Project Topics

The School of Electrical Engineering and Computer Science (EECS)
CS/ECE Advanced Network Security
Dr. Attila Altay Yavuz
Topic 1.1 Course and Project Overview (1)
Fall 2014
High-Level Objectives
• Broad understanding of technology trends, security and privacy problems
• Recognize key security and privacy challenges, list common threats and vulnerabilities on modern systems
• Advanced Network Security Primitives
– One-way hash chain, use of multiple root chains
• Relate keys in a special manner
– Merkle hash tree and its applications
• Classic algorithmic trick of all time: O(log2(n))
– Bloom filters
• Is it there?
– Secret sharing
• A beautiful crypto classic
– Rabin's information dispersal
• Resistance against erasure and disruption
OSU EECS
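The "O(log2(n)) trick" behind the Merkle hash tree, as an added example (our code, not part of the slides): a verifier who holds only the root can check that one leaf belongs to the set using ceil(log2 n) sibling hashes instead of all n leaves. The helper names and the eight "firmware block" leaves are constructed for the demo; leaf and inner-node hashes are domain-separated so a leaf hash cannot be replayed as an inner node.

```python
import hashlib
import math

# Added example: Merkle hash tree with O(log2 n) inclusion proofs.
# Helper names (leaf_hash, node_hash, inclusion_proof, verify_inclusion) are ours, not from the slides.

def leaf_hash(leaf: bytes) -> bytes:
    # Domain separation: a leaf hash can never be confused with an inner-node hash
    return hashlib.sha256(b"\x00" + leaf).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _pad_even(level):
    # An odd level duplicates its last node so that every node has a sibling
    return level + [level[-1]] if len(level) % 2 == 1 else level

def build_levels(leaves):
    """Bottom-up levels: levels[0] holds the leaf hashes, levels[-1] holds only the root."""
    level = [leaf_hash(x) for x in leaves]
    levels = [level]
    while len(level) > 1:
        level = _pad_even(level)
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def merkle_root(leaves) -> bytes:
    return build_levels(leaves)[-1][0]

def inclusion_proof(leaves, index):
    """Sibling hashes from leaf to root as (hash, sibling_is_right); length is ceil(log2 n)."""
    proof = []
    for level in build_levels(leaves)[:-1]:
        level = _pad_even(level)
        proof.append((level[index ^ 1], index % 2 == 0))
        index //= 2
    return proof

def verify_inclusion(root: bytes, leaf: bytes, proof) -> bool:
    """The verifier needs only the root (e.g. a signed commitment) plus log2(n) hashes, never the n leaves."""
    acc = leaf_hash(leaf)
    for sibling, sibling_is_right in proof:
        acc = node_hash(acc, sibling) if sibling_is_right else node_hash(sibling, acc)
    return acc == root

def proof_length(n_leaves: int) -> int:
    return math.ceil(math.log2(n_leaves)) if n_leaves > 1 else 0

def demo():
    # Constructed sample: eight per-sensor firmware blocks committed under one root
    blocks = [f"block-{i}".encode() for i in range(8)]
    root = merkle_root(blocks)
    proof = inclusion_proof(blocks, 5)
    ok = verify_inclusion(root, blocks[5], proof)
    tampered = verify_inclusion(root, b"block-X", proof)
    return ok, tampered, len(proof)

if __name__ == "__main__":
    print(demo())
```

The same root can authenticate any of the n leaves, so one signature over the root (or one hash-chain anchor) amortizes over many packets; this is the property the later BiBa/HORS and code-dissemination topics build on.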
High-Level Objectives (Cont’)
• Denial-of-Service (DoS) attack countermeasures
– Hash-based puzzles against connection depletion attacks
– Variant client-server puzzle methods
– Client-server puzzle outsourcing with the Discrete-Logarithm Problem (DLP)
– Message-specific puzzles for DoS resiliency in Wireless Sensor Networks (WSNs)
– Using the broadcast environment to revert client-server puzzles (patents!)
• Authentication Methods
– Authentication and integrity are the first requirement for all IoTS applications!
– Broadcast Authentication Methods
– Going beyond Message Authentication Codes and standard signatures
– Leveraging the time factor: TESLA
– Hash chains and signatures: EMSS
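How a hash-based client puzzle defends against connection depletion, as an added example (our code, not from the slides): the server hands out a puzzle whose solution costs the client about 2^difficulty hash evaluations, while checking the answer costs the server one HMAC and one hash and requires no per-client state, because the nonce, client id, expiry and difficulty are bound together by a MAC under a server-only key. The puzzle lifetime, difficulty and client ids are constructed demo values.

```python
import hashlib
import hmac
import os

# Added example: stateless hash-based client puzzle against connection depletion.
# PUZZLE_LIFETIME_S and the difficulty values are constructed for the demo.
PUZZLE_LIFETIME_S = 30

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()

def _puzzle_tag(server_key: bytes, client_id: bytes, nonce: bytes, expiry: int, difficulty: int) -> bytes:
    msg = nonce + client_id + expiry.to_bytes(8, "big") + bytes([difficulty])
    return hmac.new(server_key, msg, hashlib.sha256).digest()

def issue_challenge(server_key: bytes, client_id: bytes, difficulty: int, now: int):
    """Server side: build a puzzle without storing anything. The MAC lets the server
    recognise its own puzzle later, so a flood of half-open requests holds no server memory."""
    nonce = os.urandom(16)
    expiry = now + PUZZLE_LIFETIME_S
    tag = _puzzle_tag(server_key, client_id, nonce, expiry, difficulty)
    return {"nonce": nonce, "expiry": expiry, "difficulty": difficulty, "tag": tag}

def solve(challenge) -> int:
    """Client side: brute-force a counter x until SHA-256(nonce || x) has `difficulty`
    leading zero bits. Expected work is about 2**difficulty hash evaluations."""
    x = 0
    while True:
        d = hashlib.sha256(challenge["nonce"] + x.to_bytes(8, "big")).digest()
        if leading_zero_bits(d) >= challenge["difficulty"]:
            return x
        x += 1

def verify(server_key: bytes, client_id: bytes, challenge, x: int, now: int) -> bool:
    """Server side: one HMAC plus one hash, independent of how hard the puzzle was for the client."""
    expected = _puzzle_tag(server_key, client_id, challenge["nonce"], challenge["expiry"], challenge["difficulty"])
    if not hmac.compare_digest(challenge["tag"], expected):
        return False  # not a puzzle this server issued to this client, or tampered parameters
    if now > challenge["expiry"]:
        return False  # stale solutions are rejected, which bounds how long a solved puzzle is useful
    d = hashlib.sha256(challenge["nonce"] + x.to_bytes(8, "big")).digest()
    return leading_zero_bits(d) >= challenge["difficulty"]

if __name__ == "__main__":
    key = os.urandom(32)
    ch = issue_challenge(key, b"client-1", difficulty=12, now=1_000)
    print("solution accepted:", verify(key, b"client-1", ch, solve(ch), now=1_005))
```

Under load the server raises the difficulty, shifting cost onto each requester; within the lifetime window a production server would additionally remember the nonces it has already accepted so that one solved puzzle cannot be replayed several times.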
High-Level Objectives (Cont’)
• One-time and Multiple-time Signatures
– Fastest authentication methods around, but with enormous signatures and keys
– Bins and Balls (BiBa)
– Hash to Obtain a Random Subset (HORS)
– Again play with the time factor, but in a different way!
• Time-Valid HORS
• Trade-off between security and performance
• Applications to Smart Grid/Power Grid, Inter-car Networks and Comparison
– How to distribute multiple-time public keys?
– Packet loss problems: chained public keys?
– Bandwidth and storage issues?
– Comparison to ECDSA-type approaches, hardware-acceleration methods
High-Level Objectives (Cont’)
• Code Dissemination in Wireless Sensors
– Start with one, spread to the others
– Hop-by-hop secure sensor code programming
– DoS resistance, a different game with many little 8-bit devices
• Authentication and Integrity for Low-end Devices
– Backbone of IoTS
– Normal crypto will kill the battery, literally, 1000 times faster!
– Sensors can be compromised and physically attacked
– Develop advanced schemes to resist:
• Active adversaries stealing your keys
• Very little battery, 16 KB memory, 8-bit processor, tiny antenna!
• HaSAFSS
• BAF
• ETA
Grading
• Homework, 20% (potentially two assignments)
• In-class paper presentation, 15% (subject to change)
– See potential topics on the webpage
• Survey/Scouting, 20%
– Select a topic from the "In-class presentation" sub-section on the webpage
• Research Project, 40%
– Good progress can remove the survey/scouting requirement!
– Either select one of the given topics, or propose your own project
– Your preference + your skill set, team effort versus individual work
– Deliverables will depend on the type of the project
– Please let me know if you will continue this course by 10.08.2014
• Class attendance/participation, 5%
Project Topics: Overview
• Cloud Computing (3 topics)
– Privacy-preserving Searches for data outsourcing
• Searchable Encryption
– Privacy-preserving Access for data outsourcing
• Oblivious RAM
– Privacy-preserving Operations for computation outsourcing
• Outsourcing linear optimization problems
• Internet of Things and Systems (1 topic)
– Scalable and practical key management and provisioning
• Self-certified cryptography and its implementation
• Digital Forensics (1 topic)
– Compromise-resilient and compact signatures
• Security improvement and implementation
Project Topics: Overview (Cont’)
• Wireless Sensor Networks
– Detection of Node Replication Attacks
•
Design, Comparison and Analysis of Algorithms
• Encryption Methods for Medical Security
– Analyze and compare suitable encryption methods for medical databases
• Recent Progress on Proof-of-Retrievability and Implementation
• Side-Channel Attacks on Medical Devices and Cyber Physical Systems
– Scouting Oriented
Project Topics: Requirement (Generic)
• Requirement and Background
• Recommended: knowledge of basic security and crypto concepts
– Symmetric-key crypto, public-key crypto, differences & similarities
– Cryptographic hash functions, Message Authentication Codes, block ciphers (AES, DES)
– RSA, DSA, Diffie-Hellman Key Exchange, DLP
• Good programming skills
– C/C++, ability to use data structure packages from open-source libraries, open-hash table, stack
– Java, C# and/or Python for some projects (no need to be a guru, use high-level)
• Familiarity with a basic Linux environment, compile/link etc.
• Willingness to learn existing crypto libraries to build algorithms
– MIRACL, Number Theory Library (NTL), individual packages of researchers
• Self-motivated and independent research and development (it is your work, your success!)
Project Topics: Requirement (Generic)
• Deadlines and Sync-Up
• Bi-weekly mini-updates indicating progress are recommended for projects
– 3 paragraphs indicating achievements, problems, next steps (only the team representative)
• Office hours: Monday 4:00 pm – 5:30 pm
• Project Selection: 10.08.2014
– Self-proposals have one more week, see website for details
• Interim Report: 11.07.2014
• Final Report and Software Package: 12.11.2014
– Project presentation summarizing results
– Research report
– Transferable software under Linux, VM ready (hopefully for Winter 2014)
– See website for further details
Challenge: Privacy versus Data Utilization Dilemma
Figure: the client holds sensitive data and outsources it to cloud storage under standard encryption. The encrypted store answers SEARCH? and ANALYZE? with CAN'T SEARCH! and CAN'T ANALYZE!, which is the impact of the dilemma.
Searchable Encryption (Generic Framework)
Efficient Privacy Enhancing Technologies for Big Data Analytics
Role: Co-PI / Budget: $1,000,000 (2014-2017)
Searchable Encryption: Search on encrypted data without decrypting it
Figure: the client extracts keywords w1 ... wn from files f1 ... fn, builds a searchable representation (a data structure over the keywords) and encrypts the files into c1 ... cn, then outsources both to the cloud. To search for keyword w1 the client sends the trapdoor t1; the cloud matches it against the trapdoors t1 ... tn in the searchable representation and returns the matching encrypted file (f1). To update file fi the client sends the update information (zi, V).
Project Topics: Searchable Encryption
• Understand, implement, validate important SSE schemes on real data
Dynamic Symmetric Searchable Encryption by Microsoft Research:
Seny Kamara and Charalampos Papamanthou. Parallel and Dynamic Searchable Symmetric Encryption. Financial Cryptography 2013 (FC 2013).
Dynamic Symmetric Searchable Encryption by IBM Research and Academia:
David Cash, Joseph Jaeger, Stanislaw Jarecki, Charanjit Jutla, Hugo Krawczyk, Marcel Rosu, Michael Steiner. Dynamic Searchable Encryption in Very-Large Databases: Data Structures and Implementation. NDSS 2014.
Work of Dr. Elaine Shi at UMD (code will potentially be provided, in C#)
Dynamic Symmetric Searchable Encryption by Robert Bosch (optional):
My work on high-security DSSE
Static Symmetric Searchable Encryption (optional):
Reza Curtmola, Juan Garay, Seny Kamara, and Rafail Ostrovsky. Searchable symmetric encryption: improved definitions and efficient constructions. In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06).
Project Topics: Searchable Encryption
• Group Size: 3 students (+1 if another project is merged)
– Students considering security research, or the Winter 2014 Applied Crypto class
• Required Background:
– C/C++ programming, ability to use data structure packages from open-source libraries
– C# or Java for certain algorithms (use existing libraries, no need to be a guru)
– Knowledge of cryptographic hash functions, MAC, block ciphers (AES), Pseudo Random Functions: leverage existing crypto libraries to use those primitives with data structures
– Knowledge of basic data structures: red-black trees, hash tables, linked lists, ability to implement them with open-source C/C++ libraries
• Each member will be responsible for an algorithm; skill sets and the selected algorithm will be decided
• Implementation results will be tested on the ENRON public data set
Oblivious Random Access Memory (ORAM)
• SSE, homomorphic encryption, differential privacy: operations under encryption
• ACCESS to the encrypted data also leaks info!
• Example: Any SSE algorithm leaks the "access pattern"
– The same tag for a keyword returns the same file
– The adversary knows we access certain files in a certain pattern!
• Problem: The sequence of storage locations accessed by the client can leak a significant amount of sensitive information. It has been demonstrated that by observing accesses to an encrypted email repository, an adversary can infer as much as 80% of the search queries.
Mohammad Saiful Islam, Mehmet Kuzu, Murat Kantarcioglu. Access Pattern Disclosure on Searchable Encryption: Ramification, Attack and Mitigation. NDSS 2012.
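The generic SSE framework from the earlier figure and the access-pattern leakage described on this slide, together in one added example (our code, not one of the listed schemes): the client derives a trapdoor for each keyword with a PRF, stores an encrypted inverted index of labels to masked file ids on the cloud, and searches by sending only the trapdoor. The server never sees a keyword, yet it logs which labels a search touches; repeating a query touches exactly the same labels, which is the access pattern an honest-but-curious cloud (or the attack referenced above) exploits. The three-message corpus, the key and the helper names are constructed for the demo; the file contents themselves are left out, since the point is the index.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Added example: toy symmetric searchable encryption (encrypted inverted index) that makes the
# access pattern visible. Constructed corpus: file id -> plaintext (stands in for the ENRON mails).
FILES = {
    1: "Alice pays Bob for the server",
    2: "Bob meets Carol about the budget",
    3: "Alice meets Carol about the server",
}

def prf(key: bytes, data: bytes) -> bytes:
    """PRF instantiated with HMAC-SHA256; its output on a keyword is the trapdoor."""
    return hmac.new(key, data, hashlib.sha256).digest()

def tokenize(text: str):
    return set(re.findall(r"[a-z]+", text.lower()))

def trapdoor(k_index: bytes, keyword: str) -> bytes:
    return prf(k_index, keyword.encode())

def entry(trap: bytes, counter: int):
    """Label and 4-byte pad for the counter-th file containing the keyword behind this trapdoor."""
    ctr = counter.to_bytes(4, "big")
    label = hashlib.sha256(trap + b"label" + ctr).digest()
    pad = hashlib.sha256(trap + b"value" + ctr).digest()[:4]
    return label, pad

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def build_index(k_index: bytes, files: dict) -> dict:
    """Client side: encrypted inverted index {label -> masked file id}; labels reveal no keyword."""
    index, counters = {}, defaultdict(int)
    for fid, text in sorted(files.items()):
        for w in sorted(tokenize(text)):
            trap = trapdoor(k_index, w)
            label, pad = entry(trap, counters[w])
            counters[w] += 1
            index[label] = _xor(fid.to_bytes(4, "big"), pad)
    return index

class CloudServer:
    """Holds only the encrypted index and records every label it touches: that log is the access pattern."""
    def __init__(self, index: dict):
        self.index = index
        self.access_log = []

    def search(self, trap: bytes):
        results, counter = [], 0
        while True:
            label, _ = entry(trap, counter)
            if label not in self.index:
                return results
            self.access_log.append(label.hex()[:8])
            results.append(self.index[label])
            counter += 1

def client_search(k_index: bytes, server: CloudServer, keyword: str) -> set:
    trap = trapdoor(k_index, keyword)
    ids = set()
    for counter, masked in enumerate(server.search(trap)):
        _, pad = entry(trap, counter)
        ids.add(int.from_bytes(_xor(masked, pad), "big"))
    return ids

def demo():
    k_index = hashlib.sha256(b"constructed demo key").digest()
    server = CloudServer(build_index(k_index, FILES))
    first = client_search(k_index, server, "alice")
    n = len(server.access_log)
    second = client_search(k_index, server, "alice")
    # Access-pattern leakage: the repeated query touches exactly the same labels, so the server
    # learns "same query again" and which index entries belong together, without seeing "alice".
    same_pattern = server.access_log[:n] == server.access_log[n:]
    return first, second, same_pattern

if __name__ == "__main__":
    print(demo())
```

Hiding the keyword is therefore not the same as hiding what is accessed; the ORAM project exists precisely to make the sequence of touched locations independent of the query.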
Oblivious Random Access Memory (ORAM)
• Guessing actions in critical situations
• A Q1, Q2, Q3 query sequence followed by a buy/sell in the market, no need for decryption!
• Reverse Engineering and Software Privacy
• Accessing certain memory locations leaks information about the software!
– Reverse engineering in cloud computing
• A valid method is using a hardware key to protect the validity of the software; the hardware key cannot be duplicated
• The memory access between the HW and SW components can leak information
• An attacker can deceive or skip the check with the HW component
Project Topics: ORAM
• Understand, implement, validate important ORAM schemes on real data
• Emil Stefanov, Marten van Dijk, Elaine Shi, Christopher Fletcher, Ling Ren, Xiangyao Yu, and Srinivas Devadas. Path ORAM: An extremely simple oblivious RAM protocol. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS '13).
– https://github.com/nathanwolfe/dropbox-oram
• Emil Stefanov, Elaine Shi. ObliviStore: High Performance Oblivious Distributed Cloud Data Store. In Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP '13).
– Code in C#
• Emil Stefanov, Elaine Shi, Dawn Song. Towards Practical Oblivious RAM. NDSS 2012, San Diego, CA, USA.
– Code in C#
Project Topics: ORAM
• Group Size: 1 student
– Students considering security research, or the Winter 2014 Applied Crypto class
• Required Background:
– C# or Python programming, or ability to use software packages from existing libraries
– Network programming experience (e.g., with Java or C#), preferable!
– Knowledge of cryptographic hash functions, MAC, block ciphers (AES), Pseudo Random Functions
– Knowledge of basic data structures: red-black trees, hash tables, linked lists
• Prepare a survey of ORAM methods: advantages/disadvantages, theoretical comparison
• Performance measurements and comparison with different libraries
• Presentation describing the evolution and best results of ORAM, with measurements
• Possible integration with the SSE team, especially if the Bosch scheme works
Towards Secure and Reliable Vehicular IoTs (Title)
• Transformative Technology: Vehicular IoT
– Autonomous driving, Car2-X, reduced accidents and energy use
• Vital Research Need and Big Challenge
– IEEE 1609.2, NHTSA Aug. 2014: "Authenticate 3000 messages per sec."
– Authentication: secure, safe (delay-awareness), reliable, scalable
– State of the art cannot meet these requirements [IEEE 1609.2, NHTSA]
• Develop and deploy new and practical authentication methods
– Minimum end-to-end crypto delay, compact signature/key
– Scalable, high reliability via time-valid framework
– Developed several novel digital signatures
– Several concrete crypto schemes are planned for the next three years
– Maximum performance via vehicle-capable hardware acceleration
• On-field experiments with real vehicles, situational awareness
Towards Secure and Reliable Vehicular IoTs
Transformative Technology: Vehicular Networks
• Command and control mechanisms are crucial for distributed systems such as vehicular networks
• These mechanisms are time, safety and security critical.
Requirements:
– Extremely fast processing of messages (a few ms).
– Authentication and integrity of messages must be guaranteed.
– Security must be scalable (e.g., key management).
– Accidents
– Pedestrians in danger
Current Technology Limitations:
– Asymmetric crypto is as of now not yet feasible due to high computation, memory and communication costs.
– ECDSA has been shown to be slow.
– Symmetric crypto is unscalable due to key management issues.
– Resource-constrained platforms are involved
– Sensors on lights, mobile devices of pedestrians
Secure Inter-car Communication
• Further Methods and Limitations:
• Signature Amortization: Traditional signatures are slow, but what about signing a group of packets?
– Buffer packets and sign them together, faster than signing each
– Real-time authentication: no time to buffer packets!
• One-time Signatures (hash-based): Relying only on cryptographic hashes, they are the fastest methods known to date.
– One-time signature → one-time public key
– Re-distribute a new public key each time, bandwidth killer!
– Enormous signatures and public keys
• Packet size = 128 bits, signature size = 5 KB
Secure Inter-car Communication
• Playing with Time (TESLA & EMSS): Introduce asymmetry with time.
– Details will come later, but the caveat is: it requires packet buffering!
• Observation: To prevent a collision in real time, we need only a couple of ms
• Remaining secure for a couple of minutes is enough!
• Existing methods offer significantly longer security, by being very expensive
• Time-Valid Security: A security/performance trade-off for fast authentication
– (sk, PK): 2^k bit security, |PK, sk| = n bits
– Use m < n bits for (sk, PK)
– Smaller signature size, less transmission, much faster processing (fewer bits to work on)
– Less security, but a couple of minutes is enough!
Secure Inter-car Communication
• Limitations of the Time-Valid Approach
• Each signature scheme has its own security/key length balance
– Factorization, DLP, lattices, …
– Requires a good theoretical estimation of acceptable security = cryptanalysis
• Shorter signature = shorter public keys
– Remember one-time signatures?
– Re-distribute public keys from time to time
• Bandwidth first gained but then lost (still ok)
– Chaining public keys
– Packet loss issues
• A public key distribution and synchronization framework is needed
Project Topics: New TV-Signatures
• 1) I identified very fast signatures for you:
– Ed25519
a) Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. High-speed high-security signatures. In Cryptographic Hardware and Embedded Systems, CHES 2011 - 13th International Workshop, Nara, Japan, September 28 - October 1, 2011. Proceedings, pages 124–142, 2011.
b) Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. High-speed high-security signatures. Journal of Cryptographic Engineering, 2(2):77–89, 2012.
– Efficient and Tiny Authentication (ETA)
Attila Altay Yavuz. ETA: efficient and tiny and authentication for heterogeneous wireless systems. In Proc. of the Sixth ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec '13, pages 67–72, New York, NY, USA, 2013. ACM.
– Rapid Authentication (RA)
Attila Altay Yavuz. An efficient real-time broadcast authentication scheme for command and control messages. IEEE Transactions on Information Forensics and Security, 9(10):1733–1742, Oct 2014.
Project Topics: New TV-Signatures
– NTRU Signature
Jeff Hoffstein, Nick Howgrave-Graham, Jill Pipher, and William Whyte. Practical lattice-based cryptography: NTRUEncrypt and NTRUSign. Information Security and Cryptography, pages 349–390. Springer Berlin Heidelberg, 2010.
– Signcryption
Y. Zheng. Digital signcryption or how to achieve cost(signature & encryption) << cost(signature) + cost(encryption). In Proceedings of Advances in Cryptology (CRYPTO '97), pages 165–179, 1997.
– Schnorr Signature
Gregory Neven, Nigel P. Smart, and Bogdan Warinschi. Hash function requirements for Schnorr signatures. J. Mathematical Cryptology, 3(1):69–87, 2009.
Project Topics: New TV-Signatures
• 2) Realize Signatures with Efficient Crypto Libraries under the TV-framework
– MIRACL, NTL
– Varying (SK, PK) sizes with different security parameters
– Guideline about key sizes?
A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.
Lenstra's key-size results
– Detailed timing measurements
• 3) Time-Valid Framework with PK Distribution
– Minimize PK distribution; hash chains are used:
Q. Wang, H. Khurana, Y. Huang, and K. Nahrstedt. Time valid one-time signature for time-critical multicast data authentication. In INFOCOM 2009, IEEE, April 2009.
– Consider packet loss, chaining properties, do measurements
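The time-valid trade-off from the inter-car slides and the "chaining public keys / packet loss" task from item 3), in one added example (our code, not the slides' and not the Wang et al. TV-OTS construction): a HORS one-time signature is instantiated once with full parameters and once with reduced, time-valid parameters, so that signature size and the standard one-signature security estimate can be compared directly; then a per-epoch key chain is built in which each epoch's signed message also commits to the next public keys, so only the digest of PK_0 has to be distributed out of band. The `lookahead` parameter shows the packet loss issue: committing one epoch ahead breaks the chain when a packet is lost, committing two ahead survives a single loss. Parameter sets, seeds, payloads and helper names are constructed for the demo.

```python
import hashlib
import math

# Added example: HORS one-time signatures under a time-valid parameter choice, plus forward chaining
# of per-epoch public keys. Parameter sets, seeds, payloads and helper names are constructed for the demo.

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class HORS:
    """HORS (Reyzin & Reyzin): t secret values, a signature reveals the k of them selected by the message hash.
    t must be a power of two and k*log2(t) <= 256 so the indices come straight out of one SHA-256 digest."""
    def __init__(self, t: int, k: int):
        assert t & (t - 1) == 0 and k * (t.bit_length() - 1) <= 256
        self.t, self.k, self.bits = t, k, t.bit_length() - 1

    def keygen(self, seed: bytes):
        sk = [H(seed + i.to_bytes(4, "big")) for i in range(self.t)]
        pk = [H(s) for s in sk]
        return sk, pk

    def indices(self, msg: bytes):
        d = int.from_bytes(H(msg), "big")
        return [(d >> (256 - self.bits * (j + 1))) & (self.t - 1) for j in range(self.k)]

    def sign(self, sk, msg: bytes):
        return [sk[i] for i in self.indices(msg)]

    def verify(self, pk, msg: bytes, sig) -> bool:
        idx = self.indices(msg)
        return len(sig) == self.k and all(H(s) == pk[i] for i, s in zip(idx, sig))

    def sig_bytes(self) -> int:
        return 32 * self.k

    def pk_bytes(self) -> int:
        return 32 * self.t

    def security_bits(self) -> float:
        # Standard one-signature forgery estimate: all k indices of a fresh message must fall
        # inside the k revealed positions, probability (k/t)^k, i.e. k*log2(t/k) bits.
        return self.k * math.log2(self.t / self.k)

# Time-valid trade-off: fewer bits to hash and transmit, at a security level that only has to hold for minutes.
FULL = HORS(t=1024, k=16)      # 512-byte signature, about 96-bit one-signature security
TIME_VALID = HORS(t=256, k=8)  # 256-byte signature, about 40-bit one-signature security

def pk_digest(pk) -> bytes:
    return H(b"".join(pk))

def make_epoch_keys(hors: HORS, master_seed: bytes, n_epochs: int):
    # One fresh one-time key pair per epoch; only the digest of PK_0 (the anchor) leaves the band
    return [hors.keygen(H(master_seed + e.to_bytes(4, "big"))) for e in range(n_epochs)]

def sign_epoch(hors: HORS, keys, e: int, payload: bytes, lookahead: int):
    """Chain public keys forward: the epoch-e signature also covers commitments to the next `lookahead` PKs."""
    commits = [pk_digest(keys[e + i][1]) for i in range(1, lookahead + 1) if e + i < len(keys)]
    body = payload + b"".join(commits)
    return {"epoch": e, "payload": payload, "commits": commits, "pk": keys[e][1], "sig": hors.sign(keys[e][0], body)}

class Receiver:
    def __init__(self, hors: HORS, anchor: bytes):
        self.hors = hors
        self.expected = {0: anchor}  # epoch -> PK digest authenticated by an earlier epoch

    def receive(self, pkt) -> bool:
        e = pkt["epoch"]
        # The PK carried in the packet is trusted only if an authenticated earlier packet committed to it
        if self.expected.get(e) != pk_digest(pkt["pk"]):
            return False
        body = pkt["payload"] + b"".join(pkt["commits"])
        if not self.hors.verify(pkt["pk"], body, pkt["sig"]):
            return False
        for i, c in enumerate(pkt["commits"], start=1):
            self.expected[e + i] = c
        return True

def chain_demo(lookahead: int):
    """Deliver epoch 0, lose epoch 1, deliver epoch 2; returns the two verification outcomes."""
    keys = make_epoch_keys(TIME_VALID, b"constructed master seed", 4)
    rx = Receiver(TIME_VALID, pk_digest(keys[0][1]))
    pkts = [sign_epoch(TIME_VALID, keys, e, b"brake-%d" % e, lookahead) for e in range(4)]
    return rx.receive(pkts[0]), rx.receive(pkts[2])

if __name__ == "__main__":
    print("lookahead 1:", chain_demo(1), " lookahead 2:", chain_demo(2))
```

Each extra commitment costs 32 bytes per packet, which is the "bandwidth first gained, then lost" effect of the limitations slide: the public key distribution framework has to pick a lookahead that matches the expected loss rate without eating the savings the shorter keys bought.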
Project Topics: New TV-Signatures
• Group Size: 2-3 students
– Students considering security research, or the Winter 2014 Applied Crypto class
• Required Background:
– C/C++ or Java programming, or ability to use software packages from existing libraries
– Knowledge of cryptographic hash functions, MAC, block ciphers (AES), Pseudo Random Functions
– Knowledge of public-key cryptography (PKC) (e.g., RSA, DSA)
• 2 students work on implementation of the given algorithms
• 1 student works on updating Lenstra's results as much as possible
• All re-iterate experiments with public key chaining
• Final report and presentation