A cryptographic airbag for metadata: protecting business records against unlimited search and seizure
Governments around the world require that electronic service providers, including telecoms, ISPs, and even online services like Twitter and Facebook, provide law enforcement agencies (LEAs) with broad access to so-called “business records”, including communications metadata. Metadata is data about data; it does not include the contents of the users’ communications, but it does typically show who each user communicated with, at what times, and for how long. Metadata is surprisingly powerful, especially at a time when more and more messages are being encrypted end-to-end.

In this paper, we present a new approach for protecting communications metadata and other business records against unwarranted, bulk seizure. Our approach is designed from the start to be robust against this new class of political and legal attack. To achieve this, we borrow the recent notion of cryptographic crumple zones [31], i.e. encryption that can be broken, but only at a substantial monetary cost. We propose that a service provider who wishes to protect their users’ privacy should encrypt each business record with its own unique, crumpled, symmetric key. Then a law enforcement agency that compels disclosure of the records learns only ciphertext until it expends the necessary resources to recover the keys for the records of interest. We show how this approach can be easily applied to protect metadata in the form of network flow records. We describe how a service provider might select the work factor of the crumpling algorithm to allow legitimate investigations while preventing the use of metadata for mass surveillance.
Proof-of-PUF enabled blockchain: concurrent data and device security for internet-of-energy
A detailed review of the technological aspects of Blockchain and Physical Unclonable Functions (PUFs) is presented in this article. It stipulates an emerging concept of Blockchain that integrates hardware security primitives via PUFs to solve the bandwidth, integration, scalability, latency, and energy requirements of Internet-of-Energy (IoE) systems. This hybrid approach, hereinafter termed PUFChain, provides device and data provenance, which records data origins, the history of data generation and processing, and clone-proof device identification and authentication, thus making it possible to track the sources and causes of any cyber attack. In addition, we review the key areas of design, development, and implementation, which give insight into seamless integration with legacy IoE systems, reliability, cyber resilience, and future research challenges.
Protecting cryptography against compelled self-incrimination
The information security community has devoted substantial effort to the design, development, and universal deployment of strong encryption schemes that withstand search and seizure by computationally powerful nation-state adversaries. In response, governments are increasingly turning to a different tactic: issuing subpoenas that compel people to decrypt devices themselves, under penalty of contempt of court if they do not comply. Compelled decryption subpoenas sidestep the questions around government search powers that have dominated the Crypto Wars and instead touch upon a different (and still unsettled) area of the law: how encryption relates to a person's right to silence and against self-incrimination.

In this work, we provide a rigorous, composable definition of a critical piece of the law that determines whether cryptosystems are vulnerable to government-compelled disclosure in the United States. We justify our definition by showing that it is consistent with prior court cases. We prove that decryption is often not compellable by the government under our definition. Conversely, we show that many techniques that bolster security overall can leave one more vulnerable to compelled disclosure.

As a result, we initiate the study of protecting cryptographic protocols against the threat of future compelled disclosure. We find that secure multi-party computation is particularly vulnerable to this threat, and we design and implement new schemes that are provably resilient in the face of government-compelled disclosure. We believe this work should influence the design of future cryptographic primitives and contribute toward the legal debates over the constitutionality of compelled decryption.
HUC-HISF: A Hybrid Intelligent Security Framework for Human-centric Ubiquitous Computing
Degree system: new; Report number: Otsu 2336; Degree type: Doctor (Human Sciences); Date conferred: 2012/1/18; Waseda degree number: Shin 584
Towards Secure Identity-Based Cryptosystems for Cloud Computing
The convenience provided by cloud computing has led to an increasing trend of many business organizations, government agencies and individual customers to migrate their services and data into cloud environments. However, once clients’ data is migrated to the cloud, the overall security control will be immediately shifted from data owners to the hands of service providers. When data owners decide to use the cloud environment, they rely entirely on third parties to make decisions about their data and, therefore, the main challenge is how to guarantee that the data is accessible by data owners and authorized users only.
Remote user authentication to cloud services is traditionally achieved using a combination of ID cards and passwords/PINs, while public key infrastructure and symmetric key encryption are still the most common techniques for enforcing data security, despite the missing link between the identity of data owners and the cryptographic keys. Furthermore, key management, in terms of key generation, distribution, and storage, remains an open challenge for traditional public-key systems.
Identity-Based Cryptosystems (IBCs) are a new generation of public key encryption that can potentially solve the problems associated with key distribution in public key infrastructure, in addition to providing a clear link between encryption keys and the identities of data owners. In IBCs, the need for pre-distributed keys before any encryption/decryption is eliminated, which gives a great deal of the flexibility required in an environment such as the cloud. Fuzzy identity-based cryptosystems are promising extensions of IBCs that rely on biometric modalities to generate the encryption and decryption keys instead of traditional identities such as email addresses.
This thesis argues that the adoption of fuzzy identity-based cryptosystems seems an ideal option to secure cloud computing after addressing a number of vulnerabilities related to user verification, key generation, and key validation stages. The thesis is mainly concerned with enhancing the security and the privacy of fuzzy identity-based cryptosystems by proposing a framework with multiple security layers. The main contributions of the thesis can be summarised as follows.
1. Improving user verification by using Challenge-Response Multifactor Biometric Authentication (CR-MFBA) in fuzzy identity-based cryptosystems, which reduces the impact of impersonation attacks.
2. Reducing the dominance of the “trusted authority” in traditional fuzzy identity-based cryptosystems by making the process of generating the decryption keys a cooperative process between the trusted authority server and data owners. This leads to shifting control over the stored encrypted data from the trusted authority to the data owners.
3. Proposing a key-validity method that relies on Shamir's Secret Sharing, which also contributes to giving data owners more control over their data.
4. Further improving the control of data owners in fuzzy identity-based cryptosystems by linking the decryption key parameters with their biometric modalities.
5. Proposing a new asymmetric key exchange protocol, built on the fuzzy identity-based cryptosystem scheme, for sharing encrypted data stored in cloud computing.