Today, TLS is widely used for achieving a secure communication system. And TLS is used PKI for server authentication and/or client authentication. However, its PKI environment, which is called as “multiple trust anchors environment,” causes the problem that the verifier has to maintain huge number of CA certificates in the ubiquitous network because the increase of terminals connected to the network brings the increase of CAs. However, most of terminals in the ubiquitous network will not have enough memory to hold such huge number of CA certificates. Therefore, another PKI environment, “cross certification environment”, is useful for the ubiquitous network. But, because current TLS is designed for the multiple trust anchors model, TLS cannot work efficiently on the cross-certification model. This paper proposes a TLS implementation method to support the cross certification model efficiently. Our proposal reduces the size of exchanged messages between the TLS client and the TLS server during the handshake process. Therefore, our proposal is suitable for implementing TLS in the terminals that do not have enough computing power and memory in ubiquitous network.

抄録全体を表示

Security protocol provides communication security for the internet. One of the important features of it is authentication with key exchange. Its correctness is a requirement of the whole of the communication security. In this paper, we introduce three attack models realized as their attack scenarios, and provide an authentication-protocol checker for applying three attack-scenarios based on the models. We also utilize it to check two popular security protocols: Secure SHell (SSH) and Secure Socket Layer/ (SSL/TLS).

抄録全体を表示

The evolution of Internet, the growth of Internet users and the new enabled technological capabilities place new requirements to form the Future Internet. Many features improvements and challenges were imposed to build a better Internet, including securing roaming of data and services over multiple administrative domains. In this research, we propose a multi-domain access control infrastructure to authenticate and authorize roaming users through the use of the Diameter protocol and EAP. The Diameter Protocol is a AAA protocol that solves the problems of previous AAA protocols such as RADIUS. The Diameter EAP Application is one of Diameter applications that extends the Diameter Base Protocol to support authentication using EAP. The contributions in this paper are: 1) first implementation of Diameter EAP Application, called DiamEAP, capable of practical authentication and authorization services in a multi-domain environment, 2) extensibility design capable of adding any new EAP methods, as loadable plugins, without modifying the main part, and 3) provision of EAP-TLS plugin as one of the most secure EAP methods. DiamEAP Server basic performances were evaluated and tested in a real multi-domain environment where 200 users attempted to access network using the EAP-TLS method during an event of 4 days. As evaluation results, the processing time of DiamEAP using the EAP-TLS plugin for authentication of 10 requests is about 20ms while that for 400 requests/second is about 1.9 second. Evaluation and operation results show that DiamEAP is scalable and stable with the ability to handle more than 6 hundreds of authentication requests per second without any crashes. DiamEAP is supported by the AAA working group of the WIDE Project.

抄録全体を表示

The Internet of Things (IoT) is defined as a global infrastructure for the Information Society, enabling advanced services by interconnecting (physical and virtual) things based on, existing and evolving, interoperable information and communication technologies by ITU-T. Data may be communicated in low-power and lossy environments, which causes complicated security issues. Furthermore, concerns are raised over access of personally identifiable information pertaining to IoT devices, network and platforms. Security and privacy concerns have been main barriers to implement IoT, which needs to be resolved appropriate security and privacy measures. This paper describes security threats and privacy concerns of IoT, surveys current studies related to IoT and identifies the various requirements and solutions to address these security threats and privacy concerns. In addition, this paper also focuses on major global standardization activities for security and privacy of Internet of Things. Furthermore, future directions and strategies of international standardization for theInternet of Thing's security and privacy issues will be given. This paper provides guidelines to assist in suggesting the development and standardization strategies forward to allow a massive deployment of IoT systems in real world.

抄録全体を表示

AAA (Authentication, Authorization, and Accounting) is one of the important functions indispensable for providing services on the Internet. Diameter Base Protocol was standardized in IETF as a successor of RADIUS, which is a widely used AAA protocol in the current Internet. Diameter solves the problems that RADIUS has such as support of multiple realms, reliable and secure message transport, and failover. There are several open source implementations of Diameter Base Protocol. However, none of them completely conforms to the specification. The first contribution of freeDiameter is that it is an open source of Diameter Base Protocol that completely conforms to the specification. It is written in C and based on a BSD-like license. In the Diameter architecture, a particular service on Diameter Base Protocol is defined as a Diameter application such as Diameter EAP application for WiFi network access control. The second contribution of freeDiameter is that the software architecture of freeDiameter makes it easy to implement Diameter applications as additional plug-ins. freeDiameter has already been distributed through our home page. freeDiameter with Diameter EAP application has been used in our laboratory for WiFi network access. It was also used for network control in the WIDE camp held in September 2010 for four days in which approximately 200 researchers attended. There was no problem on freeDiameter. This is good evidence of the stability of freeDiameter.

