High-level Cryptographic Abstractions

The interfaces exposed by commonly used cryptographic libraries are clumsy, complicated, and assume an understanding of cryptographic algorithms. The challenge is to design high-level abstractions that require minimum knowledge and effort to use while also allowing maximum control when needed. This paper proposes such high-level abstractions consisting of simple cryptographic primitives and full declarative configuration. These abstractions can be implemented on top of any cryptographic library in any language. We have implemented these abstractions in Python, and used them to write a wide variety of well-known security protocols, including Signal, Kerberos, and TLS. We show that programs using our abstractions are much smaller and easier to write than using low-level libraries, where size of security protocols implemented is reduced by about a third on average. We show our implementation incurs a small overhead, less than 5 microseconds for shared key operations and less than 341 microseconds (< 1%) for public key operations. We also show our abstractions are safe against main types of cryptographic misuse reported in the literature

Comparative Analysis of Cryptography Library in IoT

The paper aims to do a survey along with a comparative analysis of the various cryptography libraries that are applicable in the field of Internet of Things (IoT). The first half of the paper briefly introduces the various cryptography libraries available in the field of cryptography along with a list of all the algorithms contained within the libraries. The second half of the paper deals with cryptography libraries specifically aimed for application in the field of Internet of Things. The various libraries and their performance analysis listed down in this paper are consolidated from various sources with the aim of providing a single comprehensive repository for reference to the various cryptography libraries and the comparative analysis of their features in IoT.Comment: 5 pages, 14 table

A Touch of Evil: High-Assurance Cryptographic Hardware from Untrusted Components

The semiconductor industry is fully globalized and integrated circuits (ICs) are commonly defined, designed and fabricated in different premises across the world. This reduces production costs, but also exposes ICs to supply chain attacks, where insiders introduce malicious circuitry into the final products. Additionally, despite extensive post-fabrication testing, it is not uncommon for ICs with subtle fabrication errors to make it into production systems. While many systems may be able to tolerate a few byzantine components, this is not the case for cryptographic hardware, storing and computing on confidential data. For this reason, many error and backdoor detection techniques have been proposed over the years. So far all attempts have been either quickly circumvented, or come with unrealistically high manufacturing costs and complexity. This paper proposes Myst, a practical high-assurance architecture, that uses commercial off-the-shelf (COTS) hardware, and provides strong security guarantees, even in the presence of multiple malicious or faulty components. The key idea is to combine protective-redundancy with modern threshold cryptographic techniques to build a system tolerant to hardware trojans and errors. To evaluate our design, we build a Hardware Security Module that provides the highest level of assurance possible with COTS components. Specifically, we employ more than a hundred COTS secure crypto-coprocessors, verified to FIPS140-2 Level 4 tamper-resistance standards, and use them to realize high-confidentiality random number generation, key derivation, public key decryption and signing. Our experiments show a reasonable computational overhead (less than 1% for both Decryption and Signing) and an exponential increase in backdoor-tolerance as more ICs are added

Hybrid Cryptography security in public cloud using TwoFish and ECC algorithm

Cloud computing is a structure for rendering service to the user for free or paid basis through internet facility where we can access to a bulk of shared resources which results in saving managing cost and time for large companies, The data which are stored in the data center may incur various security, damage and threat issues which may result in data leakage, insecure interface and inside attacks. This paper will demonstrate the implementation of hybrid cryptography security in public cloud by a combination of Elliptical Curve Cryptography and Twofish algorithm, which provides an innovative solution to enhance the security features of the cloud so that we can improve the service thus results in increasing the trust over the technology.   

A Comparison of the Standardized Versions of ECIES

Elliptic Curve Cryptography (ECC) can be used as a tool for encrypting data, creating digital signatures or performing key exchanges. In relation to encryption, the Elliptic Curve Integrated Encryption Scheme (ECIES) is the best known scheme based on ECC, and as such it has been included in several cryptographic standards. In the present work, we provide an extensive review and comparison of the versions of ECIES included in documents from ANSI, IEEE, ISO/IEC, and SECG, highlighting the main differences between them that can prevent implementations of ECIES from being fully interoperable.This work has been partially supported by Ministerio de Ciencia e Innovación (Spain), under the grant TEC2009-13964-C04-02, and Ministerio de Industria, Turismo y Comercio (Spain), in collaboration with CDTI and Telefónica I+D, under the project Segur@ CENIT-2007 2004.Peer reviewe

