11 research outputs found

    Contraste de los riesgos valorados para los tipos de tarjetas que han sido utilizadas como medio de pago en el sistema integrado de transporte público

    Get PDF
    Trabajo de InvestigaciónEl sistema integrado de transporte público SITP, es uno de los sistemas más grandes y sofisticados de transporte en Colombia; el ingreso a este se hace mediante tarjetas inteligentes sin contacto entre las cuales se encuentran: tarjeta monedero, cliente frecuente y tullave bajo la licitación de recaudo Bogotá. Debido a diferentes sucesos presentados, vulneración del medio de pago, se realizó una valoración de riesgos por medio de la norma ISO 27005,seguridad de la información de activos, basándose en la identificación de amenazas, vulnerabilidades y riesgos de las tarjetas utilizadas en el sistema.RESUMEN ABSTRACT INTRODUCCIÓN 1. GENERALIDADES 2. ESTABLECIMIENTO DEL CONTEXTO 3. IDENTIFICACIÓN DE RIESGOS 4. ESTIMACIÓN DE RIESGOS 5. EVALUACIÓN DE RIESGOS 6. CONCLUSIONES 7. RECOMENDACIONES Y TRABAJOS FUTUROS 8. ANEXOS 9. REFERENCIASPregradoIngeniero de Sistema

    State of the Art in Lightweight Symmetric Cryptography

    Get PDF
    Lightweight cryptography has been one of the hot topics in symmetric cryptography in the recent years. A huge number of lightweight algorithms have been published, standardized and/or used in commercial products. In this paper, we discuss the different implementation constraints that a lightweight algorithm is usually designed to satisfy in both the software and the hardware case. We also present an extensive survey of all lightweight symmetric primitives we are aware of. It covers designs from the academic community, from government agencies and proprietary algorithms which were reverse-engineered or leaked. Relevant national (NIST...) and international (ISO/IEC...) standards are listed. We identified several trends in the design of lightweight algorithms, such as the designers\u27 preference for ARX-based and bitsliced-S-Box-based designs or simpler key schedules. We also discuss more general trade-offs facing the authors of such algorithms and suggest a clearer distinction between two subsets of lightweight cryptography. The first, ultra-lightweight cryptography, deals with primitives fulfilling a unique purpose while satisfying specific and narrow constraints. The second is ubiquitous cryptography and it encompasses more versatile algorithms both in terms of functionality and in terms of implementation trade-offs

    Lightweight cryptography on ultra-constrained RFID devices

    Full text link
    Devices of extremely small computational power like RFID tags are used in practice to a rapidly growing extent, a trend commonly referred to as ubiquitous computing. Despite their severely constrained resources, the security burden which these devices have to carry is often enormous, as their fields of application range from everyday access control to human-implantable chips providing sensitive medical information about a person. Unfortunately, established cryptographic primitives such as AES are way to 'heavy' (e.g., in terms of circuit size or power consumption) to be used in corresponding RFID systems, calling for new solutions and thus initiating the research area of lightweight cryptography. In this thesis, we focus on the currently most restricted form of such devices and will refer to them as ultra-constrained RFIDs. To fill this notion with life and in order to create a profound basis for our subsequent cryptographic development, we start this work by providing a comprehensive summary of conditions that should be met by lightweight cryptographic schemes targeting ultra-constrained RFID devices. Building on these insights, we then turn towards the two main topics of this thesis: lightweight authentication and lightweight stream ciphers. To this end, we first provide a general introduction to the broad field of authentication and study existing (allegedly) lightweight approaches. Drawing on this, with the (n,k,L)^-protocol, we suggest our own lightweight authentication scheme and, on the basis of corresponding hardware implementations for FPGAs and ASICs, demonstrate its suitability for ultra-constrained RFIDs. Subsequently, we leave the path of searching for dedicated authentication protocols and turn towards stream cipher design, where we first revisit some prominent classical examples and, in particular, analyze their state initialization algorithms. Following this, we investigate the rather young area of small-state stream ciphers, which try to overcome the limit imposed by time-memory-data tradeoff (TMD-TO) attacks on the security of classical stream ciphers. Here, we present some new attacks, but also corresponding design ideas how to counter these. Paving the way for our own small-state stream cipher, we then propose and analyze the LIZARD-construction, which combines the explicit use of packet mode with a new type of state initialization algorithm. For corresponding keystream generator-based designs of inner state length n, we prove a tight (2n/3)-bound on the security against TMD-TO key recovery attacks. Building on these theoretical results, we finally present LIZARD, our new lightweight stream cipher for ultra-constrained RFIDs. Its hardware efficiency and security result from combining a Grain-like design with the LIZARD-construction. Most notably, besides lower area requirements, the estimated power consumption of LIZARD is also about 16 percent below that of Grain v1, making it particularly suitable for passive RFID tags, which obtain their energy exclusively through an electromagnetic field radiated by the reading device. The thesis is concluded by an extensive 'Future Research Directions' chapter, introducing various new ideas and thus showing that the search for lightweight cryptographic solutions is far from being completed

