Extended Generalized Feistel Networks using Matrix Representation

International audienceWhile Generalized Feistel Networks have been widely studied in the literature as a building block of a block cipher, we propose in this paper a unified vision to easily represent them through a matrix representation. We then propose a new class of such schemes called Extended Generalized Feistel Networks well suited for cryptographic applications. We instantiate those proposals into two particular constructions and we finally analyze their security

The Eris hybrid cipher

An earlier paper by the same author (IACR Eprint 2008/473) suggested combining a block cipher and a stream cipher to get a strong hybrid cipher. This paper proposes a specific cipher based on those ideas, using the HC-128 stream cipher and a tweakable block cipher based on Serpent

Nonlinearity of the Round Function

In the paper we present the results which enable to calculate the nonlinearity of round functions with quite large dimensions e.g. 32x32 bits, which are used in some block ciphers. This can be applied to improve the resistance of these ciphers against linear cryptanalysis. The involved method of calculating the nonlinearity is rested on the notion of multi-dimensional Walsh transform. At the end we give the application to linear cryptanalysis of the TGR block cipher

Quantum Attacks on Type-1 Generalized Feistel Schemes

Generalized Feistel schemes (GFSs) are extremely important and extensively researched cryptographic schemes. In this paper, we investigate the security of Type-1 GFS in quantum circumstances. On the one hand, in the qCCA setting, we give a new quantum polynomial-time distinguisher on $(d^2-1)$-round Type-1 GFS with branches $d\geq3$, which extends the previous results by $(d-2)$ rounds. This leads to a more efficient analysis of type-1 GFS, that is, the complexity of some previous key-recovery attacks is reduced by a factor of $2^{\frac{(d-2)k}{2}}$, where $k$ is the key length of the internal round function. On the other hand, for CAST-256, which is a certain block cipher based on Type-1 GFS, we give a 17-round quantum distinguisher in the qCPA setting. Based on this, we construct an $r (r>17)$-round quantum key-recovery attack with complexity $O(2^{\frac{37(r-17)}{2}})$

Web Browser Extension for Page Analysis

Cílem téhle práce je vytvořit rozšiřující modul webové prohlížeče se zaměřením na technologií WebExtensions. Rozšiřující modul umožní uživateli odeslat detaily o aktuálně zobrazené webové stránce a jejím textovém obsahu do serverové aplikace provádějící další analýzu a zobrazení výsledku. Rozšiřují modul je realizován pomocí technologie Extension APIs, ale je také podporován ve webových prohlížečích založených na WebExtensions. Komunikace mezi rozšiřujícím modulem a serverem je realizována pomocí XMLHttpRequest. Serverová aplikace je realizována v jazyce PHP.The purpose of this thesis is to create a WebExtensions oriented module for a web browser. An extension module allows the user to submit details about the currently displayed web page and text content to a server application for thorough analysis and displaying the result. It is built on ExtensionAPIs, but is also supported in WebExtensions based web browsers. The communication between the extension module and the server is realized by XMLHttpRequest and the server application itself is implemented in PHP.

IP traceback marking scheme based DDoS defense.

