
    Migrating to Post-Quantum Cryptography: a Framework Using Security Dependency Analysis

    Quantum computing is emerging as an unprecedented threat to the current state of widely used cryptographic systems. Cryptographic methods that have been considered secure for decades will likely be broken, with enormous impact on the security of sensitive data and communications in enterprises worldwide. A plan to migrate to quantum-resistant cryptographic systems is required. However, migrating an enterprise system to a quantum-safe state is a complex process. Enterprises will require systematic guidance to perform this migration and remain resilient in a post-quantum era, as many organisations do not have staff with the expertise to manage this process unaided. This paper presents a comprehensive framework designed to aid enterprises in their migration. The framework articulates key steps and technical considerations in the cryptographic migration process. It makes use of existing organisational inventories and provides a roadmap for prioritising the replacement of cryptosystems in a post-quantum context. The framework enables the efficient identification of cryptographic objects, and can be integrated with other frameworks in enterprise settings to minimise operational disruption during migration. Practical case studies are included to demonstrate the utility and efficacy of the proposed framework, using graph-theoretic techniques to determine and evaluate cryptographic dependencies.

    Implementation and performance analysis of identity-based authentication in wireless sensor networks

    The use of Wireless Sensor Networks (WSNs) in different fields of our life has increased in recent years. They are used in applications such as military, human-centric, environmental monitoring, and robotics for remote data collection. Compared to traditional networks, WSNs present more challenges and issues due to their limited energy and bandwidth. This major restriction makes WSNs vulnerable to serious security threats, such as Denial of Service (DoS), jamming, and Man-In-The-Middle (MITM). Until the last few years, security solutions for WSNs concentrated on symmetric encryption algorithms to provide authentication, since Public Key Infrastructure (PKI) had fallen from grace due to sensor node resource constraints. Although symmetric cryptography is more energy-efficient than PKI, symmetric cryptosystems have some drawbacks, such as key management. In addition, Public Key Cryptography (PKC) with resource-hungry algorithms is not suitable for sensor node authentication. Recent research on the implementation of authentication mechanisms in WSNs shows that sensor nodes still suffer from the lack of a safe, fast, and lightweight authentication technique. This project focuses on secure sensor node authentication using Identity-Based Cryptography (IBC) in WSNs. The proposed scheme uses the Elliptic Curve Digital Signature Algorithm (ECDSA) with a 224-bit key length to provide safe and lightweight authentication compared to other pairing-based algorithms. Additionally, the proposed scheme improves the security level of authentication between sensor nodes. Finally, this project implements and evaluates the proposed scheme using several parameters, such as security, time, CPU, and memory requirements, to measure the effectiveness of the proposed scheme.

    Privacy-preserving authentication and key management for cooperative intelligent transportation systems

    Car accidents kill or injure millions of people. Cooperative Intelligent Transportation Systems (C-ITS) can increase road safety and reduce accidents through the application of information and communication technologies to communicating vehicles. However, C-ITS applications are vulnerable to potential cyber-attacks involving message manipulation, where messages may be altered intentionally or fake messages sent, compromising the safety goals. Cryptographic techniques can be used to solve this, but this must be done in a way that preserves driver privacy, so that unauthorized surveillance and tracking of drivers is not possible. This research develops a secure conditional privacy-preserving authentication scheme for C-ITS applications.

    Information Security and Privacy: 28th Australasian Conference, ACISP 2023, Brisbane, QLD, Australia, July 5–7, 2023, Proceedings

    This book constitutes the refereed proceedings of the 28th Australasian Conference on Information Security and Privacy, ACISP 2023, held in Brisbane, QLD, Australia, during July 5-7, 2023. The 27 full papers presented were carefully revised and selected from 87 submissions. The papers present and discuss different aspects of symmetric-key cryptography, public-key cryptography, post-quantum cryptography, cryptographic protocols, and system security.

    Anomaly Detection in Key-Management Activities Using Metadata: A Case Study and Framework

    Large scale enterprise networks often use Enterprise Key-Management (EKM) platforms for unified management of cryptographic keys. Monitoring access and usage patterns of EKM Systems (EKMS) may enable detection of anomalous (possibly malicious) activity in the enterprise network that is not detectable by other means. Analysis of enterprise system logs has been widely studied (for example at the operating system level). However, to the best of our knowledge, EKMS metadata has not been used for anomaly detection. In this paper, we present a framework for anomaly detection based on EKMS metadata. The framework involves automated outlier rejection, normal heuristics collection, automated anomaly detection, and system notification and integration with other security tools. This is developed through investigation of EKMS metadata, determining characteristics to extract for dataset generation, and looking for patterns from which behaviors can be inferred. For automated labeling and detection, a deep learning-based model is applied to the generated datasets: Long Short-Term Memory (LSTM) auto-encoder neural networks with specific parameters. This generates heuristics based on categories of behavior. As a proof of concept, we simulated an enterprise environment, collected the EKMS metadata, and deployed this framework. Our implementation used QuintessenceLabs EKMS. However, the framework is vendor neutral. The results demonstrate that our framework can accurately detect all anomalous enterprise network activities. This approach could be integrated with other enterprise information to enhance detection capabilities. Further, our proposal can be used as a general-purpose framework for anomaly detection and diagnosis.

