1,400 research outputs found

    Formally based semi-automatic implementation of an open security protocol

    This paper presents an experiment in which an implementation of the client side of the SSH Transport Layer Protocol (SSH-TLP) was semi-automatically derived according to a model-driven development paradigm that leverages formal methods in order to obtain high correctness assurance. The approach used in the experiment starts with the formalization of the protocol at an abstract level. This model is then formally proved to fulfill the desired secrecy and authentication properties by using the ProVerif prover. Finally, a sound Java implementation is semi-automatically derived from the verified model using an enhanced version of the Spi2Java framework. The resulting implementation correctly interoperates with third party servers, and its execution time is comparable with that of other manually developed Java SSH-TLP client implementations. This case study demonstrates that the adopted model-driven approach is viable even for a real security protocol, despite the complexity of the models needed in order to achieve an interoperable implementation.

    Temporal verification in secure group communication system design

    The paper discusses an experience in using a real-time UML/SysML profile and a formal verification toolkit to check a secure group communication system against temporal requirements. A generic framework is proposed and specialized for hierarchical groups.

    Proceedings of International Workshop "Global Computing: Programming Environments, Languages, Security and Analysis of Systems"

    According to the IST/FET proactive initiative on GLOBAL COMPUTING, the goal is to obtain techniques (models, frameworks, methods, algorithms) for constructing systems that are flexible, dependable, secure, robust and efficient. The dominant concerns are not those of representing and manipulating data efficiently but rather those of handling the co-ordination and interaction, security, reliability, robustness, failure modes, and control of risk of the entities in the system and the overall design, description and performance of the system itself. Completely different paradigms of computer science may have to be developed to tackle these issues effectively. The research should concentrate on systems having the following characteristics:

    • The systems are composed of autonomous computational entities where activity is not centrally controlled, either because global control is impossible or impractical, or because the entities are created or controlled by different owners.
    • The computational entities are mobile, due to the movement of the physical platforms or by movement of the entity from one platform to another.
    • The configuration varies over time. For instance, the system is open to the introduction of new computational entities and likewise their deletion. The behaviour of the entities may vary over time.
    • The systems operate with incomplete information about the environment. For instance, information becomes rapidly out of date and mobility requires information about the environment to be discovered.

    The ultimate goal of the research action is to provide a solid scientific foundation for the design of such systems, and to lay the groundwork for achieving effective principles for building and analysing such systems.

    This workshop covers the aspects related to languages and programming environments as well as analysis of systems and resources involving 9 projects (AGILE, DART, DEGAS, MIKADO, MRG, MYTHS, PEPITO, PROFUNDIS, SECURE) out of the 13 funded under the initiative. After a year from the start of the projects, the goal of the workshop is to fix the state of the art on the topics covered by the two clusters related to programming environments and analysis of systems as well as to devise strategies and new ideas to profitably continue the research effort towards the overall objective of the initiative. We acknowledge the Dipartimento di Informatica and Tlc of the University of Trento, the Comune di Rovereto, the project DEGAS for partially funding the event and the Events and Meetings Office of the University of Trento for the valuable collaboration.

    A QUIC Implementation for ns-3

    Quick UDP Internet Connections (QUIC) is a recently proposed transport protocol, currently being standardized by the Internet Engineering Task Force (IETF). It aims at overcoming some of the shortcomings of TCP, while maintaining the logic related to flow and congestion control, retransmissions and acknowledgments. It supports multiplexing of multiple application layer streams in the same connection, a more refined selective acknowledgment scheme, and low-latency connection establishment. It also integrates cryptographic functionalities in the protocol design. Moreover, QUIC is deployed at the application layer, and encapsulates its packets in UDP datagrams. Given the widespread interest in the new QUIC features, we believe that it is important to provide to the networking community an implementation in a controllable and isolated environment, i.e., a network simulator such as ns-3, in which it is possible to test QUIC's performance and understand design choices and possible limitations. Therefore, in this paper we present a native implementation of QUIC for ns-3, describing the features we implemented, the main assumptions and differences with respect to the QUIC Internet Drafts, and a set of examples.

    Comment: 8 pages, 4 figures. Please cite it as A. De Biasio, F. Chiariotti, M. Polese, A. Zanella, M. Zorzi, "A QUIC Implementation for ns-3", Proceedings of the Workshop on ns-3 (WNS3 '19), Firenze, Italy, 201

    Design of a Data Encryption Test-Bed Used to Analyze Encryption Processing Overhead

    Data security is one of the most pressing issues faced by the organizations today. Unauthorized access to confidential information corresponding to employees/customers like SSN (Social Security numbers), financial information, health records, birth dates can be compromised both to the individual customers involved and the company withholding the data. The problem has become immense, approximately 260 million records were compromised since 2005 and companies, states and countries have reacted by mandating that industries should stringently follow the best security practices, including encryption and decryption of data. Also, the costs associated with data threats are quite increasing (Whitfield & Susan, 2007). Businesses that use strong encryption methodologies in their mobile devices, computers, cloud systems, other locations might not gain 100% protection from dangerous hackers, but they can decrease their vulnerability to such attacks and thereby the potential of financial losses. Data encryption is the method of converting data in a computer or any communication system making it unintelligible in a way that the data can be reversed only by the authorized people accessing the original data. The primary goal is to safeguard the confidentiality of data, but integrity checks are also provided by the technique in various forms of authentication message codes. For instance, digital signature schemes are also fundamentals of encryption. The purpose of it is to ensure the authenticity of the identity of the receiver and sender. With an increasing awareness of security threats, many of the current companies are using cryptographic techniques for ensuring data security. Many of the companies like Amazon, Apple, AT&T and Comcast are using encryption techniques for securing the information.

    While there are many encryption and decryption techniques available today, there is an obvious requirement for the current companies to find and choose the best reliable cryptographic techniques for securing their data. A performance test of various algorithms is needed to bring up the best technique. This research paper deals with the implementation of different cryptographic algorithms with a programming language called JAVA. It involves designing a graphical user interface (GUI) where sample input can be entered, common algorithms used to encrypt and decrypt the input can be selected. A mechanism for building a test bed for comparing the performances of the implemented algorithms is designed to calculate the encryption processing overhead.