Can NSEC5 be practical for DNSSEC deployments?

NSEC5 is proposed modification to DNSSEC that simultaneously guarantees two security properties: (1) privacy against offline zone enumeration, and (2) integrity of zone contents, even if an adversary compromises the authoritative nameserver responsible for responding to DNS queries for the zone. This paper redesigns NSEC5 to make it both practical and performant. Our NSEC5 redesign features a new fast verifiable random function (VRF) based on elliptic curve cryptography (ECC), along with a cryptographic proof of its security. This VRF is also of independent interest, as it is being standardized by the IETF and being used by several other projects. We show how to integrate NSEC5 using our ECC-based VRF into the DNSSEC protocol, leveraging precomputation to improve performance and DNS protocol-level optimizations to shorten responses. Next, we present the first full-fledged implementation of NSEC5—extending widely-used DNS software to present a nameserver and recursive resolver that support NSEC5—and evaluate their performance under aggressive DNS query loads. Our performance results indicate that our redesigned NSEC5 can be viable even for high-throughput scenarioshttps://eprint.iacr.org/2017/099.pdfFirst author draf

Using quantum key distribution for cryptographic purposes: a survey

The appealing feature of quantum key distribution (QKD), from a cryptographic viewpoint, is the ability to prove the information-theoretic security (ITS) of the established keys. As a key establishment primitive, QKD however does not provide a standalone security service in its own: the secret keys established by QKD are in general then used by a subsequent cryptographic applications for which the requirements, the context of use and the security properties can vary. It is therefore important, in the perspective of integrating QKD in security infrastructures, to analyze how QKD can be combined with other cryptographic primitives. The purpose of this survey article, which is mostly centered on European research results, is to contribute to such an analysis. We first review and compare the properties of the existing key establishment techniques, QKD being one of them. We then study more specifically two generic scenarios related to the practical use of QKD in cryptographic infrastructures: 1) using QKD as a key renewal technique for a symmetric cipher over a point-to-point link; 2) using QKD in a network containing many users with the objective of offering any-to-any key establishment service. We discuss the constraints as well as the potential interest of using QKD in these contexts. We finally give an overview of challenges relative to the development of QKD technology that also constitute potential avenues for cryptographic research.Comment: Revised version of the SECOQC White Paper. Published in the special issue on QKD of TCS, Theoretical Computer Science (2014), pp. 62-8

IMPROVING SMART GRID SECURITY USING MERKLE TREES

Abstract—Presently nations worldwide are starting to convert their aging electrical power infrastructures into modern, dynamic power grids. Smart Grid offers much in the way of efficiencies and robustness to the electrical power grid, however its heavy reliance on communication networks will leave it more vulnerable to attack than present day grids. This paper looks at the threat to public key cryptography systems from a fully realized quantum computer and how this could impact the Smart Grid. We argue for the use of Merkle Trees in place of public key cryptography for authentication of devices in wireless mesh networks that are used in Smart Grid applications

Quantifying Shannon's Work Function for Cryptanalytic Attacks

Attacks on cryptographic systems are limited by the available computational resources. A theoretical understanding of these resource limitations is needed to evaluate the security of cryptographic primitives and procedures. This study uses an Attacker versus Environment game formalism based on computability logic to quantify Shannon's work function and evaluate resource use in cryptanalysis. A simple cost function is defined which allows to quantify a wide range of theoretical and real computational resources. With this approach the use of custom hardware, e.g., FPGA boards, in cryptanalysis can be analyzed. Applied to real cryptanalytic problems, it raises, for instance, the expectation that the computer time needed to break some simple 90 bit strong cryptographic primitives might theoretically be less than two years.Comment: 19 page

Encryption’s Importance to Economic and Infrastructure Security

Det övergripande syftet med den här avhandlingen var att utreda om network coopetition, samarbete mellan konkurrerande aktörer, kan öka värdeskapandet inom hälso- och sjukvården. Inom hälso- och sjukvården är network coopetition ett ämne som fått liten uppmärksamhet i tidigare studier. För att besvara syftet utvecklades en modell för network coopetition inom hälso- och sjukvården. Modellen applicerades sedan på en del av vårdkedjan för patienter i behov av neurokirurgisk vård. Resultaten från avhandlingen visar att: (1) Förutsättningarna för network coopetition i vårdkedjan för patienter i behov av neurokirurgisk vård är uppfyllda. (2) Det finns exempel på horisontell network coopetition i den studerade vårdkedjan. (3) Det existerar en diskrepans mellan hur aktörerna  ser  på  sitt  eget  och  de  andra  aktörernas  värdeskapande. (4)  Värdeskapandet bör utvärderas som ett gemensamt system där hänsyn tas till alla aktörer och utvärderas på process- nivå där hänsyn tas till alla intressenter. Dessa resultat leder fram till den övergripande slutsatsen är att network coopetition bör kunna öka värdeskapandet för högspecialiserade vårdkedjor med en stor andel inomlänspatienter.The overall purpose of this thesis was to investigate whether network coopetition, cooperation between competitive actors, can increase the value creation within the health care system. Within health care, network coopetition is a subject granted little attention in previous research. To fulfil the purpose a model for network coopetition within the health care system was developed. The model was the applied to one part of the chain of care for patients in need of neurosurgery. The results from this thesis show: (1) The conditions for network coopetition in the chain of care for patients in need of neurosurgery are fulfilled. (2) Examples of horizontal network coopetition have been found in the studied chain of care. (3) There is an existing discrepancy between how each actor recognizes its own and the other actors’ value creation. (4) The value creation ought to be evaluated as a common system where all actors are taken into account and at a process level where all stakeholders are considered. These results supports the final conclusion that network coopetition ought to be able to increase the value creation for highly specialized chain of cares with a large share of within-county patients

Implementing a protected zone in a reconfigurable processor for isolated execution of cryptographic algorithms

We design and realize a protected zone inside a reconfigurable and extensible embedded RISC processor for isolated execution of cryptographic algorithms. The protected zone is a collection of processor subsystems such as functional units optimized for high-speed execution of integer operations, a small amount of local memory, and general and special-purpose registers. We outline the principles for secure software implementation of cryptographic algorithms in a processor equipped with the protected zone. We also demonstrate the efficiency and effectiveness of the protected zone by implementing major cryptographic algorithms, namely RSA, elliptic curve cryptography, and AES in the protected zone. In terms of time efficiency, software implementations of these three cryptographic algorithms outperform equivalent software implementations on similar processors reported in the literature. The protected zone is designed in such a modular fashion that it can easily be integrated into any RISC processor; its area overhead is considerably moderate in the sense that it can be used in vast majority of embedded processors. The protected zone can also provide the necessary support to implement TPM functionality within the boundary of a processor