Preimage attack on BioHashing
2013 International Conference on Security and Cryptography (SECRYPT)
Pub Date: 2013-07-29, DOI: 10.5220/0004524103630370
Patrick Lacharme, E. Cherrier, C. Rosenberger
Biometric recognition is more and more employed in authentication and access control of various applications. Biometric data are strongly linked with the user and do not allow revocability nor diversity, without an adapted post-processing. Cancelable biometrics, including the very popular algorithm BioHashing, is used to cope with the underlying privacy and security issues. The principle is to transform a biometric template in a BioCode, in order to enhance user privacy and application security. These schemes are used for template protection of several biometric modalities, as fingerprints or face and the robustness is generally related to the hardness to recover the original biometric template by an impostor. In this paper, we propose to use genetic algorithms to approximate the original biometric feature and spoof the authentication system. We show through experimental results on fingerprints the efficiency of the proposed attack on the BioHashing algorithm, by approximating the original FingerCode, given the seed and the corresponding BioCode.
An efficient approach to assessing the risk of zero-day vulnerabilities
2013 International Conference on Security and Cryptography (SECRYPT)
Pub Date: 2013-07-29, DOI: 10.1007/978-3-662-44788-8_19
Massimiliano Albanese, S. Jajodia, A. Singhal, Lingyu Wang
Abusing social networks with abuse reports: A coalition attack for social networks
2013 International Conference on Security and Cryptography (SECRYPT)
Pub Date: 2013-07-29, DOI: 10.5220/0004523005000505
S. Trabelsi, Hana Bouafif
In Social Network websites, the users can report the bad behaviors of other users. In order to do so, they can create a kind of escalation ticket called abuse report in which they detail the infraction made by the “bad” user and help the website moderator to decide on a penalty. Today Social Networks count billions of users, the handling of the abuse reports is no more executed manually by moderators; they currently rely on some algorithms that automatically block the “bad” users until a moderator takes care of the case. In this paper we purport to demonstrate how such algorithms are maliciously used by attackers to illegally block innocent victims. We also propose to automate such an attack to demonstrate the big damage that can be caused in current social network websites. We also took the case study of Facebook as proof of concept.
Instance-based anomaly method for Android malware detection
2013 International Conference on Security and Cryptography (SECRYPT)
Pub Date: 2013-07-29, DOI: 10.5220/0004529603870394
Borja Sanz, I. Santos, Xabier Ugarte-Pedrero, Carlos Laorden, J. Nieves, P. G. Bringas
The usage of mobile phones has increased in our lives because they offer nearly the same functionality as a personal computer. Besides, the number of applications available for Android-based mobile devices has increased. Android application distribution is based on a centralized market where the developers can upload and sell their applications. However, as it happens with any popular service, it is prone to misuse and, in particular, malware writers can use this market to upload their malicious creations. In this paper, we propose a new method that, based upon several features that are extracted from the AndroidManifest file of the legitimate applications, builds an anomaly detection system able to detect malware.
From a logical approach to internal states of Hash functions how SAT problem can help to understand SHA-⋆ and MD⋆
2013 International Conference on Security and Cryptography (SECRYPT)
Pub Date: 2013-07-29, DOI: 10.5220/0004534104350443
F. Legendre, Gilles Dequen, M. Krajecki
This paper deals with logical cryptanalysis of hash functions. They are commonly used to check data integrity and to authenticate protocols. These functions compute, from an any-length message, a fixed-length bit string, usually named digest. This work defines an experimental framework, that allows, thanks to the propositional formalism, to study cryptosystems at the bit level through corresponding instances of the SAT problem. Thus, we show that some internal words of popular hashing functions MD⋆ and SHA-⋆ are not as random as expected and provide some convincing elements to explain this phenomenon by the use of round constants. Because this presents several weaknesses, we show how to detect and exploit these ones through an application based on logical cryptanalysis. As a result we show equivalences, and quasi-equivalences between digits and explain how we inverse reduced-step versions of MD5 and SHA-1.
Dynamic proofs of retrievability from Chameleon-Hashes
2013 International Conference on Security and Cryptography (SECRYPT)
Pub Date: 2013-07-29, DOI: 10.5220/0004505102960304
S. Rass
Proofs of retrievability (POR) are interactive protocols that allow a verifier to check the consistent existence and availability of data residing at a potentially untrusted storage provider, e.g., a cloud. While most POR protocols strictly refer to static files, i.e., content that is read-only, dynamic PORs shall achieve the same security guarantees (existence, consistency and the possibility to retrieve the data) for content that is subject to an unlimited number of (legitimate) modifications. This work discusses how to construct such a dynamic proof of retrievability from chameleon hashes (trapdoor commitments). Like standard POR constructions, the presented scheme is sentinel-based and does audit queries via spot checking mechanism. Unlike previous schemes, however, a-posteriori insertions of new sentinels throughout the lifetime of the file is supported. This novel feature is apparently absent in any other POR scheme in the literature. Moreover, the system is designed for compatibility with XML structured data files.
