Distinguishability of Public Keys and Experimental Validation: The McEliece Public-Keyed Cryptosystem

Unknown Date

As quantum computers continue to develop, they pose a threat to cryptography since many popular cryptosystems will be rendered vulnerable. This is because the security of most currently used asymmetric systems requires the computational hardness of the integer factorization problem, the discrete logarithm or the elliptic curve discrete logarithm problem. However, there are still some cryptosystems that resist quantum computing. We will look at code-based cryptography in general and the McEliece cryptosystem specifically. Our goal is to understand the structure behind the McEliece scheme, including the encryption and decryption processes, and what some advantages and disadvantages are that the system has to offer. In addition, using the results from Courtois, Finiasz, and Sendrier's paper in 2001, we will discuss a digital signature scheme based on the McEliece cryptosystem. We analyze one classical algebraic attack against the security analysis of the system based on the distinguishing problem whether the public key of the McEliece scheme is generated from a generating matrix of a binary Goppa code or a random binary matrix. The idea of the attack involves solving an algebraic system of equations and we examine the dimension of the solution space of the linearized system of equations. With the assistance from a paper in 2010 by Faugere, Gauthier-Umana, Otmani, Perret, Tillich, we will see the parameters needed for the intractability of the distinguishing problem. / Includes bibliography. / Thesis (M.S.)--Florida Atlantic University, 2015. / FAU Electronic Theses and Dissertations Collection

Coding theory

Combinatorial analysis

Data encryption (Computer science)

Information theory

McEliece, Robert J. -- Influence

Public key cryptography

Defining the Information Security Posture: An Empirical Examination of Structure, Integration, and Managerial Effectiveness

Young, Randall Frederick

08 1900

The discipline of information security management is still in its infancy as evidenced by the lack of empirical scholarly work in this area. Most research within the information security domain focuses on specific technologies and algorithms and how it impacts the principles of confidentiality, integrity, and availability. But, an important area receiving little attention is the antecedents of effective information security management at the organizational level (Stanton, Guzman, Stam & Caldera, 2003). The little empirical research that has been conducted in this area has shown that information security management in many organizations is poor (Baskerville, 1993; Shimeall & McDermott, 1999). Several researchers have identified the need for methods to measure the organization-wide information security posture of organizations (Eloff & Von Solms, 2000; James, 1996). This dissertation attempts to measure the organization-wide information security posture by examining benchmark variables that assess role, planning orientation, and performance structure within the organization. Through this conceptualization of an organization's information security posture, a means is presented to measure overall information security and how it impacts the effective utilization of information security strategies. The presence of the dependent variable, effectiveness, gives academics and practitioners a success measure which can guide more effective decision making in the information security domain. An additional aim of this dissertation is to empirically examine the influence of management practices and decisions on effective use of information security strategies within the organization. The issues of centralization versus decentralization of information security activities will be evaluated along with its impact on information security posture of organizations and the effectiveness of the organization's information security strategies. Data was collected from 119 IT and information security executives. Results show that how the organization structures information security activities is not correlated with more effective utilization of information security strategies. Meanwhile, the organization's information security posture is significantly correlated with more effective utilization of information security strategies. The implications of this research is discussed.

recovery

centralization

Information security

decentralization

prevention

deterrence

detection

Computer networks -- Security measures.

Computer security -- Management.

Side-Channel Analysis: Countermeasures and Application to Embedded Systems Debugging

