Giuseppe Cattaneo

Algorithm engineering

Algorithm Engineering is concerned with the design, analysis, implementation, tuning, debugging and experimental evaluation of computer programs for solving algorithmic problems. It provides methodologies and tools for developing and engineering efficient algorithmic codes and aims at integrating and reinforcing traditional theoretical approaches for the design and analysis of algorithms and data structures.

An Extensible Framework for Efficient Secure SMS

Nowadays, Short Message Service (SMS) still represents the most used mobile messaging service. SMS messages are used in many different application fields, even in cases where security features, such as authentication and confidentiality between the communicators, must be ensured. Unfortunately, the SMS technology does not provide a built-in support for any security feature. This work presents SEESMS (Secure Extensible and Efficient SMS), a software framework written in Java which allows two peers to exchange encrypted and digitally signed SMS messages. The communication between peers is secured by using public-key cryptography. The key-exchange process is implemented by using a novel and simple security protocol which minimizes the number of SMS messages to use. SEESMS supports the encryption of a communication channel through the ECIES and the RSA algorithms. The identity validation of the contacts involved in the communication is implemented through the RSA, DSA and ECDSA signature schemes. SEESMS is able to certify the phone number of the peers using the framework. Additional cryptosystems can be coded and added to SEESMS as plug-ins. Special attention has been devoted to the implementation of an efficient framework in terms of energy consumption and execution time. This efficiency is obtained in two steps. First, all the cryptosystems available in the framework are implemented using mature and fully optimized cryptographic libraries. Second, an experimental analysis was conducted to determine which combination of cryptosystems and security parameters were able to provide a better trade-off in terms of speed/security and energy consumption. This experimental analysis has also been useful to expose some serious performance issues affecting the cryptographic libraries which are commonly used to implement security features on mobile devices.

A Novel Anti-forensics Technique for the Android OS

In recent years traditional mobile-phones, used only to make calls and send text messages, have evolved into even more versatile and powerful devices (smart phones, tablets, etc.). These devices use a NAND flash memory type to store data, due to it being a memory that has been optimized for the fast updating of data. These flash memory drives usually contain sensitive data that could be a possible danger to the users privacy. This paper proposes a new anti-forensics technique for mobile devices with the Android OS. The technique makes it possible to modify and erase, securely and selectively, the digital evidence on an Android device without having to use any cryptographic primitives or make any file system changes. While the use of cryptographic primitives or changes to the file system create considerable suspicion in a forensic analysis, the proposed technique uses simple software tools commonly used in *nix-like OSes such as the Android OS.

A Forensic Analysis of Images on Online Social Networks

The Web 3.0 is approaching fast and the Online Social Networks (OSNs) are becoming more and more pervasive in today daily activities. A subsequent consequence is that criminals are running at the same speed as technology and most of the time highly sophisticated technological machineries are used by them. Images are often involved in illicit or illegal activities, with it now being fundamental to try to ascertain as much as information on a given image as possible. Today, most of the images coming from the Internet flow through OSNs. The paper analyzes the characteristics of images published on some OSNs. The analysis mainly focuses on how the OSN processes the uploaded images and what changes are made to some of the characteristics, such as JPEG quantization table, pixel resolution and related metadata. The experimental analysis was carried out in June-July 2011 on Facebook, Badoo and Google+. It also has a forensic value: it can be used to establish whether an image has been downloaded from an OSN or not.

SPEECH: Secure Personal End-to-End Communication with Handheld

Nowadays, there is a strong trend toward the integration of public communication networks. This is especially the case of the mobile phone networks and the Internet, which are becoming increasingly interconnected as to create a single unified network. One of the possible consequences of this integration is that the security issues, which already exist within each of these networks, become even more menacing in such an enlarged context. The possibility to operate voice calls is one of the most popular services that run on these networks. At the time of this writing, the user who calls another user by means of a mobile phone or a desktop computer equipped with Voice-over-IP software is subject to several threats. In this paper, we examine some of these threats and present SPEECH, a software system for making “secure” calls by using Windows Mobile 2003 powered handheld devices and a wireless data communication channel.

