Efficient Private Matching for Private Databases

Private matching (PM) is a key cryptographic primitive in secure computation that allows several parties to jointly compute some functions depending on their private inputs. Indeed, this primitive has many practical applications. For instance, in online advertising, two companies may wish to find their common customers for a joint marketing campaign. In this scenario, privacy is of utmost importance and it is imperative to ensure that neither company can learn more than their own data and the results of the match. In recent years, secure computation in general and PM in particular has attracted considerable attention from the research community, partly due to the rise of Big Data along with the ever-increasing privacy concerns. This thesis describes three secure private set intersection (PSI) protocols, one private set union (PSU) construction, and one pattern matching scheme. PM can be considered as a main building block in all these protocols. To securely compute the intersection of two sets of size $2^{20}$ our proposed protocols require only 3 seconds which is $4\times$ faster than the previous best protocol. In the multi-party setting, we provide the first implementation that takes only 72 seconds to compute PSI for 5 parties with data-sets of $2^{20}$ items each. For private set union (PSU), our protocol improves prior work by a factor up to $7,600 \times$ for large instances. In addition, our wild-card pattern matching (WPM) protocol shows over two orders of magnitude faster than the state-of-the-art scheme

MQTT+: Enhanced syntax and broker functionalities for data filtering, processing and aggregation

In the last few years, the Message Queueing Telemetry Transport (MQTT) publish/subscribe protocol emerged as the de facto standard communication protocol for IoT, M2M and wireless sensor networks applications. Such popularity is mainly due to the extreme simplicity of the protocol at the client side, appropriate for low-cost and resource-constrained edge devices. Other nice features include a very low protocol overhead, ideal for limited bandwidth scenarios, the support of different Quality of Services (QoS) and many others. However, when an edge device is interested in performing processing operations over the data published by multiple clients, the use of MQTT may result in high network bandwidth usage and high energy consumption for the end devices, which is unacceptable in resource constrained scenarios. To overcome these issues, we propose in this paper MQTT+, which provides an enhanced protocol syntax and enrich the pub/sub broker with data filtering, processing and aggregation functionalities. MQTT+ is implemented starting from an open source MQTT broker and evaluated in different application scenarios

Contributions to Securing Software Updates in IoT

The Internet of Things (IoT) is a large network of connected devices. In IoT, devices can communicate with each other or back-end systems to transfer data or perform assigned tasks. Communication protocols used in IoT depend on target applications but usually require low bandwidth. On the other hand, IoT devices are constrained, having limited resources, including memory, power, and computational resources. Considering these limitations in IoT environments, it is difficult to implement best security practices. Consequently, network attacks can threaten devices or the data they transfer. Thus it is crucial to react quickly to emerging vulnerabilities. These vulnerabilities should be mitigated by firmware updates or other necessary updates securely. Since IoT devices usually connect to the network wirelessly, such updates can be performed Over-The-Air (OTA). This dissertation presents contributions to enable secure OTA software updates in IoT. In order to perform secure updates, vulnerabilities must first be identified and assessed. In this dissertation, first, we present our contribution to designing a maturity model for vulnerability handling. Next, we analyze and compare common communication protocols and security practices regarding energy consumption. Finally, we describe our designed lightweight protocol for OTA updates targeting constrained IoT devices. IoT devices and back-end systems often use incompatible protocols that are unable to interoperate securely. This dissertation also includes our contribution to designing a secure protocol translator for IoT. This translation is performed inside a Trusted Execution Environment (TEE) with TLS interception. This dissertation also contains our contribution to key management and key distribution in IoT networks. In performing secure software updates, the IoT devices can be grouped since the updates target a large number of devices. Thus, prior to deploying updates, a group key needs to be established among group members. In this dissertation, we present our designed secure group key establishment scheme. Symmetric key cryptography can help to save IoT device resources at the cost of increased key management complexity. This trade-off can be improved by integrating IoT networks with cloud computing and Software Defined Networking (SDN).In this dissertation, we use SDN in cloud networks to provision symmetric keys efficiently and securely. These pieces together help software developers and maintainers identify vulnerabilities, provision secret keys, and perform lightweight secure OTA updates. Furthermore, they help devices and systems with incompatible protocols to be able to interoperate

