764 results for forgery attacks, algebraic attacks, collision attacks, sidechannel attacks
Abstract:
This report summarizes our results from a security analysis covering all 57 first-round candidates of the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) and over 210 implementations. We have manually identified security issues with three candidates, two of which are more serious, and these ciphers have been withdrawn from the competition. We have developed a testing framework, BRUTUS, to facilitate automatic detection of simple security lapses and susceptible statistical structures across all ciphers. From this testing, we have security usage notes on four submissions and statistical notes on a further four. We highlight that some of the CAESAR algorithms pose an elevated risk if employed in real-life protocols due to a class of adaptive-chosen-plaintext attacks. Although authenticated encryption with associated data (AEAD) algorithms are often defined (and are best used) as discrete primitives that authenticate and transmit only complete messages, in practice these algorithms are easily implemented in a fashion that outputs observable ciphertext data before the algorithm has received all of the (attacker-controlled) plaintext. For an implementor, this strategy appears to offer harmless and compliant storage and latency advantages. If the algorithm uses the same state for secret keying information, encryption, and integrity protection, and the internal mixing permutation is not cryptographically strong, an attacker can exploit the ciphertext–plaintext feedback loop to reveal secret state information or even keying material. We conclude that the main advantages of exhaustive, automated cryptanalysis are that it acts as a very necessary sanity check for implementations and gives the cryptanalyst insights that can be used to focus more specific attack methods on given candidates.
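The feedback loop the abstract warns about is easiest to see on a constructed toy. The block below is an added illustration, not code from the BRUTUS paper and not any CAESAR candidate: a duplex-style stream mode that emits each ciphertext word as soon as its plaintext word arrives, built on a deliberately linear "mixing permutation" (three-term rotate-XOR layers, all constructed here). Because the rate part of the state is overwritten with ciphertext the attacker already knows, the next keystream word is an affine function of the unknown capacity, and a GF(2) solve recovers it; inverting the linear permutation then yields the key. With this toy, known plaintext for two words suffices; the adaptivity in the real attack class comes from having to steer the state, which this example does not need.

```python
MASK32 = 0xFFFFFFFF


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def g(c):
    # Capacity-to-rate mixing. Three rotation terms make it invertible, but it is GF(2)-linear,
    # which is the weakness being demonstrated (constructed, not any real cipher's layer).
    return c ^ rotl32(c, 7) ^ rotl32(c, 18)


def h(r):
    return r ^ rotl32(r, 13) ^ rotl32(r, 22)


def weak_perm(r, c):
    """Linear 64-bit 'permutation' on a (rate, capacity) pair of 32-bit words."""
    r ^= g(c)
    c ^= h(r)
    return r, c


def weak_perm_inv(r, c):
    c ^= h(r)
    r ^= g(c)
    return r, c


def stream_encrypt(key, nonce, blocks):
    """Encrypts 32-bit words, releasing each ciphertext word immediately (the streaming pattern)."""
    r, c = weak_perm(nonce, key)          # capacity holds the key, rate absorbs the nonce
    out = []
    for p in blocks:
        ct = p ^ r                        # keystream is the rate part of the state
        out.append(ct)
        r = ct                            # duplex: ciphertext overwrites the rate
        r, c = weak_perm(r, c)
    return out, r ^ c                     # tag derived from the final state


def gf2_solve(linear_fn, target, n=32):
    """Solve linear_fn(x) == target over GF(2) for an n-bit x; None if the map is singular."""
    cols = [linear_fn(1 << i) for i in range(n)]           # image of each unit vector
    rows = []
    for j in range(n):
        mask = sum(1 << i for i in range(n) if (cols[i] >> j) & 1)
        rows.append((mask, (target >> j) & 1))
    pivots = []
    for col in range(n):
        k = len(pivots)
        piv = next((t for t in range(k, n) if (rows[t][0] >> col) & 1), None)
        if piv is None:
            return None
        rows[k], rows[piv] = rows[piv], rows[k]
        pm, pr = rows[k]
        for t in range(n):
            if t != k and (rows[t][0] >> col) & 1:
                rows[t] = (rows[t][0] ^ pm, rows[t][1] ^ pr)
        pivots.append(col)
    return sum(1 << col for k, col in enumerate(pivots) if rows[k][1])


def recover_key(nonce, plaintexts, ciphertexts):
    """Attacker view: two plaintext/ciphertext words released before any tag."""
    p1, p2 = plaintexts[0], plaintexts[1]
    ct1, ct2 = ciphertexts[0], ciphertexts[1]
    keystream2 = ct2 ^ p2
    # After absorbing ct1 the state is (ct1, C) with C unknown, so keystream2 == ct1 ^ g(C).
    cap = gf2_solve(g, keystream2 ^ ct1)
    if cap is None:
        return None
    # State before the first absorb was (ct1 ^ p1, C); run the linear permutation backwards.
    r_init, key = weak_perm_inv(ct1 ^ p1, cap)
    return key if r_init == nonce else None


if __name__ == "__main__":
    key, nonce = 0xDEADBEEF, 0x01234567   # constructed values
    pts = [0x41414141, 0x42424242, 0x43434343]
    cts, tag = stream_encrypt(key, nonce, pts)
    print("recovered key:", hex(recover_key(nonce, pts, cts)))
```

Once the attacker holds the full state she can also run `stream_encrypt` herself to predict later keystream words and the tag. The same equation `keystream2 == ct1 ^ g(C)` exists for a strong permutation too; what changes is that `g` is no longer a linear map the attacker can invert with 32 equations, which is exactly why the abstract conditions the risk on the mixing permutation not being cryptographically strong.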
Abstract:
WHIRLBOB, also known as STRIBOBr2, is an AEAD (Authenticated Encryption with Associated Data) algorithm derived from STRIBOBr1 and the Whirlpool hash algorithm. WHIRLBOB/STRIBOBr2 is a second-round candidate in the CAESAR competition. As with STRIBOBr1, the reduced-size Sponge design has a strong provable security link with a standardized hash algorithm. The new design utilizes only the LPS or ρ component of Whirlpool in flexibly domain-separated BLNK Sponge mode. The number of rounds is increased from 10 to 12 as a countermeasure against Rebound Distinguishing attacks. The 8×8-bit S-Box used by Whirlpool and WHIRLBOB is constructed from 4×4-bit "MiniBoxes". We report on fast constant-time Intel SSSE3 and ARM NEON SIMD WHIRLBOB implementations that keep full miniboxes in registers and access them via SIMD shuffles. This is an efficient countermeasure against AES-style cache timing side-channel attacks. Another main advantage of WHIRLBOB over STRIBOBr1 (and most other AEADs) is its greatly reduced implementation footprint on lightweight platforms. On many lower-end microcontrollers the total software footprint of π+BLNK = WHIRLBOB AEAD is less than half a kilobyte. We also report an FPGA implementation that requires 4,946 logic units for a single round of WHIRLBOB, which compares favorably to 7,972 required for Keccak / Keyak on the same target platform. The relatively small S-Box gate count also enables efficient 64-bit bitsliced straight-line implementations. We finally present some discussion and analysis on the relationships between WHIRLBOB, Whirlpool, the Russian GOST Streebog hash, and the recent draft Russian Encryption Standard Kuznyechik.
Abstract:
With the development and deployment of IEC 61850-based smart substations, cybersecurity vulnerabilities of supervisory control and data acquisition (SCADA) systems are increasingly emerging. In response to the emergence of cybersecurity vulnerabilities in smart substations, a test-bed is indispensable to enable cybersecurity experimentation. In this paper, a comprehensive and realistic cyber-physical test-bed has been built to investigate potential cybersecurity vulnerabilities and the impact of cyber-attacks on IEC 61850-based smart substations. This test-bed is close to a real production-type environment, and has the ability to carry out end-to-end testing of cyber-attacks and physical consequences. A fuzz testing approach is proposed for IEC 61850-based intelligent electronic devices (IEDs) and validated in the proposed test-bed.
Abstract:
Cyber-security research in the field of smart grids is often performed with a focus on either the power and control domain or the Information and Communications Technology (ICT) domain. The characteristics of the power equipment or ICT domain are commonly not collectively considered. This work provides an analysis of the physical effects of cyber-attacks on microgrids – a smart grid construct that allows continued power supply when disconnected from a main grid. Different types of microgrid operations are explained (connected, islanded and synchronous-islanding) and potential cyber-attacks and their physical effects are analyzed. A testbed that is based on physical power and ICT equipment is presented to validate the results in both the physical and ICT domain.
Abstract:
As cryptographic implementations are increasingly subsumed as functional blocks within larger systems on chip, it becomes more difficult to identify the power consumption signatures of cryptographic operations amongst other unrelated processing activities. In addition, at higher clock frequencies, the current decay between successive processing rounds is only partial, making it more difficult to apply existing pattern matching techniques in side-channel analysis. We show however, through the use of a phase-sensitive detector, that power traces can be pre-processed to generate a filtered output which exhibits an enhanced round pattern, enabling the identification of locations on a device where encryption operations are occurring and also assisting with the re-alignment of power traces for side-channel attacks.
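A phase-sensitive (lock-in) detector, as an added example that is not the paper's own code: the trace is mixed with in-phase and quadrature references at the assumed round frequency, low-pass filtered with a moving average, and the magnitude of the result is the "enhanced round pattern". The trace itself is constructed here: a DC supply level, ten rounds of a decaying current spike (the partial decay between rounds the abstract describes) in one region, an unrelated oscillation at a different frequency in another region, and Gaussian noise. The round period, window length and all amplitudes are assumptions for the demonstration.

```python
import math
import random

PERIOD = 20     # assumed samples per cipher round
WINDOW = 100    # low-pass window: five rounds


def make_trace(n=1000, active=(300, 500), distractor=(600, 800), noise=0.1, seed=7):
    """Constructed power trace: DC level, per-round decaying spikes inside `active`,
    an unrelated sinusoid inside `distractor`, Gaussian noise everywhere."""
    rng = random.Random(seed)
    trace = []
    for t in range(n):
        v = 1.0
        if active[0] <= t < active[1]:
            v += math.exp(-((t - active[0]) % PERIOD) / 5.0)   # only partial decay per round
        if distractor[0] <= t < distractor[1]:
            v += 0.2 * math.sin(2 * math.pi * t / 37.0)        # other on-chip activity
        v += rng.gauss(0.0, noise)
        trace.append(v)
    return trace


def lock_in(trace, period=PERIOD, window=WINDOW):
    """Phase-sensitive detection at 1/period: multiply by cos/sin references, average over
    `window` samples (centred), return the demodulated magnitude per sample (0 at the edges)."""
    n = len(trace)
    mean = sum(trace) / n                       # remove DC so truncated windows do not ring
    w = 2 * math.pi / period
    i_ref = [(x - mean) * math.cos(w * t) for t, x in enumerate(trace)]
    q_ref = [(x - mean) * math.sin(w * t) for t, x in enumerate(trace)]
    ci, cq = [0.0], [0.0]                       # prefix sums give O(1) moving averages
    for a, b in zip(i_ref, q_ref):
        ci.append(ci[-1] + a)
        cq.append(cq[-1] + b)
    half = window // 2
    amp = [0.0] * n
    for t in range(half, n - half):
        i_avg = (ci[t + half] - ci[t - half]) / window
        q_avg = (cq[t + half] - cq[t - half]) / window
        amp[t] = math.hypot(i_avg, q_avg)       # magnitude is phase-independent
    return amp


def locate(amp, frac=0.5):
    """First and last sample whose demodulated magnitude exceeds frac * peak."""
    thr = frac * max(amp)
    hits = [t for t, a in enumerate(amp) if a > thr]
    return (hits[0], hits[-1]) if hits else None


if __name__ == "__main__":
    amp = lock_in(make_trace())
    print("rounds located at samples", locate(amp))
```

Because the reference runs at the round frequency, the DC level, the unrelated oscillation and the noise all average towards zero while the periodic round pattern adds coherently, so the detector output rises only where the cipher is actually running; the same output can then serve as the alignment marker for the traces.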
Abstract:
Most cryptographic devices inevitably need resistance against the threat of side-channel attacks. For this, masking and hiding schemes have been proposed since 1999. The security validation of these countermeasures is an ongoing research topic, as a wider range of new and existing attack techniques are tested against these countermeasures. This paper examines the side-channel security of the balanced encoding countermeasure, whose aim is to process the secret key-related data under a constant Hamming weight and/or Hamming distance leakage. Unlike previous works, we assume that the leakage model coefficients conform to a normal distribution, producing a model with closer fidelity to real-world implementations. We perform analysis on the balanced-encoded PRINCE block cipher with a simulated leakage model and also an implementation on an AVR board. We consider both standard correlation power analysis (CPA) and bit-wise CPA. We confirm the resistance of the countermeasure against standard CPA; however, we find with a bit-wise CPA that we can reveal the key with only a few thousand traces.
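A simulation of the abstract's claim, added here and not the paper's own code or model: a byte is protected with a dual-rail balanced encoding (value in the high byte, complement in the low byte, so every codeword has Hamming weight 8), and the simulated device leaks each of the 16 encoded bits with its own coefficient. The paper draws those coefficients from a normal distribution; here they are fixed constructed values so the run is reproducible, and the pair of rails for bit 3 is given the largest mismatch. A standard CPA with a Hamming-weight hypothesis sees a constant and scores zero for every key guess; a bit-wise CPA that correlates against a single output bit recovers the key. The AES S-box (computed on the fly) stands in for the PRINCE S-box of the paper; any bijective S-box gives the same demonstration.

```python
import math
import random

SECRET_KEY = 0x2B   # key byte of the simulated device (constructed value)


def _gf_mul(a, b):
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _aes_sbox():
    """AES S-box: multiplicative inverse in GF(2^8) followed by the standard affine map."""
    box = []
    for x in range(256):
        inv = 1
        for _ in range(254):               # x^254 == x^-1, and 0 stays 0
            inv = _gf_mul(inv, x)
        s = 0x63
        for k in range(5):                 # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(s)
    return box


SBOX = _aes_sbox()

# Per-bit leakage coefficients of the simulated device (constructed; think of them as one
# draw from N(1, sigma^2) per bit). Bits 0-7 carry the complement rail, bits 8-15 the value.
COEF = [1.0, 1.1, 0.9, 1.5, 1.0, 0.9, 1.1, 0.9,
        1.1, 1.0, 1.0, 0.5, 1.1, 1.0, 1.0, 1.0]


def encode(v):
    """Dual-rail balanced encoding: constant Hamming weight 8 for every byte value."""
    return ((v << 8) | (~v & 0xFF)) & 0xFFFF


def hw(x):
    return bin(x).count("1")


def simulate_traces(n=1200, noise=0.5, seed=1):
    """One leakage sample per trace, taken at the encoded S-box output."""
    rng = random.Random(seed)
    pts, leak = [], []
    for _ in range(n):
        p = rng.randrange(256)
        v = encode(SBOX[p ^ SECRET_KEY])
        leak.append(sum(COEF[i] for i in range(16) if (v >> i) & 1) + rng.gauss(0.0, noise))
        pts.append(p)
    return pts, leak


def corr(xs, yc, syy):
    """Pearson correlation of xs with an already mean-centred vector yc (syy = sum(yc^2))."""
    n = len(xs)
    sx = sum(xs)
    sxx = sum(x * x for x in xs) - sx * sx / n
    if sxx <= 1e-12 or syy == 0:
        return 0.0                        # a constant hypothesis carries no information
    return sum(x * y for x, y in zip(xs, yc)) / math.sqrt(sxx * syy)


def _centre(leak):
    m = sum(leak) / len(leak)
    yc = [l - m for l in leak]
    return yc, sum(y * y for y in yc)


def standard_cpa(pts, leak):
    """Hamming-weight model of the encoded value: constant 8, so every guess scores 0."""
    yc, syy = _centre(leak)
    return [abs(corr([hw(encode(SBOX[p ^ k])) for p in pts], yc, syy)) for k in range(256)]


def bitwise_cpa(pts, leak):
    """Best single-bit correlation per key guess (the complement rail adds nothing new)."""
    yc, syy = _centre(leak)
    scores = []
    for k in range(256):
        vals = [SBOX[p ^ k] for p in pts]
        scores.append(max(abs(corr([(v >> b) & 1 for v in vals], yc, syy)) for b in range(8)))
    return scores


def best_key(scores):
    return max(range(256), key=lambda k: scores[k])


if __name__ == "__main__":
    pts, leak = simulate_traces()
    print("standard CPA peak:", max(standard_cpa(pts, leak)))
    print("bit-wise CPA key:", hex(best_key(bitwise_cpa(pts, leak))))
```

The encoding only cancels leakage that is a symmetric function of the bits; as soon as the two rails of a bit leak with unequal weight, that bit's value is back in the trace as a small signal, and a single-bit hypothesis is exactly the model that picks it up.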
Abstract:
In this paper we identify requirements for choosing a threat modelling formalisation for modelling sophisticated malware such as Duqu 2.0. We discuss the gaps in current formalisations and propose the use of Attack Trees with Sequential Conjunction when it comes to analysing complex attacks. The paper models Duqu 2.0 based on the latest information sourced from formal and informal sources. This paper provides a well-structured model which can be used for future analysis of Duqu 2.0 and related attacks.
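An added example of what the sequential-conjunction operator buys an analyst (this is not the paper's Duqu 2.0 model; the tree below is a generic, constructed intrusion and its labels are placeholders). Leaves are attacker steps, OR picks one child, AND requires all children in any interleaving, and SAND requires all children in the stated order. Under this trace-set semantics (a simplification of the series-parallel semantics used in the literature) each tree denotes the set of step sequences that achieve the root, and the steps common to every sequence are the choke points where a detection pays off most.

```python
from itertools import product


# A leaf is a string; an operator node is (op, [children]).
def OR(*kids):
    return ("OR", list(kids))


def AND(*kids):
    return ("AND", list(kids))


def SAND(*kids):
    return ("SAND", list(kids))


def shuffle(a, b):
    """All interleavings of sequences a and b that keep each one's internal order."""
    if not a:
        return {tuple(b)}
    if not b:
        return {tuple(a)}
    return ({(a[0],) + s for s in shuffle(a[1:], b)} |
            {(b[0],) + s for s in shuffle(a, b[1:])})


def sequences(node):
    """Set of attack sequences (tuples of leaf labels) that achieve `node`."""
    if isinstance(node, str):
        return {(node,)}
    op, kids = node
    child_sets = [sequences(k) for k in kids]
    if op == "OR":                                   # any one child suffices
        return set().union(*child_sets)
    if op == "SAND":                                 # children strictly in order
        return {sum(combo, ()) for combo in product(*child_sets)}
    if op == "AND":                                  # all children, any interleaving
        result = {()}
        for cs in child_sets:
            result = {s for r in result for c in cs for s in shuffle(r, c)}
        return result
    raise ValueError(op)


def mandatory_steps(node):
    """Steps that appear in every successful sequence: candidate detection choke points."""
    return set.intersection(*(set(seq) for seq in sequences(node)))


# Constructed illustrative tree (placeholder step names, not Duqu 2.0 specifics).
TREE = SAND(
    OR("spear-phishing", "exploit-exposed-service"),        # one initial foothold
    AND("harvest-credentials", "map-domain"),                # both, in either order
    SAND("move-to-server", "collect-data", "exfiltrate"),    # strictly ordered
)

if __name__ == "__main__":
    for seq in sorted(sequences(TREE)):
        print(" -> ".join(seq))
    print("mandatory:", sorted(mandatory_steps(TREE)))
```

Swapping the outer SAND for a plain AND would admit sequences in which exfiltration precedes the foothold, which is why a formalism without ordering over-approximates an attack like this and why the mandatory-step set is only meaningful once order is part of the model.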
Abstract:
Synchrophasors have become an important part of the modern power system and numerous applications have been developed covering wide-area monitoring, protection and control. Most applications demand continuous transmission of synchrophasor data across large geographical areas and require an efficient communication framework. IEEE C37.118-2 has evolved into one of the most successful synchrophasor communication standards and is widely adopted. However, it lacks a predefined security mechanism and is highly vulnerable to cyber attacks. This paper analyzes different types of cyber attacks on IEEE C37.118-2 communication systems and evaluates their possible impact on any developed synchrophasor application. Further, the paper also recommends an efficient security mechanism that can provide strong protection against cyber attacks. Although IEEE C37.118-2 has been widely adopted, there is no clear understanding of its requirements and limitations. To this end, the paper also presents a detailed performance evaluation of IEEE C37.118-2 implementations which could help determine required resources and network characteristics before designing any synchrophasor application.
Abstract:
The complexity of modern SCADA networks and their associated cyber-attacks requires an expressive but flexible manner for representing both domain knowledge and collected intrusion alerts with the ability to integrate them for enhanced analytical capabilities and better understanding of attacks. This paper proposes an ontology-based approach for contextualized intrusion alerts in SCADA networks. In this approach, three security ontologies were developed to represent and store information on intrusion alerts, Modbus communications, and Modbus attack descriptions. This information is correlated into enriched intrusion alerts using simple ontology logic rules written in Semantic Query-Enhanced Web Rules (SQWRL). The contextualized alerts give analysts the means to better understand evolving attacks and to uncover the semantic relationships between sequences of individual attack events. The proposed system is illustrated by two use case scenarios.
Abstract:
This paper investigated using lip movements as a behavioural biometric for person authentication. The system was trained, evaluated and tested using the XM2VTS dataset, following the Lausanne Protocol configuration II. Features were selected from the DCT coefficients of the greyscale lip image. This paper investigated the number of DCT coefficients selected, the selection process, and static and dynamic feature combinations. Using a Gaussian Mixture Model - Universal Background Model framework, an Equal Error Rate of 2.20% was achieved during evaluation, and on an unseen test set a False Acceptance Rate of 1.7% and a False Rejection Rate of 3.0% were achieved. This compares favourably with face authentication results on the same dataset whilst not being susceptible to spoofing attacks.
Abstract:
Side-channel attacks permit the recovery of the secret key held within a cryptographic device. This paper presents a new EM attack in the frequency domain, using a power spectral density analysis that permits the use of variable spectral window widths for each trace of the data set, and demonstrates how this attack can therefore overcome both inter- and intra-round random insertion type countermeasures. We also propose a novel re-alignment method exploiting the minimal power markers exhibited by electromagnetic emanations. The technique can be used for the extraction and re-alignment of round data in the time domain.
Abstract:
This paper presents a new encryption scheme implemented at the physical layer of wireless networks employing orthogonal frequency-division multiplexing (OFDM). The new scheme obfuscates the subcarriers by randomly reserving several subcarriers for dummy data and resequences the training symbol by a new secure sequence. Subcarrier obfuscation renders the OFDM transmission more secure and random, while training symbol resequencing protects the entire physical layer packet, but does not affect the normal functions of synchronization and channel estimation of legitimate users while preventing eavesdroppers from performing these functions. The security analysis shows the system is robust to various attacks by analyzing the search space using an exhaustive key search. Our scheme is shown to have a better performance in terms of search space, key rate and complexity in comparison with other OFDM physical layer encryption schemes. The scheme offers options for users to customize the security level and key rate according to the hardware resource. Its low complexity nature also makes the scheme suitable for resource limited devices. Details of practical design considerations are highlighted by applying the approach to an IEEE 802.11 OFDM system case study.
Abstract:
The occurrence of Bursaphelenchus species in the Czech Republic is poorly known, the first report of the genus being made by Kubátová et al. (2000) who reported the association of B. eremus with the hyphomycetous microfungus, Esteya vermicola, and the bark beetle, Scolytus intricatus, collected from Quercus robur, in central Bohemia. To date, four other species have been reported from the country, namely B. fungivorus (Braasch et al., 2002), B. hofmanni (see Braasch, 2001), B. mucronatus (see Braasch, 2001) and B. vallesianus (Gaar et al., 2006). More recently, a survey for Bursaphelenchus species associated with bark- and wood-boring insects in the Czech Republic identified B. pinophilus Brzeski & Baujard, 1997 from the Moravia region. Although this represents a new country record, it was also associated with nematangia on the hind wings of a new insect vector. A total of 404 bark- and wood-boring insects were collected from declining or symptomatic trees and screened for the presence of Bursaphelenchus. Bark and longhorn beetles were captured manually after debarking parts of the trunk displaying symptoms of insect attacks. Longhorn beetle larvae were also collected together with logs cut from the trunk. Logs were kept at room temperature in the laboratory until insect emergence. Each adult insect was individually dissected in water and examined for nematodes. All nematodes resembling dauer juveniles of Bursaphelenchus were collected and identified by molecular characterisation using a region of ribosomal DNA (rDNA) containing the internal transcribed spacer regions ITS1 and ITS2. ITS-RFLP analyses using five restriction enzymes (AluI, HaeIII, HinfI, MspI, RsaI) were performed to generate the species-specific profile according to Burgermeister et al. (2009). Species identification was also confirmed by morphological data after culture of the dauers on Botrytis cinerea Pers. ex Ft., growing in 5% malt extract agar.
During this survey, only species belonging to the Curculionidae, subfamily Scolytinae, revealed the presence of nematodes belonging to Bursaphelenchus. Dauers of this genus were found aggregated under the elytra in nematangia formed at the root of the hind wings (Fig. 1). The dauers were identified from 12 individuals of Pityogenes bidentatus (Herbst, 1783) (Coleoptera: Scolytinae) collected under the bark of Pinus sylvestris trunks. Each insect carried ca 10-100 dauers. The ITS-RFLP patterns of the dauers so obtained confirmed the identification of B. pinophilus associated with this insect species. Bursaphelenchus pinophilus has been found mainly in Europe and has been reported from various countries such as Poland (Brzeski & Baujard, 1997), Germany (Braasch, 2001), and Portugal (Penas et al., 2007). The recent detection of this species associated with dead P. koraiensis in Korea (Han et al., 2009) expands its geographical distribution and potential importance. It has been found associated only with Pinus species, but very little is known about the insect vector. The bark beetle, Hylurgus ligniperda, was initially suggested as the insect vector by Penas et al. (2006), although the nematode associated with this insect was later reclassified as B. sexdentati by morphological and molecular analysis (Penas et al., 2007). According to the literature, P. bidentatus has been cited as a vector of Ektaphelenchus sp. (Kakuliya, 1966) in Georgia, and an unidentified nematode species in Spain (Robertson et al., 2008). Interestingly, B. pinophilus was found in the nematangia formed at the root of the hind wings of P. bidentatus. Although this phenomenon is not so common in other Bursaphelenchus species, B. rufipennis has been found recently in such a structure on the hind wings of the insect Dendroctonus rufipennis (Kanzaki et al., 2008). Although other nematode species (e.g., Ektaphelenchus spp.) are frequently found associated within the same nematangia (see Kanzaki et al., 2008), in this particular case, only dauers of B. pinophilus were identified. The association between B. pinophilus and P. bidentatus represents the first report of this biological association, and the association with the Scolytinae strengthens the tight and specific links between this group of Bursaphelenchus species and members of the Scolytinae (Ryss et al., 2005).
Abstract:
Keywords: Internet Traffic, Internet Applications, Internet Attacks, Traffic Profiling, Multi-Scale Analysis
Nowadays, the Internet can be seen as an ever-changing platform where new and different types of services and applications are constantly emerging. In fact, many of the existing dominant applications, such as social networks, have appeared recently, being rapidly adopted by the user community. All these new applications required the implementation of novel communication protocols that present different network requirements, according to the service they deploy. All this diversity and novelty has led to an increasing need to accurately profile Internet users, by mapping their traffic to the originating application, in order to improve many network management tasks such as resource optimization, network performance, service personalization and security. However, accurately mapping traffic to its originating application is a difficult task due to the inherent complexity of existing network protocols and to several restrictions that prevent the analysis of the contents of the generated traffic. In fact, many technologies, such as traffic encryption, are widely deployed to assure and protect the confidentiality and integrity of communications over the Internet. On the other hand, many legal constraints also forbid the analysis of the clients' traffic in order to protect their confidentiality and privacy. Consequently, novel traffic discrimination methodologies are necessary for accurate traffic classification and user profiling. This thesis proposes several identification methodologies for accurate Internet traffic profiling while coping with the different mentioned restrictions and with the existing encryption techniques. By analyzing the several frequency components present in the captured traffic and inferring the presence of the different network and user related events, the proposed approaches are able to create a profile for each one of the analyzed Internet applications. The use of several probabilistic models will allow the accurate association of the analyzed traffic to the corresponding application. Several enhancements will also be proposed in order to allow the identification of hidden illicit patterns and the real-time classification of captured traffic. In addition, a new network management paradigm for wired and wireless networks will be proposed. The analysis of the layer 2 traffic metrics and the different frequency components that are present in the captured traffic allows an efficient user profiling in terms of the used web application. Finally, some usage scenarios for these methodologies will be presented and discussed.
Abstract:
Polychaete annelids are important elements of estuarine and coastal environments, owing to their high biodiversity and abundance and to the role they play in food webs. Some species are intensively harvested for use as bait in recreational and commercial fishing, as is the case of Diopatra neapolitana. Despite its economic importance, few studies exist on its biology and ecology. During this study, two other species of the genus Diopatra were identified in Portugal: D. marocensis, originally described from the coast of Morocco and whose current distribution is now known to extend along the entire Portuguese coast and northern Spain, and D. micrura, a species new to science. The main objectives of the present study are to investigate the diversity and reproduction of the genus Diopatra, as well as the regeneration capacity of D. neapolitana. This work addresses the spatial distribution of D. marocensis along the Portuguese coast and describes D. micrura, a new species of the genus Diopatra Audouin and Milne Edwards, 1833. The three species co-occur in transitional waters, where D. micrura and D. marocensis are easily confused with juveniles of D. neapolitana. A morphological and genetic comparison of the three species was carried out. In some areas of the Ria de Aveiro, D. neapolitana coexists with D. marocensis. Although these two species show very different reproductive patterns, May to August is the main reproductive period for both. D. neapolitana has planktonic larval development; the oocytes present in the coelomic cavity are greenish, 40-240 μm in diameter (mean = 164.39 ± 40.79 μm), and females carry thousands of oocytes in the coelom. In contrast, D. marocensis reproduces by direct development inside the parental tube.
The oocytes observed in the coelom are yellow, 180-740 μm in diameter (mean = 497.65 ± 31.38 μm), and number between 44 and 624 (276.85 ± 161.54). The number of eggs observed inside the tubes varies between 75 and 298, with diameters between 600 and 660 μm, and the number of larvae between 60 and 194. The male:female ratio was 1:1 for the D. neapolitana population and between 1:2 and 1:4 for the D. marocensis population, in which females dominate the population throughout the year. The study of the regeneration capacity of D. neapolitana, assessed through laboratory experiments, showed that this species is able to survive the loss of some setigers. When D. neapolitana is collected for sale as bait, more than 20 setigers are usually cut off, and according to our results the posterior end left in the tube is not able to regenerate the anterior end; the species can, however, recover from predator attacks.