Johannes Braun
Technische Universität Darmstadt
Publication
Featured research published by Johannes Braun.
Designs, Codes and Cryptography | 2014
Johannes Braun; Johannes A. Buchmann; Ciaran Mullan; Alexander Wiesmaier
Sensitive electronic data may be required to remain confidential for long periods of time. Yet encryption under a computationally secure cryptosystem cannot provide a guarantee of long term confidentiality, due to potential advances in computing power or cryptanalysis. Long term confidentiality is ensured by information theoretically secure ciphers, but at the expense of impractical key agreement and key management. We overview known methods to alleviate these problems, whilst retaining some form of information theoretic security relevant for long term confidentiality.
European Public Key Infrastructure Workshop | 2013
Johannes Braun; Florian Volk; Johannes A. Buchmann; Max Mühlhäuser
The steadily growing number of certification authorities (CAs) assigned to the Web Public Key Infrastructure (Web PKI) and trusted by current browsers imposes severe security issues. Apart from being impossible for relying entities to assess whom they actually trust, the current binary trust model implemented with the Web PKI makes each CA a single point of failure. In this paper, we present the concept of trust views to manage variable trust levels for exactly those CAs actually required by a relying entity. This reduces the set of trusted CAs and minimizes the risk to rely on malicious certificates issued due to CA failures or compromises.
Journal of Computer Security | 2014
Johannes Braun; Florian Volk; Jiska Classen; Johannes A. Buchmann; Max Mühlhäuser
The steadily growing number of certification authorities (CAs) assigned to the Web Public Key Infrastructure (Web PKI) and trusted by current browsers imposes severe security issues. Apart from being impossible for relying entities to assess whom they actually trust, the current binary trust model implemented with the Web PKI makes each CA a single point of failure and creates an enormous attack surface. In this article, we present CA-TMS, a user-centric CA trust management system based on trust views. CA-TMS can be used by relying entities to individually reduce the attack surface. CA-TMS works by restricting the trust placed in CAs of the Web PKI to trusting in exactly those CAs actually required by a relying entity. This restriction is based on locally collected information and does not require the alteration of the existing Web PKI. CA-TMS is complemented by an optional reputation system that allows to utilize the knowledge of other entities while maintaining the minimal set of trusted CAs. Our evaluation of CA-TMS with real world data shows that an attack surface reduction by more than 95% is achievable.
International Conference on Social Computing | 2013
Johannes Braun; Gregor Rynkowski
The security of most Internet applications relies on underlying public key infrastructures (PKIs) and thus on an ecosystem of certification authorities (CAs). The pool of PKIs responsible for the issuance and the maintenance of SSL certificates, called the Web PKI, has grown extremely large and complex. Herein, each CA is a single point of failure, leading to an attack surface, the size of which is hardly assessable. This paper approaches the issue if and how the attack surface can be reduced in order to minimize the risk of relying on a malicious certificate. In particular, we consider the individualization of the set of trusted CAs. We present a tool called Rootopia, which allows to individually assess the respective part of the Web PKI relevant for a user. Our analysis of browser histories of 22 Internet users reveals that the major part of the PKI is completely irrelevant to a single user. On a per user level, the attack surface can be reduced by more than 90%, which shows the potential of the individualization of the set of trusted CAs. Furthermore, all the relevant CAs reside within a small set of countries. Our findings confirm that we unnecessarily trust in a huge number of CAs, thus exposing ourselves to unnecessary risks. Subsequently, we present an overview on our approach to realize the possible security gains.
Computer and Communications Security | 2011
Alex Wiesmaier; Moritz Horsch; Johannes Braun; Franziskus Kiefer; Detlef Hühnlein; Falko Strenzke; Johannes A. Buchmann
Many future electronic identity cards will be equipped with a contact-less interface. Analysts expect that a significant proportion of future mobile phones support Near Field Communication (NFC) technology. Thus, it is a reasonable approach to use the cell phone as mobile smart card terminal, which in particular supports the Password Authenticated Connection Establishment (PACE) protocol to ensure user consent and to protect the wireless interface between the mobile phone and the smart card. While there are efficient PACE implementations for smart cards, there does not seem to be an efficient and platform independent solution for mobile terminals. Therefore we provide a new implementation using the Java Micro Edition (Java ME), which is supported by almost all modern mobile phones. However, the benchmarks of our first, straightforward PACE implementation on an NFC-enabled mobile phone have shown that improvement is needed. In order to reach a user friendly performance we implemented an optimized version, which, as of now, is restricted to optimizations which can be realized using features of existing Java ME libraries. In the work at hand we present a review of the relevant algorithms and provide benchmarks of the corresponding arithmetic functions in different Java ME libraries. We discuss the different optimization approaches, introduce our optimized PACE implementation, and provide timings for a desktop PC and a mobile phone in comparison to the straightforward version. Finally, we investigate potential side channel attacks on the optimized implementation.
Trust, Security and Privacy in Computing and Communications | 2015
Jiska Classen; Johannes Braun; Florian Volk; Matthias Hollick; Johannes A. Buchmann; Max Mühlhäuser
In the current Web Public Key Infrastructure (Web PKI), few central instances have the power to make trust decisions. From a systems perspective, it has the side effect that every Certification Authority (CA) becomes a single point of failure (SPOF). In addition, trust is no individual matter per user, which makes trust decisions hard to revise. Hence, we propose a method to leverage Internet users and thus distribute CA trust decisions. However, the average user is unable to manually decide which incoming TLS connections are trustworthy and which are not. Therefore, we overcome this issue with a distributed reputation system that facilitates sharing trust opinions while preserving user privacy. We assess our methodology using real-world browsing histories. Our results exhibit a significant attack surface reduction with respect to the current Web PKI, and at the same time we only introduce a minimal overhead.
