835 results for Automated Cryptanalysis
Abstract:
This report summarizes our results from security analysis covering all 57 first-round candidates of the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) and over 210 implementations. We have manually identified security issues with three candidates, two of which are more serious, and these ciphers have been withdrawn from the competition. We have developed a testing framework, BRUTUS, to facilitate automatic detection of simple security lapses and susceptible statistical structures across all ciphers. From this testing, we have security usage notes on four submissions and statistical notes on a further four. We highlight that some of the CAESAR algorithms pose an elevated risk if employed in real-life protocols due to a class of adaptive-chosen-plaintext attacks. Although authenticated encryption with associated data algorithms are often defined (and are best used) as discrete primitives that authenticate and transmit only complete messages, in practice, these algorithms are easily implemented in a fashion that outputs observable ciphertext data when the algorithm has not received all of the (attacker-controlled) plaintext. For an implementor, this strategy appears to offer seemingly harmless and compliant storage and latency advantages. If the algorithm uses the same state for secret keying information, encryption, and integrity protection, and the internal mixing permutation is not cryptographically strong, an attacker can exploit the ciphertext–plaintext feedback loop to reveal secret state information or even keying material. We conclude that the main advantages of exhaustive, automated cryptanalysis are that it acts as a very necessary sanity check for implementations and gives the cryptanalyst insights that can be used to focus more specific attack methods on given candidates.
Abstract:
Timely feedback is a vital component in the learning process. It is especially important for beginner students in Information Technology since many have not yet formed an effective internal model of a computer that they can use to construct viable knowledge. Research has shown that learning efficiency is increased if immediate feedback is provided for students. Automatic analysis of student programs has the potential to provide immediate feedback for students and to assist teaching staff in the marking process. This paper describes a “fill in the gap” programming analysis framework which tests students’ solutions and gives feedback on their correctness, detects logic errors and provides hints on how to fix these errors. Currently, the framework is being used with the Environment for Learning to Programming (ELP) system at Queensland University of Technology (QUT); however, the framework can be integrated into any existing online learning environment or programming Integrated Development Environment (IDE).
Abstract:
Most buildings constructed in Australia must comply with the Building Code of Australia (BCA). Checking for compliance against the BCA is a major task for both designers and building surveyors. This project carries out a prototype research using the EDM Model Checker and the SMC Model Checker for automated design checking against the Building Codes of Australia for use in professional practice. In this project, we develop a means of encoding design requirements and domain specific knowledge for building codes and investigate the flexibility of building models to contain design information. After assessing two implementations of EDM and SMC that check compliance against deemed-to-satisfy provision of building codes relevant to access by people with disabilities, an approach to automated code checking using a shared object-oriented database is established. This project can be applied in other potential areas – including checking a building design for non-compliance of many types of design requirements. Recommendations for future development and use in other potential areas in construction industries are discussed.
Abstract:
The automation of various aspects of air traffic management has many wide-reaching benefits including: reducing the workload for Air Traffic Controllers; increasing the flexibility of operations (both civil and military) within the airspace system through facilitating automated dynamic changes to en-route flight plans; ensuring safe aircraft separation for a complex mix of airspace users within a highly complex and dynamic airspace management system architecture. These benefits accumulate to increase the efficiency and flexibility of airspace use(1). Such functions are critical for the anticipated increase in volume of manned and unmanned aircraft traffic. One significant challenge facing the advancement of airspace automation lies in convincing air traffic regulatory authorities that the level of safety achievable through the use of automation concepts is comparable to, or exceeds, the accepted safety performance of the current system.
Abstract:
Automated Scheduler is a prototype software tool that automatically prepares a construction schedule together with a 4D simulation of the construction process from a 3D CAD building model.
Abstract:
This paper provides a fresh analysis of the widely-used Common Scrambling Algorithm Stream Cipher (CSA-SC). Firstly, a new representation of CSA-SC with a state size of only 89 bits is given, a significant reduction from the 103-bit state of a previous CSA-SC representation. Analysis of this 89-bit representation demonstrates that the basis of a previous guess-and-determine attack is flawed. Correcting this flaw increases the complexity of that attack so that it is worse than exhaustive key search. Although that attack is not feasible, the reduced state size of our representation makes it obvious that CSA-SC is vulnerable to several generic attacks, for which feasible parameters are given.