IoT oriented SIEM tools

openNowadays, most devices can connect and communicate data. One example is IoT devices, technological devices that can communicate information gathered from the environment with a high degree of automation, communicating the data through networks. New IoT devices and increasingly reliable and fast wireless networks make it easy to collect large amounts of data with high accuracy. The introduction of these new technologies has created new vulnerabilities in complex systems, allowing an attacker to breach them more easily. Attackers use these devices, which generally lack important protections because they are composed of minimal hardware. Generally, the attackers' goal is to capture data, create malfunctions, steal sensitive and personal information and more. In order to protect and limit the actions of possible attackers, new software has been developed to neutralise or reduce vulnerabilities in a complex system. An example of software that belongs to this category is SIEM which is analysed in this thesis. They make it possible to analyse real-time data and logs to understand the system situation. They give the possibility of creating a history of the information collected by the system, indexing the data allowing efficient and fast analysis. In addition, they make it possible to visualise the collected data in a user-friendly way. The introduction of artificial intelligence has made these tools more precise, allowing the automatic creation of thresholds that generate alerts in critical situations if exceeded. These tools may also be able to autonomously analyse the environment, identify any vulnerability in the system, and respond to certain situations autonomously. In this thesis, SIEM and IoT are combined. The purpose is to evaluate the effectiveness of the tool in protecting a complex system that also consists of IoT devices. Greenhouse sensors are simulated communicating data using the MQTT protocol. DoS attacks are performed in the system and the network status is collected using SIEM. With the use of the SIEM, user-friendly visualisations are made available to the security teams to easily analyse and evaluate the status of the system. In conclusion, the combination of IoT devices and SIEM is effective and easy to implement, thanks in part to the use of the MQTT data protocol. This provides end-users with a tool that allows them to easily detect and resolve vulnerabilities that may be present within a complex system, relating to security, authentication and authorisation. They can also evaluate the information collected by the sensors. Thanks to the low cost of implementation, and ease and intuitiveness of deployment, this combination can also be easily used by end-users without high economic means and in any field, becoming a tool accessible to anyone.Nowadays, most devices can connect and communicate data. One example is IoT devices, technological devices that can communicate information gathered from the environment with a high degree of automation, communicating the data through networks. New IoT devices and increasingly reliable and fast wireless networks make it easy to collect large amounts of data with high accuracy. The introduction of these new technologies has created new vulnerabilities in complex systems, allowing an attacker to breach them more easily. Attackers use these devices, which generally lack important protections because they are composed of minimal hardware. Generally, the attackers' goal is to capture data, create malfunctions, steal sensitive and personal information and more. In order to protect and limit the actions of possible attackers, new software has been developed to neutralise or reduce vulnerabilities in a complex system. An example of software that belongs to this category is SIEM which is analysed in this thesis. They make it possible to analyse real-time data and logs to understand the system situation. They give the possibility of creating a history of the information collected by the system, indexing the data allowing efficient and fast analysis. In addition, they make it possible to visualise the collected data in a user-friendly way. The introduction of artificial intelligence has made these tools more precise, allowing the automatic creation of thresholds that generate alerts in critical situations if exceeded. These tools may also be able to autonomously analyse the environment, identify any vulnerability in the system, and respond to certain situations autonomously. In this thesis, SIEM and IoT are combined. The purpose is to evaluate the effectiveness of the tool in protecting a complex system that also consists of IoT devices. Greenhouse sensors are simulated communicating data using the MQTT protocol. DoS attacks are performed in the system and the network status is collected using SIEM. With the use of the SIEM, user-friendly visualisations are made available to the security teams to easily analyse and evaluate the status of the system. In conclusion, the combination of IoT devices and SIEM is effective and easy to implement, thanks in part to the use of the MQTT data protocol. This provides end-users with a tool that allows them to easily detect and resolve vulnerabilities that may be present within a complex system, relating to security, authentication and authorisation. They can also evaluate the information collected by the sensors. Thanks to the low cost of implementation, and ease and intuitiveness of deployment, this combination can also be easily used by end-users without high economic means and in any field, becoming a tool accessible to anyone

