In this work, we analyze privacy and security aspects of encryption modes, padding schemes and the order of padding of messages in TLS during encrypted communication between a client and a web application on the server. We show that using padding schemes to pad all packets, in order to hide message sizes during communication, is not safe when the underlying encryption mode and padding methodology are not taken into account.
UNIT II COMMUNICATION IN DISTRIBUTED SYSTEM 10
System Model – Inter process Communication – the API for internet protocols – External data representation and Multicast communication. Network virtualization: Overlay networks. Case study: MPI Remote Method Invocation And Objects: Remote Invocation – Introduction – Request-reply protocols – Remote procedure call – Remote method invocation. Case study: Java RMI – Group communication – Publish-subscribe systems – Message queues – Shared memory approaches – Distributed objects – Case study: Enterprise Java Beans -from objects to components.
Elgamal signature for content distribution with network coding (ijwmn)
Network coding is a relatively new forwarding technique that has found various applications in traditional computer networks, wireless sensor networks and peer-to-peer systems. However, network coding is inherently vulnerable to pollution attacks by malicious nodes in the network. If any fake node in the network spreads polluted packets, the pollution spreads quickly, since the output of (even an) honest node is corrupted if at least one of its incoming packets is corrupted. A few ordinary signature schemes have been adapted to network coding so that nodes can check the validity of a packet without decoding. In this paper, we propose a scheme that uses the ElGamal signature in network coding. Our scheme makes use of the linearity property of the packets in a coded system, and allows nodes to easily check the integrity of the packets they receive.
A Novel Method for Preventing Selective Jamming Attacks in Wireless Networks (IJMER)
International Journal of Modern Engineering Research (IJMER) is a peer-reviewed online journal. It serves as an international archival forum of scholarly research related to engineering and science education.
A cryptographic hash function H is a function that transforms a string of any length into a fixed-length string. Cryptography is basically used for data security. Encryption is an ancient concept; it has been in use since the time of Julius Caesar. As data manipulation speed increases with time, those encryption methods are becoming easy to break, so harder methods are being invented day by day.
A message digest is the output of a cryptographic hash function: a string of digits created by a one-way hashing formula. Message digests are designed to protect the integrity of a piece of data or media by detecting changes and alterations to any part of a message. In this paper, we explain the MD5 hashing algorithm and also propose how to use it for file transmission and for hashing any string.
Creating Ever-changing QoS-constrained Dataflows in Tactical Networks: An Exp... (Roberto Rigolin F. Lopes)
This paper describes an exploratory study on how to generate sequences of QoS-constrained messages to challenge the underlying store-and-forward mechanisms in tactical networks. The messages come from Command and Control (C2) systems deployed at the tactical edge, and the goal is to create reproducible flows of messages with a certain degree of entropy (randomness). Given a mission/operation, we assume that the user-facing services from C2 systems are related to each other and reuse a stochastic model to generate the sequence of messages, here called QoS-constrained dataflows. We studied the system behavior when dealing with three different sequences of messages (A1, A2 and A3) to illustrate the computation of metrics using cross-layer contextual information and to highlight the importance of testing tactical systems with different loads. We also compute metrics to characterize the dataflows, such as time in the queue, minimum datarate, number of expired messages and so on. Moreover, we used three disruption patterns in the network to study the sequence of messages being divided into groups, so as to illustrate and support general conclusions about dataflow characterization. We claim that our methodology can get closer and closer to the performance bounds of store-and-forward mechanisms in tactical networks and can be reproduced by other researchers for quantitative comparisons.
ASSURED NEIGHBOR BASED COUNTER PROTOCOL ON MAC-LAYER PROVIDING SECURITY IN MO... (cscpconf)
In this paper, we address the concern of security at the Medium Access Control layer by implementing an Assured Neighbor based Security Protocol that provides authentication and confidentiality while taking high-speed transmission into consideration, by providing security in parallel in both the routing layer and the link layer of Mobile Ad hoc Networks. We divide the protocol into two segments. The first portion is based on routing-layer information: we implement a scheme for the detection and isolation of malicious nodes. A trust counter is maintained for each node, which is actively increased and decreased according to the trust value for packet forwarding. A threshold level is defined to differentiate malicious from non-malicious nodes; if the value of a node's trust counter falls below the threshold value, the node is considered malicious. The second part focuses on providing security in the link layer, where security is provided using the CTR (Counter) approach for authentication and encryption. Simulating the results in NS-2, we conclude that the proposed protocol can attain high packet delivery in the presence of various intruders while attaining low delays and overheads.
Client server computing in mobile environments part 2 (Praveen Joshi)
Client-server computing in mobile environments: a versatile, message-based, modular infrastructure intended to improve usability, flexibility, interoperability and scalability as compared to centralized, mainframe, time-sharing computing.
Intended to reduce network traffic.
Communication uses RPC or SQL.
In wireless sensor networks, messages are exchanged cooperatively between different source and destination pairs in such a way that multi-hop packet transmission is used. These data packets are transferred from an intermediate node to the sink node by forwarding a packet to the destination nodes, where each node overhears the transmission of its neighbouring node. To avoid this, we propose a novel approach with an efficient routing protocol, i.e. shortest-path routing and a distributed node routing algorithm. The proposed work additionally concentrates on Automatic Repeat Request and Deterministic Network Coding. We extend this work with an end-to-end message encoding mechanism. To enhance node security, pairwise key generation is used, in which each pair of communicating nodes is assigned a pair key to make the communication secure end to end. We analyze both single and multiple nodes and compare basic ARQ and deterministic network coding as strategies for transmission.
Data Link Layer
The main goal of this layer is providing reliability to the layers above it.
3.1 DLL Design Issues
What are the services provided by DLL?
3.2 Error Detection and Correction
Adding redundancy in order to find and correct errors.
3.3 DLL Protocols
xxx
3.4 Sliding Window Protocols
xxx
3.5 Protocol Specification and Verification
xxx.
3.6 Examples
Enhancing Cloud Computing Security for Data Sharing Within Group Members (iosrjce)
IOSR Journal of Computer Engineering (IOSR-JCE) is a double-blind peer-reviewed international journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high-quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high-quality technical notes are invited for publication.
Water scarcity is the lack of fresh water resources to meet the standard water demand. There are two types of water scarcity: physical water scarcity and economic water scarcity.
Welcome to WIPAC Monthly, the magazine brought to you by the LinkedIn group Water Industry Process Automation & Control.
In this month's edition, along with this month's industry news, to celebrate the 13 years since the group was created we have articles including:
A case study of the use of Advanced Process Control at the wastewater treatment works at Lleida in Spain
A look back on an article on smart wastewater networks, in order to see how the industry has measured up in the interim around the adoption of Digital Transformation in the Water Industry.
About
Indigenized remote control interface card suitable for MAFI system CCR equipment. Compatible with IDM8000 CCR. Backplane-mounted serial and TCP/Ethernet communication module for CCR remote access. IDM 8000 CCR remote control over serial and TCP protocols.
• Remote control: parallel or serial interface.
• Compatible with MAFI CCR system.
• Compatible with IDM8000 CCR.
• Compatible with backplane-mount serial communication.
• Compatible with commercial and defence aviation CCR systems.
• Remote control system for accessing CCR and allied systems over serial or TCP.
• Indigenized local support/presence in India.
• Easy configuration using DIP switches.
Immunizing Image Classifiers Against Localized Adversary Attacks (gerogepatton)
This paper addresses the vulnerability of deep learning models, particularly convolutional neural networks (CNNs), to adversarial attacks and presents a proactive training technique designed to counter them. We introduce a novel volumization algorithm, which transforms 2D images into 3D volumetric representations. When combined with 3D convolution and deep curriculum learning optimization (CLO), it significantly improves the immunity of models against localized universal attacks by up to 40%. We evaluate our proposed approach using contemporary CNN architectures and the modified Canadian Institute for Advanced Research (CIFAR-10 and CIFAR-100) and ImageNet Large Scale Visual Recognition Challenge (ILSVRC12) datasets, showcasing accuracy improvements over previous techniques. The results indicate that the combination of the volumetric input and curriculum learning holds significant promise for mitigating adversarial attacks without necessitating adversarial training.
Student information management system project report ii.pdf (Kamal Acharya)
Our project is about student management. It mainly covers the various actions related to student details. The project makes adding, editing and deleting student details easier, and also provides a less time-consuming process for viewing, adding, editing and deleting the marks of the students.
Overview of the fundamental roles in Hydropower generation and the components involved in wider Electrical Engineering.
This paper presents the design and construction of hydroelectric dams from the hydrologist’s survey of the valley before construction, all aspects and involved disciplines, fluid dynamics, structural engineering, generation and mains frequency regulation to the very transmission of power through the network in the United Kingdom.
Author: Robbie Edward Sayers
Collaborators and co editors: Charlie Sims and Connor Healey.
(C) 2024 Robbie E. Sayers
Final project report on grocery store management system..pdf (Kamal Acharya)
In today’s fast-changing business environment, it is extremely important to be able to respond to client needs in the most effective and timely manner. If your customers wish to see your business online and have instant access to your products or services.
Online Grocery Store is an e-commerce website which retails various grocery products. The project allows viewing the various products available and enables registered users to purchase desired products instantly using the Paytm or UPI payment processor (Instant Pay), or to place an order using the Cash on Delivery (Pay Later) option. It also gives administrators and managers easy access to view orders placed using the Pay Later and Instant Pay options.
In order to develop an e-commerce website, a number of technologies must be studied and understood. These include multi-tiered architecture, server- and client-side scripting techniques, implementation technologies, programming languages (such as PHP, HTML, CSS, JavaScript) and MySQL relational databases. The objective of this project is to develop a basic shopping-cart website for consumers and to learn about the technologies used to develop such a website.
This document will discuss each of the underlying technologies used to create and implement an e-commerce website.
Exploiting TLS to disrupt privacy of web application's traffic
1. Exploiting TLS to disrupt privacy
of traffic in web-application
Sandipan Biswas
MT12018
Advisors: Dr. Somitra Sanadhya & Dr. Donghoon Chang
2. Thesis committee
Dr. Somitra Sanadhya, IIIT Delhi (Chair)
Dr. Shweta Agrawal, IIT Delhi (External Examiner)
Dr. Debajyoti Bera, IIIT Delhi (Internal Examiner)
3. Agenda
• Motivation
• Previous Work
• Chen et. al. mitigation
• Liu et. al. mitigation
• Example of k-indistinguishability
• Our Contribution
• Effect of padding in TLS on k-indistinguishability
• Effect of padding in WPA2 on k-indistinguishability
• Further Work
• Mitigation
• Conclusion
• References
5. Side channel attacks
• Side channel attacks on web applications have been studied based on observable attributes of traffic
• Attributes include packet sizes, timing of packets etc.
• Encryption is there to maintain confidentiality, but sizes of packets are still visible to an eavesdropper
• To hide sizes, padding is an option!
• But how should it be done?
6. Example (cont.) – Search Engine
• S value (response packet size) for each character entered as the first keystroke:
a b c d e f g
509 504 502 516 499 504 502
h i j k l m n
509 492 517 499 501 503 488
o p q r s t
509 525 494 498 488 494
u v w x y z
503 522 516 491 502 501
• First keystroke (S value) followed by the S value for each second keystroke a, b, c, d:
First keystroke | S value | Second keystroke a | b | c | d
a | 509 | 487 | 493 | 501 | 497
b | 504 | 516 | 488 | 482 | 481
c | 502 | 501 | 488 | 473 | 477
d | 516 | 543 | 478 | 509 | 499
Unique S value: 12 out of 16 | 16 out of 16
In reality, it may take more than two keystrokes to uniquely identify an input string.
Leaks users’ private information: the input string
7. Two Conflicting Goals
• To prevent such side-channel attacks, we face two seemingly conflicting goals:
• Privacy protection: remove the difference in packet sizes
• Cost: minimize the cost or overhead (padding, processing…)
• Trade-off: between the two objectives
8. Chen et al. (IEEE S&P 2010)
Authors tried mitigation with padding approaches:
random padding: pad x bytes, and x [0, )
round padding: pad to the next multiple of
Inferred that such an application-agnostic approach is not feasible
9. Liu et al. (PETS 2012)
Introduced k-indistinguishability
Grouped packets into groups of size at least k
Reduced padding cost while achieving privacy
All packets corresponding to the same group have the same size
Formal model for quantifying the amount of privacy protection provided by traffic padding solutions.
10. Padding Options
S Value | Padding Option 1 | Padding Option 2 | (Prefix) char
473 | 477 | 478 | (c) c
477 | 477 | 478 | (c) d
478 | 499 | 478 | (d) b
499 | 499 | 509 | (d) d
501 | 509 | 509 | (c) a
509 | 509 | 509 | (d) c
PPTP (privacy-preserving traffic padding): packets sharing one padded size form a padding group
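The two padding options in the table above are the SVSD case of ceiling padding. The following Python is an added example (not code from the thesis or from Liu et al.) that builds padding groups over slide 10's S values, pads each group to its dominant value, checks the k-indistinguishability definition, and also computes the minimum-cost partition by dynamic programming, under the assumption (stated in the code) that groups contiguous in sorted order suffice.

```python
# Ceiling padding for the SVSD case of k-indistinguishability: partition a
# vector-action set of (action, packet size) pairs into padding groups of
# size >= k and pad every flow in a group up to the group's dominant flow.


def ceiling_pad_groups(groups):
    """Return (action, padded size) pairs: each flow padded to its group's dominant flow."""
    padded = []
    for group in groups:
        dominant = max(size for _, size in group)
        padded.extend((action, dominant) for action, _ in group)
    return padded


def group_cost(groups):
    """Total padding overhead (bytes added) of a partition under ceiling padding."""
    return sum(max(s for _, s in g) - size for g in groups for _, size in g)


def greedy_partition(va, k):
    """Sort by size and cut consecutive groups of exactly k (slide 10's two options);
    a tail shorter than k is merged into the previous group so every group has >= k."""
    rows = sorted(va, key=lambda r: r[1])
    if len(rows) < k:
        raise ValueError("fewer than k actions: k-indistinguishability is impossible")
    groups = [rows[i:i + k] for i in range(0, len(rows), k)]
    if len(groups[-1]) < k:
        groups[-2].extend(groups.pop())
    return groups


def optimal_partition(va, k):
    """Minimum-cost partition into groups of size >= k, by dynamic programming over
    the size-sorted list. Assumption: groups contiguous in sorted order suffice,
    which holds for ceiling padding because moving a member to the group whose
    dominant value is nearer its own size never increases total padding."""
    rows = sorted(va, key=lambda r: r[1])
    n = len(rows)
    if n < k:
        raise ValueError("fewer than k actions: k-indistinguishability is impossible")
    inf = float("inf")
    best = [0] + [inf] * n      # best[j]: cheapest cost covering rows[:j]
    cut = [0] * (n + 1)         # cut[j]: start index of the last group in that solution
    for j in range(k, n + 1):
        top = rows[j - 1][1]    # dominant value of a group ending at row j-1
        for i in range(0, j - k + 1):
            if best[i] == inf:
                continue
            cost = best[i] + sum(top - size for _, size in rows[i:j])
            if cost < best[j]:
                best[j], cut[j] = cost, i
    groups, j = [], n
    while j > 0:
        groups.append(rows[cut[j]:j])
        j = cut[j]
    return groups[::-1]


def is_k_indistinguishable(padded, k):
    """Check the definition: every padding group (pairs sharing one flow-vector)
    has cardinality >= k. In the SVSD case the flow-vector is just the padded size."""
    counts = {}
    for _, size in padded:
        counts[size] = counts.get(size, 0) + 1
    return all(c >= k for c in counts.values())


# Constructed from slide 10: S value of the response and the (prefix) character.
VA = [("c", 473), ("d", 477), ("b", 478), ("d", 499), ("a", 501), ("c", 509)]


def demo():
    option1 = greedy_partition(VA, 2)   # groups of 2 -> padded sizes 477, 499, 509
    option2 = greedy_partition(VA, 3)   # groups of 3 -> padded sizes 478, 509
    best_k2 = optimal_partition(VA, 2)
    return {
        "option1_cost": group_cost(option1),        # 33 bytes of padding
        "option2_cost": group_cost(option2),        # 24 bytes of padding
        "optimal_k2_cost": group_cost(best_k2),     # 24: the k=3 grouping is also the cheapest k=2 one
        "option2_ok": is_k_indistinguishable(ceiling_pad_groups(option2), 3),
        "unpadded_ok": is_k_indistinguishable(VA, 2),  # False: every size is unique
    }


if __name__ == "__main__":
    print(demo())
```

Note that option 2 (k = 3) costs less padding than option 1 (k = 2) on this data, so a larger k is not automatically more expensive.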
11. PPTP Components - Interaction
• Interaction:
• action a: an atomic user input that triggers traffic (a keystroke, a mouse click ..)
• action-sequence a: a sequence of actions with a known relationship (consecutive keystrokes, a series of mouse clicks)
• action-set Ai: a collection of all ith actions in a set of action-sequences
User Input | Observed Directional Packet Sizes
a: 801→, ←54, ←509, 60→
00: 812→, ←54, ←505, 60→, 813→, ←54, ←507, 60→
• Example 1:
• Three actions: a1 = input ‘a’, a2 = input first ‘0’, a3 = input second ‘0’
• Two action-sequences: a1 = (a), a2 = (0,0)
• Two action-sets: A1 = {a,0} (0 as first keystroke), A2 = {0} (0 as second keystroke)
Ref: Liu et al. slides
12. PPTP Components - Observation
User Input | Observed Directional Packet Sizes
a: 801→, ←54, ←509, 60→
00: 812→, ←54, ←505, 60→, 813→, ←54, ←507, 60→
• Example 2:
• Three flow-vectors: v1 = (509), v2 = (505), v3 = (507)
• Two vector-sequences: v1 = (v1), v2 = (v2, v3)
• Two vector-sets: V1 = {(509),(505)}, V2 = {(507)}
• Observation:
• flow-vector v: a sequence of flows (flow: a directional packet size); corresponds to an action
• vector-sequence v: a sequence of flow-vectors; corresponds to an equal-length action-sequence
• vector-set Vi: a collection of all ith flow-vectors in a set of vector-sequences; corresponds to an action-set
Ref: Liu et al. slides
13. Privacy and Cost
Flow-Vector v (Flow s) | Action a
s1 | a1
s2 | a2
… | …
sn | an
(Quasi-ID) | (Sensitive Attribute)
• k-indistinguishability: given a vector-action set VA
• Padding group: any S ⊆ VA such that all the pairs in S have identical flow-vectors and no S’ ⊃ S satisfies this property
• We say VA satisfies k-indistinguishability (k is an integer) if the cardinality of every padding group is no less than k
• SVSD case (Single-Vector Single-Dimension): every action-sequence and flow-vector is of length one.
• Assume: all actions are independent and each action triggers only a single packet used to identify the action.
• Goal of privacy protection: upon observing any flow-vector in the traffic, the eavesdropper cannot determine which action in the table (vector-action set) has triggered this flow-vector.
Ref: Liu et al. slides
14. Ceiling Padding (cont.)
• Generalization: grouping and breaking
• Unique aspect: padding can only increase packet size but cannot decrease it or replace it with a range of values.
• Dominant-vector: given a vector-set V, the dominant-vector is the flow-vector in which every flow is no smaller than the corresponding flow of any vector in V.
• Ceiling padding: given a vector-set V, a ceiling-padded group in V is a padding group in which each flow-vector is padded to the dominant-vector.
• V is ceiling-padded if all its padding groups are ceiling-padded.
Ceiling Padding: partition a vector-action set into padding groups, and then pad the flow-vectors to the dominant value to render them indistinguishable.
Ref: Liu et al. slides
15. Example on k-indistinguishability
Assume 4 action sequences:
a1 = {a,b}, a2 = {b,c}, a3 = {c,a}, a4 = {a,d}
Note that a1 and a4 have the same prefix for the second keystroke. The prefix is “a”.
The corresponding vector sequences are:
v1 = {509, 487}, v2 = {504, 482}, v3 = {502, 501}, v4 = {509, 497}
Vector-sets can be formed as V1 = {509, 504, 502, 509}, V2 = {487, 482, 501, 497}.
Similarly, action-sets: A1 = {a, b, c, a}, A2 = {b, c, a, d}.
Vector-action sets: VA1 = {V1, A1}, VA2 = {V2, A2}, i.e.
VA1 = {(a, 509), (b, 504), (c, 502), (a, 509)}
VA2 = {(b, 487), (c, 482), (a, 501), (d, 497)}
16. Example Continued
First keystroke:
Action | Original Packet Size
a | 509
b | 511
c | 508
Second keystroke:
Action | Original Packet Size | Prefix
b | 487 | a
c | 482 | b
a | 501 | c
d | 497 | a
After grouping, simple SVSD on the 1st table: SVA1 = {(c, 508), (b, 511), (a, 509)}, PVA1 = {(c, 511), (b, 511), (a, 511)} [Padding].
After SVMD and padding: SVA2 = {(c, 482), (b, 487), (d, 497), (a, 501)}, PVA2 = {(c, 501), (a, 501), (b, 501), (d, 501)}
Note: the partition of a vector-action set should be done such that the prefixes of its entries lie in the same padding group of the previous vector-action set.
For the same input string, the two flows corresponding to {a, b} and {a, d} are {511, 501} and {511, 501} respectively.
Thus it maintains 3-indistinguishability.
17. Our Objective
To break k-indistinguishability of traffic
Our objective is to infer the input which caused the given packet size
Note the packet’s contents are encrypted using standard TLS 1.2
18. Our Assumptions
We assume k-indistinguishability is already implemented at the server
All possible vector-action sets are fed to the padding algorithms of Liu et al. (PETS ‘12)
The attacker is somehow aware of packet sizes before padding
We have also assumed that bit-padding (10*) is used
Padding is done after the MAC is generated (this is valid since in TLS such a model is followed)
We assume either counter mode or CBC mode is used for encryption.
19. Revisiting TLS Record Protocol
We consider bit-padding as an option in Step 5
Figure: record layout after Step 5: Plaintext (size) | MAC | Padding (PAD)
20. Earlier attacks on TLS MEE construction
Padding oracle attack by Vaudenay et al. (Eurocrypt ‘02)
Password Interception in a SSL/TLS Channel by Canvel et al. (Crypto ‘03)
Tag size does matter: Attacks and proofs for the TLS record protocol by Paterson et al. (ASIACRYPT ‘11)
Plaintext-recovery attacks against Datagram TLS by AlFardan et al. (NDSS ‘12)
Lucky13: Related chosen ciphertext attack on TLS by AlFardan et al. (IEEE S&P ‘13)
21. Our contribution
In our work we analyze the security and privacy aspects of:
Encryption modes
Padding scheme
Order of padding in TLS and WPA2
We propose a truncation-based chosen-ciphertext attack on TLS 1.2
We exploit the MAC-PAD-Encrypt construction in the TLS record protocol
We also explore a similar construction in the CCMP protocol in WPA2 as well as in TLS 1.2
22. When CTR mode is used in TLS
Let’s take an example of 3-indistinguishability
Possible packets are grouped in groups of 3
Now if padding is applied to make packets indistinguishable, all packet sizes will be the same
The attacker’s objective is to distinguish between {a,b,c} based on the packet size of the response from the server
We consider a bit-padding scheme of the form 10*
23. After Padding
• We assume the MAC tag generated is 32 bytes
• Padding is done using bit-padding
Figure: Plaintext | MAC | bit padding, padded to the group size
24. After Encryption..
After encryption, packets are sent from client to server
The attacker can sniff packets.
The attacker can also modify ciphertexts and send them to the server
The server responds to the client based on the ciphertext received
If the ciphertext is wrongly padded or MAC verification fails etc., the server responds with an error message
25. How to distinguish packets?
• We propose a bit-truncation based chosen-ciphertext attack
• The attacker chooses the packet having the maximum padding in the group; let’s say its padding size is d
• The attacker can truncate d-1 bits from each packet such that the server generates an error message for every packet except the intended one
• Based on the error message sent back to the client, the attacker can guess which input corresponds to this particular packet
26. Effects of truncation on ciphertext
Let’s say the attacker truncates any i’th packet of size si in the group. Also assume s is the maximum size of a packet in the group and d the maximum padding size.
The attacker truncates d-1 bits from each of the packets in the group.
If (s - si - 1) ≥ (d - 1), i.e. the message has more padding than truncated bits, the padding part will still contain a 1 in its starting position. The MAC will be valid after padding removal.
If (s - si - 1) < (d - 1), i.e. the message has less padding than truncated bits, padding removal will be assumed to extend into the MAC part. This will generate an invalid-MAC error.
The attacker can infer from this error that the packet generating no error is the intended one.
27. Attack on example..
For our example, first we can try to identify c.
To identify c, truncate 3 bits from all packets, including the packet corresponding to c
Post truncation, the padding part of c is left with a 1 in the LSB
Hence during padding removal the MAC portion is not corrupted, leading to no error
However, for the other packets part of the MAC is stripped off during padding removal, leading to an invalid-MAC error
28. When user keystroke is “a”
Figure: 509 + 32 (MAC) + 3 (PAD); truncate the last 3 bits; decryption leaves A’ (corrupted) MAC; wrong padding; MAC verification fails: invalid.
According to bit-padding, the pad is stripped starting from the LSB until a “1” is encountered.
29. When user keystroke is “b”
Figure: 511 + 32 (MAC) + 1 (PAD); truncate the last 3 bits; decryption leaves B’ (corrupted) MAC; wrong padding; MAC verification fails: invalid.
30. When user keystroke is “c”
Figure: 508 + 32 (MAC) + 1 (PAD) + 000; truncate the last 3 bits; the 1 remains; decryption leaves C (non-corrupted) MAC; right padding; MAC verification succeeds: valid.
31. In case of CBC mode
Unlike CTR mode, in the case of CBC mode we cannot do bit-based truncation; rather, we employ block-based truncation techniques to identify inputs
The attacker can truncate block-wise from all packets in such a way that they can distinguish between packets based on the error generated at the server
For a group of packets having sizes S = {257, 101, 129}
33. In case of WPA2
WPA2 is the standard in wireless networks (IEEE 802.11i)
It provides confidentiality and integrity of packets
Uses AES-CCMP: Counter Mode + CBC-MAC
The underlying block cipher is AES
An authenticated encryption scheme
AES-CCM is also a recommended cipher-suite in TLS
34. CCMP protocol in WPA2
Figure: an MSDU is fragmented into MPDUs; each MPDU goes through CCMP processing to become an encrypted MPDU, which enters the priority queue for transmission.
MSDU: MAC Service Data Unit
MPDU: MAC Protocol Data Unit
35. CCMP with padding
Figure: MAC Header | Plaintext Data becomes MAC Header | CCMP Header | Plaintext Data. The authenticated data (MAC Header, CCMP Header, 1st block, plaintext data, each padded with PAD) goes through CBC-MAC to produce the MIC; the plaintext data and MIC are then encrypted in counter mode, giving MAC Header | CCMP Header | Encrypted Data | MIC.
36. Problems in CCMP
Since counter mode is used, no padding is assumed
If padding is done after Message Integrity Code generation, it can lead to a similar privacy breach
An attacker can carry out a similar chosen-ciphertext attack on CCMP too
37. Mitigations
If padding were done before the MAC is calculated, it would not have been possible to carry out such an attack
PAD-MAC-Encrypt is a better option
Always use authenticated padding
Even if authenticated padding is not used, add a field for the PAD length in the header and authenticate it along with the others. This will prevent unauthorized modification of messages and pad.
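As an added illustration (not code from the thesis), the following Python model reproduces the server-side behaviour slides 22 to 30 describe for MAC-PAD-Encrypt with 10* bit padding in CTR mode, beside the PAD-MAC-Encrypt order recommended above. Sizes are in bits, the tag is shortened to 32 bits, and the key, messages and HMAC/SHA-256 keystream are constructed stand-ins for the real cipher suite.

```python
# Bit-level model of TLS-style MAC-PAD-Encrypt (MEE) versus PAD-MAC-Encrypt.
# Everything here is a constructed simplification: bit strings instead of
# byte records, a 32-bit tag, and an HMAC-SHA256 based CTR keystream.
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed; any fixed key works
TAG_BITS = 32                   # slides use 32 bytes; shortened so bit strings stay small


def xor_bits(x, y):
    return "".join("1" if a != b else "0" for a, b in zip(x, y))


def keystream(key, nbits):
    """CTR keystream: SHA-256(key || counter) blocks, expanded to a '0'/'1' string."""
    out, ctr = "", 0
    while len(out) < nbits:
        block = hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        out += "".join(format(b, "08b") for b in block)
        ctr += 1
    return out[:nbits]


def mac_bits(key, bits):
    digest = hmac.new(key, bits.encode(), hashlib.sha256).digest()[:TAG_BITS // 8]
    return "".join(format(b, "08b") for b in digest)


def bit_pad(bits, target):
    """10* padding: a single '1', then zeros up to target bits (always >= 1 pad bit)."""
    if len(bits) >= target:
        raise ValueError("no room for padding")
    return bits + "1" + "0" * (target - len(bits) - 1)


def bit_unpad(bits):
    """Strip from the LSB until the first '1' is met, as slide 28 describes."""
    idx = bits.rfind("1")
    if idx < 0:
        raise ValueError("wrong padding")
    return bits[:idx]


# --- MAC-PAD-Encrypt: the order the slides analyse ---------------------------
def mee_encrypt(key, msg, group_bits):
    body = msg + mac_bits(key, msg)                  # tag covers only the message
    padded = bit_pad(body, group_bits + TAG_BITS)    # pad is added after the tag
    return xor_bits(padded, keystream(key, len(padded)))


def mee_decrypt(key, ct):
    pt = xor_bits(ct, keystream(key, len(ct)))       # CTR: truncated ct -> truncated pt
    body = bit_unpad(pt)                             # unauthenticated pad removal
    if len(body) < TAG_BITS:
        raise ValueError("bad mac")
    msg, tag = body[:-TAG_BITS], body[-TAG_BITS:]
    if not hmac.compare_digest(mac_bits(key, msg), tag):
        raise ValueError("bad mac")                  # pad removal ate into the tag
    return msg


# --- PAD-MAC-Encrypt: the mitigation ------------------------------------------
def pme_encrypt(key, msg, group_bits):
    padded = bit_pad(msg, group_bits)                # pad first ...
    body = padded + mac_bits(key, padded)            # ... then authenticate message and pad
    return xor_bits(body, keystream(key, len(body)))


def pme_decrypt(key, ct):
    pt = xor_bits(ct, keystream(key, len(ct)))
    if len(pt) < TAG_BITS:
        raise ValueError("bad mac")
    padded, tag = pt[:-TAG_BITS], pt[-TAG_BITS:]
    if not hmac.compare_digest(mac_bits(key, padded), tag):
        raise ValueError("bad mac")                  # any truncation fails here, uniformly
    return bit_unpad(padded)


def responses(decrypt, key, cts, truncate):
    """Server verdict for each ciphertext with its last `truncate` bits removed."""
    out = []
    for ct in cts:
        try:
            decrypt(key, ct[:len(ct) - truncate])
            out.append("ok")
        except ValueError as err:
            out.append(str(err))
    return out


def demo_bits(seed, n):
    """Deterministic constructed message of n bits."""
    return keystream(seed.encode(), n)


def run_demo():
    # Slide 22's 3-indistinguishable group: responses of 509, 511 and 508 (bits here),
    # all padded to the same 512-bit group size before the tag is accounted for.
    group = 512
    msgs = {"a": demo_bits("a", 509), "b": demo_bits("b", 511), "c": demo_bits("c", 508)}
    d = group - min(len(m) for m in msgs.values())   # largest padding in the group: 4, for 'c'
    mee = [mee_encrypt(KEY, m, group) for m in msgs.values()]
    pme = [pme_encrypt(KEY, m, group) for m in msgs.values()]
    assert len({len(c) for c in mee}) == 1 and len({len(c) for c in pme}) == 1  # same wire size
    return {
        "mee": responses(mee_decrypt, KEY, mee, d - 1),   # only 'c' survives: size leaks
        "pme": responses(pme_decrypt, KEY, pme, d - 1),   # every packet rejected alike
        "mee_round_trip": [mee_decrypt(KEY, c) == m for c, m in zip(mee, msgs.values())],
        "pme_round_trip": [pme_decrypt(KEY, c) == m for c, m in zip(pme, msgs.values())],
    }


if __name__ == "__main__":
    print(run_demo())
```

The distinguishing signal in the MEE case is purely error-versus-no-error, so a server that wants to keep k-indistinguishability must make padding part of the authenticated data rather than only hide which error occurred.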
38. Further work
Yet to implement the proposed attacks
Need to find other modes of operation vulnerable to this attack
Other possibly vulnerable modes could be AES-GCM as used in TLS, SSH etc.
Need to explore other padding schemes apart from bit-padding
39. Conclusions
Traffic indistinguishability is a hard problem
Indifference to the underlying padding schemes, encryption modes and MAC calculation procedure can cause such privacy-preserving schemes to break.
Schemes to make traffic anonymous not only have to be application-agnostic and efficient; care also needs to be taken over how the scheme affects the underlying cryptographic operations
40. References
Chen, S., Wang, R., Wang, X., and Zhang, K. Side-channel leaks in web applications: A reality today, a challenge tomorrow. In IEEE Symposium on Security and Privacy (2010).
Liu, W. M., Wang, L., Ren, K., Cheng, P., and Debbabi, M. k-indistinguishable traffic padding in web applications. In Privacy Enhancing Technologies (2012).
T. Dierks, E. R. The Transport Layer Security (TLS) Protocol. http://www.rfc-editor.org/rfc/rfc5246.Txt, 2008.