Show simple item record

dc.contributor.authorZhu, Bo
dc.date.accessioned2015-01-16 13:59:29 (GMT)
dc.date.available2015-01-16 13:59:29 (GMT)
dc.date.issued2015-01-16
dc.date.submitted2015
dc.identifier.urihttp://hdl.handle.net/10012/9078
dc.description.abstractAlong with the fast growth of networks and mobile devices, cloud computing has become one of the most attractive and effective technologies and business solutions nowadays. Increasing numbers of organizations and customers are migrating their businesses and data to the cloud due to the flexibility and cost-efficiency of cloud systems. Preventing unauthorized access of sensitive data in the cloud has been one of the biggest challenges when designing a secure cloud system, and it strongly relies on the chosen authentication and encryption algorithms for providing authenticity and confidentiality, respectively. This thesis investigates various aspects of authentication and encryption algorithms for securing cloud systems, including authenticated encryption modes of operation, block ciphers, password hashing algorithms, and password-less/two-factor authentication mechanisms. Improving Authenticated Encryption Modes. The Galois/Counter Mode (GCM) is an authenticated encryption mode of operation for block ciphers. It has been widely adopted by many network standards and protocols that protect the security of cloud communications, such as TLS v1.2, IEEE 802.1AE and IPsec. Iwata et al. recently found a flaw in GCM's original proofs for non-96-bit nonce cases, and then presented new security bounds for GCM. The new bounds imply that the success probabilities of adversaries for attacking GCM are much larger than the originally expected ones. We propose a simple change to repair GCM. When applied, it will improve the security bounds by a factor of about $2^{20}$ while maintaining most of the original proofs. Analyzing Polynomial-Based Message Authentication Codes. We investigate attacks on polynomial-based message authentication code (MAC) schemes including the one adopted in GCM. We demonstrate that constructing successful forgeries of these MAC schemes does not necessarily require hash collisions. This discovery removes certain restrictions in the attacks previously proposed by Procter and Cid. Moreover, utilizing a special design of GCM for processing non-96-bit nonces, we turn these forgery attacks into birthday attacks, which will significantly increase their success probabilities. Therefore, by considering the birthday attacks and the security proof flaw found by Iwata et al., cloud system designers should avoid using GCM with non-96-bit nonces if they do not revise the design of GCM. Analyzing Block Ciphers. We propose a new framework for analyzing symmetric-key ciphers by guessing intermediate states to divide ciphers into small components. This framework is suitable for lightweight ciphers with simple key schedules and block sizes smaller than key lengths. Using this framework, we design new attacks on the block cipher family KATAN. These attacks can recover the master keys of 175-round KATAN32, 130-round KATAN48 and 112-round KATAN64 faster than exhaustive search, and thus reach many more rounds than the existing attacks. We also provide new attacks on 115-round KATAN32 and 100-round KATAN48 in order to demonstrate that this new kind of attack can be more time-efficient and memory-efficient than the existing ones. Designing Password Hashing Algorithms. Securely storing passwords and deriving cryptographic keys from passwords are also crucial for most secure cloud system designs. However, choices of well-studied password hashing algorithms are extremely limited, as their security requirements and design principles are different from common cryptographic primitives. We propose two practical password hashing algorithms, Pleco and Plectron. They are built upon well-understood cryptographic algorithms, and combine the advantages of symmetric-key and asymmetric-key primitives. By employing the Rabin cryptosystem, we prove that the one-wayness of Pleco is at least as strong as the hard problem of integer factorization. In addition, both password hashing algorithms are designed to be sequential memory-hard, in order to thwart large-scale password searching using parallel hardware, such as GPUs, FPGAs, and ASICs. Designing Password-less/Two-Factor Authentication Mechanisms. Motivated by a number of recent industry initiatives, we propose Loxin, an innovative solution for password-less authentication for cloud systems and web applications. Loxin aims to improve on passwords with respect to both usability and security. It utilizes push message services for mobile devices to initiate authentication transactions based on asymmetric-key cryptography, and enables users to access multiple services by using pre-owned identities, such as email addresses. In particular, the Loxin server cannot generate users' authentication credentials, thereby eliminating the potential risk of credential leakage if the Loxin server gets compromised. Furthermore, Loxin is fully compatible with existing password-based authentication systems, and thus can serve as a two-factor authentication mechanism.en
dc.language.isoenen
dc.publisherUniversity of Waterlooen
dc.subjectauthenticationen
dc.subjectencryptionen
dc.subjectcloud computingen
dc.subjectGalois/Counter Modeen
dc.subjectGCMen
dc.subjectpassword hashingen
dc.subjecttwo-factoren
dc.subjectmeet-in-the-middleen
dc.subjectMITMen
dc.subjectKATANen
dc.titleAnalysis and Design of Authentication and Encryption Algorithms for Secure Cloud Systemsen
dc.typeDoctoral Thesisen
dc.pendingfalse
dc.subject.programElectrical and Computer Engineeringen
uws-etd.degree.departmentElectrical and Computer Engineeringen
uws-etd.degreeDoctor of Philosophyen
uws.typeOfResourceTexten
uws.peerReviewStatusUnrevieweden
uws.scholarLevelGraduateen


Files in this item

Thumbnail

This item appears in the following Collection(s)

Show simple item record


UWSpace

University of Waterloo Library
200 University Avenue West
Waterloo, Ontario, Canada N2L 3G1
519 888 4883

All items in UWSpace are protected by copyright, with all rights reserved.

DSpace software

Service outages