Cryptanalysis of the security applications and protocols

Posted by Amit | Security | Sunday 21 September 2008 11:35 am

I recently read an article about “NFC to emerge as the next big change for the mobile market”. The article refers the analyst report from Juniper research titled “Mobile Payment Markets: Contactless NFC 2008-2013″. Highlights from the report are

  • Global mobile subscribers with NFC phones will reach 700 million by 2013.
  • The market is currently dominated by FeliCa-enabled phones on Japanese mobile networks, where about 50 million FeliCa-enabled phones have been shipped to date.
  • North America, Western Europe and Far East & China will be the leading regions by 2013, with each region having annual shipments in excess of 25% of total NFC phone shipments.

The analyst doesn’t miss out on quoting that the issues gating the commercial success of NFC are only the un-availability of NFC phones with users & NFC readers with merchants.

One of the most popular operators in Europe carried out NFC trails recently and expressed satisfaction and has decided to roll our NFC based services.

Sometime back I posted an article about attacking the NFC phones; this report brings me to another issue I would like to focus. Weather or not NFC technology becomes successful only time will tell. In the meanwhile, now that the standard is already frozen, my question is shouldn’t such standards go through an exhaustive Cryptanalysis phase to explore the weaknesses before wider deployment? If they do can someone provide more insight into how that is done. With a number of private players entering in the High Performance Computing domain; such systems could also be used to explore strengths and weaknesses of soon to be deployed or already deployed security protocols/ mechanisms.

I believe we have members on this forum who are experts in the security side of NFC and on the other hand also the members who are experts in using HPC Clusters for such Cryptanalysis. It would be nice to hear back from both sides about requirement and usefulness of Cryptanalysis in such application and information on how that can be achieved.

NAC market picking up

Posted by Mayuresh | Security | Friday 20 June 2008 7:08 am

I am sure many of you, who are working or worked with NAC vendors, would love to hear this. After a lot of talk about NAC market being dead, Infonetics has taken a fresh view of NAC market and predicts strong forecast ahead. Ref: Reports of NAC’s death have been greatly exaggerated; market up 16% in 1Q08

According to the research report, NAC market jumped 16% in 1Q08 to $62.7 million which means $10 million more over the previous quarter.

Though NAC market is still dominated by out-of-band appliances mainly from Cisco and Juniper, Infonetics predicts shift towards Ethernet switch based NAC appliances and in-line (bump in the wire) products. It predicts that purpose-built products from Consentry Networks and Nevis Networks will make up 25% of the NAC market. Being an ex-Nevis employee, I am really happy to know this and wish that it happens!!

Comments welcome!!

Service providers to patrol internet ?

Posted by Mayuresh | Security | Wednesday 18 June 2008 9:14 am

AT&T is planning to offer security services to inspect and stop malicious traffic before entering the corporate network.
Ref: http://www.mercurynews.com/business/ci_9593411

In all these years service providers are always looked upon as just thick pipes that do their best to get every piece of data to customers. Fundamental question that arises here is should they be allowed to look into the traffic passing through their network? One of the intended use is to stop spams before reaching the corporate networks. According to AT&T, 80% of emails that it delivers is spam. Argument looks very attractive and seems logical to stop all digital debris, malicious content at backbone itself.

But what if ISPs misuse this power. There are endless possibilities. With so many sophisticated solutions available today, it’s not hard to dig more to characterize behavior of subscribers which then can be used for targeted content OR to keep particular traffic away. Remember Comcast delaying BitTorrent traffic generated enough flames!! This needs to be studied deeply from legal aspects.

Nevertheless, I feel this would open lot of opportunities for security vendors who are struggling to sell in crowded enterprise market.

Comments welcome!!

Attacking NFC Mobile Phones at EUSecWest

Posted by Amit | Security | Tuesday 10 June 2008 7:15 am

Near Field Communications is the RFID-based standard being built into mobile phones to allow them greater interaction with the physical world. NFC-enabled handsets can be used to pay for bus or train journeys, replacing existing contact less cards. They can read tags embedded in (Smart) posters that trigger a URL to be loaded or a phone number to be called.

