Protecting EST Payloads with OSCORE: IETF Internet Draft

draft-selander-ace-coap-est-oscore-04This document specifies public-key certificate enrollment procedures protected with lightweight application-layer security protocols suitable for Internet of Things (IoT) deployments. The protocols leverage payload formats defined in Enrollment over Secure Transport (EST) and existing IoT standards including the Constrained Application Protocol (CoAP), Concise Binary Object Representation (CBOR) and the CBOR Object Signing and Encryption (COSE) format

Trust management for the World Wide Web

Thesis (M. Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 1997.Includes bibliographical references (leaves 62-[63]).by Yang-hua Chu.M.Eng

Робоча програма навчальної дисципліни "Інфраструктура відкритих ключів"

Робоча навчальна програма з курсу «Інфраструктура відкритих ключів» є нормативним документом Київського університету імені Бориса Грінченка, який розроблено кафедрою інформаційної та кібернетичної безпеки імені професора Володимира Бурячка на основі освітньо-професійної програми підготовки здобувачів першого (бакалаврського) рівня відповідно до навчального плану спеціальності 125 «Кібербезпека». Навчальна дисципліна «Інфраструктура відкритих ключів» складається з двох змістовних модулів: Основи побудови та застосування інфраструктури відкритих ключів; Практичні аспекти розгортання системи ІВК та забезпечення її функціонування. Обсяг дисципліни – 180 год. (6 кредитів)

An Extensible Framework for Creating Personal Archives of Web Resources Requiring Authentication

The key factors for the success of the World Wide Web are its large size and the lack of a centralized control over its contents. In recent years, many advances have been made in preserving web content but much of this content (namely, social media content) was not archived, or still to this day is not being archived,for various reasons. Tools built to accomplish this frequently break because of the dynamic structure of social media websites. Because many social media websites exhibit a commonality in hierarchy of the content, it would be worthwhile to setup a means to reference this hierarchy for tools to leverage and become adaptive as the target websites evolve. As relying on the service to provide this means is problematic in the context of archiving, we can surmise that the only way to assure that all of these shortcomings are not experienced is to rely on the original context in which the user views the content, i.e. the webbrowser. In this thesis I will describe an abstract specification and concrete implementations of the specification that allow tools to leverage the context of theweb browser to capture content into personal web archives. These tools will then be able to accomplish personal web archiving in a way that makes them more robust. As evaluation, I will make a change in the hierarchy of a synthetic social media website and its respective specification. Then, I will show that anadapted tool, using the specification, continues to function and is able to archive the social media website

Design and development of practical and secure e-mail system /

Key distribution and management in applications that use public key cryptosystems generally rely on Public Key Infrastructures (PKI). In this thesis, the disadvantages of this approach are discussed and an e-mail system that performs public key distribution and management in a unique way is proposed. The name of this system is "Practical and Secure E-Mail System" ("PractiSES"). PractiSES does not use the certification mechanisms of PKIs. A central authority, which is trusted by all users, takes the responsibility of key distribution and management in PractiSES. PractiSES Client is an e-mail application that is designed for end users. On top of regular e-mail client features, PractiSES Client can also be used to exchange e-mails among users in encrypted and/or signed fashion. PractiSES is designed according to the phases of "Object Oriented Analyses and Design (OOAD)". It is implemented using Java programming language. In PractiSES, there are several secure protocols developed for initializing users, removing and updating public keys of the users and obtaining the others' public keys. Key management and distribution features of PractiSES do not let the e-mail addresses move around in an uncontrolled fashion-this is one of the problems of PKI based systems. Moreover, certificate revocation problem does not exist in PractiSES. The trust mechanism of PractiSES is simple and straightforward so that an average user can easily use. Those characteristics of PractiSES make it "practical". On the other hand, PractiSES supports enough security features, such as authentic registration, encryption and digital signatures. The first version of PractiSES will be for closed-group e-mail exchange. PractiSES will be a free application that can be used without any warranty by companies and universities

A framework for cryptography algorithms on mobile devices

Mobile communication devices have become a popular tool for gathering and disseminating information and data. With the evidence of the growth of wireless technology and a need for more flexible, customizable and better-optimised security schemes, it is evident that connection-based security such as HTTPS may not be sufficient. In order to provide sufficient security at the application layer, developers need access to a cryptography package. Such packages are available as third party mobile cryptographic toolkits or are supported natively on the mobile device. Typically mobile cryptographic packages have reduced their number of API methods to keep the package lightweight in size, but consequently making it quite complex to use. As a result developers could easily misuse a method which can weaken the entire security of a system without knowing it. Aside from the complexities in the API, mobile cryptography packages often do not apply sound cryptography within the implementation of the algorithms thus causing vulnerabilities in its utilization and initialization. Although FIPS 140-2 and CAPI suggest guidelines on how cryptographic algorithms should be implemented, they do not define the guidelines for implementing and using cryptography in a mobile environment. In our study, we do not define new cryptographic algorithms, instead, we investigate how sound cryptography can be applied practically in a mobile application environment and developed a framework called Linca (which stands for Logical Integration of Cryptographic Architectures) that can be used as a mobile cryptographic package to demonstrate our findings. The benefit that Linca has is that it hides the complexity of making incorrect cryptographic algorithm decisions, cryptographic algorithm initialization and utilization and key management, while maintaining a small size. Linca also applies sound cryptographic fundamentals internally within the framework, which radiates these benefits outwards at the API. Because Linca is a framework, certain architecture and design patterns are applied internally so that the cryptographic mechanisms and algorithms can be easily maintained. Linca showed better results when evaluated against two mobile cryptography API packages namely Bouncy Castle API and Secure and Trust Service API in terms of security and design. We demonstrate the applicability of Linca on using two realistic examples that cover securing network channels and on-device data.Dissertation (MSc (Computer Science))--University of Pretoria, 2007.Computer ScienceMScunrestricte

