DOCSLIB.ORG

The Evolution of Authenticated Encryption

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The Evolution of Authenticated Encryption The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Those who’ve worked with me on AE: Mihir Bellare Workshop on Real-World Cryptography John Black Thursday, 10 January 2013 Ted Krovetz Stanford, California, USA Chanathip Namprempre Tom Shrimpton David Wagner 1/40 Traditional View (~2000) Of Symmetric Goals K K Sender Receiver Privacy Authenticity (confidentiality) (data-origin authentication) Encryption Authenticated Encryption Message scheme Achieve both of these aims Authentication Code (MAC) IND-CPA [Goldwasser, Micali 1982] Existential-unforgeability under ACMA [Bellare, Desai, Jokipii, R 1997] [Goldwasser, Micali, Rivest 1984, 1988], [Bellare, Kilian, R 1994], [Bellare, Guerin, R 1995] 2/40 Needham-Schroeder Protocol (1978) Attacked by Denning-Saco (1981) Practioners never saw a b IND-CPA as S encryption’s goal A . B . NA {N . B . s . {s . A} } 1 A b a 2 a b {s . A} A 3 b B 4 {NB}s 5 {NB -1 }s 3/40 Add redundancy No authenticity for any S = f (P) CBC ~ 1980 Doesn’t work Beyond CBC MAC: regardless of how you compute unkeyed checksums don’t work even the (unkeyed) checksum S = R(P1, …, Pn) with IND-CCA or NM-CPA schemes (Wagner) [An, Bellare 2001] 4/40 Add more arrows PCBC 1982 Doesn’t work See [Yu, Hartman, Raeburn 2004] The Perils of Unauthenticated Encryption: Kerberos Version 4 for real-world attacks 5/40 Add yet more stuff iaPCBC [Gligor, Donescu 1999] Doesn’t work Promptly broken by Jutla (1999) & Ferguson, Whiting, Kelsey, Wagner (1999) 6/40 Emerging understanding that: - We’d like to get authenticity as an adjunct to privacy - Ad hoc ways to try to get it cheaply don’t work ~2000 Similar realization, earlier, in the PK world - [Bleichenbacher 1998] – Attack on PKCS #1 - Reaction: IND-CPA security not enough - CCA1 security [Naor-Yung 1990] - CCA2 security [Rackoff-Simon 1991] - Non-malleability [Dolev-Dwork-Naor 1991] - Signcryption [Zheng 1997] (very different motivation) 7/40 AE Def ined [Bellare, R 2000] – “Encode-then-encipher encryption: how to exploit nonces or redundancy in plaintexts for efficient cryptography” [Katz, Yung 2000] – “Unforgeable encryption and chosen ciphertext secure modes of operation” coins M Enc C C Dec M or ^ K K 1. Privacy IND-CPA, as defined in [BDJR97]: IND-CPA 2. Authenticity The only ciphertexts C an adversary can name that will decrypt to an M ^ are those obtained by an Enc(·) call Integrity of ciphertexts [Bellare Namprempre 2000] “Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm” 8/40 AE Def ined M || EncK () EncK ($ ) C C A [Bellare, Desai, Jokipii, R 1997] priv Enc () Enc ($||) Adv (A) = Pr[A K 1] - Pr[A K 1] P 9/40 AE Def ined M EncK () C A C* [Bellare, Desai, Jokipii, R 1997] priv Enc () Enc ($||) Adv (A) = Pr[A K 1] - Pr[A K 1] P auth EncK () * * * Adv (A) = Pr[A C : no query returned C and DecK (C ) ^ ] P [Bellare, R 2000] [Katz, Yung 2000] 10/40 Generic Composition [Bellare, Namprempre 2000] of an IND-CPA encryption scheme and a PRF M M M EncK MACL MACL EncK C T EncK MACL C C T Encrypt-and-MAC MAC-then-Encrypt EncryptP-then -MAC 11/40 RPC Mode [Katz, Yung 2000] M1 M2 M3 M4 start i M1 i+1 M2 i+2 M3 i+3 M4 i+4 end i+5 EK EK EK EK EK EK i C0 C1 C2 C3 C4 C5 • Blockcipher-based AE using ~1.33 m + 2 calls • Fully parallelizable 12/40 IAPM Mode [Jutla 2001] Encryption Modes with Almost Free Message Integrity Illustration from [Jutla 2001] • Blockcipher-based AE using m + 1 calls • Fully parallelizable [Gligor, Donescu 2001] • Plaintext a multiple of blocksize. Padding will up |C| for many other AE designs • ~ lg mmax additional calls for key setup • Multiple blockcipher keys • Need for random r 13/40 OCB Mode (later “OCB1”) [R, Bellare, Black, Krovetz 2001] Z [i] = R gi L Checksum = M[1] M[m-1] C[m]0*Y[m] • Arbitrary-length