Reports and Papers Archive

Page Content

Browse All Papers »       Submit A Paper »

Defending against Password Exposure using Deceptive Covert Communication

CERIAS TR 2015-3
Mohammed H. Almeshekah, Mikhail J. Atallah and Eugene H. Spafford
Download: PDF

The use of deception to enhance security has showed promising result as a defensive technique. In this paper we present an authentication scheme that better protects users’ passwords than in currently deployed password-based schemes, without taxing the users’ memory or damaging the user-friendliness of the lo- gin process. Our scheme maintains comparability with traditional password- based authentication, without any additional storage requirements, giving service providers the ability to selectively enroll users and fall-back to traditional methods if needed. The scheme utilizes the ubiquity of smartphones; however, unlike previous proposals it does not require registration or connectivity of the phones used. In addition, no long-term secrets are stored in any user’s phone, mitigating the consequences of losing it. Our design significantly increases the difficulty of launching a phishing attack by automating the decisions of whether a website should be trusted and introducing additional risk at the adversary side of being detected and deceived. In addition, the scheme is resilient against Man-in-the-Browser (MitB) attacks and compromised client machines. We also introduce a covert communication between the user’s client and the service provider. This can be used to covertly and securely communicate the user context that comes with the use of this mechanism. The scheme also incorporate the use of deception that make it possible to dismantle a large-scale attack infrastructure before it succeeds. As an added feature, the scheme gives service providers the ability to have full-transaction authentication.

Added 2015-02-13

ErsatzPasswords – Ending Password Cracking

CERIAS TR 2015-2
Mohammed H. Almeshekah, Christopher N. Gutierrez, Mikhail J. Atallah and Eugene H. Spafford
Download: PDF

In this work we present a simple, yet effective and practical, scheme to improve the security of stored password hashes rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server. The scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the hashed password file or any client modifications. When using the scheme the structure of the hashed passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme.1 However,when an attacker exfiltrates the hashed passwords file and tries to crack it, the only passwords he will get are the ersatzpasswords — the “fake passwords”. When an attempt to login using these ersatzpasswords is detected an alarm will be triggered in the system that someone attempted to crack the password file. Even with an adversary who knows the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme.

Added 2015-02-13

The Weakness of WinRAR Encrypted Archives to Compression Side-channel Attacks

CERIAS TR 2015-01
Kristine Arthur-Durett
Download: PDF

This paper explores the security of WinRAR encrypted archives.  Previous works concerning potential attacks against encrypted archives are studied and evaluated for practical implementation.  These attacks include passive actions examining the effects of compression ratios of archives and the files contained, the study of temporary artifacts and active man-in-the-middle attacks on communication between individuals.  An extensive overview of the WinRAR software and the functions implemented within it is presented to aid in understanding the intricacies of attacks against archives.
  Several attacks are chosen from the literature to execute on WinRAR v5.10.  Select file types are identified through the examination of compression ratios.  The appearance of a file in an archive is determined through both the appearance of substrings in the known area of an archive and the comparison of compression ratios.
  Finally, the author outlines a revised version of an attack that takes advantage of the independence between the compression and encryption algorithms.  While a previous version of this attack only succeeded in removing the encryption from an archive, the revised version is capable of fully recovering an original document from a encrypted compressed archive.  The advantages and shortcomings of these attacks are discussed and some countermeasures are briefly mentioned.

Added 2015-01-05

The Indiana Cybersecurity Services Center (INCSC): A Cost-Benefit Analysis for K-12 Schools

CERIAS TR 2014-9
Vargas Silva, Hans
Download: PDF

The aim of this thesis is to determine if there are greater benefits than costs associated in the participation of public K-12 school corporations in the Indiana Cybersecurity Services Center (INCSC). This thesis is an ex-ante cost-benefit analysis policy assessment of the INCSC. The study consisted of a sample of 6 school corporations from which 5 were classified as small and 1 was large. Three methods were considered for data collection; however conducting interviews was the most effective method due to the interaction with IT personnel from each organization in order to analyze current costs related to 4 areas of interest: (a) networking hardware; (b) Antivirus software; (c) computer hardware; (d) IT personnel. These costs were compared to those potential costs if products and/or services would be procured through the INCSC.

School corporations, with the goal to enhance their level of information security, would only receive benefit from participating in the INCSC when procuring networking equipment and Antivirus software. The author also recommends exploring the costs and legal implications of data breaches as well as considering insurance products.

—- Vargas Silva, Hans C. M.S. Purdue University, Decenber 2014. The Indiana Cybersecurity Services Center (INCSC): A Cost-Benefit Analysis for K-12 Schools. Mayor Professor: Melissa Dark.