Journal of Bacteriology | 2017
Patrick Rühl; Uwe Pöll; Johannes Braun; Andreas Klingl; Arnulf Kletzin
Sequence comparisons showed that the sulfur oxygenase reductase (SOR) of the haloalkaliphilic bacterium Thioalkalivibrio paradoxus Arh 1 (TpSOR) is branching deeply within dendrograms of these proteins (29 to 34% identity). A synthetic gene encoding TpSOR expressed in Escherichia coli resulted in a protein 14.7 ± 0.9 nm in diameter and an apparent molecular mass of 556 kDa. Sulfite and thiosulfate were formed from elemental sulfur in a temperature range of 10 to 98°C (optimum temperature ≈ 80°C) and a pH range of 6 to 11.5 (optimum pH ≈ 9; 308 ± 78 U/mg of protein). Sulfide formation had a maximum specific activity of 0.03 U/mg, or <1% of the corresponding activity of other SORs. Hence, reductase activity seems not to be an integral part of the reaction mechanism. TpSOR was most active at NaCl or glycine betaine concentrations of 0 to 1 M, although 0.2% of the maximal activity was detected even at 5 M NaCl and 4 M betaine. The melting point of TpSOR was close to 80°C, when monitored by circular dichroism spectroscopy or differential scanning fluorimetry; however, the denaturation kinetics were slow: 55% of the residual activity remained after 25 min of incubation at 80°C. Site-directed mutagenesis showed that the active-site residue Cys44 is essential for activity, whereas alanine mutants of the two other conserved cysteines retained about 0.5% residual activity. A model of the sulfur metabolism in T. paradoxus is discussed. IMPORTANCE Sulfur oxygenase reductases (SORs) are the only enzymes catalyzing an oxygen-dependent disproportionation of elemental sulfur and/or polysulfides to sulfite, thiosulfate, and hydrogen sulfide. SORs are known from mesophilic and extremophilic archaea and bacteria. All SORs seem to form highly thermostable 24-subunit hollow spheres. They carry a low-potential mononuclear nonheme iron in the active site and an indispensable cysteine; however, their exact reaction mechanisms are unknown. 
Typically, the reductase activity of SORs is in the range of 5 to 50% of the oxygenase activity, but mutagenesis studies had so far failed to identify residues crucial for the reductase reaction. We describe here the first SOR, which is almost devoid of the reductase reaction and which comes from a haloalkaliphilic bacterium.
Hawaii International Conference on System Sciences | 2013
Johannes Braun; Alexander Wiesmaier; Johannes A. Buchmann
Sensitive electronic data must often be kept confidential over very long periods of time. Known solutions such as conventional encryption, cascaded encryption, and information theoretic schemes suffer from several weaknesses or serious disadvantages that we shortly discuss. We present a method for combining arbitrary encryption algorithms. The scheme has the following properties: (1) It is a (k, n)-threshold scheme, i.e. only k ≤ n of the n applied algorithms are needed for decryption. (2) The scheme's effective bit security is the sum of the lengths of the k shortest keys. (3) Under adaptive chosen plaintext attacks, this security level remains intact until at least k algorithms are compromised. (4) Under adaptive chosen ciphertext attacks, the security level decreases with each compromised algorithm at most by the corresponding key length. (5) The scheme increases the effective key lengths of repeatedly applied encryption algorithms.
Computer and Communications Security | 2017
Johannes Braun; Johannes A. Buchmann; Denise Demirel; Matthias Geihs; Mikio Fujiwara; Shiho Moriai; Masahide Sasaki; Atsushi Waseda
The amount of digital data that requires long-term protection of integrity, authenticity, and confidentiality grows rapidly. Examples include electronic health records, genome data, and tax data. In this paper we present the secure storage system LINCOS, which provides protection of integrity, authenticity, and confidentiality in the long-term, i.e., for an indefinite time period. It is the first such system. It uses the long-term integrity scheme COPRIS, which is also presented here and is the first such scheme that does not leak any information about the protected data. COPRIS uses information-theoretic hiding commitments for confidentiality-preserving integrity and authenticity protection. LINCOS uses proactive secret sharing for confidential storage of secret data. We also present implementations of COPRIS and LINCOS. A special feature of our LINCOS implementation is the use of quantum key distribution and one-time pad encryption for information-theoretic private channels within the proactive secret sharing protocol. The technological platform for this is the Tokyo QKD Network, which is one of the world's most advanced networks of its kind. Our experimental evaluation establishes the feasibility of LINCOS and shows that in view of the expected progress in quantum communication technology, LINCOS is a promising solution for protecting very sensitive data in the cloud.
European Public Key Infrastructure Workshop | 2012
Johannes Braun; Andreas Hülsing; Alex Wiesmaier; Martín A. Gagliotti Vigil; Johannes A. Buchmann
Recent attacks and publications have shown the vulnerability of hierarchical Public Key Infrastructures (PKIs) and the fatal impact of revoked Certification Authority (CA) certificates in the PKIX validity model. Alternative validity models, such as the extended shell and the chain model, improve the situation but rely on independent proofs of existence, which are usually provided using time-stamps. As time-stamps are validated using certificates, they suffer from the same problems as the PKI they are supposed to protect. Our solution to this problem is abandoning time-stamps and providing proof of existence using Forward Secure Signatures (FSS). In particular, we present different possibilities to use the chain model together with FSS, resulting in schemes that include the necessary proofs of existence into the certificates themselves.
Collaboration
National Institute of Information and Communications Technology