messages; no padding • Efficient offset calculations • Single blockcipher key • Cheap key setup (one blockcipher call) • m + 2 blockcipher calls 14/40 Urgent Real-World Need for AE • 802.11 standard ratified in 1999 Uses WEP security – RC4 with a CRC-32 checksum for integrity • Fatal attacks soon emerge: - [Fluhrer, Mantin, Shamir 2001] Weaknesses in the key scheduling algorithm of RC4 - [Stubblefield, Ioannidis, Rubin 2001] Using the Fluhrer, Mantin, Shamir attack to break WEP - [Borisov, Goldberg, Wagner 2001] Intercepting mobile communications: the insecurity of 802.11 - [Cam-Winget, Housley, Wagner, Walker 2003] Security flaws in 802.11 data links protocols • WEP WPA (uses TKIP) WPA2 (uses CCM) - Draft solutions based on OCB - Politics +patent-avoidance: CCM developed [Whiting, Housley, Ferguson 2002] - Standardized in IEEE 802.11 – then NIST 15/40 Definitional Issues N coins N M Enc C C Dec M AD AD or ^ K K 1) Move the coins “out” and make Enc deterministic [RBBK01] 2) Add in “associated data” [R02] 16/40 All-in-one definition [R, Shrimpton 2006] AEAD Also uses ind from random bits [RBBK00] N, AD, M EncK (,,) $ (,, ) C C A M ^ ^ (,, ) DecK (,,) N, AD, C aead EncK DecK $ ^ Adv (A) = Pr[A 1] - Pr[A 1] P A may not - Repeat an N in an enc query - Ask a dec query (N, AD, C) after C is returned by an (N, AD, ) enc query 17/40 IND vs. IND$ N, AD, M N, AD, M Enc Fake Enc $ C Enc($) vs. C $ A A IND IND$ • Overshooting the “right” goal X • Easier to prove schemes meet • Tightly implies other notion • Conceptually simpler Anonymity • Gives you more which-key concealing A names i; • real: use Ki • fake: use K IND anonymity IND$ 18/40 Nonce-Based Generic Composition M M AD AD M N AD N N EncK MACL EncK MACL C T EncK MACL C C T Encrypt-and-MAC MAC-then-Encrypt Encrypt-then-MAC P P P 19/40 [Whiting, Housley, Ferguson 2002] NIST SP 800-38C RFC 3610, 4309, 5084 CCM 20/40 Functions COUNT and FORMAT 21/40 [Whiting, Housley, Ferguson 2002] NIST SP 800-38C RFC 3610, 4309, 5084 [R, Wagner 2003] “A Critique of CCM” CCM • About 2m+2 blockcipher calls • Half non-parallelizable • Word alignment disrupted • Can’t preprocess static AD • Not online • Provably secure [Jonsson 2002] • Widely standardized & used • Parameter q {2,3,4,5,6,7,8}, byte length of byte length of • Simple to implement longest message, determines • Only forward direction of cipher used nonce length of t =15-q 22/40 [McGrew, Viega 2004] (Follows CWC [Kohno, Viega, Whiting 2004]) NIST SP 800-38D:2007 RFC 4106, 5084, 5116, 5288, 5647 ISO 19772:2009 GCM • Provably secure • Efficient in HW • Widely standardized & used • Good in SW with AES-NI, PCMULDQ, or tables • Parallelizable, online • Static AD can be preprocessed • About m+1 blockcipher calls • Only forward direction of blockcipher used • Poor key agility (table-based implementation)• “Reflected-bit” convention • Can’t use short tags [Ferguson 05] • |N|96 not handled well • Not so good in SW • Published proof buggy [Iwata, 2012] • Timing attacks? (if table-based) 23/40 In terms of [KR11], following tweakable blockcipher [RBBK01,LRW02,R04] [LRW02] OCB = M1 M2 M3 M4 24/40 In terms of [KR11], following tweakable blockcipher [RBBK01,LRW02,R04] [LRW02] OCB = M1 M2 M3 M410 * 25/40 [KR11] Making the Tweakable Blockcipher ~ N i EK (X) = EK (XD) D with D= Initial + li L ~ N i * * EK (X) = EK (XD) with D= Initial + li L ~N i $ $ EK (X) = EK (XD) with D= Initial + li L ~ N i * $ *$ EK (X) = EK (XD) with D= Initial + li L ~ i EK (X) = EK (XD) with D= li L ~ i * * EK (X) = EK (XD) with D= li L 127-|N| 128 a(0) = 0 Nonce = 0 1 N L = EK (0 ) Top = Nonce & 1122 06 ntz (i) li = 4 a(i) a(i) = a(i-1) 2 122 6 * Bottom = Nonce & 1 1 li = 4 a(i)+1 $ Ktop = EK (Top) li = 4 a(i)+2 *$ Stretch = Ktop || (Ktop (Ktop << 8)) li = 4 a(i)+3 Initial = (Stretch << Bottom) [1..128] 26/40 [KR11] Software Performance Mode 4KB cpb Intel Core x86 i7 – “Sandy