抄録全体を表示

While the Secure Socket Layer or (SSL/TLS) is assumed to provide secure communications over the Internet, many web applications utilize basic or digest authentication of Hyper Text Transport Protocol (HTTP) over SSL/TLS. Namely, in the scheme, there are two different authentication schemes in a session. Since they are separated by a layer, these are not convenient for a web application. Moreover, the scheme may also cause problems in establishing secure communication. Then we provide a scheme of authentication binding between SSL/TLS and HTTP without modifying SSL/TLS protocols and its implementation, and we show the effectiveness of our proposed scheme.

抄録全体を表示

The L-band Digital Aeronautical Communications System (LDACS), the worldwide first true integrated Communication, Navigation and Surveillance (CNS) system, is in the process of being standardized at the International Civil Aviation Organization (ICAO) and the Internet Engineering Task Force (IETF). The cellular system is considered a successor to the 30-years old Very High Frequency (VHF) Datalink mode 2 system (VDLm2) and intended for communications related to the safety and regularity of flight. With the initial rollout planned in the near future, the finalization of all its aspects, including security is of utmost importance. While previous works presented a cybersecurity architecture for LDACS, including a Public Key Infrastructure (PKI), certificates, a Mutual Authentication and Key Establishment (MAKE) procedure, as well as usage of established keys for protecting its user- and control-data plane, the protocol for secure LDACS handovers between cells has not been established. The objective of this work is to present a secure handover procedure for LDACS, fulfilling all security and performance requirements for data- and voice communications via LDACS.

抄録全体を表示

The author constructed a medical image network system using open source software that took security into consideration. This system was enabled for search and browse with a WWW browser, and images were stored in a DICOM server. In order to realize this function, software was developed to fill in the gap between the DICOM protocol and HTTP using PHP language. The transmission speed was evaluated by the difference in protocols between DICOM and HTTP. Furthermore, an attempt was made to evaluate the convenience of medical image access with a personal information terminal via the Internet through the high-speed mobile communication terminal. Results suggested the feasibility of remote diagnosis and application to emergency care.

抄録全体を表示

近年，各種業務に関わる情報システムは増加する一方である．これらの情報システムが，個別にユーザ情報を保存し，連携することなく独立にユーザ認証を行うと，利用者の利便性が低下し，安易なパスワードを利用するなどの回避策を採る傾向が強まり，情報システムのセキュリティに対して悪影響を生じる．このような悪影響を避けるため，情報システムの認証統合は重要である．同時に，ネットワーク上のセキュリティの懸念の増大に伴って，利用者と情報システムの安全な通信路の確保が必須となってきている．本論文では，認証統合および安全な通信路の確保の双方に対応したウェブホスティングサービスの構築と運用について述べる．

抄録全体を表示

The success and scale of the Internet and its protocol IP has spurred emergent distributed technologies such as fog/edge computing and new application models based on distributed containerized microservices. The Internet of Things and Connected Communities are poised to build on these technologies and models and to benefit from the ability to communicate in a peer-to-peer (P2P) fashion. Ubiquitous sensing, actuating and computing implies a scale that breaks the centralized cloud computing model. Challenges stemming from limited IPv4 public addresses, the need for transport layer authentication, confidentiality and integrity become a burden on developing new middleware and applications designed for the network's edge. One approach - not reliant on the slow adoption of IPv6 - is the use of virtualized overlay networks, which abstract the complexities of the underlying heterogeneous networks that span the components of distributed fog applications and middleware. This paper describes the evolution of the design and implementation of IP-over-P2P (IPOP) - from its purist P2P inception, to a pragmatic hybrid model which is influenced by and incorporates standards. The hybrid client-server/P2P approach allows IPOP to leverage existing robust and mature cloud infrastructure, while still providing the characteristics needed at the edge. IPOP is networking cyber infrastructure that presents an overlay virtual private network which self-organizes with dynamic membership of peer nodes into a scalable structure. IPOP is resilient to partitioning, supports redundant paths within its fabric, and provides software defined programming of switching rules to utilize these properties of its topology.