Added 2014-12-31

DBMask: Fine-Grained Access Control on Encrypted Relational Databases

CERIAS TR 2013-21
Mohamed Nabeel, Muhammad I. Sarfraz, Jianneng Cao, Elisa Bertino
Download: PDF

For efficient data management and economic benefits, organizations are increasingly moving towards the paradigm of “database as a service” where their data are managed by a database management system (DBMS) hosted in a public cloud. However, data are the most valuable asset in an organization, and inappropriate data disclosure puts the organization’s business at risk. Therefore, data are usually encrypted in order to preserve their confidentiality. Past research has extensively investigated query processing on encrypted data. However, a naive encryption scheme negates the benefits provided by the use of a DBMS. In particular, past research efforts do not have adequately addressed flexible access control on encrypted data at different granularity levels which is critical when data are shared among different users and applications. Previous access control approaches in the best case only support as minimum granularity level the table column, by which the authorization is associated with an entire column within a table. Other approaches only support access control granularity at the database level, meaning that authorizations are associated with the entire database, and thus either a user can access the entire database or cannot access any data item. In this paper, we propose DBMask, a novel solution that supports fine-grained access control, including row and cell level access control, when evaluating SQL queries on encrypted data. Our solution does not require modification to the database engine, and thus maximizes the reuse of the existing DBMS infrastructures. Our experimental results show that our solution is efficient and scalable to large datasets.

Added 2014-12-22

Privacy in Social Messaging and Identity Management

CERIAS TR 2014-8
Ruchith Fernando
Download: PDF

Messaging systems, where a user maintains a set of contacts and broadcasts messages to them, are very common. In a situation where a user only sends messages directly to a set of online contacts, a contact might miss a message if it is not available to receive it directly from the user. This work addresses the problem of a trusted contact’s obtaining a message that it missed, from other trusted contacts of the user, while maintaining the anonymity of all participating contacts. A protocol is presented to facilitate this communication. An experimental framework is developed to evaluate various possible configurations of the entities involved.

The techniques developed to address the above problem are extended to address the problem of a user’s authenticating with a service provider while ensuring that multiple sessions are unlinkable. The proposed approach achieves this by setting up an authenticated secure channel between the user and the service provider. Information exchanged for the setup of this secure channel is unique over multiple authentications. The proposed protocol is further enhanced to accommodate service provider policies that use credentials with relationship constraints among them. In such cases, the service provider will not be able to analyze and identify sets of users who authenticate with different credential subsets. The proposed credential revocation scheme allows an identity provider to revoke user credentials without compromising user privacy, even while relying on a public channel. Moreover, these protocols do not require the identity provider to remain online during authentication and revocation. Finally, details on how to adapt the proposed identity management system to privately manage healthcare records is presented as an application of the proposed system.

Added 2014-11-16

Assured Information Sharing Life Cycle

Joshi, A. ; Kargupta, H. ; Yesha, Y. ; Sachs, J. ; Bertino, E. ; Ninghui Li ; Clifton, C. ; Spafford

This paper describes our approach to assured information sharing. The research is being carried out under a MURI 9Multiuniversity Research Initiative) project funded by the air force office of scientific research (AFOSR). The main objective of our project is: define, design and develop an assured information sharing lifecycle (AISL) that realizes the DoD’s information sharing value chain. In this paper we describe the problem faced by the department of defense and our solution to developing an AISL system.

Added 2014-10-31

Audlib: a configurable, high-fidelity application audit mechanism

Benjamin A. Kuperman Eugene H. Spafford

In this paper, we introduce Audlib, an extendable tool for generating security-relevant information on Unix systems. Audlib is a wrapper environment that generates application level audit information from existing executable programs. Audlib is not a detection system, instead it is designed to supplement existing audit systems and work transparently with them. Audlib records information that is not presently available from existing kernel-level audit sources. Here, we describe the design of the Audlib framework and the information it provides. We compare auditing the actions of a web server with Audlib to existing kernel audit sources and show that we have 2–4 times the throughput of Linux auditd and less than half the performance overhead of Solaris BSM while collecting detailed information about the server’s execution. Although Audlib is focused on recording security information, this technique can be used to collect data for a wide variety of purposes including profiling, dependency analysis, and debugging. Copyright © 2010 John Wiley & Sons, Ltd.