    Anomaly Detection in the Key-Management Interoperability Protocol Using Metadata

    Large scale enterprise networks often use Enterprise Key-Management (EKM) platforms for unified management of cryptographic keys. In such a system, requests and responses commonly use the Key Management Interoperability Protocol (KMIP) format. The KMIP client and server use Transport Layer Security (TLS) to negotiate a mutually-authenticated connection. Although KMIP traffic is encrypted, monitoring traffic and usage patterns of EKM Systems (EKMS) may enable detection of anomalous (possibly malicious) activity in the enterprise network that is not detectable by other means. Metadata analysis of enterprise system traffic has been widely studied (for example at the TLS protocol level). However, KMIP metadata in EKMS has not been used for anomaly detection. In this paper, we present a framework for automated outlier rejection and anomaly detection. This involves investigation of KMIP metadata, determining characteristics to extract for dataset generation, and looking for patterns from which behaviors can be inferred. For automated labeling and detection, a deep learning-based model is applied to the generated datasets: Long Short-Term Memory (LSTM) auto-encoder neural networks with specific parameters. As a proof of concept, we simulated an enterprise environment, collected relevant KMIP metadata, and deployed this framework. Although our implementation used Quintessence Labs EKMS, the framework we proposed is vendor neutral. The experimental results (Precision, Recall, F1 = 1.0) demonstrate that our framework can accurately detect all anomalous enterprise network activities. This approach could be integrated with other enterprise information to enhance detection capabilities. Our proposal can be used as a general-purpose framework for anomaly detection and diagnosis.

    Broadcast Authentication in Latency-Critical Applications: On the Efficiency of IEEE 1609.2

    Standards such as the American IEEE 1609, European ETSI ITS-G5, and Japanese ARIB STD-T109 aim to establish Cooperative Intelligent Transportation Systems (C-ITS) by enabling Vehicular Ad-Hoc Networks (VANETs). In VANETs, vehicles communicate with other vehicles and roadside infrastructure to support latency-critical applications which increase driver awareness of the surroundings. This should result in improved safety and possibly optimized traffic. To secure VANET communications against message manipulation or replay, security standards such as IEEE 1609.2 and ETSI TS 103 097 have been proposed. In this work, we implement the cryptographic primitives recommended in the IEEE 1609.2 standard to authenticate low-latency safety-critical messages. We evaluate the effect of the implementation using metrics such as CPU clock cycles per operation, average computation time in milliseconds, and message size in bits. We perform a simulation presenting a high-density highway scenario for the above-mentioned C-ITS standards. For each standard, we evaluate the number of safety messages that can be successfully received within 100 ms latency. We show how and to what extent the authentication overhead of latency-critical messages may impact driver safety. Under an assumed traffic scenario, we show that a crash is possible as a result of the evaluated authentication delay. We show that the recommended algorithms with specific parameters can be a potential solution for low-latency safety-critical applications in a large scale scenario.

    The Security of '2FLIP' Authentication Scheme for VANETs: Attacks and Rectifications

    Wireless broadcast transmission enables inter-vehicle or Vehicle-to-Vehicle (V2V) communication among nearby vehicles and with nearby fixed equipment, referred to as Road Side Units (RSUs). The vehicles and RSUs within transmission range establish a self-organizing network called a Vehicular Ad-hoc Network (VANET). The V2V communication in VANETs is vulnerable to cyber attacks involving message manipulation. Thus, mechanisms should be applied to ensure both the authenticity and integrity of the data broadcast. However, due to privacy concerns, it is important to avoid the use of identifiers that may aid tracking and surveillance of drivers. This is a serious constraint on authentication mechanisms. Recently, Wang et al. [1] proposed a Two-Factor Lightweight Privacy Preserving Authentication Scheme for VANET named 2FLIP. They claim that their scheme includes a secure system-key update protocol to restore the whole system when necessary, and further that this resists an adversary obtaining any information about the updated system-key. In this paper, we show that this is incorrect: 2FLIP does not provide perfect forward secrecy. This results in a known-key attack, as well as a message forgery attack by an external adversary who may be an unregistered vehicle user. This external adversary can generate valid anonymous messages and, further, cannot be traced. The 2FLIP scheme is efficient, so we propose a modification to improve its security. We provide a formal security proof to show that our proposal is indeed provably secure. We demonstrate the efficiency of our proposal by conducting extensive performance analysis. We believe the enhanced system-key update protocol will be useful for application by researchers and designers in current and future VANET authentication schemes.

    Authentication strategies in vehicular communications: a taxonomy and framework

    In intelligent vehicular networks, vehicles have enhanced sensing capabilities and carry computing and communication platforms to enable new versatile systems known as Vehicular Communication (VC) systems. Vehicles communicate with other vehicles and with nearby fixed equipment to support different applications, including those which increase driver awareness of the surroundings. This should result in improved safety and may optimize traffic. However, VC systems are vulnerable to cyber attacks involving message manipulation. Research aimed at tackling this problem has resulted in the proposal of multiple authentication protocols. Several existing survey papers have attempted to classify some of these protocols based on a limited set of characteristics. However, to date there is no generic framework to support the comparison of these protocols and provide guidance for design and evaluation. Most existing classifications either use the computational complexity of cryptographic techniques as a criterion, or they fail to make connections between different important aspects of authentication. This paper provides such a framework, proposing a new taxonomy to enable a consistent means of classifying authentication schemes based upon seven main criteria. The main contribution of this study is a framework to enable protocol designers and investigators to adequately compare and select authentication schemes when deciding on particular protocols to implement in an application. Our framework can be applied in design, making choices appropriate for the intended context in both intra-vehicle and inter-vehicle communications. We demonstrate the application of our framework using two different types of case study: individual analysis and hypothetical design. Additionally, this work makes several related contributions. We present the network model, outline the applications, list the communication patterns and the underlying standards, and discuss the necessity of using cryptography and key management in VC systems. We also review the threats, authentication, and privacy requirements in vehicular networks.