Dissertations / Theses on the topic 'Cryptographic information security tool'

1

Gutmann, Peter. "The Design and Verification of a Cryptographic Security Architecture." Thesis, University of Auckland, 2000. http://hdl.handle.net/2292/2310.

Abstract:
A cryptographic security architecture constitutes the collection of hardware and software which protects and controls the use of encryption keys and similar cryptovariables. This thesis presents a design for a portable, flexible high-security architecture based on a traditional computer security model. Behind the API it consists of a kernel implementing a reference monitor which controls access to security-relevant objects and attributes based on a configurable security policy. Layered over the kernel are various objects which abstract core functionality such as encryption and digital signature capabilities, certificate management and secure sessions and data enveloping (email encryption). The kernel itself uses a novel design which bases its security policy on a collection of filter rules enforcing a cryptographic module-specific security policy. Since the enforcement mechanism (the kernel) is completely independent of the policy database (the filter rules), it is possible to change the behaviour of the architecture by updating the policy database without having to make any changes to the kernel itself. This clear separation of policy and mechanism contrasts with current cryptographic security architecture approaches which, if they enforce controls at all, hardcode them into the implementation, making it difficult to either change the controls to meet application-specific requirements or to assess and verify them. To provide assurance of the correctness of the implementation, this thesis presents a design and implementation process which has been selected to allow the implementation to be verified in a manner which can reassure an outsider that it does indeed function as required.
In addition to producing verification evidence which is understandable to the average user, the verification process for an implementation needs to be fully automated and capable of being taken down to the level of running code, an approach which is currently impossible with traditional methods. The approach presented here makes it possible to perform verification at this level, something which had previously been classed as "beyond A1" (that is, not achievable using any known technology). The versatility of the architecture presented here has been proven through its use in implementations ranging from 16-bit microcontrollers through to supercomputers, as well as a number of unusual areas such as security modules in ATMs and cryptographic coprocessors for general-purpose computers.
Note: Updated version of the thesis now published as Gutmann, P (2004). Cryptographic security architecture: design and verification. New York: Springer. ISBN 9780387953876.
2

Erkan, Ahmet. "An Automated Tool For Information Security Management System." Master's thesis, METU, 2006. http://etd.lib.metu.edu.tr/upload/12607783/index.pdf.

Abstract:
This thesis focuses on automation of processes of Information Security Management System. In accordance with two International Standards, ISO/IEC 27001:2005 and ISO/IEC 17799:2005, to automate the activities required for a documented ISMS as much as possible helps organizations. Some of the well known tools in this scope are analyzed and a comparative study on them including “InfoSec Toolkit”, which is developed for this purpose in the thesis scope, is given. “InfoSec Toolkit” is based on ISO/IEC 27001:2005 and ISO 17799:2005. Five basic integrated modules constituting the “InfoSec Toolkit” are “Gap Analysis Module”, “Risk Module”, “Policy Management Module”, “Monitoring Module” and “Query and Reporting Module”. In addition a research framework is proposed in order to assess the public and private organizations’ information security situation in Turkey.
3

Dyer, Kevin Patrick. "Novel Cryptographic Primitives and Protocols for Censorship Resistance." PDXScholar, 2015. https://pdxscholar.library.pdx.edu/open_access_etds/2489.

Abstract:
Internet users rely on the availability of websites and digital services to engage in political discussions, report on newsworthy events in real-time, watch videos, etc. However, sometimes those who control networks, such as governments, censor certain websites, block specific applications or throttle encrypted traffic. Understandably, when users are faced with egregious censorship, where certain websites or applications are banned, they seek reliable and efficient means to circumvent such blocks. This tension is evident in countries such as Iran and China, where the Internet censorship infrastructure is pervasive and continues to increase in scope and effectiveness. An arms race is unfolding with two competing threads of research: (1) network operators' ability to classify traffic and subsequently enforce policies and (2) network users' ability to control how network operators classify their traffic. Our goal is to understand and progress the state-of-the-art for both sides. First, we present novel traffic analysis attacks against encrypted communications. We show that state-of-the-art cryptographic protocols leak private information about users' communications, such as the websites they visit, applications they use, or languages used for communications. Then, we investigate means to mitigate these privacy-compromising attacks. Towards this, we present a toolkit of cryptographic primitives and protocols that simultaneously (1) achieve traditional notions of cryptographic security, and (2) enable users to conceal information about their communications, such as the protocols used or websites visited. We demonstrate the utility of these primitives and protocols in a variety of real-world settings. As a primary use case, we show that these new primitives and protocols protect network communications and bypass policies of state-of-the-art hardware-based and software-based network monitoring devices.
4

Partala, J. (Juha). "Algebraic methods for cryptographic key exchange." Doctoral thesis, Oulun yliopisto, 2015. http://urn.fi/urn:isbn:9789526207445.

Abstract:
Cryptographic key exchange is an integral part of modern cryptography. Such schemes allow two parties to derive a common secret key over a public channel without a priori shared information. One of the most successful key agreement schemes is the one suggested by Diffie and Hellman in their seminal work on public key cryptography. In this thesis, we give an algebraic generalization of the Diffie-Hellman scheme called AGDH utilizing its implicit algebraic properties. The generalization is based on the problem of computing homomorphic images from an algebra to another. Appropriately, we call this problem the homomorphic image problem (HIP). We also devise an authenticated key exchange protocol that is secure in the Canetti-Krawczyk model assuming the infeasibility of the decision HIP (DHIP). For the secure instantiation of the scheme, we consider symmetric encryption schemes that are homomorphic over an algebraic operation. We derive a condition for the encryption scheme to be homomorphic key agreement capable. We show that whenever this condition is satisfied, the induced DHIP is computationally infeasible based on the security of the encryption scheme. To show that there are such schemes, we give a description of one such that the infeasibility of the DHIP follows from a weaker version of the McEliece generator matrix pseudorandomness assumption and the learning parity with noise (LPN) problem. We also study algebraic methods for generating suitable structures for the devised scheme. Since the platform structure requires a large set of homomorphisms, we consider classes of algebras for which this is the case. In particular, we concentrate on a class of algebras satisfying the left distributivity (LD) property. We formulate a non-associative generalization of the conjugacy search problem (CSP) called partial CSP (PCSP) for left conjugacy closed left quasigroups. We show that the feasibility of the HIP on LD left quasigroups depends on the PCSP. Application of this problem leads to a non-associative variant of the Anshel-Anshel-Goldfeld key agreement scheme. We also formulate different versions of the PCSP and show several relative hardness results related to them. Finally, we study more closely the PCSP for a class of conjugacy closed loops of order p^2, where p is a prime. We show that the hardness of the PCSP depends on the number of generators for the conjugator and on that of conjugacy equation pairs. Based on the weakest variant of the PCSP, we devise a symmetric blind decryption scheme on these loops and show that it satisfies perfect secrecy against passive adversaries.
Cryptographic key exchange methods are one of the most important parts of modern cryptography. These methods make it possible to agree on a common secret key over a public channel without any prior exchange of information. Diffie-Hellman key exchange is one of the best-known and most widely used methods. This work examines a generalization of that method based on its algebraic properties. The derived generalization is based on the difficulty of finding the homomorphic image of a given element, which the work calls the homomorphic image problem (HIP). In addition, an authenticated key exchange protocol is designed that is secure in the Canetti-Krawczyk model, assuming that the decision version of the homomorphic image problem (DHIP) is computationally hard. For a secure instantiation of the method, symmetric-key encryption schemes that are homomorphic over some algebraic operations are considered. The work derives a property of symmetric-key ciphers, capability for homomorphic key exchange, which guarantees that the resulting DHIP is computationally hard. A symmetric scheme satisfying this condition is also constructed. The security of the scheme rests on a weaker-than-usual assumption about the pseudorandomness of the McEliece generator matrix and on the learning parity with noise (LPN) problem. The work also examines methods for generating suitable algebraic structures. Since the scheme requires a large set of homomorphisms, structures for which this condition holds are considered. In particular, the focus is on so-called left distributive (LD) structures. The work defines a non-associative generalization of the search version of the conjugacy problem (CSP) for left quasigroups closed under conjugation. This generalization is called the partial CSP (PCSP). It is shown that in left distributive left quasigroups the hardness of the homomorphic image problem is closely related to the PCSP. This problem is further applied to define a non-associative variant of the Anshel-Anshel-Goldfeld key exchange scheme. Different versions of the PCSP and their relative computational complexity are also examined. The PCSP is studied more closely in conjugacy closed loops of order p^2, where p is a prime. It is shown that the hardness of the PCSP depends on the number of generators of the conjugator and on the number of conjugacy equations. Using these results, and in particular the easiest version of the PCSP, a symmetric-key encryption scheme supporting so-called blind decryption is devised. It is also shown that the scheme guarantees perfect secrecy against passive attacks.
5