A security-enhanced design methodology for embedded systems
2013 International Conference on Security and Cryptography (SECRYPT)
Pub Date: 2013-07-29, DOI: 10.5220/0004501000390050
A. Ferrante, Jelena Milosevic, Marija Janjusevic
Designing an embedded system is a complex process that involves working both on hardware and on software. Designers often optimize the systems that they design for specific applications; an optimal system is the one that can execute the desired set of applications with the required performances at the lowest possible cost. Cost may be expressed in different ways such as, for example, energy consumption and/or silicon area. Security is being, in the common practice, disregarded during this phase and inserted in later stages of the design process, thus obtaining non optimal and/or non safe systems. In this paper we propose a design methodology for embedded systems that integrate the choice of suitable design solutions into the early stages of the design process. The main purpose of this methodology is to provide a way to evaluate security as an additional optimization parameter. Along with a description of the methodology, in this paper we also show a case study that explains how the methodology can be applied and that proves its effectiveness.
Secure second price auctions with a rational auctioneer
2013 International Conference on Security and Cryptography (SECRYPT)
Pub Date: 2013-07-29, DOI: 10.5220/0004526101580169
Boaz Catane, A. Herzberg
We present novel security requirements for second price auctions and a simple, efficient and practical protocol that provably maintains these requirements. Novel requirements are needed because commonly used requirements, such as the indistinguishability-based secrecy requirement of encryption schemes presented by (Goldwasser and Micali, 1982), do not fit properly in the second price auctions context. Additionally, the presented protocol uses a trustworthy supervisor that checks if the auctioneer deviated from the protocol and fines him accordingly. By making sure the expected utility of the auctioneer when deviating from the protocol is lower than his expected utility when abiding by the protocol we ascertain that a rational auctioneer will abide by the protocol. This allows the supervisor to optimize by performing (computationally-intensive) inspections of the auctioneer with only low probability.
The usability of CAPTCHAs on smartphones
2013 International Conference on Security and Cryptography (SECRYPT)
Pub Date: 2013-07-29, DOI: 10.5220/0004533904270434
Gerardo Reynaga, S. Chiasson
Completely Automated Public Turing tests to tell Computers and Humans Apart (CAPTCHA) are challenge-response tests used on the web to distinguish human users from automated bots (von Ahn et al., 2004). In this paper, we present an exploratory analysis of the results obtained from a user study and a heuristic evaluation of captchas on smartphones; we aimed to identify opportunities and guide improvements for captchas on smartphones. Results showed that existing captcha schemes face effectiveness and user satisfaction problems. Among the more severe problems found were the need to often zoom and pan, and too small control buttons. Based on our results, we present deployment and design guidelines for captchas on smartphones.
A dynamic watermarking model for embedding reducible permutation graphs into software
2013 International Conference on Security and Cryptography (SECRYPT)
Pub Date: 2013-07-29, DOI: 10.5220/0004509600740085
Ioannis Chionis, Maria Chroni, Stavros D. Nikolopoulos
Software watermarking involves embedding a unique identifier or, equivalently, a watermark value, within a software to discourage software theft; towards the embedding process, several graph theoretic watermarking algorithmic techniques encode the watermark values as graph structures and embed them in application programs. Recently, we presented an efficient codec system for encoding a watermark number w as a reducible permutation graph F[π∗] through the use of self-inverting permutations π∗. In this paper, we propose a dynamic watermarking model for embedding the watermark graph F[π∗] into an application program P. The main idea behind the proposed watermarking model is a systematic use of appropriate calls of specific functions of the program P. More precisely, our model uses the dynamic call-graph G(P, Ikey) of the program P, taken by the specific input Ikey, and the graph F[π∗], and produces the watermarked program P∗ having the following key property: its dynamic call-graph G(P∗, Ikey) and the reducible permutation graph F[π∗] are isomorphic graphs. Within this idea the program P∗ is produced by only altering appropriate real-calls of specific functions of the input program P. Moreover, the proposed watermarking model incorporates such properties which cause it resilient to attacks.