Moreno, Carlos

January 2013

Side-Channel Analysis plays an important role in cryptology, as it represents an important class of attacks against cryptographic implementations, especially in the context of embedded systems such as hand-held mobile devices, smart cards, RFID tags, etc. These types of attacks bypass any intrinsic mathematical security of the cryptographic algorithm or protocol by exploiting observable side-effects of the execution of the cryptographic operation that may exhibit some relationship with the internal (secret) parameters in the device. Two of the main types of side-channel attacks are timing attacks or timing analysis, where the relationship between the execution time and secret parameters is exploited; and power analysis, which exploits the relationship between power consumption and the operations being executed by a processor as well as the data that these operations work with. For power analysis, two main types have been proposed: simple power analysis (SPA) which relies on direct observation on a single measurement, and differential power analysis (DPA), which uses multiple measurements combined with statistical processing to extract information from the small variations in power consumption correlated to the data. In this thesis, we propose several countermeasures to these types of attacks, with the main themes being timing analysis and SPA. In addition to these themes, one of our contributions expands upon the ideas behind SPA to present a constructive use of these techniques in the context of embedded systems debugging. In our first contribution, we present a countermeasure against timing attacks where an optimized form of idle-wait is proposed with the goal of making the observable decryption time constant for most operations while maintaining the overhead to a minimum. We show that not only we reduce the overhead in terms of execution speed, but also the computational cost of the countermeasure, which represents a considerable advantage in the context of devices relying on battery power, where reduced computations translates into lower power consumption and thus increased battery life. This is indeed one of the important themes for all of the contributions related to countermeasures to side- channel attacks. Our second and third contributions focus on power analysis; specifically, SPA. We address the issue of straightforward implementations of binary exponentiation algorithms (or scalar multiplication, in the context of elliptic curve cryptography) making a cryptographic system vulnerable to SPA. Solutions previously proposed introduce a considerable performance penalty. We propose a new method, namely Square-and-Buffered- Multiplications (SABM), that implements an SPA-resistant binary exponentiation exhibiting optimal execution time at the cost of a small amount of storage --- O(\sqrt(\ell)), where \ell is the bit length of the exponent. The technique is optimal in the sense that it adds SPA-resistance to an underlying binary exponentiation algorithm while introducing zero computational overhead. We then present several new SPA-resistant algorithms that result from a novel way of combining the SABM method with an alternative binary exponentiation algorithm where the exponent is split in two halves for simultaneous processing, showing that by combining the two techniques, we can make use of signed-digit representations of the exponent to further improve performance while maintaining SPA-resistance. We also discuss the possibility of our method being implemented in a way that a certain level of resistance against DPA may be obtained. In a related contribution, we extend these ideas used in SPA and propose a technique to non-intrusively monitor a device and trace program execution, with the intended application of assisting in the difficult task of debugging embedded systems at deployment or production stage, when standard debugging tools or auxiliary components to facilitate debugging are no longer enabled in the device. One of the important highlights of this contribution is the fact that the system works on a standard PC, capturing the power traces through the recording input of the sound card.

cryptography

embedded systems

embedded systems security

side-channel analysis

timing attacks

power analysis

spa-resistant implementations

embedded systems debugging

Electrical and Computer Engineering

Information security issues facing internet café users.

Kgopa, Alfred Thaga.

January 2013

M. Tech. Business Information Systems / Although owners of Internet cafés extend the freedom to have Internet access to the community, they fail to tighten their computer security to safeguard the private information of their customers. This dissertation provides a conceptual framework for improving information security in the Internet Café, to help and ensure data privacy, data integrity, risk management and information security (IS) behaviour. The study investigated the information security issues that are faced by users of Internet cafés and explored the effects of these issues. The framework shows how users can improve their physical security to reach higher standards of information privacy over the Internet.

Data protection -- South Africa.

Computer security -- South Africa.

Bankinių apmokėjimų pranešimų perdavimo sauga / Bank transfer payments messaging security