Bridge” CCM 5.14 64-bit OS, using AES/GCM NIs GCM 2.95 OCB 0.87 Encryption Time (cpb) message length (bytes) 27/40 See the OCB homepage www.cs.ucdavis.edu/~rogaway/ocb for more platforms and data, +reference code 28/40 [KR11] Utility of Implementations for Understanding What’s Fast / Desirable int ae_encrypt( ae_ctx *ctx, const void *nonce, const void *pt, Word-Oriented int pt_len, 1 1 15 const void *ad, ¿ À ¿ LFSRs int ad_len, [Chakraborty, Sarkar 2008] A B C D void *ct, © don’t help void *tag, int final); C D B A’ Incremental API impacts processing of final chunks 6 128 X = HK (X) K K 8 ¿ Stretch-then-Shift 128 128 hash does help 29/40 Utility of Theory for Designing Fast / Correct Schemes • Modes as efficient as OCB can’t be designed without a supporting theory • Errors are expected without a supporting theory Broken within days by Rogaway and by Donescu, Gligor, and Wagner http://www.nsa.gov/research/tech_transfer/ fact_sheets/dual_counter_mode.shtml 30/40 OCB • Fastest provably-secure blockcipher-based construction for SW • Parallelizable, online, ~ m+1.02 blockcipher calls • Blockcipher used in the forward and backward direction • There are faster de novo approaches • Security only to the birthday bound • Patents • Limited misuse resistance • Nonce reuse • Tag truncation • Incremental-decrypt exploit 31/40 [R, Shrimpton 2006] Nonce Repetitions One form of misuse • If N is a nonce, you get what an AE delivers • If N gets reused, all that leaks is repetitions: - authenticity is undamaged - privacy damaged to the extent unavoidable—repetitions of (N, AD, M) revealed 32/40 [R, Shrimpton 2006] Nonce-Reuse-Resistant AE N, AD, M EncK (,,) $ (, ,) C C A M ^ DecK (,,) ^ (, ,) N, AD, C A may not ask queries that would trivially result in a win 33/40 [R, Shrimpton 2006] Deterministic AE vector N, AD, M EncK (,) $ (, ) C C A M
Load more

Recommended publications
  • Analysis of Selected Block Cipher Modes for Authenticated Encryption
    Analysis of Selected Block Cipher Modes for Authenticated Encryption by Hassan Musallam Ahmed Qahur Al Mahri Bachelor of Engineering (Computer Systems and Networks) (Sultan Qaboos University) – 2007 Thesis submitted in fulfilment of the requirement for the degree of Doctor of Philosophy School of Electrical Engineering and Computer Science Science and Engineering Faculty Queensland University of Technology 2018 Keywords Authenticated encryption, AE, AEAD, ++AE, AEZ, block cipher, CAESAR, confidentiality, COPA, differential fault analysis, differential power analysis, ElmD, fault attack, forgery attack, integrity assurance, leakage resilience, modes of op- eration, OCB, OTR, SHELL, side channel attack, statistical fault analysis, sym- metric encryption, tweakable block cipher, XE, XEX. i ii Abstract Cryptography assures information security through different functionalities, es- pecially confidentiality and integrity assurance. According to Menezes et al. [1], confidentiality means the process of assuring that no one could interpret infor- mation, except authorised parties, while data integrity is an assurance that any unauthorised alterations to a message content will be detected. One possible ap- proach to ensure confidentiality and data integrity is to use two different schemes where one scheme provides confidentiality and the other provides integrity as- surance. A more compact approach is to use schemes, called Authenticated En- cryption (AE) schemes, that simultaneously provide confidentiality and integrity assurance for a message. AE can be constructed using different mechanisms, and the most common construction is to use block cipher modes, which is our focus in this thesis. AE schemes have been used in a wide range of applications, and defined by standardisation organizations. The National Institute of Standards and Technol- ogy (NIST) recommended two AE block cipher modes CCM [2] and GCM [3].
