Information Security

The main contribution of this paper is a new approach to

χ

2

analyses of block ciphers in which plaintexts are chosen in a manner similar to that in a square/saturation attack. The consequence is a faster detection of

χ

2

correlation when compared to conventional

χ

2

cryptanalysis. Using this technique we

(i)

improve the previously best-known

χ

2

attacks on 2- and 4-round RC6, and

(ii)

mount the first attacks on the MRC6 and ERC6 block ciphers. The analyses of these fast primitives were also motivated by their low diffusion power and, in the case of MRC6 and ERC6, their large block sizes, that favour their use in the construction of compression functions. Our analyses indicate that up to 98 rounds of MRC6 and 44 rounds of ERC6 could be attacked.

The need for nodes to be able to generate their own address and verify those from others, without relying on a global trusted authority, is a well-known problem in networking. One popular technique for solving this problem is to use self-certifying addresses that are widely used and standardized; a prime example is cryptographically generated addresses (CGA). We re-investigate the attack models that can occur in practice and analyze the security of CGA-like schemes. As a result, an alternative protocol to CGA, called CGA++, is presented. This protocol eliminates several attacks applicable to CGA and increases the overall security. In many ways, CGA++ offers a nice alternative to CGA and can be used notably for future developments of the Internet Protocol version 6.

We analyze the Password Authenticated Connection Establishment (PACE) protocol for authenticated key agreement, recently proposed by the German Federal Office for Information Security (BSI) for the deployment in machine readable travel documents. We show that the PACE protocol is secure in the real-or-random sense of Abdalla, Fouque and Pointcheval, under a number-theoretic assumption related to the Diffie-Hellman problem and assuming random oracles and ideal ciphers.

While code obfuscation attempts to hide certain characteristics of a program independently of an application, white-box cryptography (WBC) specifically focuses on software implementations of cryptographic primitives in an application. The aim of WBC is to resist attacks from an adversary having access to some ‘executable’ code with an embedded secret key. WBC, if possible, would have several applications. However, unlike obfuscation, it lacks a theoretical foundation. We present a first step towards a theoretical model of WBC via white-box security notions. We also present some positive and negative results on WBC and obfuscation. In particular, we show that for most interesting programs (such as an encryption algorithm), there are security notions that cannot be satisfied when the adversary has white-box access, while they are satisfied when it has black-box access. On the positive side, we show that there exists an obfuscator for a symmetric encryption scheme in the context of a useful security-notion (such as IND-CPA).

We present a calculus for detecting guessing attacks, based on oracles that instantiate cryptographic functions. Adversaries can

observe

oracles, or

control

them either on-line or off-line. These relations can be established by protocol analysis in the presence of a Dolev-Yao intruder, and the derived guessing rules can be used together with standard intruder deductions. Our rules also handle partial verifiers that fit more than one secret. We show how to derive a known weakness in the Anderson-Lomas protocol, and new vulnerabilities for a known faulty ATM system.

The recently started SHA-3 competition in order to find a new secure hash standard and thus a replacement for SHA-1/SHA-2 has attracted a lot of interest in the academic world as well as in industry. There are 51 round one candidates building on sometimes very different principles.

In this paper, we show how to attack two of the 51 round one hash functions. The attacks have in common that they exploit structural weaknesses in the design of the hash function and are independent of the underlying compression function. First, we present a preimage attack on the hash function Blender-

n

. It has a complexity of about

n

·2

n

/2

and negligible memory requirements. Secondly, we show practical collision and preimage attacks on DCH-

n

. To be more precise, we can trivially construct a (2

8

 + 2)-block collision for DCH-

n

and a 1297-block preimage with only 521 compression function evaluations. The attacks on both hash functions work for all output sizes and render the hash functions broken.

We propose preimage and pseudo-preimage attacks on short output lengths of the hash function 3-pass HAVAL, which is designed to be able to output various hash lengths by one algorithm. HAVAL executes a truncate function at the end of the hash computation in order to produce various output lengths. If the hash value is truncated, the internal state size becomes larger than the hash length. Hence, it appears that finding attacks faster than the exhaustive search becomes relatively hard. In this paper, we propose two types of preimage and pseudo-preimage attacks based on the meet-in-the-middle attack. A key point of our attack is how to deal with input information for truncate functions. The first approach works for various types of truncate functions. The second approach uses a property particular to the truncate function of HAVAL. As far as we know, these are the first preimage and pseudo-preimage attacks that work for short output lengths of HAVAL.

