An investigation into graph isomorphism based zero-knowledge proofs.

Ayeh, Eric

12 1900

Zero-knowledge proofs protocols are effective interactive methods to prove a node's identity without disclosing any additional information other than the veracity of the proof. They are implementable in several ways. In this thesis, I investigate the graph isomorphism based zero-knowledge proofs protocol. My experiments and analyses suggest that graph isomorphism can easily be solved for many types of graphs and hence is not an ideal solution for implementing ZKP.

Graph isomorphism

security protocol

zero-knowledge proofs

Measuring and Understanding TTL Violations in DNS Resolvers

Bhowmick, Protick

02 January 2024

The Domain Name System (DNS) is a scalable-distributed caching architecture where each DNS records are cached around several DNS servers distributed globally. DNS records include a time-to-live (TTL) value that dictates how long the record can be stored before it's evicted from the cache. TTL holds significant importance in aspects of DNS security, such as determining the caching period for DNSSEC-signed responses, as well as performance, like the responsiveness of CDN-managed domains. On a high level, TTL is crucial for ensuring efficient caching, load distribution, and network security in Domain Name System. Setting appropriate TTL values is a key aspect of DNS administration to ensure the reliable and efficient functioning of the Domain Name System. Therefore, it is crucial to measure how TTL violations occur in resolvers. But, assessing how DNS resolvers worldwide handle TTL is not easy and typically requires access to multiple nodes distributed globally. In this work, we introduce a novel methodology for measuring TTL violations in DNS resolvers leveraging a residential proxy service called Brightdata, enabling us to evaluate more than 27,000 resolvers across 9,500 Autonomous Systems (ASes). We found that 8.74% arbitrarily extends TTL among 8,524 resolvers that had atleast five distinct exit nodes. Additionally, we also find that the DNSSEC standard is being disregarded by 44.1% of DNSSEC-validating resolvers, as they continue to provide DNSSEC-signed responses even after the RRSIGs have expired. / Master of Science / The Domain Name System (DNS) works as a global phonebook for the internet, helping your computer find websites by translating human-readable names into numerical IP addresses. This system uses a smart caching system spread across various servers worldwide to store DNS records. Each record comes with a time-to-live (TTL) value, essentially a timer that decides how long the information should stay in the cache before being replaced. TTL is crucial for both security and performance in the DNS world. It plays a role in securing responses and determines the responsiveness of load balancing schemes employed at Content Delivery Networks (CDNs). In simple terms, TTL ensures efficient caching, even network load, and overall security in the Domain Name System. For DNS to work smoothly, it's important to set the right TTL values and the resolvers to strictly honor the TTL. However, figuring out how well DNS servers follow these rules globally is challenging. In this study, we introduce a new way to measure TTL violations in DNS servers using a proxy service called Brightdata. This allows us to check over 27,000 servers across 9,500 networks. Our findings reveal that 8.74% of these servers extend TTL arbitrarily. Additionally, we discovered that 44.1% of servers that should be following a security standard (DNSSEC) are not doing so properly, providing signed responses even after they are supposed to expire. This research sheds light on how DNS servers around the world extend TTL and the potential performance and security risks involved.

DNS

Network Measurement

Web Security Protocol

Verification and validation of security protocol implementations

O'Shea, Nicholas

January 2010

Security protocols are important and widely used because they enable secure communication to take place over insecure networks. Over the years numerous formal methods have been developed to assist protocol designers by analysing models of these protocols to determine their security properties. Beyond the design stage however, developers rarely employ formal methods when implementing security protocols. This may result in implementation flaws often leading to security breaches. This dissertation contributes to the study of security protocol analysis by advancing the emerging field of implementation analysis. Two tools are presented which together translate between Java and the LySa process calculus. Elyjah translates Java implementations into formal models in LySa. In contrast, Hajyle generates Java implementations from LySa models. These tools and the accompanying LySa verification tool perform rapid static analysis and have been integrated into the Eclipse Development Environment. The speed of the static analysis allows these tools to be used at compile-time without disrupting a developer’s workflow. This allows us to position this work in the domain of practical software tools supporting working developers. As many of these developers may be unfamiliar with modelling security protocols a suite of tools for the LySa process calculus is also provided. These tools are designed to make LySa models easier to understand and manipulate. Additional tools are provided for performance modelling of security protocols. These allow both the designer and the implementor to predict and analyse the overall time taken for a protocol run to complete. Elyjah was among the very first tools to provide a method of translating between implementation and formal model, and the first to use either Java for the implementation language or LySa for the modelling language. To the best of our knowledge, the combination of Elyjah and Hajyle represents the first and so far only system which provides translation from both code to model and back again.

