Not-Quite-So-Broken TLS: Lessons in Re-Engineering a Security Protocol Specification and Implementation [article]

David Kaloper-Mersinjak, Hannes Mehnert, Anil Madhavapeddy, Peter Sewell, Apollo-University Of Cambridge Repository, J Jung, T Holz
We present nqsb-TLS, the result of our re-engineered approach to security protocol specification and implementation that addresses these root causes.  ...  Transport Layer Security (TLS) implementations have a history of security flaws.  ...  In this sense, it is at least not quite so broken as some secure software has been. In turn, this indicates that our approach has value.  ... 
doi:10.17863/cam.41243 fatcat:sq7jezrivbco3fffplmyb6x4yy

Will You Trust This TLS Certificate?

Martin Ukrop, Lydia Kraus, Vashek Matyas
2020 Digital Threats: Research and Practice  
Flawed TLS certificates are not uncommon on the Internet. While they signal a potential issue, in most cases they have benign causes (e.g., misconfiguration or even deliberate deployment).  ...  This adds fuzziness to the decision on whether to trust a connection or not.  ...  We are particularly grateful to Nikos Mavrogiannopoulos, Matúš Nemec and Tobias Fiebig for insightful comments, Heider Wahsheh for research help and to Vlasta Šťavová, Agáta Kružíková and Martina Olliaro  ... 
doi:10.1145/3419472 fatcat:pigwxjopqngfhhctet5sfn7bje

Continuous Formal Verification of Amazon s2n [chapter]

Andrey Chudnov, Nathan Collins, Byron Cook, Joey Dodds, Brian Huffman, Colm MacCárthaigh, Stephen Magill, Eric Mertens, Eric Mullen, Serdar Tasiran, Aaron Tomb, Eddy Westbrook
2018 Lecture Notes in Computer Science  
We describe formal verification of s2n, the open source TLS implementation used in numerous Amazon services.  ...  We describe the proof itself and the technical decisions that enabled integration into development.  ...  a context in which the specification and implementation are already structurally quite similar.  ... 
doi:10.1007/978-3-319-96142-2_26 fatcat:tefiqbkw7rdj7b23utmxg2uwia

Some Security Issues in SCALANCE Wireless Industrial Networks

Marius Cristea, Bogdan Groza, Mihai Iacob
2011 2011 Sixth International Conference on Availability, Reliability and Security  
We show some vulnerabilities in both situations, in particular some weaknesses in the authentication protocol from their web-based configuration interface and an attack which halts the communication by  ...  We discuss some security weaknesses of Scalance wireless access points and clients. These devices, developed by Siemens, are commonly used for wireless communication in network control systems.  ...  The lesson that can be learned from this is that HTTP should be disabled, or a stronger and correctly implemented authentication protocol should be used. III.  ... 
doi:10.1109/ares.2011.74 dblp:conf/IEEEares/CristeaGI11 fatcat:kt5tcpoxfbdtvdzqbicexgbe54

A security analysis of the Internet Chess Club

J. Black, M. Cochran, R. Gardner
2006 IEEE Security and Privacy  
For a fee, anyone can play against incomprehensibly strong masters, take lessons, listen to lectures, participate in simultaneous exhibitions, play in tournaments, and so forth.  ...  The thrust of this paper is to examine the security aspects of ICC. We exhibit attacks in two distinct domains: the timestamping mechanism and the communication protocol. More specifically,  ...  Acknowledgements We would like to thank David Wagner, Yoshi Kohno, Jing Deng, and Douglas Sicker for their comments and suggestions.  ... 
doi:10.1109/msp.2006.2 fatcat:ppe5xdmwlncrpe4xiyrj4gmta4

SoK: An Analysis of Protocol Design: Avoiding Traps for Implementation and Deployment [article]

Tobias Fiebig, Franziska Lichtblau, Florian Streibelt, Thorben Krueger, Pieter Lexis, Randy Bush, Anja Feldmann
2016 arXiv   pre-print
A classical example is insufficiently strict authentication requirements in a protocol specification.  ...  Today's Internet utilizes a multitude of different protocols. While some of these protocols were first implemented and used and later documented, other were first specified and then implemented.  ...  One example for broken VRF is accidentally announcing a BGP full table into the VRF engine.  ... 
arXiv:1610.05531v1 fatcat:vaybjuis7rcnrnhlaetdhql6au

The impact of quantum computing on real-world security: A 5G case study [article]

Chris J Mitchell
2019 arXiv   pre-print
This leads naturally to the specification of a series of simple, phased, recommended changes intended to ensure that the security of 5G (as well as 3G and 4G) is not badly damaged if and when large scale  ...  This involves considering how cryptography is used in 5G, and how the security of the system would be affected by the advent of quantum computing.  ...  I would like to particularly thank Martin Albrecht and Karl Norrman for their helpful advice and corrections. Of course, all remaining errors remain my responsibility alone.  ... 
arXiv:1911.07583v3 fatcat:jh7bh6u2erasplemwwcnmcww3q

Research and Innovation Action for the Security of the Internet of Things: The SerIoT Project [chapter]