抄録全体を表示

To realize connected and/or self-driving vehicles for a mobility environment, it requires an authentication mechanism to prevent spoofing of on-board units of the vehicle and a mechanism to prevent eavesdropping and tampering of communication data between an on-board unit and servers in the cloud. Considering the huge number of vehicles in the system, an authentication method is required to mitigate the complexity of operation and management for the number of vehicles. In this paper, we propose a data utilization system that securely stores in-vehicle LAN data, which consist of control data flowing inside a vehicle, in the cloud in real time, and provides this information securely to third parties such as vehicle users, car dealers, and non-life insurance companies. The system uses ID-based cryptography as a mutual authentication method between on-board units and the data collection servers, and uses a key generated from the ID of an on-board unit to ease the key management. We integrate the management information of the vehicle and the authentication key of the vehicle in the system, and thus reduces the complexity of the operation and the key management.

抄録全体を表示

本学では2016年から学内無線LANの整備を始め，エリアの拡大やLMSの利用率向上に伴い，学内無線LANの利用者も増加した．その結果，無線接続に関するトラブルも増加したが，電波の干渉やローミングの影響と思われるトラブルの対策は困難であった．そこで，AP毎の接続数やローミング履歴を可視化できるシステムを作成して得られたデータから様々な対策を実施してきた．本論文では実施した対策と学内無線LANの冗長化について述べる．

抄録全体を表示

本記事に「抄録」はありません。

抄録全体を表示

Webサービスの安心・安全を支える裏方として，本稿では通信技術，特にSSL/TLSの概説を行う。SSL/TLSは，顔の見えないインターネット上で，通信相手の認証，通信の機密性と完全性を提供する。安全性の豊富な研究に基づく最新版TLS1.3の完成と，常時SSL化/完全HTTPS化の普及により，通信の安全性の観点では，これらは成熟した技術群と見える。それでは，なぜ，世の中からフィッシング被害は無くならないのだろう。実は，SSL/TLSをさらに下支えする，PKI（公開鍵基盤）という技術的，社会的な仕組みが存在し，今まさに，PKIが提供する価値に変革が求められているのである。本稿では，SSL/TLSとPKIに関する歴史と仕組みを概説し，今まさに起こりつつある変化についても紹介する。

抄録全体を表示

This paper presents new key correlations of the keystream bytes generated from RC4 and their application to plaintext recovery on WPA-TKIP. We first observe new key correlations between two bytes of the RC4 key pairs and a keystream byte in each round, and provide their proofs. We refer to these correlations as iterated RC4 key correlations since two bytes of the RC4 key pairs are iterated every 16 rounds. We then extend the existing attacks by Isobe et al. at FSE 2013 and AlFardan et al. at USENIX Security 2013, 0and finally propose an efficient attack on WPA-TKIP. We refer to the proposed attack as chosen plaintext recovery attack (CPRA) since it chooses the best approach for each byte from a variety of the existing attacks. In order to recover the first 257 bytes of a plaintext on WPA-TKIP with success probability of at least 90%, CPRA requires approximately 2³⁰ ciphertexts, which are approximately half the number of ciphertexts for the existing attack by Paterson et al. at FSE 2014.

抄録全体を表示

本記事に「抄録」はありません。

抄録全体を表示

As encryption technology has become more widely used, attackers have begun to use techniques that increase the stealth nature of their attacks based on the assumption that encrypted communications are being used. As an example, some threat actors, including Lazarus, have been reported to use a sophisticated technique, named “FakeTLS”. This is a method that aims to avoid detection and blocking by Deep Packet Inspection (DPI) by disguising its appearance as

(TLS) communication. In this study, based on the FakeTLS method used by Lazarus, we attempted to distinguish whether TLS communication is spoofed or not without decrypting the communication content. We have created a dataset of normal TLS and FakeTLS based on command output results, which attackers often collect in the early stages of an intrusion. FakeTLS data were encrypted with algorithms often used by threat actors. For some algorithms, we reproduced exactly the same algorithms as Lazarus's methods. We collected the features based on the Shannon entropy and randomness testings from the encrypted part of the TLS communications and constructed a classifier named TLS Lie Detector using novelty detection methods. Our experimental results showed that the classifier can detect lies with an F0.5 score of 0.88, an F1 score of 0.78, an F2 score of 0.70, and a Matthews correlation coefficient of 0.74. In particular, our proposed method could completely detect FakeTLS using weak encryption algorithms.

抄録全体を表示