On Tightly Secure Primitives in the Multi-Instance Setting
We initiate the study of general tight reductions in cryptography. There already exist a variety of works that offer tight reductions for a number of cryptographic tasks, ranging from encryption and signature schemes to proof systems. However, our work is the first to provide a universal definition of a tight reduction (for arbitrary primitives), along with several observations and results concerning primitives for which tight reductions have not been known.
Technically, we start from the general notion of reductions due to Reingold, Trevisan, and Vadhan (TCC 2004), and equip it with a quantification of the respective reduction loss, and a canonical multi-instance extension to primitives. We then revisit several standard reductions whose tight security has not yet been considered. For instance, we revisit a generic construction of signature schemes from one-way functions, and show how to tighten the corresponding reduction by assuming collision-resistance from the used one-way function. We also obtain tightly secure pseudorandom generators (by using suitable rerandomisable hard-core predicates), and tightly secure lossy trapdoor functions
Still Wrong Use of Pairings in Cryptography
Several pairing-based cryptographic protocols have recently been proposed with a wide variety of novel applications, including ones in emerging technologies such as cloud computing, the Internet of Things (IoT), e-health systems and wearable technologies. There has, however, been a wide range of incorrect uses of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too inefficient designs of pairing-based protocols. We observed that one reason is a lack of awareness of the recent advances in solving the discrete logarithm problem in some groups. The main purpose of this article is to give understandable, informative, and up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and instead give special emphasis to the importance of the correct use of bilinear maps in realizing secure cryptographic protocols. We list a collection of recent papers having wrong security assumptions or realizability/efficiency issues. Finally, we give a compact and up-to-date recipe for the correct use of pairings.
Comment: 25 page
CyberLiveApp: a secure sharing and migration approach for live virtual desktop applications in a cloud environment
In recent years we have witnessed the rapid advent of cloud computing, in which remote software is delivered as a service and accessed by users through a thin client over the Internet. In particular, traditional desktop applications can execute in remote virtual machines without re-architecture, providing a personal desktop experience to users through remote display technologies. However, existing cloud desktop applications mainly achieve isolated environments using virtual machines (VMs), which cannot adequately support application-oriented collaboration between multiple users and VMs. In this paper, we propose a flexible collaboration approach, named CyberLiveApp, to enable the sharing of live virtual desktop applications on a cloud and virtualization infrastructure. CyberLiveApp supports secure application sharing and on-demand migration among multiple users or devices. To support VM desktop sharing among multiple users, a secure access mechanism is developed to distinguish view privileges, allowing window operation events to be tracked so that hidden window areas can be computed in real time. A proxy-based window filtering mechanism is also proposed to deliver desktops to different users. To support application sharing and migration between VMs, we use a presentation streaming redirection mechanism and a VM cloning service. These approaches have been preliminarily evaluated on an extended MetaVNC. Results of the evaluations verify that these approaches are effective and useful.
Improvements and New Constructions of Digital Signatures
A digital signature scheme, often simply called a digital signature, is an important and now indispensable building block in cryptography.
It is the digital equivalent of the classical handwritten signature and additionally provides further desirable properties.
With such a scheme one can generate a public key and a secret key. The secret key is used to create signatures for arbitrary messages. These can be checked, and thus verified, by anyone with the help of the public key.
Furthermore, the scheme is required to be "secure". The literature offers many different notions and definitions of this, depending on the concrete requirements or application areas one has in mind.
Put simply, it should not be possible for an attacker without knowledge of the secret key to forge a valid signature for an arbitrary message.
A secure signature scheme can thus be used to achieve the following goals:
- Authenticity: every recipient can check whether the message comes from a specific sender.
- Message integrity: every recipient can determine whether the message was altered in transit.
- Non-repudiation: the sender cannot deny having created the signature.
The use of digital signatures is therefore very important for many applications in practice. Wherever it matters to ensure the authenticity and integrity of a message, such as in electronic payments, software updates or digital certificates on the Internet, digital signatures are used.
Digital signatures are also an indispensable tool for cryptographic theory. For example, they enable the construction of strongly secure encryption schemes.
Own contribution: As already mentioned, there are different notions of security for digital signatures. A standard notion of security, which describes a rather strong form of security, is examined more closely in this thesis. Constructing schemes that achieve this form of security is a multifaceted research topic, with different strategies in different models. In this thesis we therefore concentrate on the following points.
- Starting from comparatively realistic assumptions, we construct a strongly secure signature scheme in the so-called standard model, which is the most realistic model for security proofs. Our scheme is the most efficient scheme in its category to date. It produces very short signatures and uses short keys, both indispensable in practice.
- We improve the quality of a security proof for a related building block, identity-based encryption. Among other things, this affects its efficiency with respect to the key lengths recommended for secure use in practice. Since every identity-based encryption scheme can be generically transformed into a digital signature scheme, this is also of interest in the context of digital signatures.