Using human interactive security protocols to secure payments

Chen, Bangdao

January 2012

We investigate using Human Interactive Security Protocols (HISPs) to secure payments. We start our research by conducting extensive investigations into the payment industry. After interacting with different payment companies and banks, we present two case studies: online payment and mobile payment. We show how to adapt HISPs for payments by establishing the reverse authentication method. In order to properly and thoroughly evaluate different payment examples, we establish two attack models which cover the most commonly seen attacks against payments. We then present our own payment solutions which aim at solving the most urgent security threats revealed in our case studies. Demonstration implementations are also made to show our advantages. In the end we show how to extend the use of HISPs into other domains.

005.82

A proposed security protocol for data gathering mobile agents

Al-Jaljouli, Raja, Computer Science & Engineering, Faculty of Engineering, UNSW

January 2006

We address the security issue of the data which mobile agents gather as they are traversing the Internet. Our goal is to devise a security protocol that truly secures the data which mobile agents gather. Several cryptographic protocols were presented in the literature asserting the security of gathered data. Formal verification of the protocols reveals unforeseen security flaws, such as truncation or alteration of the collected data, breaching the privacy of the gathered data, sending others data under the private key of a malicious host, and replacing the collected data with data of similar agents. So the existing protocols are not truly secure. We present an accurate security protocol which aims to assert strong integrity, authenticity, and confidentiality of the gathered data. The proposed protocol is derived from the Multi-hops protocol. The protocol suffers from security flaws, e.g. an adversary might truncate/ replace collected data, or sign others data with its own private key without being detected. The proposed protocol refines the Multi-hops protocol by implementing the following security techniques: utilization of co-operating agents, scrambling the gathered offers, requesting a visited host to clear its memory from any data acquired as a result of executing the agent before the host dispatches the agent to the succeeding host in the agent???s itinerary, and carrying out verifications on the identity of the genuine initiator at the early execution of the agent at visited hosts, in addition to the verifications upon the agent???s return to the initiator. The proposed protocol also implements the common security techniques such as public key encryption, digital signature, etc. The implemented security techniques would rectify the security flaws revealed in the existing protocols. We use STA, an infinite-state exploration tool, to verify the security properties of a reasonably small instance of the proposed protocol in key configurations. The analysis using STA reports no attack. Moreover, we carefully reason the correctness of the security protocol for a general model and show that the protocol would be capable of preventing or at least detecting the attacks revealed in the existing protocols.

Mobile agents

security protocol

formal methds

information security

ENERGY EFFICIENT SECURITY FOR WIRELESS SENSOR NETWORKS

Moh'd, Abidalrahman

18 June 2013

This thesis presents two main achievements. The first is a novel link-layer encryption protocol for wireless sensor networks. The protocol design aims to reduce energy consumption by reducing security-related communication overhead. This is done by merging security-related data of consecutive packets. The merging is based on simple mathematical operations. It helps to reduce energy consumption by eliminating the requirement to transmit security-related fields in the packet. The protocol is named the Compact Security Protocol and is referred to as C-Sec. In addition to energy savings, the C-Sec protocol also includes a unique security feature of hiding the packet header information. This feature makes it more difficult to trace the flow of wireless communication, and helps to minimize the effect of replay attacks. The C-Sec protocol is rigorously tested and compared with well-known related protocols. Performance evaluations demonstrate that C-Sec protocol outperforms other protocols in terms of energy savings. The protocol is evaluated with respect to other performance metrics including queuing delay and error probability. The C-Sec operation requires fast encryption, which leads to a second major contribution: The SN-Sec, a 32-bit RISC secure wireless sensor platform with hardware cryptographic primitives. The security vulnerabilities in current WSNs platforms are scrutinized and the main approaches to implementing their cryptographic primitives are compared in terms of security, time, and energy efficiency. The SN-Sec secures these vulnerabilities and provides more time and energy efficiency. The choice of cryptographic primitives for SN-Sec is based on their compatibility with the constrained nature of WSNs and their security. The AES implementation has the best data-path and S-Box design in the literature. All SHA family members are implemented and compared to choose the most compatible with WSN constraints. An efficient elliptic-curve processor design is proposed. It has the least mathematical operations compared to elliptic-curve processors proposed for WSNs in the literature. It also exploits parallelism among mathematical operations to compute elliptic-curve point multiplication with minimal amount of clock cycles. SN-Sec is implemented using VHDL. Experimental results using synthesis for Spartan-6 low-power FPGA shows that the proposed design has very reasonable computational time and energy consumption.

Energy efficiency

Security protocol

Wireless Sensor Networks

Encryption Primitives

A Peer to Peer Security Protocol for the Internet of Things : Secure Communication for the SensibleThings Platform

