Showing papers on "Format-preserving encryption" published in 2019
TL;DR: It can be concluded that it is possible to cipher traffic at this physical level in a secure way, and no overhead is introduced during encryption, getting minimum latency and maximum throughput.
Abstract: Industrial Ethernet is a technology widely spread in factory floors and critical infrastructures where a high amount of data need to be collected and transported. Fiber optic networks at gigabit rates fit well with that type of environment, where speed, system performance, and reliability are critical. In this paper, a new encryption method for high-speed optical communications suitable for such kinds of networks is proposed. This new encryption method consists of a symmetric streaming encryption of the 8b/10b data flow at physical coding sublayer level. It is carried out thanks to a format preserving encryption block cipher working in CTR (counter) mode. The overall system has been simulated and implemented in a field programmable gate array. Thanks to experimental results, it can be concluded that it is possible to cipher traffic at this physical level in a secure way. In addition, no overhead is introduced during encryption, getting minimum latency and maximum throughput.
13 citations
TL;DR: A method for encrypting the data frame, including real data in the CAN message structure, using format-preserving encryption (FPE), which ensures that the plaintext and ciphertext have the same format and length, thus providing better security against denial-of-service attacks.
Abstract: In connected cars with various electronic control unit (ECU) modules, Ethernet is used to communicate data received by the sensor in real time, but it is partially used alongside a controller area network (CAN) due to the cost. There are security threats in the CAN, such as replay attacks and denial-of-service attacks, which can disrupt the driver or cause serious damage, such as a car accident through malicious manipulation. Although several secure protocols for protecting CAN messages have been proposed, they carry limitations, such as combining additional elements for security or modifying CAN messages with a limited length. Therefore, in this paper, we propose a method for encrypting the data frame, including real data in the CAN message structure, using format-preserving encryption (FPE), which ensures that the plaintext and ciphertext have the same format and length. In this way, block ciphers such as AES-128 must be divided into two or three blocks, but FPE can be processed simultaneously by encrypting them according to the CAN message format, thus providing better security against denial-of-service attacks. Based on the 150 ms CAN message, a normal message was received from a malicious message injection of 180 ms or more for AES-128 and a malicious message injection of 100 ms or more for FPE. Finally, based on the proposed scheme, a CAN transmission environment is constructed for analyzing the encryption/decryption rate and the process of transmitting and processing the encrypted message for connected cars in multi-access edge computing (MEC). This scheme is compared with other algorithms to verify that it can be used in a real environment.
4 citations
01 Nov 2019
TL;DR: The vulnerabilities of data-masking techniques that preserve the format of data are discussed and two industrial datasets are investigated and analysed to investigate the potential data privacy leakage that could arise from using inappropriate data masking techniques.
Abstract: With the growing number of regulations and concerns regarding data privacy, there is an increasing need for protecting Personally Identifiable Information (PII). A widely-used approach to protect PII is to apply data-masking techniques in order to remove or hide the identities of the individuals referred to in the data under investigation. A particular class of data-masking techniques aims at preserving the format of the source data, so as to allow using encoded data where the corresponding source is expected, thereby minimising application changes to perform tasks such as statistical analysis or testing. Various encoding techniques are used to protect data privacy while preserving the format, including Format-Preserving Encryption (FPE) and masking out. Even though convenient, preserving the format of data might lead to re-identification attacks. In this paper, we discuss the vulnerabilities of data-masking techniques that preserve the format of data and analyse their security and privacy properties. We investigate two industrial datasets and quantify the potential data privacy leakage that could arise from using inappropriate data masking techniques.
4 citations
3 citations
TL;DR: An encrypted optical link has been tested with Ethernet data frames, concluding that it is possible to cipher traffic at this level, getting maximum throughput and hiding traffic pattern from passive eavesdroppers.
Abstract: In this work a new self-synchronized encryption method for 10 Gigabit optical links is proposed and developed. Necessary modifications to introduce this kind of encryption in physical layers based on 64b/66b encoding, such as 10 GBase-R, have been considered. The proposed scheme encrypts directly the 64b/66b blocks by using a symmetric stream cipher based on an FPE (Format Preserving Encryption) block cipher operating in PSCFB (Pipelined Statistical Cipher Feedback) mode. One of the main novelties in this paper is the security analysis done for this mode. For the first time, an expression for the IND-CPA (Indistinguishability under Chosen-Plaintext Attack) advantage of any adversary over this scheme has been derived. Moreover, it has been concluded that this mode can be considered secure in the same way as traditional modes are. In addition, the overall system has been simulated and implemented in an FPGA (Field Programmable Gate Array). An encrypted optical link has been tested with Ethernet data frames, concluding that it is possible to cipher traffic at this level, getting maximum throughput and hiding traffic pattern from passive eavesdroppers.
3 citations
01 Jan 2019
TL;DR: This work introduces Format Preserving Encryption (FPE), a modern cryptosystem that allows full customization of the ciphertext, while offering comparable security to AES, and proposes a modified algorithm, FF1+, that implements dynamic round selection and key scheduling.