Ping Yan.Thesis submitted in: December 2004.Thesis (M.Phil.)--Chinese University of Hong Kong, 2005.Includes bibliographical references (leaves 93-100).Abstracts in English and Chinese.Abstract --- p.iAcknowledgement --- p.iiiChapter 1 --- INTRODUCTION --- p.1Chapter 1.1 --- The Problem --- p.1Chapter 1.2 --- Research Motivations and Objectives --- p.3Chapter 1.3 --- The Rationale --- p.8Chapter 1.4 --- Thesis Organization --- p.9Chapter 2 --- BACKGROUND STUDY --- p.10Chapter 2.1 --- Distributed Denial of Service Attacks --- p.10Chapter 2.1.1 --- Taxonomy of DoS and DDoS Attacks --- p.13Chapter 2.2 --- IP Traceback --- p.17Chapter 2.2.1 --- Assumptions --- p.18Chapter 2.2.2 --- Problem Model and Performance Metrics --- p.20Chapter 2.3 --- IP Traceback Proposals --- p.24Chapter 2.3.1 --- Probabilistic Packet Marking (PPM) --- p.24Chapter 2.3.2 --- ICMP Traceback Messaging --- p.26Chapter 2.3.3 --- Logging --- p.27Chapter 2.3.4 --- Tracing Hop-by-hop --- p.29Chapter 2.3.5 --- Controlled Flooding --- p.30Chapter 2.4 --- DDoS Attack Countermeasures --- p.30Chapter 2.4.1 --- Ingress/Egress Filtering --- p.33Chapter 2.4.2 --- Route-based Distributed Packet Filtering (DPF) --- p.34Chapter 2.4.3 --- IP Traceback Based Intelligent Packet Filtering --- p.35Chapter 2.4.4 --- Source-end DDoS Attack Recognition and Defense --- p.36Chapter 2.4.5 --- Classification of DDoS Defense Methods --- p.38Chapter 3 --- ADAPTIVE PACKET MARKING SCHEME --- p.41Chapter 3.1 --- Scheme Overview --- p.41Chapter 3.2 --- Adaptive Packet Marking Scheme --- p.44Chapter 3.2.1 --- Design Motivation --- p.44Chapter 3.2.2 --- Marking Algorithm Basics --- p.46Chapter 3.2.3 --- Domain id Marking --- p.49Chapter 3.2.4 --- Router id Marking --- p.51Chapter 3.2.5 --- Attack Graph Reconstruction --- p.53Chapter 3.2.6 --- IP Header Overloading --- p.56Chapter 3.3 --- Experiments on the Packet Marking Scheme --- p.59Chapter 3.3.1 --- Simulation Set-up --- p.59Chapter 3.3.2 --- Experimental Results and Analysis --- p.61Chapter 4 --- DDoS DEFENSE SCHEMES --- p.67Chapter 4.1 --- Scheme I: Packet Filtering at Victim-end --- p.68Chapter 4.1.1 --- Packet Marking Scheme Modification --- p.68Chapter 4.1.2 --- Packet Filtering Algorithm --- p.69Chapter 4.1.3 --- Determining the Filtering Probabilities --- p.70Chapter 4.1.4 --- Suppressing Packets Filtering with did Markings from Nearby Routers --- p.73Chapter 4.2 --- Scheme II: Rate Limiting at the Sources --- p.73Chapter 4.2.1 --- Algorithm of the Rate-limiting Scheme --- p.74Chapter 4.3 --- Performance Measurements for Scheme I & Scheme II . --- p.77Chapter 5 --- CONCLUSION --- p.87Chapter 5.1 --- Contributions --- p.87Chapter 5.2 --- Discussion and Future Work --- p.91Bibliography --- p.10

Diseño de un Sistema de Criptografía Asimétrica para dotar Seguridad de Confidencialidad e Integridad a las Comunicaciones SMTP y SFTP para Scharff Logística Integrada S.A.

