18 Jun

Service providers to patrol the internet?

   Posted by: Mayuresh   in Security

AT&T is planning to offer security services to inspect and stop malicious traffic before entering the corporate network.
Ref: http://www.mercurynews.com/business/ci_9593411

In all these years service providers have been looked upon as just thick pipes that do their best to get every piece of data to customers. The fundamental question that arises here is: should they be allowed to look into the traffic passing through their network? One of the intended uses is to stop spam before it reaches corporate networks. According to AT&T, 80% of the emails it delivers are spam. The argument looks very attractive, and it seems logical to stop all digital debris and malicious content at the backbone itself.

But what if ISPs misuse this power? There are endless possibilities. With so many sophisticated solutions available today, it’s not hard to dig deeper and characterize the behavior of subscribers, which can then be used for targeted content or to keep particular traffic away. Remember that Comcast delaying BitTorrent traffic generated enough flames!! This needs to be studied deeply from the legal aspects.

Nevertheless, I feel this would open a lot of opportunities for security vendors who are struggling to sell in the crowded enterprise market.

Comments welcome!!

10 Jun

Attacking NFC Mobile Phones at EUSecWest

   Posted by: Amit   in Security

Near Field Communication (NFC) is the RFID-based standard being built into mobile phones to allow them greater interaction with the physical world. NFC-enabled handsets can be used to pay for bus or train journeys, replacing existing contactless cards. They can read tags embedded in (Smart) posters that trigger a URL to be loaded or a phone number to be called.

At the recently concluded EUSecWest conference in London, Collin Mulliner demonstrated two very interesting hacks, which involved replacing the NFC tag on a vending machine and spoofing a URI in a Smart Poster to connect the user to somewhere other than they intended.

Sean Comeau conducted this interview with Collin Mulliner. The complete interview is available at this link. I am copying a few interesting questions here.

Sean Comeau: What new threats exist against NFC services and phones?

Collin Mulliner: I’ve basically analyzed THE NFC phone available in Europe (the Nokia 6131 NFC) and found that it allows spoofing of RFID tag content. This is quite interesting since some of the European systems use exactly the part that is spoofable. I’ve also done some fuzzing on the Nokia 6131 NFC and found some smaller bugs.

I’ve also conducted a small survey of NFC systems that are in use in Germany and Austria. This should be quite interesting.

Sean Comeau: What kinds of things are possible when you can spoof tags?

Collin Mulliner: All of these attacks are based on the exploitation of the trust the user has in the RFID/NFC tags (e.g. because the user has used the system for some time and he knows what to expect - if everything looks ok he will believe it is ok).

So now if an attacker can tamper with these tags (there are multiple ways to do this - e.g. through using a sticky tag on top of the original tag or by modifying the original tag) the user can be tricked into doing things that are bad for him.

There are multiple SMS-based services in the field. These can be attacked because we can spoof the phone number so the SMS is sent to another phone number than the user expects (e.g. a premium rate number - other attacks are possible too :-).

….

Sean Comeau: Have you been in contact with any members of the NFC member companies regarding these issues and if so what response have you received?

Collin Mulliner: I have extensive contact with Nokia. They already started fixing the spoofing issues. Nokia seems to care a lot about the issues I reported.

Our fellow CRYPTOcrat, Jan Brands, an expert in NFC security, has generously provided a few comments for this blog. Please find these comments in the “Comments” section below. Jan also sent us the link to the complete presentation about the experiment performed by Mulliner. It seems the experiment covered much more than the details given in the interview. You can download the presentation from this link.

Dr. Adam J. Elbirt will soon be unveiling his new book, titled “Understanding and Applying Cryptography and Data Security”, and has graciously provided us with a snippet of what the book is all about. Here is what Dr. Adam wrote to us.

There are numerous books available that present cryptography and data security concepts from a variety of perspectives. While useful as reference texts when examining specifics of cryptographic algorithm and protocol implementation, these texts tend to be written from a mathematics perspective versus engineering and computer science viewpoints. Even books such as Applied Cryptography, by Bruce Schneier, are not truly suited to classroom environments though they are written to be accessible to those with a less formal mathematics background. Moreover, mathematics-based books fail to provide real-world examples that span the implementation domains of hardware, software, and embedded systems. This book describes cryptography and data security from the “how do I implement the algorithms and protocols” point of view, with relevant examples and homework problems that will be coded in software languages, such as assembly and C, as well as hardware description languages, such as VHDL and Verilog, to evaluate implementation results. The goal of these implementation comparisons is to provide students with a feel for what they may encounter in actual job situations, examining tradeoffs between code size, hardware logic resource requirements, memory usage, speed and throughput, power consumption, etc.

I am sure this book will be useful to many of us. If you wish to pre-order the book, here is the link to its home on Amazon’s website.

Dr. Adam is a long-time CRYPTOcrat and an expert in NTRU Cryptosystems. He is currently serving as an Assistant Professor at the University of Massachusetts Lowell.

Here is the link to Dr. Adam’s profile on LinkedIn. We look forward to seeing this book published soon. Here is wishing Dr. Adam, from all of us at CRYPTOcrats, a grand success for his new book and many more to come.

8 Jun

CRYPTOcrats statistics

   Posted by: Amit   in Launch

Updated statistics, available as of 26 June 2008, can be found under the About Us section here.

Only 6 months ago a few of us got together and decided to have a web representation for our CRYPTOcrats group. Ever since that time in Dec ’07 we have been growing in numbers, and I am happy to report some membership statistics now. It’s quite interesting to see that such a specialized group got this great response, and the credit goes to all of you members (CRYPTOcrats).

There are two distinct views* of the statistics. One is based on the profiles of the members, which shows the varied mix of people we have in the group. The other one is based on their geographical locations, again quite varied, and it is really nice to see that we are known in so many parts of the world now.

1. CRYPTOcrats and their job function

CRYPTOcrats & their profiles (chart)

There is a strong representation of architects, developers and researchers in the group. It is also nice to see that quite a few CEOs & CTOs bring a business-leader-level perspective to the group.

2. CRYPTOcrats and their geographical locations

CRYPTOcrats & their locations (chart)

There is strong representation from India; however, this includes a few members who are presently working in other parts of the world. After India there is strong representation from the US and France. Quite interestingly, many of the senior CRYPTOcrats come from the US & France and will soon be contributing to this website. We look forward to having more representation from Israel, Switzerland and the UK, where lots of good work in security and cryptography is taking place.


3 Jun

NVIDIA CUDA Competition

   Posted by: CRYPTOcrat   in Crypto Application, Encryption

Contributed by Abhishek

This might be of interest to some of you. There is a contest held by NVIDIA, the graphics card leader, to experience the power of their GPUs by using NVIDIA CUDA™ technology. CUDA is the world’s only C language environment that provides access to the processing power of NVIDIA GPUs. This enables developers to utilize NVIDIA GPUs to solve the most complex computation-intensive challenges, such as oil and gas exploration, financial risk management, product design, medical imaging and scientific research.

The CUDA Contest welcomes all types of mainstream stand-alone applications or plug-ins running in Windows, Linux or MacOS environments, but is looking to reward innovative, useful apps that make the best use of the GPU processing power. Scientific applications are excluded. I thought this could be of interest to the CRYPTOcrats who would like to test/verify their algorithms or even do cryptanalysis.

Find below the flyer for this competition. You can contact NVIDIA directly or use the comments section if you need more information.

NVIDIA CUDA Competition Flyer (image)

22 May

Privacy Preserving Auctions - Part 2

   Posted by: CRYPTOcrat   in Crypto Application, Encryption

In continuation of Part 1.

Suppose the security of the server can’t be breached; this still does not solve the problem in its entirety. The problem that remains can be formally stated as: “Even if current information can be safeguarded, records of past behavior can be extremely valuable, since the historical data can be used to estimate willingness to pay.” Varian [8] was the first to address this problem. Let’s understand this problem with an example.

Cheating by the seller in subsequent auctions (illustration)

Refer to the illustration above. Suppose you participate in an online second price auction for a single item on some website. You bid $1000. The second highest bid is $750; you win and pay $750. The next day there is an auction for the same item on the same website; again you bid $1000, but now the second highest bid is $999. It is then quite possible that the website has used your previous bid.

To avoid such manipulations in auctions, the most desirable properties are as follows:

  • No coalition of players should be able to learn your private values and manipulate the output of the auction.
  • Only the winner and the payment should be disclosed.
  • Even after the auction is closed, your private values should not be revealed.
  • The protocol should be publicly verifiable.
  • Nobody should be able to deny what he has bid.

To achieve the above properties, the bidders themselves compute the output of the auction. Secure Multi-Party Computation (MPC) and cryptography play an important role in this.

MPC deals with the evaluation of a function ‘f’ which has ‘n’ inputs, each of which is held by one agent. A secure MPC protocol is designed to evaluate this function in such a way that no information about the inputs of the function is leaked by the protocol. For example, say two millionaires wish to decide who is richer without revealing their actual wealth. Yao [9] proposed a protocol for solving this problem: at the end of the protocol the richer of the two millionaires is determined without either one knowing the actual wealth of the other. This is one example of secure MPC.

With the advent of the Internet, the design of secure auctions has become an important and challenging task. By secure auction, we mean the security of the bids even after evaluation of the auction. Researchers have used secure MPC, trusted third parties and homomorphic encryption for designing auctions over the web. (Note: Homomorphic encryption: if (m1, c1) and (m2, c2) are plaintext-ciphertext pairs, then c1 × c2 is a ciphertext of m1 × m2. For example, the RSA and ElGamal encryption schemes are homomorphic encryption schemes.)
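The homomorphic property in the note above, worked through as an added example (this is not code from the article or from any of the cited auction protocols); the RSA and ElGamal parameters are constructed and far too small to be secure.

```python
import secrets

# --- textbook RSA with constructed, insecure parameters ---------------------
RSA_P, RSA_Q = 61, 53
RSA_N = RSA_P * RSA_Q                                   # 3233
RSA_E = 17
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))       # 2753


def rsa_encrypt(m: int) -> int:
    return pow(m, RSA_E, RSA_N)


def rsa_decrypt(c: int) -> int:
    return pow(c, RSA_D, RSA_N)


def rsa_product(m1: int, m2: int) -> int:
    """Encrypt m1 and m2 separately, multiply the ciphertexts mod n and decrypt.
    Since c1*c2 = (m1*m2)^e mod n, the result is m1*m2 mod n."""
    c1, c2 = rsa_encrypt(m1), rsa_encrypt(m2)
    return rsa_decrypt((c1 * c2) % RSA_N)


# --- ElGamal with constructed, insecure parameters --------------------------
EG_P = 467                      # small prime modulus
EG_G = 2
EG_X = 127                      # private key
EG_H = pow(EG_G, EG_X, EG_P)    # public key h = g^x mod p


def elgamal_encrypt(m: int, r=None):
    """Randomised encryption (g^r, m*h^r): a fresh r per bid hides equal bids."""
    if r is None:
        r = 1 + secrets.randbelow(EG_P - 2)
    return pow(EG_G, r, EG_P), (m * pow(EG_H, r, EG_P)) % EG_P


def elgamal_decrypt(ct) -> int:
    a, b = ct
    shared = pow(a, EG_X, EG_P)            # h^r recomputed from g^r and x
    return (b * pow(shared, -1, EG_P)) % EG_P


def elgamal_multiply(ct1, ct2):
    """Component-wise product gives (g^(r1+r2), m1*m2*h^(r1+r2)). Anyone can do
    this without the key: the feature auction protocols build on, and also the
    malleability that makes public verifiability of each step necessary."""
    return (ct1[0] * ct2[0]) % EG_P, (ct1[1] * ct2[1]) % EG_P


def elgamal_product(m1: int, m2: int) -> int:
    return elgamal_decrypt(elgamal_multiply(elgamal_encrypt(m1), elgamal_encrypt(m2)))
```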

Pointers for Further Reading

Some of the important research papers are:

1. Franklin and Reiter [3] proposed the use of multiple servers for conducting the auction. The bid is submitted partially to each server. Unless the security of 1/3rd of the servers is compromised, the auction is secure.

2. Nurmi and Salomaa [7] generalized Yao’s protocol for a secure Vickrey auction.

3. Naor [6] used an Auction Issuer (AI), which is a semi-trusted third party.

4. Kikuchi [5] and Abe [1] have proposed secure auction protocols based on homomorphic encryption.

5. Felix Brandt [2] has designed many auctions using homomorphic encryption. In his auction protocols, all the bidders compute the output of the auction.

Conclusion

In this article we saw what the privacy issues in online auction design are. We also saw what secure auction design is and what the expected properties of an auction protocol are. We have seen some references for secure auction design. For a concise technical summary of the topic, interested readers may refer to my talk [4].

References

[1] Masayuki Abe and Koutarou Suzuki. M+1-st price auction using homomorphic encryption. In PKC ’02: Proceedings of the 5th International Workshop on Practice and Theory in Public Key Cryptosystems, pages 115-124, London, UK, 2002. Springer-Verlag.

[2] Felix Brandt. How to obtain full privacy in auctions. International Journal of Information Security, 5(4):201-216, 2006.

[3] Matthew K. Franklin and Michael K. Reiter. The design and implementation of a secure auction service. IEEE Trans. Software Eng., 22(5):302-312, 1996.

[4] Sujit Gujar and Y. Narahari. Some issues in auctions with manipulative players. Technical report, Dept of CSA, Indian Institute of Science, March 2007. Available at http://people.csa.iisc.ernet.in/sujit/docs/perspective-reort.pdf.

[5] Hiroaki Kikuchi. (m+1)st-price auction protocol. In FC ‘01: Proceedings of the 5th International Conference on Financial Cryptography, pages 351-363, London, UK, 2002. Springer-Verlag.

[6] Moni Naor, Benny Pinkas, and Reuban Sumner. Privacy preserving auctions and mechanism design. In EC ‘99: Proceedings of the 1st ACM conference on Electronic commerce, pages 129-139, New York, NY, USA, 1999. ACM Press.

[7] Hannu Nurmi and Arto Salomaa. Cryptographic protocols for Vickrey auctions. In Group Decision and Negotiation, pages 363-373. Springer Netherlands, 1993.

[8] H. R. Varian. Economic mechanism design for computerized agents. In 1st USENIX Workshop on Electronic Commerce, 1995.

[9] Andrew Chi-Chih Yao. Protocols for secure computations (extended abstract). In Proceedings of the 23rd Annual Symposium on Foundations of Computer Science, FOCS ’82, pages 160-164, 1982.


Author:

Sujit P Gujar, a long-time CRYPTOcrat. More information about Sujit is available at this link.

17 May

Privacy Preserving Auctions - Part 1

   Posted by: CRYPTOcrat   in Crypto Application, Encryption

Author:

Sujit P Gujar, a long-time CRYPTOcrat. More information about Sujit is available at this link.

Abstract:

In this article, I will talk about what auctions are, what the important issues in online auctions are and why cryptography plays an important role in them. I will also provide pointers to technical details on privacy preserving auctions.

Auctions are popular mechanisms used for buying or selling different items through a bidding process. Before going into detail about privacy issues in auctions, I will explain the two important types of auctions that are available. Consider a case where there is a seller who wishes to sell a single unit of an indivisible item (that is, the item has to be allocated as a single piece). There are multiple buyers for this item; for example, an auction for an antique painting, or an auction for oil drilling rights over a region. Each bidder/buyer has a maximum willingness to pay. This is referred to as the valuation or type information of an agent, and it is private to the agent. The auctioneer has to specify the allocation rule and the payment rule. Though plenty of varieties of auctions exist, the most popular are:

First price auction

Potential buyers submit sealed bids and the highest bidder is awarded the item. The winning bidder pays the price that he or she has bid.

Second Price Auction

This is also called the Vickrey auction. Potential buyers submit sealed bids and the highest bidder is awarded the item. The winning bidder pays a price equal to the second highest bid (which is also the highest losing bid). In a first price auction, intelligent bidders will not bid their valuations. But Vickrey has shown that in a second price auction everybody should bid their maximum willingness to pay.

Online Auction

With the advent of the Internet era, online auctions are widely used. As the security of the servers is continuously being challenged by hackers and malicious users, some of the players may be able to breach the security and gain some knowledge of the private information of the other players. This type of manipulation is possible by both sellers and buyers. A seller can profitably cheat by examining bids before the auction clears and submitting an extra bid under a false identity. This type of bidding is called shill bidding. In the case of first price auctions, the seller gains no advantage from a shill bid: either the shill bid wins and no trade happens, or the winner pays whatever he has bid anyway. In the case of the second price auction, submitting true type information (that is, the true bid) is a dominant strategy, irrespective of others’ bids. So if a buyer gets access to the other bids in a Vickrey auction, his strategy is not going to change. Thus, there is no need to study cheating by the seller in first price auctions or cheating by buyers in second price auctions. However, cheating is possible in the following two scenarios:

1. Manipulative seller in a second price auction
2. Manipulative buyers in a first price auction

The Case of a Manipulative Seller in Second Price Auction

A seller can profitably cheat in a second price auction. For example, if the bidders in an eBay auction each use a proxy bidder (essentially creating a second-price auction), then the seller may be able to break into eBay’s server, observe the maximum price that a bidder is willing to pay, and then extract this price by submitting a shill bid just below it using a false identity.

Here is an example to explain this case.

Cheating by a seller (illustration)

Refer to the illustration above. Suppose Mr. C announces an online second price auction for selling an indivisible item. Ms. H participates in this auction and bids her valuation, $1000. Mr. C breaks into the server before the auction is closed, finds out the highest bid by Ms. H, and places a shill bid of $999. Ms. H has no option but to pay $999.

The Case of Manipulative Buyers in a First Price Auction

We now consider the case in which the seller is honest, but there is a chance that some of the buyers will cheat and examine the others’ bids before submitting their own (or, alternatively, they will revise their bid before the auction clears).

Here is an example to explain this case.

Cheating by a buyer (illustration)

Refer to the illustration above. Mr. A announces an online first price auction for selling an indivisible item. Ms. H participates in this auction. She has a valuation of $1000 for the item and bids $700 in anticipation of maximizing her utility. Ms. C, her competitor, who has a valuation of $730, breaks into the server before the auction is closed, finds out the highest bid by Ms. H, and places her own bid at $701. Ms. C will win the object, though she has the lower valuation.

The above discussion clearly highlights the importance of security and particularly cryptography in auction design. Cryptography can play a bigger role than just solving the problems mentioned above.

Let’s break here for now; we shall continue this discussion in the next part of this article.

To be concluded…

15 May

OpenSSL RNG problem discovered on Debian!

   Posted by: Amit   in Encryption

Well.. Ok.. I promise this will be a short-n-quick one and we SHALL have the article series as planned..

However, this NEWS just shocked me, so I could not resist sharing it with you all. It won’t be wrong to say most of us would have used the OpenSSL package at least once during our professional lives as security developers. It is as good as a cult for many. (If you haven’t, and don’t know it, don’t miss out on the opportunity to do so now. Here is the link to know more about OpenSSL.)

I for one have been using OpenSSL since the days it used to be called SSLeay, so that should be as far back as 1997. It’s a masterpiece really! One of the most widely used and well supported packages in the Security/Crypto community.

Returning from my strong sentimental attachment to OpenSSL to the reason for this post: here is the link that describes the OpenSSL random number generator issue. Friends at SecurityFocus.com have some more details about who is affected by this vulnerability. Here is the link. The issue seriously affects the uniqueness of the keys generated on Debian, making them predictable.

I think this brings us back to one of the earlier topics, about personalization of private keys.

Did any of you get affected? Any thoughts? Do write in your experiences in the comments section.

In this article, the author will talk about what auctions are, what the important issues in online auctions are and why cryptography plays an important role in them. He will also provide pointers to technical details on privacy preserving auctions.

The article is authored by Sujit P Gujar, who is a long-time CRYPTOcrat (http://www.linkedin.com/pub/5/401/925) and is currently a research scholar at the Indian Institute of Science, Bangalore, India.

You can find more information about Sujit on his website here: http://people.csa.iisc.ernet.in/sujit

For easier reading, this soon-to-be-published article is split into two parts.

Gnidaer yppah ;) 

12 May

DRM Technologies - CPRM

   Posted by: Abhishek   in DRM

Maintaining the DRM thread, here is my primer on CPRM:

In this era of computers, the storage and safety of digital media (data, audio, video and other digital content) has never been so important, be it for users of personal computers or of other digital consumer devices such as pen drives, USB discs and personal media devices. For personal media devices (PMDs) such as personal media players (PMPs), the requirement is the ability to store and move legitimate content across systems, and with the more popular techniques this move-ability is linked to the media and the content. From the user’s perspective, he needs unlimited and unrestricted access to his digital media content. However, many a time implementing a perfect scheme that provides seamless play-anywhere and play-unlimited capability is infeasible. Besides, while there is an expected legitimate use of this content, new ways are devised every day to break these content protection schemes and enable free use of protected content. The economics behind digital content protection/playback is huge and easily reaches multi-billion dollar figures every year. The copyright holders and publishers own the larger portion of this multi-billion dollar pie and look to the crypto/security enthusiast community to help them counter the problems of piracy. Various standardized and proprietary content protection (Digital Rights Management, DRM) schemes have been proposed on this topic, and they have been successful to a large extent. One of them is “CPRM - Content Protection for Recordable Media”.

CPRM is a hardware-based technology which controls the copying, moving and deletion of digital media on computers and digital players. CPRM imposes restrictions through mechanisms built into the storage media. CPRM was developed by the 4C Entity, consisting of IBM, Intel, Matsushita and Toshiba. The 4C Entity, LLC, licensor of Content Protection for Recordable Media, has defined the CPRM specifications. These specifications contain all the cryptographic methods used to protect digital media or entertainment content when recorded on physical media; the symmetric encryption algorithm presently used is the Cryptomeria cipher (C2). The CPRM specification covers key management for interchangeable media, content encryption and how digital media is renewed. C2 is a block cipher, defined and licensed by the 4C Entity. It is the successor to CSS (Content Scramble System) and is mainly designed for CPRM, for DRM-restricted digital media and devices. The C2 symmetric key algorithm is a 10-round Feistel cipher with a key size of 56 bits and a block size of 64 bits.

The 4C Entity provides development or facsimile keys for products which use CPRM technology. CPRM is mainly implemented in Secure Digital cards and is used to incorporate digital tags into storage media, viz. recordable CDs (CD-R, CD-RW) and flash memory cards for MP3 players, etc. CPRM specifications have been mainly defined for DVD drives, portable ATA storage and Secure Digital (SD) memory cards.

CPRM requires a table of secret device keys, which should be embedded into every licensed device, and a media key block (MKB), which should be stored on every piece of recordable media. CPRM-compliant devices can generate a media key by performing operations on the MKB. In the case of a DVD/CD, the MKB is permanently burnt into the control data area hidden within the disc’s lead-in area. The lead-in area is normally near the center of the disc and usually not accessible by users, which prevents users from deleting or modifying the MKB. Generally, disc manufacturers embed a media identifier (media ID) into each piece of recordable media, which cannot be deleted. The media ID specifies the type of media and its manufacturer and also includes a 40-bit serial number that uniquely identifies the disc. This unique identification is what lets CPRM bind the data to the media on which it is recorded. Each volume of content is also identified by a secret 64-bit title key that is stored on the disc in encrypted form. This key can only be decrypted with a 56-bit disc-specific media unique key, which in turn is calculated from the media key and the media ID. The title key, which is needed in order to read or write content, is thus bound to both content and media. The media ID doesn’t need to be kept secret, as it cannot be physically altered.
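An added model of the key chain just described, to show how the title key ends up bound to both a licensed device and the media ID. This is not the 4C Entity’s code: CPRM’s C2 cipher and one-way function are stood in for by HMAC-SHA256, and the device keys, media key, media ID and title key are constructed values.

```python
import hashlib
import hmac


def derive(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in for CPRM's C2-based one-way function: HMAC-SHA256 cut to 64 bits."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:8]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_mkb(media_key: bytes, licensed: dict) -> dict:
    """Media Key Block: the media key wrapped once per licensed device key.
    A device whose key is not in the table (unlicensed or revoked) gets nothing."""
    return {dev_id: xor_bytes(media_key, derive(dev_key, b"mkb", dev_id))
            for dev_id, dev_key in licensed.items()}


def process_mkb(mkb: dict, dev_id: bytes, dev_key: bytes):
    """What a player does with the MKB: recover the media key, or None."""
    if dev_id not in mkb:
        return None
    return xor_bytes(mkb[dev_id], derive(dev_key, b"mkb", dev_id))


def media_unique_key(media_key: bytes, media_id: bytes) -> bytes:
    """Disc-specific key: a function of the media key AND the unalterable media ID."""
    return derive(media_key, b"muk", media_id)


def wrap_title_key(title_key: bytes, muk: bytes) -> bytes:
    """Title key is stored on the disc only under the media unique key. XOR with a
    derived pad stands in for C2 encryption here, so the same call also unwraps."""
    return xor_bytes(title_key, derive(muk, b"title", b""))


def record(media_id: bytes, media_key: bytes, licensed: dict, title_key: bytes) -> dict:
    """What ends up on the disc: media ID, MKB and the wrapped title key.
    The content itself (encrypted under title_key) is left out of this model."""
    muk = media_unique_key(media_key, media_id)
    return {"media_id": media_id, "mkb": make_mkb(media_key, licensed),
            "enc_title_key": wrap_title_key(title_key, muk)}


def play(disc: dict, dev_id: bytes, dev_key: bytes):
    """Title key a device recovers from a disc, or None if it holds no licensed key."""
    media_key = process_mkb(disc["mkb"], dev_id, dev_key)
    if media_key is None:
        return None
    muk = media_unique_key(media_key, disc["media_id"])
    return wrap_title_key(disc["enc_title_key"], muk)


def demo():
    """Constructed values throughout; returns (licensed_ok, copy_ok, unlicensed_result)."""
    media_key = bytes.fromhex("0123456789abcdef")
    title_key = bytes.fromhex("fedcba9876543210")
    licensed = {b"player-A": b"A" * 8, b"player-B": b"B" * 8}
    disc = record(bytes.fromhex("000000002a"), media_key, licensed, title_key)  # 40-bit ID
    # 1) a licensed player on the original disc recovers the title key
    licensed_ok = play(disc, b"player-A", licensed[b"player-A"]) == title_key
    # 2) a bit-for-bit copy of the MKB and wrapped title key onto media with a
    #    different ID: the media unique key differs, so the unwrapped key is garbage
    copy = dict(disc, media_id=bytes.fromhex("000000002b"))
    copy_ok = play(copy, b"player-A", licensed[b"player-A"]) == title_key
    # 3) a device whose key is absent from the MKB cannot even obtain the media key
    unlicensed = play(disc, b"player-Z", b"Z" * 8)
    return licensed_ok, copy_ok, unlicensed
```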

In a nutshell, CPRM mainly binds copyrighted material to the physical media. It allows discs to be recorded and played back on different devices but doesn’t let protected content be copied to another piece of media. How successful CPRM has been could make a good debate; however, it is still widely adopted by hardware manufacturers. For now I shall leave you with this much.

- Abhishek Anurag