Similar literature
20 similar documents found.
1.
We initiate a study of on-line ciphers. These are ciphers that can take input plaintexts of large and varying lengths and will output the i-th block of the ciphertext after having processed only the first i blocks of the plaintext. Such ciphers permit length-preserving encryption of a data stream with only a single pass through the data. We provide security definitions for this primitive and study its basic properties. We then provide attacks on some possible candidates, including CBC with fixed IV. We then provide two constructions, HCBC1 and HCBC2, based on a given block cipher E and a family of computationally AXU functions. HCBC1 is proven secure against chosen-plaintext attacks assuming that E is a PRP secure against chosen-plaintext attacks, while HCBC2 is proven secure against chosen-ciphertext attacks assuming that E is a PRP secure against chosen-ciphertext attacks.
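The fixed-IV CBC attack the abstract refers to, worked through as an added example (this is not code from the paper). CBC with a fixed IV is on-line and length-preserving, so it looks like a candidate; the problem is that each ciphertext block C_i is the output of E_K at the known input C_{i-1} xor P_i, which lets a chosen-plaintext attacker predict a future first block. The toy Feistel block cipher, the all-zero IV and the function names below are assumptions made so the script runs offline; the attack itself only needs oracle access to CBC encryption under an unknown key.

```python
"""Chosen-plaintext attack on CBC with a fixed IV, treated as an on-line cipher.

Added example, not code from the paper. E is a stand-in block cipher: a
4-round Feistel network on 16-byte blocks with a SHA-256 round function
(an assumption made for self-containment; the attack never needs E's
internals, only oracle access to CBC encryption under the unknown key).
"""
import hashlib
import os

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prp_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher (Feistel, so it is a permutation for every key)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def cbc_fixed_iv(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC with a fixed, public IV: C_i = E_K(C_{i-1} xor P_i), C_0 = IV.

    It is on-line (block i depends only on P_1..P_i) and length-preserving,
    which is exactly why it looks like an on-line cipher candidate.
    """
    assert len(plaintext) % BLOCK == 0
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        prev = prp_encrypt(key, xor(prev, plaintext[i:i + BLOCK]))
        out += prev
    return out


def predict_first_block(oracle, iv: bytes):
    """Two-query chosen-plaintext distinguisher against CBC with fixed IV.

    Query 1: P1 || P2  ->  C1 || C2, where C2 = E_K(C1 xor P2).
    The attacker now knows E_K at one input point, C1 xor P2, without the key.
    Query 2: P1' = IV xor C1 xor P2.  CBC outputs E_K(IV xor P1') = E_K(C1 xor P2) = C2,
    so the first ciphertext block is known before the query is made.
    Against a random on-line permutation the guess succeeds with probability 2^-128.
    Returns (predicted, observed) first ciphertext block of query 2.
    """
    p1, p2 = os.urandom(BLOCK), os.urandom(BLOCK)
    c = oracle(p1 + p2)
    c1, c2 = c[:BLOCK], c[BLOCK:]
    p1_prime = xor(xor(iv, c1), p2)
    observed = oracle(p1_prime + os.urandom(BLOCK))[:BLOCK]
    return c2, observed


def run_attack() -> bool:
    """Run the distinguisher against a fresh random key; True means CBC was broken."""
    key = os.urandom(16)
    iv = bytes(BLOCK)  # the fixed IV; its value is public
    predicted, observed = predict_first_block(lambda m: cbc_fixed_iv(key, iv, m), iv)
    return predicted == observed


if __name__ == "__main__":
    print("first block predicted correctly:", run_attack())
```

The attack does not depend on the IV being zero, only on it being fixed and known; a per-message random IV would defeat this particular query but would no longer be length-preserving, which is the constraint the on-line cipher setting imposes.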

2.
Key-Dependent Message Security: Generic Amplification and Completeness   Total citations: 1 (self-citations: 0, citations by others: 1)
Key-dependent message (KDM) secure encryption schemes provide secrecy even when the attacker sees encryptions of messages related to the secret key sk. Namely, the scheme should remain secure even when messages of the form f(sk) are encrypted, where f is taken from some function class $\mathcal{F}$. A KDM amplification procedure takes an encryption scheme which satisfies $\mathcal{F}$-KDM security, and boosts it into a $\mathcal{G}$-KDM secure scheme, where the function class $\mathcal{G}$ should be richer than $\mathcal{F}$. It was recently shown by Brakerski et al. (TCC 2011) and Barak et al. (EUROCRYPT 2010) that a strong form of amplification is possible, provided that the underlying encryption scheme satisfies some special additional properties. In this work, we prove the first generic KDM amplification theorem which relies solely on the KDM security of the underlying scheme without making any other assumptions. Specifically, we show that an elementary form of KDM security against functions in which each output bit either copies or flips a single bit of the key (a.k.a. projections) can be amplified into KDM security with respect to any function family that can be computed in arbitrary fixed polynomial time. Furthermore, our amplification theorem and its proof are insensitive to the exact setting of KDM security, and they hold in the presence of multiple keys and in the symmetric-key/public-key and the CPA/CCA cases. As a result, we can amplify the security of most known KDM constructions, including ones that could not be amplified before. Finally, we study the minimal conditions under which full-KDM security (with respect to all functions) can be achieved. We show that under a strong notion of KDM security, the existence of fully homomorphic encryption which allows encrypting the secret key (i.e., “cyclic-secure”) is not only sufficient for full-KDM security, as shown by Barak et al., but also necessary. On the other hand, we observe that for standard KDM security, this condition can be relaxed by adopting Gentry’s bootstrapping technique (STOC 2009) to the KDM setting.

3.
4.
This article presents a network-controlled approach to user terminal mobility within an IP-based Wireless LAN Access Network. In a first part, this article reviews mobility support, on the one hand in the emerging WLAN technologies HIPERLAN/2 and IEEE 802.11, and on the other hand in IP networks as currently studied within the IETF. Both types of IP mobility protocols are presented: global mobility protocols such as Mobile IP, and local mobility management protocols (micro-mobility). In the next part, the overall principles of our mobility management approach are explained; this approach is based on the implementation of a new network entity dedicated to the control of user terminal mobility. The last part details a practical implementation of this approach. The implementation is carried out on the basis of Hierarchical Mobile IPv6 (HMIPv6). The experimental results confirm the importance of carefully planning and controlling user terminal mobility within large IP-based Access Networks, as this benefits the user as well as the operator.

5.
Several sensitive applications deployed within wireless networks require group communications. A high level of security is often required in such applications, such as military or public security applications. The most suitable solution to ensure security in these services is the deployment of a group key management protocol adapted to the characteristics of MANETs, especially to the mobility of nodes. In this paper, we present the OMCT (Optimized Multicast Cluster Tree) algorithm for dynamic clustering of a multicast group, which takes into account both node localization and mobility, and optimizes energy and bandwidth consumption. Then, we show how we integrate OMCT within our group key management protocol Balade, in a sequential multi-source model. The integration of Balade and OMCT allows an efficient and fast key distribution process, validated through simulations by applying various mobility models (individual mobility and group mobility). The impact of the mobility model on the performance and behaviour of the group key management protocol Balade coupled with OMCT is also evaluated.

6.
This paper presents the details of the policy-based security and resource management architecture for Application Level Active Network (ALAN) servers. ALAN is an active network architecture which enables deployment of user-customised processes (proxylets), which enhance existing services or introduce new services to the end-user, on a select group of servers in an IP network. The issues of security and resource management in this scenario are of crucial importance so as to efficiently facilitate and control the resource consumption of user-specified processes on the active servers, as well as to protect the server platforms from unauthorised proxylet deployment or malevolent behaviour. The architecture allowing efficient resource and security control is presented in this paper, including detailed UML diagrams capturing the management functionality, as well as a set of concrete management policies for the ALAN scenario. Example XML policies are also given, and the deployment of this architecture in real-life trials is described. This development forms a part of a larger management architecture for ALAN-enabled networks developed in the context of the IST project ANDROID (Active Network DistRibuted Open Infrastructure Development).

7.
Mobile subscribers who wish to mutually authenticate with service providers on the Internet utilize existing identity management mechanisms, such as Microsoft .NET Passport, overlooking the existing trust relationship between the subscriber and the 3G mobile operator and increasing network resource consumption, in an environment that requires security mechanisms that are as lightweight as possible. Furthermore, knowledge, as well as the possession of an item, does not distinguish a person uniquely, revealing an inherent security weakness of PIN authentication mechanisms. This paper proposes a protocol (3GBioId) for implementing strong identity management for Internet applications over 3G mobile networks. 3GBioId introduces biometrics, as well as the principles of the Liberty Alliance, into the 3G mobile security architecture, targeting a more effective, secure and lightweight identity management alternative to the existing protocols. The results of a security, privacy, performance, usability and complexity evaluation indicate 3GBioId’s benefits and limits.

8.
Quark: A Lightweight Hash   Total citations: 1 (self-citations: 0, citations by others: 1)
The need for lightweight (that is, compact, low-power, low-energy) cryptographic hash functions has been repeatedly expressed by professionals, notably to implement cryptographic protocols in RFID technology. At the time of writing, however, no algorithm exists that provides satisfactory security and performance. The ongoing SHA-3 Competition will not help, as it concerns general-purpose designs and focuses on software performance. This paper thus proposes a novel design philosophy for lightweight hash functions, based on the sponge construction in order to minimize memory requirements. Inspired by the stream cipher Grain and by the block cipher KATAN (amongst the lightest secure ciphers), we present the hash function family Quark, composed of three instances: u-Quark, d-Quark, and s-Quark. As a sponge construction, Quark can be used for message authentication, stream encryption, or authenticated encryption. Our hardware evaluation shows that Quark compares well to previous tentative lightweight hash functions. For example, our lightest instance u-Quark conjecturally provides at least 64-bit security against all attacks (collisions, multicollisions, distinguishers, etc.), fits in 1379 gate-equivalents, and consumes on average 2.44 μW at 100 kHz in 0.18 μm ASIC. For 112-bit security, we propose s-Quark, which can be implemented with 2296 gate-equivalents with a power consumption of 4.35 μW.
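The two claims in the abstract that matter for an implementer are that a sponge needs only the b = r + c state bits of memory, and that the same permutation yields a hash, a MAC and a stream cipher. The following added example (not Quark's code: Quark's permutation is Grain/KATAN-based, whereas the 64-bit ARX-style toy permutation, 16-bit rate and 48-bit capacity below are assumptions chosen for readability) shows the sponge skeleton behind those claims: absorb rate-sized blocks with 10*1 padding, then squeeze. Only r bits of the state are ever exposed, which is also why keyed sponges are not subject to the length-extension issue of Merkle-Damgård MACs.

```python
"""Sponge construction: one permutation serving as hash, MAC and stream cipher.

Added example, not Quark's code: Quark's permutation is Grain/KATAN-based, while
the 64-bit ARX-style toy permutation, the 16-bit rate and the 48-bit capacity
below are assumptions chosen so the skeleton stays readable. Only the sponge
mechanics (absorb, 10*1 padding, squeeze) are the point; the toy is not secure.
"""
STATE_BITS = 64                  # b = r + c, the whole state the hardware must hold
RATE_BITS = 16                   # r: bits absorbed/squeezed per permutation call
RATE_BYTES = RATE_BITS // 8
SHIFT = STATE_BITS - RATE_BITS   # the rate part occupies the top r bits
MASK = (1 << STATE_BITS) - 1


def toy_permutation(state: int, rounds: int = 8) -> int:
    """Bijective 64-bit mixing: odd multiply (invertible mod 2^64) and xorshifts."""
    for i in range(rounds):
        state = (state * 0x9E3779B97F4A7C15 + i + 1) & MASK
        state ^= state >> 29
        state ^= (state << 17) & MASK
    return state


def pad10star1(msg: bytes) -> bytes:
    """Multi-rate padding: 0x01, zero bytes up to a rate boundary, last byte |= 0x80."""
    padded = bytearray(msg) + b"\x01"
    while len(padded) % RATE_BYTES:
        padded.append(0)
    padded[-1] |= 0x80
    return bytes(padded)


def sponge(data: bytes, out_len: int) -> bytes:
    """Absorb all of data, then squeeze out_len bytes. Only r bits ever leave the state."""
    state = 0
    padded = pad10star1(data)
    for i in range(0, len(padded), RATE_BYTES):
        block = int.from_bytes(padded[i:i + RATE_BYTES], "big")
        state = toy_permutation(state ^ (block << SHIFT))
    out = b""
    while len(out) < out_len:
        out += (state >> SHIFT).to_bytes(RATE_BYTES, "big")
        state = toy_permutation(state)
    return out[:out_len]


def sponge_hash(msg: bytes, digest_len: int = 8) -> bytes:
    return sponge(msg, digest_len)


def sponge_mac(key: bytes, msg: bytes, tag_len: int = 8) -> bytes:
    """Keyed sponge: the key (length-prefixed, key shorter than 256 bytes) is absorbed
    first. The c capacity bits never leave the state, so a forger holding a tag cannot
    resume absorbing to extend the message."""
    return sponge(bytes([len(key)]) + key + msg, tag_len)


def sponge_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream encryption: squeeze a keystream from (key, nonce) and XOR. Symmetric."""
    keystream = sponge(bytes([len(key)]) + key + nonce, len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))
```

With a real design the security bound is governed by the capacity (roughly c/2 bits against generic attacks), which is why the abstract's 64-bit and 112-bit security claims for u-Quark and s-Quark go together with their state sizes; the toy above has a 48-bit capacity and a weak permutation and should not be used for anything but following the mechanics.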

9.
10.
When remote ATM sites communicate through an ATM public network, a number of security problems arise, such as hacking, eavesdropping and traffic tampering. This paper proposes three contributions to these security problems. Firstly, risks due to ATM technology usage are detailed. Secondly, a survey of existing techniques aiming at securing ATM communications is presented, with emphasis on the ATM Forum’s security specifications. Thirdly, a new solution called Safe (which stands for Solution for an ATM Frequent communications Environment), developed in the Démostène project, is described. Safe realizes both a firewall’s filtering functions and communications protection over the ATM network. The main idea of Safe is to use signaling (UNI 3.1) as a means to exchange security information over the network. This idea has been implemented and introduced to the ATM Forum.

11.
Wireless Local Area Network technologies have undergone important technological and commercial development. The multiplicity of standards and the variety of domains of use make it necessary to deal with different technologies that can be seen either as competing or as complementary. In this article, after positioning the different types of wireless networks (IEEE 802.11, HomeRF, HIPERLAN/2, Bluetooth) for mass-market and professional applications, some generalities are briefly recalled, such as centralised and ad-hoc architectures, regulatory constraints in the 2.45 and 5 GHz frequency bands used for WLAN, typical ranges, mobility and security features and limitations. Then the different IEEE (802.11, 802.11a and 802.11b) and ETSI (HIPERLAN/2) standards are described in detail, as well as their foreseen evolutions. It appears that the 802.11 family of standards would benefit from the currently existing products to evolve smoothly while integrating new features (broadband 802.11a physical layer, radio features necessary to meet European regulatory requirements, future introduction of Quality of Service schemes…). In the meantime, HIPERLAN/2, which has been specified as a complete system, already supports most of those important features and can be adapted to various kinds of higher network layers. Lastly, it is shown that the interworking schemes between 3G cellular systems and WLAN currently under investigation in 3GPP and ETSI BRAN should in the future permit easy operation of wide-area mobile networks based on multiple access technologies.

12.
SSL/TLS is currently the most deployed security protocol on the Internet. SSL/TLS provides end-to-end secure communications between two entities with authentication and data protection. However, what is missing from the protocol is a way to provide the non-repudiation service. In this paper, we describe a generic implementation of the non-repudiation service as an optional module in the SSL/TLS protocol. This approach provides both parties with evidence that the transaction has taken place, and a clear separation from application design and development. We discuss the motivation for our approach and our proposed architecture.

13.
This article outlines the economic feasibility for mobile operators of combining nationwide mobility with 3G networks and hot-spot coverage with WLANs. The WLANs are based on the HIPERLAN/2 architecture and the UMTS network exploits WCDMA/FDD technology. The evaluated business scenarios are focused on two different deployment areas, in terms of demographic characteristics and mobile penetration: a large and a small European country. The business case spans 2002 to 2011, with UMTS’ roll-out year in 2002 and WLAN’s in 2004, covering indoor hot-spot areas (stations, airports, stadiums, etc.) where demand is high. The demand for this UMTS-WLAN roaming case is evaluated based on observations from Europe’s current mobile market and its evolution. Usage scenarios of different service packages corresponding to both residential and business markets have been taken into account. Direct investments and operational costs as well as revenue streams from traffic have been calculated. The methodology and the tool developed in the ACTS-TERA [1] and IST-TONIC [2] projects have been utilized for this case study. Economic conclusions have been derived, presented and discussed using key profitability factors. Profitability for all scenarios and business profiles has been calculated, presented and discussed. It includes a sensitivity analysis in order to identify the major opportunities and threats for specific service sets, as well as critical parameters and uncertainties. A wide audience, from mobile operators and service providers to retail companies interested in entering the 3G market, can exploit this information.

14.
The DiffServ Assured Forwarding (AF) Per-Hop Behavior (PHB) Group defines differentiated forwarding of packets in four independent classes, each class having three levels of drop precedence. Specific end-to-end services based on this PHB are still being defined. A particular type of service that could assure a given rate to a traffic aggregate has been outlined elsewhere. In such a service, a fair distribution of bandwidth is one of the main concerns. This paper presents experimental work carried out to evaluate how AF distributes bandwidth among flows under different load conditions and traffic patterns. We focused on the effect that marking mechanisms have on bandwidth sharing among flows within a single AF class. The traffic types we used include UDP flows, individual and aggregated TCP flows, a mix of TCP and UDP, TCP sessions with heterogeneous round-trip times, as well as color-blind and color-aware re-marking at the aggregation point for TCP flows. Tests were performed on real and simulated networks. We have found certain conditions under which AF distributes bandwidth fairly among non-adaptive UDP flows and TCP aggregates. Finally, we evaluate a basic rule for setting the parameters of the two-rate Three-Color Marker conditioning algorithm (trTCM) in order to achieve a better bandwidth distribution for TCP flows.
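The marker whose parameters the abstract tunes is the two-rate Three Color Marker of RFC 2698, and both re-marking modes it mentions (color-blind and color-aware) are defined there. The following is an added example implementing that standard algorithm, not the paper's code or its parameter rule: two token buckets, Tc filled at the committed rate up to CBS and Tp filled at the peak rate up to PBS, decide whether a packet is marked green, yellow or red (the three AF drop precedences). The rates, burst sizes, packet sizes and arrival times used in the demo functions are constructed sample input.

```python
"""Two-rate Three Color Marker (trTCM, RFC 2698) as used to set AF drop precedence.

Added example, not the paper's code. The rates, burst sizes, packet sizes and
arrival times are constructed sample input. Green/yellow/red correspond to the
three AF drop precedences (low/medium/high).
"""
GREEN, YELLOW, RED = "green", "yellow", "red"


class TrTCM:
    """RFC 2698 marker with two token buckets: Tc (committed) and Tp (peak)."""

    def __init__(self, cir: float, pir: float, cbs: int, pbs: int, color_aware: bool = False):
        if pir < cir:
            raise ValueError("PIR must be >= CIR")
        self.cir, self.pir = cir, pir                # bytes per second
        self.cbs, self.pbs = cbs, pbs                # bucket capacities in bytes
        self.tc, self.tp = float(cbs), float(pbs)    # both buckets start full
        self.color_aware = color_aware
        self.last = 0.0

    def _refill(self, now: float) -> None:
        """Tc grows at CIR up to CBS and Tp at PIR up to PBS since the last packet."""
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tc = min(self.cbs, self.tc + self.cir * elapsed)
        self.tp = min(self.pbs, self.tp + self.pir * elapsed)

    def mark(self, size: int, now: float, precolor: str = GREEN) -> str:
        """Mark one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        # Red: pre-coloured red (colour-aware mode only) or not enough peak tokens.
        if (self.color_aware and precolor == RED) or self.tp < size:
            return RED
        # Yellow: pre-coloured yellow (colour-aware only) or not enough committed tokens.
        if (self.color_aware and precolor == YELLOW) or self.tc < size:
            self.tp -= size
            return YELLOW
        self.tc -= size
        self.tp -= size
        return GREEN


def mark_sequence(marker: TrTCM, packets):
    """packets: iterable of (arrival_time, size_bytes[, precolor]). Returns the colours."""
    return [marker.mark(p[1], p[0], *p[2:]) for p in packets]


def demo_color_blind():
    """Four 1000-byte packets at t=0 then one at t=1 s, with CIR 1000 B/s, PIR 2000 B/s,
    CBS 1500 B, PBS 3000 B: the burst exhausts Tc after one packet and Tp after three,
    and one second of refill restores enough for a green packet again."""
    marker = TrTCM(cir=1000, pir=2000, cbs=1500, pbs=3000)
    packets = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (0.0, 1000), (1.0, 1000)]
    return mark_sequence(marker, packets)


def demo_color_aware():
    """In colour-aware mode an upstream yellow or red mark is never promoted."""
    marker = TrTCM(cir=1000, pir=2000, cbs=1500, pbs=3000, color_aware=True)
    return mark_sequence(marker, [(0.0, 100, YELLOW), (0.0, 100, GREEN), (0.0, 100, RED)])
```

The difference between the two modes is exactly what an aggregation point sees: a color-blind re-marker can upgrade traffic that an upstream marker already demoted, whereas a color-aware one can only keep or worsen the incoming colour.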

15.
A Distributed Denial of Service (DDoS) attack consumes the resources of a remote host or network by sending a massive amount of IP packets from many distributed hosts. It is a pressing problem on the Internet, as demonstrated by recent attacks on major e-commerce servers and ISPs. Since the attack is distributed and the attack tools evolve at a rapid and alarming rate, an effective solution must be formulated using a distributed and adaptive approach. In this paper, we propose a countermeasure against DDoS attacks using a method we call Active Shaping. Our method employs Active Networks technologies, which incorporate programmability into network nodes. Active Networks technology enables us to deter the congestion and bandwidth consumption of the backbone network caused by DDoS attacks, and to prevent our system from mistakenly dropping packets of legitimate users. This paper introduces the concept of our method and its system design, and evaluates the effectiveness of our method using a prototype.

16.
We show that, assuming the existence of collision-resistant hash functions, every language in NP has a constant-round public-coin zero-knowledge argument that remains secure under unbounded parallel composition (a.k.a. parallel zero knowledge). Our protocol is a variant of Barak’s zero-knowledge argument (FOCS 2001), and has a non-black-box simulator. This result stands in sharp contrast with the recent result by Pass, Tseng and Wikström (CRYPTO 2010) showing that only languages in BPP have public-coin parallel zero-knowledge arguments with black-box simulators.

17.
Speech coders operating at low bit rates necessitate efficient encoding of the linear predictive coding (LPC) coefficients. Line Spectral Frequency (LSF) parameters are currently one of the most efficient choices of transmission parameters for the LPC coefficients. In this paper, an optimized trellis coded vector quantization (TCVQ) scheme for encoding the LSF parameters is presented. Since the selection of a proper distortion measure is the most important issue in the design and operation of the encoder, an appropriate weighted distance measure has been used during the TCVQ construction process. We further applied the optimized TCVQ system to encoding the LSF parameters of the US Federal Standard (FS1016) 4.8 kbps speech coder. At lower bit rates, objective and subjective evaluation results show that the incorporated LSF TCVQ encoder performs better than the 34 bits/frame LSF scalar quantizer used originally in the FS1016 coder. The subjective tests also reveal that the 27 bits/frame scheme produces perceptual quality equivalent to that obtained when the LSF parameters are unquantized.

18.
We study the effect of Explicit Congestion Notification (ECN) on TCP for relatively large but finite file transfers in IP networks, and compare it to other congestion avoidance mechanisms, namely Drop Tail (DT) and Random Early Detection (RED). We use simulation to measure TCP performance for transfers initiated by a varying number of end hosts. In contrast to previous work, we focus on situations in which all nodes in the network operate uniformly under the same mechanism (DT, RED or ECN). Our results show that under such uniform conditions ECN does not necessarily lead to significant improvement in TCP goodput, although in no case does it lead to an actual degradation in performance. Our results also show that, with ECN, TCP flows benefit from lower overhead for unsuccessful transmissions. Furthermore, lockouts are largely avoided. In other words, in an all-ECN network resources are shared more fairly. Finally, we show that global synchronization is no longer an issue, and argue that current TCP versions have essentially solved the problem, regardless of the queue management scheme employed.

19.
Attribute-based encryption (ABE) has been envisioned as a promising cryptographic primitive for realizing secure and flexible access control. However, ABE is being criticized for its high scheme overhead, as extensive pairing operations are usually required. In this paper, we focus on improving the efficiency of ABE by leveraging a previously overlooked fact, i.e., the often-found hierarchical relationships among the attributes that are inherent to many access control scenarios. As the first research effort along this direction, we coin the notion of hierarchical ABE (HABE), which can be viewed as the generalization of traditional ABE in the sense that both definitions are equal when all attributes are independent. We further give a concrete HABE construction considering a tree hierarchy among the attributes, which is provably secure. More importantly, our construction exhibits significant improvements over traditional ABE when attribute hierarchies exist.

20.
This paper deals with uplink Direct-Sequence Code Division Multiple Access (DS-CDMA) transmissions over mobile radio channels. A new interference cancellation scheme for multiuser detection, called SIC/RAKE, is presented. It is based on a modified multistage Successive Interference Cancellation (SIC) structure that enables efficient detection in multipath propagation environments, thanks to a single-user RAKE receiver incorporated in each unit of the SIC structure. Furthermore, a modified version of the SIC structure, called SIC/MMSE, that ensures convergence to the MMSE detector rather than to the decorrelating detector, is suggested. The convergence of the SIC/RAKE and SIC/MMSE methods is proved. Simulations for the Universal Mobile Telecommunication System (UMTS) have been carried out over flat-fading Rayleigh multipath channels, showing that the proposed detector is resistant to the near-far effect and that a low performance loss is obtained compared to the single-user bound.

Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号