Performance and Security of Group Signature in Wireless Networks

A Group signature protocol is a cryptographic scheme that decouples a user identity and location from verification procedure during authentication. In a group signature scheme, a user is allowed to generate signatures on behalf of other group members but identity and location information of the signer is not known by a verifier. This ensures privacy, authentication and unlinkability of users. Although group signature is expensive to implement, its existential anonymity, non-repudiation and untraceablility properties make it attractive especially for resources-constrained devices in wireless network. A general group signature scheme usually contains six basic phases: setup (or key generation), join, message signing (or signature generation), signature verification, open and user revocation. In this paper, an evaluation of the performance of group signature based on three of the phases mentioned above is considered and its security in wireless networks examined. The key generation, signing and verification algorithms are implemented in Java 8. A proof of security of group signature by implication is also presented

End-to-end security for mobile devices

Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2004Includes bibliographical references (leaves: 120)Text in English; Abstract: Turkish and Englishix, 133 leavesEnd-to-end security has been an emerging need for mobile devices with the widespread use of personal digital assistants and mobile phones. Transport Layer Security Protocol (TLS) is an end-to-end security protocol that is commonly used in Internet, together with its predecessor, SSL protocol. By using TLS protocol in mobile world, the advantage of the proven security model of this protocol can be taken.J2ME (Java 2 Micro Edition) has been the de facto application platform used in mobile devices. This thesis aims to provide an end-to-end security protocol implementation based on TLS 1.0 specification and that can run on J2ME MIDP (Mobile Information Device Profile) environment. Because of the resource intensive public-key operations used in TLS, this protocol needs high resources and has low performance. Another motivation for the thesis is to adapt the protocol for mobile environment and to show that it is possible to use the protocol implementation in both client and server modes. An alternative serialization mechanism is used instead of the standard Java object serialization that is lacking in MIDP. In this architecture, XML is used to transmit object data.The mobile end-to-end security protocol has the main design issues of maintainability and extensibility. Cryptographic operations are performed with a free library, Bouncy Castle Cryptography Package. The object-oriented architecture of the protocol implementation makes the replacement of this library with another cryptography package easier.Mobile end-to-end security protocol is tested with a mobile hospital reservation system application. Test cases are prepared to measure the performance of the protocol implementation with different cipher suites and platforms. Measured values of all handshake operation and defined time spans are given in tables and compared with graphs

A Certificateless One-Way Group Key Agreement Protocol for Point-to-Point Email Encryption

Over the years, email has evolved and grown to one of the most widely used form of communication between individuals and organizations. Nonetheless, the current information technology standards do not value the significance of email security in today\u27s technologically advanced world. Not until recently, email services such as Yahoo and Google started to encrypt emails for privacy protection. Despite that, the encrypted emails will be decrypted and stored in the email service provider\u27s servers as backup. If the server is hacked or compromised, it can lead to leakage and modification of one\u27s email. Therefore, there is a strong need for point-to-point (P2P) email encryption to protect email user\u27s privacy. P2P email encryption schemes strongly rely on the underlying Public Key Cryptosystems (PKC). The evolution of the public key cryptography from the traditional PKC to the Identity-based PKC (ID-PKC) and then to the Certificateless PKC (CL-PKC) provides a better and more suitable cryptosystem to implement P2P email encryption. Many current public-key based cryptographic protocols either suffer from the expensive public-key certificate infrastructure (in traditional PKC) or the key escrow problem (in ID-PKC). CL-PKC is a relatively new cryptosystem that was designed to overcome both problems. In this thesis, we present a CL-PKC group key agreement protocol, which is, as the author\u27s knowledge, the first one with all the following features in one protocol: (1) certificateless and thus there is no key escrow problem and no public key certificate infrastructure is required. (2) one-way group key agreement and thus no back-and-forth message exchange is required; (3) n-party group key agreement (not just 2- or 3-party); and (4) no secret channel is required for key distribution. With the above features, P2P email encryption can be implemented securely and efficiently. This thesis provides a security proof for the proposed protocol using ``proof by simulation\u27\u27. Efficiency analysis of the protocol is also presented in this thesis. In addition, we have implemented the prototypes (email encryption systems) in two different scenarios in this thesis