Besson, Loïc. "Design, analysis and implementation of cryptographic symmetric encryption algorithms on FPGA." Electronic Thesis or Diss., université Paris-Saclay, 2021. http://www.theses.fr/2021UPASG104.

Abstract:
This thesis explores different aspects of the construction of symmetric encryption algorithms. The work covers the design and implementation of so-called lightweight block ciphers, as well as sponge functions used to build authenticated encryption. In both cases the goal is to define solutions that guarantee security bounds similar to those of the standard algorithms in the cryptographic literature while achieving the best possible performance and ratio of throughput to area used. The first part studies lightweight block ciphers and the existing techniques for developing a new algorithm with the desired properties. We also define a new mode of operation that guarantees security equivalent to that of the modes of operation standardized by NIST or ANSSI while allowing applications that do not exchange an initialization vector. Finally, after a comparison of the different modes of operation and of the permutations existing in the literature, the aim is to define the best possible candidates for each use case.
This work studies several aspects of design and implementation of symmetric cryptography. The focus was brought on two different kinds of construction, namely lightweight block ciphers and sponge functions providing authenticated encryption. For both the goal is to define solutions ensuring similar security bounds as standard algorithms while achieving good performances towards throughput and low area occupation. The first part of this thesis focuses on the state of the art in designing block ciphers and which parameters and construction may lead to the desired performances. We then define a new mode of operation achieving the same security margins as the mode of operation standardized by the NIST and the ANSSI while allowing application where the initialization vector cannot be sent to both correspondents. The second half is based on the study of sponge functions, from the SHA-3 competition to the NIST LWC standardization process, of both mode of operation and permutation to achieve the best performances as possible for different use cases.
6

Gudlaugsson, Rúnar. "Using security protocols to extend the FiLDB architecture." Thesis, University of Skövde, Department of Computer Science, 2002. http://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-640.

Abstract:
With the escalating growth of e-commerce in today’s society, many e-commerce sites have emerged that offer products on the Internet. To be able to verify orders from customers, some sites require sensitive information from their customers such as credit card details that is stored in their databases. The security of these sites has become the concern of many and it is a common opinion among the public that such sites cannot be trusted.
The FiLDB architecture presents an interesting approach for increasing the security of Internet connected databases. This approach is, in short, based on firewall protection; one external firewall protecting an external network, which in turn is connected to an internal network, which was protected by an internal firewall. A database is kept on each network. There are however a few issues that are unsolved in the FiLDB architecture. One of them and the problem that is covered in this report is how a user could securely insert, modify and fetch sensitive data into the internal database which stores the sensitive data.
In this work a few selected cryptographic protocols are studied by evaluating them with respect to five security criteria: confidentiality, authentication, integrity, key management and nonrepudiation. The initial selection of cryptographic protocols is mainly based on applicability in e-commerce systems. Based on the evaluation, one of the protocols is chosen to be implemented with the FiLDB architecture and then the extended architecture was evaluated.
This project shows that, by integrating a security protocol into architectures such as the FiLDB, the security of the system can be increased substantially.
7

Puteaux, Pauline. "Analyse et traitement des images dans le domaine chiffré." Thesis, Montpellier, 2020. http://www.theses.fr/2020MONTS119.

Abstract:
Over the last decade, the security of multimedia data, such as images, videos and 3D data, has become a major and unavoidable problem. With the development of the Internet, more and more images are transmitted over networks and stored in the cloud. This visual data is generally personal in nature or may have commercial value. Computing tools have therefore been developed to ensure its security. The purpose of encryption is to guarantee the visual confidentiality of images by making their content random. Moreover, during the transmission or archiving of encrypted images, it is often necessary to analyse or process them without knowing their original content or the secret key used during the encryption phase. This thesis addresses that problem. Indeed, many applications exist, such as secret image sharing, data hiding in encrypted images, image indexing and retrieval in encrypted databases, recompression of crypto-compressed images, and correction of noisy encrypted images. In a first line of research, we first present a new method for high-capacity data hiding in the encrypted domain. In most state-of-the-art approaches, the values of the least significant bits are replaced to embed a secret message. We take the opposite approach by proposing to predict the most significant bits. A markedly higher payload is thus obtained while preserving a high quality of the reconstructed image. We then show that it is indeed possible to process all the bit planes of an image recursively to perform data hiding in the encrypted domain. In a second line of research, we explain how to exploit statistical measures (Shannon entropy and a convolutional neural network) on small pixel blocks (i.e. with few samples) to distinguish a clear block from an encrypted block in an image. We then use this analysis in an application to the correction of noisy encrypted images. Finally, the third line of research developed in this thesis concerns the recompression of crypto-compressed images. In the clear domain, JPEG images can be recompressed before transmission over low-bandwidth networks, but the operation is much more complex in the encrypted domain. We therefore propose a method for recompressing crypto-compressed JPEG images directly in the encrypted domain, without knowing the secret key, based on a bit shift of the reorganized coefficients.
During the last decade, the security of multimedia data, such as images, videos and 3D data, has become a major issue. With the development of the Internet, more and more images are transmitted over networks and stored in the cloud. This visual data is usually personal or may have a market value. Thus, computer tools have been developed to ensure their security. The purpose of encryption is to guarantee the visual confidentiality of images by making their content random. Moreover, during the transmission or archiving of encrypted images, it is often necessary to analyse or process them without knowing their original content or the secret key used during the encryption phase. This PhD thesis proposes to address this issue. Indeed, many applications exist such as secret images sharing, data hiding in encrypted images, images indexing and retrieval in encrypted databases, recompression of crypto-compressed images, or correction of noisy encrypted images. In a first line of research, we present a new method of high-capacity data hiding in encrypted images. In most state-of-the-art approaches, the values of the least significant bits are replaced to achieve the embedding of a secret message. We take the opposing view of these approaches by proposing to predict the most significant bits. Thus, a significantly higher payload is obtained, while maintaining a high quality of the reconstructed image. Subsequently, we showed that it was possible to recursively process all bit planes of an image to achieve data hiding in the encrypted domain. In a second line of research, we explain how to exploit statistical measures (Shannon entropy and convolutional neural network) in small pixel blocks (i.e. with few samples) to discriminate a clear pixel block from an encrypted pixel block in an image. We then use this analysis in an application to correct noisy encrypted images. Finally, the third line of research developed in this thesis concerns the recompression of crypto-compressed images. In the clear domain, JPEG images can be recompressed before transmission over low-speed networks, but the operation is much more complex in the encrypted domain. We then proposed a method for recompressing crypto-compressed JPEG images directly in the encrypted domain and without knowing the secret key, using a bit shift of the reorganized coefficients.
8

Granlund, Henrik. "Integration of SVRS into the modelling tool GOAT." Thesis, Linköping University, Department of Computer and Information Science, 2009. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-51131.