Privacy-Preserving Regular Expression Matching using Nondeterministic Finite Automata

Motivated by the privacy requirements in network intrusion detection and DNS policy checking, we have developed a suite of protocols and algorithms for regular expression matching with enhanced privacy: - A new regular expression matching algorithm that is oblivious to the input strings, of which the complexity is only $O(mn)$ where $m$ and $n$ are the length of strings and the regular expression respectively. It is achieved by exploiting the structure of the Thompson nondeterministic automata. - A zero-knowledge proof of regular expression pattern matching in which a prover generates a proof to demonstrate that a public regular expression matches her input string without revealing the string itself. -Two secure-regex protocols that ensure the privacy of both the string and regular expression. The first protocol is based on the oblivious stack and reduces the complexity of the state-of-the-art from $O(mn^2)$ to $O(mn\log n)$. The second protocol relies on the oblivious transfer and performs better empirically when the size of regular expressions is smaller than $2^{12}$. We also evaluated our protocols in the context of encrypted DNS policy checking and intrusion detection and achieved 4.5X improvements over the state-of-the-art. These results also indicate the practicality of our approach in real-world applications

Affine Determinant Programs: A Framework for Obfuscation and Witness Encryption

An affine determinant program ADP: {0,1}^n → {0,1} is specified by a tuple (A,B_1,...,B_n) of square matrices over F_q and a function Eval: F_q → {0,1}, and evaluated on x \in {0,1}^n by computing Eval(det(A + sum_{i \in [n]} x_i B_i)). In this work, we suggest ADPs as a new framework for building general-purpose obfuscation and witness encryption. We provide evidence to suggest that constructions following our ADP-based framework may one day yield secure, practically feasible obfuscation. As a proof-of-concept, we give a candidate ADP-based construction of indistinguishability obfuscation (iO) for all circuits along with a simple witness encryption candidate. We provide cryptanalysis demonstrating that our schemes resist several potential attacks, and leave further cryptanalysis to future work. Lastly, we explore practically feasible applications of our witness encryption candidate, such as public-key encryption with near-optimal key generation

Towards a secure and efficient search over encrypted cloud data

Includes bibliographical references.2016 Summer.Cloud computing enables new types of services where the computational and network resources are available online through the Internet. One of the most popular services of cloud computing is data outsourcing. For reasons of cost and convenience, public as well as private organizations can now outsource their large amounts of data to the cloud and enjoy the benefits of remote storage and management. At the same time, confidentiality of remotely stored data on untrusted cloud server is a big concern. In order to reduce these concerns, sensitive data, such as, personal health records, emails, income tax and financial reports, are usually outsourced in encrypted form using well-known cryptographic techniques. Although encrypted data storage protects remote data from unauthorized access, it complicates some basic, yet essential data utilization services such as plaintext keyword search. A simple solution of downloading the data, decrypting and searching locally is clearly inefficient since storing data in the cloud is meaningless unless it can be easily searched and utilized. Thus, cloud services should enable efficient search on encrypted data to provide the benefits of a first-class cloud computing environment. This dissertation is concerned with developing novel searchable encryption techniques that allow the cloud server to perform multi-keyword ranked search as well as substring search incorporating position information. We present results that we have accomplished in this area, including a comprehensive evaluation of existing solutions and searchable encryption schemes for ranked search and substring position search