93 research outputs found
Count Me If You Can: Enumerating QUIC Servers Behind Load Balancers
QUIC is a new transport protocol over UDP which recently became an IETF RFC. Our security analysis of the Connection ID mechanism in QUIC reveals that the protocol is underspecified. This allows an attacker to count the number of server instances behind a middlebox, e.g., a load balancer. We found 4/15 (~25%) implementations vulnerable to our enumeration attack. We then concretely describe how an attacker can count the number of instances behind a load balancer that either uses Round Robin or Hashing
Report Dagstuhl Seminar 10402 - Working Group on Fundamental Limits and Opportunities
This working group investigated first steps towards finding a theoretical foundation for inter-vehicle communication. The main outcome is a sketch of a roadmap for future work in this direction
P2KMV: A Privacy-preserving Counting Sketch for Efficient and Accurate Set Intersection Cardinality Estimations
In this paper, we propose P2KMV, a novel privacy-preserving counting sketch, based on the k minimum values algorithm. With P2KMV, we offer a versatile privacy-enhanced technology for obtaining statistics, following the principle of data minimization, and aiming for the sweet spot between privacy, accuracy, and computational efficiency. As our main contribution, we develop methods to perform set operations, which facilitate cardinality estimates under strong privacy requirements. Most notably, we propose an efficient, privacy-preserving algorithm to estimate the set intersection cardinality. P2KMV provides plausible deniability for all data items contained in the sketch. We discuss the algorithm's privacy guarantees as well as the accuracy of the obtained estimates. An experimental evaluation confirms our analytical expectations and provides insights regarding parameter choices
Eclipsing Ethereum Peers with False Friends
Ethereum is a decentralized Blockchain system that supports the execution of
Turing-complete smart contracts. Although the security of the Ethereum
ecosystem has been studied in the past, the network layer has been mostly
neglected. We show that Go Ethereum (Geth), the most widely used Ethereum
implementation, is vulnerable to eclipse attacks, effectively circumventing
recently introduced (Geth v1.8.0) security enhancements. We responsibly
disclosed the vulnerability to core Ethereum developers; the corresponding
countermeasures to our attack were incorporated into the v1.9.0 release of
Geth. Our false friends attack exploits the Kademlia-inspired peer discovery
logic used by Geth and enables a low-resource eclipsing of long-running, remote
victim nodes. An adversary only needs two hosts in distinct /24 subnets to
launch the eclipse, which can then be leveraged to filter the victim's view of
the Blockchain. We discuss fundamental properties of Geth's node discovery
logic that enable the false friends attack, as well as proposed and implemented
countermeasures. Comment: Extended version of the original publication in: 2019 IEEE European
Symposium on Security and Privacy Workshops (EuroS&PW
Trust, but LOOK at Whom? - V-IDS or a Different View of Things (Trau, SCHAU, wem? - V-IDS oder eine andere Sicht der Dinge)
The ever-growing flood of security-relevant data arising in a network
increasingly calls for new forms of presentation.
Only in this way can the data remain comprehensible and manageable quickly enough
and to an appropriate extent. We grasp the content of images much faster and more
intuitively than plain text; graphical representations generally make events
easier to grasp. In addition, information can be presented in more condensed form
without the conveyed content suffering. The graphical representation
of security data is currently still in its very early stages; there is
little experience of which representations are more suitable and which less.
V-IDS is intended to lay the foundations for a dynamic, three-dimensional representation of such
data. It is meant to allow easy experimentation with different and novel
representations. Existing and future ideas can then be prototyped and evaluated
simply and without lengthy development time
Ovid: Message-based Automatic Contact Tracing
The Covid-19 pandemic created various new challenges for our societies.
Quickly discovering new infections using automated contact tracing without endangering the privacy of the general public is one of these.
Most discussions concerning architectures for contact tracing applications revolved around centralized versus decentralized approaches.
In contrast, the system proposed in this work builds on the idea of message-based contact tracing to inform users of their risk.
Our main contribution is the combination of a blind-signature approach to verify infections with an anonymous postbox service.
In our evaluation we analyze all components in our system for performance and privacy, as well as security.
We derive parameters for operating our system in a pandemic scenario