The School of Electrical Engineering and Computer Science (EECS)
CS/ECE Advanced Network Security
Dr. Attila Altay Yavuz
Topic 1.1 Course and Project Overview (1)
Fall 2014

Jan 01, 2016


High-Level Objectives

• Broad understanding of technology trends, security and privacy problems
• Recognize key security and privacy challenges, list common threats and vulnerabilities on modern systems
• Advanced Network Security Primitives
  – One-way hash chain, use of multiple root chains
    • Relate keys in a special manner
  – Merkle hash tree and its applications
    • Classic algorithmic trick of all times, O(log_2(n))
  – Bloom filters
    • Is it there?
  – Secret sharing
    • A beautiful crypto classic
  – Rabin’s information dispersal
    • Resistance against erasure and disruption

High-Level Objectives (Cont’)

• Denial-of-Service (DoS) attack countermeasures
  – Hash-based puzzles against connection depletion attacks
  – Variant client-server puzzle methods
  – Client-server puzzle outsourcing with Discrete-Logarithm Problem (DLP)
  – Message-specific puzzles for DoS resiliency in Wireless Sensor Networks (WSNs)
  – Using broadcast environment to revert client-server puzzles (patents!)
• Authentication Methods
  – Authentication and integrity are the first requirement for all IoTS applications!
  – Broadcast Authentication Methods
  – Going beyond Message Authentication Codes and Standard Signatures
  – Leveraging time factor: TESLA
  – Hash Chains and Signatures: EMSS

High-Level Objectives (Cont’)

• One-time and Multiple-time Signatures
  – Fastest authentication methods around, but with enormous signatures and keys
  – Bins and Balls (BiBa)
  – Hash-to-Obtain Subset (HORSs)
  – Again play with time factor, but in a different way!
    • Time-Valid HORS
    • Trade-off between security and performance
• Applications to Smart-Grid/Power Grid, Inter-car Networks and Comparison
  – How to distribute multiple-time public keys?
  – Packet loss problems: Chained public keys?
  – Bandwidth and storage issues?
  – Comparison to ECDSA type approaches, hardware-acceleration methods

High-Level Objectives (Cont’)

• Code Dissemination in Wireless Sensors
  – Start with one, spread to the others
  – Hop-by-hop secure code sensor programming
  – DoS resistance, a different game with many little 8-bit devices
• Authentication and Integrity for Low-end Devices
  – Backbone of IoTS
  – Normal crypto will kill battery, literally, 1000 times faster!
  – Sensors can be compromised and physically attacked
  – Develop advanced schemes to resist:
    • Active adversaries stealing your keys
    • Very little battery, 16 KB memory, 8-bit processor, tiny antenna!
    • HaSAFSS
    • BAF
    • ETA

Grading

• Homeworks, 20% (potentially two)
• In-class paper presentation, 15% (subject to change)
  – See potential topics at the webpage
• Survey/Scouting, 20%
  – Select a topic from “In-class presentation” sub-section at webpage
• Research Project, 40%
  – Good progress can remove survey/scouting!
  – Either select one of the given topics, or propose your own project
  – Your preference + your skill set, team effort versus individual work
  – Deliverables will depend on the type of the project
  – Please let me know if you will continue this course by 10.08.2014
• Class attendance/participation, 5%

Project Topics: Overview

• Cloud Computing (3 topics)
  – Privacy-preserving Searches for data outsourcing
    • Searchable Encryption
  – Privacy-preserving Access for data outsourcing
    • Oblivious RAM
  – Privacy-preserving Operations for computation outsourcing
    • Outsourcing linear optimization problems
• Internet of Things and Systems (1 topic)
  – Scalable and practical key management and provisioning
    • Self-certified cryptography and its implementation
• Digital Forensics (1 topic)
  – Compromise-resilient and compact signatures
    • Security improvement and implementation

Project Topics: Overview (Cont’)

• Wireless Sensor Networks
  – Detection of Node Replication Attacks
    • Design, Comparison and Analysis of Algorithms
• Encryption Methods for Medical Security
  – Analyze and compare suitable encryption methods for medical databases
• Recent Progress on Proof-of-Retrievability and Implementation
• Side-Channel Attacks on Medical Devices and Cyber Physical Systems
  – Scouting Oriented

Project Topics: Requirement (Generic)

• Requirement and Background
• Recommended: Knowledge of basic security and crypto concepts
  – Symmetric key crypto, public key crypto, differences & similarities
  – Cryptographic hash functions, Message Authentication Codes, block ciphers (AES, DES)
  – RSA, DSA, Diffie-Hellman Key Exchange, DLP
• Good programming skills
  – C/C++, ability to use data structure packages from open source libraries, open-hash table stack
  – Java, C# and/or Python for some projects (no need to be Guru, use high-level)
• Familiarity with basic Linux environment, compile/link etc.
• Willingness to learn existing crypto libraries to build algorithms
  – MIRACL, Number Theoretical Library (NTL), individual packages of researchers
• Self-motivated and independent research and development (it is your work, your success!)

Project Topics: Requirement (Generic)

• Deadlines and Sync. Up
• Bi-weekly mini-updates indicating progress are recommended for projects
  – 3 paragraphs indicating achievements, problems, next steps (only team representative)
• Office hours: Monday 4:00 pm – 5:30 pm
• Project Selection: 10.08.2014
  – Self-proposals have one more week, see website for details
• Interim Report: 11.07.2014
• Final Report and Software-Package: 12.11.2014
  – Project presentation summarizing results
  – Research report
  – Transferable software under Linux, VM ready (hopefully for Winter 2014)
  – See website for further details

Challenge: Privacy versus Data Utilization Dilemma

[Figure: a client outsources sensitive data to storage on the cloud. Under standard encryption the stored data is encrypted, and the questions "SEARCH? ANALYZE?" are answered "CAN’T SEARCH! CAN’T ANALYZE!". Label: IMPACT.]

Searchable Encryption (Generic Framework)

Efficient Privacy Enhancing Technologies for Big Data Analytics. Role: Co-PI / Budget: $1,000,000 (2014-2017)

Searchable Encryption: Search on encrypted data without decrypting it

[Figure: Client and Cloud. Diagram labels: files f1 … fn and ciphertexts c1 … cn; "Extract keywords" w1 … wn; "Data Structure" holding t1 … tn, marked "Searchable Representation"; "Search keyword: w1" with t1; "Trapdoors" t1 … tn; "Update file: fi" with (zi,V); c1 and f1.]

Project Topics: Searchable Encryption

• Understand, implement, validate important SSE schemes on real data

Dynamic Symmetric Searchable Encryption by Microsoft Research
Seny Kamara and Charalampos Papamanthou. Parallel and Dynamic Searchable Symmetric Encryption, Financial Cryptography 2013 (FC 2013)

Dynamic Symmetric Searchable Encryption by IBM Research and Academia
David Cash, Joseph Jaeger, Stanislaw Jarecki, Charanjit Jutla, Hugo Krawczyk, Marcel Rosu, Michael Steiner. Dynamic Searchable Encryption in Very-Large Databases: Data Structures and Implementation, NDSS 2014.

Work of Dr. Elaine Shi by UMD (code will be potentially provided, in C#)

Dynamic Symmetric Searchable Encryption by Robert Bosch (optional)
My work on high-security DSSE

Static Symmetric Searchable Encryption (optional)
Reza Curtmola, Juan Garay, Seny Kamara, and Rafail Ostrovsky. Searchable symmetric encryption: improved definitions and efficient constructions. In Proceedings of the 13th ACM conference on Computer and comm. security (CCS '06).

Project Topics: Searchable Encryption

• Group Size: 3 students (+1 if other project may be merged)
  – Students considering security research, or Winter 2014: Applied crypto class
• Required Background:
  – C/C++ programming, ability to use data structure packages from open source libraries
  – C# or Java for certain algorithms (use existing libraries, no need to be Guru)
  – Knowledge of cryptographic hash functions, MAC, block ciphers (AES), Pseudo Random Functions: leverage existing crypto libraries to use those primitives with data structures
  – Knowledge of basic data structures: red-black trees, hash tables, linked lists, ability to implement them with open source C/C++ libraries
• Each member will be responsible for an algorithm; skill sets and selected algorithm will be decided
• Implementation results will be tested on ENRON public data set

Oblivious Random Access Memory (ORAM)

• SSE, homomorphic encryption, differential privacy
  – Operations under encryption
• ACCESS to the encrypted data also leaks info!
• Example: Any SSE algorithm leaks “access pattern”
  – Same tag for keyword returns same file
  – Adversary knows we access certain files in certain pattern!
• Problem: The sequence of storage locations accessed by the client can leak a significant amount of sensitive information.
  Demonstrated that by observing accesses to an encrypted email repository, an adversary can infer as much as 80% of the search queries.
  Mohammad Saiful Islam, Mehmet Kuzu, Murat Kantarcioglu: Access Pattern disclosure on Searchable Encryption: Ramification, Attack and Mitigation. NDSS 2012
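
The leak this slide describes (the same tag for a keyword returns the same files) can be seen in a toy version of the client/cloud trapdoor flow from the Searchable Encryption framework slide. This is an added example, not code from the course or from any of the cited schemes; HMAC-SHA256 as the PRF, the function names and the three sample files are assumptions, and the index keeps file ids in the clear (real schemes encrypt the entries) so that what the server observes stays visible.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def trapdoor(key: bytes, keyword: str) -> bytes:
    """Deterministic search token t_w = PRF_key(w); HMAC-SHA256 is the assumed PRF."""
    return hmac.new(key, keyword.lower().encode(), hashlib.sha256).digest()


def build_index(key: bytes, files: dict) -> dict:
    """Client side: map each trapdoor to the ids of the files containing that keyword."""
    index = defaultdict(set)
    for file_id, text in files.items():
        for word in set(text.lower().split()):
            index[trapdoor(key, word)].add(file_id)
    return {token: sorted(ids) for token, ids in index.items()}


class Server:
    """Honest-but-curious cloud: answers searches and records what it observes."""

    def __init__(self, index: dict):
        self.index = index
        self.log = []  # one (token, matching file ids) entry per query

    def search(self, token: bytes) -> list:
        result = self.index.get(token, [])
        self.log.append((token, tuple(result)))
        return result


def repeated_queries(log: list) -> list:
    """Server-side view: groups of query positions that carried the same token."""
    seen = defaultdict(list)
    for position, (token, _) in enumerate(log):
        seen[token].append(position)
    return [positions for positions in seen.values() if len(positions) > 1]


def demo():
    key = os.urandom(32)  # never leaves the client
    files = {  # constructed sample mailbox
        "f1": "merger draft for board review",
        "f2": "lunch on friday",
        "f3": "board approves merger terms",
    }
    server = Server(build_index(key, files))
    results = [server.search(trapdoor(key, w)) for w in ("merger", "lunch", "merger")]
    return results, repeated_queries(server.log), server.log


if __name__ == "__main__":
    results, repeats, _ = demo()
    print("files returned per query:", results)
    print("query positions the server can link:", repeats)
```

The server never sees a keyword, yet its log shows that queries 0 and 2 are the same search and touch the same files, which is the access pattern ORAM is meant to hide.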

Oblivious Random Access Memory (ORAM)

• Guessing actions in critical situations
• Q1, Q2, Q3 sequence followed by a buy/sell in market, no need for decryption!
• Reverse Engineering and Software Privacy
• Accessing a certain memory location leaks information about software!
  – Reverse engineering in cloud computing
• A valid method is using a hardware key to protect the validity of the software; the hardware key cannot be duplicated
• The memory access between the HW and SW components can leak information
• Attacker can deceive or skip the checking with the HW component

Project Topics: ORAM

• Understand, implement, validate important ORAM schemes on real data

Emil Stefanov, Marten van Dijk, Elaine Shi, Christopher Fletcher, Ling Ren, Xiangyao Yu, and Srinivas Devadas. Path ORAM: An extremely simple oblivious RAM protocol. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security (CCS '13).
https://github.com/nathanwolfe/dropbox-oram

• Emil Stefanov, Elaine Shi, ObliviStore: High Performance Oblivious Distributed Cloud Data Store. In Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP '13).
  – Code in C#
• Emil Stefanov, Elaine Shi, Dawn Song, Towards Practical Oblivious RAM, NDSS 2012, San Diego, CA, USA.
  – Code in C#

Project Topics: ORAM

• Group Size: 1 student
  – Students considering security research, or Winter 2014: Applied crypto class
• Required Background:
  – C# or Python programming, or ability to use software packages from existing libraries
  – Network programming experience (e.g., with Java or C#), preferable!
  – Knowledge of cryptographic hash functions, MAC, block ciphers (AES), Pseudo Random
  – Knowledge of basic data structures: red-black trees, hash tables, linked lists
• Prepare a survey of ORAM methods, advantages/disadvantages, theory comp.
• Performance measurements and comparison with different libraries
• Presentation describing evolution and best results of ORAM, with measurements
• Possible integration with SSE team, especially if Bosch scheme works

Towards Secure and Reliable Vehicular IoTs (Title)

• Transformative Technology: Vehicular IoT
  – Autonomous driving, Car2-X, reduced accident and energy use
• Vital Research Need and Big Challenge
  – IEEE 1609.2, NHTSA Aug. 2014: “Authenticate 3000 message per sec.”
  – Authentication: Secure, safe (delay-awareness), reliable, scalable
  – State of art cannot meet these requirements [IEEE 1609.2, NHTSA]
• Develop and deploy new and practical authentication methods
  – Minimum end-to-end crypto delay, compact signature/key
  – Scalable, high reliability via time-valid framework
  – Developed several novel digital signatures
  – Several concrete crypto schemes are planned for next three years
  – Maximum performance via vehicular capable hardware acceleration
• On-field experiments with real vehicles, situational awareness

Towards Secure and Reliable Vehicular IoTs

Transformative Technology: Vehicular Networks
• Command and control mechanisms are crucial for distributed systems such as vehicular networks
• These mechanisms are time, safety and security critical.

Requirements:
• Extremely fast processing of messages (a few ms).
• Authentication and integrity of messages must be guaranteed.
• Security must be scalable (e.g., key management).

[Figure labels: Accidents; Pedestrians in danger]

Current Technology Limitations:
• Asymmetric crypto is not yet feasible due to high computation, memory and communication costs.
• ECDSA has been shown to be slow
• Symmetric crypto is unscalable due to key management issues.
• Resource-constrained platforms involved
  – Sensors on lights, mobile devices of pedestrians

Secure Inter-car Communication

• Further Methods and Limitations:
• Signature Amortization: Traditional signatures are slow, but what about signing a group of packages?
  • Buffer packages and sign together, faster than signing each
  – Real-time authentication, no time to buffer packages!
• One-time Signatures (hash-based): Relying only on a crypto hash, they are the fastest methods known to date.
  – One-time signature, one-time public key
  – Re-distribute a new public key each time, bandwidth killer!
  – Enormous signatures and public keys
    • Packet size = 128 bits, signature size = 5 KB

Secure Inter-car Communication

• Playing with Time (TESLA & EMSS): Introduce asymmetry with time.
  – Details will come later, but the caveat is: it requires package buffering!
• Observation: To prevent collision in real-time, we need only a couple of ms
  • Remaining secure for a couple of minutes is enough!
  • Existing methods offer significantly longer security, by being very expensive
• Time-Valid Security: A security/performance trade-off for fast authentication
  – (sk,PK) = 2^k bit security, |PK,sk| = n bits
  – Use m < n bits for (sk,PK)
  – Smaller signature size, less transmission, much faster processing (fewer bits to work on)
  – Less security, but a couple of minutes is enough!
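
The size side of the time-valid trade-off above, shown on a hash-based one-time signature: this is an added example, not code from the course or from the cited papers. It uses HORS (Hash to Obtain Random Subset), the scheme family listed in the objectives; `elem_len` plays the role of using m < n bits, and t = 256, k = 16 and the 32-byte and 8-byte lengths are illustrative assumptions, not TV-HORS's published parameters.

```python
import hashlib
import os


class HORS:
    """HORS one-time signature with a configurable element length (bytes)."""

    def __init__(self, t: int = 256, k: int = 16, elem_len: int = 32):
        # t secret elements exist; every signature reveals k of them.
        if t < 2 or t & (t - 1) or not 1 <= elem_len <= 32:
            raise ValueError("t must be a power of two and 1 <= elem_len <= 32")
        self.index_bits = t.bit_length() - 1
        if k * self.index_bits > 256:
            raise ValueError("k * log2(t) must fit in one SHA-256 digest")
        self.t, self.k, self.elem_len = t, k, elem_len

    def _f(self, x: bytes) -> bytes:
        """One-way function, truncated to elem_len bytes (the m < n shortening)."""
        return hashlib.sha256(x).digest()[: self.elem_len]

    def keygen(self):
        sk = [os.urandom(self.elem_len) for _ in range(self.t)]
        return sk, [self._f(s) for s in sk]

    def _indices(self, message: bytes) -> list:
        """Split H(message) into k chunks of log2(t) bits; each selects one element."""
        digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
        return [(digest >> (j * self.index_bits)) & (self.t - 1) for j in range(self.k)]

    def sign(self, sk: list, message: bytes) -> list:
        # Revealing secret elements is why a key pair is good for one signature only.
        return [sk[i] for i in self._indices(message)]

    def verify(self, pk: list, message: bytes, signature: list) -> bool:
        if len(signature) != self.k:
            return False
        return all(self._f(s) == pk[i] for s, i in zip(signature, self._indices(message)))

    def sizes(self) -> dict:
        """Sizes in bytes of one signature and one public key."""
        return {"signature": self.k * self.elem_len, "public_key": self.t * self.elem_len}


def compare(packet: bytes) -> dict:
    """Sign one packet under a long-term and a shortened (time-valid style) setting."""
    report = {}
    for name, elem_len in (("long-term", 32), ("time-valid", 8)):
        scheme = HORS(elem_len=elem_len)
        sk, pk = scheme.keygen()
        signature = scheme.sign(sk, packet)
        report[name] = dict(scheme.sizes(), valid=scheme.verify(pk, packet, signature))
    return report


if __name__ == "__main__":
    # Constructed 128-bit packet, the packet size quoted in these slides.
    for name, row in compare(b"\x00" * 16).items():
        print(name, row)
```

Shortening the elements from 32 to 8 bytes cuts the signature from 512 to 128 bytes and the public key from 8192 to 2048 bytes, at the price of a one-way function that is only about 2^64 work to invert, so the key pair has to be retired within the short validity window.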


Secure Inter-car Communication

• Limitations of Time-Valid Approach
• Each signature scheme has its own security/key length balance
  – Factorization, DLP, Lattices, …
  – Requires a good theoretical estimation for acceptable security = cryptanalysis
• Shorter signature = Shorter public keys
  – Remember one-time signatures?
  – Re-distribute public keys from time to time
    • First gained but then lost bandwidth (still ok)
  – Chaining public keys
  – Packet loss issues
• A public key distribution and synchronization framework is needed

Project Topics: New TV-Signatures

• 1) I identified very fast signatures for you:
  – Ed25519
    a) Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. High-speed high-security signatures. In Cryptographic Hardware and Embedded Systems, CHES 2011 - 13th International Workshop, Nara, Japan, September 28 - October 1, 2011. Proceedings, pages 124–142, 2011.
    b) Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. High-speed high-security signatures. Journal of Cryptographic Engineering, 2(2):77–89, 2012.
  – Efficient and Tiny Authentication (ETA)
    Attila Altay Yavuz. ETA: efficient and tiny and authentication for heterogeneous wireless systems. In Proc. of the sixth ACM conference on Security and privacy in wireless and mobile networks, WiSec ’13, pages 67–72, New York, NY, USA, 2013. ACM
  – Rapid Authentication (RA)
    Attila Altay Yavuz. An efficient real-time broadcast authentication scheme for command and control messages. Information Forensics and Security, IEEE Transactions on, 9(10):1733–1742, Oct 2014.

Project Topics: New TV-Signatures

  – NTRU Signature
    Jeff Hoffstein, Nick Howgrave-Graham, Jill Pipher, and William Whyte. Practical lattice-based cryptography: NTRUEncrypt and NTRUSign. Information Security and Cryptography, pages 349–390. Springer Berlin Heidelberg, 2010.
  – Signcryption
    Y. Zheng. Digital signcryption or how to achieve cost(signature & encryption) << cost(signature) + cost(encryption). In Proceedings of Advances in Cryptology (CRYPTO ’97), pages 165–179, 1997.
  – Schnorr Signature
    Gregory Neven, Nigel P. Smart, and Bogdan Warinschi. Hash function requirements for Schnorr signatures. J. Mathematical Cryptology, 3(1):69–87, 2009.

Project Topics: New TV-Signatures

• 2) Realize Signatures with Efficient Crypto Libraries under TV-framework
  – MIRACL, NTL
  – Varying (SK,PK) sizes with different security parameters
  – Guideline about key sizes?
    A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001. Lenstra stuff
  – Detailed timing measurements
• 3) Time-Valid Framework with PK Distribution
  – Minimize PK distribution, hash chains are used:
    Q. Wang, H. Khurana, Y. Huang, and K. Nahrstedt. Time valid one-time signature for time-critical multicast data authentication. In INFOCOM 2009, IEEE, April 2009.
  – Consider packet loss, chaining properties, do measurements

Project Topics: New TV-Signatures

• Group Size: 2-3 students
  – Students considering security research, or Winter 2014: Applied crypto class
• Required Background:
  – C/C++ or Java programming, or ability to use software packages from existing libraries
  – Knowledge of cryptographic hash functions, MAC, block ciphers (AES), Pseudo Random
  – Knowledge of PKC-cryptography (e.g., RSA, DSA)
• 2 students work on implementation for given algorithms
• 1 student works on updating Lenstra’s results as much as possible
• All re-iterate experiments with public key chaining
• Final report and presentation