    An Investigation of Security in Near Field Communication Systems

    Get PDF
    Increasingly, goods and services are purchased over the Internet without any form of physical currency. This practice, often called e-commerce, offers sellers and buyers a convenient way to trade globally as no physical currency must change hands and buyers from anywhere in the world can browse online store fronts from around the globe. Nevertheless, many transactions still require a physical presence. For these sorts of transactions, a new technology called Near Field Communication has emerged to provide buyers with some of the conveniences of e-commerce while still allowing them to purchase goods locally. Near Field Communication (NFC), an evolution of Radio-Frequency Identification (RFID), allows one electronic device to transmit short messages to another nearby device. A buyer can store his or her payment information on a tag and a cashier can retrieve that information with an appropriate reader. Advanced devices can store payment information for multiple credit and debit cards as well as gift cards and other credentials. By consolidating all of these payment forms into a single device, the buyer has fewer objects to carry with her. Further, proper implementation of such a device can offer increased security over plastic cards in the form of advanced encryption. Using a testing platform consisting of commercial, off-the-shelf components, this dissertation investigates the security of the NFC physical-layer protocols as well as the primary NFC security protocol, NFC-SEC. In addition, it analyzes a situation in which the NFC protocols appear to break, potentially compromising sensitive data. Finally, this dissertation provides a proof of security for the NFC-SEC-1 variation of NFC-SEC

    A Target to the Heart of the First Amendment: Government Endorsement of Responsible Disclosure as Unconstitutional

    Get PDF
    Brian Krebs, a former reporter for the Washington Post who is now known for his blog Krebs on Security, remained relatively unknown for most of his career. But in December 2013, Mr. Krebs found that hackers had exploited a data vulnerability in Target’s electronic-payment system, compromising millions of credit-card numbers that had been used to purchase goods from the second-largest discount retailer in the United States. In the following months, an investigation revealed that the breach affected nearly half of the 110-million credit cards recently used at Target, resulting in one of the largest known digital credit-card heists in history. Even before Target’s data breach personally affected millions of consumers, concern over the security of personal data was endemic. A survey conducted in March 2013 revealed that 82.1% of Americans were at least somewhat worried about a data breach involving banks, government entities, or other organizations, and roughly the same percentage were concerned about identity theft and credit-card fraud. With over 78- million data records containing personal information exposed to breaches in the first ten months of 2014 alone, it is unsurprising that a separate survey found that 77% of consumers agreed that expeditious notification of vulnerabilities involving stolen or lost data was important. Coupled with the potential widespread harm caused by data breaches, discrepancies in data-holders’ approaches to security vulnerabilities have prompted a call for a national response. Generally, two approaches exist for confronting data security issues: full disclosure and responsible disclosure. Proponents of the former argue that stifling communication about data breaches or vulnerabilities, no matter the source, is detrimental, conflicting with both public sentiment and constitutional rights. On the other end of the spectrum, supporters of a responsible disclosure policy suggest that allowing companies to rectify data security issues before public dissemination provides a better solution. In effect, responsible disclosure requires those who discover a data vulnerability to not only notify the affected organization, but also keep knowledge of the data security weakness confidential, regardless of its potential impact on consumers. Although the predominant industry approach, this Article argues that the responsible disclosure approach should not be legislatively or judicially adopted. Not only does a responsible disclosure policy violate the First Amendment as a prior restraint, but it also constitutes poor public policy, ultimately causing a chilling effect that would reduce business accountability. In an effort to avoid both limiting the development of enhanced data security safeguards and restricting the public’s ability to engage in self-help, Congress and the judiciary should allow basic market forces to pave the way for innovation in this continually evolving field

