12 research outputs found
A Key Recovery Attack on Error Correcting Code Based a Lightweight Security Protocol
One of the interesting types of RFID application is RFID searching which aims to hear a specific RFID tag from a large group of tags, i.e. ability of detecting whether a target RFID tag is nearby. Very recently, a lightweight protocol using error-correcting codes has been proposed by Chen et al. to provide a solution to needs in this field. The authors give a detailed analysis of their protocol in terms of security, privacy, communication overhead, hardware cost and they claim that it is a realizable scheme with fulfilling security and privacy requirements. In this study, however, we investigate security of this protocol and clearly demonstrate its security flaws that completely allow an adversary to exploit the system. In particular, by using linear properties of error correcting coding we firstly describe a tag tracing attack that undermines untraceability property which is one its design objectives. Then along with its implementation details we present a key recovery attack that reduces dramatically search space of a tag\u27s secret key and show that an adversary can compromise it in practical time by only querying this tag for several times. As an illustrative example we retrieve the secret key of the protocol in two hours for the adopted linear block code C(47,24,11) which is one of the suggested codes
Security and Privacy of Radio Frequency Identification
Tanenbaum, A.S. [Promotor]Crispo, B. [Copromotor
On the Security of HB# against a Man-in-the-Middle Attack
At EuroCrypt ’08, Gilbert, Robshaw and Seurin proposed HB# to improve on HB+ in terms of transmission cost and security against man-in-the-middle attacks. Although the security of HB# is formally proven against a certain class of man- in-the-middle adversaries, it is only conjectured for the general case. In this paper, we present a general man-in-the-middle attack against HB# and Random-HB#, which can also be applied to all anterior HB-like protocols, that recovers the shared secret in 225 or 220 authentication rounds for HB# and 234 or 228 for Random-HB#, depending on the parameter set. We further show that the asymptotic complexity of our attack is polynomial under some conditions on the parameter set which are met on one of those proposed in [8]
On solving LPN using BKW and variants Implementation and Analysis
The Learning Parity with Noise problem (LPN) is appealing in cryptography as it is considered to remain hard in the post-quantum world. It is also a good candidate for lightweight devices due to its simplicity. In this paper we provide a comprehensive analysis of the existing LPN solving algorithms, both for the general case and for the sparse secret scenario. In practice, the LPN-based cryptographic constructions use as a reference the security parameters proposed by Levieil and Fouque. But, for these parameters, there remains a gap between the theoretical analysis and the practical complexities of the algorithms we consider. The new theoretical analysis in this paper provides tighter bounds on the complexity of LPN solving algorithms and narrows this gap between theory and practice. We show that for a sparse secret there is another algorithm that outperforms BKW and its variants. Following from our results, we further propose practical parameters for different security levels
Distributed Group Authentication for RFID Supply Management
We investigate an application of Radio Frequency Identification (RFID) referred to in the literature as group scanning, in which an RFID reader device interrogates several RFID tags to establish “simultaneous” presence of a group of tags. Our goal is to study the group scanning problem in strong adversarial settings and show how group scanning can be used in distributed applications for supply chain management.
We present a security framework for group scanning and give a formal description of the attending security requirements. Our model is based on the Universal Composability framework and supports re-usability
(through modularity of security guarantees). We propose two novel protocols that realize group scanning in this security model, based on off-the-shelf components such as low-cost (highly optimized) pseudorandom functions, and show how these can be integrated into RFID supply-chain management system
Optimization of LPN Solving Algorithms
In this article we focus on constructing an algorithm that automatizes the generation of LPN solving algorithms from the considered parameters. When searching for an algorithm to solve an LPN instance,
we make use of the existing techniques and optimize their use. We formalize an LPN algorithm as a path in a graph G and our algorithm is searching for the optimal paths in this graph. The results bring improvements over the existing work by a factor from 2^8 to 2^{10}, i.e. we improve the results of the covering code from ASIACRYPT\u2714. Furthermore, we propose concrete practical codes and a method to find good codes
On Solving Lpn using BKW and Variants
The Learning Parity with Noise problem (LPN) is appealing in cryptography as it is considered to remain hard in the post-quantum world. It is also a good candidate for lightweight devices due to its simplicity. In this paper we provide a comprehensive analysis of the existing LPN solving algorithms, both for the general case and for the sparse secret scenario. In practice, the LPN-based cryptographic constructions use as a reference the security parameters proposed by Levieil and Fouque. But, for these parameters, there remains a gap between the theoretical analysis and the practical complexities of the algorithms we consider. The new theoretical analysis in this paper provides tighter bounds on the complexity of LPN solving algorithms and narrows this gap between theory and practice. We show that for a sparse secret there is another algorithm that outperforms BKW and its variants. Following from our results, we further propose practical parameters for different security levels
Enhancing trustability in MMOGs environments
Massively Multiplayer Online Games (MMOGs; e.g., World of Warcraft), virtual worlds
(VW; e.g., Second Life), social networks (e.g., Facebook) strongly demand for more
autonomic, security, and trust mechanisms in a way similar to humans do in the real
life world. As known, this is a difficult matter because trusting in humans and organizations
depends on the perception and experience of each individual, which is difficult to
quantify or measure. In fact, these societal environments lack trust mechanisms similar
to those involved in humans-to-human interactions. Besides, interactions mediated
by compute devices are constantly evolving, requiring trust mechanisms that keep the
pace with the developments and assess risk situations.