In this paper, we present free-start collisions for the TIB3 hash functions with a complexity of about 2

32

compression function evaluations. By using message modification techniques the complexity can be further reduced to 2

24

. Furthermore, we show how to construct collisions for TIB3 slightly faster than brute force search using the fact that we can construct several (different) free-start collisions for the compression function. The complexity to construct collisions is about 2

122.5

for TIB3-256 and 2

242

for TIB3-512 with memory requirements of 2

53

and 2

100

respectively. The attack shows that compression function attacks have been underestimated in the design of TIB3. Although the practicality of the proposed attacks might be debatable, they nevertheless exhibit non-random properties that are not present in the SHA-2 family.

This paper presents a novel approach for detecting intrusions in databases based on fuzzy logic, which combines evidences from user’s current as well as past behavior. A first-order Sugeno fuzzy model is used to compute an initial belief for each transaction. Whether the current transaction is genuine, suspicious or intrusive is first decided based on this belief. If a transaction is found to be suspicious, its posterior belief is computed using the previous suspicion score and the fuzzy evidences obtained from the history databases by applying fuzzy-Bayesian inferencing. Final decision is made about a transaction according to its current suspicion score. Evaluation of the proposed method clearly shows that the application of fuzzy logic significantly reduces the number of false alarms, which is one of the core problems of existing database intrusion detection systems.

In a logical setting, consistency of a database instance with constraints is a fundamental requirement. We show how satisfaction of a set of constraints guarantees confidentiality of some information declared secret by a security policy – albeit at the cost of some modified database entries. We identify a very general class of constraints for which this problem is effectively and in many cases efficiently solvable by means of an automatic procedure. A distance minimization ensures maximal availability of correct database entries.

The concept of

cancelable biometrics

provides a way to protect biometric templates. A possible technique to achieve such protection for iris images is to apply a repeatable, non-reversible transformation in the image domain prior to feature extraction. We applied two classical transformations,

block re-mapping

and

texture warping

, to iris textures obtained from the CASIA V3 Iris database and collected experimental results on the matching performance and key sensitivity of a popular iris recognition method.

Most of the state-of-the-art iris recognition algorithms focus on processing and recognition of the ideal iris images which are captured in a controlled environment. In this paper, we process the nonideal iris images which are acquired in an unconstrained situation and are affected severely by gaze deviation, eyelids and eyelashes occlusion, non uniform intensity, motion blur, reflections, etc. To segment the nonideal iris images accurately, we deploy a variational level set based curve evolution scheme, which uses significantly larger time step for numerically solving the evolution partial differential equation (PDE), and therefore, speeds up the curve evolution process drastically. Genetic Algorithms (GAs) are deployed to select the subset of informative features by combining the valuable outcomes from the multiple feature selection criteria without compromising the recognition accuracy. The verification performance of the proposed scheme is validated using three nonideal iris datasets, namely, UBIRIS Version 2, ICE 2005, and WVU datasets.

Recently, a variant of proxy re-encryption, named conditional proxy re-encryption (C-PRE), has been introduced. Compared with traditional proxy re-encryption, C-PRE enables the delegator to implement fine-grained delegation of decryption rights, and thus is more useful in many applications. In this paper, based on a careful observation on the existing definitions and security notions for C-PRE, we re-formalize more rigorous definition and security notions for C-PRE. We further propose a more efficient C-PRE scheme, and prove its chosen-ciphertext security under the decisional bilinear Diffie-Hellman (DBDH) assumption in the random oracle model. In addition, we point out that a recent C-PRE scheme fails to achieve the chosen-ciphertext security.

Hitag2 is a stream cipher that is widely used in RFID car locks in the automobile industry. It can be seen as a (much) more secure version of the [in]famous Crypto-1 cipher that is used in MiFare Classic RFID products [14,20,15]. Recently, a specification of Hitag2 was circulated on the Internet [29]. Is this cipher secure w.r.t. the recent algebraic attacks [8,17,1,25] that allowed to break with success several LFSR-based stream ciphers? After running some computer simulations we saw that the Algebraic Immunity [25] is at least 4 and we see no hope to get a very efficient attack of this type.

