1,044 research outputs found
Compiling and securing cryptographic protocols
Protocol narrations are widely used in security as semi-formal notations to
specify conversations between roles. We define a translation from a protocol
narration to the sequences of operations to be performed by each role. Unlike
previous works, we reduce this compilation process to well-known decision
problems in formal protocol analysis. This allows one to define a natural
notion of prudent translation and to reuse many known results from the
literature in order to cover more crypto-primitives. In particular this work is
the first one to show how to compile protocols parameterised by the properties
of the available operations.
Comment: A short version was submitted to IP
Preventing EFail Attacks with Client-Side WebAssembly: The Case of Swiss Post's IncaMail
Traditional email encryption schemes are vulnerable to EFail attacks, which
exploit the lack of message authentication by manipulating ciphertexts and
exfiltrating plaintext via HTML backchannels. Swiss Post's IncaMail, a secure
email service for transmitting legally binding, encrypted, and verifiable
emails, counters EFail attacks using an authenticated-encryption with
associated data (AEAD) encryption scheme to ensure message privacy and
authentication between servers. IncaMail relies on a trusted infrastructure
backend and encrypts messages per user policy. This paper presents a revised
IncaMail architecture that offloads the majority of cryptographic operations to
clients, offering benefits such as reduced computational load and energy
footprint, relaxed trust assumptions, and per-message encryption key policies.
Our proof-of-concept prototype and benchmarks demonstrate the robustness of the
proposed scheme, with client-side WebAssembly-based cryptographic operations
yielding significant performance improvements (up to ~14x) over conventional
JavaScript implementations.
Comment: This publication incorporates results from the VEDLIoT project, which
received funding from the European Union's Horizon 2020 research and
innovation programme under grant agreement No 95719
Grid Cryptographic Simulation: A Simulator to Evaluate the Scalability of the X.509 Standard in the Smart Grid
PKI may be pushed beyond known limits when scaled to some visions of the smart grid; our research developed a simulation, Grid Cryptographic Simulation (GCS), to evaluate these potential issues, identify cryptographic bottlenecks, and evaluate tradeoffs between performance and security. Ultimately, GCS can be used to identify scalability challenges and suggest improvements to make PKI more efficient, effective, and scalable before it is deployed in the envisioned smart grid.
SAVAH: Source address validation with Host Identity Protocol
Abstract. Explosive growth of the Internet and lack of mechanisms that validate the authenticity of a packet source produced serious security and accounting issues. In this paper, we propose validating source addresses in LAN using Host Identity Protocol (HIP) deployed in a first-hop router. Compared to alternative solutions such as CGA, our approach is suitable both for IPv4 and IPv6. We have implemented SAVAH in Wi-Fi access points and evaluated its overhead for clients and the first-hop router.
The Reality of Algorithm Agility: Studying the DNSSEC Algorithm Life-Cycle
The DNS Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System (DNS), the naming system of the Internet. With DNSSEC, signatures are added to the information provided in the DNS using public key cryptography. Advances in both cryptography and cryptanalysis make it necessary to deploy new algorithms in DNSSEC, as well as deprecate those with weakened security. If this process is easy, then the protocol has achieved what the IETF terms "algorithm agility". In this paper, we study the lifetime of algorithms for DNSSEC. This includes: (i) standardizing the algorithm, (ii) implementing support in DNS software, (iii) deploying new algorithms at domains and recursive resolvers, and (iv) replacing deprecated algorithms. Using data from more than 6.7 million signed domains and over 10,000 vantage points in the DNS, combined with qualitative studies, we show that DNSSEC has only partially achieved algorithm agility. Standardizing new algorithms and deprecating insecure ones can take years. We highlight the main barriers for getting new algorithms deployed, but also discuss success factors. This study provides key insights to take into account when new algorithms are introduced, for example when the Internet must transition to quantum-safe public key cryptography.
Token Based Authentication and Authorization with Zero-Knowledge Proofs for Enhancing Web API Security and Privacy
This design science study showcases an innovative artifact that utilizes Zero-Knowledge Proofs for API Authentication and Authorization. A comprehensive examination of existing literature and technology is conducted to evaluate the effectiveness of this alternative approach. The study reveals that existing APIs are using slower techniques that don't scale, can't take advantage of newer hardware, and have been unable to adequately address current security issues. In contrast, the novel technique presented in this study performs better, is more resilient in privacy sensitive and security settings, and is easy to implement and deploy. Additionally, this study identifies potential avenues for further research that could help advance the field of Web API development in terms of security, privacy, and simplicity.