
[taler-anastasis] branch master updated (1e979a1 -> 7727711)


From: gnunet
Subject: [taler-anastasis] branch master updated (1e979a1 -> 7727711)
Date: Sun, 31 May 2020 16:10:15 +0200

This is an automated email from the git hooks/post-receive script.

dennis-neufeld pushed a change to branch master
in repository anastasis.

    from 1e979a1  tables/figures business model, appendix
     new 4c4824f  worked on related work - hash functions
     new 0ea337b  worked on related work - thesis
     new 7727711  related work

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 doc/thesis/bibliothek.bib   | 76 +++++++++++++++++++++++++++++++++++++++++++++
 doc/thesis/related_work.tex | 76 +++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 146 insertions(+), 6 deletions(-)

diff --git a/doc/thesis/bibliothek.bib b/doc/thesis/bibliothek.bib
index 18bad7c..f4a3200 100644
--- a/doc/thesis/bibliothek.bib
+++ b/doc/thesis/bibliothek.bib
@@ -124,3 +124,79 @@
   year=2018,
   publisher={Multidisciplinary Digital Publishing Institute}
 }
+@book{midata,
+  title={Applied Approach to Privacy and Security for the Internet of Things},
+  author={Parag Chatterjee, Emmanuel Benoist and Asoke Nath},
+  year={in print},
+  publisher={IGI Global}
+}
+@Inbook{Preneel1999,
+  author={Preneel, Bart},
+  editor={Damg{\aa}rd, Ivan Bjerre},
+  title={The State of Cryptographic Hash Functions},
+  bookTitle={Lectures on Data Security: Modern Cryptology in Theory and 
Practice},
+  year=1999,
+  publisher={Springer Berlin Heidelberg},
+  address={Berlin, Heidelberg},
+  pages={158},
+  abstract={This paper describes the state of the art for cryptographic hash 
functions. Different definitions are compared, and the few theoretical results 
on hash functions are discussed. A brief overview is presented of the most 
important constructions, and some open problems are presented.},
+  isbn={978-3-540-48969-6},
+  doi={10.1007/3-540-48969-X_8},
+  url={https://doi.org/10.1007/3-540-48969-X_8}
+}
+@article{SG2012,
+  title={Cryptographic hash functions: a review},
+  author={Sobti, Rajeev and Geetha, G},
+  journal={International Journal of Computer Science Issues (IJCSI)},
+  volume={9},
+  number={2},
+  pages={462},
+  year=2012,
+  publisher={International Journal of Computer Science Issues (IJCSI)}
+}
+@article{BCK1996,
+  title={Message authentication using hash functions: The HMAC construction},
+  author={Bellare, Mihir and Canetti, Ran and Krawczyk, Hugo},
+  journal={RSA Laboratories’ CryptoBytes},
+  volume={2},
+  number={1},
+  pages={12--15},
+  year=1996
+}
+@inproceedings{krawczyk2010,
+  title={Cryptographic extraction and key derivation: The HKDF scheme},
+  author={Krawczyk, Hugo},
+  booktitle={Annual Cryptology Conference},
+  pages={631--648},
+  year={2010},
+  organization={Springer}
+}
+@inproceedings{BDK2016,
+  title={Argon2: new generation of memory-hard functions for password hashing 
and other applications},
+  author={Biryukov, Alex and Dinu, Daniel and Khovratovich, Dmitry},
+  booktitle={2016 IEEE European Symposium on Security and Privacy (EuroS\&P)},
+  pages={292--302},
+  year={2016},
+  organization={IEEE}
+}
+@book{trimberger2012,
+  title={Field-programmable gate array technology},
+  author={Trimberger, Stephen M},
+  year={2012},
+  publisher={Springer Science \& Business Media}
+}
+@misc{madurawe2006,
+  title={Alterable application specific integrated circuit (ASIC)},
+  author={Madurawe, Raminda Udaya},
+  year={2006},
+  month=jun # "~20",
+  publisher={Google Patents},
+  note={US Patent 7,064,579}
+}
+@article{stamp2003,
+  title={Once upon a time-memory tradeoff},
+  author={Stamp, Mark},
+  journal={San Jose State University, Department of Computer Science},
+  year={2003}
+}
+
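Review bot: the `author` field of the new `midata` entry separates the first two authors with a comma instead of `and`, so BibTeX will parse `Parag Chatterjee, Emmanuel Benoist` as one author with last name "Parag Chatterjee"; it should read `author={Parag Chatterjee and Emmanuel Benoist and Asoke Nath}`. In the same entry `year={in print}` is non-numeric and will sort badly and trigger warnings with most styles; move "in print" to a `note` field. The `BCK1996` entry uses a typographic apostrophe in `RSA Laboratories’ CryptoBytes`, which classic BibTeX without UTF-8 input handling may reject; a plain ASCII `'` is safer. Finally, `stamp2003` cites a university department as the `journal`; `@techreport` with `institution={San Jose State University, Department of Computer Science}` describes the source more accurately.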
diff --git a/doc/thesis/related_work.tex b/doc/thesis/related_work.tex
index 6406aee..ab9ece5 100644
--- a/doc/thesis/related_work.tex
+++ b/doc/thesis/related_work.tex
@@ -1,16 +1,80 @@
 \section{Related work}
+\subsection{Prerequisites}
+This chapter explains some important cryptographic functions and why they are 
useful for Anastasis.
+
+\subsubsection{Hash function}
+Hash functions "compress a string of arbitrary length to a string of fixed 
length [...]" \cite{Preneel1999}. The output of a hash function often is called 
a "hash".  Hash functions in general should be very fast to compute. 
Cryptographic hash functions need to fulfil additional security requirements 
which are called:
+\begin{itemize}
+       \item pre-image resistance
+       \item second pre-image resistance
+       \item collision resistance
+\end{itemize}
+Pre-image resistance, also called "one way property", means that for a given 
hash function H and a hash value H(x), it is computationally infeasible to find 
x \cite{SG2012}.
+The second pre-image resistance is described by following: For a given hash 
function H and a hash value H(x), it is computationally infeasible to find x 
and x' such that H(x) = H(x') \cite{SG2012}.
+The definition of collision resistance slightly differs from the second 
pre-image resistance: For a given hash function H, it is computationally 
infeasible to find a pair (x,y) such that H(x) = H(y) \cite{SG2012}.\\
+
+There are several applications for cryptographic hash functions. For example 
you can store the hash value of a pass-phrase instead of the pass-phrase itself 
in a computer to protect the pass-phrase. Another important application is 
verification of message integrity: Before and after transmission of a message 
you can calculate the hash values of it and compare them to determine if the 
message changed during transmission.
+
+In Anastasis we use SHA-512 for hashing data.
+
+\subsubsection{HMAC}
+When it comes to integrity of messages during communication of two parties 
over an insecure channel Keyed-Hash Message Authentication Codes (HMAC) are 
used as check values. An HMAC function is based on a hash function and takes 
two arguments, a key K and a message M:
+HMAC\textsubscript{K}(M) = H(K $\oplus$ opad,H(K $\oplus$ ipad, M)) with 
"ipad" and "opad" being constants which fill up the key K to the blocksize of 
the hash function \cite{BCK1996}. The blocksize of a modern hash function like 
SHA-512 is 64 Byte.\\
+In Anastasis we use HMACs to achieve verifiability.
+
+\subsubsection{HKDF}
+A HKDF is a key derivation function (KDF) based on a HMAC. A KDF "is a basic 
and essential component of crypto-
+graphic systems: Its goal is to take a source of initial keying material, 
usually containing some good amount of randomness, but not distributed 
uniformly or for which an attacker has some partial knowledge, and derive from 
it one or more cryptographically strong secret keys" \cite{krawczyk2010}.\\
+Anastasis uses HKDFs to derive symmetric keys for encryption purposes.
+
+\subsubsection{Argon2}
+Hash functions like SHA-512 are very fast to compute. Therefor passwords 
stored in a hashed form are vulnerable to dictionary attacks with new hardware 
architectures like FPGAs \cite{trimberger2012} and dedicated ASIC 
\cite{madurawe2006} modules. But those architectures "experience difficulties 
when operating on large amount of memory" \cite{BDK2016}.\\
+Argon2 is a memory-hard function that won the Password Hashing Competition in 
2015. It minimizes time-memory tradeoff \cite{stamp2003} and thus maximizes the 
costs to implement an ASIC for given CPU computing time \cite{BDK2016}. Aside 
from the fact that Argon2 makes dictionary attacks much harder, we use Argon2 
for another feature too: Memory-hard schemes like Argon2 are very useful for 
key derivation from low-entropy sources \cite{BDK2016}.\\
+Argon2 is used in Anastasis to derive an identifier for the user from some 
low-entropy material.
+
 
 \subsection{Secret sharing}
-Secret splitting, also known as secret sharing, is a well-known technique for 
distributing a secret amongst multiple recipients. This is achieved by 
assigning a share of the secret to each recipient. By combining a sufficient 
number of those shares, it is possible to reconstruct the secret.
-Regarding secret sharing there are several interesting approaches. For 
example, the algorithm "Shamir's Secret Sharing" „divide[s] data D into n 
pieces in such a way that D is easily reconstruct able from any k pieces, but 
even complete knowledge of k - 1 pieces reveals absolutely no information about 
D“ \cite{shamir_sharing}.
+Secret splitting, also known as secret sharing, is a technique for 
distributing a secret amongst multiple recipients. This is achieved by 
assigning a share of the secret to each recipient. By combining a sufficient 
number of those shares, it is possible to reconstruct the secret.
+In a secret sharing theme the recipients of a share often are called 
\textit{players}. The figure who gives a share of the secret to the players is 
called \textit{dealer}.
+
+\subsubsection{Shamir's Secret Sharing}
+The algorithm "Shamir's Secret Sharing" is one of the most well known secret 
sharing scheme. It „divide[s] data D into n pieces in such a way that D is 
easily reconstructible from any k pieces, but even complete knowledge of k - 1 
pieces reveals absolutely no information about D“ \cite{shamir_sharing}.\\
 Shamir’s simple secret sharing scheme has two key limitations. First, it 
requires a trusted dealer who initially generates the secret to be distributed, 
and second the shares are not verifiable during reconstruction. Therefore, 
malicious shareholders could submit corrupt shares to prevent the system from 
reconstructing the secret -- without these corrupt shareholders being 
detectable as malicious. Furthermore, the dealer distributing the shares could 
be corrupt and distribute some incons [...]
+
+\subsubsection{Verifiable Secret Sharing}
 Verifiability can be achieved by using so called commitment schemes like the 
Pederson commitment. It allows „to distribute a secret to n persons such that 
each person can verify that he has received correct information about the 
secret without talking with other persons“ \cite{pedersen_sharing_0}. In his 
paper „A Practical Scheme for Non-interactive Verifiable Secret Sharing“, Paul 
Feldman  combines the two algorithms above. His algorithm for verifiable secret 
sharing, short VSS, allows  [...]
-Distributed key generation algorithms, short DKG, solve the problem of needing 
a trustworthy dealer by relying on a threshold of honest persons. Contrary to 
the above-mentioned schemes, in distributed key generation algorithms every 
participant is involved in key generation.
-The Pederson DKG is such „a secret sharing scheme without a mutually trusted 
authority“ \cite{pedersen_sharing_5.2}. Basically, this DKG works as follows: 
First, each involved party generates a pre-secret and distributes it to all 
parties using the verifiable secret sharing scheme of Feldman. Afterwards, each 
party recombines the received shares, including its own pre-secret, to a share 
of the main secret. The main secret can be reconstructed by summing up each 
recombination of the share [...]
+
+\subsubsection{Distributed Key Generation}
+Distributed key generation algorithms, short DKG, solve the problem of needing 
a trustworthy dealer by relying on a threshold of honest persons. Contrary to 
the above-mentioned schemes, in distributed key generation algorithms every 
participant is involved in key generation.\\
+The Pederson DKG is such „a secret sharing scheme without a mutually trusted 
authority“ \cite{pedersen_sharing_5.2}. Basically, this DKG works as follows: 
First, each involved party generates a pre-secret and distributes it to all 
parties using the verifiable secret sharing scheme of Feldman. Afterwards, each 
party recombines the received shares, including its own pre-secret, to a share 
of the main secret. The main secret can be reconstructed by summing up each 
recombination of the share [...]
+
+\subsubsection{MIDATA}
+MIDATA is a project that aims to give patients back control over their medical 
data and to enable them to share their data only with those they trust. In case 
the patient lost his device running the MIDATA application and his 
MIDATA-password, MIDATA build in a key recovery system using the Shamir Secret 
Sharing Scheme mentioned above. In their case a few "persons working at MIDATA 
have generated a public-private key pair (Recovery key) on their own computer. 
They keep the private recover [...]
+In our opinion the security of MIDATA is broken in two ways:
+\begin{enumerate}
+       \item The password is constructed at the server, not at the patients 
device. An administrator of the server can read the recovered password.
+       \item It is not clear which channel the persons working for MIDATA use 
for their decisions and activities regarding the key recovery. The channel 
could be vulnerable. For example, an attacker could illegitimately trigger a 
recovery process via e-mail if it is the chosen channel.
+\end{enumerate}
+
+
+\subsubsection{Key sharing in Anastasis}
 For Anastasis we do not need a DKG because the dealer is the user himself and 
therefore, he is fully trustworthy. But we need verifiability. In our case we 
achieve verifiability by using HMACs. Furthermore, for our purposes the 
above-mentioned algorithms are inadequate because we are dealing with a 
manageable number of sharing parties and we need a more flexible solution. 
 
+
 \subsection{Authentication}
-Anastasis is using standard authentication procedures to authorize its users. 
There are several authentication methods available, a short overview of the 
methods is presented here. Password authentication is the most widely used 
authentication procedure. But as studies show the procedure has its problems 
\cite{authentication_methods_review}. The handling of the passwords is done 
poorly, like storage or transmission. Additionally, the user must remember his 
password, therefore the passwor [...]
-To build a secure authentication procedure, today multifactor authentication 
is the standard \cite{multifactor_authentication}. Multifactor authentication 
combines multiple authentication procedures, to enhance the security of the 
system. For Anastasis we are building a multifactor authentication system, 
which combines a wide range of authentication methods to provide authenticity.
+Anastasis is using standard authentication procedures to authorize its users. 
There are several authentication methods available, a short overview of the 
methods is presented here. 
+
+\subsubsection{Password authentication}
+Password authentication is the most widely used authentication procedure. But 
as studies show the procedure has its problems 
\cite{authentication_methods_review}. The handling of the passwords is done 
poorly, like storage or transmission. Additionally, the user must remember his 
password, therefore the password is limited to the capabilities of the user. 
+
+\subsubsection{SMS authentication}
+Another way to authenticate is SMS authentication. The most popular use case 
is the mobile TAN used to authorize online banking transactions. But SMS is no 
longer considered secure. The SMS authentication relies on the security of the 
mobile network, which has different possible attacks \cite{rieck_detection}. 
There are also specialized mobile Trojans which are used to eavesdrop these 
messages.\\
+Instead of using SMS one can also use other forms of messages such as email or 
physical mail. They all face the threat of interception. 
+
+\subsubsection{Biometric authentication}
+Another way of authenticating is the biometric approach \cite{biometric_auth}. 
Biometric authentication is based on "something you are", like your iris or 
your fingerprint. There are also threats against biometric authentication. 
There are documented attacks against fingerprint and iris scan authentication. 
For example, a member of the German CCC e.V. was able to generate replicas from 
Angela Merkel's iris and Ursula von der Leyen's fingerprint \cite{ccc_merkel}. 
+
+\subsubsection{Multi-factor authentication}
+To build a secure authentication procedure, today multi-factor authentication 
is the standard \cite{multifactor_authentication}. Multi-factor authentication 
combines multiple authentication procedures, to enhance the security of the 
system. For Anastasis we are building a multi-factor authentication system, 
which combines a wide range of authentication methods to provide authenticity.
 
 
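Review bot: the HMAC paragraph states that the block size of SHA-512 is 64 bytes; SHA-512 processes 1024-bit blocks, so its block size is 128 bytes (64 bytes is the block size of SHA-256). The formula on the line `HMAC\textsubscript{K}(M) = H(K $\oplus$ opad,H(K $\oplus$ ipad, M))` also uses commas where HMAC concatenates; it should read `H((K \oplus opad) \| H((K \oplus ipad) \| M))`, and ipad and opad do not "fill up" the key: the key is first padded with zeros to the block size and then XORed with the constants. In the hash-function subsection, second pre-image resistance should be stated as "given x, it is infeasible to find x' with x' ≠ x and H(x) = H(x')", and collision resistance needs the condition x ≠ y; as written both definitions are trivially satisfiable with x' = x. Typos in the added text: `Therefor` -> `Therefore`, `A HKDF` -> `An HKDF`, `secret sharing theme` -> `secret sharing scheme`, `one of the most well known secret sharing scheme` -> `schemes`, and the author's name is `Pedersen`, not `Pederson`, in the prose of the VSS and DKG subsections.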