    [Show full text]
  • Implementation and Analysis of Key Reinstallation Attack
    International Journal of Innovations in Engineering and Technology (IJIET) http://dx.doi.org/10.21172/ijiet.133.21 Implementation and Analysis of Key Reinstallation Attack Saba Khanum1, Ishita kalra2 1Department of Information Technology, MSIT, Janakpuri, New Delhi, India 2Department of Computer Science and Engineering, MSIT, Janakpuri, New Delhi, India Abstract- The objective of the paper is to implement and analyzed the impact of Key Reinstallation Attack (popularly dubbed as KRACK) on debian based machines. The paper elucidates on the capture of packets through the attack without being a part of the network and affecting the target machines with the help of an attack machine placed inside the network. It basically exploits the nonce of the network which ultimately paves way to the execution of the attack. The issue tends to gather more eyeballs as it affects all devices using Wi-Fi through WPA2 protocol. Hence, the catastrophe complimented along the attack is severe. The analysis of the impact is carried on by analyzing the type of packets visible as well as captured during the course of the implementation. Here, we have created a python script which identifies whether the targeted machine is vulnerable to KRACK or not and corresponding to that the packet capture starts and ultimately, the impact is measured. Keywords – KRACK, weakness, WPA2, attack, security I. INTRODUCTION The presence of the bug has been detected in the cryptographic nonce of the WPA2 and can be used to clone a connected party to reinstall a used key. The presence of the nonce is specifically intended to prevent reuse, but in this particular case, it gives malicious users the opportunity to replay, decrypt, or forge packets, ultimately enabling them to access all previously considered encrypted information without actually being part of the network.
    [Show full text]
  • Patent-Free Authenticated-Encryption As Fast As OCB
    Patent-Free Authenticated-Encryption As Fast As OCB Ted Krovetz Computer Science Department California State University Sacramento, California, 95819 USA [email protected] Abstract—This paper presents an efficient authenticated encryp- VHASH hash family [4]. The resulting authenticated encryp- tion construction based on a universal hash function and block tion scheme peaks at 12.8 cpb, while OCB peaks at 13.9 cpb in cipher. Encryption is achieved via counter-mode while authenti- our experiments. The paper closes with a performance com- cation uses the Wegman-Carter paradigm. A single block-cipher parison of several well-known authenticated encryption algo- key is used for both operations. The construction is instantiated rithms [6]. using the hash functions of UMAC and VMAC, resulting in authenticated encryption with peak performance about ten per- cent slower than encryption alone. II. SECURITY DEFINITIONS We adopt the notions of security from [7], and summarize Keywords- Authenticated encryption, block-cipher mode-of- them less formally here. An authenticated encryption with as- operation, AEAD, UMAC, VMAC. sociated data (AEAD) scheme is a triple S = (K,E,D), where K is a set of keys, and E and D are encryption and decryption I. INTRODUCTION functions. Encryption occurs by computing E(k,n,h,p,f), which Traditionally when one wanted to both encrypt and authen- returns (c,t), for key k, nonce n, header h, plaintext m and ticate communications, one would encrypt the message under footer f. Ciphertext c is the encryption of p, and tag t authenti- one key and authenticate the resulting ciphertext under a sepa- cates h, c and f.
