On forward secrecy in one-round key exchange

Most one-round key exchange protocols provide only weak forward secrecy at best. Furthermore, one-round protocols with strong forward secrecy often break badly when faced with an adversary who can obtain ephemeral keys. We provide a characterisation of how strong forward secrecy can be achieved in one-round key exchange. Moreover, we show that protocols exist which provide strong forward secrecy and remain secure with weak forward secrecy even when the adversary is allowed to obtain ephemeral keys. We provide a compiler to achieve this for any existing secure protocol with weak forward secrecy.

Towards a provably secure DoS-Resilient key exchange protocol with perfect forward secrecy

Just Fast Keying (JFK) is a simple, efficient and secure key exchange protocol proposed by Aiello et al. (ACM TISSEC, 2004). JFK is well known for its novel design features, notably its resistance to denial-of-service (DoS) attacks. Using Meadows’ cost-based framework, we identify a new DoS vulnerability in JFK. The JFK protocol is claimed secure in the Canetti-Krawczyk model under the Decisional Diffie-Hellman (DDH) assumption. We show that security of the JFK protocol, when reusing ephemeral Diffie-Hellman keys, appears to require the Gap Diffie-Hellman (GDH) assumption in the random oracle model. We propose a new variant of JFK that avoids the identified DoS vulnerability and provides perfect forward secrecy even under the DDH assumption, achieving the full security promised by the JFK protocol.

A forward and backward secure key management in wireless sensor networks for PCS/SCADA

Process Control Systems (PCSs) or Supervisory Control and Data Acquisition (SCADA) systems have recently been added to the already wide collection of wireless sensor networks applications. The PCS/SCADA environment is somewhat more amenable to the use of heavy cryptographic mechanisms such as public key cryptography than other sensor application environments. The sensor nodes in the environment, however, are still open to devastating attacks such as node capture, which makes designing a secure key management challenging. In this paper, a key management scheme is proposed to defeat node capture attack by offering both forward and backward secrecies. Our scheme overcomes the pitfalls which Nilsson et al.'s scheme suffers from, and is not more expensive than their scheme.

Listening to late discovery adoption and donor offspring stories : adoption, ethics and implications for contemporary donor insemination practices

For most of the 20th Century a ‘closed’ system of adoption was practised throughout Australia and other modern Western societies. This ‘closed’ system was characterised by sealed records; amended birth certificates to conceal the adoption, and prohibited contact with all biological family. Despite claims that these measures protected these children from the taint of illegitimacy the central motivations were far more complex, involving a desire to protect couples from the stigma of infertility and to provide a socially acceptable family structure (Triseliotis, Feast, & Kyle, 2005; Marshall & McDonald, 2001). From the 1960s significant evidence began to emerge that many adopted children and adults were experiencing higher incidences of psychological difficulties, characterised by problems with psychological adjustment, building self-esteem and forming a secure personal identity. These difficulties became grouped under the term ‘genealogical bewilderment’. As a result, new policies and practices were introduced to try to place the best interests of the child at the forefront. These changes reflected new understandings of adoption; as not only an individual process but also as a social and relational process that continues throughout life. Secrecy and the withholding of birth information are now prohibited in the overwhelming majority of all domestic adoptions processed in Australia (Marshall & McDonald, 2001). One little known consequence of this ‘closed’ system of adoption was the significant number of children who were never told of their adoptive status. As a consequence, some have discovered or had this information disclosed to them, as adults. The first study that looked at the late discovery of genetic origins experiences was conducted by the Post Adoption Resource Centre in New South Wales in 1999. This report found that the participants in their study expressed feelings of disbelief, confusion, anger, sorrow and loss. Further, the majority of participants continued to struggle with issues arising from this intentional concealment of their genetic origins (Perl & Markham, 1999). A second and more recent study (Passmore, Feeney & Foulstone, 2007) looked at the issue of secrecy in adoptive families as part of a broader study of 144 adult adoptees. This study found that secrecy and/or lies or misinformation on the part of adoptive parents had negative effects on both personal identity and relationships with others. The authors noted that those adoptees who found out about their adoption as adults were ‘especially likely to feel a sense of betrayal’ (p.4). Over recent years, stories of secrecy and late discovery have also started to emerge from sperm donor conceived adults (Spencer, 2007; Turner & Coyle, 2000). Current research evidence shows that although a majority of couples during the donor assisted conception process indicate that they intend to tell the offspring about their origins, as many as two-thirds or more of couples continue to withhold this information from their children (Akker, 2006; Gottlieb, A. McWhinnie, 2001; Salter-Ling, Hunter, & Glover, 2001). Why do they keep this secret? Infertility involves a range of complex factors that are often left unresolved or poorly understood by those choosing insemination by donor as a form of family building (Schaffer, J. A., & Diamond, R., 1993). These factors may only impact after the child is born, when resemblance talk becomes most pronounced. Resemblance talk is an accepted form of public discourse and a social convention that legitimises the child as part of the family and is part of the process of constructing the child’s identity within the family. Couples tend to become focused on resemblance as this is where they feel most vulnerable, and the lack of resemblance to the parenting father may trigger his sense of loss (Becker, Butler, & Nachtigall, 2005).

