20 research outputs found
Automated Cryptographic Analysis of the Pedersen Commitment Scheme
Aiming for strong security assurance, recently there has been an increasing
interest in formal verification of cryptographic constructions. This paper
presents a mechanised formal verification of the popular Pedersen commitment
protocol, proving its security properties of correctness, perfect hiding, and
computational binding. To formally verify the protocol, we extended the theory
of EasyCrypt, a framework which allows for reasoning in the computational
model, to support the discrete logarithm and an abstraction of commitment
protocols. Commitments are building blocks of many cryptographic constructions,
for example, verifiable secret sharing, zero-knowledge proofs, and e-voting.
Our work paves the way for the verification of those more complex
constructions.
Comment: 12 pages, conference MMM-ACNS 201
Machine-Checked Formalisation and Verification of Cryptographic Protocols
PhD Thesis
Aiming for strong security assurance, researchers in academia and industry focus
their interest on formal verification of cryptographic constructions. Automatising
formal verification has proved itself to be a very difficult task, where the main
challenge is to support generic constructions and theorems, and to carry out the
mathematical proofs.
This work focuses on machine-checked formalisation and automatic verification of cryptographic protocols. One aspect we covered is the novel support for
generic schemes and real-world constructions among old and novel protocols: key exchange schemes (Simple Password Exponential Key Exchange, SPEKE), commitment
schemes (with the popular Pedersen scheme), sigma protocols (with the Schnorr’s
zero-knowledge proof of knowledge protocol), and searchable encryption protocols
(Sophos).
We also investigated aspects related to the reasoning of simulation based proofs,
where indistinguishability of two different algorithms by any adversary is the crucial
point to prove privacy-related properties. We embedded information-flow techniques
into the EasyCrypt core language, then we show that our effort not only makes some
proofs easier and (sometimes) fewer, but is also more powerful than other existing
techniques in particular situations.
cyberaCTIve: a STIX-based Tool for Cyber Threat Intelligence in Complex Models
Cyber threat intelligence (CTI) is practical real-world information that is
collected with the purpose of assessing threats in cyber-physical systems
(CPS). A practical notation for sharing CTI is STIX. STIX offers facilities to
create, visualise and share models; however, even a moderately simple project
can be represented in STIX as a quite complex graph, suggesting to spread CTI
across multiple simpler sub-projects. Our tool aims to enhance the STIX-based
modelling task in contexts when such simplifications are infeasible. Examples
can be the microgrid and, more in general, the smart grid.
Comment: 11 pages, 8 figures, technical report
An Overview of Cyber Security and Privacy on the Electric Vehicle Charging Infrastructure
Electric vehicles (EVs) are key to alleviating our dependency on fossil fuels.
The future smart grid is expected to be populated by millions of EVs equipped
with high-demand batteries. To avoid an overload of the (current) electricity
grid, expensive upgrades are required. Some of the upgrades can be averted if
users of EVs participate in energy balancing mechanisms, for example through
bidirectional EV charging. As the proliferation of consumer Internet-connected
devices increases, including EV smart charging stations, their security against
cyber-attacks and the protection of private data become a growing concern. We
need to properly adapt and develop our current technology that must tackle the
security challenges in the EV charging infrastructure, which go beyond the
traditional technical applications in the domain of energy and transport
networks. Security must balance with other desirable qualities such as
interoperability, crypto-agility and energy efficiency. Evidence suggests a gap
in the current awareness of cyber security in EV charging infrastructures. This
paper fills this gap by providing the most comprehensive to date overview of
privacy and security challenges. To do so, we review communication protocols
used in its ecosystem and provide a suggestion of security tools that might be
used for future research.
Comment: 12 pages, 5 tables, 3 figures
Analyzing and Patching SPEKE in ISO/IEC
Simple password exponential key exchange (SPEKE) is a well-known password authenticated key exchange protocol that has been used in Blackberry phones for secure messaging and Entrust's TruePass end-to-end web products. It has also been included into international standards such as ISO/IEC 11770-4 and IEEE P1363.2. In this paper, we analyze the SPEKE protocol as specified in the ISO/IEC and IEEE standards. We identify that the protocol is vulnerable to two new attacks: an impersonation attack that allows an attacker to impersonate a user without knowing the password by launching two parallel sessions with the victim, and a key-malleability attack that allows a man-in-the-middle to manipulate the session key without being detected by the end users. Both attacks have been acknowledged by the technical committee of ISO/IEC SC 27 and ISO/IEC 11770-4 revised as a result. We propose a patched SPEKE called P-SPEKE and present a formal analysis in the Applied Pi Calculus using ProVerif to show that the proposed patch prevents both attacks. The proposed patch has been included into the latest revision of ISO/IEC 11770-4 published in 2017
ValuED: A Blockchain-based Trading Platform to Encourage Student Engagement in Higher Education
The provision of higher education has been changing ever more quickly in the UK and worldwide, as a result of technological, economic, and geopolitical factors. The Covid-19 pandemic has accelerated such changes. The “student experience”—the interaction of students with their institution and with each other—has been changing accordingly, with less face-to-face contact. In this work, we have explored a way to improve student engagement in higher education. We describe “ValuED”, a blockchain-based trading platform using a cryptocurrency. It allows students both to buy and sell goods and services within their university community and to be rewarded for academic engagement. ValuED involves a reputation system to further incentivise participants. We describe the implementation and piloting of this platform and draw conclusions for its future use. The platform’s source code is publicly available