However, there are other algebraic attacks that rely on experimentation but nevertheless work. For example Faugère and Ars have discovered that many simple stream ciphers can be broken experimentally with Gröbner bases, given an extremely small quantity of keystream, see [17]. Similarly reduced-round versions of DES [9] and KeeLoq [11,12] were broken using SAT solvers, that actually seem to outperform Gröbner basis techniques. Thus, we have implemented a generic experimental algebraic attack with conversion and SAT solvers,[10,9]. As a result we are able to break Hitag2 quite easily, the full key can be recovered in a few hours on a PC. In addition, given the specific protocol in which Hitag2 cipher is used in cars, some of our attacks are practical.

Because of the algebraic attacks, a high algebraic immunity is now an important criteria for Boolean functions used in stream ciphers. In this paper, we study the construction of Boolean functions with maximum algebraic immunity. We first present a new method to construct Boolean functions, in any number of variables, with maximum algebraic immunity(AI), and we also improve our algorithm to construct balanced functions with optimum algebraic immunity for any even number of variables. Furthermore, the enumeration and algebraic degree of the constructed Boolean functions are investigated.

Continued improvements in network bandwidth, cost, and ubiquitous access are enabling service providers to host desktop computing environments to address the complexity, cost, and mobility limitations of today’s personal computing infrastructure. However, distributed denial of service attacks can deny use of such services to users. We present A

2

M, a secure and attack-resilient desktop computing hosting infrastructure. A

2

M combines a stateless and secure communication protocol, a single-hop Indirection-based network (IBN) and a remote display architecture to provide mobile users with continuous access to their desktop computing sessions. Our architecture protects both the hosting infrastructure and the client’s connections against a wide range of service disruption attacks. Unlike any other DoS protection system, A

2

M takes advantage of its low-latency remote display mechanisms and asymmetric traffic characteristics by using multi-path routing to send a small number of replicas of each packet transmitted from client to server. This packet replication through different paths, diversifies the client-server communication, boosting system resiliency and reducing end-to-end latency. Our analysis and experimental results on PlanetLab demonstrate that A

2

M significantly increases the hosting infrastructure’s attack resilience even for wireless scenarios. Using conservative ISP bandwidth data, we show that we can protect against attacks involving thousands (150,000) attackers, while providing good performance for multimedia and web applications and basic GUI interactions even when up to 30% and 50%, respectively, of indirection nodes become unresponsive.

Various online studies on the prevalence of spyware attest overwhelming numbers (up to 80%) of infected home computers. However, the term spyware is ambiguous and can refer to anything from plug-ins that display advertisements to software that records and leaks user input. To shed light on the true nature of the spyware problem, a recent measurement paper attempted to quantify the extent of spyware on the Internet. More precisely, the authors crawled the web and analyzed the executables that were downloaded. For this analysis, only a single anti-spyware tool was used. Unfortunately, this is a major shortcoming as the results from this single tool neither capture the actual amount of the threat, nor appropriately classify the functionality of suspicious executables in many cases.

For our analysis, we developed a fully-automated infrastructure to collect and install executables from the web. We use three different techniques to analyze these programs: an online database of spyware-related identifiers, signature-based scanners, and a behavior-based malware detection technique. We present the results of a measurement study that lasted about ten months. During this time, we crawled over 15 million URLs and downloaded 35,853 executables. Almost half of the spyware samples we found were not recognized by the tool used in previous work. Moreover, a significant fraction of the analyzed programs (more than 80%) was incorrectly classified. This underlines that our measurement results are more comprehensive and precise than those of previous approaches, allowing us to draw a more accurate picture of the spyware threat.

