
Keyword Search Result

[Keyword] security (630 hits)

Results 361-380 of 630

  • Time-Bound Hierarchical Key Assignment: An Overview

    Wen Tao ZHU, Robert H. DENG, Jianying ZHOU, Feng BAO

    INVITED PAPER, Vol. E93-D No. 5, pp. 1044-1052

    The access privileges in distributed systems can be effectively organized as a partial-order hierarchy that consists of distinct security classes, and the access rights are often designated with certain temporal restrictions. The time-bound hierarchical key assignment problem is to assign distinct cryptographic keys to distinct security classes according to their privileges so that users from a higher class can use their class key to derive the keys of lower classes, and these keys are time-variant with respect to sequentially allocated temporal units called time slots. In this paper, we present the underlying principle, survey the state of the art, and, in particular, look into two representative approaches to time-bound hierarchical key assignment for in-depth case studies.

  • ESS-FH: Enhanced Security Scheme for Fast Handover in Hierarchical Mobile IPv6

    Ilsun YOU, Jong-Hyouk LEE, Kouichi SAKURAI, Yoshiaki HORI

    PAPER, Vol. E93-D No. 5, pp. 1096-1105

    Fast Handover for Hierarchical Mobile IPv6 (F-HMIPv6), which combines the advantages of Fast Handover for Mobile IPv6 (FMIPv6) and Hierarchical Mobile IPv6 (HMIPv6), achieves superior performance in terms of handover latency and signaling overhead compared with previously developed mobility protocols. However, without being secured, F-HMIPv6 is vulnerable to various security threats. In 2007, Kang and Park proposed a security scheme that is seamlessly integrated into F-HMIPv6. In this paper, we reveal that Kang-Park's scheme cannot defend against Denial of Service (DoS) and redirect attacks while relying heavily on the group key. We then propose an Enhanced Security Scheme for F-HMIPv6 (ESS-FH) that achieves strong key exchange and key independence and addresses the weaknesses of Kang-Park's scheme. More importantly, it enables fast handover between different MAP domains. The proposed scheme is formally verified using BAN logic, and its handover latency is analyzed and compared with that of Kang-Park's scheme.

  • Design and Implementation of Hybrid MAC-Based Robust Architecture for Wireless Sensor Network

    Taeshik SHON, Eui-jik KIM, Jeongsik IN, Yongsuk PARK

    LETTER-Network, Vol. E93-B No. 4, pp. 1016-1019

    In this letter, we propose an energy-efficient hybrid architecture, the Hybrid MAC-based Robust Architecture (HMR), for wireless sensor networks, focusing on MAC-layer scheduling and an adaptive security suite acting as a security sublayer. A hybrid MAC layer with TDMA and CSMA scheduling is designed to prolong network lifetime, and a multi-channel TDMA-based active/sleep scheduling is presented. We also present the security-related functionality needed to apply a flexible security suite to packets dynamically. An implementation and testbed of the proposed framework based on IEEE 802.15.4 are shown as well.

  • A Secure and Scalable Rekeying Mechanism for Hierarchical Wireless Sensor Networks

    Song GUO, An-Ni SHEN, Minyi GUO

    INVITED PAPER, Vol. E93-D No. 3, pp. 421-429

    Many applications of wireless sensor networks (WSNs) require secure group communications. WSNs are normally operated in unattended, harsh, or hostile environments. Adversaries may easily compromise some sensor nodes and abuse their shared keys to inject false sensing reports or modify the reports sent by other nodes. Once a malicious node is detected, the group key should be renewed immediately to preserve network security. Some strategies have been proposed for group rekeying protocols, but most existing schemes are not suitable for sensor networks due to their high overhead and poor scalability. In this paper, we propose a new group rekeying protocol for hierarchical WSNs with renewable network devices. Compared with existing schemes, our rekeying method possesses the following features that are particularly beneficial to resource-constrained large-scale WSNs: (1) robustness to the node capture attack, (2) reactive rekeying capability against malicious nodes, and (3) low communication and storage overhead.

  • Lightweight Props on the Weak Security of EPC Class-1 Generation-2 Standard

    Pedro PERIS-LOPEZ, Tieyan LI, Julio C. HERNANDEZ-CASTRO

    PAPER, Vol. E93-D No. 3, pp. 518-527

    In 2006 EPCglobal and the International Organization for Standardization (ISO) ratified the EPC Class-1 Generation-2 (Gen-2) and ISO 18000-6C standards, respectively. These efforts represented major advances toward universal standardization for low-cost RFID tags. However, a cause for concern is that security issues do not seem to be properly addressed. In this paper, we propose a new lightweight RFID tag-reader mutual authentication scheme for use under the EPCglobal framework. The scheme is based on previous work by Konidala and Kim. We attempt to mitigate the weaknesses observed in the original scheme and, at the same time, consider other possible adversarial threats as well as the constraints of low-cost RFID tags.