At the recently concluded EUSecWest Conference in London Collin Mulliner demonstrated two most interesting hacks which involved replacing the NFC tag on a vending machine, and spoofing a URI in a Smart Poster to connect the user to somewhere other than they wished.

Sean Comeau conducted this interview with Collin Mulliner. The complete interview is available on this link. I am copying few interesting questions here.

Sean Comeau: What new threats exist against NFC services and phones?

Collin Mulliner: I’ve basically analyzed THE NFC phone available in Europe (the Nokia 6131 NFC) and found that it allows spoofing of RFID tag content. This is quite interesting since some of the European systems exactly use the part that is spoofable. I’ve also done some fuzzing on the Nokia 6131 NFC and found some smaller bugs.

I’ve also conducted a small survey of NFC systems that are in use in Germany and Austria. This should be quite interesting.

Sean Comeau: What kinds of things are possible when you can spoof tags?

Collin Mulliner: All of these attacks are based on the exploitation of the trust the user has in the RFID/NFC tags (e.g. because the user has used the system for some time and he know what to expect – if everything looks ok he will believe it is ok).

So now if an attack can tamper with these tags (there are multiple ways to do this – e.g. through using a sticky tag on top of the original tag or by modifying the original tag) the user can be tricked into doing things that are bad for him.

There are multiple SMS-based services in the field. These can be attacked because we can spoof the phone number so the SMS is send to a other phone number then the user expects (e.g. premium rate number – other attacks are possible too :-) .

….

Sean Comeau: Have you been in contact with any members of the NFC member companies regarding these issues and if so what response have you received?

Collin Mulliner: I have extensive contact with Nokia. They already started fixing the spoofing issues. Nokia seems to care a lot about the issues I reported.

Our fellow CRYPTOcrat, Jan Brands, an expert in NFC security has generously provided few comments for this blog. Please find these comments in the “Comments” section below. Jan also sent us the link to the complete presentation about the experiment performed by Mulliner. It seems the experiment much more than the details given in the interview. You can download the presentation from this link.

Soon to be published book authored by a fellow CRYPTOcrat

Posted by Amit | Security | Monday 9 June 2008 9:16 am

Dr. Adam J. Elbirt will soon be unveiling his new book titled “Understanding and Applying Cryptography and Data Security” and has graciously provided us a snippet of what the book is all about. Here is what Dr Adam wrote to us.

There are numerous books available that present cryptography and data security concepts from a variety of perspectives. While useful as reference texts when examining specifics of cryptographic algorithm and protocol implementation, these texts tend to be written from a mathematics perspective versus engineering and computer science viewpoints. Even books such as Applied Cryptography, by Bruce Schneier, are not truly suited to classroom environments though they are written to be accessible to those with a less formal mathematics background. Moreover, mathematics-based books fail to provide real-world examples that span the implementation domains of hardware, software, and embedded systems. This book describes cryptography and data security from the “how do I implement the algorithms and protocols” point of view, with relevant examples and homework problems that will be coded in software languages, such as assembly and C, as well as hardware description languages, such as VHDL and Verilog, to evaluate implementation results. The goal of these implementation comparisons is to provide students with a feel for what they may encounter in actual job situations, examining tradeoffs between code size, hardware logic resource requirements, memory usage, speed and throughput, power consumption, etc.

I am sure this book will be useful to many of us. If you wish to pre-order the book here is the link to its home on amazon’s website.

Dr. Adam is a long time CRYPTOcrat and an expert in NTRU Cryptosystems. He is currently serving as an Assistant Professor at University of Massachusetts Lowell.

Here is the link to Dr. Adam’s profile on Linkedin. We do look forward to seeing this book published soon. Here is wishing Dr. Adam from all of us at CRYPTOcrats a grand success for his new book and many more to come.

soccerine Wordpress Theme