Dylan Clarke

Deleting Secret Data with Public Verifiability

Existing software-based data erasure programs can be summarized as following the same one-bit-return protocol: the deletion program performs data erasure and returns either success or failure. However, such a one-bit-return protocol turns the data deletion system into a black box-the user has to trust the outcome but cannot easily verify it. This is especially problematic when the deletion program is encapsulated within a Trusted Platform Module (TPM), and the user has no access to the code inside. In this paper, we present a cryptographic solution that aims to make the data deletion process more transparent and verifiable. In contrast to the conventional black/white assumptions about TPM (i.e., either completely trust or distrust), we introduce a third assumption that sits in between: namely, “trust-but-verify”. Our solution enables a user to verify the correct implementation of two important operations inside a TPM without accessing its source code: i.e., the correct encryption of data and the faithful deletion of the key. Finally, we present a proof-of-concept implementation of the SSE system on a resource-constrained Java card to demonstrate its practical feasibility. To our knowledge, this is the first systematic solution to the secure data deletion problem based on a “trust-but-verify” paradigm, together with a concrete prototype implementation.

Cryptanalysis of the Dragonfly key exchange protocol

Dragonfly is a password authenticated key exchange protocol that has been submitted to the Internet engineering task force as a candidate standard for general internet use. The authors analysed the security of this protocol and devised an attack that is capable of extracting both the session key and password from an honest party. This attack was then implemented and experiments were performed to determine the time-scale required to successfully complete the attack.

Verifiable Classroom Voting: Where Cryptography Meets Pedagogy

In this paper, we propose – and have implemented – the first verifiable classroom voting system. The subject of secure classroom voting has so far received almost no attention from the security community. Though several commercial classroom voting systems have been available, none of them is verifiable. State-of-the-art verifiable voting protocols all rely on finding a set of trustworthy tallying authorities (who are essentially cryptographers and computer experts) in the first place, and hence are completely unsuitable for classroom voting. Our system design is based on “self-enforcing e-voting” – a new paradigm that was first presented at SPW’12 (Hao, Randell and Clarke). A self-enforcing e-voting scheme provides the same End-to-End (E2E) verifiability as other e-voting schemes but without involving any tallying authorities. The removal of tallying authorities brings several compelling advantages in real-world voting scenarios – here, classroom voting is just one example. We have piloted the use of the developed verifiable classroom voting system in real classroom teaching. Based on our preliminary trial experience, we believe the system is not only scientifically valuable, but also pedagogically useful.

E-Commerce with Rich Clients and Flexible Transactions

In this paper we describe an approach for implementing a shopping cart program using rich clients. We assume our client is not always connected to the server side during a purchase. We utilize the well known approach known as flexible transactions to afford a best effort approach to successfully complete a purchase order. Our approach is timely as commercial solutions for rich client technology (such as adobe air) is now a realistic proposition for many Internet application developers.

Assessing the attack resilience capabilities of a fortified primary-backup system

Primary-Backup service replication does not constrain that the service be built as a deterministic state machine. It is meant to tolerate crashes, not intrusions. We consider an approach, called FORTRESS, for adding intrusion-resilience capability to a primary-backup server system. It involves using proxies that block clients from directly accessing servers, and periodically randomizing the executables of proxies and servers. We argue that proxies and proactive randomization can offer sound defense against attacks including de-randomization attacks. Using simulations, we then compare the attack resilience that FORTRESS adds to a primary-backup server system with that attainable through state machine replication (SMR) that is fit only for deterministic services. A significant observation is that FORTRESS emerges to be more resilient than an SMR system of four server replicas that are diversely randomized at the start and are subject to proactive recovery throughout.

Analysis of issues and challenges of E-voting in the UK

Official trials were conducted of a number of e-voting systems in the UK in 2002/3 and 2007 during local government elections, yet none of these test systems were subsequently used in any further elections, and all trials were suspended in 2008. We describe these trials, concentrating on the second more extensive 2007 trial, and how their results were received. Based on these events, we consider the key challenges involved in introducing current e-voting systems into the present system of UK national and local elections, and what general implications this may have for achieving practical take-up of e-voting within the UK.

Proactive Fortification of Fault-Tolerant Services

We present an approach for incorporating intrusion resilience to replicated services, irrespective of the service replication used and of the fault types tolerated. The approach, termed as FORTRESS, involves fortifying a fault-tolerant service using proxies that block clients from accessing the servers directly, and periodically refreshing proxies and servers with diverse executables generated using code randomization. These two features make it hard for an attacker to compromise a server when no proxy has been compromised. An analytical evaluation establishes that if attackers cannot intrude servers without first having compromised a proxy, fortifying even a passively replicated service can offer greater resilience than building that service as a deterministic state machine and actively replicating it over diverse platforms. Finally, the FORTRESS architecture is presented where proactive code randomization is achieved by proactive replacement of server and proxy nodes. Examining the state transfer protocol executed during node replacement shows that the processing overhead per replacement is no more than the overhead for changing the leader or the primary replica in replication management.

FORTRESS: Adding Intrusion-Resilience to Primary-Backup Server Systems

Primary-backup replication enables arbitrary services, which need not be built as deterministic state machines, to be reliable against server crashes. Further, when the primary does not crash, the performance can be close to that of an un-replicated, 1-server system and is arguably far better than what state machine replication can offer. These advantages have made primary-backup replication a widely used technique in commercial provisioning of services, even though the technique assumes that residual software bugs in a server system can lead only to crashes and cannot result in state corruption. This assumption cannot hold against an attacker intent on exploiting vulnerabilities and corrupting the service state when attacks lead to intrusions. This paper presents a system, called FORTRESS, which can encapsulate a primary-backup system and safeguard it from being intruded. At its core, FORTRESS applies proactive obfuscation techniques in a manner appropriate to primary-backup replication and deploys proxy servers for additional defence. Gain in intrusion resilience is shown to be substantial when assessed through analytical evaluations and simulations for a range of attacker scenarios. Further, by implementing two web-based applications, the average performance drop is demonstrated to be in the order of tens of milliseconds even when obfuscation intervals are as small as tens of seconds.

Verifiable Classroom Voting in Practice

This article presents a verifiable classroom voting (VCV) system, which provides end-to-end verifiability without tallying authorities. VCV supports voting through mobile phones with constrained computing resources, and reports the tallying results instantly after voting is finished along with cryptographic proofs that enable the public to verify the tallying integrity.

End to End Security is Not Enough (Transcript of Discussion)

The idea behind this presentation originated when I was looking at e-voting. I was looking specifically at end-to-end systems, implementing them and considering what can go wrong. Now, there’s a bit of factionalization within e-voting research. A lot of people believe end-to-end verifiability is all you need for integrity. Then there’s a smaller faction who believe, “No, it’s more about reliability. It’s audit logs. It’s things like that.” I was giving some talks on this and one thing that came up a lot was the Estonian e-voting system. The Estonian system tends to get a lot of criticism in the literature because initially it wasn’t end-to-end verifiable, and there’s still debate about whether it is now, but on the other hand the Estonian system has some very nice things to do with logs and auditability in it, which I think maybe some other systems could learn from.