The use of Groebner bases in cryptanalysis of symmetric ciphers
Algebraic attacks on symmetric ciphers often result in large systems of non-linear multivariate polynomial equations. Solving these systems is a hard task. There are many methods for doing this, but the most fundamental is constructing a Groebner basis for the system of polynomials. In the article "Vectorial Boolean Functions and Induced Algebraic Equations", Jovan Dj. Golic develops a general mathematical framework for algebraic cryptanalysis. In short, the article concerns finding algebraic polynomial equations of low algebraic degree induced by vectorial Boolean functions. This thesis will investigate that framework and attempt to develop more efficient algorithms for constructing Groebner bases over Boolean polynomial rings.
There are different ways of attacking, or cryptanalysing, a cipher algorithm. Well-known methods are e.g. linear cryptanalysis, differential cryptanalysis or plain brute force. The basis of this work is an attack method called algebraic attack or algebraic cryptanalysis. In short, an algebraic attack on a cipher is performed by breaking the cipher algorithm down into a system of algebraic equations, with the secret key bits as unknowns, plaintext and ciphertext bits as knowns, and further cipher-dependent variables and constants. One then tries to find a simultaneous solution to the equations. The major problem with this method lies in solving the equations within an acceptable time frame, since the resulting multivariate equations, i.e. equations in several variables, are often highly non-linear and of high degree. But there are techniques for transforming this hard problem into a more feasible one. One technique is transforming the set of polynomials into a more suitable set of polynomials generating the same ideal, called a Groebner basis. The notion of Groebner bases allows us to make use of results from abstract algebra, such as ideal theory and its relation to affine varieties, to solve the equations in a hopefully more efficient way. Practical construction of Groebner bases belongs to the art of computational algebra, and algorithms will be implemented in several programming languages during the different phases of this project.
Algebraic attack, cryptanalysis, symmetric cipher, multivariate equations, linearization, Groebner, Buchberger algorithm, vectorial Boolean functions.
Groebner bases may seem like a superb tool, but the main problem is the computation time and memory consumption of constructing them. The general problem of constructing Groebner bases has high complexity (doubly exponential in the number of variables in the worst case). Thus, a seemingly benign-looking system of polynomials in three or four variables of degree three or four may fail to terminate in reasonable time. The original algorithm for constructing Groebner bases, the Buchberger algorithm, can be improved, tweaked and rendered more suitable to the specific problem at hand. In this work we will examine the construction of low-degree Groebner bases from induced algebraic equations of binary multivariate polynomials and try to implement efficient algorithms for it.
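As an added illustration (example code written for this page, not part of the thesis or of Golic's framework), the following Python implements Buchberger's algorithm over GF(2) on a constructed three-bit toy system and recovers the key bits from the reduced lex Groebner basis. The field equations k_i^2 + k_i are appended so that the basis describes only 0/1 solutions; the three equations themselves are made up for the example and are not induced from any real cipher.

```python
"""Buchberger's algorithm over GF(2) with the field equations x_i^2 + x_i added,
so the Groebner basis describes exactly the Boolean (0/1) solutions."""
from itertools import combinations, product

# Monomial: exponent tuple, one entry per variable.  Polynomial: frozenset of
# monomials (over GF(2) every coefficient is 1, so addition is XOR, i.e. symmetric
# difference).  Monomial order: lex with k0 > k1 > ..., which is plain tuple order.

def poly(expr, n):
    """Parse 'k0*k1 + k2 + 1' into a polynomial in the variables k0..k{n-1}."""
    p = frozenset()
    for term in expr.replace(" ", "").split("+"):
        e = [0] * n
        if term != "1":
            for v in term.split("*"):
                e[int(v[1:])] += 1
        p ^= frozenset([tuple(e)])
    return p

def lm(f):
    return max(f)  # leading monomial

def divides(a, b):
    return all(x <= y for x, y in zip(a, b))

def mul(f, m):
    """Multiply polynomial f by monomial m."""
    return frozenset(tuple(x + y for x, y in zip(t, m)) for t in f)

def reduce_poly(f, G):
    """Full normal form of f modulo the nonzero polynomials in G."""
    rest, remainder = set(f), set()
    while rest:
        t = max(rest)
        for g in G:
            if divides(lm(g), t):
                q = tuple(x - y for x, y in zip(t, lm(g)))
                rest ^= set(mul(g, q))  # cancels t, adds only smaller terms
                break
        else:  # no leading monomial divides t: it is irreducible
            rest.remove(t)
            remainder.add(t)
    return frozenset(remainder)

def s_poly(f, g):
    L = tuple(max(x, y) for x, y in zip(lm(f), lm(g)))  # lcm of leading monomials
    return (mul(f, tuple(x - y for x, y in zip(L, lm(f))))
            ^ mul(g, tuple(x - y for x, y in zip(L, lm(g)))))

def reduce_basis(G):
    """Minimal, fully interreduced basis (unique for the ideal and the order)."""
    minimal = []
    for g in sorted(set(G), key=lm):  # a divisor always has the smaller lm
        if not any(divides(lm(h), lm(g)) for h in minimal):
            minimal.append(g)
    return sorted((reduce_poly(g, [h for h in minimal if h != g]) for g in minimal), key=lm)

def groebner(F):
    """Buchberger's algorithm with the coprime-leading-monomial criterion."""
    G = [f for f in F if f]
    pairs = list(combinations(range(len(G)), 2))
    while pairs:
        i, j = pairs.pop()
        if all(x == 0 or y == 0 for x, y in zip(lm(G[i]), lm(G[j]))):
            continue  # lcm == product: the S-polynomial reduces to zero anyway
        h = reduce_poly(s_poly(G[i], G[j]), G)
        if h:
            G.append(h)
            pairs += [(k, len(G) - 1) for k in range(len(G) - 1)]
    return reduce_basis(G)

def field_equations(n):
    """x_i^2 + x_i for every variable, restricting solutions to GF(2)."""
    unit = lambda i, e: tuple(e if j == i else 0 for j in range(n))
    return [frozenset([unit(i, 2), unit(i, 1)]) for i in range(n)]

def evaluate(f, point):
    """f at a 0/1 point: a monomial is 1 iff every variable it contains is 1."""
    return sum(all(point[i] or e == 0 for i, e in enumerate(m)) for m in f) % 2

def boolean_solutions(F, n):
    return [p for p in product((0, 1), repeat=n) if all(evaluate(f, p) == 0 for f in F)]

def show(f):
    """Readable form, e.g. 'k0*k1 + k2 + 1'."""
    return " + ".join("*".join(f"k{i}" for i, e in enumerate(m) for _ in range(e)) or "1"
                      for m in sorted(f, reverse=True)) or "0"

# Constructed toy instance (not from a real cipher): three unknown key bits and
# three low-degree equations induced by one known plaintext/ciphertext pair.
N = 3
KEY_EQUATIONS = [poly("k0*k1 + k2 + 1", N), poly("k1*k2 + k0 + k1", N),
                 poly("k0*k2 + k0 + k1 + 1", N)]

def recover_key(equations=KEY_EQUATIONS, n=N):
    """(reduced lex Groebner basis including field equations, brute-force solutions)."""
    return groebner(equations + field_equations(n)), boolean_solutions(equations, n)

if __name__ == "__main__":
    gb, sols = recover_key()
    print("Groebner basis:", [show(g) for g in gb], "| brute force:", sols)
    wrong = groebner(KEY_EQUATIONS + [poly("k0 + 1", N)] + field_equations(N))
    print("with a contradictory equation the basis is", [show(g) for g in wrong])
```

Because the constructed system has a unique solution, the reduced basis is linear, {k2 + 1, k1 + 1, k0}, and the key (0, 1, 1) is read off directly; adding a contradictory equation (a wrong guess for a key bit) collapses the basis to {1}, which is how inconsistency shows up. Handling the field equations implicitly, pair-selection strategies and batch reduction are exactly the kinds of optimisation the thesis sets out to study; none of them is applied here.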
The construction of Groebner bases is a fundamental tool for many complex problems. Finding new, or improving existing, algorithms for efficiently constructing Groebner bases is of great interest to many scientific disciplines. Within algebraic cryptanalysis, deeper knowledge of the use and construction of Groebner bases may be highly beneficial. A direct benefit may be the construction of stronger cryptographic algorithms that are more resistant to this type of attack.
Keystroke Dynamics: How typing characteristics differ from one application to another
One of the most important things to do before giving a person access to any resource is to identify or authenticate that person. A password is one way to do this: the user gives a username (claiming an identity) and then a password (proving ownership of the claimed identity).
However, there are problems with passwords. One of them is that passwords, long or short, are easily forgotten if they consist of a random combination of characters (they are difficult to memorize). Another problem is that passwords can be guessed easily when they are derived from dictionary words, or stolen easily if their owner writes them down. Tokens are a second approach, authenticating through something you have; however, they can be forgotten, lost or even stolen by attackers.
Biometrics are a third approach, identifying and authenticating people based on what they are. For example, it is highly likely, although not proven, that everyone has different fingerprints, which can be used to differentiate one person from another.
Biometrics can be divided into two categories, physiological and behavioural. The first category contains features that are physically part of a person, for example the iris, fingerprints and the retina. The second category contains features that people have learned to perform in a more or less fixed manner; examples in this category are walking (gait), writing a signature and typing on a keyboard (keystroke dynamics).
In this project we will look at keystroke dynamics as a method for authentication. By keystroke dynamics we mean the way a person types. This can be characterized by the timing of key presses and releases. It can also be characterized by pressure, the angle at which a key is pressed and more, in which case special hardware is needed, e.g. a special keyboard or a camera. There are two types of keystroke dynamics. The first is static keystroke dynamics, in which the text that is typed is fixed and so is the moment it is typed (during login). The second is continuous keystroke dynamics, in which the typing characteristics are analysed throughout a complete session. The literature on keystroke dynamics focuses more on the static type, while less can be found on the continuous type. Many experiments in this field report a small error rate, meaning that people can be authenticated reasonably well using keystroke dynamics.
The point is that we can authenticate people through their typing behaviour. However, we know in advance that typing characteristics differ when a person uses a different application, a different keyboard or types in a different language. These topics raise a lot of open questions related to keystroke dynamics. In this project we will try to answer one of them: how do typing characteristics differ from one application to another, and do these differences interfere with the authentication process?
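The example below is added for this page; it is not code from the thesis or from any of the studies it cites. It computes the two feature types named in the keywords, key hold duration and digraph latency, builds a mean/standard-deviation template from a few enrolment samples and scores probes with a scaled Manhattan distance. The key events are constructed with seeded Gaussian jitter, so the two "applications" are modelled only by different latency parameters; the acceptance threshold and the 5 ms standard-deviation floor are assumptions of the example.

```python
"""Duration/latency features, a per-user template and a scaled-Manhattan score
for keystroke dynamics, with probes typed in two different 'applications'."""
import random
from collections import defaultdict
from statistics import mean, pstdev

SD_FLOOR_MS = 5.0  # keeps rarely seen digraphs from dominating the distance

def features(events):
    """events: [(key, press_ms, release_ms), ...] in press order.
    Returns {("hold", key): [durations], ("lat", digraph): [press-to-press latencies]}."""
    feats = defaultdict(list)
    for i, (key, down, up) in enumerate(events):
        feats[("hold", key)].append(up - down)
        if i:
            prev_key, prev_down, _ = events[i - 1]
            feats[("lat", prev_key + key)].append(down - prev_down)
    return feats

def build_template(samples):
    """Mean and standard deviation per feature, pooled over the enrolment samples."""
    pooled = defaultdict(list)
    for s in samples:
        for name, vals in features(s).items():
            pooled[name].extend(vals)
    return {name: (mean(v), max(pstdev(v), SD_FLOOR_MS)) for name, v in pooled.items()}

def distance(template, events):
    """Scaled Manhattan distance: mean over observed features of |x - mu| / sigma.
    Digraphs the template has never seen are skipped rather than penalised."""
    total = count = 0
    for name, vals in features(events).items():
        if name in template:
            mu, sd = template[name]
            total += sum(abs(v - mu) / sd for v in vals)
            count += len(vals)
    return total / count if count else float("inf")

def make_sample(text, hold_ms, latency_ms, seed):
    """Constructed key events, not measured data: each key is held about hold_ms
    and the next key goes down about latency_ms later, with 5 ms Gaussian jitter."""
    rng = random.Random(seed)
    events, t = [], 0.0
    for ch in text:
        events.append((ch, t, t + hold_ms + rng.gauss(0, 5)))
        t += latency_ms + rng.gauss(0, 5)
    return events

TEXT = "the quick brown fox jumps"

def demo(threshold=2.5):
    """Enrol user A in a chat-like application (fast, steady latencies), then score
    three probes. Returns ({probe: distance}, {probe: accepted})."""
    template = build_template([make_sample(TEXT, 90, 150, seed) for seed in range(4)])
    probes = {
        "genuine_same_app": make_sample(TEXT, 90, 150, seed=10),
        # same user in a code editor: identical hold times, long thinking pauses
        "genuine_other_app": make_sample(TEXT, 90, 260, seed=11),
        "impostor_same_app": make_sample(TEXT, 60, 250, seed=12),
    }
    scores = {name: distance(template, ev) for name, ev in probes.items()}
    return scores, {name: s < threshold for name, s in scores.items()}

if __name__ == "__main__":
    for name, s in demo()[0].items():
        print(f"{name:20s} distance={s:5.2f}")
```

The genuine probe typed in the enrolment application is accepted, while the same user's probe from the slower application is rejected just as firmly as the impostor's, because a single template treats every latency shift as evidence against the user. Per-application templates, or ignoring latencies and relying on hold times alone, are the two obvious remedies the research questions below are about.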
Biometrics, Authentication, Identification, Keystroke Dynamics, Duration, Latency, Neural Network.
Many experiments that investigate keystroke dynamics as an authentication method report a low error rate (between 1.17% and 5%), which suggests that such systems can be relied on to authenticate people. Some previous studies have shown that keystroke dynamics authentication is resistant against some types of attack, such as shoulder surfing, but still weak against attacks in which the attacker has feedback about the typing characteristics of the legitimate person. Not much research has been done on how different applications affect the typing characteristics of a user. One of Furnell's publications discusses the effect of different applications in the keystroke dynamics field. It is important to know whether we can still depend on keystroke dynamics to authenticate people when they run different applications. There might be a large difference in typing characteristics when chatting on MSN compared to writing a program in Java: when writing a Java program you think, analyse and then type, while in an MSN chat the situation is different. Furthermore, when writing a Java program you use many more special characters than when writing a formal letter in Microsoft Word. Our target in this project is to investigate this problem and try to establish the stability of keystroke dynamics techniques.
Keystroke dynamics can strengthen the security of a system. Even after logging in, the user's typing rhythm must keep matching the legitimate user's rhythm. And even when the user switches to another application, the system must be able to authenticate the user without any problem. There is a real need to agree on a template that can be used to authenticate a user regardless of which application is used.
In this project we want to investigate the following research questions:
• How do typing characteristics differ from one application to another, and where are the similarities?
• How can we benefit from these differences and similarities to generate a reliable template for authenticating a user regardless of which application is used?
• Is it possible to authenticate a person based on one general template, or do we need a set of application-dependent templates?
• Is it possible to say that the typing characteristics in application X are more stable than in application Y?
Other minor questions will arise, such as:
• How can we design an experiment to measure the differences in typing characteristics?
• How many participants should we have?
• Which applications should be chosen?
Hopefully this project will produce results on how different applications affect the ability to recognize people using keystroke dynamics. In other words, we are going to design an experiment to measure differences in typing characteristics when a user works in different kinds of applications. If changing the application does not significantly impact the recognition process, or if it is possible to do some special processing depending on the application, there should be no problem using keystroke dynamics to authenticate a user regardless of which application is used. This would strengthen the reliability of keystroke dynamics as an authentication method.
Forensic Analysis of Physical Memory and Page File
With the passage of time, the field of computer forensics is maturing and the traditional methodology of disk forensics has become a standard. In the same manner, volatile data forensics is now getting serious attention from forensic investigators and researchers. Physical memory is an integral part of volatile data forensics. It can provide a forensic examiner with a wealth of information such as passwords, encryption keys, typed commands, web addresses, shared and executable files, currently running and terminated processes, open ports and active connections. This thesis explores the forensic analysis of physical memory and the page file in search of sensitive data using freely available tools. Experiments are carried out in a virtual environment on Windows XP and Vista. The immediate purpose of this thesis is to study the impact of increased memory size on the retention of sensitive data in today's computers. We will also explore the capabilities and limitations of the currently available memory and page file analysis tools.
Technology is developing rapidly in the computer industry. Data processing ability has increased, the capacity to store data in digital form has expanded dramatically, access to information has been made easy, and most of all these facilities are becoming cheaper for ordinary people. This trend has also raised the concern among security professionals of keeping sensitive and private data such as passwords and credit card numbers secure for as long as it is being processed in physical memory, and of discarding it securely when it is no longer needed, to keep it away from adversaries and criminals. In this research work we will perform forensics of physical memory and the page file in search of sensitive data. Data retention in physical memory is influenced by the operating system (system software), the applications processing the data and the underlying hardware of the computer. Experiments will be conducted in a virtual environment using VMware, incorporating both physical memory and the page file. Different scenarios will be established in a Windows operating system environment that closely resemble real-world situations. The whole analysis will be conducted using tools freely available on the internet.
When a digital crime occurs, the main focus of forensic examiners has been to acquire and analyze non-volatile data from the suspect machines. But this approach alone is no longer sufficient, for the following reasons.
1. In today's end-user computers the hard disk storage capacity has increased dramatically; 500 GB is a normal capacity. The same is the case with physical memory: 2 to 4 GB is a normal amount in current end-user computers. And when this amount of data in physical memory is combined with the data swapped out to the page file on the hard disk, the prospects of finding the required evidence are even higher. Therefore it is not wise to ignore physical memory of such capacity in digital crime investigations.
2. All transient and volatile information such as network connections, chat logs, command histories, process information and open files that resides in physical memory will be lost if the "pull the plug" approach is followed.
3. Sometimes evidence is resident only in memory. For example, many malware programs run directly from physical memory without being installed on the hard disk, thus leaving no trace there.
4. In traditional disk forensics, if the acquired evidence is encrypted then physical memory is the next immediate place to look for the keys to the encrypted data.
The importance of physical memory forensics is obvious from these points, but the field is still in its infancy and requires more serious attention. The currently available tools and methods for the analysis of memory evidence are limited and require a lot of work compared to the importance of the sensitive data in memory. The free tools available on the internet from different authors are limited in functionality and scope, especially when physical memory is combined with the page file in the search for evidence.
The currently available tools should be tested with practical examples. This will show not only their efficiency and ability but also their trustworthiness in a court of law.
Physical memory forensics is an evolving field of research. Since the operating systems from Microsoft are closed source, it requires even more attention from researchers and forensic practitioners. This master thesis will try to answer the following questions:
• What is the current state of physical memory forensics?
• What are the currently available physical memory forensics tools?
• Do the currently available tools have the ability and scope to analyze the physical memory and page file of current end-user computers?
• Can we extract sensitive data from the physical memory and page file of machines running Windows XP and Vista?
This thesis will contribute to the knowledge and understanding of physical memory and page file forensics, both theoretically and through practical experiments. A state of the art of physical memory and swap space analysis on Windows systems will be provided, helping both forensic professionals and researchers to understand this emerging area. A summary of the currently available tools for the analysis of physical memory and page file, with their features, will be provided. To see the strength of the available tools, experiments will be conducted with selected tools on different scenarios in virtual environments; this will benefit both researchers working on Windows systems and forensic practitioners. Finally, and importantly, this research will give an idea of how long physical memory and the page file retain sensitive data, and of the influence of the operating system and applications on data retention in the different states of a computer.
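As an added example, not one of the tools surveyed in the thesis, the following Python carves printable ASCII and UTF-16LE strings from a raw image and flags the kinds of artefact listed above: form credentials, URLs and Luhn-valid card numbers. The "image" is constructed inside the script; a real memory dump or page file would be read from disk instead. Windows keeps most in-process text as UTF-16LE, which is why an ASCII-only string search misses much of what a memory dump holds, and the Luhn check is what separates a card number from any other run of digits.

```python
"""Carve ASCII and UTF-16LE strings from a raw memory/page-file image and flag
sensitive values (form credentials, URLs, Luhn-valid card numbers)."""
import re
from urllib.parse import unquote

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")  # Windows in-process text

PATTERNS = {
    "url": re.compile(r"https?://[\w.-]+(?:/[\w./?=&%-]*)?"),
    "credential": re.compile(r"(?:password|passwd|pwd)=([^&\s]+)", re.IGNORECASE),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),  # 13-19 digits, optional separators
}

def carve_strings(image):
    """Yield (byte offset, encoding, text) for every printable run of 6+ characters."""
    for m in ASCII_RUN.finditer(image):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(image):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")

def luhn_ok(digits):
    """Luhn checksum; drops digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(image):
    """Return [(kind, value, encoding, byte offset)] for every artefact found."""
    hits = []
    for off, enc, text in carve_strings(image):
        width = 2 if enc == "utf-16le" else 1  # bytes per character
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(text):
                if kind == "credential":
                    value = unquote(m.group(1))  # undo form encoding (%26 -> &)
                elif kind == "card":
                    value = re.sub(r"[ -]", "", m.group(0))
                    if not luhn_ok(value):
                        continue
                else:
                    value = m.group(0)
                hits.append((kind, value, enc, off + m.start() * width))
    return hits

def constructed_image():
    """A fake 'memory page' (constructed, not a real dump): filler around planted artefacts."""
    filler = b"\x00" * 64 + bytes(range(256)) + b"\x00" * 64
    return (
        filler
        + b"POST /login HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"
        + b"user=alice&password=Tr0ub4dor%263\r\n"          # HTTP form body
        + filler
        + "https://intranet.example.com/payroll?year=2009".encode("utf-16le")
        + filler
        + b"Card: 4111 1111 1111 1111 exp 12/11"            # Luhn-valid test number
        + filler
        + "order 1234567890123 is not a card".encode("utf-16le")  # fails Luhn
        + filler
    )

if __name__ == "__main__":
    for kind, value, enc, off in find_sensitive(constructed_image()):
        print(f"{off:#08x} {enc:8s} {kind:10s} {value}")
```

Running it against a real dump only changes the input (`open(path, "rb").read()` in place of `constructed_image()`); what does not change is the need to search both encodings, and to validate candidates so that the report is not swamped by random digit runs, which matters when the result has to stand up in court.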
Visualizing Digital Evidence
As technology advances and the use of digital devices (computers, cellular phones, PDAs etc.) increases, digital forensics is becoming more important. When working with digital evidence it can be cumbersome to analyze large data sets, such as large cases with several gigabytes of data distributed across multiple hosts and networks. The purpose of visualizing digital evidence is to provide a better understanding of the evidence and to enable more efficient analysis. Because of advanced techniques for wiping/deleting, encrypting and hiding data, visualizing digital evidence is not an easy task. There exist tools (e.g. The Coroner's Toolkit and The Sleuth Kit, among others) and techniques (self-organizing maps) for the extraction and presentation of digital evidence. A tool developed by Emmanouil Vlastos and Ahmed Patel presents digital evidence in 3D; it will be used (among other tools) in the survey in this thesis.
In this project, we will perform a survey of existing tools and methods for visualizing digital evidence. The survey will include a comparative analysis using a set of predefined criteria, and we will also evaluate the tools and methods through practical experiments. The experiments will consist of analyzing a data set that will be created for this thesis and a data set that is publicly available. Finally, we will investigate new tools for visualizing digital evidence and propose a prototype for visualizing digital evidence based on digital crime scene investigations.
The Use of Frequent Episodes in Intrusion Detection
System and network audit allows capturing large amounts of data. These audit data may contain evidence of intrusions and can thus be used in intrusion detection. But the audit trails contain lots of events, and only a few of them may indicate intrusions. To extract the necessary information, we can use data mining techniques.
Intrusion detection systems (IDSs) today involve trade-offs, particularly between speed and accuracy. Misuse-based IDSs do not recognize unknown attacks, while anomaly-based IDSs produce many false alarms. In this work we describe a new hybrid intrusion detection system which uses frequent episodes as the common data structure.
Our IDS will combine the misuse and anomaly approaches by using hierarchical frequency, a notion we will introduce. The IDS will be constructed only from frequent episode discovery, matching and pruning algorithms. The anomaly and misuse modules are intended to be symmetric in our work. We believe that the IDS will be at least as efficient as today's IDSs.
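An added example (not the thesis's IDS or its algorithms): a WINEPI-style frequent serial episode miner in Python, with both a misuse check (a known attack episode matched in sliding windows) and an anomaly score (frequent episodes in a trace that the normal profile never produced) built on the same window-matching routine. The audit traces, the window width of 8 ticks, the 0.25 frequency threshold and the form of the anomaly score are constructed for the example.

```python
"""Frequent serial episodes as the one data structure shared by a misuse and an
anomaly module (WINEPI-style sliding-window frequency)."""

def window_contains(events, episode):
    """True if the serial episode occurs as an ordered subsequence of `events`."""
    i = 0
    for e in events:
        if e == episode[i]:
            i += 1
            if i == len(episode):
                return True
    return False

def windows(sequence, win):
    """Sliding windows [s, s+win) over a time-sorted (time, event) sequence.
    WINEPI convention: the first window starts win-1 ticks before the first event
    and the last starts at the last event, so every event lies in exactly win windows."""
    t0, tn = sequence[0][0], sequence[-1][0]
    for s in range(t0 - win + 1, tn + 1):
        yield [e for t, e in sequence if s <= t < s + win]

def episode_frequency(sequence, episode, win):
    """Fraction of windows that contain the episode."""
    ws = list(windows(sequence, win))
    return sum(window_contains(w, episode) for w in ws) / len(ws)

def frequent_episodes(sequence, win, min_freq, max_len=3):
    """Level-wise (Apriori-style) discovery: a serial episode can only be frequent
    if its prefix and suffix are, so level k+1 candidates are joins (a,b)+(b,c)."""
    level = [(e,) for e in sorted({e for _, e in sequence})]
    frequent = {}
    for _ in range(max_len):
        found = {}
        for ep in level:
            f = episode_frequency(sequence, ep, win)
            if f >= min_freq:
                found[ep] = f
        if not found:
            break
        frequent.update(found)
        level = [a + b[-1:] for a in found for b in found if a[1:] == b[:-1]]
    return frequent

def matches_signature(sequence, episode, win):
    """Misuse module: does any window contain a known attack episode?"""
    return any(window_contains(w, episode) for w in windows(sequence, win))

def anomaly_score(profile, sequence, win, min_freq):
    """Anomaly module: share of the trace's frequent episodes absent from the
    profile of normal behaviour (same discovery and matching code as above)."""
    observed = frequent_episodes(sequence, win, min_freq)
    if not observed:
        return 0.0
    return sum(ep not in profile for ep in observed) / len(observed)

# Constructed audit traces (integer timestamps, one event type per record).
NORMAL = [(10 * i + d, e) for i in range(5)
          for d, e in ((0, "login_ok"), (2, "read"), (4, "write"), (6, "logout"))]
ATTACK = [(0, "scan"), (2, "scan"), (4, "login_fail"), (6, "login_fail"),
          (8, "login_ok"), (10, "su_root"), (12, "read"), (14, "logout")]
WIN, MIN_FREQ = 8, 0.25
BRUTE_FORCE_SIG = ("login_fail", "login_fail", "login_ok")

if __name__ == "__main__":
    profile = frequent_episodes(NORMAL, WIN, MIN_FREQ)
    for ep, f in sorted(profile.items(), key=lambda kv: -kv[1]):
        print(f"{f:.2f}  {' -> '.join(ep)}")
    print("signature in NORMAL:", matches_signature(NORMAL, BRUTE_FORCE_SIG, WIN))
    print("signature in ATTACK:", matches_signature(ATTACK, BRUTE_FORCE_SIG, WIN))
    print("anomaly score NORMAL:", anomaly_score(profile, NORMAL, WIN, MIN_FREQ))
    print("anomaly score ATTACK:", anomaly_score(profile, ATTACK, WIN, MIN_FREQ))
```

The normal profile contains the session pattern login_ok -> read -> write (frequency 20/54 with these parameters), the attack trace matches the brute-force signature, and the attack trace's own frequent episodes are mostly unseen in the profile, which is what the anomaly side reacts to. Pruning (dropping candidates whose prefix or suffix is infrequent) is the join step in `frequent_episodes`; the recomputation of every window per candidate is the part a real implementation replaces with incremental automata, which is where the speed/accuracy trade-off mentioned above lives.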
Publish/Subscribe (PubSub) paradigm
The Publish/Subscribe (PubSub) paradigm is a powerful abstraction for building distributed applications and message distribution networks, and seems to be a well-suited model for the type of communication which takes place at the tactical/mobile level in military operations. Because of the hostile environment such networks have to operate in, they must have good information security properties, including intrusion tolerance. A successful intrusion into a tactical command and control network can do substantial damage to the ongoing military operation, which makes such networks highly valuable enemy targets.
Most previous work on information distribution in MANETs focuses on how to distribute the information and minimize the amount of data sent on the network, not on the security issues introduced by an intruder.
During this master project we have performed an analysis of the intrusion tolerance of the PubSub-based MANET, i.e. the capability of the system to fulfil its mission in a timely manner even when the network is under different types of attack. The analysis shows that the PubSub protocol is vulnerable to some attacks performed by an intruder in the network.
To deal with those vulnerabilities we propose enhancements to the protocol that make it more robust against these attacks. By implementing the proposed enhancements we show that the PubSub protocol can be made very robust against the different types of attack studied in this thesis. These properties make the protocol suited for use in communication networks that operate in hostile environments.