Abstract:
This document is the final report to the thesis executed by Henrik Granlund at the University of Linköping. The thesis is a practical assignment which includes an extension of the currently existing modelling tool GOAT. The extension regards an integration of the internet based security database, the SHIELDS SVRS. The report goes through an overview of how GOAT is designed and later also the parts that have been extended. Thereafter follows a summary and discussion about the work.
9

Kondamudi, Harini. "Web Service for Knowledge Management Information Tool (KMIT) Hotline module and its Security." FIU Digital Commons, 2010. http://digitalcommons.fiu.edu/etd/262.

Abstract:
This thesis presents the development of a Web Service for the Hotline module of the Knowledge Management Information Tool (KMIT), a tool that is custom built for the decontamination & decommissioning (D&D) community of the Department Of Energy (DOE). The Hotline module allows interested users to post problems to specific areas of interest in the field of D&D. Various clients working with DOE and KMIT want to display the latest published problems of KMIT Hotline search in their own applications on a regular basis. Considering one of the major benefits of Web Services is the ease of integration of one piece of software with another, the Hotline Service is successfully developed and can be plugged into client’s applications by adding a reference to it. In such a distributed environment, messages can flow from node to node, through firewalls, onto the internet and through various intermediaries. This introduces a variety of message security threats. The research for this thesis included a study of the various security risks and scenarios. An appropriate security model is designed and is successfully implemented. Hotline Service can authenticate the client and ensure confidentiality making the service secure to communicate with.
10

Rehana, Jinat. "Model Driven Development of Web Application with SPACE Method and Tool-suit." Thesis, Norwegian University of Science and Technology, Department of Telematics, 2010. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-10905.

Abstract:
Enterprise level software development using traditional software engineering approaches with third-generation programming languages is becoming more challenging and cumbersome task with the increased complexity of products, shortened development cycles and heightened expectations of quality. MDD (Model Driven Development) has been counting as an exciting and magical development approach in the software industry from several years. The idea behind MDD is the separation of business logic of a system from its implementation details expressing problem domain using models. This separation and modeling of problem domain simplify the process of system design as well as increase the longevity of products as new technologies can be adopted easily. With appropriate tool support, MDD shortens the software development lifecycle drastically by automating a significant portion of development steps. MDA (Model Driven Architecture) is a framework launched by OMG (Object Management Group) to support MDD. SPACE is an engineering method for rapid creation of services, developed at NTNU (Norwegian University of Science and Technology) which follows MDA framework. Arctis and Ramses are tool suits, also developed at NTNU to support SPACE method. Several solutions have been developed on Arctis tool suit covering several domains like mobile services, embedded systems, home automation, trust management and web services. This thesis presents a case study on the web application domain with Arctis, where the underlying technologies are AJAX (asynchronous JavaScript and XML), GWT (Google Web Toolkit) framework and Java Servlet. In order to do that, this thesis contributes building up some reusable building blocks with Arctis tool suit. This thesis also describes a use case scenario to use those building blocks. This thesis work tries to implement the specified system and evaluates the resulting work.
11

Bengtsson, Johan, and Peter Brinck. "Design and Implementation of an Environment to Support Development of Methods for Security Assessment." Thesis, Linköping University, Department of Electrical Engineering, 2008. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-11307.

Abstract:
There is no debate over the importance of IT security. Equally important is the research on security assessment; methods for evaluating the security of IT systems. The Swedish Defense Research Agency has for the last couple of years been conducting research on the area of security assessment. To verify the correctness of these methods, tools are implemented.
This thesis presents the design and implementation of an environment to support and aid future implementations and evaluations of security assessment methods. The aim of this environment, known as the New Tool Environment, NTE, is to assist the developer by facilitating the more time consuming parts of the implementation. A large part of this thesis is devoted to the development of a database solution, which results in an object/relational data access layer.
12

Prykhodko, S. B. "Application of Nonlinear Stochastic Differential Systems for Data Protection in Audio and Graphics Files." Thesis, Sumy State University, 2015. http://essuir.sumdu.edu.ua/handle/123456789/41209.

Abstract:
Data protection in audio and graphics files is one of the significant problems in information security area. This problem is usually solved with cryptographic methods in computer systems, but new solutions are still being searched for. Application of nonlinear stochastic differential systems (SDSs) is one of such new methods [1].
13

Bista, Sulabh. "Assessing the Physical Security of IDFs with PSATool: a Case Study." Digital Commons @ East Tennessee State University, 2015. https://dc.etsu.edu/etd/2605.

Abstract:
PSATool is a checklist-based, web-based application for assessing the physical security of Intermediate Distribution Frameworks. IDFs, or wiring closets, are an integral if often neglected component of information security. Earlier work by Timbs (2013) identified 52 IDF-related security requirements based on federal and international standards for physical security. PSATool refines Timbs’ prototype application for IDF assessment, extending it with support for mobile-device-based data entry. PSATool was used to assess 25 IDFs at a regional university, a college and a manufacturing corporation, with an average of 9 minutes per assessment. Network managers and assessors involved in the assessments characterized PSATool as suitable for creating assessments, usable by IT department personnel, and accurate, in terms of its characterizations of IDF status.
14

Marcos, Conca Alexandre. "A Solution to Selecting Cyber-Security Software Tools for an Organization Using Security Controls." Thesis, KTH, Elkraftteknik, 2017. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-205272.

Abstract:
In the last decade, cyber-threats have evolved dramatically, forcing organizations year after year to use increasingly sophisticated security measures, security software among others. This has led to a huge increase in the number of security tools available in the industry. The result of the increase is that companies often do not know in which software to invest in order to meet their security needs. The purpose of this thesis is to address this problem by developing a solution that helps companies to choose the right security software based on their security needs and that allows to do the selection process in a systematic and reliable way. The solution proposed in the thesis builds on interviews with experts in information security, data collection from the literature and Internet and on a case study. The solution consists of firstly an investigative method with which it is possible to categorize any security tool according to the list of cyber-security controls proposed by CIS Critical Security Controls (CSC), which were chosen after a comparative study with other publicly available controls because they are actionable, relevant and updated frequently. Secondly, the solution proposes a user-friendly web tool that has been developed to allow the users to visualize the collected information for comparison. The visualization tool will help the users to select the security tools in which the company could be interested to invest in. The visualization is done in a simple way and the CSCs that would be covered are shown together with the gaps and the overlaps of the selected tools. In order to verify the viability of the solution that was developed with real data, the project includes a case study with a representative set of security tools. The case study facilitates the comprehension of the process undertaken and shows how this method could be applied in a real case scenario.
Over the last decade, cyber threats have evolved dramatically. The threat forces organizations, year after year, to use increasingly sophisticated security measures, security software among them. This has led to an enormous increase in the number of security tools available in the industry. The result of the increase is that companies often do not know which software they should invest in to meet their security needs. The purpose of this report is to address this problem by developing a solution that helps companies choose the right security software based on their security needs and that carries out the selection process in a systematic and reliable way. The solution proposed in the report builds on interviews with experts in information security, data collection from the literature and the Internet, and a case study. The solution consists first of an investigation method with which any security tool can be categorized according to the list of cyber-security controls published by CIS Critical Security Controls (CSC). CSC was chosen after a comparative study that included other publicly available lists of controls, because the CSC controls are actionable, relevant and frequently updated. Second, the solution proposes a user-friendly web tool developed to let users visualize the collected information for comparison. The visualization tool will help users select the security tools in which the company may be interested in investing. The visualization is done in a simple way, and the CSCs that are covered are shown together with the gaps and overlaps in the selected software. To confirm the feasibility of the developed solution with real data, the project includes a case study with a representative selection of security tools. The case study facilitates understanding of the classification and selection process by showing how this method could be applied in a real case.
15

Van, Os Rob. "SOC-CMM: Designing and Evaluating a Tool for Measurement of Capability Maturity in Security Operations Centers." Thesis, Luleå tekniska universitet, Datavetenskap, 2016. http://urn.kb.se/resolve?urn=urn:nbn:se:ltu:diva-59591.

