Secure communications for critical infrastructure control systems

Dawson, Robert Edward

January 2008

In March 2000, 1 million litres of raw sewage was released into the water system of Maroochy Shire on Queensland’s sunshine coast. This environmental disaster was caused by a disgruntled ex-contractor using a radio transmitter to illicitly access the electronically controlled pumps in the control system. In 2007 CNN screened video footage of an experimental attack against a electrical generator. The attack caused the generator to shake and smoke, visually showing the damage caused by cyber attack. These attacks highlight the importance of securing the control systems which our critical infrastructures depend on. This thesis addresses securing control systems, focusing on securing the communications for supervisory control and data acquisition (SCADA) systems. We review the architectures of SCADA systems and produce a list of the system constraints that relate to securing these systems. With these constraints in mind, we survey both the existing work in information and SCADA security, observing the need to investigate further the problem of secure communications for SCADA systems. We then present risk modelling techniques, and model the risk in a simple SCADA system, using the ISM, a software tool for modelling information security risk. In modelling the risk, we verify the hypothesis that securing the communications channel is an essential part of an effective security strategy for SCADA systems. After looking at risk modelling, and establishing the value of securing communications, we move on to key management for SCADA systems. Appropriate key management techniques are a crucial part of secure communications, and form an important part of the contributions made in this work. We present a key management protocol that has been designed to run under the constraints specific to SCADA systems. A reductionist security proof is developed for a simplified version of the protocol, showing it is secure in the Bellare Rogaway model.

可搜尋式加密和密文相等性驗證 / Searchable encryption and equality test over ciphertext

黃凱彬, Huang, Kaibin

Unknown Date

本文深入探討許多基於公開金鑰密碼和通行碼的密文運算方案。首先第一個主題是「公開金鑰密碼」，從其基本架構和安全定義開始，透過文獻探討逐步地討論公開金鑰密碼學的各項特性、以及討論公開金鑰密碼中兩個常見的密文運算：同態加密系統和可交換性加密系統。同態運算是針對同一把公鑰加密的不同密文間的運算：兩個以同一把公鑰加密的密文可以在不解密的前提下進行運算，進而成為另一個合法密文。這個密文運算的結果等同於兩個明文做運算後再以該公鑰加密。可交換性加密系統是一個容許重複的加密系統：已用甲方公鑰加密的密文可以再度用乙方公鑰再加密，進而之成一個多收件者的密文。第一個主題圍繞著這兩個密文運算的技巧討論相關的加密方案。接下來第二個研究的的主題是「基於公開金鑰密碼之密文相等性驗證」，「密文相等性驗證」是密文運算中一個基礎但重要的功能，經授權的測試者可以在不解密密文的前提下，驗證兩個加密後的訊息是否相等。此外，除了相等或不相等之外，測試者無法得知密文中的其他訊息。「基於公開金鑰密碼之密文相等性驗證」相當於在「公開金鑰密碼」的基礎上，再加上「授權」和「密文相等性驗證」的功能。其中「授權」的範圍和「授權」的設計，直接影響到該方案的實用性及安全性，本文提出三個關於「授權」的主題：「單一密文授權」、「相容性授權」和「語意安全授權」。第三個研究主題是「 可搜尋式加密系統」， 常被應用於以下情境：使用者一個檔案及數個「關鍵字」進行加密，然後儲存在雲端伺服器上。當使用者想要對加密檔案進行關鍵字搜尋時，他可以自訂幾個想搜尋的「關鍵字」並對雲端伺服器發出搜尋要求。在收到搜尋要求後，雖然關鍵字都是加密儲存，仍可利用「可搜尋式加密」技巧將符合關鍵字搜尋的檔案傳回給收件者。整個過程中檔案和關鍵字都被加密保護，伺服器無法得知其儲存及搜尋內容。本文提出兩個「 可搜尋式加密系統」，分別是「子集合式多關鍵字可搜尋式加密系統」和「基於通行碼的可搜尋式加密系統」 。 / This dissertation addresses the research about ciphertext computation skills over public key encryption and password-authenticated cryptosystems. The first topic is related to the public key encryption, the framework and security notions for public key encryption are revised; and two common ciphertext-computable public key encryptions including homomorphic encryption and commutative encryption are following discussed. The homomorphic encryption denotes computations over ciphertexts encrypted using the same public key. The homomorphic operation over ciphertexts may be equal to the encryption of a new message computed between two original messages. In terms of commutative encryption, it stands for a repeated encryption system that Alice’s ciphertext can be duplicated encrypted using Bob’s public key. A dual-receiver ciphertext will appear after the commutative encryption. Following, based on the public key encryption, the second topic focuses on the public key encryption with equality test schemes, the basic and fundamental ciphertext computation. Briefly, the user-authorized testers are able to verify the equivalence between messages hidden in ciphertexts after they acquire trapdoors from ciphertext receivers; and the ciphertexts were never decrypted in the whole equality testing process. The scope and architecture of the authorization directly influence the application and security for equality test schemes. Three authorizations including “cipher-bound authorization”, “compatible authorization” and “semantic secure authorization” will be proposed. The third topic is keyword search. It works in the following scenario: a user outsources encrypted files and encrypted keywords on a cloud file storage system; then, when needed, the user is able to request a search query to the file server, which is corresponding to some encrypted keywords. Although files and keywords are encrypted, the server is still able to verify the match-up and return related files to the user. Two researches about keyword search are proposed: the subset multi-keyword search based on public key encryption, and the password-authenticated keyword search.