  • An Efficient Authentication Protocol for WLAN Mesh Networks in Trusted Environment

    Zhuo MA, Jianfeng MA, SangJae MOON, Xinghua LI

    PAPER, Vol. E93-D No. 3, pp. 430-437

    Trusted Network Connect provides platform authentication and integrity verification, which are crucial for enhancing the security of authentication protocols. However, applying this functionality directly to concrete authentication protocols is susceptible to unknown attacks and efficiency degradation. In this paper, we propose TWMAP, a novel authentication protocol for WLAN Mesh networks in a trusted environment that completes platform authentication and integrity verification during user authentication. The Schnorr asymmetric signature scheme is utilized to reduce the overhead of the client. The security properties of the new protocol are examined using the Universally Composable Security model. Analytic comparisons and simulation results show that the new protocol is very efficient in both computation and communication costs.

  • LOPP: A Location Privacy Protected Anonymous Routing Protocol for Disruption Tolerant Network

    Xiaofeng LU, Pan HUI, Don TOWSLEY, Juhua PU, Zhang XIONG

    PAPER, Vol. E93-D No. 3, pp. 503-509

    In this paper, we propose an anonymous routing protocol, LOPP, to protect the originator's location privacy in Delay/Disruption Tolerant Networks (DTNs). The goals of our study are to minimize the originator's probability of being localized (Pl) and maximize the destination's probability of receiving the message (Pr). The idea of LOPP is to divide a sensitive message into k segments and send each of them to n different neighbors. Although message fragmentation could reduce the destination's probability of receiving a complete message, LOPP can decrease the originator's Pl. We validate LOPP on a real-world human mobility dataset. The simulation results show that LOPP can decrease the originator's Pl by over 54% with only a 5.7% decrease in the destination's Pr. We address the physical localization issue of DTNs, which has not been studied in the literature.

  • A Memory-Efficient Pattern Matching with Hardware-Based Bit-Split String Matchers for Deep Packet Inspection

    HyunJin KIM, Hong-Sik KIM, Jung-Hee LEE, Jin-Ho AHN, Sungho KANG

    LETTER-Network Management/Operation, Vol. E93-B No. 2, pp. 396-398

    This paper proposes a hardware-based parallel pattern matching engine using a memory-based bit-split string matcher architecture. The proposed bit-split string matcher separates the transition table from the state table, so that state transitions towards the initial state are not stored. Therefore, total memory requirements can be minimized.

  • Oblivious Transfer from the Additive White Gaussian Noise Channel

    Motohiko ISAKA

    PAPER-Cryptography and Information Security, Vol. E93-A No. 2, pp. 516-525

    We consider the use of the additive white Gaussian noise channel to achieve information theoretically secure oblivious transfer. A protocol for this primitive that ensures the correctness and privacy for players is presented together with the signal design. We also study the information theoretic efficiency of the protocol, and some more practical issues where the parameter of the channel is unknown to the players.

  • Chosen Ciphertext Security with Optimal Ciphertext Overhead

    Masayuki ABE, Eike KILTZ, Tatsuaki OKAMOTO

    PAPER-Public Key Cryptography, Vol. E93-A No. 1, pp. 22-33

    Every public-key encryption scheme has to incorporate a certain amount of randomness into its ciphertexts to provide semantic security against chosen ciphertext attacks (IND-CCA). The difference between the length of a ciphertext and the embedded message is called the ciphertext overhead. While a generic brute-force adversary running in 2^t steps gives a theoretical lower bound of t bits on the ciphertext overhead for IND-CPA security, the best known IND-CCA secure schemes demand roughly 2t bits even in the random oracle model. Is the t-bit gap essential for achieving IND-CCA security? We close the gap by proposing an IND-CCA secure scheme whose ciphertext overhead matches the generic lower bound up to a small constant. Our scheme uses a variation of a four-round Feistel network in the random oracle model and hence belongs to the family of OAEP-based schemes. Possibly of independent interest is a new efficient method to encrypt long messages exceeding the length of the permutation while retaining the minimal overhead.