Abstract:
This thesis addresses the research gap that exists in the area of capability maturity measurement for Security Operations Centers (SOCs). This gap is due to the fact that there is very little formal research done in this area. To address this gap in a scientific manner, a multitude of research methods is used. Primarily, a design research approach is adopted that combines guiding principles for the design of maturity models with basic design science theory and a step by step approach for executing a design science research project. This design research approach is extended with interviewing techniques, a survey and multiple rounds of evaluation. The result of any design process is an artefact. In this case, the artefact is a self-assessment tool that can be used to establish the capability maturity level of the SOC. This tool was named the SOC-CMM (Security Operations Center Capability Maturity Model). In this tool, maturity is measured across 5 domains: business, people, process, technology and services. Capability is measured across 2 domains: technology and services. The tool provides visual output of results using web diagrams and bar charts. Additionally, an alignment with the National Institute of Standards and Technology Cyber Security Framework (NIST CSF) was also implemented by mapping services and technologies to NIST CSF phases. The tool was tested in several rounds of evaluation. The first round of evaluation was aimed at determining whether or not the setup of the tool would be viable to resolve the research problem. The second round of evaluation was a so-called laboratory experiment performed with several participants in the research. The goal of this second round was to determine whether or not the created artefact sufficiently addressed the research question. In this experiment it was determined that the artefact was indeed appropriate and mostly accurate, but that some optimisations were required. 
These optimisations were implemented and subsequently tested in a third evaluation round. The artefact was then finalised. Lastly, the SOC-CMM self-assessment tool was compared to the initial requirements and research guidelines set in this research. It was found that the SOC-CMM tool meets the quality requirements set in this research and also meets the requirements regarding design research. Thus, it can be stated that a solution was created that accurately addresses the research gap identified in this thesis. The SOC-CMM tool is available from http://www.soc-cmm.com/
16

Johansson, Richard, and Heino Otto Engström. "Topic propagation over time in internet security conferences : Topic modeling as a tool to investigate trends for future research." Thesis, Linköpings universitet, Institutionen för datavetenskap, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-177748.

Abstract:
When conducting research, it is valuable to find high-ranked papers closely related to the specific research area, without spending too much time reading insignificant papers. To make this process more effective an automated process to extract topics from documents would be useful, and this is possible using topic modeling. Topic modeling can also be used to provide topic trends, where a topic is first mentioned, and who the original author was. In this paper, over 5000 articles are scraped from four different top-ranked internet security conferences, using a web scraper built in Python. From the articles, fourteen topics are extracted, using the topic modeling library Gensim and LDA Mallet, and the topics are visualized in graphs to find trends about which topics are emerging and fading away over twenty years. The result found in this research is that topic modeling is a powerful tool to extract topics, and when put into a time perspective, it is possible to identify topic trends, which can be explained when put into a bigger context.
17

Al, Awadi Wali. "An Assessment of Static and Dynamic malware analysis techniques for the android platform." Thesis, Edith Cowan University, Research Online, Perth, Western Australia, 2015. https://ro.ecu.edu.au/theses/1635.

Abstract:
With Smartphones becoming an increasingly important part of human life, the security of these devices is very much at stake. The versatility of these phones and their associated applications has fostered an increasing number of mobile malware attacks. The purpose of the research was to answer the following research questions: 1. What are the existing methods for analysing mobile malware? 2. How can methods for analysing mobile malware be evaluated? 3. What would comprise a suitable test bed(s) for analysing mobile malware? The research analyses and compares the various tools and methods available for compromising the Android OS and observing the malware activity before and after its installation onto an Android emulator. Among several available tools and methods, the approach made use of online scanning engines to perform pre installation of mobile malware analysis and the AppUse (Android Pentest Platform Unified Standalone Environment) tool to perform post installation. Both the above approaches facilitate better analysis of mobile malware before and after being installed onto the mobile device. This is because, with malware being the root cause of many security breaches, the developed mobile malware analysis allows future security practitioners in this field to determine if newly developed applications are malicious and, if so, what would their effect be on the target. In addition, the AppUse tool can allow security practitioners to first establish the behaviour of post installed malware infections onto the Android emulator then be able to effectively eliminate malware from individual systems as well as the Google Play Store. Moreover, mobile malware analysis can help with a successful incident response, assisting with mitigating the loss of intellectual property, personal information as well as other critical private data. It can strive to limit the damage of a security breach or to reduce the scope of damage of an attack. 
The basic structure of the research work began with a dynamic analysis, followed by a static analysis: a) Mobile malware were collected and downloaded from the Contagio website to compromise an Android emulator, b) Mobile malware were uploaded onto five online scanning engines for dynamic analysis to perform pre installation analysis, and c) AppUse tool was implemented and used for static analysis to perform post installation analysis by making use of its: a. Android emulator and, b. JD-GUI and Dex2Jar tools. The findings were that the AppUse methodology used in the research was successful but the outcome was not as anticipated. This was because the installed malicious applications on the Android emulator did not generate the derived behavioural reports; instead, only manifest files in xml format. To overcome this issue, JD-GUI and Dex2Jar tools were used to manually generate the analysis results from the Android emulator to analyse malware behaviour. The key contribution of this research work is the proposal of a dynamic pre-installation and a static post-installation analysis of ten distinct Android malware samples. To our knowledge, no research has been conducted on post installation of mobile malware analysis and this is the first research that uses the AppUse tool for mobile malware analysis.
18

Sundmark, Thomas. "Improvement and Scenario-Based Evaluation of the eXtended Method for Assessment of System Security." Thesis, Linköping University, Department of Electrical Engineering, 2008. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-16555.

Abstract:
This master’s thesis consists of a scenario-based evaluation of an IT-security assessment method known as the eXtended Method for Assessment of System Security (XMASS), as well as an assessment of a real-world network using the software implementation of this method known as the Security AssessmeNT Application (SANTA). This thesis also describes a number of improvements made to the software implementation, some of which could also be added to the method itself. These were performed during the preparation of the assessment but had no effect on the outcome. The evaluation showed that the method and implementation contained a number of flaws in the way the filtering effect of the traffic mediators of a network, such as network-based firewalls, was implemented. When it comes to the assessment of the real-world network it was seen that the network, given the supplied information regarding the software and hardware setup of its entities, appeared to be sufficiently secure to handle the transmission of data at the lowest classification level (Restricted). However, as with almost all security assessments, this does not mean that the network is guaranteed to be secure enough; it just indicates that, given the information specified, the network has the potential of being sufficiently secure. The main conclusion of this thesis is that the way XMASS and SANTA calculate the effect of filtering traffic mediators should be looked into and improved to increase the usability of the tool. The method can however still be used in its current state, but requires the individual(s) performing the assessment to be aware of the drawbacks of the current implementation and thus compensate for these when producing the input for the assessment method.
19

Kubík, Pavel. "Kryptovirologie." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2008. http://www.nusl.cz/ntk/nusl-235983.

