Classification and analysis of vulnerabilities of modern information systems from classical and quantum attacks

Authors

  • Ye.V. Ostrianska, JSC "Institute of Information Technologies", Ukraine
  • S.O. Kandiy, V. N. Karazin Kharkiv National University; JSC "Institute of Information Technologies", Ukraine
  • I.D. Gorbenko, V. N. Karazin Kharkiv National University; JSC "Institute of Information Technologies", Ukraine https://orcid.org/0000-0003-4616-3449
  • M.V. Yesina, V. N. Karazin Kharkiv National University; JSC "Institute of Information Technologies", Ukraine https://orcid.org/0000-0002-1252-7606

DOI:

https://doi.org/10.30837/rt.2022.4.211.01

Keywords:

post-quantum cryptography, encryption scheme, security protocol, security model, AKE protocol, PAKE protocol

Abstract

Recent advances in quantum technology, and the prospect that practical quantum computers may become a reality, have renewed interest in cryptographic technologies that are secure against both conventional and quantum attacks. Virtually all asymmetric cryptographic schemes in use today are threatened by the potential development of powerful quantum computers. Post-quantum cryptography is one of the main ways to counter this threat: its security rests on mathematical problems that are currently believed to have no efficient solution, even with the help of quantum computers. The security of an information system is ensured by protecting it against the various threats that exploit its vulnerabilities. Security protocols are the building blocks of secure communication; they implement security mechanisms in order to provide security services. Security protocols are treated as abstract objects when they are analyzed, but their implementations may introduce additional vulnerabilities. This work is a holistic study of security protocols. It covers the basics of security protocols, a taxonomy of attacks on security protocols and on their implementations, and the various methods and models for analyzing protocol security. In particular, the differences between information-theoretic and computational security, and between computational and symbolic models, are spelled out. In addition, an overview of the computational security models for Authenticated Key Exchange (AKE) and Password-Authenticated Key Exchange (PAKE) protocols is provided, and the most important security models for AKE and PAKE protocols are described. As new technologies with different security requirements emerge, and as adversarial capabilities grow, there is a continuing need to develop new protocols.
Thus, the purpose of this article is to review, classify, analyze, and research the vulnerabilities of information systems to classical, quantum, and special attacks, taking into account the forecast of attack capabilities against post-quantum cryptographic transformations; to study the security assessment models for existing cryptographic protocols; and to review and benchmark security models and offer suggestions for protection against existing and potential attacks.

Published

2022-12-30

How to Cite

Ostrianska, Y., Kandiy, S., Gorbenko, I., & Yesina, M. (2022). Classification and analysis of vulnerabilities of modern information systems from classical and quantum attacks. Radiotekhnika, 4(211), 7–21. https://doi.org/10.30837/rt.2022.4.211.01

Section

Articles