Table of Contents

    15 January 2019, Volume 5 Issue 1
    Survey on the Satisfaction of Internet Security of Chinese Netizens in 2018
    2019, 5(1):  2-13. 
    The Taxonomy Towards the Security Application of Cryptography
    2019, 5(1):  14-22. 
    Cryptography plays an important fundamental role in cyber security. Applying cryptography in computer and network systems to implement security services has improved the security of cyberspace. Applying cryptography in cyberspace requires viewing cryptography from the perspective of computer and network security, so as to establish the relationship between rigorous but abstract cryptography and complex but concrete information systems. This paper discusses the taxonomy of the secure application of cryptography by analyzing the influences among data, systems, and entities. We attempt to answer the question: when the cryptographic theory is ready, which technical issues must still be solved for the secure application of cryptography in computer and network systems? We list the following issues: 1) choose suitable cryptographic algorithms, modes of operation and cryptographic protocols, 2) maintain reasonable cryptographic keys, 3) generate secure random numbers, 4) implement and deploy cryptographic protocols correctly, 5) bind cryptographic keys to entities, 6) ensure the security of cryptographic keys, and 7) enforce the use control of cryptographic computations. Based on the related works, we describe each of these technical issues in detail.
    Application Security of Block Cipher Mode of Operation
    2019, 5(1):  23-28. 
    The block cipher mode of operation has a nearly perfect theoretical system: as long as the underlying block cipher is secure, the mode of operation built on top of it can be proved secure. However, there is a huge gap between theory and reality, and in practice various application security issues have repeatedly appeared. This paper focuses on a series of problems including IV misuse, online attacks, the RUP problem, padding oracle attacks, birthday attacks, etc. IV misuse means that the IV values produced by programmers do not have the randomness required by the cryptographic definition; this problem can be avoided by using nonce-based schemes. In some modes of operation the data is processed online, so these modes are exposed to block-wise attacks, also called online attacks; the solution is to use an authenticated encryption mode that is secure online. The RUP problem means that a mode outputs unverified plaintext, which does not satisfy data integrity; Abed, Ashur et al. have improved the relevant modes of operation to solve this problem. In a padding oracle attack, the adversary uses the error messages returned by the receiver to attack the mode; to avoid such attacks, an authenticated encryption mode can be used. The birthday attack takes advantage of collisions in the intermediate state of the block cipher mode to forge messages. Due to this attack, the security strength of a block cipher with a 64-bit block length is reduced to 32 bits, which is insecure. Therefore, modes of operation with security beyond the birthday bound should be designed. In this paper, we analyze the causes of the above problems, the research status and the solutions in detail. Finally, we give some useful suggestions.
    On the Development of the Practical Security of Public Key Cryptosystems
    2019, 5(1):  29-38. 
    Public key cryptography is an important primitive in the Internet era, and also an important tool for protecting data and communication in cyberspace. Currently, the three basic public key cryptographic algorithms, namely public key encryption, digital signature and key exchange, are extensively used in various kinds of data systems and network protocols. In this paper, we introduce the definitions and security notions of the three basic public key cryptographic algorithms, especially the development of security notions from theory to practice; we also introduce several representative public key cryptosystems, for example, schemes which are considered milestones, such as RSA encryption and RSA signature; efficient and practical schemes, such as the Cramer-Shoup hybrid encryption scheme; standardized schemes, such as RSA-OAEP, NTRU and DSA; and promising schemes with post-quantum security, such as Kyber and Frodo. We hope that the paper will benefit researchers in the area of public key cryptology.
    Design, Implementation and Testing of Random Number Generators
    2019, 5(1):  39-49. 
    Random number generators (RNGs) are indispensable for modern cryptography. The unpredictability of the generated random numbers provides the basic security of cryptographic applications, such as cryptographic algorithms and security protocols. Once the quality of the random numbers fails to satisfy the expected security requirements, serious security risks may exist in these applications. This paper gives a systematic investigation and summary of the studies of RNGs from the perspectives of design and testing. On the design and implementation aspect, we introduce the research on hardware TRNGs and software TRNGs. On the testing aspect, we cover the research progress of RNG (black-box) statistical tests, entropy estimation and online tests.