Abstract:
This thesis is focused on a relatively new branch of computer security called Cryptovirology. It uses cryptography and its principles in conjunction with designing and writing malicious codes (e.g. computer viruses, trojan horses, worms). Techniques such as viral propagation through computer networks, capabilities of current viruses and similar threats are described. Beside cryptography and computer viruses, design of the cryptovirus and methods of a cryptoviral extortion attack along with their related potential are also analyzed below in this paper. As a proof of the concept in the given area of cryptovirology, a demonstrational computer program was written. The program was implemented with the respect to the satisfaction of the essentials set to the cryptovirus.
20

Pech, Jan. "Aplikace zákona a vyhlášky o kybernetické bezpečnosti na úřadech státní správy." Master's thesis, Vysoká škola ekonomická v Praze, 2016. http://www.nusl.cz/ntk/nusl-203989.

Abstract:
The thesis is focused on the Czech act no. 181/2014 Sb., on cyber security and subsequent regulations, introduces the origin and importance of the act, defines the state administration's office which identifies important information systems according to regulations, and subsequently analyses in detail the act and regulation on cyber security in relation to the defined state administration's office. The keynote of this thesis is to show the real application of identified obligations of the act and regulation to the defined state administration's office, especially the design, implementation and management of organizational and technical security measures, including the evaluation of real impact on information security. To achieve the set goals, the author of this thesis uses the analysis of legislation, and draws his own conclusions from the author's position of a security technologist who actively participated in the design of security policy, and the implementation and management of security tools. The benefit of this thesis is a complex overview of the security employees' work at the defined state administration's office, an overview of the real fulfilment of obligations of the act and regulation of cybernetic security, and ultimately this thesis brings ideas for further development of technical security tools. This thesis can bring benefit to other important information systems administrators as a set of processes, proposals and recommendations for their own information security management system. This thesis is structurally divided into four main parts. The first theoretical part introduces the origin, importance and impact of the act on state and private organizations. The second analytical part analyses the act and subsequent regulations in relation to the defined state administration's office. The third practical part shows the real application of organizational and technical security measures. The fourth and last part evaluates the real impact of measures on information security.
21

Strachová, Zuzana. "Implementace nástroje pro řízení kybernetické bezpečnosti." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2021. http://www.nusl.cz/ntk/nusl-444573.

Abstract:
The thesis is focused on the implementation of a software tool to increase the effectiveness of cyber security management. The tool is implemented in a company preparing to be classified as a part of critical information infrastructure. Based on the customer's requirements, a suitable cyber security management tool is selected. Subsequently, I propose a methodology for implementing the tool, which I immediately apply. The output of the work is an implemented tool, risk analysis and security documentation required by law.
22

Chailloux, André. "Quantum coin flipping and bit commitment : optimal bounds, pratical constructions and computational security." Thesis, Paris 11, 2011. http://www.theses.fr/2011PA112121/document.

Abstract:
Quantum computing allows us to revisit the study of quantum cryptographic primitives with information theoretic security. In 1984, Bennett and Brassard presented a protocol of quantum key distribution. In this protocol, Alice and Bob cooperate in order to share a common secret key k, which has to be unknown for a third party that has access to the communication channel. They showed how to perform this task quantumly with an information theoretic security; which is impossible classically. In my thesis, I study cryptographic primitives with two players that do not trust each other. I study mainly coin flipping and bit commitment. Classically, both these primitives are impossible with information theoretic security. Quantum protocols for these primitives were constructed where cheating players could cheat with probability strictly smaller than 1. However, Lo, Chau and Mayers showed that these primitives are impossible to achieve perfectly even quantumly if one requires information theoretic security. I study to what extent imperfect protocols can be done in this setting. In the first part, I construct a quantum coin flipping protocol with cheating probability of 1/root(2) + eps for any eps > 0. This completes a result by Kitaev who showed that in any quantum coin flipping protocol, one of the players can cheat with probability at least 1/root(2). I also constructed a quantum bit commitment protocol with cheating probability 0.739 + eps for any eps > 0 and showed that this protocol is essentially optimal. I also derived some upper and lower bounds for quantum oblivious transfer, which is a universal cryptographic primitive. In the second part, I study some practical aspects related to these primitives. I take into account losses that can occur when measuring a quantum state. I construct Quantum Coin Flipping and Quantum Bit Commitment protocols which are loss-tolerant and have cheating probabilities of 0.859. I also construct these primitives in the device independent model, where the players do not trust their quantum device. Finally, in the third part, I study these cryptographic primitives with information theoretic security. More precisely, I study the relationship between computational quantum bit commitment and quantum zero-knowledge protocols.
23

Fan, Yang, Hidehiko Masuhara, Tomoyuki Aotani, Flemming Nielson, and Hanne Riis Nielson. "AspectKE*: Security aspects with program analysis for distributed systems." Universität Potsdam, 2010. http://opus.kobv.de/ubp/volltexte/2010/4136/.

Abstract:
Enforcing security policies to distributed systems is difficult, in particular, when a system contains untrusted components. We designed AspectKE*, a distributed AOP language based on a tuple space, to tackle this issue. In AspectKE*, aspects can enforce access control policies that depend on future behavior of running processes. One of the key language features is the predicates and functions that extract results of static program analysis, which are useful for defining security aspects that have to know about future behavior of a program. AspectKE* also provides a novel variable binding mechanism for pointcuts, so that pointcuts can uniformly specify join points based on both static and dynamic information about the program. Our implementation strategy performs fundamental static analysis at load-time, so as to retain runtime overheads minimal. We implemented a compiler for AspectKE*, and demonstrate usefulness of AspectKE* through a security aspect for a distributed chat system.
24

Brejla, Tomáš. "Návrh koncepce prevence ztráty dat." Master's thesis, Vysoká škola ekonomická v Praze, 2011. http://www.nusl.cz/ntk/nusl-114106.

Abstract:
This work deals with the making of conception of implementation of processes and software tools designed to ensure sensitive data leakage prevention from the organization infrastructure. The structure consists of three key parts. The first one describes theoretical basis of the work. It explains what is the data loss prevention, what it comes from, why it is necessary to deal with it and what its goals are. It also describes how this fits into the whole area of corporate ICT security environment. There are defined all the risks associated with leakage of sensitive data and there are also defined possible solutions and problems that are associated with these solutions. The first part also analyzes the current state of data loss prevention in organizations. They are divided according to their size and for each group there is a list of the most common weaknesses and risks. It is evaluated how the organizations currently solve prevention of data loss and how they cover this issue from both a procedural point of view and in terms of software tools. The second part focuses directly on the software tools. It is characterized the principle of operation of these systems and it is explained their network architecture. There are described and evaluated current trends in the development of the data loss prevention tools and it is outlined possible further development. They are divided into different categories depending on what features they offer and how these categories cover the needs of organizations. At the end of the second part there are compared the software solutions from leading vendors in the market against actual experience, focusing on their strengths and weaknesses. The third part presents the core content. It joins two previous sections and the result is the creation of the overall concept of the implementation of data loss prevention with focus on breakdown by several different levels -- processes, time and size of the company. 
At the beginning of this third section it is described what precedes the implementation of data loss prevention, and what the organizations should be careful of. It is defined by how and what the organizations should set their own expectations for the project could be manageable. The main point is the creation of a procedure of data loss prevention implementation by creating a strategy, choice of solutions, to the implementation of this solution and related processes. The end of the third part deals with the legal and personnel issues which are with the implementation of DLP very closely related. There are made recommendations based on analysis of the law standards and these recommendations are added to the framework approach of HR staff. At the very end there are named benefits of implementing data loss prevention, and the created concept is summarized as a list of best practices.
25

Berrios-Ayala, Mark. "Brave New World Reloaded: Advocating for Basic Constitutional Search Protections to Apply to Cell Phones from Eavesdropping and Tracking by Government and Corporate Entities." Honors in the Major Thesis, University of Central Florida, 2013. http://digital.library.ucf.edu/cdm/ref/collection/ETH/id/1547.