- We consider variants of digital signatures with additional properties, so-called aggregate signature schemes. These make it possible to efficiently combine several signatures into one while still verifying all the associated distinct messages. We give a new construction of such an aggregate signature scheme in which verification outputs a list of all correctly signed messages in an aggregate signature instead of, as has been usual so far, only valid or invalid. When an aggregate signature consists of many individual signatures, recomputation and possible retransmission thus become unnecessary, which considerably reduces the effort.
Cryptology in the Crowd
Accidents happen: you may misplace the key to your home, or maybe the PIN to your home security system was written on an ill-placed post-it note. And so they end up in the hands of a bad actor, who is then granted the power to wreak all kinds of havoc in your life: the security of your home grants no guarantees when keys are stolen and PINs are leaked. Nonetheless your neighbour, whose key-and-PIN routines leave comparatively little to be desired, should feel safe that just because you can't keep your house safe from intruders, their home remains secured.
It is likewise with cryptography, whose security also relies on the secrecy of key material: intuitively, the ability to recover the secret keys of other users should not help an adversary break into an uncompromised system. Yet formalizing this intuition has turned out tricky, with several competing notions of security of varying strength. This begs the question: when modelling a real-world scenario with many users, some of which may be compromised, which formalization is the right one? Or: how do we build cryptology in a crowd?
Paper I embarks on the quest to answer the above questions by studying how various notions of multi-user IND-CCA compare to each other, with and without the ability to adaptively compromise users. We partly answer the question by showing that, without compromise, some notions of security really are preferable over others. Still, the situation is left largely open when compromise is accounted for.
Paper II takes a detour to a related set of security notions in which, rather than attacking a single user, an adversary seeks to break the security of many. One imagines an unusually powerful adversary, for example a state-sponsored actor, for whom brute-forcing a single system is not a problem. Our goal then shifts from securing every user to making mass surveillance as difficult as possible, so that the vast majority of uncompromised users can remain secure.
Paper III picks up where Paper I left off by comparing and systemizing the same security notions with a wider array of security notions that aim to capture the same (or similar) scenarios. These notions appear under the names of Selective Opening Attacks (SOA) and Non-Committing Encryption (NCE), and are typically significantly stronger than the notions of IND-CCA studied in Paper I. With a system in place, we identify and highlight a number of gaps, some of which we close, and many of which are posed as open problems.
Doktorgradsavhandlin
Formal security analysis of registration protocols for interactive systems: a methodology and a case of study
In this work we present and formally analyze CHAT-SRP (CHAos based Tickets-Secure Registration Protocol), a protocol to provide interactive and collaborative platforms with a cryptographically robust solution to classical security issues. Namely, we focus on the secrecy and authenticity properties while keeping high usability. In this sense, users are forced to blindly trust the system administrators and developers. Moreover, as far as we know, the use of formal methodologies for the verification of security properties of communication protocols is not yet a common practice. We propose here a methodology to fill this gap, i.e., to analyse both the security of the proposed protocol and the pertinence of the underlying premises. To this end, we propose the definition and formal evaluation of a protocol for the distribution of digital identities. Once distributed, these identities can be used to verify the integrity and source of information. We base our security analysis on tools for the automatic verification of security protocols that are widely accepted by the scientific community, and on the principles they are based upon. In addition, perfect cryptographic primitives are assumed in order to focus the analysis on the exchange of protocol messages. The main property of our protocol is the incorporation of tickets, created using digests of chaos-based nonces (numbers used only once) and users' personal data. Combined with a multichannel authentication scheme with some previous knowledge, these tickets provide security during the whole protocol by univocally linking each registering user with a single request. [..]
Comment: 32 pages, 7 figures, 8 listings, 1 tabl
A Calculus for Orchestration of Web Services
Service-oriented computing, an emerging paradigm for distributed computing based on the use of services, is calling for the development of tools and techniques to build safe and trustworthy systems, and to analyse their behaviour. Therefore, many researchers have proposed to use process calculi, a cornerstone of current foundational research on specification and analysis of concurrent, reactive, and distributed systems. In this paper, we follow this approach and introduce CWS, a process calculus expressly designed for specifying and combining service-oriented applications, while modelling their dynamic behaviour. We show that CWS can model all the phases of the life cycle of service-oriented applications, such as publication, discovery, negotiation, orchestration, deployment, reconfiguration and execution. We illustrate the specification style that CWS supports by means of a large case study from the automotive domain and a number of more specific examples drawn from it
FLAIM: A Multi-level Anonymization Framework for Computer and Network Logs
FLAIM (Framework for Log Anonymization and Information Management) addresses two important needs not well addressed by current log anonymizers. First, it is extremely modular and not tied to the specific log being anonymized. Second, it supports multi-level anonymization, allowing system administrators to make fine-grained trade-offs between information loss and privacy/security concerns. In this paper, we examine anonymization solutions to date and note the above limitations in each. We further describe how FLAIM addresses these problems, and we describe FLAIM's architecture and features in detail.
Comment: 16 pages, 4 figures, in submission to USENIX Lis