Attack graph is used as an effective method to model, analyze, and evaluate the security of complicated computer systems or networks. The attack graph workflow consists of three parts: information gathering, attack graph construction, and visualization. To construct an attack graph, runtime information on the target system or network environment should be monitored, gathered, and later evaluated with existing descriptions of known vulnerabilities. The output will be visualized into a graph structure for further measurements. Information gatherer, vulnerability repository, and the visualization module are three important components of an attack graph constructor. However, high quality attack graph construction relies on up-to-date vulnerability information. There are already some existing databases maintained by security companies, a community, or governments. Such databases can not be directly used for generating attack graph, due to missing unification of the provided information. This paper challenged the automatic extraction of meaningful information from various existing vulnerability databases. After comparing existing vulnerability databases, a new method is proposed for automatic extraction of vulnerability information from textual descriptions. Finally, a prototype was implemented to proof the applicability of the proposed method for attack graph construction.

Traitor tracing is an essential mechanism for discouraging the piracy in digital content distribution. An adversarial model is identified as rebroadcasting the content encrypting keys or the content in the clear form. It is possible to fight against these piracy models by employing a fingerprinting code that gives a way to differentiate the encryption capability of each individual. We point three important characteristics of a fingerprinting code that affects its deployment in traitor tracing scheme against pirate rebroadcasting: (i) A robust fingerprinting code tolerates an adversary that chooses not to rebroadcast some messages. (ii) A tracing algorithm for fingerprinting code that does not require a priori upper-bound on coalition size to be successful in detecting a traitor. (iii) Extending the length of the fingerprinting code which refers to traitor-identification procedure of the code that doesn’t depend on the length of the code or the distribution of the markings over the code.

We presented the first traitor tracing scheme with formal analysis of its success in traitor-identification that doesn’t assume a priori bound on a traitor-coalition size while at the same time it is possible to extend the code without degrading the success of traitor identification due to non-extended part. This construction also supports the robustness without requiring a high pirate rebroadcasting threshold.

Epidemic spreading in complex networks has received much attention in recent years. Previous research identified a propagation scenario of electronic threats which has not been described by any of the existing analytical models. In this scenario an infected node instead of being removed contributes to the infection spreading upon the reinfection attempt (for example, Sober, Sobig, and Mydoom Worms). In this paper we formally define and describe analytically a new model, Susceptible-Infected-Suspended-Reinfected (SISR), which complies with this scenario of epidemic spreading in both homogeneous and complex networks. We then evaluate the model by comparing it to the SIR model and by comparing its estimations with simulation results.

The Mafia fraud consists in an adversary transparently relaying the physical layer signal during an authentication process between a verifier and a remote legitimate prover. This attack is a major concern for certain RFID systems, especially for payment related applications.

Previously proposed protocols that thwart the Mafia fraud treat relaying and non-relaying types of attacks equally: whether or not signal relaying is performed, the same probability of false-acceptance is achieved. Naturally, one would expect that non-relay type of attacks achieve a lower probability of false-acceptance.

We propose a low complexity authentication protocol that achieves a probability of false-acceptance essentially equal to the best possible false-acceptance probability in the presence of Mafia frauds. This performance is achieved without degrading the performance of the protocol in the non-relay setting. As an additional feature, the verifier can make a rational decision to accept or to reject a proof of identity even if the protocol gets unexpectedly interrupted.

In this work we utilize a physically unclonable function (PUF) to improve resilience of authentication protocols to various types of compromise. As an example application, we consider users who authenticate at an ATM using their bank-issued PUF and a password. We present a scheme that is provably secure and achieves strong security properties. In particular, we ensure that (i) the user is unable to authenticate without her device; (ii) the device cannot be used by someone else to successfully authenticate as the user; (iii) the device cannot be duplicated (e.g., by a bank employee); (iv) an adversary with full access to the bank’s personal and authentication records is unable to impersonate the user even if he obtains access to the device before and/or after the setup; (v) the device does not need to store any information. We also give an extension that endows the solution with emergency capabilities: if a user is coerced into opening her secrets and giving the coercer full access to the device, she gives the coercer alternative secrets whose use notifies the bank of the coercion in such a way that the coercer is unable to distinguish between emergency and normal operation of the protocol.

Microsoft has designed a user-centric identity metasystem encompassing a suite of various protocols for identity management. CardSpace is based on open standards, so that various applications can make use of the identity metasystem, including, for example, Microsoft Internet Explorer or Firefox (with some add-on). We therefore expect Microsoft’s identity metasystem to become widely deployed on the Internet and a popular target to attack. We examine the security of CardSpace against today’s Internet threats and identify risks and attacks. The browser-based CardSpace protocol does not prevent against replay of security tokens. Users can be impersonated and are potential victims of identity theft. We demonstrate the practicability of the flaw by presenting a proof of concept attack. Finally, we suggest several areas of improvement.