Abstract:
Imagine a world where someone’s personal information is constantly compromised, where federal government entities AKA Big Brother always knows what anyone is Googling, who an individual is texting, and their emoticons on Twitter. Government entities have been doing this for years; they never cared if they were breaking the law or their moral compass of human dignity. Every day the Federal government blatantly siphons data with programs from the original ECHELON to the new series like PRISM and Xkeyscore so they can keep their tabs on issues that are none of their business; namely, the personal lives of millions. Our allies are taking note; some are learning our bad habits, from Government Communications Headquarters’ (GCHQ) mass shadowing sharing plan to America’s Russian inspiration, SORM. Some countries are following the United States’ poster child pose of a Brave New World like order of global events. Others like Germany are showing their resolve in their disdain for the rise of tyranny. Soon, these new found surveillance troubles will test the resolve of the American Constitution and its nation’s strong love and tradition of liberty. Courts are currently at work to resolve how current concepts of liberty and privacy apply to the current conditions facing the privacy of society. It remains to be determined how liberty will be affected as well; liberty for the United States of America, for the European Union, the Russian Federation and for the people of the World in regards to the extent of privacy in today’s blurred privacy expectations.
B.S.; Bachelors; Health and Public Affairs; Legal Studies
26

Fujdiak, Radek. "Analýza a optimalizace datové komunikace pro telemetrické systémy v energetice." Doctoral thesis, Vysoké učení technické v Brně. Fakulta elektrotechniky a komunikačních technologií, 2017. http://www.nusl.cz/ntk/nusl-358408.

Abstract:
Telemetry system, Optimisation, Sensoric networks, Smart Grid, Internet of Things, Sensors, Information security, Cryptography, Cryptography algorithms, Cryptosystem, Confidentiality, Integrity, Authentication, Data freshness, Non-Repudiation.
27

Mahapatra, Manas. "Performance Analysis of CUDA and OpenCL by Implementation of Cryptographic Algorithms." Thesis, 2015. http://ethesis.nitrkl.ac.in/6818/1/Performance__Mahapatra_2015.pdf.

Abstract:
This paper presents a Performance Analysis of CUDA and OpenCL. Three different cryptographic algorithms, i.e. DES, MD5, and SHA-1 have been selected as the benchmarks for extensive analysis of the performance gaps between the two. Our results show that, on the average scenario, CUDA performs 27% better than OpenCL while in the best case scenario it takes over OpenCL by 30%. As far as the optimal number of threads per block goes, 256 threads per block is the most performant choice, proving that the CUDA architecture is able to deal with an increased pressure on the register file without problems as CUDA scores 4.5 times over OpenCL in terms of stability.
28

Pereira, Vitor Manuel Parreira. "Integrated Verification of Cryptographic Security Proofs and Implementations." Doctoral thesis, 2020. https://hdl.handle.net/10216/127089.

29

Pereira, Vitor Manuel Parreira. "Integrated Verification of Cryptographic Security Proofs and Implementations." Tese, 2020. https://hdl.handle.net/10216/127089.

30

Nag, Kaustav, and Mihir Birua. "Implementing Symmetric Cryptographic Techniques in Online fee Payment System of NIT Rourkela." Thesis, 2012. http://ethesis.nitrkl.ac.in/3534/1/thesis(108CS008%26108CS042).pdf.

Abstract:
Cryptography protects the information in network and reduces the risk of security breaches from hackers. One of its most important applications is in the financial sector and the e-commerce over the Internet which requires secure handling of data during transactions. The online fee payment system of NIT Rourkela has serious vulnerabilities which makes it prone to attacks by hackers. In this project our objective is to highlight the various drawbacks in the system and to suggest ways to eliminate those flaws using symmetric cryptographic techniques which encrypts data at sender side and decrypts ciphertext at receiver side using the same shared key.
31

Tong-XuanWei and 衛彤軒. "Security Analysis on Quantum Cryptographic Protocols Based on Quantum Information Theory." Thesis, 2011. http://ndltd.ncl.edu.tw/handle/79505488113490413997.

32

Naidu, Poluru Praveen Kumar. "Tool to exploit Heartbleed Vulnerability." Thesis, 2015. http://ethesis.nitrkl.ac.in/7200/1/Tool_Naidu_2015.pdf.

Abstract:
OpenSSL is an open-source library that is used to communicate data through a secure protocol known as TLS. TLS is used for secure communication over a channel widely over the internet for various applications both desktop and web like web browsers, emails, chat applications. In April 2014 a security bug called Heartbleed [1] was found, which is so catastrophic that it exposes sensitive information like cookies, session data, and even private keys of the server. This vulnerability allows stealing of the contents of the RAM by anyone on the Internet. This also allows the attackers to extract the private keys from the server which can be used to decrypt the HTTPS traffic by doing a man-in-the-middle attack [2] and eavesdrop on sensitive data and also to impersonate another user. In this thesis report we study the Heartbleed vulnerability in depth, propose a method to exploit the vulnerability and develop a tool to exploit.
33

Lee, Yin-Fu, and 李胤府. "A Study of Designing Technical Testing Tool for Information Security Management Systems." Thesis, 2010. http://ndltd.ncl.edu.tw/handle/71408750726967001135.

Abstract:
Master's; Tamkang University; Master's Program, Department of Information Management; 98
Many SMEs (Small and Medium-sized Enterprises) often confront difficulties of collecting and integrating related information of the implementation of ISMS controls due to budget, human resource or technology insufficiency. With the view to assisting SMEs, this research aims at developing a testing tool which is suitable for SMEs by integrating the related information in information systems for managing ISMS controls and internal auditing. This research implements “system development research methodology” based on developing a prototype system of technical testing tool of ISMS refining with depth personal interviews so as to explore the controls, which can be checked by using tool to gather related information in information systems within ISO 27001, and the needs as well as architectures of technical testing tool of ISMS. The outcome of the depth personal interviews indicated that the controls, which can be checked by using tool to gather related information in information systems within ISO 27001, must have the feature that the systems should automatically generate records during the implementation of the controls. The architecture of a technical testing tool of ISMS can be divided into four sections: organization’s security policies, collection of testing data, analysis of testing data, and display of testing data. On one hand, the needs of technical testing tool of ISMS should comprise the capability of displaying and adjusting the organization’s security policies, on the other hand, the tool should automatically collect as well as integrate related information. The basic requirement of testing tool contains data analysis flexibility, present data graphically, and the best possible simplicity.
34

Lin, Yu-Lung, and 林裕倫. "An Approach to Assessment Model and Metric Tool of Information Security in EIP." Thesis, 2011. http://ndltd.ncl.edu.tw/handle/45335754014214632666.

