Results 1  10
of
13
StegoTorus: A camouflage proxy for the Tor anonymity system
, 2012
"... Internet censorship by governments is an increasingly common practice worldwide. Internet users and censors are locked in an arms race: as users find ways to evade censorship schemes, the censors develop countermeasures for the evasion tactics. One of the most popular and effective circumvention too ..."
Abstract

Cited by 27 (2 self)
 Add to MetaCart
(Show Context)
Internet censorship by governments is an increasingly common practice worldwide. Internet users and censors are locked in an arms race: as users find ways to evade censorship schemes, the censors develop countermeasures for the evasion tactics. One of the most popular and effective circumvention tools, Tor, must regularly adjust its network traffic signature to remain usable. We present StegoTorus, a tool that comprehensively disguises Tor from protocol analysis. To foil analysis of packet contents, Tor’s traffic is steganographed to resemble an innocuous cover protocol, such as HTTP. To foil analysis at the transport level, the Tor circuit is distributed over many shorterlived connections with perpacket characteristics that mimic coverprotocol traffic. Our evaluation demonstrates that StegoTorus improves the resilience of Tor to fingerprinting attacks and delivers usable performance.
The twistaugmented technique for key exchange
 In PKC ’06, LNCS 3958
, 2006
"... Abstract. Key derivation refers to the process by which an agreed upon large random number, often named master secret, is used to derive keys to encrypt and authenticate data. Practitioners and standardization bodies have usually used the random oracle model to get key material from a DiffieHellman ..."
Abstract

Cited by 18 (8 self)
 Add to MetaCart
(Show Context)
Abstract. Key derivation refers to the process by which an agreed upon large random number, often named master secret, is used to derive keys to encrypt and authenticate data. Practitioners and standardization bodies have usually used the random oracle model to get key material from a DiffieHellman key exchange. However, formal proofs in the standard model require randomness extractors to formally extract the entropy of the random master secret into a seed prior to derive other keys. Whereas this is a quite simple tool, it is not easy to use in practice —or it is easy to misuse it—. In addition, in many standards, the acronym PRF (PseudoRandom Functions) is used for several tasks, and namely the randomness extraction. While randomness extractors and pseudorandom functions are a priori distinct tools, we first study whether such an application is correct or not. We thereafter study DHkey exchange, in the cases of prime subgroups of Z ⋆ p (and namely where p is a safeprime) and of elliptic curves, since in IPSec, for example, only these groups are considered. We present very efficient and provable randomness extraction techniques for these groups under the DDH assumption. In the special case of elliptic curves, we present a new technique —the socalled ’TwistAUgmented’ technique — an alternative to randomness extractors which exploits specific properties of some elliptic curves. We finally compare the efficiency of this method with other solutions.
Elligator: Ellipticcurve points indistinguishable from uniform random strings
"... Censorshipcircumvention tools are in an arms race against censors. The censors study all traffic passing into and out of their controlled sphere, and try to disable censorshipcircumvention tools without completely shutting down the Internet. Tools aim to shape their traffic patterns to match unbloc ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
(Show Context)
Censorshipcircumvention tools are in an arms race against censors. The censors study all traffic passing into and out of their controlled sphere, and try to disable censorshipcircumvention tools without completely shutting down the Internet. Tools aim to shape their traffic patterns to match unblocked programs, so that simple traffic profiling cannot identify the tools within a reasonable number of traces; the censors respond by deploying firewalls with increasingly sophisticated deeppacket inspection. Cryptography hides patterns in user data but does not evade censorship if the censor can recognize patterns in the cryptography itself. In particular, ellipticcurve cryptography often transmits points on known elliptic curves, and those points are easily distinguishable from uniform random strings of bits. This paper introduces highsecurity highspeed ellipticcurve systems in which ellipticcurve points are encoded so as to be indistinguishable from uniform random strings. 1.
Key Derivation and Randomness Extraction
 In Crypto ’05
, 2005
"... Key derivation refers to the process by which an agreed upon large random number, often named master secret, is used to derive keys to encrypt and authenticate data. Practitioners and standardization bodies have usually used the random oracle model to get key material from a Di#eHellman key exch ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
(Show Context)
Key derivation refers to the process by which an agreed upon large random number, often named master secret, is used to derive keys to encrypt and authenticate data. Practitioners and standardization bodies have usually used the random oracle model to get key material from a Di#eHellman key exchange. However, proofs in the standard model require randomness extractors to formally extract the entropy of the random master secret into a seed prior to derive other keys.
