342 research outputs found
Quantum cryptography: a practical information security perspective
Quantum Key Exchange (QKE, also known as Quantum Key Distribution or QKD)
allows communicating parties to securely establish cryptographic keys. It is a
well-established fact that all QKE protocols require that the parties have
access to an authentic channel. Without this authenticated link, QKE is
vulnerable to man-in-the-middle attacks. Overlooking this fact results in
exaggerated claims and/or false expectations about the potential impact of QKE.
In this paper we present a systematic comparison of QKE with traditional key
establishment protocols in realistic secure communication systems. Comment: 5 pages, new title, published version, minor changes onl
e-EMV: Emulating EMV for Internet payments using Trusted Computing technology v-2
The introduction of EMV-compliant payment cards, with their
improved cardholder verification and card authentication capabilities,
has resulted in a dramatic reduction in the levels of fraud seen at
Point of Sale (PoS) terminals across Europe. However, this reduction
has been accompanied by an alarming increase in the level of fraud
associated with Internet-based Card Not Present (CNP) transactions.
This increase is largely attributable to the weaker authentication
procedures involved in CNP transactions. This paper shows how the
functionality associated with EMV-compliant payment cards can be
securely emulated in software on platforms supporting Trusted
Computing technology. We describe a detailed system architecture
encompassing user enrollment, card deployment (in the form of software),
card activation, and subsequent transaction processing. Our proposal
is compatible with the existing EMV transaction processing
architecture, and thus integrates fully and naturally with already deployed
EMV infrastructure. We show that our proposal, which effectively
makes available the full security of PoS transactions for Internet-based
CNP transactions, has the potential to significantly reduce the
opportunity for fraudulent CNP transactions
Augmenting Internet-based Card Not Present Transactions with Trusted Computing: An Analysis
In this paper, we demonstrate how the staged roll out of Trusted
Computing technology, beginning with ubiquitous client-side Trusted
Platform Modules (TPMs), can be used to enhance the security of
Internet-based Card Not Present (CNP) transactions. This approach can be
seen as an alternative to the proposed mass deployment of unconnected
card readers in the provision of CNP transaction authorisation. Using
TPM functionality (and the new PC architecture that will evolve around
it) we demonstrate how TPM-enabled platforms can integrate with SSL, 3-D
Secure and server-side SET. We highlight how the use of TPM
functionality, as is currently being deployed in the marketplace, is not
a panacea for solving all the problems associated with CNP transactions.
In this instance, a more holistic
approach requiring additional Trusted Computing components incorporating
Operating System, processor and chipset support is required to combat
the threat of malware
Challenges for Trusted Computing
This article identifies and discusses some of the key challenges that need to
be addressed if the vision of Trusted Computing is to become reality. Topics
addressed include issues with setting up and maintaining the PKI required
to support the full set of Trusted Computing functionality, the practical
use and verification of attestation evidence, and backwards compatibility,
usability and compliance issues
A Cryptographic Tour of the IPsec Standards
In this article, we provide an overview of cryptography and cryptographic key management as they are specified in IPsec, a popular suite of standards for providing communications security and network access control for Internet communications. We focus on the latest generation of the IPsec standards, recently published as Request for Comments 4301–4309 by the Internet Engineering Task Force, and how they have evolved from earlier versions of the standards
Related Randomness Attacks for Public Key Encryption
Abstract. Several recent and high-profile incidents give cause to believe that randomness failures of various kinds are endemic in deployed cryptographic systems. In the face of this, it behoves cryptographic researchers to develop methods to immunise, to the extent that it is possible, cryptographic schemes against such failures. This paper considers the practically-motivated situation where an adversary is able to force a public key encryption scheme to reuse random values, and functions of those values, in encryption computations involving adversarially chosen public keys and messages. It presents a security model appropriate to this situation, along with variants of this model. It also provides necessary conditions on the set of functions used in order to attain this security notation, and demonstrates that these conditions are also sufficient in the Random Oracle Model. Further standard model constructions achieving weaker security notions are also given, with these constructions having interesting connections to other primitives including: pseudo-random functions that are secure in the related key attack setting; Correlated Input Secure hash functions; and public key encryption schemes that are secure in the auxiliary input setting (this being a special type of leakage resilience)
A Practical Attack Against the Use of RC4 in the HIVE Hidden Volume Encryption System
The HIVE hidden volume encryption system was proposed by Blass et al. at ACM-CCS 2014. Even though HIVE has a security proof, this paper demonstrates an attack on its implementation that breaks the main security property claimed for the system by its authors, namely plausible hiding against arbitrary-access adversaries. Our attack is possible because of the HIVE implementation's reliance on the RC4 stream cipher to fill unused blocks with pseudorandom data. While the attack can be easily eliminated by using a better pseudorandom generator, it serves as an example of why RC4 should be avoided in all new applications and a reminder that one has to be careful when instantiating primitives
On the Cryptographic Fragility of the Telegram Ecosystem
Telegram is a popular messenger with more than 550 million monthly active users and a large ecosystem of different clients. Telegram has its own bespoke transport layer security protocol, MTProto 2.0. This protocol was recently subjected to a detailed study by Albrecht et al. (IEEE S&P 2022). They gave attacks on the protocol and its implementations, along with a security proof for a modified version of the protocol. We complement that study by analysing a range of third-party client implementations of MTProto 2.0. We report practical replay attacks for the Pyrogram, Telethon and GramJS clients, and a more theoretical timing attack against the MadelineProto client. We show how vulnerable third-party clients can affect the security of the entire ecosystem, including official clients. Our analysis reveals that many third-party clients fail to securely implement MTProto 2.0. We discuss the reasons for these failures, focussing on complications in the design of MTProto 2.0 that lead developers to omit security-critical features or to implement the protocol in an insecure manner. We also discuss changes that could be made to MTProto 2.0 to remedy this situation. Overall, our work highlights the cryptographic fragility of the Telegram ecosystem