
    Design an active verification mechanism for certificates revocation in OCSP for internet authentication

    Online data security is crucial, and companies and organizations pay great attention to it because of its economic and social implications. The Online Certificate Status Protocol (OCSP) is one of the most prominent protocols in this area, offering prompt online checks of certificate status. This research proposes a model implemented on a field programmable gate array (FPGA) that uses a Merkle tree to overcome the delay that can occur when certificates are sorted and authenticated. With this model and its hash function algorithm, more than 50% of certificates were processed in comparison with the standard protocol, and the design provides substantial storage space for certificates at high throughput. The hash function algorithm is designed to arrange verified and denied certificates and to locate them within their validity period, protecting servers from intrusion and clients from using applications with harmful content.
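The data structure the abstract relies on, a Merkle tree over the sorted list of revoked serial numbers, as an added example that is not the paper's FPGA design or code. A responder answers a status query with a short proof that the client checks against one published root: an inclusion path for a revoked serial, or the two adjacent leaves that bracket a serial for a "good" answer. The hash (SHA-256), the leaf/inner-node domain separation, the odd-level padding rule and the serial numbers are all assumptions of this example.

```python
# Added example (not from the paper): a Merkle tree over a sorted list of
# revoked certificate serial numbers, as a responder would use it to answer
# status queries with a proof the client can check against one published root.
# The serial numbers used in the test are constructed sample data.
import bisect
import hashlib


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(serial: int) -> bytes:
    # Domain-separate leaves (0x00) from inner nodes (0x01) so that an inner
    # node can never be passed off as a leaf.
    return _sha256(b"\x00" + serial.to_bytes(20, "big"))


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


def _padded(level):
    # Odd-sized levels repeat their last node so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 else level


def build_levels(serials):
    levels = [[leaf_hash(s) for s in serials]]
    while len(levels[-1]) > 1:
        lvl = _padded(levels[-1])
        levels.append([node_hash(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels


def audit_path(levels, index):
    # List of (sibling hash, is_right) from the leaf up to just below the root.
    path = []
    for lvl in levels[:-1]:
        lvl = _padded(lvl)
        path.append((lvl[index ^ 1], index & 1))
        index >>= 1
    return path


def verify_path(leaf, path, root):
    h = leaf
    for sibling, is_right in path:
        h = node_hash(sibling, h) if is_right else node_hash(h, sibling)
    return h == root


def path_index(path):
    # The direction bits of a path fix the leaf's position; derive it rather
    # than trusting an index sent alongside the proof.
    return sum(bit << lvl for lvl, (_, bit) in enumerate(path))


class RevocationResponder:
    """Holds the sorted revoked-serial list and answers status queries with proofs."""

    def __init__(self, revoked):
        self.serials = sorted(set(revoked))
        self.count = len(self.serials)
        self.levels = build_levels(self.serials)
        self.root = self.levels[-1][0] if self.serials else b"\x00" * 32

    def status(self, serial):
        i = bisect.bisect_left(self.serials, serial)
        if i < self.count and self.serials[i] == serial:
            return "revoked", {"path": audit_path(self.levels, i)}
        # Not revoked: prove it by showing the two neighbours that bracket the
        # serial in sorted order, each with its own inclusion path.
        proof = {"left": None, "right": None}
        if i > 0:
            proof["left"] = (self.serials[i - 1], audit_path(self.levels, i - 1))
        if i < self.count:
            proof["right"] = (self.serials[i], audit_path(self.levels, i))
        return "good", proof


def check_status(root, count, serial, status, proof):
    """Client-side check: only the root hash and the leaf count are trusted inputs."""
    if status == "revoked":
        return verify_path(leaf_hash(serial), proof["path"], root)
    left_idx, right_idx = -1, count  # sentinels for the two ends of the list
    if proof["left"] is not None:
        s, path = proof["left"]
        if not (s < serial and verify_path(leaf_hash(s), path, root)):
            return False
        left_idx = path_index(path)
    if proof["right"] is not None:
        s, path = proof["right"]
        if not (s > serial and verify_path(leaf_hash(s), path, root)):
            return False
        right_idx = path_index(path)
    # The neighbours must be adjacent leaves inside the tree; otherwise a
    # revoked serial could be hidden between them.
    return 0 <= left_idx + 1 == right_idx <= count
```

The client never trusts a claimed index: it recomputes the leaf position from the direction bits of each path and checks that the two bracketing leaves are consecutive, which is what stops a responder from omitting a revoked serial that lies between them.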

    Post-Quantum Authentication in TLS 1.3: A Performance Study

    The potential development of large-scale quantum computers is raising concerns among IT and security research professionals because such machines could solve the (elliptic curve) discrete logarithm and integer factorization problems in polynomial time. All currently used public key algorithms would be insecure in a post-quantum (PQ) setting. In response, the National Institute of Standards and Technology (NIST) has initiated a process to standardize quantum-resistant cryptographic algorithms, focusing primarily on their security guarantees. Since PQ algorithms differ significantly from classical ones, their overall evaluation should not be performed out of context. This work presents a detailed performance evaluation of the NIST signature algorithm candidates and investigates the latency they impose on TLS 1.3 connection establishment under realistic network conditions. In addition, we investigate their impact on TLS session throughput and analyze the trade-off between lengthy PQ signatures and computationally heavy PQ cryptographic operations. Our results demonstrate that adopting at least two PQ signature algorithms would be viable with little additional overhead over current signature algorithms. We also argue that many NIST PQ candidates can effectively be used for less time-sensitive applications, and provide an in-depth discussion of integrating PQ authentication into encrypted tunneling protocols, along with the related challenges, improvements, and alternatives. Finally, we propose and evaluate the combination of different PQ signature algorithms across the same certificate chain in TLS. Results show a reduction of the TLS handshake time and a significant increase of a server's TLS tunnel connection rate compared with using a single PQ signature scheme.

    Attacking Deterministic Signature Schemes using Fault Attacks

    Many digital signature schemes rely on random numbers that must be unique and unpredictable for every signature. Failures of random number generators can have catastrophic effects such as compromising private signature keys. In recent years, many widely used cryptographic technologies adopted deterministic signature schemes because they are presumed to be safer to implement. In this paper, we analyze the security of the deterministic ECDSA and EdDSA signature schemes and show that eliminating random number generators from these schemes enables new kinds of fault attacks. We formalize these attacks and introduce practical attack scenarios against EdDSA using the Rowhammer fault attack. EdDSA is used in many widely used protocols such as TLS, SSH and IPsec, and we show that these protocols are not vulnerable to our attack. We formalize the requirements a protocol using these deterministic signature schemes must meet to be vulnerable, and discuss mitigation strategies and their effect on fault attacks against deterministic signature schemes.

    Interoperable Credentials Management for Wholesale Banking

    A gap exists between wholesale-banking business practices and security best practices: wholesale banks operate within the boundaries of contract law, while security best practices often rely upon a benevolent trusted party outside the scope of straightforward contracts. While some business domains may be able to bridge this gap, the ultra-high-value transactions used in business-to-business banking substantially widen it. The gap becomes most apparent from the perspective of interoperability. If a single user applies the same credential to sign high-value transactions at multiple banks, the trusted-party model becomes overly cumbersome and conflicts with an acceptable concept of liability. This paper outlines the business complexities of wholesale banking and proposes a solution called Partner Key Management (PKM). PKM technology manages the credentials required to authenticate users and sign transactions. The paper presents PKM by describing an interoperable protocol, the requisite data structures, and an interoperable XML definition. It uses formal methods to demonstrate a security equivalence between the revocation options within PKM and the security offered by the traditional Public Key Infrastructure (PKI), a technology that features the benevolent trusted party.

    Open Source Solution of IPsec Virtual Private Networks

    The aim of this thesis is to analyse IPsec virtual private networks and to put various solutions into practice using the strongSwan software. The individual configurations are implemented with commentary and configuration files, and every implementation is accompanied by remarks and detailed listings of the established connections. The thesis then analyses certificate authorities, digital certificates and their use for mutual authentication. The XCA program is used to create and manage certificates, including importing certificates into USB tokens and using them from there. Finally, the thesis deals with the use of the strongSwan VPN client on mobile phones running the Android operating system.
    440 - Department of Telecommunications

    Ampliación y mejora de servicios en la infraestructura de clave pública para e-ciencia de la UNLP (PKIGrid UNLP)

    The Universidad Nacional de La Plata operates a public key infrastructure (PKIGrid UNLP) for issuing certificates in Argentina, accredited by TAGPMA, which supports the e-science activities of the Argentine academic community. This undergraduate thesis presents an alternative to the technology currently used in PKIGrid UNLP for the public key infrastructure, proposing improvements to the existing services and evaluating the possibility of adding new ones.
    Facultad de Informática

    Secure Communications in Next Generation Digital Aeronautical Datalinks

    As of 2022, Air Traffic Management (ATM) is gradually digitizing to automate and secure data transmission in civil aviation. New digital data links like the L-band Digital Aeronautical Communications System (LDACS) are being introduced for this purpose. LDACS is a cellular, ground-based digital communications system for flight guidance and safety. Unfortunately, LDACS and many other datalinks in civil aviation lack link layer security measures. This doctoral thesis proposes a cybersecurity architecture for LDACS, developing various security measures to protect user and control data. These include two new authentication and key establishment protocols, along with a novel approach to secure control data of resource-constrained wireless communication systems. Evaluations demonstrate a latency increase of 570 to 620 milliseconds when securely attaching an aircraft to an LDACS cell, along with a 5% to 10% security data overhead. Also, flight trials confirm that Ground-based Augmentation System (GBAS) can be securely transmitted via LDACS with over 99% availability. These security solutions enable future aeronautical applications like 4D-Trajectories, paving the way for a digitized and automated future of civil aviation

    Dual-factor Authentication in Virtual Private Networks

    The goal of this master's thesis is the design and implementation of two-factor authentication in virtual private networks using a USB token and a password. The proposed solutions are implemented with the OpenVPN and strongSwan software. Complete instructions for installing and working with the USB token are given. The Easy RSA tool and the XCA software are used to create and manage the certificates. Each proposed solution is described together with its configuration and configuration files, followed by verification that two-factor authentication works and that clients running Ubuntu and Windows can connect; the verification is accompanied by listings of the established connections. Finally, the individual solutions are compared with each other.
    440 - Department of Telecommunications

    Efficient Key Management Schemes for Smart Grid

    With the increasing digitization of the Smart Grid through the incorporation of smart(er) devices, there is an ongoing effort to deploy them for various applications. However, if these devices are compromised, they can reveal sensitive information from such systems. Securing them against cyber-attacks is therefore a first step towards protecting this critical infrastructure. Nevertheless, the desirable security features such as confidentiality, integrity and authentication rely entirely on cryptographic keys, whether symmetric or asymmetric. A major accompanying need is to manage these keys for a large number of devices in the Smart Grid. While such key management could in principle be addressed by transferring existing protocols to the Smart Grid domain, this is not an easy task, as one needs to deal with the limitations of the current communication infrastructures and the resource-constrained devices in the Smart Grid. In general, effective mechanisms for Smart Grid security must guarantee the security of the applications by managing (1) key revocation and (2) key exchange. Moreover, such management should be provided without compromising the general performance of Smart Grid applications and thus needs to incur minimal overhead on Smart Grid systems. This dissertation aims to fill this gap by proposing specialized key management techniques for resource- and communication-constrained Smart Grid environments. Specifically, motivated by the need to reduce the revocation management overhead, we first present a distributed public key revocation management scheme for the Advanced Metering Infrastructure (AMI) that utilizes distributed hash trees (DHTs). The basic idea is to share the burden among smart meters to reduce the overall overhead. Second, we propose another revocation management scheme that utilizes cryptographic accumulators, which reduces the space requirements for revocation information significantly. Finally, we turn our attention to the symmetric key exchange problem and propose a 0-Round Trip Time (RTT) message exchange scheme to minimize the number of message exchanges. This scheme enables a lightweight yet secure symmetric key exchange between field devices and the control center in the Smart Grid by utilizing a dynamic hash chain mechanism. The evaluation of the proposed approaches shows that they significantly outperform existing conventional approaches.
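A hash-chain-based 0-RTT exchange between a field device and a control center, as an added example in the spirit of the last contribution above; it is not the dissertation's protocol and makes its own assumptions. It assumes a one-time bootstrap in which the device's chain anchor and a pre-shared key (PSK) are registered at the control center. Every later message reveals the next chain link, which the receiver validates by hashing back to the last accepted link, so the device can send keyed, replay-protected data in its first flight without waiting for a challenge. The chain length, the loss-tolerance window, the seed, the PSK and the payloads are constructed sample values.

```python
# Added example (not the dissertation's protocol): 0-RTT, replay-resistant
# messages from a field device to the control center using a hash chain.
# Assumed bootstrap: the device's chain anchor and a pre-shared key PSK were
# registered at the control center out of band. Seed, PSK and payloads used in
# the test are constructed sample values.
import hashlib
import hmac


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def msg_key(psk: bytes, link: bytes) -> bytes:
    # Per-message key. Mixing in the PSK means that seeing a link on the wire is
    # not enough to forge with it; the link supplies freshness and ordering.
    return hmac.new(psk, b"msg-key" + link, hashlib.sha256).digest()


def msg_tag(key: bytes, idx: int, payload: bytes) -> bytes:
    return hmac.new(key, idx.to_bytes(4, "big") + payload, hashlib.sha256).digest()


class FieldDevice:
    def __init__(self, psk: bytes, seed: bytes, length: int):
        self.psk = psk
        chain = [seed]
        for _ in range(length):
            chain.append(H(chain[-1]))
        # chain[0] is the anchor H^length(seed); H(chain[i]) == chain[i - 1].
        self.chain = chain[::-1]
        self.next = 1

    def anchor(self) -> bytes:
        return self.chain[0]

    def send(self, payload: bytes) -> dict:
        if self.next >= len(self.chain):
            raise RuntimeError("hash chain exhausted; bootstrap a new anchor")
        idx, link = self.next, self.chain[self.next]
        self.next += 1
        return {"idx": idx, "link": link, "payload": payload,
                "tag": msg_tag(msg_key(self.psk, link), idx, payload)}


class ControlCenter:
    def __init__(self, psk: bytes, anchor: bytes, window: int = 8):
        self.psk, self.last, self.last_idx, self.window = psk, anchor, 0, window

    def receive(self, m: dict) -> bool:
        steps = m["idx"] - self.last_idx
        if not 0 < steps <= self.window:
            return False                  # replay, rollback, or too far ahead
        x = m["link"]
        for _ in range(steps):            # tolerate lost messages up to the window
            x = H(x)
        if not hmac.compare_digest(x, self.last):
            return False                  # link does not chain to the last accepted one
        tag = msg_tag(msg_key(self.psk, m["link"]), m["idx"], m["payload"])
        if not hmac.compare_digest(tag, m["tag"]):
            return False                  # payload or index tampered
        self.last, self.last_idx = m["link"], m["idx"]   # advance only on success
        return True
```

Two caveats a practitioner would want: a bare hash chain without the PSK only proves that the sender knows the next preimage, so an on-path attacker who sees a link first could reuse it with a different payload; and a chain is a finite resource, so the device must track how many links remain and re-bootstrap before it runs out.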