We present a related family of authentication and digital signature protocols based on symmetric cryptographic primitives which perform substantially better than previous constructions. Previously, one-time digital signatures based on hash functions involved hundreds of hash function computations for each signature; we show that given online access to a timestamping service, we can sign messages using only two computations of a hash function. Previously, techniques to sign infinite streams involved one such one-time ...
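To make the cost the abstract refers to concrete, the following added example (written for this page, not code from the paper) implements a Lamport one-time signature, the classic hash-based construction that the abstract's scheme improves on. It instruments the hash function so the counts can be measured: key generation costs 2N hashes and verification N + 1 hashes for an N-bit message digest, which is where the "hundreds of hash function computations" come from. The SHA-256 choice and the `exposed_pairs` helper are assumptions for this illustration; they are not part of the paper.

```python
import hashlib
import secrets

N = 256  # bits in the message digest; one preimage pair per digest bit

_hash_calls = 0  # counts hash-function computations so the cost can be measured


def H(data: bytes) -> bytes:
    """SHA-256 with a call counter (assumed hash function for this example)."""
    global _hash_calls
    _hash_calls += 1
    return hashlib.sha256(data).digest()


def reset_hash_count() -> None:
    global _hash_calls
    _hash_calls = 0


def hash_count() -> int:
    return _hash_calls


def keygen():
    # Private key: N pairs of random 32-byte preimages.
    # Public key: their hashes, so key generation costs 2N hash computations.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def digest_bits(message: bytes):
    # Yield the N bits of H(message), most significant bit first (one hash).
    for byte in H(message):
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def sign(sk, message: bytes):
    # For each digest bit, reveal the preimage at that position; the key must
    # never be used again, because every signature leaks half of it.
    return [sk[i][b] for i, b in enumerate(digest_bits(message))]


def verify(pk, message: bytes, sig) -> bool:
    # Hash each revealed preimage and compare it with the public key entry
    # selected by the digest bit: N + 1 hash computations on a valid signature.
    if len(sig) != N:
        return False
    return all(H(s) == pk[i][b]
               for i, (b, s) in enumerate(zip(digest_bits(message), sig)))


def exposed_pairs(m1: bytes, m2: bytes) -> int:
    # Signing two different messages with one key reveals both preimages at every
    # position where the digests differ, letting a forger sign any message whose
    # digest agrees with one of the two elsewhere. This is why the key is one-time.
    return sum(a != b for a, b in zip(digest_bits(m1), digest_bits(m2)))


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"pay 10 EUR to Bob"
    sig = sign(sk, msg)
    reset_hash_count()
    print("valid:", verify(pk, msg, sig), "hashes to verify:", hash_count())
```

The signature itself is N preimages of 32 bytes each (8 KiB for N = 256), and the public key is twice that; the timestamping-based scheme in the abstract attacks the computation cost, while Merkle-tree and Winternitz variants attack the size.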
Interconnected computing systems, in various forms, will soon permeate our lives, realizing the Internet of Things (IoT) and allowing us to enjoy novel, enhanced services that promise to improve our everyday life. Nevertheless, this new reality introduces significant challenges in terms of performance, scaling, usability and interoperability. Leveraging the benefits of Service Oriented Architectures (SOAs) can help alleviate many of the issues that developers, implementers and end-users alike have to face in the context of the IoT. This work presents Node.DPWS, a novel implementation of the Devices Profile for Web Services (DPWS) based on the Node.js platform. As such, Node.DPWS is the first DPWS library being made available to Node.js developers and can be used to deploy lightweight, efficient and scalable Web Services over heterogeneous nodes, including devices with limited resources. A performance evaluation on typical embedded devices validates the benefits of Node.DPWS compared to alternative DPWS toolkits.
Interconnected computing systems, in various forms, are expected to permeate our lives, realizing the vision of the Internet of Things (IoT) and allowing us to enjoy novel, enhanced services that promise to improve our everyday lives. Nevertheless, this new reality also introduces significant challenges in terms of performance, scaling, usability and interoperability. Leveraging the benefits of Service Oriented Architectures (SOAs) can help alleviate many of the issues that developers, implementers and end-users have to face in the context of the IoT. This work presents Node.DPWS, a novel implementation of the Devices Profile for Web Services (DPWS) based on the Node.js platform. Node.DPWS can be used to deploy lightweight, efficient and scalable Web Services over heterogeneous nodes, including devices with limited resources. The performance of the presented work is evaluated on typical embedded devices, including comparisons with implementations created using alternative DPWS toolk...
Password hashing is the common approach for maintaining users' password-related information that is later used for authentication. A hash of each password is calculated and maintained at the service provider end. When a user logs in to the service, the hash of the given password is computed and compared with the stored hash. If the two hashes match, the authentication is successful. However, in many cases the passwords are just hashed with a plain cryptographic hash function or even stored in the clear. These poor password protection practices have led to efficient attacks that expose users' passwords. PBKDF2 is the only standardized construction for password hashing. Other widely used primitives are bcrypt and scrypt. The small number of available methods drove the international cryptographic community to conduct the Password Hashing Competition (PHC). The competition aims to identify new password hashing schemes suitable for widespread adoption. It started in 2013 with 22 active submissions...
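The contrast the abstract draws, as an added example that is not from the paper: a bare unsalted SHA-256 beside a PBKDF2-HMAC-SHA256 store with a random per-user salt, an iteration count and a constant-time comparison, plus the one-pass wordlist attack that the unsalted variant permits. The `alg$iterations$salt$dk` record format and the iteration count are assumptions chosen for this illustration, not a standard.

```python
import hashlib
import hmac
import os


# The poor practice the abstract describes: a bare, unsalted cryptographic hash.
def weak_store(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(weak_store(password), stored)


# Why it fails: with no salt, one hash per wordlist entry is computed once and
# reused against every leaked record, and a single SHA-256 per guess is cheap.
def crack_weak(leaked_hashes, wordlist):
    table = {weak_store(w): w for w in wordlist}  # one pass over the wordlist
    return {h: table[h] for h in leaked_hashes if h in table}


# PBKDF2-HMAC-SHA256 with a 16-byte random salt and a tunable iteration count.
# Record format (assumed for this example): pbkdf2_sha256$iterations$salt_hex$dk_hex
DEFAULT_ITERATIONS = 600_000  # work factor; raise it as attacker hardware improves


def pbkdf2_store(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    try:
        alg, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed sample data: two leaked unsalted hashes and a tiny wordlist.
    leaked = [weak_store("password123"), weak_store("letmein")]
    print("cracked:", crack_weak(leaked, ["123456", "password123", "letmein"]))
    record = pbkdf2_store("correct horse battery staple")
    print("pbkdf2 ok:", pbkdf2_verify("correct horse battery staple", record))
```

The salt forces the attacker to redo the whole wordlist per user, and the iteration count makes each guess cost as much as a legitimate login; `hashlib.scrypt` offers the memory-hard alternative the abstract mentions, with the same store-and-verify shape.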
Embedded systems are routinely deployed in critical infrastructures nowadays, and therefore their security is increasingly important. The above, combined with the pressing requirement of deploying massive numbers of low-cost and low-energy embedded devices, stimulated the evolution of lightweight cryptography and other green-computing security mechanisms. New crypto-primitives are being proposed that offer moderate security and produce compact hardware and software implementations. In this paper, we present a lightweight authenticated encryption scheme based on the integrated hardware implementation of the lightweight block cipher PRESENT and the lightweight hash function SPONGENT. The presented combination of a cipher and a hash function is appropriate for implementing authenticated encryption schemes, which are commonly utilized in one-way and mutual authentication protocols. We exploit their inner structure to discover hardware elements usable by both primitives, thus reducing the ci...
The evolution of embedded systems and their use in everyday activities drives the development of lightweight cryptography. Widely used crypto-libraries are too large to fit on constrained devices, like sensor nodes. Also, such libraries provide redundant functionality, as each lightweight and ultra-lightweight application utilizes a limited and specific set of crypto-primitives and protocols. In this paper we present the ULCL crypto-library for embedded systems. It is a compact software cryptographic library, optimized for space and performance. The library is a collection of open source ciphers (27 primitives overall). We implement a common lightweight API for utilizing all primitives and a user-friendly API for users that aren't familiar with cryptographic applications. One of the main novelties is the configurable compilation process: a user can compile the exact set of crypto-primitives that are required to implement a lightweight application. The library is implemente...
The need to manage embedded systems, brought forward by the wider adoption of pervasive computing, is particularly vital in the context of secure and safety-critical applications. This work presents RT-SPDM, a framework for the real-time management of devices populating ambient environments. The proposed framework utilizes a formally validated approach to reason about the composability of heterogeneous embedded systems, evaluate their current security, privacy and dependability levels based on pre-defined metrics, and manage them in real time. An implementation of Event Calculus is used in the Jess rule engine in order to model the ambient environment context and the rule-based management procedure. The reasoning process is modeled as an agent's behavior and applied on an epistemic multi-agent reasoner for ambient intelligence applications. Agents monitor distinct embedded systems and are deployed as OSGi bundles to enhance the real-time management of embedded devices. A Service Orie...
Embedded Systems account for a wide range of products and are employed in various heterogeneous domains, including but not limited to: industrial systems (e.g. manufacturing plants), critical environments (e.g. military and avionics), nomadic environments (e.g. personal wearable nodes), private spaces (e.g. residences) and public infrastructures (e.g. airports). These devices often need to access, store, manipulate and/or communicate sensitive or even critical information, making the security of their resources and services an imperative concern in their design. The problem is exacerbated by their resource constraints and their diversified application settings, which frequently require unattended operation in physically insecure environments and dynamic network formation, in conjunction with the ever-present need for smaller size and lower production costs. This paper provides an overview of the challenges in Embedded Systems security, pertaining to node hardware and software as well as r...
Parallel programming utilizing Graphics Processing Units (GPUs) is a well-tried practice for drastically reducing the computation time in computation-intensive domains. Security tools are an indicative example of this application of GPUs. In this paper a lightweight and efficient GPU-accelerated hashing and hash lookup mechanism is presented, utilizing the CUDA General Purpose GPU (GPGPU) toolkit. The core of the system computes the digests of files using a CUDA-optimized SHA-3 hashing mechanism. The digests are stored in a data structure so that integrity and/or file-matching checks can take place, depending on the application scenario. The work includes a comparative analysis of three types of data structures (hash table, tree, and array) to identify the most appropriate for this specific domain. Several applications of the system are identified, including anti-malware intrusion detection, network malware monitoring, disk image verification and duplicate file identification. We develop ...
2014 6th International Conference on New Technologies, Mobility and Security (NTMS), 2014
The procedure to prove that a system-of-systems is composable and secure is a very difficult task. Formal methods are mathematically-based techniques used for the specification, development and verification of software and hardware systems. This paper presents a model-based framework for dynamic embedded system composition and security evaluation. Event Calculus is applied for modeling the security behavior of a dynamic system and calculating its security level with the progress in time. The framework includes two main functionalities: composition validation and derivation of security and performance metrics and properties. Starting from an initial system state and given a series of further composition events, the framework derives the final system state as well as its security and performance metrics and properties. We implement the proposed framework in an epistemic reasoner, the rule engine JESS with an extension of DECKT for the reasoning process, and the Java programming language.
2013 ACS International Conference on Computer Systems and Applications (AICCSA), 2013
Utilizing multi-cores is now the norm in order to increase performance while also saving energy. The need to break the physical limits of uniprocessing (by branch prediction or RAW dependencies etc.) while being cost and power effective at the same time was the motivation for the scientific and industrial communities to focus on multi-processor architectures. However, the parallelization of existing applications has very frequently proved to be a cumbersome task, and in many cases the parallel application is slower than the original serial one. This work demonstrates the parallelization of one high-end bioinformatics application (multiple sequence alignment for amino acid or nucleotide sequences, "MAFFT") as well as a novel security application (fingerprint recognition, "NBIS") on a highly parallel, yet very low cost, system. We initially demonstrate the method for parallelizing the applications and then we focus on the end performance. One application is significantly accelerated when the 7 cores of the system are utilized, whereas the other cannot get any gain when being ported to more than one core; we also demonstrate certain optimization techniques. We believe that this paper can act as a guideline for programmers that need to port their serial code to a parallel machine.
2013 23rd International Conference on Field programmable Logic and Applications, 2013
Encryption algorithms utilized in mobile communication systems have been under attack since their introduction, and many of these attacks have been successful in practical settings. One such example, A5/1 used in GSM, was attacked using "Rainbow Tables", i.e. pre-computed tables that trade long offline computation and large storage for runtime efficiency when cracking the code. Traditionally, Rainbow Tables were used to reverse password hashes. Their application against A5/1 opened up a new domain of exploitation. In this paper, we present an FPGA-based architecture for the efficient creation of Rainbow Tables for the A5/3 block cipher that is used in 2nd and 3rd generation mobile communication systems. The overall goal is to extract the encryption key, provided we have a ciphertext block under a known-plaintext attack. The presented architecture exploits the parallelism in the Rainbow Table creation process, and using a Virtex-5 LX330T achieves speedups of around 9x and 550x for one and 64 compute engines respectively. We show that, due to the limited available memory in our experimental setup, our approach achieves high success rates for a key space reduced to 2^42. We then demonstrate how we can seamlessly extend the proposed architecture to efficiently create much larger Rainbow Tables for the full key space.
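The time-memory trade-off the abstract builds on, as an added example that is not the paper's design: rainbow-table construction and lookup for a known-plaintext key recovery, where each chain alternates the cipher with a column-dependent reduction function and only the chain endpoints are stored. Everything here is a constructed stand-in so it runs offline: a 16-bit key space instead of the A5/3 key, a 32-bit keyed digest instead of the cipher, a fixed known plaintext block, deterministic start points, and the `walk`, `build_table`, `lookup` and `success_rate` names. The paper's FPGA engines parallelize exactly the chain-walking loop in `build_table`.

```python
import hashlib

KEY_BITS = 16                   # toy key space of 2^16 keys (A5/3 is far larger)
KEYSPACE = 1 << KEY_BITS
KNOWN_PT = b"known-plaintext"   # constructed known plaintext, fixed for the whole table


def encrypt(key: int, pt: bytes = KNOWN_PT) -> bytes:
    # Toy stand-in for the block cipher under a known plaintext: a 32-bit keyed digest.
    return hashlib.sha256(key.to_bytes(2, "big") + pt).digest()[:4]


def reduce_(ct: bytes, column: int) -> int:
    # Column-dependent reduction mapping a ciphertext back into the key space.
    # Using a different reduction per column is what makes a table "rainbow"
    # and limits chain merges compared with classic Hellman tables.
    return (int.from_bytes(ct, "big") + column) & (KEYSPACE - 1)


def start_key(j: int) -> int:
    # Deterministic, distinct chain start points (constructed for reproducibility).
    return (j * 2654435761) & (KEYSPACE - 1)


def walk(key: int, steps: int, first_column: int = 0) -> int:
    # Advance a chain: key -> encrypt -> reduce, one step per column.
    for col in range(first_column, first_column + steps):
        key = reduce_(encrypt(key), col)
    return key


def build_table(chains: int, length: int):
    # Offline phase: store only endpoint -> start points; chain interiors are
    # recomputed on demand. Production tables discard merged chains; here every
    # start sharing an endpoint is kept so no covered key is lost.
    table = {}
    for j in range(chains):
        s = start_key(j)
        table.setdefault(walk(s, length), []).append(s)
    return table


def lookup(table, ct: bytes, length: int):
    # Online phase: assume the target ciphertext sits at column i, finish the
    # chain from there, and test whether the endpoint is in the table; then
    # regenerate the candidate chain to confirm (false alarms are possible).
    for i in range(length - 1, -1, -1):
        end = walk(reduce_(ct, i), length - 1 - i, i + 1)
        for s in table.get(end, ()):
            k = s
            for col in range(length):
                c = encrypt(k)
                if c == ct:
                    return k          # key reproducing the ciphertext
                k = reduce_(c, col)
    return None                       # key not covered by this table


def success_rate(table, length: int, sample: int) -> float:
    # Fraction of the first `sample` keys recovered; memory (chains) and chain
    # length trade against this rate, which is the effect the abstract reports.
    hits = 0
    for key in range(sample):
        ct = encrypt(key)
        found = lookup(table, ct, length)
        if found is not None and encrypt(found) == ct:
            hits += 1
    return hits / sample


if __name__ == "__main__":
    T = 32
    table = build_table(2000, T)
    target = walk(start_key(7), 5)    # a key known to lie on chain 7
    print("recovered:", lookup(table, encrypt(target), T), "true:", target)
    print("success rate over 100 keys:", success_rate(table, T, 100))
```

The lookup costs about `length**2 / 2` cipher calls per ciphertext, the table costs `chains * length` calls to build, and coverage falls short of `chains * length / KEYSPACE` because of chain merges; shrinking the key space, as the paper does to fit its memory budget, is what turns a partial table into a high success rate.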
Papers by Harry Manifavas