    [Show full text]
  • Modes of Operation for Compressed Sensing Based Encryption
    Modes of Operation for Compressed Sensing based Encryption DISSERTATION zur Erlangung des Grades eines Doktors der Naturwissenschaften Dr. rer. nat. vorgelegt von Robin Fay, M. Sc. eingereicht bei der Naturwissenschaftlich-Technischen Fakultät der Universität Siegen Siegen 2017 1. Gutachter: Prof. Dr. rer. nat. Christoph Ruland 2. Gutachter: Prof. Dr.-Ing. Robert Fischer Tag der mündlichen Prüfung: 14.06.2017 To Verena ... s7+OZThMeDz6/wjq29ACJxERLMATbFdP2jZ7I6tpyLJDYa/yjCz6OYmBOK548fer 76 zoelzF8dNf /0k8H1KgTuMdPQg4ukQNmadG8vSnHGOVpXNEPWX7sBOTpn3CJzei d3hbFD/cOgYP4N5wFs8auDaUaycgRicPAWGowa18aYbTkbjNfswk4zPvRIF++EGH UbdBMdOWWQp4Gf44ZbMiMTlzzm6xLa5gRQ65eSUgnOoZLyt3qEY+DIZW5+N s B C A j GBttjsJtaS6XheB7mIOphMZUTj5lJM0CDMNVJiL39bq/TQLocvV/4inFUNhfa8ZM 7kazoz5tqjxCZocBi153PSsFae0BksynaA9ZIvPZM9N4++oAkBiFeZxRRdGLUQ6H e5A6HFyxsMELs8WN65SCDpQNd2FwdkzuiTZ4RkDCiJ1Dl9vXICuZVx05StDmYrgx S6mWzcg1aAsEm2k+Skhayux4a+qtl9sDJ5JcDLECo8acz+RL7/ ovnzuExZ3trm+O 6GN9c7mJBgCfEDkeror5Af4VHUtZbD4vALyqWCr42u4yxVjSj5fWIC9k4aJy6XzQ cRKGnsNrV0ZcGokFRO+IAcuWBIp4o3m3Amst8MyayKU+b94VgnrJAo02Fp0873wa hyJlqVF9fYyRX+couaIvi5dW/e15YX/xPd9hdTYd7S5mCmpoLo7cqYHCVuKWyOGw ZLu1ziPXKIYNEegeAP8iyeaJLnPInI1+z4447IsovnbgZxM3ktWO6k07IOH7zTy9 w+0UzbXdD/qdJI1rENyriAO986J4bUib+9sY/2/kLlL7nPy5Kxg3 Et0Fi3I9/+c/ IYOwNYaCotW+hPtHlw46dcDO1Jz0rMQMf1XCdn0kDQ61nHe5MGTz2uNtR3bty+7U CLgNPkv17hFPu/lX3YtlKvw04p6AZJTyktsSPjubqrE9PG00L5np1V3B/x+CCe2p niojR2m01TK17/oT1p0enFvDV8C351BRnjC86Z2OlbadnB9DnQSP3XH4JdQfbtN8 BXhOglfobjt5T9SHVZpBbzhDzeXAF1dmoZQ8JhdZ03EEDHjzYsXD1KUA6Xey03wU uwnrpTPzD99cdQM7vwCBdJnIPYaD2fT9NwAHICXdlp0pVy5NH20biAADH6GQr4Vc
    [Show full text]
  • Authenticated Encryption Mode IAPM Using SHA-3'S Public Random
    Authenticated Encryption Mode IAPM using SHA-3’s Public Random Permutation Charanjit Jutla IBM T. J. Watson Research Center New York 10598 Abstract. We study instantiating the random permutation of the block- cipher mode of operation IAPM (Integrity-Aware Parallelizable Mode) with the public random permutation of Keccak, on which the draft stan- dard SHA-3 is built. IAPM and the related mode OCB are single-pass highly parallelizable authenticated-encryption modes, and while they were originally proven secure in the private random permutation model, Kurosawa has shown that they are also secure in the public random per- mutation model assuming the whitening keys are uniformly chosen with double the usual entropy. In this paper, we show a general composabil- ity result that shows that the whitening key can be obtained from the usual entropy source by a key-derivation function which is itself built on Keccak. We stress that this does not follow directly from the usual indifferentiability of key-derivation function constructions from Random Oracles. We also show that a simple and general construction, again employing Keccak, can also be used to make the IAPM scheme key- dependent-message secure. Finally, implementations on modern AMD-64 architecture supporting 128-bit SIMD instructions, and not supporting the native AES instructions, show that IAPM with Keccak runs three times faster than IAPM with AES. 1 Introduction Symmetric key encryption of bulk data is usually performed using either a stream cipher or a block cipher. A long message is divided into small fixed-size blocks and encryption is performed by either a stream-cipher mode or a block-cipher mode employing a cryptographic primitive that operates on blocks.
