Identity and Aggregate Signature-Based Authentication Protocol for IoD Deployment Military Drone
With the rapid miniaturization of sensor technology, ruddervators, Arduino boards, and multi-rotor systems, drone technology has fascinated researchers in the field of network security. It is of critical significance given the advancement of modern strategic narratives, and has special relevance to drone-related operations. This technology can be controlled remotely by an invisible yet credible operator sitting at a powerful intelligence computer system (PICS) or an airborne control and command platform (AC2P). The two types of drones (reconnaissance and attacking) can communicate with each other and with the PICS or AC2P through wireless network channels referred to as a Flying Ad Hoc Network or Unmanned Aerial Vehicular Network (FANET or UAVN). This mode of communication is not without inconvenience. For instance, when the line of sight is broken, communication is mainly carried out via satellite using GPS (Global Positioning System) signals. Both GPS and UAVN/FANET use open network channels for data broadcasting, which are exposed to several threats, making security risky and challenging. This risk is especially prominent in monitoring data transmission traffic, espionage, troop movement, border surveillance, search operations, and battlefield warfare. This security risk can be reduced conspicuously by developing a robust authentication scheme for IoD-deployed military drones. Therefore, this research presents the design of two separate protocols based on aggregate signatures, identity, pairing cryptography, and the Computational Diffie-Hellman Problem (CDHP) to guarantee data integrity, authorization, and confidentiality among drones and the AC2P/PICS. More importantly, the outdated data transmission flaw, an obvious concern in previously designed protocols, has also been tackled.
The security of the proposed designs is formally verified using the random oracle model (ROM) and the real-or-random (ROR) model, and informally using pragmatic illustration and mathematical lemmas. The performance analysis is carried out using algorithmic big-O notation. The results show that these protocols are provably secure in the ROM and ROR models under the CDHP.
Enhancing the security of electronic commerce transactions
This thesis looks at the security of electronic commerce transaction processing. It begins with an introduction to security terminology used in the thesis. Security requirements for card payments via the Internet are then described, as are possible protocols for electronic transaction processing. It appears that currently the Secure Socket Layer (SSL) protocol together with its standardised version Transport Layer Security (TLS) are the most widely used means to secure electronic transactions made over the Internet. Therefore, the analysis and discussions presented in the remainder of the thesis are based on the assumption that this protocol provides a 'baseline' level of security, against which any novel means of security should be measured.
The SSL and TLS protocols are analysed with respect to how well they satisfy the outlined security requirements. As SSL and TLS provide transport layer security, and some of the security requirements are at the application level, it is not surprising that they do not address all the identified security requirements.
As a result, in this thesis, we propose four protocols that can be used to build upon the security features provided by SSL/TLS. The main goal is to design schemes that enhance the security of electronic transaction processing whilst imposing minimal overheads on the involved parties. In each case, a description of the new scheme is given, together with its advantages and limitations. In the first protocol, we propose a way to use an EMV card to improve the security of online transactions. The second protocol involves the use of the GSM subscriber authentication service to provide user authentication over the Internet. Thirdly, we propose the use of the GSM data confidentiality service to protect sensitive information as well as to ensure user authentication.
Regardless of the protection scheme employed for the transactions, there exist threats to all PCs used to conduct electronic commerce transactions. These residual threats are examined, and motivate the design of the fourth protocol, proposed specifically to address cookie threats.
Self-Certified Public Key Cryptographic Methodologies for Resource-Constrained Wireless Sensor Networks
As sensor networks become one of the key technologies to realize ubiquitous computing, security remains a growing concern. Although a wealth of key-generation methods have been developed during the past few decades, they cannot be directly applied to sensor network environments. The resource-constrained characteristics of sensor nodes, the ad-hoc nature of their deployment, and the vulnerability of wireless media pose a need for unique solutions.
A fundamental requisite for achieving security is the ability to provide for data confidentiality and node authentication. However, the scarce resources of sensor networks have rendered the direct applicability of existing public key cryptography (PKC) methodologies impractical. Elliptic Curve Cryptography (ECC) has emerged as a suitable public key cryptographic foundation for constrained environments, providing strong security for relatively small key sizes.