Joanna Domanska, Erol Gelenbe, Tadek Czachorski, Anastasis Drosou, Dimitrios Tzovaras
2018 Communications in Computer and Information Science  
IoT platforms and devices, honeypots, SDN routers and operator's controller) in order to offer a secure SerIoT platform that can be used to implement secure IoT platforms and networks anywhere and everywhere  ...  Thus, this paper describes the H2020 project "Secure and Safe Internet of Things" (SerIoT) which will optimize the information security in IoT platforms and networks in a holistic, cross-layered manner  ...  In addition, cyber-physical aspects are quite relevant in ITS and a security breach can generate not only loss of data but also risks to physical safety, including possible loss of life.  ... 
doi:10.1007/978-3-319-95189-8_10 fatcat:fv4zav2pqzfpvonhnhnfaau3sa

Anatomy of Threats to The Internet of Things

Imran Makhdoom, Mehran Abolhasan, Justin Lipman, Ren Ping Liu, Wei Ni
2018 IEEE Communications Surveys and Tutorials  
In the end, we propose a composite guideline for the development of an IoT security framework based on industry best practices and also highlight lessons learned, pitfalls and the open research challenges  ...  Such reliance on IoT is resulting in a significant amount of data to be generated, collected, processed and analyzed. The big data analytics is no doubt beneficial for business development.  ...  However, at the same time, implementation and practice of security measures should not be so complicated that users avoid and go around them.  ... 
doi:10.1109/comst.2018.2874978 fatcat:5qkflaozurb4nctkfrwswnbce4

Security of Symmetric Encryption against Mass Surveillance [chapter]

Mihir Bellare, Kenneth G. Paterson, Phillip Rogaway
2014 Lecture Notes in Computer Science  
In the second category we show how to design symmetric encryption schemes that avoid such attacks and meet our notion of security.  ...  We formalize security notions to capture this goal and then offer both attacks and defenses.  ...  The specification requires this 8-byte value to be unique for each TLS record encrypted under a fixed key, and suggests that the TLS Record Protocol sequence number may be used.  ... 
doi:10.1007/978-3-662-44371-2_1 fatcat:k7wqqsx3mffyvkooo7ttgoairy

A State-of-the-Art Review on the Security of Mainstream IoT Wireless PAN Protocol Stacks

Georgios Kambourakis, Constantinos Kolias, Dimitrios Geneiatakis, Georgios Karopoulos, Georgios Michail Makrakis, Ioannis Kounelis
2020 Symmetry  
Protocol stacks specifically designed for the Internet of Things (IoT) have become commonplace.  ...  Considering the still heterogeneous nature of the majority of IoT protocols, a major concern is to find common references for investigating and analyzing their security and privacy threats.  ...  If so, the receiver needs to re-synchronize the RLC, typically via the teach-in procedure described in the following.  ... 
doi:10.3390/sym12040579 fatcat:3ajcbbciondlrjnv73fwzph5pu

Web Service Composition

Angel Lagares Lemos, Florian Daniel, Boualem Benatallah
2015 ACM Computing Surveys  
Yet, the use and integration of Web services into composite services or applications, which is a highly sensible and conceptually non-trivial task, is still not unleashing its full magnitude of power.  ...  This article establishes such a framework and reviews the state of the art in service composition from an unprecedented, holistic perspective.  ...  One of the most popular approaches in this respect is the Transport Layer Security protocol [Dierks 2008] (TLS, formerly known as SSL), a cryptographic protocol used to secure connections over the Internet  ... 
doi:10.1145/2831270 fatcat:7guhotzxiffnxnygbwdufogr4q

Killed by Proxy: Analyzing Client-end TLS Interception Software

Xavier de Carné de Carnavalet, Mohammad Mannan
2016 Proceedings 2016 Network and Distributed System Security Symposium   unpublished
We set out to analyze such proxies as there are known problems in other (more matured) TLS processing engines, such as browsers and common TLS libraries.  ...  To filter SSL/TLS-protected traffic, some antivirus and parental-control applications interpose a TLS proxy in the middle of the host's communications.  ...  The first author is supported in part by a Vanier Canada Graduate Scholarship (CGS).  ... 
doi:10.14722/ndss.2016.23374 fatcat:65omf46arbb7vargwijnkibtg4

TLS on Android – Evolution over the last decade [article]

Marten Oltrogge, Universität Des Saarlandes
Protection against such attacks is provided by protocols such as Transport Layer Security (TLS) and Hypertext Transfer Protocol Secure (HTTPS), whose incorrect use, however, to equally serious insecurities  ...  puts into context.  ...  When offering security solutions, we have to keep in mind that developers usually do not have a strong security focus and are not TLS experts, therefore, choosing and implementing secure solutions must  ... 
doi:10.22028/d291-36083 fatcat:2yc4gy2ya5gwzm7ear52xxd32m

Mind Your Language(s): A Discussion about Languages and Security

Eric Jaeger, Olivier Levillain
2014 2014 IEEE Security and Privacy Workshops  
IEEE Security and Privacy Workshops  ...  Through illustrations and discussions, it advocates for a different vision of well-known mechanisms and is intended to provide some food for thoughts regarding languages and development tools.  ...  In essence, it provides no requirements, and it would be unreasonable to expect anything about clone - and more so facing various implementations.  ... 
doi:10.1109/spw.2014.29 dblp:conf/sp/JaegerL14 fatcat:iqyj2bwqavawpk2krlnj4fk7ua