    [Show full text]
  • Secret-Key Encryption Introduction
    Secret-Key Encryption Introduction • Encryption is the process of encoding a message in such a way that only authorized parties can read the content of the original message • History of encryption dates back to 1900 BC • Two types of encryption • secret-key encryption : same key for encryption and decryption • pubic-key encryption : different keys for encryption and decryption • We focus on secret-key encryption in this chapter Substitution Cipher • Encryption is done by replacing units of plaintext with ciphertext, according to a fixed system. • Units may be single letters, pairs of letters, triplets of letters, mixtures of the above, and so forth • Decryption simply performs the inverse substitution. • Two typical substitution ciphers: • monoalphabetic - fixed substitution over the entire message • Polyalphabetic - a number of substitutions at different positions in the message Monoalphabetic Substitution Cipher • Encryption and decryption Breaking Monoalphabetic Substitution Cipher • Frequency analysis is the study of the frequency of letters or groups of letters in a ciphertext. • Common letters : T, A, E, I, O • Common 2-letter combinations (bigrams): TH, HE, IN, ER • Common 3-letter combinations (trigrams): THE, AND, and ING Breaking Monoalphabetic Substitution Cipher • Letter Frequency Analysis results: Breaking Monoalphabetic Substitution Cipher • Bigram Frequency Analysis results: Breaking Monoalphabetic Substitution Cipher • Trigram Frequency analysis results: Breaking Monoalphabetic Substitution Cipher • Applying the partial mappings… Data Encryption Standard (DES) • DES is a block cipher - can only encrypt a block of data • Block size for DES is 64 bits • DES uses 56-bit keys although a 64-bit key is fed into the algorithm • Theoretical attacks were identified. None was practical enough to cause major concerns.
    [Show full text]
  • OCB: a Bock-Cipher Mode of Operation for Efficient Authenticated Encryption
    OCB: A Bock-Cipher Mode of Operation for Efficient Authenticated Encryption Phillip Rogaway UC Davis This work done at Chiang Mai University [email protected] http://www.cs.ucdavis.edu/~rogaway Mihir Bellare John Black Ted Krovetz UC San Diego University of Nevada UC Davis CCS-8 — Philadelphia, USA — November 8, 2001 Slide 1 Principal Goals of Symmetric Cryptography Privacy What the Adversary sees tells her nothing of significance about the underlying message M that the Sender sent Authenticity The Receiver is sure that the string he receives was sent (in exactly this form) by the Sender Authenticated Encryption Achieves both privacy and authenticity C C* Nonce M M K Adversary K or invalid K K Sender Receiver Slide 2 Why Authenticated Encryption? • Efficiency By merging privacy and authenticity one can achieve efficiency difficult to achieve if handling them separately. • Easier-to-correctly-use abstraction By delivering strong security properties one may minimize encryption-scheme misuse. Slide 3 Easier to correctly use because stronger security properties Idealized encryption OCB Authenticated encryption [Bellare, Rogaway] IND-CPA + auth of ciphertexts [Katz,Yung] [Bellare, Namprempre] IND-CCA = NM-CCA CTR, CBC$ [Goldwasser, Micali] IND-CPA [Bellare, Desai, Jokipii, Rogaway] ECB Slide 4 Right or Wrong? It depends on what definition E satisfies K A . R K A A B EK (A . B . RA . RB .sk) EK (RB) Slide 5 Folklore approach. See Generic Composition [Bellare, Namprempre] and [Krawczyk] Traditional approach to authenticated encryption for
    [Show full text]
  • Global Journal of Engineering Science And
    [Arslan, 6(3): March 2019] ISSN 2348 – 8034 DOI- 10.5281/zenodo.2599921 Impact Factor- 5.070 GLOBAL JOURNAL OF ENGINEERING SCIENCE AND RESEARCHES PRIVACY PRESERVING SECURITY MECHANISM FOR IOT BASED DISTRIBUTED SMART HEALTHCARE SYSTEM Farrukh Arslan School of Electrical and Computer Engineering, Purdue University, USA ABSTRACT Data security and privacy are one of the key concerns in the Internet of Things (IoT). Usage of IOT is increasing in the society day-by-day, and security challenges are becoming more and more severe. From a data perspective, IOT data security plays a major role. Some of the sensitive data such as criminal record, military information, the medical record of the patients, etc. Due