30 research outputs found

    Vers une méthodologie normalisée d'évaluation des solutions RFID en application de sécurité (Towards a standardized methodology for evaluating RFID solutions in security applications)

    ABSTRACT Radio-frequency identification (RFID) technology is increasingly used in security applications such as access control and payment. However, it poses risks concerning privacy and identity theft. The aim of this research is to highlight these risks and to draft a standardized methodology for evaluating them. First, we reproduced the recent results of other research teams on the HID iClass access control solution. To do so, we implemented the RFID standard ISO/IEC 15693 on the Proxmark3 card. We confirmed that the memory of some iClass readers can be retrieved and that it contains keys that allow cloning of all iClass cards at the Standard Security level. We also implemented on the Proxmark3 the cryptographic algorithms of this security level, which were revealed in a previous article. We can therefore perfectly simulate an iClass reader or an iClass tag at the Standard Security level, or eavesdrop on an iClass RFID communication. Second, we studied the physical limitations of RFID communications. We built the transmission part of a system that increases the communication range between the Proxmark3 card and a tag. Our experiment shows that the system can power an RFID tag at a distance of at least 81 cm and that, at this distance, the tag can understand the messages sent by the Proxmark3 and answer them. We also tested some electromagnetic-shielding protections intended to block RFID communications. Our experiment shows that they are effective when the RFID card is completely inserted in the protection, but that communication can be established if the card protrudes by only 12 mm. Finally, we wrote a four-step methodology for evaluating the risks of a completely unknown RFID solution. This methodology can also serve as a partial requirements specification for designing a new RFID solution.

    Automotive firmware extraction and analysis techniques

    An intricate network of embedded devices, called Electronic Control Units (ECUs), is responsible for the functionality of a modern vehicle. Every module processes a myriad of information and forwards it on to other nodes on the network, typically an automotive bus such as the Controller Area Network (CAN). Analysing embedded device software, and automotive in particular, brings many challenges. The analyst must, especially in the notoriously secretive automotive industry, first lift the ECU firmware from the hardware, which typically prevents unauthorised access. In this thesis, we address this problem in two ways:
    - We detail and bypass the access control mechanism used in diagnostic protocols in ECU firmware. Using existing diagnostic functionality, we present a generic technique to download code to RAM and execute it, without requiring physical access to the ECU. We propose a generic firmware readout framework on top of this, which only requires access to the CAN bus.
    - We analyse various embedded bootloaders and combine dynamic analysis with low-level hardware fault attacks, resulting in several fault-injection attacks which bypass on-chip readout protection.
    We then apply these firmware extraction techniques to acquire immobiliser firmware by two different manufacturers, from which we reverse engineer the DST80 cipher and present it in full detail here. Furthermore, we point out flaws in the key generation procedure, also recovered from the ECU firmware, leading to a full key recovery based on publicly readable transponder pages

    From collaborative virtual research environment SOA to teaching and learning environment SOA

    This paper explores the extension of the CORE VRE SOA to a collaborative virtual teaching and learning environment (CVTLE) SOA. Key points are brought up to date from a number of projects researching and developing a CVTLE and its component services. Issues remain: there are few implementations of the key services needed to demonstrate the CVTLE concept; there are questions about the feasibility of such an enterprise; there are overlapping standards; questions about the source and use of user profile data remain difficult to answer; as does the issue of where and how to coordinate, control, and monitor such a teaching and learning syste

    A note on organizational learning and knowledge sharing in the context of communities of practice

    Please, cite this publication as: Antonova, A. & Gourova, E. (2006). A note on organizational learning and knowledge sharing in the context of communities of practice. Proceedings of International Workshop in Learning Networks for Lifelong Competence Development, TENCompetence Conference. September 12th, Sofia, Bulgaria: TENCompetence. Retrieved June 30th, 2006, from http://dspace.learningnetworks.org
    The knowledge management (KM) literature emphasizes the impact of human factors for successful implementation of KM within the organization. Isolated initiatives for promoting learning organization and team collaboration, without taking consideration of the knowledge sharing limitations and constraints can defeat further development of KM culture. As an effective instrument for knowledge sharing, communities of practice (CoP) are appearing to overcome these constraints and to foster human collaboration.
    This work has been sponsored by the EU project TENCompetenc

    Citrate carrier links chromatin, metabolism and stemness upon ageing and exposure to high oxygen