    A Target to the Heart of the First Amendment: Government Endorsement of Responsible Disclosure as Unconstitutional

    Get PDF
    Brian Krebs, a former reporter for the Washington Post who is now known for his blog Krebs on Security, remained relatively unknown for most of his career. But in December 2013, Mr. Krebs found that hackers had exploited a data vulnerability in Target’s electronic-payment system, compromising millions of credit-card numbers that had been used to purchase goods from the second-largest discount retailer in the United States. In the following months, an investigation revealed that the breach affected nearly half of the 110-million credit cards recently used at Target, resulting in one of the largest known digital credit-card heists in history. Even before Target’s data breach personally affected millions of consumers, concern over the security of personal data was endemic. A survey conducted in March 2013 revealed that 82.1% of Americans were at least somewhat worried about a data breach involving banks, government entities, or other organizations, and roughly the same percentage were concerned about identity theft and credit-card fraud. With over 78- million data records containing personal information exposed to breaches in the first ten months of 2014 alone, it is unsurprising that a separate survey found that 77% of consumers agreed that expeditious notification of vulnerabilities involving stolen or lost data was important. Coupled with the potential widespread harm caused by data breaches, discrepancies in data-holders’ approaches to security vulnerabilities have prompted a call for a national response. Generally, two approaches exist for confronting data security issues: full disclosure and responsible disclosure. Proponents of the former argue that stifling communication about data breaches or vulnerabilities, no matter the source, is detrimental, conflicting with both public sentiment and constitutional rights. On the other end of the spectrum, supporters of a responsible disclosure policy suggest that allowing companies to rectify data security issues before public dissemination provides a better solution. In effect, responsible disclosure requires those who discover a data vulnerability to not only notify the affected organization, but also keep knowledge of the data security weakness confidential, regardless of its potential impact on consumers. Although the predominant industry approach, this Article argues that the responsible disclosure approach should not be legislatively or judicially adopted. Not only does a responsible disclosure policy violate the First Amendment as a prior restraint, but it also constitutes poor public policy, ultimately causing a chilling effect that would reduce business accountability. In an effort to avoid both limiting the development of enhanced data security safeguards and restricting the public’s ability to engage in self-help, Congress and the judiciary should allow basic market forces to pave the way for innovation in this continually evolving field

    Computing and estimating information leakage with a quantitative point-to-point information flow model

    Get PDF
    Information leakage occurs when a system exposes its secret information to an unauthorised entity. Information flow analysis is concerned with tracking flows of information through systems to determine whether they process information securely or leak information. We present a novel information flow model that permits an arbitrary amount of secret and publicly-observable information to occur at any point and in any order in a system. This is an improvement over previous models, which generally assume that systems process a single piece of secret information present before execution and produce a single piece of publicly-observable information upon termination. Our model precisely quantifies the information leakage from secret to publicly-observable values at user-defined points - hence, a "point-to-point" model - using the information-theoretic measures of mutual information and min-entropy leakage; it is ideal for analysing systems of low to moderate complexity. We also present a relaxed version of our information flow model that estimates, rather than computes, the measures of mutual information and min-entropy leakage via sampling of a system. We use statistical techniques to bound the accuracy of the estimates this model provides. We demonstrate how our relaxed model is more suitable for analysing complex systems by implementing it in a quantitative information flow analysis tool for Java programs

    Knowledge and Management Models for Sustainable Growth

    Full text link
    In the last years sustainability has become a topic of global concern and a key issue in the strategic agenda of both business organizations and public authorities and organisations. Significant changes in business landscape, the emergence of new technology, including social media, the pressure of new social concerns, have called into question established conceptualizations of competitiveness, wealth creation and growth. New and unaddressed set of issues regarding how private and public organisations manage and invest their resources to create sustainable value have brought to light. In particular the increasing focus on environmental and social themes has suggested new dimensions to be taken into account in the value creation dynamics, both at organisations and communities level. For companies the need of integrating corporate social and environmental responsibility issues into strategy and daily business operations, pose profound challenges, which, in turn, involve numerous processes and complex decisions influenced by many stakeholders. Facing these challenges calls for the creation, use and exploitation of new knowledge as well as the development of proper management models, approaches and tools aimed to contribute to the development and realization of environmentally and socially sustainable business strategies and practices
    corecore