HUT - TML - Studies - Tik-110.501 - Introduction of topics

TML / Studies / Tik-110.501 / Topics

Seminar on Network Security
Introduction of the topics and some material for the session of
Encryption schemes in mobile security

Public-key Broadcast Encryption
Tutor: Helger Lipmaa
We look at the next scenario. A server broadcasts some content, encrypted once by using her public encryption key, to the clients, who have prepaid for the services. Every legitimate client has his own secret decryption key, that can be used to decrypt the broadcast. It should be impossible for a collusion of less than k clients (pirates), for some fixed sufficiently big k, to create a new decryption key that cannot be traced back to themselves. Several more or less efficient protocols are known for this, including Boneh-Franklin (Crypto '99). Unfortunately, the latter is impractical.
REQUIRES:
Knowledge about public-key cryptosystems and error-correcting codes, skills in reading mathematical texts, ambitions to do high-level research.
TARGET:
To improve upon Boneh-Franklin scheme, if possible.
LITERATURE:

D. Boneh and M. Franklin, "An efficient public key traitor tracing scheme", Crypto '99. Available from http://crypto.stanford.edu/~dabo/abstracts/traitors.html

D. Boneh and J. Shaw, "Collusion secure fingerprinting for digital data", IEEE Trans. on Information Theory, 1998. Available from http://crypto.stanford.edu/~dabo/abstracts/finger.html

Fast Public-key Cryptosystems
Tutor: Helger Lipmaa
Mobile devices have restricted resources. Even the newer Palm Pilots are too slow for the standard public-key cryptosystems like RSA. However, lately several fast cryptosystems have been proposed. The goal of this topic is to make a survey, backed---if possible---with an actual optimized implementation, of the NTRU and the braid groups based cryptosystems, comparing encryption/decryption performance, key generation performance and memory requirements to those of RSA and elliptic curve cryptosystems.
REQUIRES:
Skills in reading mathematical text, experience in optimizing, strong mathematical background.
TARGET:
A survey, based on actual implementations.
LITERATURE:
Birman, Ko, Lee, "A new approach to the word and conjugacy problems in the braid groups", Advances in Mathematics, 1998. Available from http://www.math.columbia.edu/~jb/papers.html

Ki Hyoung Ko, Sang Jin Lee, Jung Hee Cheon, Jae Woo Han, Ju-sung Kang, Choonsik Park, "New Public-key Cryptosystem using Braid Groups", Crypto '2000. Available from http://knot.kaist.ac.kr/~sjlee/#Publications

Hoffstein, Pipher, Silverman, "NTRU: A Public Key Cryptosystem", a submission to the IEEE P1363A standards group. Available from http://grouper.ieee.org/groups/1363/StudyGroup/NewFam.html#HPS

NTRU website, http://www.ntru.com/technology, has introduction to fast implementations of NTRU.

WTLS failure
Tutor: Catharina Candolin
When the WAP Consortium designed the WTLS protocol, they simply modified the TLS protocol to suit the needs of a wireless environment. However, these modifications introduced several weaknesses into the protocol.
The topic requires a thorough analysis of the WTLS protocol, as well as a discussion of how this affects WAP security in general.
LITERATURE
Saarinen, M-J, Attacks against the WAP WTLS protocol, University of Jyväskylä

RFC 2246, The TLS protocol

WAP Forum: WAP WTLS, Wireless Application Protocol Wireless Transport Layer Security Specification

Khare, R., W* Effect considered harmful, http://www.freeprotocols.org/harmOfWap/IEEE-L7-WAP-BIG.html

Design principles of KASUMI
Tutor: Kaisa Nyberg
KASUMI block cipher has been adopted as the core algorithm for the third generation mobile network integrity and confidentiality algorithms. The task in this topic is to study and review the mathematical fundaments on which the security of KASUMI. Special attention is been paid to achieve resistance against linear and differential attack. A couple of good papers by Mituru Matsui, the co-designer of KASUMI, is available on this topic, which suits best to a mathematically oriented student.
SOME BACKGROUND TO THE DESIGN AND EVALUATION WORK
The development of standardised 3GPP confidentiality and integrity algorithms was a major task that was to be conducted within a very short time period. There was a need for strong algorithms with a high degree of confidence, and the ETSI SAGE group decided on the following strategies for the work:
Start with a cryptographic core based upon a public known block cipher that had already undergone extensive evaluation. Mitsubishi Electronic Corporation from Japan offered the MISTY1 algorithm for use in 3GPP. ETSI SAGE and 3GPP TSG SA3 agreed to select this design as the starting point for the work. MISTY1 was published at the Fast Software Encryption conference in 1997. The specifications of MISTY1 can be found at http://www.mitsubishi.com/ghp_japan/misty/index.htm
Expand the design team with experts outside the ETSI SAGE group.
Invite interested manufacturers to participate in the design and evaluation process using their own cryptographic expertise.
Perform additional evaluation by inviting several leading researchers for independent review of the final design. Based upon the 3GPP requirements and the work conducted by the task force, a modified version of MISTY1 was developed and named KASUMI. KASUMI is the cryptographic engine of the 3GPP encryption and integrity algorithms f8 and f9.

