4,983 research outputs found
Hardware-based Security for Virtual Trusted Platform Modules
Virtual Trusted Platform modules (TPMs) were proposed as a software-based
alternative to the hardware-based TPMs to allow the use of their cryptographic
functionalities in scenarios where multiple TPMs are required in a single
platform, such as in virtualized environments. However, virtualizing TPMs,
especially virutalizing the Platform Configuration Registers (PCRs), strikes
against one of the core principles of Trusted Computing, namely the need for a
hardware-based root of trust. In this paper we show how strength of
hardware-based security can be gained in virtual PCRs by binding them to their
corresponding hardware PCRs. We propose two approaches for such a binding. For
this purpose, the first variant uses binary hash trees, whereas the other
variant uses incremental hashing. In addition, we present an FPGA-based
implementation of both variants and evaluate their performance
THRIVE: Threshold Homomorphic encryption based secure and privacy preserving bIometric VErification system
In this paper, we propose a new biometric verification and template
protection system which we call the THRIVE system. The system includes novel
enrollment and authentication protocols based on threshold homomorphic
cryptosystem where the private key is shared between a user and the verifier.
In the THRIVE system, only encrypted binary biometric templates are stored in
the database and verification is performed via homomorphically randomized
templates, thus, original templates are never revealed during the
authentication stage. The THRIVE system is designed for the malicious model
where the cheating party may arbitrarily deviate from the protocol
specification. Since threshold homomorphic encryption scheme is used, a
malicious database owner cannot perform decryption on encrypted templates of
the users in the database. Therefore, security of the THRIVE system is enhanced
using a two-factor authentication scheme involving the user's private key and
the biometric data. We prove security and privacy preservation capability of
the proposed system in the simulation-based model with no assumption. The
proposed system is suitable for applications where the user does not want to
reveal her biometrics to the verifier in plain form but she needs to proof her
physical presence by using biometrics. The system can be used with any
biometric modality and biometric feature extraction scheme whose output
templates can be binarized. The overall connection time for the proposed THRIVE
system is estimated to be 336 ms on average for 256-bit biohash vectors on a
desktop PC running with quad-core 3.2 GHz CPUs at 10 Mbit/s up/down link
connection speed. Consequently, the proposed system can be efficiently used in
real life applications
On an almost-universal hash function family with applications to authentication and secrecy codes
Universal hashing, discovered by Carter and Wegman in 1979, has many
important applications in computer science. MMH, which was shown to be
-universal by Halevi and Krawczyk in 1997, is a well-known universal
hash function family. We introduce a variant of MMH, that we call GRDH,
where we use an arbitrary integer instead of prime and let the keys
satisfy the
conditions (), where are
given positive divisors of . Then via connecting the universal hashing
problem to the number of solutions of restricted linear congruences, we prove
that the family GRDH is an -almost--universal family of
hash functions for some if and only if is odd and
. Furthermore, if these conditions are
satisfied then GRDH is -almost--universal, where is
the smallest prime divisor of . Finally, as an application of our results,
we propose an authentication code with secrecy scheme which strongly
generalizes the scheme studied by Alomair et al. [{\it J. Math. Cryptol.} {\bf
4} (2010), 121--148], and [{\it J.UCS} {\bf 15} (2009), 2937--2956].Comment: International Journal of Foundations of Computer Science, to appea
Faster 64-bit universal hashing using carry-less multiplications
Intel and AMD support the Carry-less Multiplication (CLMUL) instruction set
in their x64 processors. We use CLMUL to implement an almost universal 64-bit
hash family (CLHASH). We compare this new family with what might be the fastest
almost universal family on x64 processors (VHASH). We find that CLHASH is at
least 60% faster. We also compare CLHASH with a popular hash function designed
for speed (Google's CityHash). We find that CLHASH is 40% faster than CityHash
on inputs larger than 64 bytes and just as fast otherwise
LightBox: Full-stack Protected Stateful Middlebox at Lightning Speed
Running off-site software middleboxes at third-party service providers has
been a popular practice. However, routing large volumes of raw traffic, which
may carry sensitive information, to a remote site for processing raises severe
security concerns. Prior solutions often abstract away important factors
pertinent to real-world deployment. In particular, they overlook the
significance of metadata protection and stateful processing. Unprotected
traffic metadata like low-level headers, size and count, can be exploited to
learn supposedly encrypted application contents. Meanwhile, tracking the states
of 100,000s of flows concurrently is often indispensable in production-level
middleboxes deployed at real networks.
We present LightBox, the first system that can drive off-site middleboxes at
near-native speed with stateful processing and the most comprehensive
protection to date. Built upon commodity trusted hardware, Intel SGX, LightBox
is the product of our systematic investigation of how to overcome the inherent
limitations of secure enclaves using domain knowledge and customization. First,
we introduce an elegant virtual network interface that allows convenient access
to fully protected packets at line rate without leaving the enclave, as if from
the trusted source network. Second, we provide complete flow state management
for efficient stateful processing, by tailoring a set of data structures and
algorithms optimized for the highly constrained enclave space. Extensive
evaluations demonstrate that LightBox, with all security benefits, can achieve
10Gbps packet I/O, and that with case studies on three stateful middleboxes, it
can operate at near-native speed.Comment: Accepted at ACM CCS 201
MoPS: A Modular Protection Scheme for Long-Term Storage
Current trends in technology, such as cloud computing, allow outsourcing the
storage, backup, and archiving of data. This provides efficiency and
flexibility, but also poses new risks for data security. It in particular
became crucial to develop protection schemes that ensure security even in the
long-term, i.e. beyond the lifetime of keys, certificates, and cryptographic
primitives. However, all current solutions fail to provide optimal performance
for different application scenarios. Thus, in this work, we present MoPS, a
modular protection scheme to ensure authenticity and integrity for data stored
over long periods of time. MoPS does not come with any requirements regarding
the storage architecture and can therefore be used together with existing
archiving or storage systems. It supports a set of techniques which can be
plugged together, combined, and migrated in order to create customized
solutions that fulfill the requirements of different application scenarios in
the best possible way. As a proof of concept we implemented MoPS and provide
performance measurements. Furthermore, our implementation provides additional
features, such as guidance for non-expert users and export functionalities for
external verifiers.Comment: Original Publication (in the same form): ASIACCS 201
- …