Youngjoo Shin

Decentralized group key management for dynamic networks using proxy cryptography

Decentralized group key management mechanisms offer beneficial solutions to enhance the scalability and reliability of a secure multicast framework by confining the impact of a membership change in a local area. However, many of the previous decentralized solutions reveal the plain text to the intermediate relaying proxies,or require the key distribution center to coordinate secure group communications between subgroups. In this study, we propose a decentralized group key management scheme that features a mechanism allowing a service provider to deliver the group key to valid members in a distributed manner using the proxy cryptography. In the proposed scheme, the key distribution center is eliminated while data confidentiality of the transmitted message is provided during the message delivery process. The proposed scheme can support a secure group communication in dynamic network environments where there is no trusted central controller for the whole network and the network topology changes frequently.

A Survey of Secure Data Deduplication Schemes for Cloud Storage Systems

Data deduplication has attracted many cloud service providers (CSPs) as a way to reduce storage costs. Even though the general deduplication approach has been increasingly accepted, it comes with many security and privacy problems due to the outsourced data delivery models of cloud storage. To deal with specific security and privacy issues, secure deduplication techniques have been proposed for cloud data, leading to a diverse range of solutions and trade-offs. Hence, in this article, we discuss ongoing research on secure deduplication for cloud data in consideration of the attack scenarios exploited most widely in cloud storage. On the basis of classification of deduplication system, we explore security risks and attack scenarios from both inside and outside adversaries. We then describe state-of-the-art secure deduplication techniques for each approach that deal with different security issues under specific or combined threat models, which include both cryptographic and protocol solutions. We discuss and compare each scheme in terms of security and efficiency specific to different security goals. Finally, we identify and discuss unresolved issues and further research challenges for secure deduplication in cloud storage.

Pre-authentication for fast handoff in wireless mesh networks with mobile APs

Wireless mesh networks can extend the network service region by just adding APs. However wireless mesh networks also have the same security problems as the traditional wireless LAN. Until now, many methods have been proposed to solve the authentication problem, particularly for the fast handoff, in the traditional wireless LAN. However, previous methods are not efficient to the wireless mesh network with mobile APs because they just considered static APs. In this paper, we propose a new pre-authentication method for the wireless mesh network with mobile APs. We adapted the neighbor graph method of previous schemes for the compatibility. However, our method is suitable to the wireless mesh network by applying a Du et als key distribution. Furthermore, we present a formal analysis about our method by using a logic based formal analysis method.

An Efficient Proactive Key Distribution Scheme for Fast Handoff in IEEE 802.11 Wireless Networks

Supporting user mobility is one of the most challenging issues in wireless networks. Recently, as the desires for the user mobility and high-quality multimedia services increase, fast handoff among base stations comes to a center of quality of connections. Therefore, minimizing re-authentication latency during handoff is crucial for supporting various promising real-time applications such as Voice over IP (VoIP) on public wireless networks. In this study, we propose an enhanced proactive key distribution scheme for fast and secure handoff based on IEEE 802.11i authentication mechanism. The proposed scheme reduces the handoff delay by reducing 4-way handshake to 2-way handshake between an access point and a mobile station during the re-authentication phase. Furthermore, the proposed scheme gives little burden over the proactive key pre-distribution scheme while satisfying 802.11i security requirements.

Scalable and efficient approach for secure group communication using proxy cryptography

Multicast is a scalable solution for group communications. In order to offer security for multicast applications, a group key has to be changed whenever a member joins or leaves the group. This incurs 1-affects-n problem, which is a constraint on scalability. Decentralized approaches solve the scalability problem by dividing a group into several subgroups that use independent group keys. These approaches, however, introduce new challenges: problem of trusting third party and inefficiency of data delivery. Proxy encryption is a good approach to solve the problem of trusting third party. In this paper, we propose a novel secure multicast scheme using the proxy cryptography. The proposed scheme provides not only scalability but also data transmission efficiency by dynamic subgrouping of group members while intermediate data-relaying third parties are not required to be trusted.