A Mobile Secure Bluetooth-Enabled Cryptographic Provider

The use of digital X509v3 public key certificates, together with different standards for secure digital signatures are commonly adopted to establish authentication proofs between principals, applications and services. One of the robustness characteristics commonly associated with such mechanisms is the need of hardware-sealed cryptographic devices, such as Hardware-Security Modules (or HSMs), smart cards or hardware-enabled tokens or dongles. These devices support internal functions for management and storage of cryptographic keys, allowing the isolated execution of cryptographic operations, with the keys or related sensitive parameters never exposed. The portable devices most widely used are USB-tokens (or security dongles) and internal ships of smart cards (as it is also the case of citizen cards, banking cards or ticketing cards). More recently, a new generation of Bluetooth-enabled smart USB dongles appeared, also suitable to protect cryptographic operations and digital signatures for secure identity and payment applications. The common characteristic of such devices is to offer the required support to be used as secure cryptographic providers. Among the advantages of those portable cryptographic devices is also their portability and ubiquitous use, but, in consequence, they are also frequently forgotten or even lost. USB-enabled devices imply the need of readers, not always and not commonly available for generic smartphones or users working with computing devices. Also, wireless-devices can be specialized or require a development effort to be used as standard cryptographic providers. An alternative to mitigate such problems is the possible adoption of conventional Bluetooth-enabled smartphones, as ubiquitous cryptographic providers to be used, remotely, by client-side applications running in users’ devices, such as desktop or laptop computers. However, the use of smartphones for safe storage and management of private keys and sensitive parameters requires a careful analysis on the adversary model assumptions. The design options to implement a practical and secure smartphone-enabled cryptographic solution as a product, also requires the approach and the better use of the more interesting facilities provided by frameworks, programming environments and mobile operating systems services. In this dissertation we addressed the design, development and experimental evaluation of a secure mobile cryptographic provider, designed as a mobile service provided in a smartphone. The proposed solution is designed for Android-Based smartphones and supports on-demand Bluetooth-enabled cryptographic operations, including standard digital signatures. The addressed mobile cryptographic provider can be used by applications running on Windows-enabled computing devices, requesting digital signatures. The solution relies on the secure storage of private keys related to X509v3 public certificates and Android-based secure elements (SEs). With the materialized solution, an application running in a Windows computing device can request standard digital signatures of documents, transparently executed remotely by the smartphone regarded as a standard cryptographic provider

Securing Multi-Application Smart Cards by Security-by-Contract

La tecnología de Java Card ha evolucionado hasta el punto de permitir la ejecución de servidores y clientes Web en una tarjeta inteligente. Sin embargo, desarrollos concretos de tarjetas inteligentes multiaplicación no son aún muy corrientes dado el modelo de negocio de descarga asíncrona y actualización de aplicaciones por diferentes partes que requiere que el control de las interacciones entre las aplicaciones sea hecho después de la expedición de la tarjeta. Los modelos y técnicas de seguridad actuales no soportan dicho tipo de evolución en la tartjeta. Un enfoque prometedor para resolver este problema parece ser la idea de Seguridad-mediante-Contrato (SxC). SxC es un entorno en el que se hace obligatorio que cualquier modificación de una aplicación tras la expedición de la tarjeta traiga consigo una especificación de su comportamiento en lo que concierne a seguridad, llamado contrato. Este se debe ajustar a la política de seguridad de la tarjeta multiaplicación. A causa de los recursos limitados de estos dispositivos, el enfoque de SxC puede ser aplicado a diferentes niveles de abstracción, según un jerarquía de modelos la cual proporciona beneficios en términos de complejidad computacional o expresividad del lenguaje. El nivel de más detalle (mayor expresividad) requiere algoritmos demasiado complejos para ser ejecutados en la tarjeta, por lo que es necesario enviar datos de forma privada a una tercera parte de confianza que será la responsable de realizar la comparación del contrato y la política de la tarjeta (proceso llamado Comparación Contrato-Política) con objeto de decidir si la modificación se ajusta a la política de seguridad o no; es decir, si el cambio es aceptable según el comportamiento esperado por la tarjeta y expresado en su política. El propósito del proyecto es desarrollar un sistema el cual resuelva el problema de externalizar el proceso de Comparación Contrato-Política a una entidad externa para tarjetas inteligentes multiaplicación de Java. Este sistema debe garantizar una comunicación segura entre la tarjeta y alguna tercera parte de confianza sobre un medio inseguro. La comunicación tiene que ser segura en términos de autenticación, integridad y confidencialidad. Lograr este objetivo requiere resolver problemas tales como la gestión de identidades y claves y el uso de funciones criptográficas para hacer segura la comunicación de datos privados almacenados en la tarjeta inteligente. Es por ello que los objetivos del proyecto son: Diseñar un sistema que resuelva el problema, implementar un prototipo que demuestre la validez del sistema y validar el prototipo y valorar su idoneidad en cuestión de espacio