Miškelevičius, Andrius

25 August 2010

Šiais laikais daugelis bankinių atsiskaitymų vyksta elektroninėje erdvėje. Operatyvumas bei patogumas per kelis dešimtmečius bankines sistemas integravo į viso pasaulio verslą. Vis populiarėjant e. komercijai elektroninės bankininkystės sistemos integravosi į WEB aplikacijas, kuriomis gali naudotis visi elektroninės erdvės vartotojai. Atsiskaitymai elektroninėje erdvėje sukuria didelę pridėtinę vertę visai ekonomikai tačiau dėl didelio panaudojimo masto išaugo ir opios saugumo grėsmės. Dėl piktavališkų veiksmų el.erdvėje per metus padaroma žala siekia 1 trilijoną dolerių, dėl šių patiriamų didelių nuostolių mažėja investicijos į naujų technologijų diegimą ko pasėkoje dar labiau sumažėja saugos lygis. Bankinių apmokėjimų programinė įranga, kuri apdoroja bankinius atsiskaitymus yra laikoma atskira sistemos dalimi, į kurią ji yra integruota. Ši posistemė lanksčiai ir paprastai integruojasi į bendrą sistemą ir efektyviai atlieka svarbias funkcijas susijusias su apmokėjimų apdorojimu. Bankinių apmokėjimų sistema skirta, operatyviai bei lanksčiai apdoroti mokėjimus bei apie įvykusius apmokėjimus informuoti tiek siuntėją, tiek ir gavėją. / Nowadays, many banking payments takes place in cyberspace. Timeliness and convenience through several decades integrated banking systems in the business world. However e.commerce popularity integrated electronic banking systems into Web applications that are available to all users of electronic space. Payments in cyberspace creates significant added value to the economy as a whole but on a large spread banking systems increase sensitive security threat. The hostile actions in e.space damage per year increase to 1 trillion dollars, for the losses incurred by major reduction in investment in new technologies it resulting in further decrease in the level of safety. All IT professionals can help create a safer online space, because the future of electronic payments become more closely associated with our business and life. The purpose of this work is to analyze banking systems safety and threats. In this work I designed and tested several banking systems and choose the best security solutions, to reduce security threats of electronic payments.

Informatics Engineering

Bankinės sistemos

Bankiniai apmokėjimai

Bakinių apmokėjimų pranešimų sauga

Banks payments systems security

Bank transfers security

Side-Channel Analysis: Countermeasures and Application to Embedded Systems Debugging

Moreno, Carlos

January 2013

Side-Channel Analysis plays an important role in cryptology, as it represents an important class of attacks against cryptographic implementations, especially in the context of embedded systems such as hand-held mobile devices, smart cards, RFID tags, etc. These types of attacks bypass any intrinsic mathematical security of the cryptographic algorithm or protocol by exploiting observable side-effects of the execution of the cryptographic operation that may exhibit some relationship with the internal (secret) parameters in the device. Two of the main types of side-channel attacks are timing attacks or timing analysis, where the relationship between the execution time and secret parameters is exploited; and power analysis, which exploits the relationship between power consumption and the operations being executed by a processor as well as the data that these operations work with. For power analysis, two main types have been proposed: simple power analysis (SPA) which relies on direct observation on a single measurement, and differential power analysis (DPA), which uses multiple measurements combined with statistical processing to extract information from the small variations in power consumption correlated to the data. In this thesis, we propose several countermeasures to these types of attacks, with the main themes being timing analysis and SPA. In addition to these themes, one of our contributions expands upon the ideas behind SPA to present a constructive use of these techniques in the context of embedded systems debugging. In our first contribution, we present a countermeasure against timing attacks where an optimized form of idle-wait is proposed with the goal of making the observable decryption time constant for most operations while maintaining the overhead to a minimum. We show that not only we reduce the overhead in terms of execution speed, but also the computational cost of the countermeasure, which represents a considerable advantage in the context of devices relying on battery power, where reduced computations translates into lower power consumption and thus increased battery life. This is indeed one of the important themes for all of the contributions related to countermeasures to side- channel attacks. Our second and third contributions focus on power analysis; specifically, SPA. We address the issue of straightforward implementations of binary exponentiation algorithms (or scalar multiplication, in the context of elliptic curve cryptography) making a cryptographic system vulnerable to SPA. Solutions previously proposed introduce a considerable performance penalty. We propose a new method, namely Square-and-Buffered- Multiplications (SABM), that implements an SPA-resistant binary exponentiation exhibiting optimal execution time at the cost of a small amount of storage --- O(\sqrt(\ell)), where \ell is the bit length of the exponent. The technique is optimal in the sense that it adds SPA-resistance to an underlying binary exponentiation algorithm while introducing zero computational overhead. We then present several new SPA-resistant algorithms that result from a novel way of combining the SABM method with an alternative binary exponentiation algorithm where the exponent is split in two halves for simultaneous processing, showing that by combining the two techniques, we can make use of signed-digit representations of the exponent to further improve performance while maintaining SPA-resistance. We also discuss the possibility of our method being implemented in a way that a certain level of resistance against DPA may be obtained. In a related contribution, we extend these ideas used in SPA and propose a technique to non-intrusively monitor a device and trace program execution, with the intended application of assisting in the difficult task of debugging embedded systems at deployment or production stage, when standard debugging tools or auxiliary components to facilitate debugging are no longer enabled in the device. One of the important highlights of this contribution is the fact that the system works on a standard PC, capturing the power traces through the recording input of the sound card.