We present the first

fair e-cash system

with a compact wallet that enables users to spend efficiently

k

coins while only sending to the merchant

$\mathcal{O}(\lambda\log k)$

bits, where

λ

is a security parameter. The best previously known schemes require to transmit data of size at least linear in the number of spent coins. This result is achieved thanks to a new way to use the Batch RSA technique and a tree-based representation of the wallet. Moreover, we give a variant of our scheme with a less compact wallet but where the computational complexity of the spend operation does not depend on the number of spent coins, instead of being linear at best in existing systems.

Signcryption is a cryptographic primitive which offers authentication and confidentiality simultaneously with a cost lower than signing and encrypting the message independently. Ring signcryption enables a user to signcrypt a message along with the identities of a set of potential senders (that includes him) without revealing which user in the set has actually produced the signcryption. Thus a ring signcrypted message has anonymity in addition to authentication and confidentiality. Ring signcryption schemes have no group managers, no setup procedures, no revocation procedures and no coordination: any user can choose any set of users (ring), that includes himself and signcrypt any message by using his private and public key as well as other users (in the ring) public keys, without getting any approval or assistance from them. Ring Signcryption is useful for leaking trustworthy secrets in an anonymous, authenticated and confidential way.

To the best of our knowledge, seven identity based ring signcryption schemes are reported in the literature. Two of them were already proved to be insecure in [1] and [2]. In this paper, we show that four among the remaining five schemes do not provide confidentiality, to be specific, two schemes are not secure against chosen plaintext attack and other two schemes do not provide adaptive chosen ciphertext security. We then propose a new scheme and formally prove the security of the new scheme in the random oracle model. A comparison of our scheme with the only existing correct scheme by Huang et al. shows that our scheme is much more efficient than the scheme by Huang et al.

In this paper, we propose a simple redactable signature scheme for super-sets whose message-signature size is

O

(|

M

| + 

τ

), where

τ

is a security parameter and

M

is a message to be signed. The scheme proposed by Johnson et al. in CT-RSA 2003 has the similar performance but this scheme was proven secure based on the RSA assumption in the random oracle model. In this paper, we show that such a scheme can be constructed based on the RSA assumption without the random oracles.

The concept of stateful encryption was introduced by Bellare et al. in 2006. Compared with conventional public key encryption scheme, stateful encryption can achieve much better encryption performance. In this paper, we introduce a related primitive called stateful identity based key encapsulation mechanism (SIBKEM). SIBKEM is a simpler primitive, however, together with multi-time use

IND-CCA

secure symmetric encryption, it implies secure stateful identity based encryption. We then demonstrate there is a generic construction of SIBKEM from a wide class of identity based non-interactive key exchange schemes.

As a new public key primitive, attribute-based encryption (ABE) is envisioned to be a promising tool for implementing fine-grained access control. To further address the concern of user access privacy, privacy-aware ABE schemes are being developed to achieve hidden access policy recently. For the purpose of secure access control, there is, however, still one critical functionality missing in the existing ABE schemes, which is user accountability. Currently, no ABE scheme can completely prevent the problem of illegal key sharing among users. In this paper, we tackle this problem by firstly proposing the notion of accountable, anonymous, and ciphertext-policy ABE (CP-A

3

BE, in short) and then giving out a concrete construction. We start by improving the state-of-the-art of anonymous CP-ABE to obtain shorter public parameters and ciphertext length. In the proposed CP-A

3

BE construction, user accountability can be achieved in black-box model by embedding additional user-specific information into the attribute private key issued to that user, while still maintaining hidden access policy. The proposed constructions are provably secure.