Zhang, Hao

January 2014

With the rapid development of the Internet connected technologies and applications, people are keen on embracing the convenience and practi-­‐‑ calities they brings. As all kinds of technologies improve, the Internet of Things matures and is able to provide more advanced services to people, which connects a variety of devices, systems and applications beyond traditional machine-­‐‑to-­‐‑machine. However, it covers a variety of devices, protocols and applications, which makes it much more complex than a normal network. Nevertheless, equipped with appropriate security solutions, the Internet of Things is promising to bring us more conven-­‐‑ iences and be widely applied in our daily life. And like the main appli-­‐‑ cation areas, wireless sensor networks with a frequent but short com-­‐‑ munication character, it requires an efficient and flexible protocol to protect the information. To protect the traffic of the Internet of Things is the focal point of this research work. Although many protocols for the Internet have been put forward, it is still not enough to meet the increas-­‐‑ ingly complex requirements from applications. Many of them are not efficient enough to adapt the device diversity and timely communica-­‐‑ tion environment. This research work is trying to address this problem, by proposing a peer-­‐‑to-­‐‑peer security protocol to satisfy this varied environment. Secure communication is implemented on an open sourced platform for the Internet of Things. The philosophy of the platform it implemented on is also inherited to this protocol and the implementation. It avoids unnecessary handshakes between entities, which makes it more efficient in a wireless sensor network. Modulariza-­‐‑ tion and unit test are adapted in implementation to enhance the robust of the system. Its dynamic security level adjustment feature satisfies the realistic demand on one platform this protocol is implemented on. Finally, with a comparison test and an analysis using the BAN logic, the result shows that the proposed protocol is efficient to meet the specific goals and applicable for the platform. / SensibleThings Platform

Security Protocol

Internet of Things

Peer to Peer

Cryptograph

Fuzzy Authorization for Cloud Storage

Zhu, Shasha

January 2013

It is widely accepted that OAuth is the most popular authorization scheme adopted and implemented by industrial and academic world, however, it is difficult to adapt OAuth to the situation in which online applications registered with one cloud party intends to access data residing in another cloud party. In this thesis, by leveraging Ciphertext-Policy Attribute Based Encryption technique and Elgamal-like mask over the protocol, we propose a reading authorization scheme among diverse clouds, which is called fuzzy authorization, to facilitate an application registered with one cloud party to access to data residing in another cloud party. More importantly, we enable the fuzziness of authorization thus to enhance the scalability and flexibility of file sharing by taking advantage of the innate connections of Linear Secret-Sharing Scheme and Generalized Reed Solomon code. Furthermore, by conducting error checking and error correction, we eliminate operation of satisfying a access tree. In addition, the automatic revocation is realized with update of TimeSlot attribute when data owner modifies the data. We prove the security of our schemes under the selective-attribute security model. The protocol flow of fuzzy authorization is implemented with OMNET++ 4.2.2 and the bi-linear pairing is realized with PBC library. Simulation results show that our scheme can achieve fuzzy authorization among heterogeneous clouds with security and efficiency.

Authorization

Cloud Storage

Security Protocol

CP-ABE

Fuzzy

A proposed security protocol for data gathering mobile agents

Al-Jaljouli, Raja, Computer Science & Engineering, Faculty of Engineering, UNSW

January 2006

We address the security issue of the data which mobile agents gather as they are traversing the Internet. Our goal is to devise a security protocol that truly secures the data which mobile agents gather. Several cryptographic protocols were presented in the literature asserting the security of gathered data. Formal verification of the protocols reveals unforeseen security flaws, such as truncation or alteration of the collected data, breaching the privacy of the gathered data, sending others data under the private key of a malicious host, and replacing the collected data with data of similar agents. So the existing protocols are not truly secure. We present an accurate security protocol which aims to assert strong integrity, authenticity, and confidentiality of the gathered data. The proposed protocol is derived from the Multi-hops protocol. The protocol suffers from security flaws, e.g. an adversary might truncate/ replace collected data, or sign others data with its own private key without being detected. The proposed protocol refines the Multi-hops protocol by implementing the following security techniques: utilization of co-operating agents, scrambling the gathered offers, requesting a visited host to clear its memory from any data acquired as a result of executing the agent before the host dispatches the agent to the succeeding host in the agent???s itinerary, and carrying out verifications on the identity of the genuine initiator at the early execution of the agent at visited hosts, in addition to the verifications upon the agent???s return to the initiator. The proposed protocol also implements the common security techniques such as public key encryption, digital signature, etc. The implemented security techniques would rectify the security flaws revealed in the existing protocols. We use STA, an infinite-state exploration tool, to verify the security properties of a reasonably small instance of the proposed protocol in key configurations. The analysis using STA reports no attack. Moreover, we carefully reason the correctness of the security protocol for a general model and show that the protocol would be capable of preventing or at least detecting the attacks revealed in the existing protocols.

Mobile agents

security protocol

formal methds

information security

Prostředky pro analýzu kryptografických protokolů / Tools for analyzing security protocols

Duchovič, Adam

January 2011

This thesis is focused on tools which are used to analyzed security protocols. In the beginning of the thesis key goals of security protocols are mentioned and also basic attacks on them are illustrated. Subsequently basic verification techniques, specification languages and verification tools are described. Next part of thesis contains description of protocols in common syntax. Then the main standards used for evaluation of information security products are mentioned. In the end of thesis two well-known verification tools – AVISPA and Scyther - are described and compared to designed methodology of comparing verification tools and their outputs.