Mitigating sandwich attacks against a secure key management scheme in wireless sensor networks for PCS/SCADA

Alzaid et al. proposed a forward & backward secure key management scheme in wireless sensor networks for Process Control Systems (PCSs) or Supervisory Control and Data Acquisition (SCADA) systems. The scheme, however, is still vulnerable to an attack called the sandwich attack that can be launched when the adversary captures two sensor nodes at times t1 and t2, and then reveals all the group keys used between times t1 and t2. In this paper, a fix to the scheme is proposed in order to limit the vulnerable time duration to an arbitrarily chosen time span while keeping the forward and backward secrecy of the scheme untouched. Then, the performance analysis for our proposal, Alzaid et al.’s scheme, and Nilsson et al.’s scheme is given.

Generic one round group key exchange in the standard model

Minimizing complexity of group key exchange (GKE) protocols is an important milestone towards their practical deployment. An interesting approach to achieve this goal is to simplify the design of GKE protocols by using generic building blocks. In this paper we investigate the possibility of founding GKE protocols based on a primitive called multi key encapsulation mechanism (mKEM) and describe advantages and limitations of this approach. In particular, we show how to design a one-round GKE protocol which satisfies the classical requirement of authenticated key exchange (AKE) security, yet without forward secrecy. As a result, we obtain the first one-round GKE protocol secure in the standard model. We also conduct our analysis using recent formal models that take into account both outsider and insider attacks as well as the notion of key compromise impersonation resilience (KCIR). In contrast to previous models we show how to model both outsider and insider KCIR within the definition of mutual authentication. Our analysis additionally implies that the insider security compiler by Katz and Shin from ACM CCS 2005 can be used to achieve more than what is shown in the original work, namely both outsider and insider KCIR.

Design and analysis of group key exchange protocols

A group key exchange (GKE) protocol allows a set of parties to agree upon a common secret session key over a public network. In this thesis, we focus on designing efficient GKE protocols using public key techniques and appropriately revising security models for GKE protocols. For the purpose of modelling and analysing the security of GKE protocols we apply the widely accepted computational complexity approach. The contributions of the thesis to the area of GKE protocols are manifold. We propose the first GKE protocol that requires only one round of communication and is proven secure in the standard model. Our protocol is generically constructed from a key encapsulation mechanism (KEM). We also suggest an efficient KEM from the literature, which satisfies the underlying security notion, to instantiate the generic protocol. We then concentrate on enhancing the security of one-round GKE protocols. A new model of security for forward secure GKE protocols is introduced and a generic one-round GKE protocol with forward security is then presented. The security of this protocol is also proven in the standard model. We also propose an efficient forward secure encryption scheme that can be used to instantiate the generic GKE protocol. Our next contributions are to the security models of GKE protocols. We observe that the analysis of GKE protocols has not been as extensive as that of two-party key exchange protocols. Particularly, the security attribute of key compromise impersonation (KCI) resilience has so far been ignored for GKE protocols. We model the security of GKE protocols addressing KCI attacks by both outsider and insider adversaries. We then show that a few existing protocols are not secure against KCI attacks. A new proof of security for an existing GKE protocol is given under the revised model assuming random oracles. Subsequently, we treat the security of GKE protocols in the universal composability (UC) framework. We present a new UC ideal functionality for GKE protocols capturing the security attribute of contributiveness. An existing protocol with minor revisions is then shown to realize our functionality in the random oracle model. Finally, we explore the possibility of constructing GKE protocols in the attribute-based setting. We introduce the concept of attribute-based group key exchange (AB-GKE). A security model for AB-GKE and a one-round AB-GKE protocol satisfying our security notion are presented. The protocol is generically constructed from a new cryptographic primitive called encapsulation policy attribute-based KEM (EP-AB-KEM), which we introduce in this thesis. We also present a new EP-AB-KEM with a proof of security assuming generic groups and random oracles. The EP-AB-KEM can be used to instantiate our generic AB-GKE protocol.