A Formal Treatment of Backdoored Pseudorandom Generators
"... We provide a formal treatment of backdoored pseudorandom generators (PRGs). Here a saboteur chooses a PRG instance for which she knows a trapdoor that allows prediction of future (and possibly past) generator outputs. This topic was formally studied by Vazirani and Vazirani, but only in a limited fo ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
(Show Context)
We provide a formal treatment of backdoored pseudorandom generators (PRGs). Here a saboteur chooses a PRG instance for which she knows a trapdoor that allows prediction of future (and possibly past) generator outputs. This topic was formally studied by Vazirani and Vazirani, but only in a limited form and not in the context of subverting cryptographic protocols. The latter has become increasingly important due to revelations about NIST’s backdoored Dual EC PRG and new results about its practical exploitability using a trapdoor. We show that backdoored PRGs are equivalent to publickey encryption schemes with pseudorandom ciphertexts. We use this equivalence to build backdoored PRGs that avoid a well known drawback of the Dual EC PRG, namely biases in outputs that an attacker can exploit without the trapdoor. Our results also yield a number of new constructions and an explanatory framework for why there are no reported observations in the wild of backdoored PRGs using only symmetric primitives. We also investigate folklore suggestions for countermeasures to backdoored PRGs, which we call immunizers. We show that simply hashing PRG outputs is not an effective immunizer against an attacker that knows the hash function in use. Salting the hash, however, does yield a secure immunizer, a fact we prove using a surprisingly subtle proof in the random oracle model. We also give a proof in the standard model under the assumption that the hash function is a universal computational extractor (a recent notion introduced by Bellare, Tung, and Keelveedhi). 1
F.: Kleptographic weaknesses in BenalohTuinstra protocol
 in: 2nd International Conference on Systems and Networks CommunicationsICSNC '06, IEEE Comput. Soc
, 2006
"... ..."
(Show Context)
TapDance: EndtoMiddle Anticensorship without Flow Blocking
"... In response to increasingly sophisticated statesponsored Internet censorship, recent work has proposed a new approach to censorship resistance: endtomiddle proxying. This concept, developed in systems such as Telex, Decoy Routing, and Cirripede, moves anticensorship technology into the core of th ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
(Show Context)
In response to increasingly sophisticated statesponsored Internet censorship, recent work has proposed a new approach to censorship resistance: endtomiddle proxying. This concept, developed in systems such as Telex, Decoy Routing, and Cirripede, moves anticensorship technology into the core of the network, at large ISPs outside the censoring country. In this paper, we focus on two technical obstacles to the deployment of certain endtomiddle schemes: the need to selectively block flows and the need to observe both directions of a connection. We propose a new construction, TapDance, that removes these requirements. TapDance employs a novel TCPlevel technique that allows the anticensorship station at an ISP to function as a passive network tap, without an inline blocking component. We also apply a novel steganographic encoding to embed control messages in TLS ciphertext, allowing us to operate on HTTPS connections even under asymmetric routing. We implement and evaluate a TapDance prototype that demonstrates how the system could function with minimal impact on an ISP’s network operations. 1
On a New Formal Proof Model for RFID Location Privacy (Extended Version ⋆)
"... Abstract. We discuss a recently proposed formal proof model for RFID location privacy. We show that protocols which intuitively and in several other models are considered not to be location private, are provably location private in this model. Conversely, we also show that protocols which obviously ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
(Show Context)
Abstract. We discuss a recently proposed formal proof model for RFID location privacy. We show that protocols which intuitively and in several other models are considered not to be location private, are provably location private in this model. Conversely, we also show that protocols which obviously are location private, are not considered location private in this model. Specifically, we prove a protocol in which every tag transmits the same constant message to not be location private in the proposed model. Then we prove a protocol in which a tag’s identity is transmitted in clear text to be weakly location private in the model. Finally, we consider a protocol with known weaknesses with respect to location privacy and show it to be location private in the model.
Fault Attack on Elliptic Curve with Montgomery Ladder Implementation
"... In this paper, we present a new fault attack on elliptic curve scalar product algorithms. This attack is tailored to work on the classical Montgomery ladder method when the ycoordinate is not used. No weakness has been reported so far on such implementations, which are very efficient and were promo ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
(Show Context)
In this paper, we present a new fault attack on elliptic curve scalar product algorithms. This attack is tailored to work on the classical Montgomery ladder method when the ycoordinate is not used. No weakness has been reported so far on such implementations, which are very efficient and were promoted by several authors. But taking into account the twist of the elliptic curves, we show how, with few faults (around one or two faults), we can retrieve the full secret exponent even if classical countermeasures are employed to prevent fault attacks. It turns out that this attack has not been anticipated as the security of the elliptic curve parameters in most standards can be strongly reduced. Especially, the attack is meaningful on some NIST or SECG parameters.
Errata 20080910. Fault Attack on Elliptic Curve with Montgomery Ladder Implementation
"... In this paper, we present a new fault attack on elliptic curve scalar product algorithms. This attack is tailored to work on the classical Montgomery ladder method when the ycoordinate is not used. No weakness has been reported so far on such implementations, which are very efficient and were promo ..."
Abstract
 Add to MetaCart
(Show Context)
In this paper, we present a new fault attack on elliptic curve scalar product algorithms. This attack is tailored to work on the classical Montgomery ladder method when the ycoordinate is not used. No weakness has been reported so far on such implementations, which are very efficient and were promoted by several authors. But taking into account the twist of the elliptic curves, we show how, with few faults (around one or two faults), we can retrieve the full secret exponent even if classical countermeasures are employed to prevent fault attacks. It turns out that this attack has not been anticipated as the security of the elliptic curve parameters in most standards can be strongly reduced. Especially, the attack is meaningful on some NIST or SECG parameters.