Long-term Non-repudiation and Accountable Certificate Management
Tutor: Helger Lipmaa
One of the crucial applications of cryptography is to guarantee long-term non-repudiation of digital signatures, so that they could could replace the pencil signatures in many critical and high-budget applications. An example here is a long-term bank loan. For this, one needs accountable certificate management and time-stamping, which would not base on the trust on some central authority. I and my coauthors have published recently several papers on this subject, but a coherent survey is still missing.
REQUIRES:
Skills in reading mathematical text.
TARGET:
To write a survey of recent research in accountable certificate management and time-stamping.
LITERATURE:
(Available from http://www.tml.hut.fi/~helger/cuculus/)

Ahto Buldas, Peeter Laud, Helger Lipmaa, Jan Villemson, "Time-Stamping with Binary Linking Schemes", Crypto '98.

Ahto Buldas, Helger Lipmaa, Berry Schoenmakers, "Optimally Efficient Accountable Time-Stamping", Public Key Cryptography '2000.

Ahto Buldas, Peeter Laud, Helger Lipmaa, "Accountable Certificate Management using Undeniable Attestations", ACM CCS 2000.

Attacks against A5
Tutor: Kaisa Nyberg
The purpose of this topic is to give an overview of the most important attacks on the (alleged) A5/1 stream cipher algorithm, which is used in the GSM system to encrypt the digitized speech over the air interface between the mobile terminal and the base station.
At least the attacks by Golic (1997) and by Biryukov-Shamir (1999) should be covered. The student is expected to have (or to acquire) some knowledge about commonly used stream cipher components such as linear feedback shift registers.
Biryukov-Shamir:
"A5/1 is the strong version of the encryption algorithm used by about 100 million GSM customers in Europe to protect the over-the-air privacy of their cellular voice and data communication. The best published attacks against it require between 2^40 and 2^45 steps. This level of security makes it vulnerable to hardware-based attacks by large organizations, but not to software-based attacks on multiple targets by hackers.
In this paper we describe a new attack on A5/1, which is based on subtle flaws in the tap structure of the registers, their noninvertible clocking mechanism, and their frequent resets. The attack can find the key in less than a second on a single PC with 128 MB RAM and two 73 GB hard disks, by analysing the output of the A5/1 algorithm in the first two minutes of the conversation. The attack requires a one time parallelizable data preparation stage whose complexity can be traded-off between 2^37 and 2^48 steps. The attack was verified with an actual implementation, except for the preprocessing stage which was extensively sampled rather than completely executed.
Remark: The attack is based on the unofficial description of the A5/1 algorithm at http://www.scard.org. Discrepancies between this description and the real algorithm may affect the validity or performance of our attack."

Key management in ad-hoc networks
Tutor: Tuomas Aura
Required prior skills:
Some knowledge of cryptography and key exchange protocols (can you explain Diffie-Hellman?) and sufficient interest to read theoretical papers is needed.
Ad-hoc networks are formed on demand and without any pre-existing infrastructure such as trusted servers. Key exchange in ad-hoc networks takes often place between the members of a group - as opposed to between a server and a client - and is authenticated with a manually distributed shared secret. The shared secret may be a weak one such as a password or a short random number. Hence, there are two problems to solve: (1) efficient group key exchange and (2) protection against password guessing attacks.
Two approaches to the group key exchange:

Giuseppe Ateniese and Michael Steiner and Gene Tsudik, New multiparty authentication services and key agreement protocols, IEEE Journal on Selected Areas in Communications, 18 (4), April 2000, pp. 628-640.
Mike Burmester and Yvo Desmedt, A secure and efficient conference key distribution system, Advances in Cryptology - EUROCRYPT '94, Lecture notes in Computer Science 950, Perugia, Italy, May 1994, Springer 1994, pp. 275--286.

Protecting passwords

Steven M. Bellovin and Michael Merrit, Encrypted key exchange: password-based protocols secure against dictionary attacks, Proc. 1992 IEEE Symposium on Research in Security and Privacy, Oakland, CA USA, May 1992, IEEE Computer Society Press 1992, pp. 72--84.

I can provide the above and some related articles that necessary for this work. The seminar paper should describe the above protocols and other related work. The aim should be to show show how password authentication can be combined with a group key exchange protocol.

This page is maintained by Network Security teaching staff, E-mail: netsec@tml.hut.fi.
The page has been last updated on August 29, 2000
URL: http://www.tml.hut.fi/Opinnot/Tik-110.501/2000/intro/encryption.html