cryptography

embedded systems

embedded systems security

side-channel analysis

timing attacks

power analysis

spa-resistant implementations

embedded systems debugging

Electrical and Computer Engineering

Data-centric security : towards a utopian model for protecting corporate data on mobile devices

Mayisela, Simphiwe Hector

January 2014

Data-centric security is significant in understanding, assessing and mitigating the various risks and impacts of sharing information outside corporate boundaries. Information generally leaves corporate boundaries through mobile devices. Mobile devices continue to evolve as multi-functional tools for everyday life, surpassing their initial intended use. This added capability and increasingly extensive use of mobile devices does not come without a degree of risk - hence the need to guard and protect information as it exists beyond the corporate boundaries and throughout its lifecycle. Literature on existing models crafted to protect data, rather than infrastructure in which the data resides, is reviewed. Technologies that organisations have implemented to adopt the data-centric model are studied. A utopian model that takes into account the shortcomings of existing technologies and deficiencies of common theories is proposed. Two sets of qualitative studies are reported; the first is a preliminary online survey to assess the ubiquity of mobile devices and extent of technology adoption towards implementation of data-centric model; and the second comprises of a focus survey and expert interviews pertaining on technologies that organisations have implemented to adopt the data-centric model. The latter study revealed insufficient data at the time of writing for the results to be statistically significant; however; indicative trends supported the assertions documented in the literature review. The question that this research answers is whether or not current technology implementations designed to mitigate risks from mobile devices, actually address business requirements. This research question, answered through these two sets qualitative studies, discovered inconsistencies between the technology implementations and business requirements. The thesis concludes by proposing a realistic model, based on the outcome of the qualitative study, which bridges the gap between the technology implementations and business requirements. Future work which could perhaps be conducted in light of the findings and the comments from this research is also considered.

Computer security

Computer networks -- Security measures

Mobile computing -- Security measures

The implementation of integrated security systems: case study of the industrial sector of Harare-Zimbabwe

