Aikaterini Mitrokotsa | Chalmers University of Technology
Papers by Aikaterini Mitrokotsa
Knowledge management : concepts, methodologies, tools and applications / Murray Jennex, editor.
Relay attacks (and, more generally, man-in-the-middle attacks) are a serious threat against many access control and payment schemes. In this work, we present distance-bounding protocols, how these can deter relay attacks, and the security models formalizing these protocols. We show several pitfalls making existing protocols insecure (or at least, vulnerable, in some cases). Then, we introduce the SKI protocol which enjoys resistance to all popular attack-models and features provable security. As far as we know, this is the first protocol with such all-encompassing security guarantees.
Distance-bounding is a practical solution aiming to prevent relay attacks. The main challenge when designing such protocols is maintaining their inexpensive cryptographic nature, whilst being able to protect against as many, if not all, of the classical threats posed in their context. Moreover, in distance-bounding, some subtle security shortcomings related to the PRF (pseudorandom function) assumption and ingenious attack techniques based on observing verifiers' outputs have recently been put forward. Also, the recent terrorist-fraud by Hancke somehow recalls once more the need to account for noisy communications in the security analysis of distance-bounding. In this paper, we attempt to incorporate the lessons taught by these new developments in our distance-bounding protocol design. The result is a new class of protocols, with increasing levels of security, accommodating the latest advances; at the same time, we preserve the lightweight nature of the design throughout the whole class.
We consider a Bayesian statistician (B) communicating with an untrusted third party (A). B wants to convey useful answers to the queries of A, but without revealing private information. For example, we may want to give statistics about how many people suffer from a disease, but without revealing whether a particular person has it. This requires us to strike a good balance between utility and privacy. In this extended abstract, we summarise our results on the inherent privacy and robustness properties of Bayesian inference [1]. We formalise and answer the question of whether B can select a prior distribution so that a computationally unbounded A cannot obtain private information from queries. Our setting is as follows:
Distance-bounding is a practical solution to be used in security-sensitive contexts, mainly to prevent relay attacks. But subtle security shortcomings related to the PRF (pseudorandom function) assumption and ingenious attack techniques based on observing verifiers' outputs have recently been put forward. In this extended abstract, we survey some of these security concerns and attempt to incorporate the lessons taught by these new developments in ideas of distance-bounding protocol design.
This book constitutes the refereed proceedings of the International ECML/PKDD Workshop on Privacy and Security Issues in Data Mining and Machine Learning, PSDML 2010, held in Barcelona, Spain, in September 2010. The 11 revised full papers presented were carefully reviewed and selected from 21 submissions. The papers range from data privacy to security applications, focusing on detecting malicious behavior in computer systems.
From contactless payments to remote car unlocking, many applications are vulnerable to relay attacks. Distance bounding protocols are the main practical countermeasure against these attacks. At FSE 2013, we presented SKI as the first family of provably secure distance bounding protocols. At LIGHTSEC 2013, we presented the best attacks against SKI. In this paper, we present the security proofs. More precisely, we explicate a general formalism for distance-bounding protocols. Then, we prove that SKI and its variants are provably secure, even under the real-life setting of noisy communications, against the main types of relay attacks: distance-fraud and generalised versions of mafia- and terrorist-fraud. For this, we reinforce the idea of using secret sharing, combined with the new notion of a leakage scheme. In view of resistance to mafia-frauds and terrorist-frauds, we present the notion of circular-keying for pseudorandom functions (PRFs); this notion models the employment of a PRF, with possible linear reuse of the key. We also use PRF masking to fix common mistakes in existing security proofs/claims.
The evolution of wireless network technologies and the recent advances in mobile computing hardware have made possible the introduction of various applications in mobile ad hoc networks. Not only is the infrastructure of these networks inherently vulnerable but they have increased requirements regarding their security as well. As intrusion prevention mechanisms, such as encryption and authentication, are not sufficient regarding security, we need a second line of defense, Intrusion Detection. The focus of this paper is on anomaly detection techniques in order to exploit their main advantage of being able to detect unknown attacks. First, we briefly describe intrusion detection systems and then we suggest a distributed schema applicable to mobile ad hoc networks. This anomaly detection mechanism is based on a neural network and is evaluated for packet dropping attacks using features selected from the MAC layer. The performance of the proposed architecture is evaluated under different traffic conditions and mobility patterns.
Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security - CCS '15, 2015
Journal of Computer Security, 2015
Lecture Notes in Computer Science, 2014
Differential privacy formalises privacy-preserving mechanisms that provide access to a database. We pose the question of whether Bayesian inference itself can be used directly to provide private access to data, with no modification. The answer is affirmative: under certain conditions on the prior, sampling from the posterior distribution can be used to achieve a desired level of privacy and utility. To do so, we generalise differential privacy to arbitrary dataset metrics, outcome spaces and distribution families. This allows us to also deal with non-i.i.d or non-tabular datasets. We prove bounds on the sensitivity of the posterior to the data, which gives a measure of robustness. We also show how to use posterior sampling to provide differentially private responses to queries, within a decision-theoretic framework. Finally, we provide bounds on the utility and on the distinguishability of datasets. The latter are complemented by a novel use of Le Cam's method to obtain lower bounds. All our general results hold for arbitrary database metrics, including those for the common definition of differential privacy. For specific choices of the metric, we give a number of examples satisfying our assumptions.