to the size and other features of IOT, it is almost impossible to create an efficient centralized authentication system. The proposed system focused on IoT security for distributed medical record to provide perimeter security to the patient. Building trust in distributed environments without the need for authorities is a technological advance that has the potential to change many industries, the IOT is one among them. Furthermore, it protects data integrity and availability. It improves the accessibility of data by using the indexing method along with the blockchain. Moreover, it facilitate the utility of tracking the previous history of the patient record using the hyper ledger with authorization. Keywords: security, Internet of Things, Health-care, Block chain, Hyper ledger. I. INTRODUCTION Amount of information grows day by day but the security of the data is not maintained properly. Nowadays blockchain technology is very useful in IOT field such as smart cities, smart home system as well as it provides security [1].
    [Show full text]
  • CMU-CS-17-118 July 2017
    Secure Large-Scale Outsourced Services Founded on Trustworthy Code Executions Bruno Vavala CMU-CS-17-118 July 2017 School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 Faculty of Sciences University of Lisbon 1749-16 Lisbon, Portugal Thesis Committee: Peter Steenkiste, Co-Chair Nuno Neves, University of Lisbon, Co-Chair Anupam Datta Vyas Sekar Antonia Lopes, University of Lisbon Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science Copyright c 2017 Bruno Vavala This research was sponsored by Fundac¸ao˜ para a Cienciaˆ e Tecnologia (Portuguese Foundation for Science and Technology) through the Carnegie Mellon Portugal Program under grant SFRH/BD/51562/2011 (until August 2016) and the Information and Communication Technology Institute at Carnegie Mellon University, by FCT through project UID/CEC/00408/2013 (LaSIGE), by the EC through project FP7-607109 (SEGRID) and project H2020-643964 (SUPERCLOUD). The views and conclusions contained in this document are those of the author and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution, the Portuguese government, the U.S. government or any other entity. Keywords: Trusted Computing, Cloud Security, Trusted Execution Abstraction, Execution Integrity, Code Identity, Large-scale Data, TPM, Intel SGX, Efficient Execution Verification, Passive Replication, Service Availability This work was partially supported by the Fundac¸ao˜ para a Cienciaˆ e Tecnologia (FCT) through research grant SFRH/BD/51562/2011 (until August 2016) and through project UID/CEC/00408/2013 (LaSIGE), by the Informa- tion and Communication Technology Institute at Carnegie Mellon University, by the EC through project FP7-607109 (SEGRID) and project H2020-643964 (SUPERCLOUD).
    [Show full text]
  • Optimizing Authenticated Encryption Algorithms
    Masaryk University Faculty of Informatics Optimizing authenticated encryption algorithms Master’s Thesis Ondrej Mosnáček Brno, Fall 2017 Masaryk University Faculty of Informatics Optimizing authenticated encryption algorithms Master’s Thesis Ondrej Mosnáček Brno, Fall 2017 This is where a copy of the official signed thesis assignment and a copy ofthe Statement of an Author is located in the printed version of the document. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Ondrej Mosnáček Advisor: Ing. Milan Brož i Acknowledgement I would like to thank my advisor, Milan Brož, for his guidance, pa- tience, and helpful feedback and advice. Also, I would like to thank my girlfriend Ludmila, my family, and my friends for their support and kind words of encouragement. If I had more time, I would have written a shorter letter. — Blaise Pascal iii Abstract In this thesis, we look at authenticated encryption with associated data (AEAD), which is a cryptographic scheme that provides both confidentiality and integrity of messages within a single operation. We look at various existing and proposed AEAD algorithms and compare them both in terms of security and performance. We take a closer look at three selected candidate families of algorithms from the CAESAR competition. Then we discuss common facilities provided by the two most com- mon CPU architectures – x86 and ARM – that can be used to implement cryptographic algorithms efficiently.