SECR3T: Secure End-to-End Communication over 3G Telecommunication Networks

Nowadays the use of video conference tools from mobile devices is becoming more widespread. Unfortunately, solutions based only on the security features inherited from the operator infrastructure cannot be blindly trusted. Therefore, the need for secure communication tools is rapidly increasing. Currently, voice and video communication tools are considered unreliable when used in either a mobile context or under poor signal strength conditions. This is particularly true for IP connections routed on the Packet-Switched Domain (PSD) over 3G mobile networks. This paper presents the design and the implementation of SECR3T (Secure End-to-End Communication over 3G Telecommunication Networks), a fully-fledged secure communication system for mobile devices based on the native Circuit-Switched Domain (CSD) of 3G networks. To the authors knowledge, this is the first solution for secure communication over the CSD of 3G networks. The security schemes implemented by SECR3T include mutual end-to-end authentication as well as data encryption. The adopted end-to-end security mechanisms have been embedded within the native 3G-324M protocol and do not require any form of interaction with the mobile network operator. Relying on the CSD, SECR3T provides a better QoS with respect to the PSD based solutions for 3G networks. It also requires less power consumption as the user is registered once on the Base Station (BS), with the handset not having to implement any heavy keep-alive protocols. In order to prove the effectiveness of the adopted strategy, a prototype was implemented to compare its performance with the well-known PSD solutions. Subsequently, the authors experimentally evaluated the security strengths and the impacts produced on the user experience with respect to traditional tools using CSD.

Maintaining dynamic minimum spanning trees: An experimental study

We report our findings on an extensive empirical study on the performance of several algorithms for maintaining minimum spanning trees in dynamic graphs. In particular, we have implemented and tested several variants of the polylogarithmic algorithm by Holm et al., sparsification on top of Fredericksons algorithm, and other (less sophisticated) dynamic algorithms. In our experiments, we considered as test sets several random, semi-random and worst-case inputs previously considered in the literature together with inputs arising from real-world applications (e.g., a graph of the Internet Autonomous Systems).

Engineering a secure mobile messaging framework

It is quite usual in the world of scientific software development to use, as black boxes, algorithmic software libraries without any prior assessment of their efficiency. This approach relies on the assumption that the experimental performance of these libraries, although correct, will match the theoretical expectation of their algorithmic counterparts. In this paper we discuss the case of SEESMS (Secure Extensible and Efficient SMS). It is a software framework that allows two peers to exchange encrypted and digitally signed SMS messages. The cryptographic part of SEESMS is implemented on top of the Java BC library (The Legion of Bouncy Castle, 2010), a widely used open-source library. The preliminary experimentations conducted on SEESMS, discussed in Castiglione et al. (2010), revealed some unexpected phenomena like the ECDSA-based cryptosystem being generally and significantly slower than the RSA-based equivalent. In this paper, we analyze these phenomena by profiling the code of SEESMS and expose the issues causing its bad performance. Then, we apply some algorithmic and programming optimizations techniques. The resulting code exhibits a significant performance boost with respect to the original implementation, and requires less memory in order to be run.

Visualization of cryptographic protocols with GRACE

In this paper we present GRACE (graphical representation and animation for cryptography education), a Java-based educational tool that can be used to help in teaching and understanding of cryptographic protocols. The tool adopts an active learning model that engages the learner by asking him to describe, in an exemplification of a real-world scenario, cryptographic protocols using simple primitives whose effects are visualized by means of animated sequences. To this end, the GRACE interface offers the learner the choice of several cryptographic and non-cryptographic related operations with their respective visualizations. By executing a series of these operations in the proper order, a teacher is able to provide a visual introductory description of several protocols. Moreover, since some of the cryptographic operations are not just simulated but concretely implemented, it can be used by students to see which elaborations are performed by each operation of a cryptographic protocol, and their effects on the represented scenario. GRACE comes equipped with the implementation of several cryptographic primitives and cryptosystems. Additional primitives and cryptosystems can easily be plugged in the system. Visualizations prepared with GRACE can be edited, navigated and saved in a file for playback. We also present the results of an experimental lesson taught in the Security on Communication Networks undergraduate course at the University of Salerno during the fall 2004 semester using GRACE. A copy of GRACE and some demo lessons featuring the visualization of some cryptographic protocols are available at http://www.dia.unisa.it/research/grace.

On the Construction of a False Digital Alibi on the Android OS

Digital evidence can determine either the conviction or acquittal of a suspect. In the latter case, such information constitutes a digital alibi. It has been recently shown how it is possible to set up a common PC in order to produce digital evidence in an automatic and systematic manner. Such traces are indistinguishable post-mortem from those left by human activity, thus being exploitable to forge a digital alibi. Modern smart phones are becoming more and more similar to PCs, due both to their computational power as well as their capacity to produce digital evidence, local or remote, which can assume a probative value. However, smart phones are still substantially different from common PCs, with OS limitations, lack of tools and so on, thus making it difficult to adopt the same techniques proposed for PCs to forge a digital alibi on a mobile device. In this paper novel techniques to create a false digital alibi on a smart phone equipped with the Android OS are presented. In particular, it is possible to simulate human interaction with a mobile device using a software automation, with the produced traces being indistinguishable post-mortem from those left by a real user. Moreover, it will be shown that advanced computer skills are not required to forge a digital alibi on an Android device, since some of the presented techniques can be easily carried out by non-savvy users. This emphasizes how the probative value of digital evidence should always be evaluated together with traditional investigation techniques.