Abstract: The Internet of Things (IoT) is a network of interconnected low-power sensing devices designed to interact and communicate with each other. To avoid compromising user privacy, it is necessary to encrypt these channels. We introduce Format Preserving Encryption (FPE), a modern cryptosystem that allows full customization of the ciphertext, while offering comparable security to AES. To gauge the performance of FPE, we compare the NIST-approved FF1 algorithm against several symmetric and asymmetric encryption schemes on a Raspberry Pi 3. While suitable for small plaintexts, FF1 breaks down for longer character strings. We propose a modified algorithm, FF1+, that implements dynamic round selection and key scheduling. Significant performance improvements are observed in our results, thus demonstrating FF1+ as a viable cryptosystem for IoT devices.
2 citations
01 Mar 2019
TL;DR: This work presents a new family of SPN-based FPE algorithms “eSPF” that significantly improves the performance and flexibility of SPF and proposes a discarding algorithm to drop the symbols that are not the elements of the format thus preserving it.
Abstract: The construction SPF, presented in Inscrypt-2016, was the first known substitution permutation network (SPN)–based format preserving encryption (FPE) algorithm. In this work, we present a new family of SPN-based FPE algorithms “eSPF” that significantly improves the performance and flexibility of SPF. The eSPF uses an MDS matrix instead of the binary matrix used in SPF. The optimal diffusion of MDS matrix leads to an efficient and secure design. However, this change leads to violations in the message format. To mitigate this, we propose a discarding algorithm to drop the symbols that are not the elements of the format thus preserving it. In this work, we propose the general framework of eSPF and then show how our construction can be adapted under different use cases. We provide detailed analysis of eSPF for four popular concrete instantiations—digits, alphabets, case-insensitive alphanumeric, and case-sensitive alphanumeric. We provide security and performance analysis for all these use cases. We also compare our construction with existing FPE algorithms like FFX and SPF and show that the proposed design is approximately ten times faster than FFX for most of the practical applications.
2 citations
11 Jun 2019
TL;DR: This study introduces a load balancing module for a generic web application to distribute the load optimally using Software Defined Networking (SDN) controllers and implements an open-source SDN controller that runs inside a docker container.
Abstract: Stability and security are the most important two release requirements of a modern application development process. As the number of users of an application increases, the network traffic grows. This results in an increase in the server load as well as the threats. If this traffic is not nicely controlled the user would experience a mitigation in application’s performance. To provide a continuous and secure service, the load on the system must be optimally distributed among multiple servers. In the literature, there are various algorithms that are proposed to balance the load on a system. In this study, we introduce a load balancing module for a generic web application to distribute the load optimally using Software Defined Networking (SDN) controllers. The proposed system employs a round-robin scheme for server allocation and implements an open-source SDN controller that runs inside a docker container. To provide reliability, the web application is developed using the ReactJS and NodeJS. The privacy and data confidentiality is provided by using the NIST’s new format preserving encryption standard. The proposed method is suitable for real world applications as shown in the performance profiling that we carried using Openload toolset.
2 citations
01 Oct 2019
TL;DR: A novel format preserving JPEG encryption scheme is presented, which also losslessly reduces the file size by compressing the quantized DC coefficients, to reduce the redundancy as well as encryption.
Abstract: We present a novel format preserving JPEG encryption scheme, which also losslessly reduces the file size by compressing the quantized DC coefficients. The main idea behind this paper is to introduce additional lossless compression as a part of format preserving encryption to reduce the redundancy as well as encryption. The result reduces the encrypted file size up to 3.2%.
2 citations
03 Jul 2019
TL;DR: This paper proposed a method to encrypt the GPS information of an image file using Format-Preserving Encryption, which preserves the length and format of the plaintext, and confirmed that GPS information can be secured by encrypting it in image files.
Abstract: Global Positioning System (GPS) information is stored in EXchangeable Image File Format (EXIF) in the image file. It is considered personal information; therefore, sharing it without the owner’s consent could lead to personal information disclosure. GPS information is embedded on the images uploaded by many people on social network services or stored in the Cloud. Images must be encrypted to prevent GPS information from being disclosed. However, there are no existing methods to encrypt them in EXIF. Using block cipher for encryption can exceed the tag value range of EXIF. In this paper, we propose a method to encrypt the GPS information of an image file using Format-Preserving Encryption, which preserves the length and format of the plaintext. We confirmed that GPS information can be secured by encrypting it in image files.
15 Jul 2019
TL;DR: The IND-CPA (Indistinguishability under Chosen-Plaintext Attack) advantage is analysed for the first time concluding that this mode can be considered secure in the same way as traditional encryption modes are.
