Similar literature
 Found 20 similar documents; search took 265 ms
1.
The radio link connecting users to network services is one of the most sensitive parts of mobile networks. This wireless channel is not protected physically to prevent unauthorized access to the carried information. Therefore, network providers use a security mechanism mainly based on cryptographic algorithms. For example, data protection (confidentiality) in the second and third generations of mobile networks is ensured using the A5/3 encryption algorithm (f8 function) standardized by the Third Generation Partnership Project (3GPP). In this work, we defined two main objectives for obtaining an optimized architecture of the A5/3 algorithm. The first one focuses on the optimization of the algorithm’s kernel (the KASUMI block cipher) by simplifying its internal architecture. The second one aims at the optimization of the A5/3 algorithm using a single block of the simplified KASUMI, unlike the standard A5/3 algorithm based on five blocks of the basic KASUMI. As a result, good performance has been achieved by considering the tradeoff between high throughput and required hardware logic resources compared to previous works. The proposed architecture was implemented on several Xilinx Virtex Field Programmable Gate Arrays (FPGA) technology devices. The synthesis results obtained after place and route have demonstrated the feasibility and efficiency of our solution. This promising technique can be applied to provide real-time data protection on embedded applications of mobile networks.

2.

In mobile wireless broadcast networks, XML data is encrypted before it is sent over the broadcast channel in order to ensure the confidentiality of XML data. In these networks, mobile clients must not have access to all the XML data; rather they should have access to some parts of the XML data that are relevant to them and to which they are authorized to have access. In this paper, a new encrypted XML data stream structure is proposed which supports the confidentiality of XML data over the broadcast channel. In our proposed stream structure, the size of encrypted XML data stream is reduced by grouping the paths, XML nodes, texts, and attributes together. The proposed structure includes several indexes to skip from irrelevant data over the broadcast channel. The experimental results demonstrate that the use of our proposed stream structure efficiently disseminates XML data in mobile wireless broadcast networks in a secure manner and the indexes in our proposed stream structure improve the performance of XML query processing over the encrypted XML data stream.


3.
If you do not have the time to read that excellent book Implementing IPsec, Making Security Work on VPNs, Intranets and Extranets (Kaufman, E. and Newman, A., Wiley, 1999), perhaps you do have time to fine hone your learning curve and access a more potted version at http://csrc.nist.gov/ipsec. Firstly, let us remind ourselves about the security services that IPsec provides: data origin authentication, connectionless integrity, replay protection, data confidentiality, limited traffic flow confidentiality and key negotiation and management.

4.
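Research on Network Communication Security Based on Digital Signature Technology   Total citations: 8, self-citations: 0, citations by others: 8
With the rapid development and widespread adoption of the Internet, higher requirements are placed on network communication security. Digital signature technology plays an extremely important role in ensuring the integrity, privacy and non-repudiation of data, and occupies an especially important position. This article introduces digital signature technology and the DES encryption algorithm and their application in network communication security, and designs a secure network communication scheme based on digital signature technology.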

5.
Min-Min is a popular heuristic for scheduling tasks to heterogeneous computational resources, which has been applied either directly or as part of more sophisticated heuristics. However, for large scenarios such as grid computing platforms, the time complexity of a straightforward implementation of Min-Min, which is quadratic in the number of tasks, may be prohibitive. This has motivated the development of high performance computing (HPC) implementations, and the use of simpler heuristics for the sake of acceptable execution times. We propose a simple algorithm that implements Min-Min requiring only O(mn) operations for scheduling n tasks on m machines. Our experiments show, in practice, that a straightforward sequential implementation of this algorithm significantly outperforms other state of the art implementations of Min-Min, even compared to HPC implementations. In addition, the proposed algorithm is at least as suitable for parallelization as a direct implementation of Min-Min.

6.
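Research on Secure Data Aggregation in Wireless Sensor Networks   Total citations: 1, self-citations: 0, citations by others: 1
How to guarantee the confidentiality and integrity of data during aggregation, computation, storage and forwarding is the core issue of wireless sensor network security research. Addressing this core issue, the paper first analyzes the security threats faced during data aggregation in wireless sensor networks, and then puts forward the basic requirements for secure data aggregation. On the basis of a self-organizing ring structure, it proposes a new secure data aggregation scheme for wireless sensor networks and analyzes the performance and security of the scheme.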

7.
Cloud storage is an incipient technology in today’s world. Lack of security in cloud environment is one of the primary challenges faced these days. This scenario poses new security issues and it forms the crux of the current work. The current study proposes Secure Interactional Proof System (SIPS) to address this challenge. This methodology has a few key essential components listed herewith to strengthen the security such as authentication, confidentiality, access control, integrity and the group of components such as AVK Scheme (Access List, Verifier and Key Generator). It is challenging for every user to prove their identity to the verifier who maintains the access list. Verification is conducted by following Guillou-Quisquater protocol which determines the security level of the user in multi-step authentication process. Here, RSA algorithm performs the key generation process while the proposed methodology provides data integrity as well as confidentiality using asymmetric encryption. Various methodological operations such as time consumption have been used as performance evaluators in the proposed SIPS protocol. The proposed solution provides a secure system for firm data sharing in cloud environment with confidentiality, authentication and access control. Stochastic Timed Petri Net (STPN) evaluation tool was used to verify and prove the formal analysis of SIPS methodology. This evidence established the effectiveness of the proposed methodology in secure data sharing in cloud environment.

8.
Irregular parallel algorithms pose a significant challenge for achieving high performance because of the difficulty predicting memory access patterns or execution paths. Within an irregular application, fine-grained synchronization is one technique for managing the coordination of work; but in practice the actual performance for irregular problems depends on the input, the access pattern to shared data structures, the relative speed of processors, and the hardware support of synchronization primitives. In this paper, we focus on lock-free and mutual exclusion protocols for handling fine-grained synchronization. Mutual exclusion and lock-free protocols have received a fair amount of attention in coordinating accesses to shared data structures from concurrent processes. Mutual exclusion offers a simple programming abstraction, while lock-free data structures provide better fault tolerance and eliminate problems associated with critical sections such as priority inversion and deadlock. These synchronization protocols, however, are seldom used in parallel algorithm designs, especially for algorithms under the SPMD paradigm, as their implementations are highly hardware dependent and their costs are hard to characterize. Using graph-theoretic algorithms for illustrative purposes, we show experimental results on two shared-memory multiprocessors, the IBM pSeries 570 and the Sun Enterprise 4500, that irregular parallel algorithms with efficient fine-grained synchronization may yield good performance.

9.
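At present people frequently use mobile communications to exchange information, and the security of information in communication systems and the security of network resource usage are becoming increasingly important. This work focuses on the security of mobile communication systems. First, it analyzes the 3G security architecture in detail, outlines 3G security threats, security principles, goals and requirements, analyzes the security features of 3G, and discusses mechanisms in the 3G access network such as authentication and key agreement, data confidentiality services and data integrity services. Then it studies the 3G encryption algorithm KASUMI, describes the principles and structure of the algorithm in detail, and carries out a program simulation of the KASUMI algorithm.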

10.
The paper describes the problem of unauthorized access to the data processed in distributed grid computing networks. Existing implementations of entity authentication mechanisms in grid systems are analyzed, and their disadvantages are considered. An approach to the use of group signature schemes, which prevents unauthorized access to a computing environment and provides the integrity of transferred data, is proposed.

11.
The radio link is a broadcast channel used to transmit data over mobile networks. Because of the sensitivity of this network part, a security mechanism is used to ensure users’ information. For example, the third generation of mobile network security is based on the KASUMI block cipher, which is standardized by the Third Generation Partnership Project (3GPP). This work proposes an optimized and enhanced implementation of the KASUMI block cipher based on a chaotic generator. The purpose is to develop an efficient ciphering algorithm with better performance and good security robustness while preserving the standardization. The proposed design was implemented on several Xilinx Virtex Field Programmable Gate Arrays (FPGA) technologies. The synthesis results and a comparison with previous works prove the performance improvement of the proposed cipher block in terms of throughput, used hardware logic resources, and resistance against most cryptanalysis attacks.

12.
With the revolution of the Internet technology, smart-sensing applications and the Internet of Things (IoT) are coupled in critical missions. Wireless sensor networks (WSNs), for example, present the main enabling technology in IoT architectures and extend the spectrum of their smart applications. However, this technology has limited resources and suffers from several vulnerabilities and security issues. Since the wireless networks used by this technology are deployed in open areas, several challenges are faced by the service provider in terms of privacy and the quality of service. Encryption can be a good solution to preserve confidentiality and privacy, but it raises serious problems concerning time latency and performance. In this paper, we propose an agile framework that enables authentication, confidentiality and integrity while collecting the sensed data by using elliptic curve cryptography.

13.
Abstract

There is a level of sensitivity to almost all data, but what is most important — keeping sensitive data sensitive or guaranteeing the integrity of the data? When it comes to sensitivity or integrity, access control models have provided several options. Yet, wouldn't a combination of access control models provide a more desirable result than just settling for one? Is it possible to have a slice of data sensitivity with a dollop of data integrity? In finding the answer to this question it must be understood exactly what an access control model is and, in terms of sensitivity and integrity, which models provide the best security.

14.
Technological trends and the advent of worldwide networks, such as the Internet, have made computing systems more and more powerful, increasing both processing and storage capabilities. In Grid computing infrastructures, the data storage subsystem is physically distributed among several nodes and logically shared among several users. This highlights the necessity of a) availability for authorized users only, b) confidentiality, and c) integrity of information and data: in one term security. In this work we face the problem of data security in Grid, by proposing a lightweight cryptography algorithm combining the strong and highly secure asymmetric cryptography technique (RSA) with the symmetric cryptography (AES). The proposed algorithm, which we named Grid secure storage system (GS3), has been implemented on top of the Grid file access library (GFAL) of the gLite middleware, in order to provide a file system service with cryptography capability and POSIX interface. The choice of implementing GS3 as a file system, the GS3FS, also allows the file system structure to be protected, and overcomes the well-known problem of file rewriting in gLite/GFAL environments. In the specification of the GS3FS, particular care is taken to provide a usable user interface and to implement a file system that has low impact on the middleware. The final result is the introduction of a new storage Grid service into the gLite middleware, whose overall characteristics have never been offered before, to the best of the authors’ knowledge. The paper describes and details both the GS3 algorithm and its implementation; the performance of this implementation is evaluated, discussing the obtained results and possible application scenarios in order to demonstrate its effectiveness and usefulness.

15.
Network flow control mechanisms that are aware of global conditions potentially can achieve higher performance than flow control mechanisms that are only locally aware. Owing to high implementation overhead, globally-aware flow control mechanisms in their purest form are seldom adopted in practice, leading to less efficient simplified implementations. In this paper, we propose an efficient implementation of a globally-aware flow control mechanism, called Critical Bubble Scheme, for k-ary n-cube networks. This scheme achieves near-optimal performance with the same minimal buffer requirements of globally-aware flow control and can be further generalized to implement the general class of buffer occupancy-based network flow control. We prove deadlock freedom of the proposed scheme and exploit its use in handling protocol-induced deadlocks in on-chip environments. We evaluate the proposed scheme using both synthetic traffic and real application loads. Simulation results show that the proposed scheme can reduce the buffer access component of packet latency by as much as 62% over locally-aware flow control, and improve average packet latency by 18.8% and overall execution time by 7.2% in full system simulation.

16.
There has been a host of research works on wireless sensor networks (WSN) for medical applications. However, the major shortcoming of these efforts is a lack of consideration of data management. Indeed, the huge amount of highly sensitive data generated and collected by medical sensor networks introduces several challenges that existing architectures cannot solve. These challenges include scalability, availability and security. Furthermore, WSNs for medical applications provide useful and real information about patients’ health state. This information should be available for healthcare providers to facilitate response and to improve the rescue process of a patient during emergency. Hence, emergency management is another challenge for medical wireless sensor networks. In this paper, we propose an innovative architecture for collecting and accessing large amounts of data generated by medical sensor networks. Our architecture overcomes all the aforementioned challenges and makes information sharing between healthcare professionals easy in normal and emergency situations. Furthermore, we propose an effective and flexible security mechanism that guarantees confidentiality, integrity as well as fine-grained access control to outsourced medical data. This mechanism relies on Ciphertext Policy Attribute-based Encryption (CP-ABE) to achieve high flexibility and performance. Finally, we carry out extensive simulations showing that our scheme provides an efficient, fine-grained and scalable access control in normal and emergency situations.

17.
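With the development of mobile technology, more and more staff no longer handle daily business only in the office; they have begun to use mobile terminals such as mobile phones, PDAs and laptops to access their organization's internal resources and applications over public communication networks. However, such access over public networks also introduces new security threats to the organization's network, and traditional terminal VPNs can no longer meet the secure-access needs of current mobile terminals such as smartphones and tablets. On the one hand, there is the question of how to guarantee, in an open network, security requirements such as mobile terminal user identity and access security, data confidentiality, and the consistency and integrity of mobile communication transmission; on the other hand, since mobile terminals are easily lost, there is the question of how to guarantee the security of data stored on the mobile terminal. Therefore, this paper describes the security architecture of mobile systems based on the Android architecture and the security threats they face, and proposes some corresponding preventive measures.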

18.
Moving data between processes has often been discussed as one of the major bottlenecks in parallel computing—there is a large body of research, striving to improve communication latency and bandwidth on different networks, measured with ping-pong benchmarks of different message sizes. In practice, the data to be communicated generally originates from application data structures and needs to be serialized before communicating it over serial network channels. This serialization is often done by explicitly copying the data to communication buffers. The message passing interface (MPI) standard defines derived datatypes to allow zero-copy formulations of non-contiguous data access patterns. However, many applications still choose to implement manual pack/unpack loops, partly because they are more efficient than some MPI implementations. MPI implementers on the other hand do not have good benchmarks that represent important application access patterns. We demonstrate that the data serialization can consume up to 80% of the total communication overhead for important applications. This indicates that most of the current research on optimizing serial network transfer times may be targeted at the smaller fraction of the communication overhead. To support the scientific community, we extracted the send/recv-buffer access patterns of a representative set of scientific applications to build a benchmark that includes serialization and communication of application data and thus reflects all communication overheads. This can be used like traditional ping-pong benchmarks to determine the holistic communication latency and bandwidth as observed by an application. It supports serialization loops in C and Fortran as well as MPI datatypes for representative application access patterns. Our benchmark, consisting of seven micro-applications, unveils significant performance discrepancies between the MPI datatype implementations of state of the art MPI implementations. Our micro-applications aim to provide a standard benchmark for MPI datatype implementations to guide optimizations similarly to the established benchmarks SPEC CPU and Livermore Loops.

19.
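To address user identity privacy protection and data security in wireless sensor network access control, a privacy-preserving access control protocol suitable for multiple users is proposed. The protocol adopts an attribute-based encryption algorithm and a distributed access control model, and uses attribute certificates, digital signatures and a threshold mechanism to achieve paid access, fine-grained access control and anonymous access for users, while guaranteeing the confidentiality of data transmission and the integrity of query commands. Protocol analysis and protocol comparison show that the computation, storage and communication overheads of sensor nodes are small, that users and sensor nodes can conveniently join dynamically, and that the protocol better meets the access control needs of paid wireless sensor networks.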

20.
Medical image security and EPR hiding using Shamir's secret sharing scheme   Total citations: 1, self-citations: 0, citations by others: 1
Medical applications such as telediagnosis require information exchange over insecure networks. Therefore, protection of the integrity and confidentiality of the medical images is an important issue. Another issue is to store electronic patient record (EPR) in the medical image by steganographic or watermarking techniques. Studies reported in the literature deal with some of these issues but not all of them are satisfied in a single method. A medical image is distributed among a number of clinicians in telediagnosis and each one of them has all the information about the patient's medical condition. However, disclosing all the information about an important patient's medical condition to each of the clinicians is a security issue. This paper proposes a (k, n) secret sharing scheme which shares medical images among a health team of n clinicians such that at least k of them must gather to reveal the medical image to diagnose. Shamir's secret sharing scheme is used to address all of these security issues in one method. The proposed method can store longer EPR strings along with better authenticity and confidentiality properties while satisfying all the requirements as shown in the results.
