
    Design and analysis of group key exchange protocols

    A group key exchange (GKE) protocol allows a set of parties to agree upon a common secret session key over a public network. In this thesis, we focus on designing efficient GKE protocols using public key techniques and appropriately revising security models for GKE protocols. For the purpose of modelling and analysing the security of GKE protocols we apply the widely accepted computational complexity approach. The contributions of the thesis to the area of GKE protocols are manifold. We propose the first GKE protocol that requires only one round of communication and is proven secure in the standard model. Our protocol is generically constructed from a key encapsulation mechanism (KEM). We also suggest an efficient KEM from the literature, which satisfies the underlying security notion, to instantiate the generic protocol. We then concentrate on enhancing the security of one-round GKE protocols. A new model of security for forward secure GKE protocols is introduced and a generic one-round GKE protocol with forward security is then presented. The security of this protocol is also proven in the standard model. We also propose an efficient forward secure encryption scheme that can be used to instantiate the generic GKE protocol. Our next contributions are to the security models of GKE protocols. We observe that the analysis of GKE protocols has not been as extensive as that of two-party key exchange protocols. Particularly, the security attribute of key compromise impersonation (KCI) resilience has so far been ignored for GKE protocols. We model the security of GKE protocols addressing KCI attacks by both outsider and insider adversaries. We then show that a few existing protocols are not secure against KCI attacks. A new proof of security for an existing GKE protocol is given under the revised model assuming random oracles. Subsequently, we treat the security of GKE protocols in the universal composability (UC) framework. We present a new UC ideal functionality for GKE protocols capturing the security attribute of contributiveness. An existing protocol with minor revisions is then shown to realize our functionality in the random oracle model. Finally, we explore the possibility of constructing GKE protocols in the attribute-based setting. We introduce the concept of attribute-based group key exchange (AB-GKE). A security model for AB-GKE and a one-round AB-GKE protocol satisfying our security notion are presented. The protocol is generically constructed from a new cryptographic primitive called encapsulation policy attribute-based KEM (EP-AB-KEM), which we introduce in this thesis. We also present a new EP-AB-KEM with a proof of security assuming generic groups and random oracles. The EP-AB-KEM can be used to instantiate our generic AB-GKE protocol.
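    The abstract above states that a one-round GKE protocol can be built generically from a KEM. The following is an added illustrative construction, not the thesis's own protocol: every party holds a pre-distributed long-term KEM key pair, and in the single round each party encapsulates a fresh contribution to every other party and broadcasts the result; the session key is a hash over the party identifiers and all contributions. The KEM is a toy hashed ElGamal over the Mersenne prime 2^521-1 with no subgroup checks (an assumption for illustration only, not a secure parameter choice). The last function shows why the abstract's forward-secure variant matters: with plain long-term KEM keys, a later compromise of those keys plus the public transcript recovers every past session key.

```python
"""Illustrative one-round group key exchange (GKE) from a KEM.

Added example; not the thesis's construction.  Every party P_i holds a
long-term KEM key pair (pk_i, sk_i) known to the group.  The single round:
P_i picks a fresh contribution k_i, encapsulates to every other party and
broadcasts the wrapped contributions.  Session key = H(pids || k_1..k_n).
The KEM is toy hashed ElGamal over the Mersenne prime 2^521-1 with no
subgroup checks (assumption for illustration): NOT for real use.
"""
import hashlib
import secrets

P = (1 << 521) - 1   # toy group modulus (assumption); a group element fits in 66 bytes
G = 2                # toy generator (assumption)


def kem_keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def kem_encap(pk):
    r = secrets.randbelow(P - 2) + 1
    shared = pow(pk, r, P).to_bytes(66, "big")
    return hashlib.sha256(shared).digest(), pow(G, r, P)


def kem_decap(sk, c):
    return hashlib.sha256(pow(c, sk, P).to_bytes(66, "big")).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round1(i, pks):
    """P_i's only message: its contribution k_i, one-time-padded under a fresh
    encapsulated key for each peer j."""
    k_i = secrets.token_bytes(32)
    msg = {}
    for j, pk_j in pks.items():
        if j != i:
            kk, c = kem_encap(pk_j)
            msg[j] = (c, xor(k_i, kk))
    return k_i, msg


def derive(pids, contribs):
    """Session key: hash over the sorted party identifiers and all contributions."""
    h = hashlib.sha256()
    for pid in sorted(pids):
        h.update(pid.encode() + contribs[pid])
    return h.hexdigest()


def session_key(i, sk_i, own_k, transcript, pids):
    """What P_i computes after seeing every party's broadcast."""
    contribs = {i: own_k}
    for j in pids:
        if j != i:
            c, e = transcript[j][i]
            contribs[j] = xor(e, kem_decap(sk_i, c))
    return derive(pids, contribs)


def run_protocol(pids):
    """Run the single round for all parties; returns the session keys each party
    derived, the public transcript, and the long-term secret keys."""
    keys = {pid: kem_keygen() for pid in pids}
    pks = {pid: pk for pid, (_, pk) in keys.items()}
    own, transcript = {}, {}
    for pid in pids:
        own[pid], transcript[pid] = round1(pid, pks)
    session = {pid: session_key(pid, keys[pid][0], own[pid], transcript, pids)
               for pid in pids}
    return session, transcript, {pid: sk for pid, (sk, _) in keys.items()}


def recover_with_long_term_keys(transcript, sks, pids):
    """No forward secrecy: the transcript plus the long-term decapsulation keys
    reveal every contribution, hence every past session key."""
    contribs = {}
    for j in pids:
        i = next(p for p in pids if p != j)
        c, e = transcript[j][i]
        contribs[j] = xor(e, kem_decap(sks[i], c))
    return derive(pids, contribs)


if __name__ == "__main__":
    pids = ["alice", "bob", "carol"]
    session, transcript, sks = run_protocol(pids)
    print("all parties agree:", len(set(session.values())) == 1)
    print("recoverable from long-term keys:",
          recover_with_long_term_keys(transcript, sks, pids) == session["alice"])
```

    Because the only interactive state is the long-term KEM keys, the protocol needs just one broadcast per party; that same property is what costs it forward secrecy, which is why the abstract pairs the forward-secure variant with a forward-secure encryption scheme instead of a plain KEM.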

    Intelligent Web Crawling using Semantic Signatures

    The quantity of text added to the web in digital form continues to grow, and the quest for tools that can process this huge amount of data to retrieve the data of interest is an ongoing process. Moreover, observing these large volumes of data over a period of time is a tedious task for any human being. Text mining is very helpful in performing these kinds of tasks. Text mining is a process of observing patterns in text data using sophisticated statistical measures, both quantitatively and qualitatively. Using these text mining techniques and the power of the internet and its technologies, we have developed a tool that retrieves documents concerning topics of interest, which utilizes novel and sensitive classification tools.

    This thesis presents an intelligent web crawler, named Intel-Crawl. This tool identifies web pages of interest without the user's guidance or monitoring. Documents of interest are logged (by URL or file name). This package uses automatically generated semantic signatures to identify documents with content of interest. The tool also produces a vector that is a quantification of a document's content based on the semantic signatures. This provides a rich and sensitive characterization of the document's content. Documents are classified according to content and presented to the user for further analysis and investigation.

    Intel-Crawl may be applied to any area of interest. It is likely to be very useful in areas such as law enforcement, intelligence gathering, and monitoring changes in web site contents over time. It is well-suited for scrutinizing the web activity of a large collection of web pages pertaining to similar content. The utility of Intel-Crawl is demonstrated in various situations using different parameters and classification techniques.

    Chip and Skim: cloning EMV cards with the pre-play attack

    EMV, also known as "Chip and PIN", is the leading system for card payments worldwide. It is used throughout Europe and much of Asia, and is starting to be introduced in North America too. Payment cards contain a chip so they can execute an authentication protocol. This protocol requires point-of-sale (POS) terminals or ATMs to generate a nonce, called the unpredictable number, for each transaction to ensure it is fresh. We have discovered that some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this number. This exposes them to a "pre-play" attack which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically (in the sense of extracting the key material and loading it into another card). Card cloning is the very type of fraud that EMV was supposed to prevent. We describe how we detected the vulnerability, a survey methodology we developed to chart the scope of the weakness, evidence from ATM and terminal experiments in the field, and our implementation of proof-of-concept attacks. We found flaws in widely-used ATMs from the largest manufacturers. We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit. Pre-play attacks may also be carried out by malware in an ATM or POS terminal, or by a man-in-the-middle between the terminal and the acquirer. We explore the design and implementation mistakes that enabled the flaw to evade detection until now: shortcomings of the EMV specification, of the EMV kernel certification process, of implementation testing, formal analysis, or monitoring customer complaints. Finally we discuss countermeasures.
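    The pre-play attack the abstract describes hinges on one thing: the terminal's "unpredictable number" (UN) is guessable, so an attacker who briefly holds the card can ask it for cryptograms over the UNs the target terminal will issue later and replay them. The simulation below is an added example, not the paper's code: the card's cryptogram and the issuer's check are stand-ins (HMAC-SHA256 over a simplified amount|ATC|UN string; real EMV uses a DES-based MAC over more fields), and the two terminal classes, the counter start value and the amount are constructed for the illustration. It shows the issuer accepting a replayed cryptogram when the UN is a counter, the same attempt failing against a terminal that draws its UN from a secure generator, and a simple monitoring check for counter-like UNs.

```python
"""Pre-play against a predictable EMV 'unpredictable number' (UN).

Added example, not code from the paper.  The card MAC and issuer check are
stand-ins (HMAC-SHA256 over a simplified field layout); the terminal classes
are constructed for the illustration.
"""
import hashlib
import hmac
import secrets


def _mac(key, amount, atc, un):
    """Stand-in for the card's application cryptogram (EMV uses a DES-based MAC)."""
    data = f"{amount}|{atc}|{un}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]


class Card:
    """Simulated EMV card: secret key plus an application transaction counter (ATC)."""

    def __init__(self, key):
        self.key = key
        self.atc = 0

    def generate_ac(self, amount, un):
        """Return (ATC, ARQC); the ARQC binds amount, ATC and the terminal's UN."""
        self.atc += 1
        return self.atc, _mac(self.key, amount, self.atc, un)


def issuer_verify(key, amount, atc, un, arqc):
    """Issuer-side check: the bank sees only the transaction data and the ARQC."""
    return hmac.compare_digest(_mac(key, amount, atc, un), arqc)


class CounterTerminal:
    """Flawed terminal: the 'unpredictable number' is a plain counter (constructed)."""

    def __init__(self, start):
        self.n = start

    def unpredictable_number(self):
        self.n += 1
        return f"{self.n:08X}"


class RandomTerminal:
    """Correct terminal: 32-bit UN from a cryptographically secure generator."""

    def unpredictable_number(self):
        return f"{secrets.randbelow(1 << 32):08X}"


def harvest(card, amount, predicted_uns):
    """Attacker with temporary access to the card (e.g. via a tampered POS)
    collects an ARQC for every UN it expects the target terminal to issue."""
    return {un: card.generate_ac(amount, un) for un in predicted_uns}


def preplay(terminal, amount, harvested, issuer_key):
    """At the target terminal the clone answers with the stored ARQC for the UN
    the terminal actually produced.  Returns True if the issuer accepts."""
    un = terminal.unpredictable_number()
    if un not in harvested:
        return False
    atc, arqc = harvested[un]
    return issuer_verify(issuer_key, amount, atc, un, arqc)


def counter_un_suspected(observed_uns):
    """Monitoring check: successive UNs with one constant difference look like a counter."""
    vals = [int(u, 16) for u in observed_uns]
    diffs = {b - a for a, b in zip(vals, vals[1:])}
    return len(vals) >= 3 and len(diffs) == 1


def demo(predictable=True):
    """Run the whole attack once; True means the issuer accepted the replayed ARQC."""
    key = secrets.token_bytes(16)
    card = Card(key)
    amount = 20000                      # constructed: 200.00 in minor units
    if predictable:
        terminal = CounterTerminal(start=0x1000)
        # attacker has observed the counter and predicts the next ten values
        predicted = [f"{0x1000 + k:08X}" for k in range(1, 11)]
    else:
        terminal = RandomTerminal()
        predicted = [f"{k:08X}" for k in range(1, 11)]   # ten guesses out of 2^32
    stash = harvest(card, amount, predicted)
    return preplay(terminal, amount, stash, key)


if __name__ == "__main__":
    print("counter UN, issuer accepts replay:", demo(True))
    print("random UN, issuer accepts replay:", demo(False))
```

    Note what the issuer sees in the successful case: a cryptogram that verifies under the genuine card's key and a plausible ATC, exactly the evidence a bank would cite to argue the real card was present. Only the terminal knows whether its UN was predictable, which is why the abstract points at the specification, kernel certification and terminal testing rather than at the issuer's logs.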

    Template attacks on different devices

    Template attacks remain a most powerful side-channel technique to eavesdrop on tamper-resistant hardware. They use a profiling step to compute the parameters of a multivariate normal distribution from a training device and an attack step in which the parameters obtained during profiling are used to infer some secret value (e.g. cryptographic key) on a target device. Evaluations using the same device for both profiling and attack can miss practical problems that appear when using different devices. Recent studies showed that variability caused by the use of either different devices or different acquisition campaigns on the same device can have a strong impact on the performance of template attacks. In this paper, we explore further the effects that lead to this decrease of performance, using four different Atmel XMEGA 256 A3U 8-bit devices. We show that a main difference between devices is a DC offset and we show that this appears even if we use the same device in different acquisition campaigns. We then explore several variants of the template attack to compensate for these differences. Our results show that a careful choice of compression method and parameters is the key to improving the performance of these attacks across different devices. In particular we show how to maximise the performance of template attacks when using Fisher's Linear Discriminant Analysis or Principal Component Analysis. Overall, we can reduce the entropy of an unknown 8-bit value below 1.5 bits even when using different devices.

    Omar Choudary is a recipient of the Google Europe Fellowship in Mobile Security, and this research is supported in part by this Google Fellowship. The opinions expressed in this paper do not represent the views of Google unless otherwise explicitly stated.

    This is the author accepted manuscript. The final version is available from Springer at http://link.springer.com/chapter/10.1007%2F978-3-319-10175-0_13
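    To make the profiling/attack split and the DC-offset problem concrete, here is an added simulation, not the paper's code or data. It assumes a constructed leakage model (sample i of a 9-sample trace leaks bit i of the secret byte, the ninth sample never leaks, plus Gaussian noise) and uses nearest-template classification, which is the multivariate-normal likelihood in the special case of isotropic noise with identity covariance; the paper's pooled covariance and its LDA/PCA compression are not reproduced. Templates are profiled on a device with no offset and then used against a device whose traces sit 0.6 units higher. The compensation shown, subtracting each trace's own mean, is a simple assumed fix for a pure DC shift, not necessarily the variant the paper evaluates.

```python
"""Template attack across devices with a DC offset (added simulation).

Leakage model, noise level and offset are constructed assumptions, not the
paper's measurements.  Classification is nearest template, i.e. the
multivariate-normal likelihood with identity covariance.
"""
import random

N_BITS = 8
NOISE = 0.02          # assumed noise standard deviation per sample


def trace(value, dc_offset, rng):
    """Simulated power trace: sample i leaks bit i of `value` with amplitude 1.0,
    a ninth reference sample leaks nothing; the whole trace is shifted by the
    device's DC offset and perturbed by Gaussian noise."""
    clean = [float((value >> i) & 1) for i in range(N_BITS)] + [0.0]
    return [s + dc_offset + rng.gauss(0.0, NOISE) for s in clean]


def center(t):
    """DC compensation (assumption): remove the trace's own mean."""
    m = sum(t) / len(t)
    return [s - m for s in t]


def profile(rng, dc_offset=0.0, per_class=10, compensate=False):
    """Profiling step on the training device: one template (mean vector) per
    candidate value of the secret byte."""
    templates = {}
    for v in range(256):
        traces = [trace(v, dc_offset, rng) for _ in range(per_class)]
        if compensate:
            traces = [center(t) for t in traces]
        templates[v] = [sum(col) / per_class for col in zip(*traces)]
    return templates


def attack(templates, t, compensate=False):
    """Attack step on the target device: return the value whose template is
    closest to the observed trace."""
    if compensate:
        t = center(t)

    def dist(v):
        return sum((a - b) ** 2 for a, b in zip(templates[v], t))

    return min(range(256), key=dist)


def success_rate(target_offset, compensate, seed=1):
    """Profile at offset 0, attack a device at `target_offset`; fraction of the
    256 secret values recovered exactly."""
    rng = random.Random(seed)
    templates = profile(rng, 0.0, compensate=compensate)
    hits = 0
    for v in range(256):
        guess = attack(templates, trace(v, target_offset, rng), compensate)
        hits += guess == v
    return hits / 256


if __name__ == "__main__":
    print("same device:                ", success_rate(0.0, False))
    print("other device, uncompensated:", success_rate(0.6, False))
    print("other device, mean-centred: ", success_rate(0.6, True))
```

    Uncompensated, the offset pushes every sample closer to the "bit = 1" template value, so the classifier returns the same wrong answer for almost every secret; the templates are fine, the target device is simply not the training device. Mean-centring restores the attack here because the offset is common to all samples; it would not help against a device difference that varies per sample, which is the kind of case where the paper's choice of compression method and parameters matters.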

    Laminar Combined Convection from a Nonisothermal Spinning Cone: An Integral Approach

    A widely used method for the solution of various problems dealing with laminar boundary layer flows is that originated by T. von Karman and K. Pohlhausen some forty years ago. The basic idea on which their so-called integral method rests is to satisfy, for a given set of boundary conditions, Prandtl's boundary layer equations on the average, in contrast to what are commonly called "exact" solutions, the latter in reality being numerical integrations of Prandtl's equations. For two-dimensional flows and certain flows with rotational symmetry δ is, in fact, the only dependent variable as long as dissipation effects are negligible and no transfer of heat takes place. It is the account of such differences that strongly affects the accuracy of the integral method and forms the basis for the thesis problem. Our main conjecture, forming the basis for the thesis, is that such accuracy depends fundamentally on a proper account of the various generating mechanisms for a given flow property.

    Understanding the Theory and Use of Resistive Welding Technology for Fiber-Reinforced Thermoplastic Composite Structures in Automotive Applications

    Transportation accounts for 14% of global greenhouse gas emissions. With a projected rise in GDP for more than half of the global population, the demand for transportation is only going to increase sharply. It is essential to reduce the overall weight of the automobile and to ensure that its constituent materials are reused with minimal energy consumption during treatment and conversion. This is especially critical for the heaviest components in an automobile: its structure and closures. In this regard, carbon fiber reinforced composites have high light-weighting potential for automotive structures. However, most OEMs use thermoset polymers as the matrix material, which are not recyclable. This has led to a great push towards the use of thermoplastics as the matrix material in the future. A key issue associated with this possibility is the need for an optimal joining mechanism: while structural adhesives are the most common joining mechanism used at present, most of these adhesives are thermoset polymers themselves, which are also expensive and have longer curing times. Additionally, when used with thermoplastic matrix materials, these adhesives raise the problem of compatibility. The ability to be joined by fast, strong and repeatable methods is crucial for automotive structures, given that a typical body structure has between 150 and 400 individual parts, and their timely and strong joining is essential to ensure their applicability for mass production. In this context, the ability to be fusion bonded (or welded) is one of the key advantages of fiber-reinforced thermoplastic composites (FRTPCs) over thermoset composites. Welding of thermoplastic composites can be segregated into three major categories: resistive implant welding (RIW), vibration welding, and electromagnetic welding. Resistive implant welding is an attractive technology due to faster cycle times, lower cost, higher design freedom, and ease of automation.

    Most research to date primarily focuses on processing and optimizing RIW joints for FRTPCs with high-performance polymer matrix materials that are typically used in aerospace. This dissertation primarily focuses on understanding the processability and optimizing RIW joints for FRTPC materials with engineering-grade polymers. Moreover, research to date also predominantly uses only lap shear strength to characterize these joints. However, this is not enough to adequately understand the mechanical behavior of welded joints. In this dissertation, both lap shear and peel strength were experimentally evaluated, and finite element models were created to simulate these joints under large non-linear loads such as crash tests. This exercise provided in-depth insights into the component-level performance of resistive implant welded structures and their behavior in large deformation load cases such as crash tests.