Application of NTRU Cryptographic Algorithm for securing SCADA communication

Supervisory Control and Data Acquisition (SCADA) system is a control system which is widely used in Critical Infrastructure System to monitor and control industrial processes autonomously. Most of the SCADA communication protocols are vulnerable to various types of cyber-related attacks. The currently used security standards for SCADA communication specify the use of asymmetric cryptographic algorithms like RSA or ECC for securing SCADA communications. There are certain performance issues with cryptographic solutions of these specifications when applied to SCADA system with real-time constraints and hardware limitations. To overcome this issue, in this thesis we propose the use of a faster and light-weighted NTRU cryptographic algorithm for authentication and data integrity in securing SCADA communication. Experimental research conducted on ARMv6 based Raspberry Pi and Intel Core machine shows that cryptographic operations of NTRU is two to thirty five times faster than the corresponding RSA or ECC. Usage of NTRU algorithm reduces computation and memory overhead significantly making it suitable for SCADA systems with real-time constraints and hardware limitations

Ring Learning With Errors: A crossroads between postquantum cryptography, machine learning and number theory

The present survey reports on the state of the art of the different cryptographic functionalities built upon the ring learning with errors problem and its interplay with several classical problems in algebraic number theory. The survey is based to a certain extent on an invited course given by the author at the Basque Center for Applied Mathematics in September 2018.Comment: arXiv admin note: text overlap with arXiv:1508.01375 by other authors/ comment of the author: quotation has been added to Theorem 5.

The Future Between Quantum Computing and Cybersecurity

Quantum computing, a novel branch of technology based on quantum theory, processes information in ways beyond the capabilities of classical computers. Traditional computers use binary digits [bits], but quantum computers use quantum binary digits [qubits] that can exist in multiple states simultaneously. Since developing the first two-qubit quantum computer in 1998, the quantum computing field has experienced rapid growth. Cryptographic algorithms such as RSA and ECC, essential for internet security, rely on the difficulty of complex math problems that classical computers can’t solve. However, the advancement of quantum technology threatens these encryption systems. Algorithms, such as Shor’s, leverage the power of quantum machines to factor large numbers, a task challenging for classical computers. Acknowledging this threat, it is important to develop and implement quantum-resistant cryptography to safeguard communication, financial systems, and national security. This study covers the past, present, and future of quantum computing and cybersecurity and their increasingly connected roles. It provides a detailed history of both fields, explores the challenges posed by quantum computing to traditional cryptographic methods, and discusses the development of new, robust cryptographic solutions to ensure security in a future where quantum computing is prevalent

Retrofitting Post-Quantum Cryptography in Internet Protocols:A Case Study of DNSSEC

Quantum computing is threatening current cryptography, especially the asymmetric algorithms used in many Internet protocols. More secure algorithms, colloquially referred to as Post-Quantum Cryptography (PQC), are under active development. These new algorithms differ significantly from current ones. They can have larger signatures or keys, and often require more computational power. This means we cannot just replace existing algorithms by PQC alternatives, but need to evaluate if they meet the requirements of the Internet protocols that rely on them. In this paper we provide a case study, analyzing the impact of PQC on the Domain Name System (DNS) and its Security Extensions (DNSSEC). In its main role, DNS translates human-readable domain names to IP addresses and DNSSEC guarantees message integrity and authenticity. DNSSEC is particularly challenging to transition to PQC, since DNSSEC and its underlying transport protocols require small signatures and keys and efficient validation. We evaluate current candidate PQC signature algorithms in the third round of the NIST competition on their suitability for use in DNSSEC. We show that three algorithms, partially, meet DNSSEC’s requirements but also show where and how we would still need to adapt DNSSEC. Thus, our research lays the foundation for making DNSSEC, and protocols with similar constraints ready for PQC

Protection of an intrusion detection engine with watermarking in ad hoc networks

Mobile ad hoc networks have received great attention in recent years, mainly due to the evolution of wireless networking and mobile computing hardware. Nevertheless, many inherent vulnerabilities exist in mobile ad hoc networks and their applications that affect the security of wireless transactions. As intrusion prevention mechanisms, such as encryption and authentication, are not sufficient we need a second line of defense, Intrusion Detection. In this pa-per we present an intrusion detection engine based on neural networks and a protection method based on watermarking techniques. In particular, we exploit information visualization and machine learning techniques in order to achieve intrusion detection and we authenticate the maps produced by the application of the intelligent techniques using a novel combined watermarking embedding method. The performance of the proposed model is evaluated under different traffic conditions, mobility patterns and visualization metrics