Secure data aggregation in wireless sensor networks

A Wireless Sensor Network (WSN) is a set of sensors that are integrated with a physical environment. These sensors are small in size, and capable of sensing physical phenomena and processing them. They communicate in a multihop manner, due to a short radio range, to form an Ad Hoc network capable of reporting network activities to a data collection sink. Recent advances in WSNs have led to several new promising applications, including habitat monitoring, military target tracking, natural disaster relief, and health monitoring. The current version of sensor node, such as MICA2, uses a 16 bit, 8 MHz Texas Instruments MSP430 micro-controller with only 10 KB RAM, 128 KB program space, 512 KB external ash memory to store measurement data, and is powered by two AA batteries. Due to these unique specifications and a lack of tamper-resistant hardware, devising security protocols for WSNs is complex. Previous studies show that data transmission consumes much more energy than computation. Data aggregation can greatly help to reduce this consumption by eliminating redundant data. However, aggregators are under the threat of various types of attacks. Among them, node compromise is usually considered as one of the most challenging for the security of WSNs. In a node compromise attack, an adversary physically tampers with a node in order to extract the cryptographic secrets. This attack can be very harmful depending on the security architecture of the network. For example, when an aggregator node is compromised, it is easy for the adversary to change the aggregation result and inject false data into the WSN. The contributions of this thesis to the area of secure data aggregation are manifold. We firstly define the security for data aggregation in WSNs. In contrast with existing secure data aggregation definitions, the proposed definition covers the unique characteristics that WSNs have. Secondly, we analyze the relationship between security services and adversarial models considered in existing secure data aggregation in order to provide a general framework of required security services. Thirdly, we analyze existing cryptographic-based and reputationbased secure data aggregation schemes. This analysis covers security services provided by these schemes and their robustness against attacks. Fourthly, we propose a robust reputationbased secure data aggregation scheme for WSNs. This scheme minimizes the use of heavy cryptographic mechanisms. The security advantages provided by this scheme are realized by integrating aggregation functionalities with: (i) a reputation system, (ii) an estimation theory, and (iii) a change detection mechanism. We have shown that this addition helps defend against most of the security attacks discussed in this thesis, including the On-Off attack. Finally, we propose a secure key management scheme in order to distribute essential pairwise and group keys among the sensor nodes. The design idea of the proposed scheme is the combination between Lamport's reverse hash chain as well as the usual hash chain to provide both past and future key secrecy. The proposal avoids the delivery of the whole value of a new group key for group key update; instead only the half of the value is transmitted from the network manager to the sensor nodes. This way, the compromise of a pairwise key alone does not lead to the compromise of the group key. The new pairwise key in our scheme is determined by Diffie-Hellman based key agreement.

Tensions in developing a secure collective information practice : the case of Agile Ridesharing

Many current HCI, social networking, ubiquitous computing, and context aware designs, in order for the design to function, have access to, or collect, significant personal information about the user. This raises concerns about privacy and security, in both the research community and main-stream media. From a practical perspective, in the social world, secrecy and security form an ongoing accomplishment rather than something that is set up and left alone. We explore how design can support privacy as practical action, and investigate the notion of collective information-practice of privacy and security concerns of participants of a mobile, social software for ride sharing. This paper contributes an understanding of HCI security and privacy tensions, discovered while “designing in use” using a Reflective, Agile, Iterative Design (RAID) method.