Secure proof of storage with deduplication for cloud storage systems

Explosion of multimedia content brings forth the needs of efficient resource utilization using the state of the arts cloud computing technologies such as data deduplication. In the cloud computing environments, achieving both data privacy and integrity is the challenging issue for data outsourcing service. Proof of Storage with Deduplication (POSD) is a promising solution that addresses the issue for the cloud storage systems with deduplication enabled. However, the validity of the current POSD scheme stands on the strong assumption that all clients are honest in terms of generating their keys. We present insecurity of this approach under new attack model that malicious clients exploit dishonestly manipulated keys. We also propose an improved POSD scheme to mitigate our attack.

Decentralized Server-aided Encryption for Secure Deduplication in Cloud Storage

Cloud storage provides scalable and low cost resources featuring economies of scale based on multi-tenant architecture. As the amount of data outsourced grows explosively, data deduplication, a technique that eliminates data redundancy, becomes essential. However, deduplication leads to problems with data confidentiality, thereby necessitating secure deduplication solutions. Server-aided encryption schemes have been proposed to achieve the strongest confidentiality but with the cost of managing a key server (KS). Previous schemes, however, are based on a centralized KS that uses only a single secret key assuming a single KS in the system. In cloud storage where multi-tenancy and scalability are crucial, such schemes degrade not only the effectiveness of deduplication but also the scalability with increasing users. In this paper, we extend server-aided encryption to a decentralized setting that consists of multiple KSs. The key idea of our proposed scheme is to construct an inter-KS deduplication algorithm, by which a cloud storage service provider can perform deduplication over ciphertexts from different KSs within a tenant or across tenants. This way, our scheme simultaneously offers flexibility of KS management and cross-tenant deduplication over encrypted data. The novelty of the approach is using a decentralized architecture that does not require any centralized entities for the coordination or pre-sharing of secrets among KSs. Therefore, it allows cloud storage services to offer high deduplication efficiency and scalability while preserving strong data confidentiality. We show the result of performance analysis on the proposed scheme by conducting extensive experiments. In addition, our security analysis demonstrate that the proposed scheme satisfies all desired security properties.

MiGuard : Detecting and Guarding against Malicious Iframe through API Hooking

Recently, client-side attacks through the Microsoft Internet Explorer have increased. In this paper, we present a method to detect and block malware programs resulting from successful malicious iframe attacks. This method can detect malware program execution through distinguishing API sequences of normal execution and abnormal API sequences resulting from an exploit using Win32 API hooks. We implemented MiGuard (Guard against malicious iframes) and performed experiments. The evaluation results indicate that our approach can effectively detect and block malicious iframes. We also believe that our research can help prevent threats of malicious iframes.

An Efficient Stream Cipher for Resistive RAM

Resistive Random Access Memory (RRAM) is considered as one of the most competitive candidate for next-generation embedded system memories but data security for it has not yet been studied in detail. Since data security of embedded system is becoming more and more important nowadays, we think that it is necessary to study about data encryption for RRAM. In this paper, we studied data encryption candidates for RRAM and conducted several stream ciphers performance experiments for RRAM. As a consequence, we showed that Trivium is the most suitable stream cipher algorithm for RRAM. Also, we analyzed the experimental results.

Unveiling Hardware-based Data Prefetcher, a Hidden Source of Information Leakage

Data prefetching is a hardware-based optimization mechanism used in most of the modern microprocessors. It fetches data to the cache before it is needed. In this paper, we present a novel microarchitectural attack that exploits the prefetching mechanism. Our attack targets Instruction pointer (IP)-based stride prefetching in Intel processors. Stride prefetcher detects memory access patterns with a regular stride, which are likely to be found in lookup table-based cryptographic implementations. By monitoring the prefetching activities near the lookup table, attackers can extract sensitive information such as secret keys from victim applications. This kind of leakage from prefetching has never been considered in the design of constant time algorithm to prevent side-channel attacks. We show the potential of the proposed attack by applying it against the Elliptic Curve Diffie-Hellman (ECDH) algorithm built upon the latest version of OpenSSL library. To the best of our knowledge, this is the first microarchitectural side-channel attack exploiting the hardware prefetching of modern microprocessors.