Applications typically rely on the operating system to enforce access control policies such as MAC, DAC, or other policies. However, in the face of a compromised operating system, such protection mechanisms may be ineffective. Since security-sensitive applications are most motivated to maintain access control to their secret or sensitive information, and have no control over the operating system, it is desirable to provide mechanisms to enable applications to protect information with application-specific policies, in spite of a compromised operating system. In this paper, we enable application-level access control and information sharing with direct

hardware

support and protection, bypassing the dependency on the operating system. We analyze an originator-controlled information sharing policy (ORCON), where the content creator specifies who has access to the file created and maintains this control

after

the file has been distributed. We show that this policy can be enforced by the software-hardware mechanisms provided by the Secret Protection (SP) architecture, where a Trusted Software Module (TSM) is directly protected by SP’s hardware features. We develop a proof-of-concept text editor application which contains such a TSM. This TSM can implement many different policies, not just the originator-controlled policy that we have defined. We also propose a general methodology for

trust-partitioning

an application into security-critical and non-critical parts.

The need to delegate, which allows the temporary grant or transfer of access rights, arise in many applications. Although a lot of research appears in extending Role-Based Access Control (RBAC) to support delegation, not much appears on providing a formal basis for choosing delegatees. We provide an approach that allows one to assess the trustworthiness of potential delegatees in the context of the task that is to be delegated. It is also important to ensure that the choice of the delegatee does not cause any security policy violation. Towards this end, we show how to formally analyze the application using existing SAT solvers to get assurance that our choice of delegatee does not cause a security breach. Once the process of choosing delegatee can be formalized, it will be possible to automate delegation and use it for real-time applications.

Ensuring secure interoperation in multidomain environments based on role based access control (RBAC) has drawn considerable research works in the past. However, RBAC primarily consider static authorization decisions based on subjects’ permissions on target objects, and there is no further enforcement during the access. Recently proposed usage control (UCON) can address these requirements of access policy representation for temporal and time-consuming problems. In this paper, we propose a framework to facilitate the establishment of secure interoperability in multidomain environments employing Usage Control (UCON) policies. In particular, we propose an attribute mapping technique to establish secure context in multidomain environments. A key challenge in the establishment of secure interoperability is to guarantee security of individual domains in presence of interoperation. We study how conflicts arise and show that it is efficient to resolve the security violations of cyclic inheritance and separation of duty.

Separation-of-Duty (SoD) policy is a fundamental security principle for prevention of fraud and errors in computer security. The research of static SoD (SSoD) policy in recently presented usage control (UCON) model has not been explored. Consequently, this paper attempts to address two important issues: the specification and enforcement of SSoD in UCON. We give a set-based specification scheme, which is simpler and more general than existing approaches. As for the enforcement, we study the problem of determining whether an SSoD policy is enforceable, and show that directly enforcing an SSoD policy is a coNP-complete problem. In indirect enforcement, we generate the least restrictive static mutually exclusive attribute (SMEA) constraints to enforce SSoD policies, by using the attribute level SSoD requirement as an intermediate step. The results are fundamental to understanding the effectiveness of using constraints to enforce SSoD policies in UCON.

A nonce is a cryptographic input value which must never repeat within a given context. Nonces are important for the security of many cryptographic building blocks, such as stream ciphers, block cipher modes of operation, and message authentication codes. Nonetheless, the correct generation of nonces is rarely discussed in the cryptographic literature.

In this paper, we collect a number of nonce generators and describe their cryptographic properties. In particular, we derive upper bounds on the nonce collision probabilities of nonces that involve a random component, and lower bounds on the resulting nonce lengths.

We also discuss an important practical vulnerability of nonce-based systems, namely the nonce reset problem. While ensuring that nonces never repeat is trivial in theory, practical systems can suffer from accidental or even malicious resets which can wipe out the nonce generators current state. After describing this problem, we compare the resistance of the nonce generators described to nonce resets by again giving formal bounds on collision probabilities and nonce lengths.

The main purpose of this paper is to provide a help for system designers who have to choose a suitable nonce generator for their application. Thus, we conclude by giving recommendations indicating the most suitable nonce generators for certain applications.

We present

ShMAC

(Shallow MAC), a fixed input length message authentication code that performs most of the computation

prior

to the availability of the message. Specifically, ShMAC’s message-dependent computation is much faster and smaller in hardware than the evaluation of a pseudorandom permutation (PRP), and can be implemented by a small

shallow

circuit, while its precomputation consists of one PRP evaluation.

A main building block for ShMAC is the notion of

strong differential uniformity

(SDU), which we introduce, and which may be of independent interest. We present an efficient SDU construction built from previously considered differentially uniform functions.