    Security Enhancement of Certificate Services in Public Key Infrastructures
    2019, 5(1):  50-58. 
    Based on public key cryptography, public key infrastructures (PKIs) provide security services for a range of network activities, such as authentication, data integrity, data source authentication, etc. Besides, PKIs build the foundation of many Internet security protocols, including SSL/TLS. A certification authority (CA) is the fully trusted party in a PKI system, and is responsible for issuing a digital certificate to an entity after validating the entity's identity information. A certificate can identify a person or a server, and may include the security attributes of the subject. However, in recent years fraudulent certificates have appeared frequently, which bring vulnerabilities to PKI-based applications. Fraudulent certificates may appear if a CA does not validate the entity's information carefully, or if the CA is not built with adequate security properties. In order to solve these problems, security enhancements of PKI systems have been proposed. In this paper, we analyze the security problems of CAs and discuss existing security enhancements of certificate services in PKI systems.
    Security Analysis on the Implementations of Single-Sign-On Protocols
    2019, 5(1):  59-67. 
    Web applications rely on authentication to ensure the security of systems and protect the users' privacy. The single-sign-on (SSO) services provided by identity providers (IdPs) allow Web applications to integrate authentication directly, instead of maintaining and protecting the users' credentials by themselves. Moreover, SSO systems make it easier for users to visit multiple applications: each user only needs to maintain one credential, and completes the authentication at the chosen IdP. However, various vulnerabilities have been found in the implementations of SSO systems. In this paper, we analyze three mainstream SSO protocols, namely OAuth 2.0, OpenID Connect and SAML, and describe the common process of SSO systems. Based on the goals of adversaries and the ability of each participant, we propose four attack scenarios, and present seven security assumptions that should be satisfied in SSO systems. The analysis of existing attacks demonstrates that at least one assumption is broken for each vulnerability. Our work helps to design, implement and analyze secure SSO services.
    Advances in Cryptographic Key Protection
    2019, 5(1):  68-74. 
    In order to achieve the security functionality of cryptographic algorithms, we need to ensure the security of cryptographic keys, i.e., no attacker can access the cryptographic keys. However, there are various attacks that access the cryptographic keys on computers that implement cryptographic algorithms and perform cryptographic operations, including system attacks and physical attacks. This paper surveys the attacks that steal cryptographic keys and other sensitive data on computers. We analyze cryptographic key protections, including various solutions based on registers, caches, CPU features and online central servers, as well as data security techniques built on top of protected cryptographic keys, in terms of security, performance and applicability. Finally, we discuss the prospective research directions of cryptographic key protection.
    Technology Overview of Side Channel Analysis
    2019, 5(1):  75-87. 
    As more and more kinds of cipher devices suffer from the physical security threat of side channel analysis, side channel analysis has received increasing attention. Based on the differences in the side channel information used, this paper classifies and introduces side channel analysis technology, including power/electromagnetic (EM) analysis and timing analysis. In recent years, due to the widespread use of caches in modern CPUs, cache attacks have become a hot topic of side channel research. Since cache attacks require the collection of timing data, we classify cache attacks as a type of timing analysis attack. Finally, we introduce some important examples of side channel analysis from recent years, and analyze the attack methods and their degree of implementation difficulty.
    High-Performance Cryptographic Computations in GPUs
    2019, 5(1):  88-96. 
    Cryptology is an important foundation and tool of network security. In recent years, with the continuous and rapid development of the big data industry, e-commerce and cloud computing, the number of users, the traffic volumes and the corresponding cryptographic calculations faced by service providers have also been rising rapidly. In response to this situation, researchers began to break the conventional pattern in which cryptographic algorithms were implemented on CPUs, ASICs and FPGAs, and migrated them to various parallel computing platforms, such as graphics processing units (GPUs). Driven by the huge demand of graphics rendering, artificial intelligence, etc., GPUs have gained more than a tenfold increase in computing power over the last decade. Such performance advantages help GPU-based cryptographic implementations outperform others by a wide margin, and give them great potential. This paper summarizes the current progress of GPU-based cryptographic implementations, and gives a brief analysis of their development trends.