Abstract:
Master's degree, Soochow University, Department of Information Management, academic year 99.

Today, Internet technology development and its applications have become increasingly popular. Hence, WWW technology has brought the rise of the Enterprise Information Portal (EIP). However, providing a secure Enterprise Information Portal is one of the essential qualities of service (QoS) in Internet applications. Focusing on the security of designing an EIP, the purposes of this paper are to find out various risk facets based on ISO 27001 reference standards and the ISMS process and also to utilize the AHP model to validate the factors of each risk facet. Then we refine and validate the required factors of each risk facet through 5 experts specialized in designing and implementing a secure EIP system. In addition, we can establish an information security assessment model of EIP and design its algorithm. Finally, we develop a Metric Tool and also perform experiments to verify and validate the information security of a selected EIP. According to the risk value, it can refine the risk level to verify and validate the security of the EIP and propose related improvement strategies. According to the experimental result, our proposed assessment model and Metric Tool of EIP information security can serve as guidelines for implementing any secure Web application.
35

WNAG, JIUNG-SHUNG, and 王俊雄. "The Study of “Broken Authentication” Information Security Topic Training Base on Open Source Lab Tool." Thesis, 2019. http://ndltd.ncl.edu.tw/handle/4uzy5b.

Abstract:
Master's degree, National Defense University, Master's Program in Cyber Security, academic year 107.

Looking at the two major cyber attacks of the 2016 Mirai virus and the 2018 "Eternal Blue", they all exploited the weakness of the “Weak Password” and invaded the home network. The “Weak Password” has been classified by the OWASP organization in the “Identity Authentication Failure” risk of the 2017 TOP10. This study aims to propose an effective training method for information security technology. The plan is to use a two-stage short-term training method, and we focus on designing the “Identity Authentication Failure” risk-related technical course to enable trainers to understand the relevant fields of expertise and technology. This study integrates the CTFd platform and OWASP Juice Shop as a learning and testing system to enhance the learning interest and practical ability of trainers, thereby enhancing the quality of the overall information staff. Our study divides students into an “experimental group” and a “control group”. The online teaching materials and CTFd platform are used for learning and practice. The two-stage academic performance, test scores and questionnaire results are used to verify the short-term training effectiveness and student group learning differences. The experimental results show that the design and implementation of this study have achieved good results.
36

"Mapping for Healthier Communities: Using GIS Technology as a Tool for Addressing Food Security." Master's thesis, 2011. http://hdl.handle.net/2286/R.I.9214.

Abstract:
At first glance, trends in increased hunger and obesity in the United States (US) would seem to represent the result of different causal mechanisms. The United States Department of Agriculture (USDA) reported that nearly 50 million Americans had experienced hunger in 2009. A year later, the Centers for Disease Control and Prevention published a report showing that 68% of the US population was either overweight or obese. Researchers have found that these contrasting trends are actually interrelated. Being so, it is imperative that communities and individuals experiencing problems with food security are provided better access to healthy food options. In response to the need to increase healthy food access, many farmers markets in the US have received funding from the USDA to accept vouchers from federal food security programs, such as the Supplemental Nutrition Assistance Program (SNAP). In Downtown Phoenix, Arizona, one organization accepting vouchers from several programs is the Phoenix Public Market. However, the mere existence of these programs is not enough to establish food security within a community: characteristics of the population and food environments must also be considered. To examine issues of food security and public health, this thesis utilizes geographical information systems (GIS) technology as a tool to analyze specific environments in order to inform program effectiveness and future funding opportunities. Utilizing methods from community-based participatory research (CBPR) and GIS, a mapping project was conducted in partnership with the Market to answer three questions: (1) what is the demographic makeup of the surrounding community? (2) what retailers around the Market also accept food security vouchers? and (3) where are food security offices (SNAP and WIC) located within the area?
Both in terms of demographic characteristics and the surrounding food environment, the project results illustrate that the Market is embedded within a population of need, and an area where it could greatly influence community food security.

Dissertation/Thesis, M.A. Social Justice and Human Rights, 2011
37

黃俊杰. "The Study of “ Insufficient Logging & Monitoring ”Information Security Topic Training Base on Open Source Lab Tool." Thesis, 2019. http://ndltd.ncl.edu.tw/handle/d43264.

Abstract:
Master's degree, National Defense University, Master's Program in Cyber Security, academic year 107.

Due to the rapid development of modern software, a large number of insecure software and security loopholes are hidden in the worldwide financial industry, medical industry, defense industry, energy industry and key infrastructures. We can prevent and reduce the risk of information security by providing relevant vulnerability information through the OWASP organization. In order to construct the teaching material for the OWASP 2017 TOP 10 “Record and Monitor Absence” related network weaknesses, and verify whether it can effectively achieve the training results, we worked with the research team and set up a short-term training for second-grade university students of the Chung Cheng Institute of Technology, National Defense University from April 18 to May 16, 2019. During the two-stage training process, we provided course material and videos, and constructed a learning platform for students. Students were divided into an “experimental group” and a “control group”. The two groups were mainly self-learning, but the experimental group added two additional “pre-course introduction” and “example explanation” courses. This study integrates the CTFd platform and the OWASP Juice Shop as a learning and testing system, and uses two-stage academic scores, test scores and questionnaire results to verify the short-term training effectiveness and student group learning differences. The experimental results show that the design and implementation of this study have achieved good results.
38

BELLIZIA, DAVIDE. "Design methodologies for cryptographic hardware with countermeasures against side channel attacks." Doctoral thesis, 2018. http://hdl.handle.net/11573/1094643.

