Security Properties Clause Examples
Security Properties. WKA is closely related to Non-Interactive Zero-Knowledge (NIZK) proof systems. The key difference is that the outcome of a NIZK is only a binary verification result, while the outcome of WKA is a key upon success. Hence the security properties of WKA are very similar to those of NIZK. Furthermore, we require WKA to be secure against MITM attacks. (See Appendix B of [34] for a trivial generic WKA construction that is insecure under a MITM attack.)
1. Security of witness key agreement scheme
WKA Construction Roadmap. We base our WKA construction on the efficient construction of zk-SNARKs from Non-Interactive Linear Proofs (NILP) [24] for Quadratic Arithmetic Programs (QAP) [19] given by ▇▇▇▇▇ [24], and we utilize Linear-Only Encryption (LE) [6] to compile such a NILP into a WKA scheme. Linear Interactive Proofs (LIP) [6] are an extension of interactive proofs [23] in which each prover message is an affine combination of the previous messages sent by the verifier. ▇▇▇▇▇ renamed input-oblivious two-message LIPs to NILP [24] to clarify the connection between LIP and NIZK. ▇▇▇▇ considers only adversaries using affine prover strategies, i.e. a strategy that can be described by a tuple $(\Pi, \pi_0)$, where $\Pi \in \mathbb{F}^{k \times y}$ represents a linear function and $\pi_0 \in \mathbb{F}^k$ represents an affine shift. Then, on input a query vector $\sigma \in \mathbb{F}^y$, the response vector $\pi \in \mathbb{F}^k$ is constructed by evaluating the affine relation $\pi = \Pi\sigma + \pi_0$.
Security Properties. Mutual Entity Authentication [8] between N and HN . Mutual “Implicit” Key Authentication [8] between N and HN . Key Randomness, meaning that any successful key agreement should output a uniformly distributed session key amongst the set of all possible session keys [9].
Security Properties. In GKA protocols, the fault tolerance property is crucial, since it is necessary to detect and eliminate malicious participants from the key agreement group. In other words, even if there are malicious participants in the group, they should not be able to affect the key computation of honest participants. Early protocol examples with this property are [24–26]. In ▇▇▇▇▇'▇ protocol [24], every participant keeps a verification matrix ▇▇▇. After the secret key distribution step, each participant checks the signatures of the other participants; according to the result, the verification list is marked and submitted to the other participants. Afterwards, in the fault detection step, participants re-validate the verification matrix and remove the faulty participants from the key agreement group. Finally, the GKA protocol is started from scratch with the remaining participants. Forward secrecy (also called perfect forward secrecy) is another substantial property; it protects against the computation of group keys by malicious actors even if private keys are compromised. Forward secrecy is provided by the protocols presented in [4, 27, 28]. Dynamic group key operations in group key agreement protocols must provide the forward and backward confidentiality properties defined in Section 2.1.1. Introduced by ▇▇▇▇▇ et al., the KAP-PBC protocol [11] provides these properties within its dynamic operations. In join and leave operations, the last participants in the group re-compute the GKA parameters. Therefore, joining participants cannot compute the former group keys, and leaving participants cannot generate the subsequent keys. Moreover, KAP-PBC provides a 'Partial Backward Confidentiality' property, which allows participants to compute the group keys generated just before they joined the group.
Security Properties. The following security properties of authentication protocols should be considered. Password authentication protocols are particularly vulnerable to replay, password guessing, and stolen-verifier attacks [9].
(1) Replay attack: A replay attack is an offensive action in which an adversary impersonates or deceives another legitimate participant through the reuse of information obtained in a protocol.
(2) Guessing attack: A guessing attack involves an adversary simply (randomly or systematically) trying passwords, one at a time, in the hope that the correct password is found. Ensuring that passwords are chosen from a sufficiently large space can resist exhaustive password searches. However, most users select passwords from a small subset of the full password space. Such weak passwords with low entropy are easily guessed by using a so-called dictionary attack.
(3) Stolen-verifier attack: In most applications, the server stores verifiers of users' passwords (e.g., hashed passwords) instead of the clear text of passwords. The stolen-verifier attack means that an adversary who steals a password verifier from the server can use it directly to impersonate a legitimate user in a user authentication execution. Note that the main purpose of an authentication scheme that resists the stolen-verifier attack is to reduce the immediate danger to user authentication; an adversary who has a password verifier may still mount a guessing attack against it. Password change protocols allow an authenticated user to change his/her password. Besides the attacks mentioned above, a password change protocol is particularly vulnerable to Denial-of-Service attacks [9].
(1) Denial-of-Service attack: A Denial-of-Service attack prevents or inhibits the normal use or management of communication facilities. This attack may be directed at a specific user. For example, an adversary may perform this attack to cause the server to reject the login of a specific user. In addition, the following security properties of session key agreement protocols should be considered, since they are often desirable in some environments [10].
(1) Implicit key authentication: Implicit key authentication is the property obtained when identifying a party based on a shared session key, which assures that no entity other than the specifically identified entity can gain access to the session key.
(2) Explicit key authentication: Explicit key authentication is the property obtained when both implicit key authentication and key con...
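The three password attacks above (replay, guessing, stolen verifier) can be made concrete with a small simulation. The following is an added example, not code from [9], [10] or the clause's source. It contrasts a naive verifier (the server stores H(password) and the client proves possession of that same value, so a stolen verifier impersonates the user directly) with an asymmetric verifier v = g^x, where the client must know the exponent x to answer a Schnorr-style challenge; the stolen verifier then no longer authenticates on its own, but an offline dictionary attack against it remains possible, which is exactly the residual risk the text describes. The group (arithmetic modulo the Mersenne prime 2^127-1 with generator 3), the KDF parameters and the sample passwords are constructed for the demonstration and are not a production parameter set.

```python
import hashlib
import hmac
import secrets

# Demonstration group (assumption): integers mod the Mersenne prime 2^127-1.
# Exponents are reduced mod P-1, which is valid because P is prime.
P = (1 << 127) - 1
G = 3


# --- Naive scheme: verifier = H(password), proof = HMAC(verifier, nonce) -------
def naive_verifier(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


def naive_proof(verifier: bytes, nonce: bytes) -> bytes:
    return hmac.new(verifier, nonce, hashlib.sha256).digest()


def naive_server_check(stored_verifier: bytes, nonce: bytes, proof: bytes) -> bool:
    # Whoever holds the verifier can compute the proof, so a verifier stolen
    # from the server impersonates the user directly (stolen-verifier attack).
    return hmac.compare_digest(naive_proof(stored_verifier, nonce), proof)


# --- Asymmetric verifier: v = g^x; only a party knowing x can authenticate -----
def derive_secret(password: str, salt: bytes) -> int:
    # Salted, iterated KDF: raises the cost of every guess and defeats
    # precomputed tables, but cannot prevent guessing altogether.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    return int.from_bytes(digest, "big") % (P - 1)


def make_verifier(password: str, salt: bytes) -> int:
    return pow(G, derive_secret(password, salt), P)


def client_commit():
    r = secrets.randbelow(P - 1)
    return r, pow(G, r, P)


def server_challenge() -> int:
    # Fresh per run: a transcript captured earlier is bound to an old challenge
    # and cannot simply be replayed (replay attack).
    return secrets.randbits(128)


def client_respond(x: int, r: int, challenge: int) -> int:
    return (r + challenge * x) % (P - 1)


def server_verify(v: int, t: int, challenge: int, s: int) -> bool:
    # g^s == t * v^c holds exactly when s was formed with the x behind v.
    return pow(G, s, P) == (t * pow(v, challenge, P)) % P


def run_login(x: int, v: int, challenge: int = None):
    """One complete exchange; returns (accepted, transcript)."""
    r, t = client_commit()
    c = server_challenge() if challenge is None else challenge
    s = client_respond(x, r, c)
    return server_verify(v, t, c, s), (t, c, s)


def dictionary_attack(v: int, salt: bytes, wordlist):
    """Offline guessing against a stolen verifier: still feasible, only slower."""
    for guess in wordlist:
        if make_verifier(guess, salt) == v:
            return guess
    return None


if __name__ == "__main__":
    salt = b"constructed-salt"              # constructed sample data
    v = make_verifier("correct horse", salt)
    x = derive_secret("correct horse", salt)
    print("legitimate login:", run_login(x, v)[0])
    print("login with stolen verifier only:", run_login(derive_secret("guess", salt), v)[0])
    print("dictionary attack on stolen verifier:",
          dictionary_attack(v, salt, ["123456", "password", "correct horse"]))
```

The naive scheme fails the stolen-verifier test because the verifier *is* the authenticator; the asymmetric scheme passes it, and its remaining weakness is the offline guessing attack, whose cost is governed only by the KDF and the password's entropy.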
Security Properties. We discuss the security properties provided by Du et al. [7], Liu et al. [13], ▇▇▇▇▇ et al. [4], and TLPKA. These security properties include mutual authentication, explicit key authentication, resistance to the replay attack, resistance to the man-in-the-middle attack, and resistance to the insider attack. The results of the comparison are shown in Table 1. From Table 1, we can see that TLPKA achieves all of these security properties, while Du et al.'s scheme and Liu et al.'s scheme cannot realize explicit key authentication. Furthermore, ▇▇▇▇▇ et al.'s scheme lacks most of these security properties.
Security Properties. The key derived from the group key agreement protocol needs to meet the following security features:
2.6.4.1 Group key secrecy: It simply means that the derived secret should not be derivable by a non-participant.
2.6.4.2 Forward key secrecy: ▇▇▇▇▇▇ knowing one of the current group keys, one should not be able to compute previous group keys.
Security Properties. We can classify security threats into two main categories according to the origin of the attack: attacks originating from the external environment and attacks originating from the internal environment. For instance, consider a group of soldiers operating in a hostile environment, trying to keep their presence and mission totally unknown to the enemy, and the case where a soldier who is a member of the constructed network is captured by the enemy, who is now in a position to attack from within. Another, less extreme, example is an ad hoc network formed in a classroom during an exam between the PDAs of the students and the teacher's workstation. In this scenario we must secure the network not only from an external intruder, but also from a student who wishes to leave the classroom in order to retrieve the solutions and then return. In all these cases the misbehaving node must be expelled from the network in order to maintain network stability and proper functionality. Before moving into any further detail, we need to outline the core characteristics of a network similar to the ones previously described.
Security Properties. Though Section 5 describes schemes that are robust against arbitrary active adversaries, we argue that such an adversarial model is too restrictive for the automotive scenarios. The operation of our protocol and the architecture of the CAN bus restrict the actions of the adversary in our system. We argue that an active adversary cannot successfully perform any operation, except eavesdropping, without detection. Consider the following:
1. Modification of a packet - The properties of the CAN bus allow only one type of modification to the messages transmitted by the nodes. An adversary can flip a recessive bit '1' to a dominant bit '0' by transmitting a voltage, but not vice versa. It can be verified that this simply results in mismatched keys at the two parties, which is easily detected by any key verification method.
2. Inserting messages for active nodes - An active node, executing a pairwise session of the protocol, only accepts outputs on the bus that result from the superposition of its own signals with those of its partner. Thus consider an adversary that attempts to compromise a session between node N1 and node N2 by inserting a 'specific' message for node N2. This requires the adversary to transmit concurrently with a transmission from node N2. Assume that the message transmitted by the adversary is $m_{adv}$ and that transmitted by node N2 is $m_{N_2}$. The message recorded by node N2 is then the logical AND of these messages, i.e. $m_{adv} \wedge m_{N_2}$. However, as the adversary has no control over $m_{N_2}$, it cannot insert a 'specific' packet. It can only choose bits and force them to 0, which is detected by key verification.
3. Inserting messages for passive nodes - In the group protocols, nodes that have engaged in one pairwise session may update their local parameters based on the output of future sessions. An adversary may falsely emulate such sessions. However, it can be demonstrated that the probability of 'successfully' inserting an $n$-bit packet, i.e. a packet that is accepted as a valid input by the passive node, is less than $(3/4)^n$.
Theorem 3. Let the adversary activate the protocol of a passive node by inserting an arbitrary pair of strings $b_1, b_2$, where $|b_1| = |b_2| = n$, marked with the session identifier of the currently active nodes. The passive nodes detect the adversary with probability greater than $1 - (3/4)^n$.
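Points 1 and 2 above rest on one physical fact: the CAN bus is a wired AND, so an attacker who transmits concurrently can force a recessive '1' to a dominant '0' but can never force a '0' to '1'. The following simulation is an added example, not the paper's protocol or code. The bit-agreement round it models (each node sends its bit and then the complement; a bus output of (0,0) in the two slots tells both nodes their bits differed, those positions become key bits, and an eavesdropper learns only that they differed) is a simplified assumption in the style of such physical-layer schemes, and the HMAC-based key confirmation stands in for "any key verification method". It shows that forcing bits dominant at positions where the two honest bits were equal yields different keys at the two ends, which the confirmation step catches. The bit strings in the test are constructed.

```python
import hashlib
import hmac
import secrets

RECESSIVE, DOMINANT = 1, 0


def wired_and(*signals):
    """CAN physical layer: in every bit slot the bus carries the logical AND
    of all concurrent transmitters, so a single dominant '0' overrides any
    number of recessive '1's. A transmitter can force 0, never 1."""
    return [DOMINANT if DOMINANT in slot else RECESSIVE for slot in zip(*signals)]


def pairwise_session(a_bits, b_bits, forced=None):
    """Simplified bit-agreement round (assumption, not the paper's exact scheme).
    Slot 1: both nodes transmit their bits; slot 2: the complements.
    Bus output (0,0) at a position means the two bits differed; only those
    positions are kept. The key bit is A's bit, which B knows as the
    complement of its own bit. `forced` is an adversary string with 0 at the
    positions it drives dominant in both slots (1 elsewhere = silent)."""
    comp = lambda bits: [1 - b for b in bits]
    slot1 = [a_bits, b_bits]
    slot2 = [comp(a_bits), comp(b_bits)]
    if forced is not None:
        slot1.append(forced)
        slot2.append(forced)
    out1, out2 = wired_and(*slot1), wired_and(*slot2)
    keep = [i for i, o in enumerate(zip(out1, out2)) if o == (DOMINANT, DOMINANT)]
    key_a = [a_bits[i] for i in keep]
    key_b = [1 - b_bits[i] for i in keep]
    return key_a, key_b, (out1, out2)


def eavesdropper_view(outputs):
    """What a passive listener learns: the positions that were used, not the
    bit values (at each kept position it only knows A != B)."""
    out1, out2 = outputs
    return [i for i, o in enumerate(zip(out1, out2)) if o == (DOMINANT, DOMINANT)]


def key_tag(key_bits):
    """Key confirmation (assumption: any sound key verification step works):
    MAC a fixed string under the candidate key and compare tags."""
    return hmac.new(bytes(key_bits), b"key-confirm", hashlib.sha256).digest()


def keys_agree(key_a, key_b):
    return hmac.compare_digest(key_tag(key_a), key_tag(key_b))


def random_bits(n):
    return [secrets.randbits(1) for _ in range(n)]


if __name__ == "__main__":
    a, b = random_bits(64), random_bits(64)
    ka, kb, outs = pairwise_session(a, b)
    print("honest session, keys agree:", keys_agree(ka, kb),
          "| key bits:", len(ka), "| eavesdropper sees positions only:", eavesdropper_view(outs)[:8])
    ka, kb, _ = pairwise_session(a, b, forced=[DOMINANT] * 64)
    print("adversary forces every slot dominant, keys agree:", keys_agree(ka, kb))
```

Forcing a position where the honest bits already differed changes nothing, and the adversary cannot tell which positions those are; forcing a position where they were equal inserts a key bit that A and B read oppositely, so the confirmation tags differ and the session is rejected rather than silently compromised.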
Security Properties. LiKe achieves the security properties listed below. Protection Against Leakage of Secret DA Information. The self-generated portion of each device's public key is bound to the identity of the generating party via the string ωi. This feature is particularly useful when the information available on the DA is leaked to an adversary. Indeed, even if the adversary knew the partial private key of one of the two devices, it could not impersonate either of them, since it does not know the remaining part of the private key [36]. To provide further insight, let us assume a scenario where the secret information of the IoT devices (i.e., their private keys) is created and stored on the DA and is leaked to the adversary (see, for instance, the case discussed in [32]). At the same time, let us assume that the adversary only has access to this information (e.g., by temporarily reading or stealing the file), while it can neither obtain the private key of the DA nor take full control of it. In this challenging scenario, legacy certificate-based schemes (e.g., using X.509-ECDSA or ECQV certificates) can no longer guarantee the security of the communications between IoT devices. Indeed, since the security of the session keys generated between the devices with these schemes rests entirely on the secrecy of the private keys, the adversary, by observing the message exchange, can both reconstruct the session keys and impersonate either of the two devices in the network. Instead, when LiKe is adopted, the full private key of the device is composed of a part that is not known to the DA, so the adversary still lacks the information necessary to reconstruct session keys already established or to predict future session keys that will be negotiated by the devices in the network.
Thus, any tampering attempt by a malicious device would lead the two communicating parties to compute different preliminary session keys, causing unrecoverable errors when the authentication tags are exchanged and verified. These security features have also been formally verified with ProVerif (see Sec. V-B).
Security Properties. Security properties for systems and system assets are less well defined than those for information assets. In fact, it is common to define security controls and mechanisms instead of the particular properties that need to be preserved. In this section, we have collected a set of system security properties that are relevant in the context of Smart Grids. The properties availability and integrity have a slightly different meaning when they are considered in the context of a system or system asset. A good definition for availability in the context of a system is given in the IEEE Standard Glossary of Software Engineering Terminology, IEEE Std 610.12-1990 [12]: Note that the definition refers to a degree. This is relevant, as the impact of the duration of unavailability can vary significantly. As security goals are defined at an early stage of the design phase, it may be difficult to quantify the desired degree of system availability precisely. In this document, we will therefore only specify security goals on the availability of a system or system asset if its disturbance has a direct, severe impact on a certain interest of a stakeholder. System availability is directly related to the properties robustness and resilience, which have been defined in SEGRID deliverable D4.1 [14]: As the latter two are more specific regarding the particular behaviour of the system or system asset during a cyber-attack (or disturbance), it is relevant to consider these properties in the context of the SEGRID project. As we define security goals based on the need to protect a certain interest of a stakeholder, it might however be difficult to decide whether a system (asset) needs to be robust or resilient. Regarding integrity in the context of a system, IEEE Std 610.12-1990 [12] also gives a definition. This definition, however, is slightly outdated, as it focuses only on the prevention of unauthorized access.
By integrity of a system, we currently mean that the system performs its intended function correctly. We will therefore use the definition from [15] and [16]: This definition seems similar to what is typically meant by reliability. The definition of information security in the previous section also mentioned reliability as an additional property of information security. In ISO/IEC 27000:2014, reliability is defined as: property of consistent intended behaviour and results. In IETF RFC 4949 a more specific definition is given [17]: We will typically refe...