  • Anonymous Password-Authenticated Key Exchange: New Construction and Its Extensions

    SeongHan SHIN, Kazukuni KOBARA, Hideki IMAI

    PAPER-Secure Protocol, Vol. E93-A No. 1, pp. 102-115

    An anonymous password-authenticated key exchange (anonymous PAKE) protocol is designed to provide both password-only authentication and user anonymity against a semi-honest server, who follows the protocol honestly. Very recently, Yang and Zhang proposed a new anonymous PAKE (NAPAKE) protocol that is claimed to be efficient compared to previous constructions. In this paper, we propose a very efficient anonymous PAKE (called VEAP) protocol that is the most efficient of its kind in terms of computation and communication costs. The VEAP protocol guarantees semantic security of session keys in the random oracle model under the chosen-target CDH problem, and unconditional user anonymity against a semi-honest server. If pre-computation is allowed, both the user and the server are required to compute only one modular exponentiation each. Surprisingly, this is the same computation cost as the well-known Diffie-Hellman protocol, which does not provide authentication at all. In addition, we extend the VEAP protocol in two ways: the first is designed to reduce the communication costs of the VEAP protocol, and the second shows that stripping the anonymity parts from the VEAP protocol results in a new PAKE protocol.

  • A Cryptographic SoC for Robust Protection of Secret Keys in IPTV DRM Systems

    Sanghan LEE, Hae-Yong YANG, Yongjin YEOM, Jongsik PARK

    PAPER-Application, Vol. E93-A No. 1, pp. 194-201

    The security level of an Internet Protocol television (IPTV) digital rights management (DRM) system ultimately relies on the protection of secret keys. Well-known devices for key protection include smartcards and battery backup SRAMs (BB-SRAMs); however, these devices can be vulnerable to various physical attacks. In this paper, we propose a secure and cost-effective design of a cryptographic system on chip (SoC) that integrates the BB-SRAM with a cell-based design technique. The proposed SoC provides robust safeguards against physical attacks and satisfies the high-speed and low-price requirements of IPTV set-top boxes. Our implementation results show that the maximum encryption rate of the SoC is 633 Mb/s. In order to verify the data retention capabilities, we made a prototype chip using 0.18 µm standard cell technology. The experimental results show that the integrated BB-SRAM can reliably retain data with a 1.4 µA leakage current.

  • Tweakable Pseudorandom Permutation from Generalized Feistel Structure

    Atsushi MITSUDA, Tetsu IWATA

    PAPER-Symmetric Cryptography, Vol. E93-A No. 1, pp. 13-21

    Tweakable pseudorandom permutations have wide applications, such as disk sector encryption, and serve as the underlying primitive for efficient MACs and authenticated encryption schemes. Goldenberg et al. showed constructions of a tweakable pseudorandom permutation based on the Feistel structure. In this paper, we explore the possibility of designing tweakable pseudorandom permutations based on the Generalized Feistel Structure. We show that tweakable pseudorandom permutations can be obtained without increasing the number of rounds compared to the non-tweakable versions. We also present designs that take multiple tweaks as input.

  • High-Speed Passphrase Search System for PGP

    Koichi SHIMIZU, Daisuke SUZUKI, Toyohiro TSURUMARU

    PAPER-Application, Vol. E93-A No. 1, pp. 202-209

    We propose an FPGA-based high-speed search system for cryptosystems that employ a passphrase-based security scheme. We first choose PGP as an example of such a cryptosystem, clear several hurdles to high throughput, and develop a high-speed search system for it. As a result we achieve a throughput of 1.1 × 10^5 passphrases per second, which is 38 times the speed of the fastest software. Furthermore, we can perform many flexible passphrase generation strategies in addition to simple brute force, because we assign the passphrase generation operation to software. In fact, we implement both a brute-force and a dictionary-based generator, and obtain the same maximum throughput as above in both cases. We next consider the speed of passphrase generation in order to apply our system to cryptosystems other than PGP, and implement a hardware passphrase generator to achieve higher throughput. In the PGP case, the very heavy iteration of hashing, 1025 times in our case, lowers the total throughput linearly and makes the figure of 1.1 × 10^5 sufficient. In other cases without any such iteration structure, we have to generate even more passphrases, for example 10^8 per second. That can easily exceed the generation speed that software can offer, and thus we conclude that it is now necessary to place passphrase generation in hardware instead of software.

