KALwEN: a new practical and interoperable key management scheme for body sensor networks
Key management is the pillar of a security architecture. Body sensor networks (BSNs) pose several challenges, some inherited from wireless sensor networks (WSNs) and some unique to BSNs, that call for a tailor-made key management scheme. We take on this challenge with KALwEN, a new parameterized key management scheme that combines the best-suited cryptographic techniques in a seamless framework. KALwEN is user-friendly in the sense that it requires no expert knowledge from the user, only that the user follow a simple set of instructions when bootstrapping or extending a network. One of KALwEN's key features is that it allows sensor devices from different manufacturers, which cannot be expected to hold any pre-shared secret, to establish secure communications with each other. KALwEN is decentralized: it does not rely on the availability of a local processing unit (LPU). KALwEN supports secure global broadcast, local broadcast, and local (neighbor-to-neighbor) unicast, while preserving past key secrecy and future key secrecy (FKS). The cryptographic protocols of KALwEN have also been formally verified, which makes a convincing case. With both formal verification and experimental evaluation, our results should appeal to theorists and practitioners alike.
Chip and Skim: cloning EMV cards with the pre-play attack
EMV, also known as "Chip and PIN", is the leading system for card payments worldwide. It is used throughout Europe and much of Asia, and is starting to be introduced in North America too. Payment cards contain a chip so they can execute an authentication protocol. This protocol requires point-of-sale (POS) terminals or ATMs to generate a nonce, called the unpredictable number, for each transaction to ensure it is fresh. We have discovered that some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this number. This exposes them to a "pre-play" attack which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically (in the sense of extracting the key material and loading it into another card). Card cloning is the very type of fraud that EMV was supposed to prevent. We describe how we detected the vulnerability, a survey methodology we developed to chart the scope of the weakness, evidence from ATM and terminal experiments in the field, and our implementation of proof-of-concept attacks. We found flaws in widely-used ATMs from the largest manufacturers. We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit. Pre-play attacks may also be carried out by malware in an ATM or POS terminal, or by a man-in-the-middle between the terminal and the acquirer. We explore the design and implementation mistakes that enabled the flaw to evade detection until now: shortcomings of the EMV specification, of the EMV kernel certification process, of implementation testing, of formal analysis, and of monitoring customer complaints. Finally we discuss countermeasures.
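To make the pre-play mechanism concrete, here is an added illustration (not code from the paper, nor from any EMV kernel) of why a predictable "unpredictable number" lets an attacker bank cryptograms in advance. The cryptogram is modelled as a truncated HMAC-SHA256 over the transaction fields rather than the real 3DES/AES session-key MAC; the key, amount and date are constructed values; and `CounterTerminal`, `RandomTerminal`, `predict_next_uns` and `looks_predictable` are hypothetical names for the simulation. The `looks_predictable` check is a crude stand-in for the kind of field survey the abstract mentions, not the paper's methodology.

```python
"""Simplified model of the EMV 'pre-play' attack.

Added illustration, not code from the Chip and Skim paper. The card's
cryptogram (ARQC) is modelled as a truncated HMAC-SHA256 over the transaction
fields; real EMV uses 3DES/AES session keys derived from the ATC, but the
cryptogram's dependence on the terminal's unpredictable number (UN) is the
same, and that dependence is all the attack needs.
"""
import hashlib
import hmac
import os

CARD_KEY = b"\x11" * 16  # constructed: secret shared by a hypothetical card and its issuer
AMOUNT = 5000            # constructed: transaction amount in cents
DATE = b"240101"         # constructed: transaction date, YYMMDD


def cryptogram(key, amount, date, un, atc):
    """MAC over the data the card signs; the UN is what is supposed to make it fresh."""
    msg = amount.to_bytes(6, "big") + date + un + atc.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """Genuine card: bumps its transaction counter and signs whatever UN it is handed."""

    def __init__(self, key):
        self.key = key
        self.atc = 0

    def generate_ac(self, amount, date, un):
        self.atc += 1
        return self.atc, cryptogram(self.key, amount, date, un, self.atc)


class CounterTerminal:
    """Weak terminal: the 'unpredictable' number is just a 32-bit counter."""

    def __init__(self, start):
        self.n = start

    def next_un(self):
        self.n = (self.n + 1) & 0xFFFFFFFF
        return self.n.to_bytes(4, "big")


class RandomTerminal:
    """Correct terminal: the UN comes from the OS CSPRNG."""

    def next_un(self):
        return os.urandom(4)


def predict_next_uns(observed, how_many):
    """Attacker's bet that the terminal is a counter: the next UNs follow the observed one."""
    base = int.from_bytes(observed, "big")
    return [((base + i) & 0xFFFFFFFF).to_bytes(4, "big") for i in range(1, how_many + 1)]


def issuer_verify(key, amount, date, un, atc, ac):
    """The issuing bank recomputes the MAC; a pre-played cryptogram verifies like a live one."""
    return hmac.compare_digest(cryptogram(key, amount, date, un, atc), ac)


def run_pre_play(terminal, harvest=8):
    """True if the issuer accepts a transaction in which the real card never took part."""
    card = Card(CARD_KEY)
    # 1. Attacker observes one UN issued by the target terminal (an earlier transaction).
    observed = terminal.next_un()
    # 2. With brief access to the victim's card (e.g. a tampered POS), the attacker asks it
    #    for cryptograms under the UNs the terminal is predicted to issue next.
    harvested = {un: card.generate_ac(AMOUNT, DATE, un)
                 for un in predict_next_uns(observed, harvest)}
    # 3. Later a fake card holding only the harvested (UN -> ATC, ARQC) table is presented.
    live_un = terminal.next_un()
    if live_un not in harvested:
        return False  # UN was not predicted: the attack fails
    atc, ac = harvested[live_un]
    # 4. The issuer's check passes; its log is identical to a genuine card transaction.
    return issuer_verify(CARD_KEY, AMOUNT, DATE, live_un, atc, ac)


def looks_predictable(samples):
    """Crude field check: flag UN sequences that repeat, advance with a constant stride
    (counter) or never decrease (timestamp-like). A False here does not prove randomness."""
    vals = [int.from_bytes(s, "big") for s in samples]
    if len(vals) < 3:
        return False  # too few samples to judge
    if len(set(vals)) < len(vals):
        return True
    diffs = [b - a for a, b in zip(vals, vals[1:])]
    return len(set(diffs)) == 1 or all(d > 0 for d in diffs)
```

`run_pre_play(CounterTerminal(1000))` returns True while `run_pre_play(RandomTerminal())` returns False: the only thing that changed is the quality of the UN, and in both cases the issuer sees a well-formed ARQC under the card's key, which is why bank logs alone cannot settle the dispute the abstract describes.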
Side-Information Coding with Turbo Codes and its Application to Quantum Key Distribution
Turbo coding is a powerful class of forward error correcting codes, which can achieve performances close to the Shannon limit. The turbo principle can be applied to the problem of side-information source coding, and we investigate here its application to the reconciliation problem occurring in a continuous-variable quantum key distribution protocol.
Comment: 3 pages, submitted to ISITA 200
Towards practicalization of blockchain-based decentralized applications
Blockchain can be defined as an immutable ledger for recording transactions, maintained in a distributed network of mutually untrusting peers. Blockchain technology has been widely applied to various fields beyond its initial usage of cryptocurrency. However, blockchain itself is insufficient to meet all the desired security or efficiency requirements for diversified application scenarios. This dissertation focuses on two core functionalities that blockchain provides, i.e., robust storage and reliable computation. Three concrete application scenarios including Internet of Things (IoT), cybersecurity management (CSM), and peer-to-peer (P2P) content delivery network (CDN) are utilized to elaborate the general design principles for these two main functionalities. Among them, the IoT and CSM applications involve the design of blockchain-based robust storage and management while the P2P CDN requires reliable computation. Such general design principles derived from disparate application scenarios have the potential to realize practicalization of many other blockchain-enabled decentralized applications.
In the IoT application, blockchain-based decentralized data management is capable of handling faulty nodes, as designed in the cybersecurity application. But an important issue lies in the interaction between the external network and the blockchain network, i.e., external clients must rely on a relay node to communicate with the full nodes in the blockchain. Compromise of such relay nodes may result in a security breach and even a blockage of IoT sensors from the network. Therefore, a censorship-resistant blockchain-based decentralized IoT management system is proposed. Experimental results from a proof-of-concept implementation and deployment in a real distributed environment show the feasibility and effectiveness in achieving censorship resistance.
The CSM application incorporates blockchain to provide robust storage of historical cybersecurity data so that with a certain level of cyber intelligence, a defender can determine if a network has been compromised and to what extent. The CSM functions can be categorized into three classes: Network-centric (N-CSM), Tools-centric (T-CSM) and Application-centric (A-CSM). The cyber intelligence identifies new attackers, victims, or defense capabilities. Moreover, a decentralized storage network (DSN) is integrated to reduce on-chain storage costs without undermining its robustness. Experiments with the prototype implementation and real-world cyber datasets show that the blockchain-based CSM solution is effective and efficient.
The P2P CDN application explores and utilizes the functionality of reliable computation that blockchain empowers. In particular, P2P CDN is promising in providing benefits such as cost saving and scalable peak-demand handling compared with centralized CDNs. However, reliable P2P delivery requires proper enforcement of delivery fairness. Unfortunately, most existing studies on delivery fairness are based on non-cooperative game-theoretic assumptions that are arguably unrealistic in the ad-hoc P2P setting. To address this issue, an expressive security requirement for fair P2P content delivery is defined and two efficient blockchain-based approaches for P2P downloading and P2P streaming are proposed. The proposed system guarantees fairness for each party even when all others collude to arbitrarily misbehave, and achieves asymptotically optimal on-chain costs and optimal delivery communication.
FlexiChain 2.0: NodeChain Assisting Integrated Decentralized Vault for Effective Data Authentication and Device Integrity in Complex Cyber-Physical Systems
Distributed Ledger Technology (DLT) was introduced, using the most common consensus algorithms, either for an electronic cash system or for a decentralized programmable-asset platform that provides general services. Most established reliable networks are unsuitable for all applications, such as smart city applications and, in particular, Internet of Things (IoT) and Cyber-Physical Systems (CPS) applications. The purpose of this paper is to provide a DLT suited to IoT and CPS that can satisfy their requirements. The proposed work has been designed around the requirements of Cyber-Physical Systems. FlexiChain is proposed as a layer-zero network that can be formed from independent blockchains. NodeChain is introduced as a distributed Unique ID (UID) aggregation vault that secures all nodes' UIDs; it mainly serves FlexiChain for all node security requirements and targets the security and integrity of each node. The linked UIDs also create a chain of narration that keeps track not merely of assets but also of who authenticated those assets. The security results show higher resistance against four types of attacks, and the strength of the network is shown from its early stages compared with a blockchain and a central authority. FlexiChain is introduced as a layer-zero network for all CPS decentralized applications, taking their requirements into account. FlexiChain relies on lightweight processing mechanisms and introduces other methods to increase security.
Forward Pass: On the Security Implications of Email Forwarding Mechanism and Policy
The critical role played by email has led to a range of extension protocols
(e.g., SPF, DKIM, DMARC) designed to protect against the spoofing of email
sender domains. These protocols are complex as is, but are further complicated
by automated email forwarding -- used by individual users to manage multiple
accounts and by mailing lists to redistribute messages. In this paper, we
explore how such email forwarding and its implementations can break the
implicit assumptions in widely deployed anti-spoofing protocols. Using
large-scale empirical measurements of 20 email forwarding services (16 leading
email providers and four popular mailing list services), we identify a range of
security issues rooted in forwarding behavior and show how they can be combined
to reliably evade existing anti-spoofing controls. We show how this allows
attackers to not only deliver spoofed email messages to prominent email
providers (e.g., Gmail, Microsoft Outlook, and Zoho), but also reliably spoof
email on behalf of tens of thousands of popular domains including sensitive
domains used by organizations in government (e.g., state.gov), finance (e.g.,
transunion.com), law (e.g., perkinscoie.com) and news (e.g.,
washingtonpost.com) among others.
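As an added example (not code from the Forward Pass paper and not a reproduction of its measurements), the toy evaluator below walks a constructed message through SPF, DKIM and DMARC, first delivered directly and then after a forwarding hop. The domains (sender.example, fwd.example, attacker.example), addresses, IPs and keys are all constructed, and DKIM is modelled with an HMAC instead of RSA. It shows the two generic assumptions that forwarding strains: SPF authenticates only the envelope sender against the connecting IP, so a forwarder that rewrites the envelope (SRS-style) earns an SPF pass for its own domain that says nothing about the From: header, and a list that tags the subject invalidates the original DKIM signature. Whether a given provider's handling of these cases is exploitable is the paper's question; this example only makes the mechanics visible.

```python
"""Toy SPF/DKIM/DMARC evaluation across a forwarding hop.

Added example, not code from the Forward Pass paper and not a reproduction of
its measurements. The 'DNS' below is a constructed in-memory table, and DKIM
signatures are modelled with HMAC over the signed headers and body (standing
in for RSA), which is enough to show when a signature survives forwarding.
"""
import hashlib
import hmac

# Constructed records for two hypothetical domains: sender.example (the From: domain)
# and fwd.example (a forwarding service or mailing list).
SPF_ALLOWED = {"sender.example": {"192.0.2.10"}, "fwd.example": {"198.51.100.5"}}
DKIM_KEYS = {("sender.example", "s1"): b"sender-dkim-key"}  # secret stands in for a public key
DMARC_POLICY = {"sender.example": "reject"}
SIGNED_HEADERS = ("From", "Subject")


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()


def make_message(ip, mail_from, hdr_from, subject, body):
    """Minimal message: connecting IP, SMTP envelope sender, and the headers that matter here."""
    return {"ip": ip, "mail_from": mail_from, "From": hdr_from, "Subject": subject, "body": body}


def _dkim_input(msg):
    return ("\n".join(f"{h}:{msg[h]}" for h in SIGNED_HEADERS) + "\n" + msg["body"]).encode()


def dkim_sign(msg, d, selector):
    """Signer side: binds From:, Subject: and the body to the d= domain."""
    mac = hmac.new(DKIM_KEYS[(d, selector)], _dkim_input(msg), hashlib.sha256).hexdigest()
    msg["DKIM-Signature"] = {"d": d, "s": selector, "b": mac}
    return msg


def dkim_verify(msg):
    """Returns the d= domain of a valid signature, or None."""
    sig = msg.get("DKIM-Signature")
    key = DKIM_KEYS.get((sig["d"], sig["s"])) if sig else None
    if key is None:
        return None
    expected = hmac.new(key, _dkim_input(msg), hashlib.sha256).hexdigest()
    return sig["d"] if hmac.compare_digest(expected, sig["b"]) else None


def spf_result(msg):
    """SPF checks the envelope sender's domain against the connecting IP, nothing more."""
    return "pass" if msg["ip"] in SPF_ALLOWED.get(domain_of(msg["mail_from"]), set()) else "fail"


def dmarc_verdict(msg):
    """DMARC passes only if an authenticated identifier is aligned with the From: domain
    (strict alignment here; relaxed alignment would compare organizational domains)."""
    from_dom = domain_of(msg["From"])
    spf_aligned = spf_result(msg) == "pass" and domain_of(msg["mail_from"]) == from_dom
    dkim_aligned = dkim_verify(msg) == from_dom
    if spf_aligned or dkim_aligned:
        return "pass"
    return "fail:" + DMARC_POLICY.get(from_dom, "none")


def forward(msg, hop_ip, rewrite_envelope=False, subject_tag=None):
    """Model a forwarding hop. Rewriting the envelope (SRS-style) repairs SPF for the
    forwarder's own domain; a subject tag, as mailing lists add, breaks the DKIM signature."""
    out = dict(msg)
    out["ip"] = hop_ip
    if rewrite_envelope:
        out["mail_from"] = "bounces@fwd.example"
    if subject_tag:
        out["Subject"] = f"{subject_tag} {out['Subject']}"
    return out


def scenarios():
    """Four constructed deliveries and the verdict each one receives."""
    genuine = dkim_sign(make_message("192.0.2.10", "alice@sender.example",
                                     "alice@sender.example", "Q3 report", "see attached"),
                        "sender.example", "s1")
    # Attacker submits a message claiming to be alice via the forwarder; no valid DKIM.
    spoof = make_message("203.0.113.7", "x@attacker.example", "alice@sender.example",
                         "Urgent", "pay this invoice")
    spoof_fwd = forward(spoof, "198.51.100.5", rewrite_envelope=True)
    return {
        "direct": dmarc_verdict(genuine),
        "forwarded_unmodified": dmarc_verdict(forward(genuine, "198.51.100.5")),
        "forwarded_by_list": dmarc_verdict(forward(genuine, "198.51.100.5",
                                                   rewrite_envelope=True, subject_tag="[list]")),
        "spoof_via_forwarder_spf_only": spf_result(spoof_fwd) == "pass",
        "spoof_via_forwarder_dmarc": dmarc_verdict(spoof_fwd),
    }
```

A receiver that stops at `spf_result` accepts the forwarded spoof, because the forwarder's rewritten envelope legitimately passes SPF for fwd.example; `dmarc_verdict` rejects it because neither authenticated identifier aligns with sender.example. The same alignment rule is what sends genuine mail through a subject-tagging list to `fail:reject`, which is the tension between forwarding and anti-spoofing that the abstract refers to.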
- …