Each year, the world-renowned Royal Holloway University of London (RHUL) Information Security Group (ISG) invites prospective, current and past students to join its weekend conference and meet well-regarded security researchers and experts from academia, UK government and industry. Part of the tradition is to have dinner at the wonderful and well-preserved Founder’s Building (1881).
I felt very honoured to be explicitly invited to present part of my MSc thesis results in such a well-regarded environment.
Colin Walter, Director of Distance Learning, ISG: “As our top project students this year, it is my great pleasure to invite you each to give a short presentation at the next annual summer school for students and alumni of the distance learning MSc in Information Security, to be held at Royal Holloway on Sat/Sun 7-8 September 2013.”
Conference topics included risk management and information security accreditation programmes, e-crime and botnet behaviour, cloud encryption and key management, analysis of various communication protocols, and the latest developments in side-channel attack resistance.
Certificate revocation checking
Keith Vella Licari, currently with Deloitte Malta, provided insights into his master’s thesis on certificate revocation checking protocols. He identified shortcomings that call for improvement in the way certificate revocation checking is currently done.
Table 1: Issues identified in the revocation checking protocols under analysis
CRL | OCSP | Lightweight OCSP |
Can easily become large and unwieldy | Ambiguous answer (good/revoked/unknown) | Pre-produced responses |
Timeliness (delay until next update) | Only definitive answers are digitally signed | Only definitive answers are digitally signed |
Scalability (self-inflicted DDoS) | Optional protection against replay attacks | No protection against replay attacks |
Table 1 gives an overview of the issues found in the protocols under analysis. To address these findings, Keith has formally proposed an alternative protocol (RSDP) and is currently asking for thorough peer review of his proposal. I encourage readers affiliated with either OWASP or hacking-lab.com to take on the challenge.
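An added example, not from Keith’s thesis or the RSDP proposal: a client-side acceptance policy that hard-fails on the OCSP weaknesses listed in Table 1 (unsigned non-definitive answers, the optional nonce not being echoed, stale responses, and the ambiguous “unknown” status). OCSPResult is a constructed stand-in for an already decoded and signature-checked response, not an OCSP parser, and demo() runs the policy over constructed sample responses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

@dataclass
class OCSPResult:  # constructed stand-in for a decoded SingleResponse; a model, not a DER parser
    cert_status: str                 # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]  # None when the responder omits it
    signed: bool                     # True only if the caller verified the responder's signature
    nonce: Optional[bytes]           # nonce echoed in the response extension, if any

def evaluate_ocsp(resp: OCSPResult, sent_nonce: Optional[bytes], now: datetime,
                  max_age: timedelta = timedelta(days=7),
                  skew: timedelta = timedelta(minutes=5)) -> Tuple[bool, str]:
    """Hard-fail policy: only a fresh, signed, nonce-bound 'good' answer passes."""
    # Only definitive answers are signed; an unsigned answer carries no authority.
    if not resp.signed:
        return False, "unsigned response"
    # Replay protection is optional in OCSP: if we sent a nonce, insist it comes back.
    if sent_nonce is not None and resp.nonce != sent_nonce:
        return False, "nonce missing or mismatched (possible replay)"
    # Timeliness: reject answers dated in the future or past their validity window.
    if resp.this_update > now + skew:
        return False, "thisUpdate is in the future"
    if resp.next_update is not None:
        if now > resp.next_update + skew:
            return False, "stale: past nextUpdate"
    elif now - resp.this_update > max_age:
        return False, "stale: no nextUpdate and older than max_age"
    # The three-valued answer: 'unknown' is a failure, never a pass.
    if resp.cert_status == "good":
        return True, "good"
    if resp.cert_status == "revoked":
        return False, "revoked"
    return False, "unknown status treated as failure"

def demo() -> dict:
    """Run the policy over constructed responses (sample data, not captured traffic)."""
    now = datetime(2013, 9, 7, 12, 0, tzinfo=timezone.utc)  # constructed clock
    nonce = b"\x01\x02\x03\x04"                              # constructed nonce
    t0, t1 = now - timedelta(hours=1), now + timedelta(days=1)
    cases = {
        "fresh":    OCSPResult("good", t0, t1, True, nonce),
        "replayed": OCSPResult("good", t0, t1, True, None),  # nonce not echoed back
        "stale":    OCSPResult("good", now - timedelta(days=2), now - timedelta(days=1), True, nonce),
        "unknown":  OCSPResult("unknown", t0, t1, True, nonce),
        "unsigned": OCSPResult("revoked", t0, t1, False, nonce),
    }
    return {name: evaluate_ocsp(r, nonce, now) for name, r in cases.items()}
```

Only the "fresh" case is accepted; a client that instead soft-fails (treating "unknown" or an unsigned error as a pass) effectively skips the revocation check.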
Defense by Nature
David Naccache, cryptographer and professor at the Université Panthéon-Assas in Paris and member of the École normale supérieure Computer Laboratory, presented current research on improving resistance to side-channel attacks. The study aims to harden the communication between off-the-shelf controllers/CPUs and memory components. The approach involves transmitting empirically identified “fake” values along with the real data so as to camouflage the emissions of the communication.
The concept borrows an idea from nature: animals that share a common predator mimic the appearance of a poisonous counterpart (Müllerian mimicry) and are left alone. Some would actually call that approach “Security by Obscurity”. Applied to emission channels, however, the technique masks the leaked information so that it appears to be something else. This holds under the assumption that the attacker and the designer have comparable analytical capabilities in terms of probe sensitivity and measurement-equipment sampling rate. Thus the approach could give standard electronic components better resistance, at the price of a memory footprint several times larger than strictly needed.
References
Slides and videos will be published soon. See http://www.isg.rhul.ac.uk/dl/weekendconference2013/sunday.html