Musonza, Dimax

02 1900

Text in English / Industrial sites in Harare contribute significantly to the economy of Zimbabwe. Harare is the capital city of Zimbabwe and therefore has significant manufacturing and commercial activity. The protection of industrial sites is very important because of the presence of valuable assets and operations. Therefore the main purpose of deploying security measures at industry premises is to create a safe and secure environment for the business functions. Security management is consequently an important element of an industrial organisation’s continuity. The implementation of integrated security systems was examined to some extent within this study. The size and nature of industrial facilities influenced this study to view integrated security systems as more effective than stand-alone security measures. The study sought to investigate the various aspects associated with the implementation. The purposes of the research included the following: • Examine current practices, benefits, shortcomings in the implementation of integrated security systems; • Critically evaluate the security management aspects required for the implementation ofintegrated security systems; • Investigate successes and failures associated with integrated security systems and how implementation can be improved; • Examine and identify factors necessary for a best practice approach to integrated security systems; and • Determine a methodology for the effective implementation of integrated security systems. Additionally the study briefly examined how security systems integration can assist in reducing the problem of connivance to theft at receiving and dispatch points at industrial facilities. The report is divided into five chapters. Chapter 1 covers the research problem, Chapter 2 deals with the research methods while Chapter 3 has insightful information from literature review. Chapter 4 presents the data and how it was analysed. Lastly Chapter 5 has findings, recommendations and conclusions. The study used the mixed-method approach. This approach includes both qualitative and quantitative research in order to gain a more in-depth understanding of the research problem. The methods of data collection were site visits, interviews and questionnaires. The sample was drawn from a cross-section of sites within the industrial areas of Workington, Southerton, Willowvale, Graniteside, Msasa and few outside industries in the vicinity of Harare. A total of 11 sites were observed. The interviews consisted of 30 participants who were mainly security practitioners at management level as well as some non-security managers. In addition, a total of 102 respondents participated in this study by completing the questionnaire. The majority of the respondents were security practitioners who were the main focus of the study. The findings support the various aspects of the implementation of integrated security systems. The conclusions emanating from the statistical analysis of the collected data included the following: • The critical assets for protection at industrial facilities are infrastructure, products, revenue, people and other movable items or equipment; • The main threat sources are from outsiders, crime syndicates and employees; • Security systems suitable for integration are CCTV, electronic access control, alarms, personnel, policies and procedures backed by information communication technologies. • Security should be functionally integrated with other departments which include Information Technology, Human Resources, Finance, Operations and Marketing; • The preferred mode of linkage was established to be fibre optic on a local area or wide area network using intranet or internet; • The key players in the integration were found to be security practitioners, top management, IT specialist, system suppliers, installers and operators; • The implementation process consists of security policy, survey, system design, procurement, installation, training, operating, review and upgrade; • Factors necessary for best practice include system purpose, availability of resources, top management commitment, skills, and feasibility to implement; • The benefits are mainly improved effectiveness, easy of monitoring, improved outlook and record keeping; • The most significant challenges are system breakdown, sabotage and power outage; and • Connivance to theft can be mitigated by a combination of staff rotation, dedicated CCTV, spot checks, undercover surveillance and functional integration. area network using intranet or internet; • The key players in the integration were found to be security practitioners, top management, IT specialist, system suppliers, installers and operators; • The implementation process consists of security policy, survey, system design, procurement, installation, training, operating, review and upgrade; • Factors necessary for best practice include system purpose, availability of resources, top management commitment, skills, and feasibility to implement; • The benefits are mainly improved effectiveness, easy of monitoring, improved outlook and record keeping; • The most significant challenges are system breakdown, sabotage and power outage; and • Connivance to theft can be mitigated by a combination of staff rotation, dedicated CCTV, spot checks, undercover surveillance and functional integration. / Security Risk Management / M. Tech. (Security Management)

658.47096891

Towards a unified fraud management and digital forensic framework for mobile applications

Bopape, Rudy Katlego

06 1900

Historically, progress in technology development has continually created new opportunities for criminal activities which, in turn, have triggered the need for the development of new security-sensitive systems. Organisations are now adopting mobile technologies for numerous applications to capitalise on the mobile revolution. They are now able to increase their operational efficiency as well as responsiveness and competitiveness and, most importantly, can now meet new, growing customers’ demands. However, although mobile technologies and applications present many new opportunities, they also present challenges. Threats to mobile phone applications are always on the rise and, therefore, compel organisations to invest money and time, among other technical controls, in an attempt to protect them from incurring losses. The computerisation of core activities (such as mobile banking in the banking industry, for example) has effectively exposed organisations to a host of complex fraud challenges that they have to deal with in addition to their core business of providing services to their end consumers. Fraudsters are able to use mobile devices to remotely access enterprise applications and subsequently perform fraudulent transactions. When this occurs, it is important to effectively investigate and manage the cause and findings, as well as to prevent any future similar attacks. Unfortunately, clients and consumers of these organisations are often ignorant of the risks to their assets and the consequences of the compromises that might occur. Organisations are therefore obliged, at least, to put in place measures that will not only minimise fraud but also be capable of detecting and preventing further similar incidents. The goal of this research was to develop a unified fraud management and digital forensic framework to improve the security of Information Technology (IT) processes and operations in organisations that make available mobile phone applications to their clients for business purposes. The research was motivated not only by the increasing reliance of organisations on mobile applications to service their customers but also by the fact that digital forensics and fraud management are often considered to be separate entities at an organisational level. This study proposes a unified approach to fraud management and digital forensic analysis to simultaneously manage and investigate fraud that occurs through the use of mobile phone applications. The unified Fraud Management and Digital Forensic (FMDF) framework is designed to (a) determine the suspicious degree of fraudulent transactions and (b) at the same time, to feed into a process that facilitates the investigation of incidents. A survey was conducted with subject matter experts in the banking environment. Data was generated through a participatory self-administered online questionnaire. Collected data was then presented, analysed and interpreted quantitatively and qualitatively. The study found that there was a general understanding of the common fraud management methodologies and approaches throughout the banking industry and the use thereof. However, while many of the respondents indicated that fraud detection was an integral part of their processes, they take a rather reactive approach when it comes to fraud management and digital forensics. Part of the reason for the reactive approach is that many investigations are conducted in silos, with no central knowledge repository where previous cases can be retrieved for comparative purposes. Therefore, confidentiality, integrity and availability of data are critical for continued business operations. To mitigate the pending risks, the study proposed a new way of thinking that combines both components of fraud management and digital forensics for an optimised approach to managing security in mobile applications. The research concluded that the unified FMDF approach was considered to be helpful and valuable to professionals who participated in the survey. Although the case study focused on the banking industry, the study appears to be instrumental in informing other types of organisations that make available the use of mobile applications for their clients in fraud risk awareness and risk management in general. / Computing / M. Sc. (Computing)