El correo electrónico se ha convertido en uno de los métodos de comunicación más importantes para cualquier persona y organización. Sin embargo, los estándares actuales de la industria no ponen énfasis en la seguridad del correo electrónico. Los correos electrónicos pueden ser interceptados fácilmente por otros. Potencialmente, cada correo electrónico no cifrado enviado a través de una red o almacenado en un servidor de correo electrónico puede leerse, copiarse o modificarse. Existe una gran necesidad de entrega segura de correo electrónico. Algunos proveedores de servicios de correo electrónico, como Google, tomaron algunas medidas para mejorar la protección de la privacidad basada en el protocolo https. La principal motivación para https es evitar las escuchas telefónicas y los ataques de hombre en el medio. Esto, proporciona autenticación del sitio web de Gmail y el servidor web asociado con el que se está comunicando, y proporciona cifrado bidireccional de las comunicaciones entre una computadora cliente y el servidor de Gmail. En la práctica, esta es una garantía razonable de que uno se está comunicando con el servidor de Gmail con el que está destinado a comunicarse, así como también asegurar que el contenido de las comunicaciones entre el usuario y el servidor de Gmail no pueda ser leído o falsificado por ningún tercero. Sin embargo, https solo evita que los correos electrónicos sean rastreados durante la transmisión de red. No impide que los administradores del servidor de correo electrónico, o cualquier otra persona que pueda acceder a varios servidores de correo electrónico para leer los mensajes de correo electrónico, porque https no es un cifrado de extremo a extremo. La organización en la que se basa este trabajo tiene más de 30 años en el mercado con las comunicaciones por correo electrónico y SFTP. La tesis identificó problemas de comunicación por correo electrónico y otros protocolos sin asegurar la data enviada, así como en quiénes debían tener acceso a los datos; además, se encontró problemas en la confidencialidad e integridad en la información enviada; finalmente, se requería un diseño de un sistema criptográfico para dotar de seguridad las comunicaciones y así tener acceso a la información desde cualquier lugar, dispositivo, y cualquier momento. La tesis analizó las opciones en el mercado y determinó el uso del estándar PGP como la solución más adecuada para el proyecto.Email has become one of the most important communication methods for any person and organization. However, current industry standards do not emphasize email security. Emails can be intercepted by others easily. Potentially, every not encrypted email sent over a network or stored on an email server can be read, copied, or modified. There is a great need for safe email delivery. Some email service providers, such as Google, took some steps to improve privacy protection based on the https protocol. The main motivation for https is to prevent wiretapping and the attacks of man in the middle. This provides authentication of the Gmail website and the associated web server with which you are communicating, and provides bidirectional encryption of communications between a client computer and the Gmail server. In practice, this is a reasonable guarantee that one is communicating with the Gmail server with which it is destined to communicate, as well as ensuring that the content of the communications between the user and the Gmail server cannot be read or falsified by any third party. However, https only prevents emails from being tracked during network transmission. It does not prevent email server administrators, or anyone else who can access multiple email servers to read email messages, because https is not end to end encryption. The organization on which this work is based, has been in the market for email and SFTP communications for more than 30 years. The thesis identified communication problems by email and other protocols without securing the data sent, as well as who should have access to the data; Furthermore, confidentiality and integrity problems were found in the information sent. Finally, a cryptographic system design is required to provide security for communications and thus have access to information from any place, device, and at any time. The thesis analyzed the options in the market and determined the use of the PGP standard as the most suitable solution for the project.Tesi

Distributed authentication for resource control

This thesis examines distributed authentication in the process of controlling computing resources. We investigate user sign-on and two of the main authentication technologies that can be used to control a resource through authentication and providing additional security services. The problems with the existing sign-on scenario are that users have too much credential information to manage and are prompted for this information too often. Single Sign-On (SSO) is a viable solution to this problem if physical procedures are introduced to minimise the risks associated with its use. The Generic Security Services API (GSS-API) provides security services in a manner in- dependent of the environment in which these security services are used, encapsulating security functionality and insulating users from changes in security technology. The un- derlying security functionality is provided by GSS-API mechanisms. We developed the Secure Remote Password GSS-API Mechanism (SRPGM) to provide a mechanism that has low infrastructure requirements, is password-based and does not require the use of long-term asymmetric keys. We provide implementations of the Java GSS-API bindings and the LIPKEY and SRPGM GSS-API mechanisms. The Secure Authentication and Security Layer (SASL) provides security to connection- based Internet protocols. After finding deficiencies in existing SASL mechanisms we de- veloped the Secure Remote Password SASL mechanism (SRP-SASL) that provides strong password-based authentication and countermeasures against known attacks, while still be- ing simple and easy to implement. We provide implementations of the Java SASL binding and several SASL mechanisms, including SRP-SASL