Lecture Notes in Computer Science, 2014
Relay attacks (and, more generally, man-in-the-middle attacks) are a serious threat against many access control and payment schemes. In this work, we present distance-bounding protocols, how these can deter relay attacks, and the security models formalizing these protocols. We show several pitfalls making existing protocols insecure (or at least, vulnerable, in some cases). Then, we introduce the SKI protocol which enjoys resistance to all popular attack-models and features provable security. As far as we know, this is the first protocol with such all-encompassing security guarantees.
This paper examines the robustness and privacy properties of Bayesian estimators under a general set of assumptions. These assumptions generalise the concept of differential privacy to arbitrary outcome spaces and distribution families. We demonstrate our results with a number of examples where they hold. We then prove general bounds on the change of the posterior distribution due to changes in the data. Finally, we prove finite sample bounds for privacy under a strong adversarial model.
This book constitutes the refereed proceedings of the International ECML/PKDD Workshop on Privacy and Security Issues in Data Mining and Machine Learning, PSDML 2010, held in Barcelona, Spain, in September 2010. The 11 revised full papers presented were carefully reviewed and selected from 21 submissions. The papers range from data privacy to security applications, focusing on detecting malicious behavior in computer systems.
Many applications involve agents sharing a resource, such as networks or services. When agents are honest, the system functions well and there is a net profit. Unfortunately, some agents may be malicious, but it may be hard to detect them. We consider the intrusion response problem of how to permanently blacklist agents, in order to maximise expected profit. This is not trivial, as blacklisting may erroneously expel honest agents. Conversely, while we gain information by allowing an agent to remain, we may incur a cost due to malicious behaviour. We present an efficient algorithm (HIPER) for making near-optimal decisions for this problem. Additionally, we derive three algorithms by reducing the problem to a Markov decision process (MDP). Theoretically, we show that HIPER is near-optimal. Experimentally, its performance is close to that of the full MDP solution, when the (stronger) requirements of the latter are met.
2014 IEEE International Workshop on Information Forensics and Security (WIFS), 2014
In this paper, we study the security of two recently proposed privacy-preserving biometric authentication protocols that employ packed somewhat homomorphic encryption schemes based on ideal lattices and ring-LWE, respectively. These two schemes have the same structure and have distributed architecture consisting of three entities: a client server, a computation server, and an authentication server. We present a simple attack algorithm that enables a malicious computation server to learn the biometric templates in at most $2N - \tau$ queries, where $N$ is the bit-length of a biometric template and $\tau$ the authentication threshold. The main enabler of the attack is that a malicious computation server can send an encryption of the inner product of the target biometric template with a bitstring of his own choice, instead of the securely computed Hamming distance between the fresh and stored biometric templates. We also discuss possible countermeasures to mitigate the attack using private information retrieval and signatures of correct computation.
Lecture Notes in Computer Science, 2014
Biometric authentication establishes the identity of an individual based on biometric templates (e.g. fingerprints, retina scans etc.). Although biometric authentication has important advantages and many applications, it also raises serious security and privacy concerns. Here, we investigate a biometric authentication protocol that has been proposed by Bringer et al. and adopts a distributed architecture (i.e. multiple entities are involved in the authentication process). This protocol was proven to be secure and privacy-preserving in the honest-but-curious (or passive) attack model. We present an attack algorithm that can be employed to mount a number of attacks on the protocol under investigation. We then propose an improved version of the Bringer et al. protocol that is secure in the malicious (or active) insider attack model and has forward security.
Lecture Notes in Computer Science, 2014
In biometric authentication protocols, a user is authenticated or granted access to a service if her fresh biometric trait matches the reference biometric template stored on the service provider. This matching process is usually based on a suitable distance which measures the similarities between the two biometric templates. In this paper, we prove that, when the matching process is performed using a specific family of distances (which includes distances such as the Hamming and the Euclidean distance), then information about the reference template is leaked. This leakage of information enables a hill-climbing attack that, given a sample that matches the template, could lead to the full recovery of the biometric template (i.e. centre search attack) even if it is stored encrypted. We formalise this "leakage of information" in a mathematical framework and we prove that centre search attacks are feasible for any biometric template defined in $\mathbb{Z}_q^n$ ($q \geq 2$) after a number of authentication attempts linear in $n$. Furthermore, we investigate brute force attacks to find a biometric template that matches a reference template, and hence can be used to run a centre search attack. We do this in the binary case and identify connections with the set-covering problem and sampling without replacement.
Computers & Security, 2014
In many cases, we can only have access to a service by proving we are sufficiently close to a particular location (e.g., in automobile or building access control). In these cases, proximity can be guaranteed through signal attenuation. However, by using additional transmitters an attacker can relay signals between the prover and the verifier. Distance-bounding protocols are the main countermeasure against such attacks; however, such protocols may leak information regarding the location of the prover and/or the verifier who run the distance-bounding protocol. In this paper, we consider a formal model for location privacy in the context of distance-bounding. In particular, our contributions are threefold: we first define a security game for location privacy in distance bounding; secondly, we define an adversarial model for this game, with two adversary classes; finally, we assess the feasibility of attaining location privacy for distance-bounding protocols. Concretely, we prove that for protocols with a beginning or a termination, it is theoretically impossible to achieve location privacy for either of the two adversary classes, in the sense that there always exists a polynomially-bounded adversary winning the security game. However, for so-called limited adversaries, who cannot see the location of arbitrary provers, carefully chosen parameters do, in practice, enable computational location privacy.