密文運算

公開金鑰密碼

安全證明

密文相等性驗證

可搜尋式加密

基於通行碼的認證系統

Ciphertext computation

Public key encryption

Security proof

Equality test

Searchable encryption

Password-authenticated systems

Elliptic Curve Cryptography for Lightweight Applications.

Hitchcock, Yvonne Roslyn

January 2003

Elliptic curves were first proposed as a basis for public key cryptography in the mid 1980's. They provide public key cryptosystems based on the difficulty of the elliptic curve discrete logarithm problem (ECDLP) , which is so called because of its similarity to the discrete logarithm problem (DLP) over the integers modulo a large prime. One benefit of elliptic curve cryptosystems (ECCs) is that they can use a much shorter key length than other public key cryptosystems to provide an equivalent level of security. For example, 160 bit ECCs are believed to provide about the same level of security as 1024 bit RSA. Also, the level of security provided by an ECC increases faster with key size than for integer based discrete logarithm (dl) or RSA cryptosystems. ECCs can also provide a faster implementation than RSA or dl systems, and use less bandwidth and power. These issues can be crucial in lightweight applications such as smart cards. In the last few years, ECCs have been included or proposed for inclusion in internationally recognized standards. Thus elliptic curve cryptography is set to become an integral part of lightweight applications in the immediate future. This thesis presents an analysis of several important issues for ECCs on lightweight devices. It begins with an introduction to elliptic curves and the algorithms required to implement an ECC. It then gives an analysis of the speed, code size and memory usage of various possible implementation options. Enough details are presented to enable an implementer to choose for implementation those algorithms which give the greatest speed whilst conforming to the code size and ram restrictions of a particular lightweight device. Recommendations are made for new functions to be included on coprocessors for lightweight devices to support ECC implementations Another issue of concern for implementers is the side-channel attacks that have recently been proposed. They obtain information about the cryptosystem by measuring side-channel information such as power consumption and processing time and the information is then used to break implementations that have not incorporated appropriate defences. A new method of defence to protect an implementation from the simple power analysis (spa) method of attack is presented in this thesis. It requires 44% fewer additions and 11% more doublings than the commonly recommended defence of performing a point addition in every loop of the binary scalar multiplication algorithm. The algorithm forms a contribution to the current range of possible spa defences which has a good speed but low memory usage. Another topic of paramount importance to ECCs for lightweight applications is whether the security of fixed curves is equivalent to that of random curves. Because of the inability of lightweight devices to generate secure random curves, fixed curves are used in such devices. These curves provide the additional advantage of requiring less bandwidth, code size and processing time. However, it is intuitively obvious that a large precomputation to aid in the breaking of the elliptic curve discrete logarithm problem (ECDLP) can be made for a fixed curve which would be unavailable for a random curve. Therefore, it would appear that fixed curves are less secure than random curves, but quantifying the loss of security is much more difficult. The thesis performs an examination of fixed curve security taking this observation into account, and includes a definition of equivalent security and an analysis of a variation of Pollard's rho method where computations from solutions of previous ECDLPs can be used to solve subsequent ECDLPs on the same curve. A lower bound on the expected time to solve such ECDLPs using this method is presented, as well as an approximation of the expected time remaining to solve an ECDLP when a given size of precomputation is available. It is concluded that adding a total of 11 bits to the size of a fixed curve provides an equivalent level of security compared to random curves. The final part of the thesis deals with proofs of security of key exchange protocols in the Canetti-Krawczyk proof model. This model has been used since it offers the advantage of a modular proof with reusable components. Firstly a password-based authentication mechanism and its security proof are discussed, followed by an analysis of the use of the authentication mechanism in key exchange protocols. The Canetti-Krawczyk model is then used to examine secure tripartite (three party) key exchange protocols. Tripartite key exchange protocols are particularly suited to ECCs because of the availability of bilinear mappings on elliptic curves, which allow more efficient tripartite key exchange protocols.

Elliptic curve (EC)

elliptic curve cryptosystem (ECC)

discrete logarithm problem (DLP)

speed

code size

memory usage

ram usage

fixed curve

random curve

Pollard's rho method

Canetti-Krawczyk proof model

key exchange protocols

security proof

tripartite key exchange

pairings

password-based authentication

point addition

projective coordinates

Jacobian coordinates

Chudnovsky Jacobian coordinates

modified Jacobian coordinates

binary method

simultaneous multiple exponentiation

two-in-one scalar multiplication

coprocessor

smart card

lightweight device

simple power analysis (spa)

side channel attack

equivalent security.