformation from Symmetric to Asymmetric Broadcast Encryption

Broadcast Encryption (BE) schemes allow a sender to efficiently encrypt messages for a large set of receivers. The currently most efficient BE schemes in the stateless receiver scenario are based on symmetric cryptography. However, a variety of business models with mutually mistrusting senders necessitates the use of asymmetric cryptography. We propose a generic framework that allows one to transform a large class of symmetric BE schemes into asymmetric schemes, where the transformation employs an arbitrary hierarchical identity based encryption scheme. Applying our framework, we transform a recent symmetric scheme, called layered punctured interval scheme, for which no asymmetric version has yet been published. In addition, we give a formal proof of the chosen ciphertext security of our framework, which allows one to generically transform any future symmetric BE scheme within the large class into a chosen-ciphertext-secure asymmetric scheme with the same efficiency measures.

Ulrich Huber, Ahmad-Reza Sadeghi
Transparent Image Encryption Using Progressive JPEG

Many application scenarios do not demand confidential encryption of visual data, but on the contrary require that certain image information is public (transparent encryption). One scenario is, e.g., Pay-TV, where a low quality version should become public to attract possible customers. Transparent encryption can be implemented most efficiently in the case of scalable bitstreams by encrypting enhancement layer data, and baseline JPEG is therefore not well suited for designing such encryption schemes in an efficient manner. This paper investigates how transparent encryption can be realized through selective encryption of the progressive JPEG modes. The traditional approach, which encrypts enhancement layers starting at the end of the bitstream, suffers from high computational load. Encryption schemes with significantly reduced encryption effort are shown to deliver equivalent image quality and security.

Thomas Stütz, Andreas Uhl

Network Security

Preserving TCP Connections Across Host Address Changes

The predominance of short-lived connections in today’s Internet has created the perception that it is perfectly acceptable to change a host’s IP address with little regard about established connections. Indeed, the increased mobility offered by laptops with wireless network interfaces, and the aggressive use of short DHCP leases are leading the way towards an environment where IP addresses are transient and last for short time periods. However, there is still a place for long-lived connections (typically lasting hours or even days) for remote login sessions, over-the-network backups, etc. There is, therefore, a real need for a system that allows such connections to survive changes in the IP addresses of the hosts at either end of the connection.

In this paper we present a kernel-based mechanism that recognizes address changes and recovers from them. Furthermore, we discuss the security implications of such a scheme, and show that our system provides an effective defense against both eavesdropping and man-in-the-middle attacks.

Vassilis Prevelakis, Sotiris Ioannidis
A Security Architecture for Protecting LAN Interactions

This paper describes a security architecture for a LAN. The architecture uses the 802.1X access control mechanisms and is supported by a Key Distribution Centre built upon an 802.1X Authentication Server. The KDC is used, together with a new host identification policy and modified DHCP servers, to provide proper resource allocation and message authentication in DHCP transactions. Finally, the KDC is used to authenticate ARP transactions and to distribute session keys to pairs of LAN hosts, allowing them to set up other peer-to-peer secure interactions using such session keys. The new, authenticated DHCP and ARP protocols are fully backward compatible with the original protocols; all security-related data is appended to standard protocol messages.

André Zúquete, Hugo Marques
Simulation of Internet DDoS Attacks and Defense

The paper considers the software simulation tool DDoSSim which has been developed for comprehensive investigation of Internet DDoS attacks and defense mechanisms. This tool can be characterized by three main peculiarities: agent-oriented approach to simulation, packet-based imitation of network security processes, and open library of different DDoS attacks and defense mechanisms. DDoSSim allows deeply investigating various attacks and defense methods and generating valuable recommendations on choosing the best defense. In the paper the agent-oriented approach suggested is considered. The taxonomy of input and output parameters for simulation is outlined. The main DDoSSim components are specified. One of the experiments on protection against DDoS attacks demonstrates some DDoSSim possibilities. We consider different phases of defense operations – learning, decision making and protection, including adaptation to the actions of malefactors.

Igor Kotenko, Alexander Ulanov
SNOOZE: Toward a Stateful NetwOrk prOtocol fuzZEr

Fuzzing is a well-known black-box approach to the security testing of applications. Fuzzing has many advantages in terms of simplicity and effectiveness over more complex, expensive testing approaches. Unfortunately, current fuzzing tools suffer from a number of limitations, and, in particular, they provide little support for the fuzzing of stateful protocols.

In this paper, we present SNOOZE, a tool for building flexible, security-oriented, network protocol fuzzers. SNOOZE implements a stateful fuzzing approach that can be used to effectively identify security flaws in network protocol implementations. SNOOZE allows a tester to describe the stateful operation of a protocol and the messages that need to be generated in each state. In addition, SNOOZE provides attack-specific fuzzing primitives that allow a tester to focus on specific vulnerability classes. We used an initial prototype of the SNOOZE tool to test programs that implement the SIP protocol, with promising results. SNOOZE supported the creation of sophisticated fuzzing scenarios that were able to expose real-world bugs in the programs analyzed.

Greg Banks, Marco Cova, Viktoria Felmetsger, Kevin Almeroth, Richard Kemmerer, Giovanni Vigna

Watermarking and DRM

Rights Protection for Data Cubes

We propose a rights protection scheme for data cubes. The scheme embeds ownership information by modifying a set of selected cell values. The embedded message will not affect the usefulness of data cubes in the sense that the sum queries at any aggregation level are not affected. At the same time, the errors introduced to individual cell values are under control. The embedded message can be detected with a high probability even in the presence of typical data cube attacks. The proposed scheme can thus be used for protecting data cubes from piracy in an open, distributed environment.

Jie Guo, Yingjiu Li, Robert H. Deng, Kefei Chen
An Efficient Probabilistic Packet Marking Scheme (NOD-PPM)

This paper describes an efficient scheme of probabilistic packet marking. The main idea is to preserve the victims’ IP addresses at the routers participating in the packet marking scheme, based on the precondition that a router won’t begin marking until it receives a signal from the victim. Then, the destination address field of the IP header can be used to carry edge information without fragmenting, and the identification field can be used to check attack paths’ validity under DDoS. We describe the scheme and discuss the number of packets required for reconstructing the attack paths, the number of false positives of attackers and the extra cost at routers in this paper.

Huifang Yin, Jun Li

Intrusion Detection and Worms

Resistance Analysis to Intruders’ Evasion of Detecting Intrusion

Most network intruders launch their attacks through a chain of compromised hosts (stepping-stones) to reduce the risks of being detected or captured. Detecting such kinds of attacks is important and difficult because of intruders’ evasion of detection, such as time perturbation and chaff perturbation. In this paper, we propose a clustering algorithm to detect stepping-stone intrusion based on TCP packet round-trip time to estimate the downstream length of an interactive terminal session and give its resistibility to intruders’ evasion. The analysis and simulation results show that this algorithm can detect stepping-stone intrusion without false alarms and with low misdetection. It can resist intruders’ time perturbation completely, as well as chaff perturbation to a certain extent.

Jianhua Yang, Yongzhong Zhang, Shou-Hsuan Stephen Huang
A Wireless Intrusion Detection System for Secure Clustering and Routing in Ad Hoc Networks

Intrusion detection and secure routing schemes have been proposed for increasing the security and reliability in critical scenarios like mobile ad hoc networks. In this paper we present an integrated secure routing system based on Intrusion Detection Systems (IDS) and SUCV (Statistically Unique and Cryptographically Verifiable) identifiers. The proposed IDS has been used for the support of secure AODV routing, named IDS-based Secure AODV (IS-AODV), in a wireless ad hoc network scenario. Our IDS solution is based on the detection of behavior anomalies on behalf of neighbor hosts, with passive reactions, aiming to create a cluster whose route paths will include only safe nodes, eventually. Simulation results show that the proposed IDS is effective in isolating misbehaving hosts, and it assists the AODV secure routing scheme to converge in finding end-to-end safe routes.

Luciano Bononi, Carlo Tacconi
Anomaly Intrusion Detection Based on Clustering a Data Stream

In anomaly intrusion detection, how to model the normal behavior of activities performed by a user is an important issue. To extract the normal behavior as a profile, conventional data mining techniques are widely applied to a finite audit data set. However, these approaches can only model the static behavior of a user in the audit data set. This drawback can be overcome by viewing the continuous activities of a user as an audit data stream. This paper proposes a new clustering algorithm which continuously models a data stream. A set of features is used to represent the characteristics of an activity. For each feature, the clusters of feature values corresponding to activities observed so far in an audit data stream are identified by the proposed clustering algorithm for data streams. As a result, without maintaining any historical activity of a user physically, new activities of the user can be continuously reflected to the on-going result of clustering.

Sang-Hyun Oh, Jin-Suk Kang, Yung-Cheol Byun, Taikyeong T. Jeong, Won-Suk Lee
Robust Reactions to Potential Day-Zero Worms Through Cooperation and Validation

Cooperative defensive systems communicate and cooperate in their response to worm attacks, but determine the presence of a worm attack solely on local information. Distributed worm detection and immunization systems track suspicious behavior at multiple cooperating nodes to determine whether a worm attack is in progress. Earlier work has shown that cooperative systems can respond quickly to day-zero worms, while distributed defensive systems allow detectors to be more conservative (i.e. paranoid) about potential attacks because they manage false alarms efficiently.

In this paper we begin a preliminary investigation into the complex tradeoffs in such systems between communication costs, computation overhead, accuracy of the local tests, estimation of viral virulence, and the fraction of the network infected before the attack crests. We evaluate the effectiveness of different system configurations in various simulations. Our experiments show that distributed algorithms are better able to balance effectiveness against viruses with reduced cost in computation and communication when faced with false alarms. Furthermore, cooperative, distributed systems seem more robust against malicious participants in the immunization system than earlier cooperative but non-distributed approaches.

K. Anagnostakis, S. Ioannidis, A. D. Keromytis, M. B. Greenwald
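The tradeoff the abstract describes, a paranoid local test that reacts early but raises false alarms on uncorrelated noise versus a distributed decision that waits for several nodes to agree and therefore detects later, with more of the network infected, can be seen in a toy simulation. The code below is an added illustration and not the authors' simulator: the number of nodes, the doubling infection model, the noise bursts, the local threshold and the quorum rule are all constructed assumptions.

```python
"""Added toy simulation of local versus distributed worm detection.
Not the paper's model: nodes, noise, growth and thresholds are constructed here."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

N_NODES = 8
T_STEPS = 16
ONSET = 10        # step at which the worm starts spreading (assumed)
WORM_RATE = 5     # suspicious events per step produced by an infected node (assumed)

# Constructed background noise: (step, node) -> suspicious-event count.
# Bursts hit one node at a time; they are uncorrelated, which a quorum exploits.
NOISE: Dict[Tuple[int, int], int] = {(2, 0): 4, (5, 3): 3, (7, 6): 5, (8, 1): 3}


def infected_nodes(step: int) -> List[int]:
    """Doubling infection model: 1, 2, 4, ... nodes from ONSET on (assumed)."""
    if step < ONSET:
        return []
    return list(range(min(N_NODES, 2 ** (step - ONSET))))


def observations(step: int) -> List[int]:
    """Suspicious-event count each node sees locally at this step."""
    infected = set(infected_nodes(step))
    return [NOISE.get((step, n), 0) + (WORM_RATE if n in infected else 0)
            for n in range(N_NODES)]


@dataclass
class Outcome:
    false_alarms: int                    # alarm events raised before ONSET
    detection_step: Optional[int]        # None if the worm was never detected
    infected_fraction: Optional[float]   # share of nodes infected at detection


def simulate(local_threshold: int, quorum: int) -> Outcome:
    """quorum=1 is a purely local decision (any node's own evidence triggers);
    quorum>1 requires that many nodes to fire in the same step before acting."""
    false_alarms = 0
    for step in range(T_STEPS):
        firing = [n for n, c in enumerate(observations(step)) if c >= local_threshold]
        if len(firing) >= quorum:
            if step < ONSET:
                false_alarms += 1
            else:
                return Outcome(false_alarms, step,
                               len(infected_nodes(step)) / N_NODES)
    return Outcome(false_alarms, None, None)


if __name__ == "__main__":
    for q in (1, 2, 3):
        print(f"threshold=3 quorum={q}:", simulate(local_threshold=3, quorum=q))
```

With the same paranoid local threshold of 3, the local decision (quorum 1) raises an alarm for every noise burst but catches the worm at the first infected node, while a quorum of 3 raises no false alarm and detects only once half of the nodes are infected; the quorum size is the knob that trades false alarms against the infected fraction at detection.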

Key Exchange

An Authentication and Key Exchange Protocol for Secure Credential Services

In this paper, we propose a leakage-resilient and proactive authenticated key exchange (called LRP-AKE) protocol for credential services which provides not only a higher level of security against leakage of stored secrets but also secrecy of the private key with respect to the involved server. The LRP-AKE protocol is provably secure in the random oracle model with a reduction to the computational Diffie-Hellman problem.

SeongHan Shin, Kazukuni Kobara, Hideki Imai
A Non-malleable Group Key Exchange Protocol Robust Against Active Insiders

In this paper we make progress towards solving an open problem posed by Katz and Yung at CRYPTO 2003. We propose the first protocol for key exchange among n ≥ 2k+1 parties which simultaneously achieves all of the following properties:

1. Key Privacy (including forward security) against active attacks by group outsiders,
2. Non-malleability — meaning in particular that no subset of up to k corrupted group insiders can ‘fix’ the agreed key to a desired value, and
3. Robustness against denial of service attacks by up to k corrupted group insiders.

Our insider security properties above are achieved assuming the availability of a reliable broadcast channel.

Yvo Desmedt, Josef Pieprzyk, Ron Steinfeld, Huaxiong Wang

Security Protocols and Formal Methods

Formalising Receipt-Freeness

Receipt-freeness is the property of voting protocols that a voter cannot create a receipt which proves how she voted. Since Benaloh and Tuinstra introduced this property, there has been a large amount of work devoted to the construction of receipt-free voting protocols. This paper provides a generic and uniform formalism that captures the notion of a receipt. The formalism is then applied to analyse the receipt-freeness of a number of voting protocols.

H. L. Jonker, E. P. de Vink
Enhancing the Security and Efficiency of 3-D Secure

Security is a major concern for all involved in E-Commerce and particularly in the case of online transactions using debit/credit cards. Following the failure of Secure Electronic Transaction (SET), 3-D Secure is an emerging industry standard for online transaction security. Although 3-D Secure is a well designed protocol, it is still prone to some security problems and to an excessive number of messages, which could reduce the speed of transactions. This paper uses a new cryptographic technique based on password-only authentication and key exchange to present a new vision for 3-D Secure. The new vision covers the security problems and reduces the number of messages for 3-D Secure. Moreover, the new vision has the potential to emulate SSL/TLS in its simplicity while at the same time abolishing SSL/TLS security glitches. This simplicity and security are the necessary factors for an online transaction protocol to become the future standard.

Mohammed Assora, Ayoub Shirvani
Designing and Verifying Core Protocols for Location Privacy

Geographic privacy services provide location information on roaming targets to location recipients via location servers, in a way that protects the privacy of the individuals involved. In this paper we propose and discuss new protocols representing the core of Geopriv, with particular focus on the security requirements stated in the IETF’s RFC 3693. Using the AVISPA tool, we check that these requirements, namely anonymity against the location server, as well as confidentiality, integrity, and authenticity of the location information, are actually met. In the design phase of such protocols, numerous variants are to be considered and evaluated. Here the use of model checkers turns out to be very helpful in exploring the security implications quickly and precisely.

David von Oheimb, Jorge Cuellar

Information Systems Security

Delegation in a Distributed Healthcare Context: A Survey of Current Approaches

The development of infrastructures to facilitate the sharing of data for healthcare delivery and research purposes is becoming increasingly widespread. In addition to the technical requirements pertaining to efficient and transparent sharing of data across organisational boundaries, there are requirements pertaining to ethical and legal issues. Functional and non-functional concerns need to be balanced: for resource sharing to be as transparent as possible, an entity should be allowed to delegate a subset of its rights to another so that the latter can perform actions on the former’s behalf, yet such delegation needs to be performed in a fashion that complies with relevant legal and ethical restrictions. The contribution of this paper is twofold: to characterise the requirements for secure and flexible delegation within the emerging distributed healthcare context; and to evaluate existing approaches with respect to these requirements. We also suggest how some of these limitations might be overcome.

Mila Katzarova, Andrew Simpson
Managing Information Systems Security: Critical Success Factors and Indicators to Measure Effectiveness

For how long can a business remain without its information systems? Current business goals and objectives highly depend on their availability. This highly dynamic and complex system must be properly secured and managed in order to ensure business survivability. However, the lack of a universally accepted information security critical factors’ taxonomy and indicators make security management of information systems (SMIS) a tough challenge. Effective information security management requires special focus on identifying the critical success factors (CSFs) when implementing and ensuring SMIS. The purpose of this paper is to share a group of 12 CSFs identified in the current information security literature as well as a set of 76 indicators which are easy to calculate and attempt to provide valuable information to organizations seeking information security level measurements.

Jose M Torres, Jose M Sarriegi, Javier Santos, Nicolás Serrano
Backmatter

Metadata
Title: Information Security
Edited by: Sokratis K. Katsikas, Javier López, Michael Backes, Stefanos Gritzalis, Bart Preneel
Copyright year: 2006
Publisher: Springer Berlin Heidelberg
Electronic ISBN: 978-3-540-38343-7
Print ISBN: 978-3-540-38341-3
DOI: https://doi.org/10.1007/11836810