475 research outputs found

    DSTC: DNS-based Strict TLS Configurations

    Most TLS clients such as modern web browsers enforce coarse-grained TLS security configurations. They support legacy versions of the protocol that have known design weaknesses, and weak ciphersuites that provide fewer security guarantees (e.g. non Forward-Secrecy), mainly to provide backward compatibility. This opens doors to downgrade attacks, as is the case of the POODLE attack [18], which exploits the client's silent fallback to downgrade the protocol version to exploit the legacy version's flaws. To achieve a better balance between security and backward compatibility, we propose a DNS-based mechanism that enables TLS servers to advertise their support for the latest version of the protocol and strong ciphersuites (that provide Forward-Secrecy and Authenticated-Encryption simultaneously). This enables clients to consider prior knowledge about the servers' TLS configurations to enforce a fine-grained TLS configurations policy. That is, the client enforces strict TLS configurations for connections going to the advertising servers, while enforcing default configurations for the rest of the connections. We implement and evaluate the proposed mechanism and show that it is feasible, and incurs minimal overhead. Furthermore, we conduct a TLS scan for the top 10,000 most visited websites globally, and show that most of the websites can benefit from our mechanism

    Secure Connectivity With Persistent Identities

    In the current Internet the Internet Protocol address is burdened with two roles. It serves as the identifier and the locator for the host. As the host moves, its identity changes with its locator. The research community thinks that the Future Internet will include identifier-locator split in some form. Identifier-locator split is seen as the solution to multiple problems. However, identifier-locator split introduces multiple new problems to the Internet. In this dissertation we concentrate on: the feasibility of using identifier-locator split with legacy applications, securing the resolution steps, using the persistent identity for access control, improving mobility in environments using multiple address families and so improving the disruption tolerance for connectivity. The proposed methods achieve theoretical and practical improvements over the earlier state of the art. To raise the overall awareness, our results have been published in interdisciplinary forums.

    In today's Internet the IP address is burdened with two different roles. IP serves as the address of the end device, but often also as its identity. The device's identity then changes as the device moves, because the device's address changes. In the research community's view, separating location and identity is essential in the Future Internet. However, separating location and identity brings up a set of new problems. This dissertation focuses on determining the effect of separating location and identity on existing applications that use the network, securing the translation of names into addresses, easing the use of long-lived identities in access control, and improving the ability of connections to survive mobility in environments with multiple address families. The methods proposed in the dissertation achieve both theoretical and practical advantages compared with methods presented earlier in the literature. The results achieved have been published in forums of different fields.

    MySmartPi

    Nowadays, accessing the Internet in a secure way is a big concern for many people due to the increase in cybersecurity attacks and the vulnerability of the data that is transferred online. In order to address such vulnerabilities, the use of a Virtual Private Network is really important, not only for security reasons, but also to access resources of the network, such as printers, files or web pages. Considering that many people, especially IT students, are curious and enjoy creating their own technologies, this project aims to create a user manual to teach people how to create their own VPN server at home using a Raspberry Pi and to access their files and folders which are in the network. For that, tutorials were used and adapted in order to install the VPN server and NAS. In order to prove that the whole process was successful, some tools, such as Wireshark, were used to show how the network traffic works once the VPN is used. The process was successful and many concepts were learnt and used, such as cryptography, port forwarding, dynamic DNS, OpenVPN, etc.

    ELLIPTIC CURVE CRYPTOGRAPHY

    In this article the main points of ECC's application and structure are reviewed. The main advantages of ECC are described. The aim of this article is to systematize information on the practical application of elliptic curves and its general terms, and to touch on the topic of ECC's popularity. Another interesting part of the article is the question of patents, mostly Certicom's patents. An encouraging fact is that the question of ECC is explored by the ECC Workshop; since 1997 a series of conferences on the ECC theme has been held. The last one took place in 2013. Since the first ECC workshop, held in 1997 in Waterloo, the ECC conference series has broadened its scope beyond elliptic curve cryptography and now covers a wide range of areas within modern cryptography. The table at the end of the article compares key sizes and the main points of ECC and RSA. The conclusion is that ECC provides much more confidence in use than first-generation public key cryptography systems. Equations based on elliptic curves are easy to perform and extremely difficult to reverse, and they are in demand.

    This article sets out the main points of application of elliptic cryptography and its structure. The aim of this article is to systematize information on the practical application of elliptic curves and its basic concepts, and to touch on the topic of the popularity of elliptic curves. Another interesting part of the article is the question of patenting, mostly Certicom's patents. An encouraging fact is that the question of elliptic cryptography is explored by the "ECC Workshop"; since 1997 a series of conferences has been held. The last conference was held in 2013. Since the first workshop, which took place in 1997 in Waterloo, the conference series has broadened its scope beyond elliptic cryptography and now covers a wide range of areas in modern cryptography. The table at the end of the article compares key sizes and the main points of RSA and elliptic cryptography. The conclusion is that elliptic cryptography provides much greater secrecy than the use of public key cryptography. Equations based on elliptic curves are easy to use and hard to reverse, and they are in demand.