This work focuses on the clear need for resilient security solutions in wireless sensor networks (WSNs) by introducing efficient PKC methodologies, explicitly designed to accommodate the distinctive attributes of resource-constrained sensor networks. Primary contributions pertain to the introduction of light-weight cryptographic arithmetic operations, and the revision of self-certification (consolidated authentication and key-generation). Moreover, a low-delay group key generation methodology is devised and a denial of service mitigation scheme is introduced. The light-weight cryptographic methods developed pertain to a system-level efficient utilization of the Montgomery procedure and efficient calculations of modular multiplicative inverses. With respect to the latter, computational complexity has been reduced from O(m) to O(log m), with little additional memory cost.
Complementing the theoretical contributions, practical computation off-loading protocols have been developed along with a group key establishment scheme. Implementation on state-of-the-art sensor node platforms has yielded a comprehensive key establishment process obtained in approximately 50 ns, while consuming less than 25 mJ. These exciting results help demonstrate the technology developed and ensure its impact on next-generation sensor networks.
Multi-agent system security for mobile communication
This thesis investigates security in multi-agent systems for mobile communication. Mobile as well as non-mobile agent technology is addressed.
A general security analysis based on properties of agents and multi-agent systems is presented along with an overview of security measures applicable to multi-agent systems, and in particular to mobile agent systems.
A security architecture, designed for deployment of agent technology in a mobile communication environment, is presented. The security architecture allows modelling of interactions at all levels within a mobile communication system. This architecture is used as the basis for describing security services and mechanisms for a multi-agent system. It is shown how security mechanisms can be used in an agent system, with emphasis on secure agent communication.
Mobile agents are vulnerable to attacks from the hosts on which they are executing. Two methods for dealing with threats posed by malicious hosts to a trading agent are presented. The first approach uses a threshold scheme and multiple mobile agents to minimise the effect of malicious hosts. The second introduces trusted nodes into the infrastructure.
Undetachable signatures have been proposed as a way to limit the damage a malicious host can do by misusing a signature key carried by a mobile agent. This thesis proposes an alternative scheme based on conventional signatures and public key certificates.
Threshold signatures can be used in a mobile agent scenario to spread the risk between several agents and thereby overcome the threats posed by individual malicious hosts. An alternative to threshold signatures, based on conventional signatures, achieving comparable security guarantees with potential practical advantages compared to a threshold scheme, is proposed in this thesis.
Undetachable signatures and threshold signatures are both concepts applicable to mobile agents. This thesis proposes a technique combining the two schemes to achieve undetachable threshold signatures.
This thesis defines the concept of certificate translation, which allows an agent to have one certificate translated into another format if so required, and thereby save storage space as well as being able to cope with a certificate format not foreseen at the time the agent was created.
On the Application of Identity-Based Cryptography in Grid Security
This thesis examines the application of identity-based cryptography (IBC) in designing security infrastructures for grid applications.
In this thesis, we propose a fully identity-based key infrastructure for grid (IKIG). Our proposal exploits some interesting properties of hierarchical identity-based cryptography (HIBC) to replicate security services provided by the grid security infrastructure (GSI) in the Globus Toolkit. The GSI is based on public key infrastructure (PKI) that supports standard X.509 certificates and proxy certificates. Since our proposal is certificate-free and has small key sizes, it offers a more lightweight approach to key management than the GSI. We also develop a one-pass delegation protocol that makes use of HIBC properties. This combination of lightweight key management and efficient delegation protocol has better scalability than the existing PKI-based approach to grid security.
Despite the advantages that IKIG offers, key escrow remains an issue which may not be desirable for certain grid applications. Therefore, we present an alternative identity-based approach called dynamic key infrastructure for grid (DKIG). Our DKIG proposal combines both identity-based techniques and the conventional PKI approach. In this hybrid setting, each user publishes a fixed parameter set through a standard X.509 certificate. Although X.509 certificates are involved in DKIG, it is still more lightweight than the GSI as it enables the derivation of both long-term and proxy credentials on-the-fly based only on a fixed certificate.
