9,318 research outputs found
Security Through Amnesia: A Software-Based Solution to the Cold Boot Attack on Disk Encryption
Disk encryption has become an important security measure for a multitude of
clients, including governments, corporations, activists, security-conscious
professionals, and privacy-conscious individuals. Unfortunately, recent
research has discovered an effective side channel attack against any disk
mounted by a running machine\cite{princetonattack}. This attack, known as the
cold boot attack, is effective against any mounted volume using
state-of-the-art disk encryption, is relatively simple to perform for an
attacker with even rudimentary technical knowledge and training, and is
applicable to exactly the scenario against which disk encryption is primarily
supposed to defend: an adversary with physical access. To our knowledge, no
effective software-based countermeasure to this attack supporting multiple
encryption keys has yet been articulated in the literature. Moreover, since no
proposed solution has been implemented in publicly available software, all
general-purpose machines using disk encryption remain vulnerable. We present
Loop-Amnesia, a kernel-based disk encryption mechanism implementing a novel
technique to eliminate vulnerability to the cold boot attack. We offer
theoretical justification of Loop-Amnesia's invulnerability to the attack,
verify that our implementation is not vulnerable in practice, and present
measurements showing our impact on I/O accesses to the encrypted disk is
limited to a slowdown of approximately 2x. Loop-Amnesia is written for x86-64,
but our technique is applicable to other register-based architectures. We base
our work on loop-AES, a state-of-the-art open source disk encryption package
for Linux.Comment: 13 pages, 4 figure
Maintaining consumer confidence in electronic payment mechanisms
Credit card fraud is already a significant factor inhibiting consumer confidence in e-commerce. As more advanced payment systems become common, what legal and technological mechanisms are required to ensure that fraud does not do long-term damage to consumers' willingness to use electronic payment mechanisms
Mobile Application Security Platforms Survey
Nowadays Smartphone and other mobile devices have become incredibly important in every aspect of our life. Because they have practically offered same capabilities as desktop workstations as well as come to be powerful in terms of CPU (Central processing Unit), Storage and installing numerous applications. Therefore, Security is considered as an important factor in wireless communication technologies, particularly in a wireless ad-hoc network and mobile operating systems. Moreover, based on increasing the range of mobile application within variety of platforms, security is regarded as on the most valuable and considerable debate in terms of issues, trustees, reliabilities and accuracy. This paper aims to introduce a consolidated report of thriving security on mobile application platforms and providing knowledge of vital threats to the users and enterprises. Furthermore, in this paper, various techniques as well as methods for security measurements, analysis and prioritization within the peak of mobile platforms will be presented. Additionally, increases understanding and awareness of security on mobile application platforms to avoid detection, forensics and countermeasures used by the operating systems. Finally, this study also discusses security extensions for popular mobile platforms and analysis for a survey within a recent research in the area of mobile platform security
A Touch of Evil: High-Assurance Cryptographic Hardware from Untrusted Components
The semiconductor industry is fully globalized and integrated circuits (ICs)
are commonly defined, designed and fabricated in different premises across the
world. This reduces production costs, but also exposes ICs to supply chain
attacks, where insiders introduce malicious circuitry into the final products.
Additionally, despite extensive post-fabrication testing, it is not uncommon
for ICs with subtle fabrication errors to make it into production systems.
While many systems may be able to tolerate a few byzantine components, this is
not the case for cryptographic hardware, storing and computing on confidential
data. For this reason, many error and backdoor detection techniques have been
proposed over the years. So far all attempts have been either quickly
circumvented, or come with unrealistically high manufacturing costs and
complexity.
This paper proposes Myst, a practical high-assurance architecture, that uses
commercial off-the-shelf (COTS) hardware, and provides strong security
guarantees, even in the presence of multiple malicious or faulty components.
The key idea is to combine protective-redundancy with modern threshold
cryptographic techniques to build a system tolerant to hardware trojans and
errors. To evaluate our design, we build a Hardware Security Module that
provides the highest level of assurance possible with COTS components.
Specifically, we employ more than a hundred COTS secure crypto-coprocessors,
verified to FIPS140-2 Level 4 tamper-resistance standards, and use them to
realize high-confidentiality random number generation, key derivation, public
key decryption and signing. Our experiments show a reasonable computational
overhead (less than 1% for both Decryption and Signing) and an exponential
increase in backdoor-tolerance as more ICs are added
- …