Added 2014-10-31

Reverse-safe authentication protocol for secure USB memories

Kyungroul Lee, Kangbin Yim, andEugene H. Spafford

USB memory devices are both portable and easily accessible, and have thus become one of the most popular forms of external storage device. However, if a USB device is lost, stolen, or hacked, it may lead to leakage of critical information. It is a logical outcome that malicious individuals will try to steal their colleagues’ USB memories. Consequently, various USB products with built-in security functions have been developed. To our knowledge, there has been little or no security analysis and comparison of these devices. This paper explores technological and architectural approaches to secure USB memories while analyzing their vulnerabilities, especially for resistance to reverse engineering attacks on the authentication protocols and data decryption. In this analysis, we classify vulnerabilities of these devices into 12 categories to summarize the current security situations on USB memories. Additionally, we derive a more secure authentication protocol based on our analysis. It is expected for secure USB products, including USB memory devices, to be revised with enhanced authentication protocols as a result of this effort. Copyright © 2012 John Wiley & Sons, Ltd.

Added 2014-10-31

Future Biometric Systems and Privacy

Shimon Modi and Eugene H. Spafford
Added 2014-10-31

New ventures help developers in fight against security flaws

Eugene H. Spafford

Two new ventures are aimed at helping web and software developers reduce the number of security vulnerabilities in their software.

The Interpolique framework from Recursion Ventures – set up by Dan Kaminsky, Michael Tiffany and Henry Bar-Levav – aims to help web developers eliminate vulnerabilities to SQL injection and cross-site scripting attacks.

A key method is to convert input from users into Base64, which means that any code or SQL instructions added by users cannot be executed. The framework also includes an extension to MySQL to decode the Base64 strings.

At the moment, the framework is experimental and Recursion is seeking feedback. In the meantime, Kaminsky has suggested using stored procedures or prepared SQL statements as a first line of defence. More info at:

Meanwhile, Veracode has updated its SecurityReview cloud-based application-security-testing service that allows developers to upload code and get back information about vulnerabilities and suggestions for fixing the problems. The new version offers additional APIs and reference integrations that support popular Java, .Net, C/C++, ColdFusion and PHP development environments.

Added 2014-10-31

USACM's policy role

Eugene H. Spafford
Added 2014-10-31

A distributed requirements management framework for legal compliance and accountability

Travis D. Breauxa, Annie I. Antóna, Eugene H. Spafford

Increasingly, new regulations are governing organizations and their information systems. Individuals responsible for ensuring legal compliance and accountability currently lack sufficient guidance and support to manage their legal obligations within relevant information systems. While software controls provide assurances that business processes adhere to specific requirements, such as those derived from government regulations, there is little support to manage these requirements and their relationships to various policies and regulations. We propose a requirements management framework that enables executives, business managers, software developers and auditors to distribute legal obligations across business units and/or personnel with different roles and technical capabilities. This framework improves accountability by integrating traceability throughout the policy and requirements lifecycle. We illustrate the framework within the context of a concrete healthcare scenario in which obligations incurred from the Health Insurance Portability and Accountability Act (HIPAA) are delegated and refined into software requirements. Additionally, we show how auditing mechanisms can be integrated into the framework and how auditors can certify that specific chains of delegation and refinement decisions comply with government regulations.

Added 2014-10-31

Data for Cybersecurity Research: Process and “Wish List”

Jean Camp, Lorrie Cranor, Nick Feamster, Joan Feigenbaum, Stephanie Forrest, Dave Kotz, Wenke Lee, P

This document identifies data needs of the security research community. This document is in response to a request for a “data wish list”. Because specific data needs will evolve in conjunction with evolving threats and research problems, we augment the wish list with commentary about some of the broader issues for data usage. We divide this document into two parts. Section 1 provides background on data collection as often practiced today and a few of its uses. Section 2 identifies the need for a process for ongoing data sharing with the research community, and then provides the wish list itself.

Added 2014-10-31

Planning and Integrating Deception into Computer Security Defenses∗

CERIAS TR 2014-7
Mohammed H. Almeshekah and Eugene H. Spafford
Download: PDF

Deceptive techniques played a prominent role in many hu- man conflicts throughout history. Digital conflicts are no different as the use of deception has found its way to com- puting since at least the 1980s. However, many computer defenses that uses deception were ad-hoc attempts to incor- porate deceptive elements in them. In this paper, we present a model that can be used to plan and integrate deception in computer security defenses. We present an overview of why deception fundamentally works and what are the essen- tial principles in using such techniques. We investigate the unique advantages deception-based mechanisms bring to tra- ditional computer security defenses. Furthermore, we show how our model can be used to incorporate deception to many part of computer systems and discuss how we can use such techniques effectively. A successful deception should present plausible alternative(s) to the truth and these should be de- signed to exploit specific adversaries’ biases. We investigate these biases and discuss how can they be used by presenting a number of examples.

Added 2014-10-31