Computer Security and Cryptography Reading Group
November 2004 List
Monday, November 8, 2004
2:30 PM - 3:30 PM
3331 CS
Adrian Perrig
Leendert van Doorn
Arvind Seshadri, Adrian Perrig, Leendert van Doorn, Pradeep Khosla
CMU / CMU / IBM / CMU
SWATT: SoftWare-based ATTestation for Embedded Devices
Oakland'04
URL: http://www.ece.cmu.edu/~adrian/projects/swatt.pdf
We expect a future where we are surrounded by embedded devices, ranging from Java-enabled cell phones to sensor networks and smart appliances. An adversary can compromise our privacy and safety by maliciously modifying the memory contents of these embedded devices. In this paper, we propose a SoftWare-based ATTestation technique (SWATT) to verify the memory contents of embedded devices and establish the absence of malicious changes to the memory contents. SWATT does not need physical access to the device's memory, yet provides memory content attestation similar to TCG or NGSCB without requiring secure hardware. SWATT can detect any change in memory contents with high probability, thus detecting viruses, unexpected configuration settings, and Trojan Horses. To circumvent SWATT, we expect that an attacker needs to change the hardware to hide memory content changes. We present an implementation of SWATT in off-the-shelf sensor network devices, which enables us to verify the contents of the program memory even while the sensor node is running.
Monday, November 15, 2004
2:30 PM - 3:30 PM
3331 CS
Reiner Sailer
Leendert van Doorn
Reiner Sailer, Trent Jaeger, Xiaolan Zhang, Leendert van Doorn
IBM TJ Watson
Attestation-based policy enforcement for remote access
CCS'04
URL: http://doi.acm.org/10.1145/1030083.1030125
Intranet access has become an essential function for corporate users. At the same time, corporations' security administrators have little ability to control access to corporate data once it is released to remote clients. At present, no confidentiality or integrity guarantees about the remote access clients are made, so it is possible that an attacker may have compromised a client process and is now downloading or modifying corporate data. Even though we have corporate-wide access control over remote users, the access control approach is currently insufficient to stop these malicious processes. We have designed and implemented a novel system that empowers corporations to verify client integrity properties and establish trust upon the client policy enforcement before allowing clients (remote) access to corporate Intranet services. Client integrity is measured using a Trusted Platform Module (TPM), a new security technology that is becoming broadly available on client systems, and our system uses these measurements for access policy decisions enforced upon the client's processes. We have implemented a Linux 2.6 prototype system that utilizes the TPM measurement and attestation, existing Linux network control (Netfilter), and existing corporate policy management tools in the Tivoli Access Manager to control remote client access to corporate data. This prototype illustrates that our solution integrates seamlessly into scalable corporate policy management and introduces only a minor performance overhead.
Monday, November 22, 2004
2:30 PM - 3:30 PM
3331 CS
Tadayoshi Kohno
Tadayoshi Kohno
UCSD
Attacking and repairing the WinZip encryption scheme
CCS'04
URL: http://doi.acm.org/10.1145/1030083.1030095
WinZip is a popular compression utility for Microsoft Windows computers, the latest version of which is advertised as having "easy-to-use AES encryption to protect your sensitive data." We exhibit several attacks against WinZip's new encryption method, dubbed "AE-2" or "Advanced Encryption, version two." We then discuss secure alternatives. Since at a high level the underlying WinZip encryption method appears secure (the core is exactly Encrypt-then-Authenticate using AES-CTR and HMAC-SHA1), and since one of our attacks was made possible because of the way that WinZip Computing, Inc. decided to fix a different security problem with its previous encryption method AE-1, our attacks further underscore the subtlety of designing cryptographically secure software.
Monday, November 29, 2004
2:30 PM - 3:30 PM
3331 CS
Hugo Krawczyk
Technion
The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?)
CRYPTO'01
URL: http://www.springerlink.com/link.asp?id=gc8dp8f8v5kkjj7m
We study the question of how to generically compose symmetric encryption and authentication when building "secure channels" for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combination of secure encryption (against chosen plaintext attacks) and secure MAC must use the encrypt-then-authenticate method. We demonstrate this by showing that the other common methods of composing encryption and authentication, including the authenticate-then-encrypt method used in SSL, are not generically secure. We show an example of an encryption function that provides (Shannon's) perfect secrecy but when combined with any MAC function under the authenticate-then-encrypt method yields a totally insecure protocol (for example, finding passwords or credit card numbers transmitted under the protection of such a protocol becomes an easy task for an active attacker). The same applies to the encrypt-and-authenticate method used in SSH. On the positive side we show that the authenticate-then-encrypt method is secure if the encryption method in use is either CBC mode (with an underlying secure block cipher) or a stream cipher (that XORs the data with a random or pseudorandom pad). Thus, while we show the generic security of SSL to be broken, the current practical implementations of the protocol that use the above modes of encryption are safe.
Created and maintained by Mihai Christodorescu ( http://www.cs.wisc.edu/~mihai)
Created: Wed Aug 13 10:30:10 CDT 2003
Last modified: Fri Jul 02 10:08:55 2004