Subversion-resilient signature schemes
We provide a formal treatment of security of digital signatures against subversion attacks (SAs). Our model of subversion generalizes previous work in several directions, and is inspired by the proliferation of software attacks (e.g., malware and buffer overflow attacks), and by the recent revelations of Edward Snowden about intelligence agencies trying to surreptitiously sabotage cryptographic algorithms. The main security requirement we put forward demands that a signature scheme should remain unforgeable even in the presence of an attacker applying SAs (within a certain class of allowed attacks) in a fully-adaptive and continuous fashion. Previous notions---e.g., security against algorithm-substitution attacks introduced by Bellare et al. (CRYPTO '14) for symmetric encryption---were non-adaptive and non-continuous.
In this vein, we show both positive and negative results for constructing subversion-resilient signature schemes.

Negative results. As our main negative result, we show that a broad class of randomized schemes is unavoidably insecure against SAs, even if using just a single bit of randomness. This improves upon earlier work that was only able to attack schemes with a larger randomness space. When designing our attack we consider undetectability to be an explicit adversarial goal, meaning that the end-users (even the ones knowing the signing key) should not be able to detect that the signature scheme was subverted.

Positive results. We complement the above negative results by showing that signature schemes with unique signatures are subversion-resilient against all attacks that meet a basic undetectability requirement. A similar result was shown by Bellare et al. for symmetric encryption, who proved the necessity of relying on stateful schemes; in contrast, unique signatures are stateless, and in fact they are among the fastest and most established digital signatures available.
We finally show that it is possible to devise signature schemes secure against arbitrary tampering with the computation, by making use of an un-tamperable cryptographic reverse firewall (Mironov and Stephens-Davidowitz, EUROCRYPT '15), i.e., an algorithm that "sanitizes" any signature given as input (using only public information). The firewall we design makes it possible to protect so-called re-randomizable signature schemes (which include unique signatures).
While our study is mainly theoretical, given its strong practical motivation we believe that our results have important implications in practice and might influence the way digital signature schemes are selected or adopted in standards and protocols.
Automatic Deployment of Specification-based Intrusion Detection in the BACnet Protocol
Specification-based intrusion detection (SB-ID) is a suitable approach to monitor Building Automation Systems (BASs) because the correct and non-compromised functioning of the system is well understood. Its main drawback is that the creation of specifications often requires human intervention. We present the first fully automated approach to deploy SB-ID at network level. We do so in the domain of BASs, specifically, the BACnet protocol (ISO 16484-5). In this protocol, properly certified devices are required to have technical documentation stating their capabilities. We leverage those documents to create specifications that represent the expected behavior of each device in the network. Automated specification extraction is crucial to effectively apply SB-ID in volatile environments such as BACnet networks, where new devices are often added, removed, or replaced. In our experiments, the proposed algorithm creates specifications with both precision and recall above 99.5%. Finally, we evaluate the capabilities of our detection approach using two months (80GB) of BACnet traffic from a real BAS. Additionally, we use synthetic traffic to demonstrate attack detection in a controlled environment. We show that our approach not only contributes to the practical feasibility of SB-ID in BASs, but also detects stealthy and dangerous attacks.
Privacy and Big Data: The Need for a Multi-Stakeholder Approach for Developing an Appropriate Privacy Regulation in the Age of Big Data
This paper presents a multi-stakeholder approach for developing an appropriate privacy regulation in the age of big data. We develop our argument in five steps, starting (1) with a review of the current academic debate on privacy regulation. We analyze a dysfunctional mutual excludability between the suggestions of the supporters of a regulation orchestrated by governments, and the supporters of internet self-regulation. (2) To overcome this conflict, we argue that the framework for developing an appropriate privacy regulation should not only focus on formal and procedural aspects (e.g., who might develop and implement it) but should also include some important substantive aspects to protect users and promote socially beneficial big data applications. (3) After examining substantive aspects of a functional privacy regulation, we examine how the process leading to an appropriate regulation might be organized. In addition, we discuss how an organization might be designed to conduct this process. In our argument, stakeholder dialogues and an independent "privacy organization" are relevant parameters. (4) We discuss the potential structure of a privacy organization that might conduct multi-stakeholder dialogues as a preliminary step. This organization could then govern and monitor the implementation of a privacy regulation that was defined by the stakeholder dialogues. (5) Finally, we discuss our findings and suggestions.

This paper presents a multi-stakeholder approach for developing a functional regulation of privacy in the age of big data. The argument is developed in five steps: (1) First, the current international academic debate on the interplay of big data and privacy is briefly sketched. The paper identifies a conflict, dysfunctional for regulation, between the proposals of the proponents of state regulation and the adherents of internet self-regulation.
(2) An approach to an appropriate privacy regulation should not only consider formal-legal aspects, such as who should develop and implement the regulation, but also substantive aspects, in order to protect users and to promote the societal benefits of big data applications. (3) Building on this, the paper presents formal-legal considerations on how an appropriate substantive regulation can be achieved. In this context it discusses how an organization can be designed to support this process. Stakeholder dialogues and an independent "Privacy Organization" are required for this. (4) The paper then presents how the organizational structure of a "Privacy Organization" could be set up and how, as a first step, it could conduct a multi-stakeholder dialogue. This organization could also accompany and monitor the implementation of the regulation arrived at through the stakeholder dialogues. (5) Finally, the findings and proposals of this paper are discussed.