Fraud management

Digital forensics

Mobile applications

Mobile devices

Threats

Frameworks

Process models

Paradigms

005.35

Mobile apps

Mobile device forensics

Fraud -- Management

Cell phone systems -- Security measures

Implementação em software de criptografia baseada em emparelhamentos para redes de sensores usando o microcontrolador MSP430 / Software implementation of pairing based cryptography for sensor networks using the MSP430 microcontroller

Gouvêa, Conrado Porto Lopes, 1984-

05 December 2010

Orientador: Julio César López Hernández / Dissertação (mestrado) - Universidade Estadual de Campinas, Instituto de Computação / Made available in DSpace on 2018-08-16T09:36:03Z (GMT). No. of bitstreams: 1 Gouvea_ConradoPortoLopes_M.pdf: 1643588 bytes, checksum: 84895f14e5bab746796d6ca64e8287cf (MD5) Previous issue date: 2010 / Resumo: Redes de sensores sem fio têm se tornado populares recentemente e possuem inúmeras aplicações. Contudo, elas apresentam o desafio de como proteger suas comunicações utilizando esquemas criptográficos, visto que são compostas por dispositivos de capacidade extremamente limitada. Neste trabalho é descrita uma implementação eficiente em software, para redes de sensores sem fio, de duas tecnologias de criptografia pública: a Criptografia Baseada em Emparelhamentos (CBE) e a Criptografia de Curvas Elípticas (CCE). Nossa implementação foca a família de microcontroladores MSP430 de 16 bits, utilizada em sensores como o Tmote Sky e TelosB. Em particular, para a CBE, foram implementados algoritmos para o cálculo de emparelhamentos nas curvas MNT e BN sobre corpos primos; para a CCE, foi implementado o esquema de assinatura ECDSA sobre corpos primos para os níveis de segurança de 80 e 128 bits. As principais contribuições deste trabalho são um estudo aprofundado dos algoritmos de emparelhamentos bilineares e novas otimizações na aritmética de corpos primos para a MSP430, que consequentemente melhoram o desempenho dos criptossistemas de CBE e CCE em tal plataforma / Abstract: Wireless sensor networks have become popular recently and provide many applications. However, the deployment of cryptography in sensor networks is a challenging task, given their limited computational power and resource-constrained nature. This work presents an efficient software implementation, for wireless sensor networks, of two public-key systems: Pairing-Based Cryptography (PBC) and Elliptic Curve Cryptography (ECC). Our implementation targets the MSP430 microcontroller, which is used in some sensors including the Tmote Sky and TelosB. For the PBC, we have implemented algorithms for pairing computation on MNT and BN curves over prime fields; for the ECC, the signature scheme ECDSA over prime fields for the 80-bit and 128-bit security levels. The main contributions of this work are an in-depth study of bilinear pairings algorithms and new optimizations for the prime field arithmetic in the MSP430, which improves the running times of the PBC and ECC cryptosystems on the platform / Mestrado / Teoria da Computação / Mestre em Ciência da Computação

Criptografia

Cryptography

Computer networks - Security measures