In VW/MMOGs, it is widely recognized that users develop trust relationships from their
in-world interactions with others. However, these trust relationships end up not being
represented in the data structures (or databases) of such virtual worlds, though they
sometimes appear associated to reputation and recommendation systems. In addition,
as far as we know, the user is not provided with a personal trust tool to sustain his/her
decision making while he/she interacts with other users in the virtual or game world.
In order to solve this problem, as well as those mentioned above, we propose herein a
formal representation of these personal trust relationships, which are based on avataravatar
interactions. The leading idea is to provide each avatar-impersonated player
with a personal trust tool that follows a distributed trust model, i.e., the trust data is
distributed over the societal network of a given VW/MMOG.
Representing, manipulating, and inferring trust from the user/player point of view certainly
is a grand challenge. When someone meets an unknown individual, the question
is “Can I trust him/her or not?”. It is clear that this requires the user to have access to
a representation of trust about others, but, unless we are using an open source VW/MMOG,
it is difficult —not to say unfeasible— to get access to such data. Even, in an open
source system, a number of users may refuse to pass information about its friends, acquaintances,
or others. Putting together its own data and gathered data obtained from
others, the avatar-impersonated player should be able to come across a trust result
about its current trustee. For the trust assessment method used in this thesis, we use
subjective logic operators and graph search algorithms to undertake such trust inference
about the trustee. The proposed trust inference system has been validated using
a number of OpenSimulator (opensimulator.org) scenarios, which showed an accuracy
increase in evaluating trustability of avatars.
Summing up, our proposal aims thus to introduce a trust theory for virtual worlds, its
trust assessment metrics (e.g., subjective logic) and trust discovery methods (e.g.,
graph search methods), on an individual basis, rather than based on usual centralized
reputation systems. In particular, and unlike other trust discovery methods, our methods
run at interactive rates.MMOGs (Massively Multiplayer Online Games, como por exemplo, World of Warcraft),
mundos virtuais (VW, como por exemplo, o Second Life) e redes sociais (como por exemplo,
Facebook) necessitam de mecanismos de confiança mais autónomos, capazes de
assegurar a segurança e a confiança de uma forma semelhante à que os seres humanos
utilizam na vida real. Como se sabe, esta não é uma questão fácil. Porque confiar em
seres humanos e ou organizações depende da percepção e da experiĂŞncia de cada indivĂduo,
o que Ă© difĂcil de quantificar ou medir Ă partida. Na verdade, esses ambientes
sociais carecem dos mecanismos de confiança presentes em interacções humanas presenciais.
Além disso, as interacções mediadas por dispositivos computacionais estão em
constante evolução, necessitando de mecanismos de confiança adequados ao ritmo da
evolução para avaliar situações de risco.
Em VW/MMOGs, é amplamente reconhecido que os utilizadores desenvolvem relações
de confiança a partir das suas interacções no mundo com outros. No entanto, essas relações
de confiança acabam por não ser representadas nas estruturas de dados (ou bases
de dados) do VW/MMOG especĂfico, embora Ă s vezes apareçam associados Ă reputação
e a sistemas de reputação. Além disso, tanto quanto sabemos, ao utilizador não lhe
é facultado nenhum mecanismo que suporte uma ferramenta de confiança individual
para sustentar o seu processo de tomada de decisĂŁo, enquanto ele interage com outros
utilizadores no mundo virtual ou jogo. A fim de resolver este problema, bem como
os mencionados acima, propomos nesta tese uma representação formal para essas relações
de confiança pessoal, baseada em interacções avatar-avatar. A ideia principal
é fornecer a cada jogador representado por um avatar uma ferramenta de confiança
pessoal que segue um modelo de confiança distribuĂda, ou seja, os dados de confiança
sĂŁo distribuĂdos atravĂ©s da rede social de um determinado VW/MMOG.
Representar, manipular e inferir a confiança do ponto de utilizador/jogador, é certamente
um grande desafio. Quando alguĂ©m encontra um indivĂduo desconhecido, a
pergunta é “Posso confiar ou não nele?”. É claro que isto requer que o utilizador tenha
acesso a uma representação de confiança sobre os outros, mas, a menos que possamos
usar uma plataforma VW/MMOG de cĂłdigo aberto, Ă© difĂcil — para nĂŁo dizer impossĂvel
— obter acesso aos dados gerados pelos utilizadores. Mesmo em sistemas de código
aberto, um número de utilizadores pode recusar partilhar informações sobre seus amigos,
conhecidos, ou sobre outros. Ao juntar seus prĂłprios dados com os dados obtidos de
outros, o utilizador/jogador representado por um avatar deve ser capaz de produzir uma
avaliação de confiança sobre o utilizador/jogador com o qual se encontra a interagir.
Relativamente ao método de avaliação de confiança empregue nesta tese, utilizamos
lógica subjectiva para a representação da confiança, e também operadores lógicos da
lĂłgica subjectiva juntamente com algoritmos de procura em grafos para empreender
o processo de inferência da confiança relativamente a outro utilizador. O sistema de
inferência de confiança proposto foi validado através de um número de cenários Open-Simulator (opensimulator.org), que mostrou um aumento na precisão na avaliação da
confiança de avatares.
Resumindo, a nossa proposta visa, assim, introduzir uma teoria de confiança para mundos
virtuais, conjuntamente com métricas de avaliação de confiança (por exemplo, a
lógica subjectiva) e em métodos de procura de caminhos de confiança (com por exemplo,
através de métodos de pesquisa em grafos), partindo de uma base individual, em
vez de se basear em sistemas habituais de reputação centralizados. Em particular, e ao
contrário de outros métodos de determinação do grau de confiança, os nossos métodos
sĂŁo executados em tempo real