Abstract: In this work, a new solution for self-synchronized encryption in physical layer at Gigabit Ethernet optical links is proposed. The solution is based on the block cipher operating mode called PSCFB (Pipelined Statistical Cipher Feedback) using as underlying PRF (Pseudo Random Function) an FPE (Format Preserving Encryption) block cipher. Thanks to this structure it is possible to encrypt 8b/10b Ethernet symbols preserving its coding properties at Physical layer in an optical Gigabit Ethernet interface. The IND-CPA (Indistinguishability under Chosen-Plaintext Attack) advantage is analysed for the first time concluding that this mode can be considered secure in the same way as traditional encryption modes are. In addition it provides self-synchronization while keeping an encryption throughput near 100%. Finally, the proposed mechanism has been simulated and synthesized in an FPGA (Field Programmable Gate Array) electronic device.
Patent
04 Apr 2019
TL;DR: In this article, a system for format-preserving encryption utilizing a key version can include a processor, and a memory resource storing instructions executable by the processor to determine a quantity of significant bits for a value to be encrypted, mask the value to include the quantity of significant bits, perform format preserving encryption on the masked value to generate an encrypted value, and append the key version to the encrypted value.
Abstract: In one example, a system for format preserving encryption utilizing a key version can include a processor, and a memory resource storing instructions executable by the processor to determine a quantity of significant bits for a value to be encrypted, mask the value to include the quantity of significant bits, perform format preserving encryption on the masked value to generate an encrypted value, and append a key version to the encrypted value.
Patent
16 Jul 2019
TL;DR: In this paper, a blockchain system based on zero-knowledge proof with format-preservation encryption and a control method thereof is presented, in which data to be kept private due to privacy protection and the like among data to be registered in a blockchain network as a transaction are encrypted through the format-preservation encryption.
Abstract: Disclosed in the present invention are a blockchain system based on zero-knowledge proof with format-preservation encryption and a control method thereof. In the present invention, data to be kept private due to privacy protection and the like among data to be registered in a blockchain network as a transaction are encrypted through the format-preservation encryption, the data to be kept private that are encrypted by the format-preservation encryption and publicly available data are registered in the blockchain network as a transaction. Therefore, a problem that data may be searched only by knowing a hash value since a key value of the existing block is composed of hash values can be solved by encrypting some content using the format-preservation encryption, so that monitoring data can be protected by using the zero-knowledge proof.
11 Jun 2019
TL;DR: The purpose of the proposed Genetic based Key Splitting algorithm is to generate the best random two keys that have maximum difference so that the two keys cannot be derived from each other.
Abstract: Database as a service is one of the important services provided by Cloud Computing. Recently, a Two Layered Protection Scheme for securing the database has been proposed. The scheme employs two symmetric key encryption algorithms, the Order Preserving Encryption and Format Preserving Encryption. Each of the two encryption algorithms uses a different encryption key that is derived from Key Splitting module. Key Splitting module generates two keys from a Main Key by using a randomized algorithm. Randomized algorithm does not guarantee that the generated keys are always different because the resulting keys depend on the generated random numbers. Hence, in order to increase the security of the Two Layered Protection Scheme, a Genetic based Key Splitting algorithm is proposed. The purpose of the proposed algorithm is to generate the best random two keys that have maximum difference so that the two keys cannot be derived from each other. Simulation results have shown that the proposed algorithm generates random keys with maximum difference.
TL;DR: This work devise a confidential subprotocol for Mode S-ES which is lightweight and interoperable while using industry standard cryptography, and allows users who require confidentiality to fully participate in ADS-B without impacting those who do not.
Abstract: Automatic dependent surveillance-broadcast (ADS-B) technology offers significant safety and efficiency benefits to the growing worldwide air transport industry. Its use is widespread and continues to grow as countries near or pass their equipage deadlines. As an interoperable extension of air traffic control radar beacon system (ATCRBS) and Mode S, Mode S - Extended Squitter (Mode S-ES) is a widely used ADS-B protocol which is void of security features generally found in modern information transmission systems. The historical and future requirements for interoperability among air surveillance systems also cause difficulty in implementing modern security technology. Many proposals exist for ADS-B security protocols which have sound technology but sacrifice interoperability. By decomposing security principles to focus only on the requirement for confidentiality, we devise a confidential subprotocol for Mode S-ES which is lightweight and interoperable while using industry standard cryptography. The use of format preserving encryption (FPE) with unidirectional asymmetric cryptography allows users who require confidentiality to fully participate in ADS-B without impacting those who do not.
30 Mar 2019
TL;DR: In this article, the authors present performance of statistical analysis of approaches for encrypting/decrypting data using FPE, FF1 with less computation and resource time, implementation of access control through selective encryption and providing secure access and sharing services for multi user's data using key distribution in the client side and access control lists.
Abstract: Storing an organization’s database at an external service provider has become extremely common. This popular practice is called as Database Outsourcing, in which, data encryption, crypto key, and access control are very important security issues, especially if the data owner wishes to publish his data for external use. In this paper, implementation & present performance of statistical analysis of approaches for encrypting/decrypting data using FPE, FF1 with less computation and resource time, implementation of access control through selective encryption and providing secure access and sharing services for multi user’s data using key distribution in the client side and access control lists is discussed. The primary goal of this paper is no requirement of re-distribution of keys or re-encryption of data for any administrative actions (updating access rights or adding/deleting users).