Our motivating application is a system where a hardware-secured processor uses memory controlled by an adversary. We present in technical detail a novel, more efficient approach to encrypting and authenticating memory and discuss the associated trade-offs, while paying special attention to minimizing hardware costs and the reduction of DRAM latency.

We present a new secret-prefix MAC (Message Authentication Code) based on hash functions. Just like the well-known HMAC algorithm, the new MAC can utilize current hash functions without modifying their Merkle-Damgård implementations. Indeed, the new MAC is almost the same as HMAC except that the

second call

to the secret key, which is made at the finalization stage, is

omitted

. In this way we not only increase efficiency over HMAC but also reduce the cost of managing the key, as the new MAC invokes a key only once at the initialization stage, and the rest of the process depends solely on incoming data. We give a rigorous security proof of the new MAC algorithm. Like HMAC, our new MAC is proven to be a secure PRF (Pseudo-Random Function) based on a reasonable assumption about the underlying compression function. In theory our assumption is neither stronger nor weaker than the PRF-type compression-function requirement for the PRF security of HMAC. In practice our assumption looks somewhat similar to the PRF-type requirement for the security of HMAC.

While peer-to-peer (P2P) file-sharing is a powerful and cost-effective content distribution model, most paid-for digital-content providers (CPs) use direct download to deliver their content. CPs are hesitant to rely on a P2P distribution model because it introduces a number of security concerns including content pollution by malicious peers, and lack of enforcement of authorized downloads. Furthermore, because users communicate directly with one another, the users can easily form illegal file-sharing clusters to exchange copyrighted content. Such exchange could hurt the content providers’ profits. We present a P2P system TP2P, where we introduce a notion of trusted auditors (TAs). TAs are P2P peers that police the system by covertly monitoring and taking measures against misbehaving peers. This policing allows TP2P to enable a stronger security model making P2P a viable alternative for the distribution of paid digital content. Through analysis and simulation, we show the effectiveness of even a small number of TAs at policing the system. In a system with as many as 60% of misbehaving users, even a small number of TAs can detect 99% of illegal cluster formation. We develop a simple economic model to show that even with such a large presence of malicious nodes, TP2P can improve CP’s profits (which could translate to user savings) by 62% to 122%, even while assuming conservative estimates of content and bandwidth costs. We implemented TP2P as a layer on top of BitTorrent and demonstrated experimentally using PlanetLab that our system provides trusted P2P file sharing with negligible performance overhead.

The complexity of modern network architectures and the epidemic diffusion of malware require collaborative approaches for defense. We present a novel distributed system where each component collaborates to the intrusion and malware detection and to the dissemination of the local analyses. The proposed architecture is based on a decentralized, peer-to-peer and sensor-agnostic design that addresses dependability and load unbalance issues affecting existing systems based on centralized and hierarchical schemes. Load balancing properties, ability to tolerate churn, self-organization capabilities and scalability are demonstrated through a prototype integrating different open source defensive software.

The frequency and severity of a number of recent intrusions involving data theft and leakages has shown that online users’ trust, voluntary or not, in the ability of third parties to protect their sensitive data is often unfounded. Data may be exposed anywhere along a corporation’s web pipeline, from the outward-facing web servers to the back-end databases. The problem is exacerbated in service-oriented architectures (SOAs) where data may also be exposed as they transit between SOAs. For example, credit card numbers may be leaked during transmission to or handling by transaction-clearing intermediaries.

We present F3ildCrypt, a system that provides end-to-end protection of data across a web pipeline and between SOAs. Sensitive data are protected from their origin (the user’s browser) to their legitimate final destination. To that end, F3ildCrypt exploits browser scripting to enable application- and merchant-aware handling of sensitive data. Such techniques have traditionally been considered a security risk; to our knowledge, this is one of the first uses of web scripting that

enhances

overall security.Our approach scales well in the number of public key operations required for web clients and does not reveal proprietary details of the logical enterprise network. We evaluate F3ildCrypt and show an additional cost of 40 to 150 ms when making sensitive transactions from the web browser, and a processing rate of 100 to 140 protected fields/second on the server. We believe such costs to be a reasonable tradeoff for increased sensitive-data confidentiality.