  • MPP Characteristics of Variants of Merkle-Damgård Iterated Hash Functions

    Shungo NAKAMURA, Tetsu IWATA

    PAPER-Hash Function, Vol. E93-A No. 1, pp. 93-101

    A Multi-Property-Preserving (MPP) hash function is a hash function that simultaneously preserves several security properties of the underlying compression function. The Merkle-Damgård with a Permutation (MDP) construction was shown to preserve unforgeability and the pseudorandom oracle property. In this paper, we consider the most basic security properties of hash functions, namely collision resistance, second-preimage resistance, and preimage resistance. We first show which of these properties are preserved by MDP in the dedicated-key setting. We also identify the properties preserved by four variants of MDP and five other variants of Merkle-Damgård iterated hash functions. As a result, for the ten hash functions we analyze, we obtain their complete MPP characteristics.

  • Security-Enhanced Fast Mobile IPv6 Handover

    Chang-Seop PARK

    LETTER-Internet, Vol. E93-B No. 1, pp. 178-181

    Motivated by the fact that the existing FMIPv6 security scheme has several weaknesses in terms of security and efficiency, we propose a security-enhanced fast mobile IPv6 in this letter. Based on the concept of a secret key-based CGA (Cryptographically Generated Address), we show how to establish a new security association between the MN and AR (Access Router) whenever a handover occurs. We also show that the proposed scheme is robust against several types of security attacks feasible with the existing scheme. Our scheme is more efficient in that it requires fewer public key operations.

  • Hash Functions and Information Theoretic Security

    Nasour BAGHERI, Lars R. KNUDSEN, Majid NADERI, Søren S. THOMSEN

    LETTER-Cryptography and Information Security, Vol. E92-A No. 12, pp. 3401-3403

    Information theoretic security is an important security notion in cryptography as it provides a true lower bound for attack complexities. However, in practice attacks often have a higher cost than the information theoretic bound. In this paper we study the relationship between information theoretic attack costs and real costs. We show that in the information theoretic model, many well-known and commonly used hash functions such as MD5 and SHA-256 fail to be preimage resistant.

  • Efficient Trapdoor Commitment as Secure as Factoring with Useful Properties

    Taek-Young YOUN, Young-Ho PARK, Jongin LIM

    LETTER-Application Information Security, Vol. E92-D No. 12, pp. 2520-2523

    Trapdoor commitment schemes are widely used for adding valuable properties to ordinary signatures or for enhancing the security of weakly secure signatures. In this letter, we propose a trapdoor commitment scheme based on the RSA function and prove its security under the hardness of integer factoring. Our scheme is very efficient in computing a commitment. In particular, it requires only three multiplications to evaluate a commitment when e=3 is used as the public exponent of the RSA function. Moreover, our scheme has two useful properties, key exposure freeness and strong trapdoor opening, which are useful for designing secure chameleon signature schemes and for converting a weakly secure signature into a strongly secure signature, respectively.

  • Low Cost Design of an Advanced Encryption Standard (AES) Processor Using a New Common-Subexpression-Elimination Algorithm

    Ming-Chih CHEN, Shen-Fu HSIAO

    PAPER-Embedded, Real-Time and Reconfigurable Systems, Vol. E92-A No. 12, pp. 3221-3228

    In this paper, we propose an area-efficient design of an Advanced Encryption Standard (AES) processor by applying a new common-subexpression-elimination (CSE) method to the sub-functions of the various transformations required in AES. The proposed method reduces the area cost of realizing the sub-functions by extracting the common factors in the bit-level XOR/AND-based sum-of-product expressions of these sub-functions using a new CSE algorithm. Cell-based implementation results show that the AES processor with our proposed CSE method has a significant area improvement compared with previous designs.

  • A Scan-Based Attack Based on Discriminators for AES Cryptosystems

    Ryuta NARA, Nozomu TOGAWA, Masao YANAGISAWA, Tatsuo OHTSUKI

    PAPER-Embedded, Real-Time and Reconfigurable Systems, Vol. E92-A No. 12, pp. 3229-3237

    A scan chain is one of the most important testing techniques, but it can also be used for side-channel attacks against a cryptographic LSI. We focus on scan-based attacks, in which scan chains are targeted for side-channel attacks. Conventional scan-based attacks only consider a scan chain composed solely of the registers in a cryptographic circuit. However, a cryptographic LSI usually contains many other circuits, such as memories and microprocessors. This means that the conventional attacks cannot be applied to a practical scan chain composed of various types of registers. In this paper, we propose a scan-based attack that makes it possible to decipher the secret key in an AES cryptographic LSI composed of an AES circuit and other circuits. By focusing on the bit pattern of a specific register and monitoring its change, our scan-based attack eliminates the influence of registers included in circuits other than AES. Our attack does not depend on the scan chain architecture, and it can decipher practical AES cryptographic LSIs.