    Ageing is accompanied by a general decline in the function of many cellular pathways. Although the contribution of each individual pathway in ageing has been extensively studied over the last years, how these pathways crosstalk to regulate the development and progression of ageing remained elusive. Here, I sought to determine whether age-associated changes in mitochondrial function, epigenetic modifications and stem cell activity are causally or functionally interconnected. Therefore, I studied the effects of mitochondrial–nuclear communication on stem cell function upon ageing. I found that aged mesenchymal stem cells isolated from the bone marrow (BM-MSCs) exhibit reduced chromatin accessibility and lower histone acetylation, particularly on promoters and enhancers of osteogenic genes. The reduced histone acetylation is due to impaired export of mitochondrial acetyl-CoA, owing to the lower levels of citrate carrier (CiC). I demonstrated that aged cells show enhanced lysosomal degradation of CiC, which is mediated via mitochondrial-derived vesicles. Strikingly, restoring cytosolic acetyl-CoA levels either by exogenous CiC expression or via acetate supplementation, remodels the chromatin landscape and rescues the osteogenesis defects of aged BM-MSCs. Collectively, my results establish a tight, age-dependent connection between mitochondrial quality control, chromatin and stem cell fate, which are altogether linked by CiC. The bone marrow stroma is characterized by low oxygen concentration (hypoxia), which is essential for the maintenance of BM-MSC stemness. However, in vitro BM-MSC culture during stem cell therapies is performed under high oxygen conditions (normoxia), which could dramatically impact BM-MSC activity. Here, I explored how the metabolism-chromatin-stemness axis is affected by oxygen tension. 
I found that high oxygen impairs osteogenesis irreversibly, due to higher chromatin compaction and lower histone acetylation on promoters and enhancers of osteogenic genes. Although normoxia induces a metabolic switch which results in production of higher acetyl-CoA levels, I showed that this remains trapped inside the mitochondria, potentially due to lower CiC activity. Impressively, modulating CiC function impacts both the metabolic and the epigenetic profile of BM-MSCs, whereas exogenous supplementation with acetate restores the osteogenic differentiation capacity of normoxia-cultured cells

    Legal regulations of the capital market in Nigeria: analysis and prospects for reform

    This thesis focuses on the legal regulations governing the Nigerian capital market. Nigeria is described as one of the biggest economies in Africa, endowed with natural and other resources that could be exploited to boost the economy of the country. There is, however, a need for infrastructural development and job creation that can stimulate economic growth. The execution of these projects requires the free flow of capital. The capital market serves various purposes to a country; principal amongst these is that it facilitates the free flow of short and long term equity and debt capital to corporations and governments that use it to carry out capital-intensive projects that subsequently enhance the economy. In view of this, it is imperative that a capital market is efficient in its structure and operations so as to attract investors. This is tied to the realisation that capital markets thrive on investor confidence. This thesis, drawing on rules and practices in the United Kingdom, focuses on key problems affecting the Nigerian capital market, including information asymmetry, insider trading and inertia in the enforcement of regulations relating to the capital market. The issues highlighted, though not exhaustive, represent foundational and fundamental challenges with the current system in Nigeria. Using a mix of doctrinal and comparative analysis, the thesis argues that the subsisting regulation of the capital market in Nigeria lacks, in many respects, the requisite legislative and enforcement tools to deal with the problems highlighted. As such, redressing these problems along the lines of the recommendations contained in this thesis would prove to be a crucial step in achieving sustainable financing for corporations in Nigeria as well as a viable Nigerian economy

    Exposing iClass key diversification

    Contains fulltext: 91798.pdf (author's version) (Open Access). WOOT'11 Proceedings of the 5th USENIX conference on Offensive technologie

    Lawrence University Course Catalog, 2005-2006


    Evolutionary genomics : statistical and computational methods

    This open access book addresses the challenge of analyzing and understanding the evolutionary dynamics of complex biological systems at the genomic level, and elaborates on some promising strategies that would bring us closer to uncovering of the vital relationships between genotype and phenotype. After a few educational primers, the book continues with sections on sequence homology and alignment, phylogenetic methods to study genome evolution, methodologies for evaluating selective pressures on genomic sequences as well as genomic evolution in light of protein domain architecture and transposable elements, population genomics and other omics, and discussions of current bottlenecks in handling and analyzing genomic data. Written for the highly successful Methods in Molecular Biology series, chapters include the kind of detail and expert implementation advice that lead to the best results. Authoritative and comprehensive, Evolutionary Genomics: Statistical and Computational Methods, Second Edition aims to serve both novices in biology with strong statistics and computational skills, and molecular biologists with a good grasp of standard mathematical concepts, in moving this important field of study forward