Abstract:
Since the protection of sensible data is considered a major concern in modern devices, the importance of technological aspects has to be addressed properly. Although cryptographic algorithms are considered trustworthy in terms of cryptanalytic resilience, devices that implement such algorithms may not be physically secure. It has been proved that physical emissions in electronic devices can be related to the devices' activity. Hence, hardware implementations of cryptographic algorithms have to deal with unavoidable physical emissions. The verification of robustness of an architecture with a given SCA has to deal with the evaluation of data-dependency of the target physical emission. Attacks Exploiting Static Power (AESP) are a sub-class of PAAs that benefit from the data-dependency of the static currents. In my research activity, I demonstrated how AESP can be very powerful in recovering the secret key even from dynamic PAA-protected implementations in nanometer technologies. Moreover, the temperature dependency of this side-channel has been evaluated, since each static current related phenomenon is strongly dependent on the working temperature of the device under attack. Making use of this additional dependency, it is possible to simplify the extraction of information through static power consumption. A multivariate analysis of static power consumption using the working temperature as an additional domain has been investigated, and a brand new profiled attack, Template Attack Exploiting Static Power (TAESP), has been presented. In addition, a new measurement setup for mounting AESP and TAESP has been proposed during the PhD. The proposed measurement setup makes use of only low-cost off-the-shelf components and features a control-loop for the working temperature of the device under attack. In this work, a DC pico-ammeter is used in place of the classical Digital Storage Oscilloscope (DSO) to measure static power consumption at steady state.
A novel logic style named Delay-based Dynamic Differential Logic (DDDL or D3L) has been proposed as a new logic-level countermeasure against PAAs. The new logic style has been conceived to be implemented using only standard cells, usually provided with each digital design kit. The D3L makes use of the Time Enclosed Logic (TEL) signaling, which has been recently demonstrated to outperform the conventional Return-to-Zero (RTZ) protocol in terms of security if mismatch effects are properly taken into account. The new library is presented with a template for 2-input Boolean operands, and a sequential gate is also described. Simulations on the novel logic style are provided using a 40nm CMOS design kit, provided by STMicroelectronics. Since it is possible to easily design the D3L library using VHDL (or Verilog), a synthesizable description for two FPGAs (Xilinx Spartan-6 and Altera Cyclone-IV) has been formalized. Dynamic and static power attacks and evaluations have been practically performed on the Altera Cyclone-IV, using a 4-bit PRESENT-based crypto-core as a case study, also making a comparison between D3L and other popular FPGA-compatible dual-rail pre-charge logic styles used to counteract PAAs. During the research activity, an analog approach to counteracting PAAs has also been investigated. The analog approach is not well explored in the literature, but it offers several possibilities and benefits in counteracting the theft of information through power consumption. Two countermeasure schemes based on a feedback-loop architecture and with a pure current-mode approach have been presented, named On-chip Current Equalizer (OCE) and improved On-chip Current Equalizer (iOCE). The purpose of OCE and iOCE is to maintain the current consumption constant neglecting the data-dependent activities that take place in the cryptographic circuit. OCE and iOCE aim to equalize the instantaneous current consumption as well as the energy per cycle.
An intense experimental activity regarding the test and security evaluation of the 65nm SERPAES prototype chip has been carried out during the PhD. The SERPAES, designed at our laboratory, contains five implementations of the AES-128 block cipher and two full-custom designed prototype implementations of a 4-bit data-path of the SERPENT block cipher. AES implementations are designed with RTL-level countermeasures, aiming to randomize the power consumption of the data-path. Experimental analysis of PAA-resilience on the AES-4 core has been performed, giving actual and information theoretic security metrics. The protection scheme implemented on AES-4 is based on the adoption of the Secure Double Rate Register (SDRR), aiming to randomize the power consumption of the combinational network and registers. In addition, an evaluation of the security and robustness to PAAs has been performed on the full-custom section of the SERPAES chip, containing two implementations of a 4-bit data-path based on round-0 of the SERPENT block cipher. SERPENT-based cores are implemented using the following full-custom logics: Sense Amplifier-Based Logic (SABL) and improved Delay-based Dual-rail Pre-charge Logic (iDDPL). PAA evaluations on both cores have been carried out giving a fair comparison of state-of-the-art full-custom PAA-countermeasures. The comparison has been performed for different cases of capacitive unbalance, in order to measure the performance of both logic styles in tolerating capacitive mismatches.
39

Eloff, Corné. "Spatial technology as a tool to analyse and combat crime." Thesis, 2006. http://hdl.handle.net/10500/1193.

Abstract:
This study explores the utilisation of spatial technologies as a tool to analyse and combat crime. The study deals specifically with remote sensing and its potential for being integrated with geographical information systems (GIS). The integrated spatial approach resulted in the understanding of land use class behaviour over time and its relationship to specific crime incidents per police precinct area. The incorporation of spatial technologies to test criminological theories in practice, such as the ecological theories of criminology, provides the science with strategic value. It proves the value of combining multi-disciplinary scientific fields to create a more advanced platform to understand land use behaviour and its relationship to crime. Crime in South Africa is a serious concern and it impacts negatively on so many lives. The fear of crime, the loss of life, the socio-economic impact of crime, etc. create the impression that the battle against crime has been lost. The limited knowledge base within the law enforcement agencies, limited logistical resources and low retention rate of critical staff all contribute to making the reduction of crime more difficult to achieve. A practical procedure of using remote sensing technology integrated with geographical information systems (GIS), overlaid with geo-coded crime data to provide a spatial technological basis to analyse and combat crime, is illustrated by a practical study of the Tshwane municipality area. The methodology applied in this study required multi-skilled resources incorporating GIS and the understanding of crime to integrate the diverse scientific fields into a consolidated process that can contribute to the combating of crime in general. The existence of informal settlement areas in South Africa stresses the socio-economic problems that need to be addressed as there is a clear correlation of land use data with serious crime incidents in these areas. 
The fact that no formal cadastre exists for these areas, combined with a great diversity in densification and growth of the periphery, makes analysis very difficult without remote sensing imagery. Revisits over time to assess changes in these areas in order to adapt policing strategies will create an improved information layer for responding to crime. Final computerised maps generated from remote sensing and GIS layers are not the only information that can be used to prevent and combat crime. An important recipe for ultimately successfully managing and controlling crime in South Africa is to strategically combine training of the law enforcement agencies in the use of spatial information with police science. The researcher concludes with the hope that this study will contribute to the improved utilisation of spatial technology to analyse and combat crime in South Africa. The ultimate vision is the expansion of the science of criminology by adding an advanced spatial technology module to its curriculum.

Criminology, D.Litt. et Phil. (Criminology)
40

Molefe, Thato. "Qualitative evaluation of smallholder and organic farmer decision support tool (DST) and its improvement by inclusion of a disease management component." Thesis, 2011. http://hdl.handle.net/10413/8467.

Abstract:
Historically, South Africans, particularly small-scale farmers, have had little support and hence lack tools and information when faced with production decisions. Information plays an important role in enlightening people, raising their level of knowledge and in turn improving their standard of living and participation in the decision-making process. Research shows that Information Communication Technology (ICT) like Decision support tools (DSTs) plays an important role in systematic dissemination of information in agriculture, thus improving the quality of farmers’ decisions. Decision support tools provide up-to-date data, procedures and analytical capacity leading to better-informed decisions, especially in rural areas. A body of research is emerging around issues of effectiveness of DSTs for farmers in the developed world. However, few studies have focused on issues around effectiveness of these tools for farmers in the developing world, particularly for resource-limited farmers. This study set out to evaluate the effectiveness of a new DST for organic and small-scale farmers with a group of extension officers and researchers in KwaZulu-Natal. As an extension to the DST, a crop disease management component linked to the DST was developed. The study also set out to evaluate the effectiveness of the crop disease management component. Extension officers and researchers were purposively selected for this study because both groups play a major role as far as organising and disseminating information to organic and small-scale farmers is concerned. This study identified key measures for effectiveness of DSTs and crop disease management guides using literature from the study. Two frameworks for measuring effectiveness were developed to evaluate the effectiveness of the new DST and its crop disease management component with the extension officers and researchers. Focus group discussions were used for data collection.
The frameworks were used as a base for the focus group discussions. Focus groups were conducted to explore and establish whether, in the light of the groups (extension officers and researchers), the new DST and its crop disease management component are effective. Results from the study revealed that extension officers and researchers felt that the DST and its crop disease management component are effective since they meet key measures for effectiveness identified in the framework. The groups agreed that the DST and its crop disease management component are relevant to small-scale farmers. They also agreed that the DST has the ability to improve access to information for small-scale farmers. Lastly, they also agreed that the DST and its crop disease management component are transparent (meaning flexible and user friendly) for small-scale farmers. Some of the areas for improvement identified by the groups included a need for information on pests and more diseases for the DST and the crop disease management component. Although the groups felt that both the DST and crop disease management were effective, they strongly recommended a need for another study that will aim at developing a pest management component of the DST as this was clearly requested by groups in this study. Results of this study showed that half the respondents felt that the DST was easy enough to be used by small-scale farmers without help from extension officers, while the other half believed that small-scale farmers will still need the help of extension officers to show them how to use the DST. Government and other relevant institutions need to provide appropriate training for these farmers, making the DST useful to them.

Thesis (M.Agric)-University of KwaZulu-Natal, Pietermaritzburg, 2011.