    The structure of elliptic cryptography, its form and its main applications are examined. The main advantages of using elliptic cryptography compared with RSA and others are characterized. The main historical dates for this branch of cryptography are set out. The main data on the patents related to it, proposed by NIST, are collected. A comparison of RSA and elliptic cryptography is given in the form of a table. It was believed that elliptic curves would succeed in cryptography because of some of their properties, such as key length, lower demands on performance, and reliability. Elliptic curves are used for data transmission in TLS, SSH, smart cards, Bitcoin, C++, and Apple's iMessage service. At present the question of elliptic curves is actively pursued by the steering committee of the "ECC Workshops", headed by Tanja Lange (Technische Universiteit Eindhoven, Netherlands), Chair Alfred Menezes (University of Waterloo, Canada), Christof Paar (Ruhr-Universität Bochum, Germany), and Scott Vanstone (University of Waterloo, Canada). The ECC Workshop is a series of annual workshops devoted to the study of elliptic cryptography and related areas. Since the first workshop in 1997 in Waterloo, the conference on elliptic curves has broadened its scope beyond elliptic cryptography and now covers a wide range of areas of modern cryptography.

    An integrated security Protocol communication scheme for Internet of Things using the Locator/ID Separation Protocol Network

    Internet of Things communication is mainly based on a machine-to-machine pattern, where devices are globally addressed and identified. However, as the number of connected devices increases, the burdens on the network infrastructure increase as well. The major challenges are the size of the routing tables and the efficiency of the current routing protocols in the Internet backbone. To address these problems, an Internet Engineering Task Force (IETF) working group, along with the research group at Cisco, are still working on the Locator/ID Separation Protocol as a routing architecture that can provide new semantics for IP addressing, to simplify routing operations and improve scalability in the future of the Internet, such as the Internet of Things. Nonetheless, the Locator/ID Separation Protocol is still at an early stage of implementation, and its security protocol, e.g. Internet Protocol Security (IPSec), in particular, is still in its infancy. Based on this, three scenarios were considered. Firstly, in the initial stage, each Locator/ID Separation Protocol-capable router needs to register with a Map-Server. This is known as the Registration Stage. Nevertheless, this stage is vulnerable to masquerading and content poisoning attacks. Secondly, in the address resolving stage, the Locator/ID Separation Protocol Map Server (MS) accepts Map-Requests from Ingress Tunnel Routers and Egress Tunnel Routers. These routers in turn look up the database and return the requested mapping to the endpoint user. However, this stage lacks data confidentiality and mutual authentication. Furthermore, the Locator/ID Separation Protocol limits the efficiency of the security protocol which works against redirecting the data or acting as fake routers. Thirdly, as a result of the vast increase in the different Internet of Things devices, the interconnected links between these devices increase vastly as well. Thus, the communication between the devices can be easily exposed to disclosures by attackers, such as Man in the Middle (MitM) and Denial of Service (DoS) attacks. This research provided a comprehensive study of Communication and Mobility in the Internet of Things as well as the taxonomy of different security protocols. It went on to investigate the security threats and vulnerabilities of the Locator/ID Separation Protocol using the X.805 framework standard. Then three security protocols were provided to secure the exchanged transitions of communication in the Locator/ID Separation Protocol. The first security protocol was implemented to secure the Registration stage of Locator/ID separation using an ID-based cryptography method. The second security protocol was implemented to address the Resolving stage in the Locator/ID Separation Protocol between the Ingress Tunnel Router and Egress Tunnel Router using Challenge-Response authentication and a Key Agreement technique. The third security protocol was proposed, analysed and evaluated for Internet of Things communication devices. This protocol was based on authentication and group key agreement using the El-Gamal concept. The developed protocols set an interface between each level of the phase to achieve a security refinement architecture for the Internet of Things based on the Locator/ID Separation Protocol. These protocols were verified using Automated Validation of Internet Security Protocols and Applications (AVISPA), which is a push-button tool for the automated validation of security protocols, and achieved results demonstrating that they do not have any security flaws. Finally, a performance analysis and an evaluation of the security refinement protocol were conducted using the Contiki and Cooja simulation tools. The results of the performance analysis showed that the security refinement was highly scalable and memory-efficient, as it needed only 72 bytes of memory to store the keys in the Wireless Sensor Network (WSN) device.

    Protection of Information and Communications in Distributed Systems and Microservices

    Distributed systems have been a topic of discussion since the 1980s, but the adoption of microservices has raised the number of system components considerably. With more decentralised distributed systems, new ways to handle authentication, authorisation and accounting (AAA) are needed, as well as ways to allow components to communicate between themselves securely. New standards and technologies have been created to deal with these new requirements, and many of them have already found their way into the most used systems and services globally. After covering AAA and separate access control models, we continue with ways to secure communications between two connecting parties, using Transport Layer Security (TLS) and other more specialised methods such as the Google-originated Secure Production Identity Framework for Everyone (SPIFFE). We also discuss X.509 certificates for ensuring identities. Next, both older time-tested and newer distributed AAA technologies are presented. After this, we look into communication between distributed components with both synchronous and asynchronous communication mechanisms, as well as into the publish/subscribe communication model popular with the rise of the streaming platform. This thesis also explores possibilities in securing communications between distributed endpoints and ways to handle AAA in a distributed context. This is showcased in a new software component that handles authentication through a separate identity endpoint using the OpenID Connect authentication protocol and stores identity in a JavaScript Object Notation formatted and cryptographically signed JSON Web Token, allowing stateless session handling, as the token can be validated by checking its signature. This enables fast and scalable session management and identity handling for any distributed system.