    [Show full text]
  • On the Security of CTR + CBC-MAC NIST Modes of Operation – Additional CCM Documentation
    On the Security of CTR + CBC-MAC NIST Modes of Operation { Additional CCM Documentation Jakob Jonsson? jakob [email protected] Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode. This mode, proposed by Doug Whiting, Russ Housley, and Niels Ferguson, combines the CTR (“counter”) encryption mode with CBC-MAC message authentication and is based on a block cipher such as AES. We present concrete lower bounds for the security of CCM in terms of the security of the underlying block cipher. The conclusion is that CCM provides a level of privacy and authenticity that is in line with other proposed modes such as OCB. Keywords: AES, authenticated encryption, modes of operation. Note: A slightly different version of this paper will appear in the Proceedings from Selected Areas of Cryptography (SAC) 2002. 1 Introduction Background. Block ciphers are popular building blocks in cryptographic algo­ rithms intended to provide information services such as privacy and authenticity. Such block-cipher based algorithms are referred to as modes of operation. Exam­ ples of encryption modes of operation are Cipher Block Chaining Mode (CBC) [23], Electronic Codebook Mode (ECB) [23], and Counter Mode (CTR) [9]. Since each of these modes provides privacy only and not authenticity, most applica­ tions require that the mode be combined with an authentication mechanism, typically a MAC algorithm [21] based on a hash function such as SHA-1 [24]. For example, a popular cipher suite in SSL/TLS [8] combines CBC mode based on Triple-DES [22] with the MAC algorithm HMAC [26] based on SHA-1.
    [Show full text]
  • ATAES132A 32K AES Serial EEPROM Complete Data Sheet
    ATAES132A ATAES132A 32K AES Serial EEPROM Complete Data Sheet Features • Crypto Element Device with Secure Hardware-Based Key Storage • 32 kb Standard Serial EEPROM Memory – Compatible with the Microchip AT24C32D and the Microchip AT25320B – 16 User Zones of 2 kb Each • High-Security Features – AES Algorithm with 128-bit Keys – AES-CCM for Authentication – Message Authentication Code (MAC) Capability – Guaranteed Unique Die Serial Number – Secure Storage for up to Sixteen 128-bit Keys – Encrypted User Memory Read and Write – Internal High-Quality FIPS Random Number Generator (RNG) – 16 High-Endurance Monotonic EEPROM Counters • Flexible User Configured Security – User Zone Access Rights Independently Configured – Authentication Prior to Zone Access • Read/Write, Encrypted, or Read-Only User Zone Options • High-Speed Serial Interface Options – 10 MHz SPI (Mode 0 and 3) – 1 MHz Standard I2C Interface • 2.5V to 5.5V Supply Voltage Range • <250 nA Sleep Current • 8-pad UDFN and 8-lead SOIC Package Options • Temperature Range: -40°C to +85°C Applications • Easily Add Security by Replacing Existing Serial EEPROM • Authenticate Consumables, Components, and Network Access • Protect Sensitive Firmware • Securely Store Sensitive Data and Enable Paid-for Features • Prevent Contract Manufacturers from Overbuilding • Manage Warranty Claims • Securely Store Identity Data (i.e. Fingerprints and Pictures) © 2018 Microchip Technology Inc. Datasheet Complete DS40002023A-page 1 ATAES132A Description The Microchip ATAES132A is a high-security, Serial Electrically-Erasable and Programmable Read-Only Memory (EEPROM) providing both authentication and confidential nonvolatile data storage capabilities. Access restrictions for the 16 user zones are independently configured, and any key can be used with any zone.
    [Show full text]