Francisco Rico-Novella

Balanced batch LKH: new proposal, implementation and performance evaluation

Perfect secrecy can only be achieved in multicast groups by ciphering data sent to the group with a different key every time a member joins or leaves the group. A key server must send the new key to all the remaining members so bandwidth efficiency concerns appear. Logical key tree algorithms reduce the number of messages to be sent, but in many scenarios, rekeying after each membership change has no sense. Batch rekeying algorithms are proposed as a solution to these problems. However such methods need to maintain the logical key tree balanced all the time on order to achieve maximum bandwidth efficiency. This paper presents a new technique for multicast batch rekeying. This technique reallocates the tree nodes in order to keep the tree balanced all the time.

Improved LKH for batch rekeying in multicast groups

Storage, delivery and update of cryptographic keys are the most important items to study in multicast security. Traditionally a centralized trusted third party called the key server (KS) performs these actions. Different works have been presented that address the issue of minimizing storage for KS and required bandwidth for updating keys. Our research group has been working in a method for multicast rekeying using a broadcast encryption technique and pseudo-random functions in order to reduce number of sent messages for rekeying and minimize the number of keys to store by the KS. We apply this technique to batch rekeying and present performance evaluation for different benchmark scenarios. We conclude that the technique is suitable for group joining and leaving and in some cases performs better behavior than other existing methods.

Efficient Certificate Path Validation and Its Application in Mobile Payment Protocols

Certification path validation is a complex task that implies high computational cost. In this process is necessary to verify the binding between the owner of the certificate and his public key. In SET protocol, the customer and merchant require to verify the certification path of their certificates to trust each other. The customer and merchant carry out several cryptographic operations to complete SET protocol including the authentication process. Because mobile devices are limited in terms of processing and storage capacities, it is relevant to reduce the computational cost required by the cryptographic operations. In this paper, we apply TRUTHC (Trust Relationship Using Two Hash Chains) to reduce the computational cost of cryptographic operations carried out by the customer and merchant to complete the certification path validation. In addition, we compare the results using RSA and ECDSA protocols, with a typical PKI.

Group Rekeying Algorithm Using Pseudo-random Functions and Modular Reduction

The grid is one of the most evident examples of cooperation between a group of network entities. If secure transactions want to be supported within this group a secret key shared by all these entities is needed. The session key should be sent to all authorized users and updated every time the grid group changes. This is the only way of achieving perfect forward and backward secrecy. Traditionally these actions are performed by a centralized trusted third party called the Key Server (KS). Different works for minimizing the storage need for KS and reducing the required bandwidth for updating keys have been presented. We present a method for group rekeying using pseudo-random functions and modular reduction. This method minimizes the number of keys to store by the KS and reduces the required bandwidth for updating the keying material.

Study of mobile payment protocols and its performance evaluation on mobile devices

Mobile payment protocols must provide security services (e.g., authentication, authorisation, integrity, privacy and non-repudiation), but the features of mobile devices make it a difficult task, especially when the service requires to perform public key operations. It is very well known, that the public key operations require high execution time of the CPU and battery consumption. In this paper, we computed the computational cost required by each entity in five mobile payment protocols. In addition, we computed the transmission time of each message among different entities. The exchange of message was done using Bluetooth technology. The performance evaluation of each mobile payment protocol defines its feasibility according with the whole time expending during the protocol considering its computational cost and transmission time.

Reducing the computational cost of certification path validation in mobile payment

PKI can improve security of mobile payments but its complexity has made difficult its use in such environment. Certificate path validation is complex in PKI. This demands some storage and processing capacities to the verifier that can exceed the capabilities of mobile devices. In this paper, we propose TRUTHC to reduce computational cost of mobile payment authentication. TRUTHC replaces verification operations with hash operations. Results show a better reduction of the cost with ECDSA than with RSA

Mobile Payment Protocol for Micropayments: Withdrawal and Payment Anonymous

This paper presents an efficient and practical protocol to carry out micropayments, based on the use of anonymous mobile cash, that provides anonymity and unlinkability to customers. The mobile cash used in the protocol can be of different value and denomination. It is official after a bank signs it with a specific private key. The bank stores the relation between the mobile cashs value and its corresponding public key. The scheme prevents double spending and forgery attacks. A mobile device that supports Java applications and Bluetooth technology is required. Through the use of pseudonym certificates customers can be authenticated using WTLS protocol without disclosing personal information. The protocol requires a low computational cost.

Security Improvement of Two Dynamic ID-based Authentication Schemes by Sood-Sarje-Singh

In 2010, Sood-Sarje-Singh proposed two dynamic ID-based remote user authentication schemes. The first schemeis a security improvement of Liao et al.’s scheme and the second scheme is a security improvement of Wang etal.’s scheme. In both cases, the authors claimed that their schemes can resist many attacks. However, we find thatboth schemes have security flaws. In addition, their schemes require a verification table and time-synchronization,making the schemes unfeasible and unsecured for electronic services. In order to remedy the security flaws ofSood et al.’s schemes, we propose a robust scheme which resists the well-known attacks and achieves all thedesirable security goals.

Efficient remote user authentication scheme using smart cards

In 2009, Kim-Chung proposed a secure remote user authentication scheme. In this paper, we show that Kim-Chung|s scheme does not establish a session key. Moreover, the scheme requires time-synchronisation. In order to remedy these drawbacks, this paper proposes an improvement scheme which fulfils all the security requirements for a remote user authentication scheme. Security analysis proved that the improved scheme resists the typical attacks. Furthermore, the analysis of computational cost and storage capacity demonstrated that the scheme is feasible for a practical implementation.

A practical solution for distribution rights protection in multicast environments

One of the main problems that remain to be solved in pay-per-view Internet services is copyright protection. As in almost every scenario, any copyright protection scheme has to deal with two main aspects: protect the true content authors from those who may dishonestly claim ownership of intellectual property rights and prevent piracy by detecting the authorized (but dishonest) users responsible of illegal redistribution of copies. The former aspect can be solved with watermarking techniques while for the latter, fingerprinting mechanisms are the most appropriate ones. In internet services such as Web-TV or near video on-demand where multicast is used, watermarking can be directly applied. On the other hand, multicast fingerprinting has been seldom studied because delivering different marked content for different receivers seems a contradiction with multicast basics. In this paper we present a solution to prevent unauthorized redistribution of content in multicast scenarios. The system is based on a trusted soft-engine embedded in the receiver and co-managed by the content distributor. The trusted soft-engine is responsible of the client-side multicast key management functions. It only will allow the decryption and displaying of the actual data if it has previously inserted a fingerprinting mark with the identity of the decoder. Upon finding a pirate copy of any multicast delivered content, this mark can be used to unambiguously reveal the identity of the receiver that decoded the content from which the pirate copies are made.