Jesus Diaz

Cryptanalysis of a one round chaos-based Substitution Permutation Network

The interleaving of chaos and cryptography has been the aim of a large set of works since the beginning of the nineties. Many encryption proposals have been introduced to improve conventional cryptography. However, many of possess serious problems according to the basic requirements for the secure exchange of information. In this paper we highlight some of the main problems of chaotic cryptography by means of the analysis of a very recent chaotic cryptosystem based on a one round Substitution Permutation Network. More specifically, we show that it is not possible to avoid the security problems of that encryption architecture just by including a chaotic system as the core of the derived encryption system. Highlights? The security problems of one round Substitution Permutation Networks are discussed. ? The problems of considering unimodal maps as the core of cryptosystems are analysed. ? The cryptanalysis of an specific permutation-only cipher is performed.

A formal methodology for integral security design and verification of network protocols

HighlightsAn iterative methodology for verifying communication protocols, combining formal and informal analysis, is presented.When security flaws are detected, it provides feedback for easing their resolution.Three case studies with real protocols are introduced to show the benefits of such methodology.The first two case studies (MANA III and WEPs Shared Key Authentication) show how some weaknesses could have been detected.The third case study shows the complete process of verification of a new protocol for obtaining digital identities. In this work we propose a methodology for incorporating the verification of the security properties of network protocols as a fundamental component of their design. This methodology can be separated in two main parts: context and requirements analysis along with its informal verification; and formal representation of protocols and the corresponding procedural verification. Although the procedural verification phase does not require any specific tool or approach, automated tools for model checking and/or theorem proving offer a good trade-off between effort and results. In general, any security protocol design methodology should be an iterative process addressing in each step critical contexts of increasing complexity as result of the considered protocol goals and the underlying threats. The effort required for detecting flaws is proportional to the complexity of the critical context under evaluation, and thus our methodology avoids wasting valuable system resources by analyzing simple flaws in the first stages of the design process. In this work we provide a methodology in coherence with the step-by-step goals definition and threat analysis using informal and formal procedures, being our main concern to highlight the adequacy of such a methodology for promoting trust in the accordingly implemented communication protocols. Our proposal is illustrated by its application to three communication protocols: MANA III, WEPs Shared Key Authentication and CHAT-SRP.

Non-conventional Digital Signatures and Their Implementations—A Review

The current technological scenario determines a profileration of trust domains, which are usually defined by validating the digital identity linked to each user. This validation entails critical assumptions about the way users’ privacy is handled, and this calls for new methods to construct and treat digital identities. Considering cryptography, identity management has been constructed and managed through conventional digital signatures. Nowadays, new types of digital signatures are required, and this transition should be guided by rigorous evaluation of the theoretical basis, but also by the selection of properly verified software means. This latter point is the core of this paper. We analyse the main non-conventional digital signatures that could endorse an adequate tradeoff between security and privacy. This discussion is focused on practical software solutions that are already implemented and available online. The goal is to help security system designers to discern identity management functionalities through standard cryptographic software libraries.

On the Difficult Tradeoff Between Security and Privacy: Challenges for the Management of Digital Identities

The deployment of security measures can lead in many occasions to an infringement of users’ privacy. Indeed, nowadays we have many examples about surveillance programs or personal data breaches in online service providers. In order to avoid the latter problem, we need to establish security measures that do not involve a violation of privacy rights. In this communication we discuss the main challenges when conciliating information security and users’ privacy.

On securing online registration protocols: Formal verification of a new proposal

The deployment of Internet based applications calls for adequate users management procedures, being online registration a critical element. In this respect, Email Based Identification and Authentication (EBIA) is an outstanding technique due to its usability. However, it does not handle properly some major issues which make it unsuitable for systems where security is of concern. In this work we modify EBIA to propose a protocol for users registration. Moreover, we assess the security properties of the protocol using the automatic protocol verifier ProVerif. Finally, we show that the modifications applied to EBIA are necessary to ensure security since, if they are removed, attacks on the protocol are enabled. Our proposal keeps the high usability features of EBIA, while reaching a reasonable security level for many applications. Additionally, it only requires minor modifications to current Internet infrastructures.

Review of the Main Security Threats and Challenges in Free-Access Public Cloud Storage Servers

The twenty-first century belongs to the world of computing, specially as a result of the so-called cloud computing. This technology enables ubiquitous information management and thus people can access all their data from any place and at any time. In this landscape, the emergence of cloud storage has had an important role in the last 5 years. Nowadays, several free-access public cloud storage services make it possible for users to have a free backup of their assets and to manage and share them, representing a low-cost opportunity for Small and Medium Enterprises (SMEs). However, the adoption of cloud storage involves data outsourcing, so a user does not have the guarantee about the way her data will be processed and protected. Therefore, it seems necessary to endow public cloud storage with a set of means to protect users’ confidentiality and privacy, to assess data integrity and to guarantee a proper backup of information assets. Along this paper, we discuss the main challenges to achieve such a goal, underlining the set of functionalities already implemented in the most popular public cloud storage services.

Privacy in e-Shopping Transactions: Exploring and Addressing the Trade-Offs

The huge growth of e-shopping has brought convenience to customers, increased revenue to merchants and financial entities and evolved to possess a rich set of functionalities and requirements (e.g., regulatory ones). However, enhancing customer privacy remains to be a challenging problem; while it is easy to create a simple system with privacy, this typically causes loss of functions.

Encrypted Cloud: A Software Solution for the Secure Use of Free-Access Cloud Storage Services.

Cloud services provide a means to ease information storage and sharing. In the case of Small and Medium Enterprises, this represents a great opportunity to deploy platforms for data exchange without the high costs of traditional Information Technology solutions. Nonetheless, the adoption of the cloud implies a risk in terms of the security and privacy of the stored information assets. This risk is even more relevant when we opt for free cloud storage services. In this work we present Encrypted Cloud, a solution to endow users of free cloud storages with a mechanism to encrypt their information before uploading it. Since data sharing is a must for cloud users, Encrypted Cloud also enables the exchange of cryptographic keys in a secure way. Encrypted Cloud assumes a zero-trust context and correspondingly incorporates a thorough integrity verification protocol. Finally, Encrypted Cloud acts as a central entry point upon multiple free cloud storage services. This being the case, our tool enables users to allocate their resources in multiple cloud storages, and it also makes it possible to define a data redundancy policy.

Fair and Accountable Anonymity for the Tor Network.

The balance between security and privacy is a must for the adequate construction of e-democracy. For such a goal, information and communication networks should not be hardened at the cost of lessening privacy protection mechanisms. In addition, the deployment of such mechanisms should not pave the way for performing malicious activities. This call for security-privacy trade-offs is specially relevant in the general scope of the anonymizing networks, and in the specific case of the Tor network. Indeed, general security attacks are based on anonymous network access, which makes service providers to ban this kind of connections even when they are initiated by legitimate users. In this communication we apply group and blind signatures to address this dilemma, allowing the incorporation of access controls to the Tor network. Our procedure is enhanced by a protocol for denouncing illegitimate actions without eroding users’ privacy.

Methodological Security Verification of a Registration Protocol

In this work, we apply a secure protocol design methodology to a protocol based on a recently proposed email-based registration protocol. With this task, we aim to emphasize the need of incorporating such techniques as a main component of the protocol design process, not just as a desirable feature. The process herein described highlights the advantages in terms of the obtained security guarantees added to the final design, and also helps in the endeavor of further evaluating the applied methodology and the analyzed protocol.