We also revisit the notion of secret public keys, which was originally used as a cryptographic technique for designing secure password-based authenticated key establishment protocols. We introduce new password-based protocols using identity-based secret public keys. Our identity-based techniques can be integrated naturally with the standard TLS handshake protocol. We then discuss how this TLS-like identity-based secret public key protocol can be applied to securing interactions between users and credential storage systems, such as MyProxy, within grid environments.
Cryptographic applications of bilinear maps
Bilinear maps have become an important new item in the cryptographer’s toolkit. They first came to prominence when they were used by Menezes, Okamoto and Vanstone to help solve the elliptic curve discrete logarithm problem on elliptic curves of small embedding degree.
In 1984, Shamir developed the first identity based signature scheme, and posed the construction of an identity based encryption scheme as an open problem [118]. Subsequently identity based identification and identity based key agreement schemes were proposed. However, identity based encryption remained an open problem. In 2000, Sakai, Ohgishi and Kasahara used bilinear maps to implement an efficient identity based non-interactive key agreement and identity based digital signature [111]. In 2001, some 17 years after it was suggested, Boneh and Franklin proposed the first efficient identity based encryption scheme, constructed using bilinear maps [31].
In this thesis we review some of the numerous cryptographic protocols that have been constructed using bilinear maps.
We first give a review of public key cryptography. We then review the mathematics behind the two known bilinear maps, the Weil and Tate pairings, including several improvements suggested in [67, 14]. We develop a Java library to implement pairing based cryptography. In Ch 4 we look at some of the cryptographically hard problems that arise from bilinear maps. In Ch 5 we review identity based signature schemes and present the fastest known scheme. In Ch 6 we review some encryption schemes, make some observations that help improve the performance of many identity based cryptosystems, and propose the fastest scheme for public key encryption with keyword search. In Ch 7 we review identity based key agreements and propose the fastest scheme secure in a modified Bellare-Rogaway model [19]. In Ch 8 we review identity based signcryption schemes and present the fastest known scheme.
Side-Channel Analysis and Cryptography Engineering: Getting OpenSSL Closer to Constant-Time
As side-channel attacks reached general purpose PCs and became more practical for attackers to exploit, OpenSSL adopted in 2005 a flagging mechanism to protect against SCA. The opt-in mechanism allows developers to mark secret values, such as keys, with the BN_FLG_CONSTTIME flag. Whenever the flag is checked and found set, the library changes its execution flow to SCA-secure functions that are slower but safer, protecting these secret values from being leaked. This mechanism favors performance over security, is error-prone, and is obscure to most library developers, increasing the potential for side-channel vulnerabilities. This dissertation presents an extensive side-channel analysis of OpenSSL and criticizes its fragile flagging mechanism. The analysis reveals several flaws affecting the library, resulting in multiple side-channel attacks, improved cache-timing attack techniques, and a new side-channel vector. The first part of this dissertation introduces the main topic and the necessary related work, including the microarchitecture, the cache hierarchy, and attack techniques; it then presents a brief troubled history of side-channel attacks and defenses in OpenSSL, setting the stage for the related publications. This dissertation includes seven original publications contributing to the areas of side-channel analysis, microarchitecture timing attacks, and applied cryptography. From an SCA perspective, the results identify several vulnerabilities and flaws enabling protocol-level attacks on RSA, DSA, and ECDSA, in addition to full SCA of the SM2 cryptosystem. With respect to microarchitecture timing attacks, the dissertation presents a new side-channel vector due to port contention in the CPU execution units.
Finally, on the applied cryptography front, OpenSSL now enjoys a revamped code base securing several cryptosystems against SCA, favoring secure-by-default protection against side-channel attacks instead of the insecure opt-in flagging mechanism provided by the fragile BN_FLG_CONSTTIME flag.