Anonymity and one-way authentication in key exchange protocols

Key establishment is a crucial cryptographic primitive for building secure communication channels between two parties in a network. It has been studied extensively in theory and widely deployed in practice. In the research literature a typical protocol in the public-key setting aims for key secrecy and mutual authentication. However, there are many important practical scenarios where mutual authentication is undesirable, such as in anonymity networks like Tor, or is difficult to achieve due to insufficient public-key infrastructure at the user level, as is the case on the Internet today. In this work we are concerned with the scenario where two parties establish a private shared session key, but only one party authenticates to the other; in fact, the unauthenticated party may wish to have strong anonymity guarantees. We present a desirable set of security, authentication, and anonymity goals for this setting and develop a model which captures these properties. Our approach allows for clients to choose among different levels of authentication. We also describe an attack on a previous protocol of Øverlier and Syverson, and present a new, efficient key exchange protocol that provides one-way authentication and anonymity.

On secrets, lies, and fiction : girls learning the art of survival

This chapter’s interest in fiction’s relationship to truth, lies, and secrecy is not so much a matter of how closely fiction resembles or mirrors the world (its mimetic quality), or what we can learn from fiction (its epistemological value). Rather, the concern is both literary and philosophical: a literary concern that takes into account how texts that thematise secrecy work to withhold and to disclose their secrets as part of the process of narrating and sequencing; and a philosophical concern that considers how survival is contingent on secrets and other forms of concealment such as lies, deception, and half-truths. The texts selected for examination are: Secrets (2002), Skim (2008), and Persepolis: The Story of a Childhood (2003). These texts draw attention to the ways in which the lies and secrets of the female protagonists are part of the intricate mechanism of survival, and demonstrate the ways in which fiction relies upon concealment and revelation as forms of truth-telling.

Identity and genetic origins : an ethical exploration of the late discovery of adoptive and donor-insemination offspring status

This thesis is an ethical and empirical exploration of the late discovery of genetic origins in two contexts, adoption and sperm donor-assisted conception. This exploration has two interlinked strands of concern. The first is the identification of ‘late discovery’ as a significant issue of concern, deserving of recognition and acknowledgment. The second concerns the ethical implications of late discovery experiences for the welfare of the child. The apparently simple act of recognition of a phenomenon is a precondition to any analysis and critique of it. This is especially important when the phenomenon arises out of social practices that arouse significant debate in ethical and legal contexts. As the new reproductive technologies and some adoption practices remain highly contested, an ethical exploration of this long neglected experience has the potential to offer new insights and perspectives in a range of contexts. It provides an opportunity to revisit developmental debate on the relative merit or otherwise of biological versus social influences, from the perspective of those who have lived this dichotomy in practise. Their experiences are the human face of the effects arising from decisions taken by others to intentionally separate their biological and social worlds, an action which has then been compounded by family and institutional secrecy from birth. This has been accompanied by a failure to ensure that normative standards and values are upheld for them. Following discovery, these factors can be exacerbated by a lack of recognition and acknowledgement of their concerns by family, friends, community and institutions. Late discovery experiences offer valuable insights to inform discussions on the ethical meanings of child welfare, best interests, parental responsibility, duty of care and child identity rights in this and other contexts. They can strengthen understandings of what factors are necessary for a child to be able to live a reasonably happy or worthwhile life.

Quantum key distribution in the classical authenticated key exchange framework

Key establishment is a crucial primitive for building secure channels in a multi-party setting. Without quantum mechanics, key establishment can only be done under the assumption that some computational problem is hard. Since digital communication can be easily eavesdropped and recorded, it is important to consider the secrecy of information anticipating future algorithmic and computational discoveries which could break the secrecy of past keys, violating the secrecy of the confidential channel. Quantum key distribution (QKD) can be used generate secret keys that are secure against any future algorithmic or computational improvements. QKD protocols still require authentication of classical communication, although existing security proofs of QKD typically assume idealized authentication. It is generally considered folklore that QKD when used with computationally secure authentication is still secure against an unbounded adversary, provided the adversary did not break the authentication during the run of the protocol. We describe a security model for quantum key distribution extending classical authenticated key exchange (AKE) security models. Using our model, we characterize the long-term security of the BB84 QKD protocol with computationally secure authentication against an eventually unbounded adversary. By basing our model on traditional AKE models, we can more readily compare the relative merits of various forms of QKD and existing classical AKE protocols. This comparison illustrates in which types of adversarial environments different quantum and classical key agreement protocols can be secure.