Contributions to Securing Software Updates in IoT

The Internet of Things (IoT) is a large network of connected devices. In IoT, devices can communicate with each other or back-end systems to transfer data or perform assigned tasks. Communication protocols used in IoT depend on target applications but usually require low bandwidth. On the other hand, IoT devices are constrained, having limited resources, including memory, power, and computational resources. Considering these limitations in IoT environments, it is difficult to implement best security practices. Consequently, network attacks can threaten devices or the data they transfer. Thus it is crucial to react quickly to emerging vulnerabilities. These vulnerabilities should be mitigated by firmware updates or other necessary updates securely. Since IoT devices usually connect to the network wirelessly, such updates can be performed Over-The-Air (OTA). This dissertation presents contributions to enable secure OTA software updates in IoT. In order to perform secure updates, vulnerabilities must first be identified and assessed. In this dissertation, first, we present our contribution to designing a maturity model for vulnerability handling. Next, we analyze and compare common communication protocols and security practices regarding energy consumption. Finally, we describe our designed lightweight protocol for OTA updates targeting constrained IoT devices. IoT devices and back-end systems often use incompatible protocols that are unable to interoperate securely. This dissertation also includes our contribution to designing a secure protocol translator for IoT. This translation is performed inside a Trusted Execution Environment (TEE) with TLS interception. This dissertation also contains our contribution to key management and key distribution in IoT networks. In performing secure software updates, the IoT devices can be grouped since the updates target a large number of devices. Thus, prior to deploying updates, a group key needs to be established among group members. In this dissertation, we present our designed secure group key establishment scheme. Symmetric key cryptography can help to save IoT device resources at the cost of increased key management complexity. This trade-off can be improved by integrating IoT networks with cloud computing and Software Defined Networking (SDN).In this dissertation, we use SDN in cloud networks to provision symmetric keys efficiently and securely. These pieces together help software developers and maintainers identify vulnerabilities, provision secret keys, and perform lightweight secure OTA updates. Furthermore, they help devices and systems with incompatible protocols to be able to interoperate

A measurement study of peer-to-peer bootstrapping and implementations of delay-based cryptography

This thesis researches two distinct areas of study in both peer-to-peer networking formodern cryptocurrencies and implementations of delay-based cryptography.The first part of the thesis researches elements of peer-to-peer network mechanisms,with a specific focus on the dependencies on centralised infrastructure required for theinitial participation in such networks.Cryptocurrencies rely on decentralised peer-to-peer networks, yet the method bywhich new peers initially join these networks, known as bootstrapping, presents a significantchallenge. Our original research consists of a measurement study of 74 cryptocurrencies.Our study reveals a prevalent reliance on centralised infrastructure which leadsto censorship-prone bootstrapping techniques leaving networks vulnerable to censorshipand manipulation.In response, we explore alternative bootstrapping methods seeking solutions lesssusceptible to censorship. However, our research demonstrates operational challengesand limitations which hinder their effectiveness, highlighting the complexity of achievingcensorship-resistance in practice.Furthermore, our global measurement study uncovers the details of cryptocurrencypeer-to-peer networks, revealing instances outages and intentional protocol manipulationimpacting bootstrapping operations. Through a volunteer network of probes deployedacross 42 countries, we analyse network topology, exposing centralisation tendencies andunintentional peer exposure.Our research also highlights the pervasive inheritance of legacy bootstrapping methods,perpetuating security vulnerabilities and censorship risks within cryptocurrencysystems. These findings illuminate broader concerns surrounding decentralisation andcensorship-resistance in distributed systems.In conclusion, our study offers valuable insights into cryptocurrency bootstrappingtechniques and their susceptibility to censorship, paving the way for future research andinterventions to enhance the resilience and autonomy of peer-to-peer networks.In the second part of the thesis, attention shifts towards delay-based cryptography,where the focus lies on the creation and practical implementations of timed-release encryptionschemes. Drawing from the historical delay-based cryptographic protocols, thisthesis presents two original research contributions.The first is the creation of a new timed-release encryption scheme with a propertytermed implicit authentication. The second contribution is the development of a practicalconstruction called TIDE (TIme Delayed Encryption) tailored for use in sealed-bidauctions.Timed-Release Encryption with Implicit Authentication (TRE-IA) is a cryptographicprimitive which presents a new property named implicit authentication (IA). This propertyensures that only authorised parties, such as whistleblowers, can generate meaningfulciphertexts. By incorporating IA techniques into the encryption process, TRE-IAaugments a new feature in standard timed-release encryption schemes by ensuring thatonly the party with the encryption key can create meaningful ciphertexts. This propertyensures the authenticity of the party behind the sensitive data disclosure. Specifically, IAenables the encryption process to authenticate the identity of the whistleblower throughthe ciphertext. This property prevents malicious parties from generating ciphertextsthat do not originate from legitimate sources. This ensures the integrity and authenticityof the encrypted data, safeguarding against potential leaks of information not vettedby the party performing the encryption.TIDE introduces a new method for timed-release encryption in the context of sealedbidauctions by creatively using classic number-theoretic techniques. By integratingRSA-OEAP public-key encryption and the Rivest Shamir Wagner time-lock assumptionwith classic number theory principles, TIDE offers a solution that is both conceptuallystraightforward and efficient to implement.Our contributions in TIDE address the complexities and performance challengesinherent in current instantiations of timed-release encryption schemes. Our researchoutput creates a practical timed-release encryption implementation on consumer-gradehardware which can facilitate real-world applications such as sealed-bid auctions withclear steps for implementation.Finally, our thesis concludes with a review of the prospects of delay-based cryptographywhere we consider potential applications such as leveraging TIDE for a publicrandomness beacon.<br/