|
Jefferson's WheelSecurity Research at the University of Virginia |
Congratulations to Yan Huang for winning an Honorable Mention at the University of Virginia Engineering Research Symposium (UVERS) for his poster on privacy-preserving biometric matching.
The poster is here: [PDF (13MB)]
Jonathan Burket, Patrick Mutchler, Michael Weaver, and Muzzammil Zaveri will present GuardRails: A (Nearly) Painless Solution to Insecure Web Applications at the RubyNation conference in Reston (near Washington, DC), on April 2.
With web applications continuing to grow in popularity and frameworks becoming simpler to use, creating a web application is easier than ever. While building an application may be straightforward, ensuring that it is secure requires both a deep understanding of subtle security vulnerabilities as well as tedious and careful insertion of security checks. We propose GuardRails, an open source source-to-source tool for Ruby on Rails applications that adds extra layers of security to web applications with only minimal effort from the developer. GuardRails works by attaching security policies to the data itself. These policies are automatically enforced throughout the application, without the need for the developer to write large amounts of code. Our system helps prevent against a variety of security vulnerabilities from CrossSite Scripting to faulty access controls without requiring the developer to have a sophisticated knowledge of web security.
Our paper on using lattice ciphers for low-power public-key encryption targeted to RFID tags is now available. Yu Yao will present the paper in Wuxi, China in April.
Yu Yao, Jiawei Huang, Sudhanshu Khanna, abhi shelat, Benton Highsmith Calhoun, John Lach, and David Evans. A Sub-0.5V Lattice-Based Public-Key Encryption Scheme for RFID Platforms in 130nm CMOS. 2011 Workshop on RFID Security (RFIDsec’11 Asia)
Wuxi, China. 6-8 April 2011.
Abstract: Implementing public-key cryptography on passive RFID tags is very challenging due to the limited die size and power available. Typical public-key algorithms require complex logical components such as modular exponentiation in RSA. We demonstrate the feasibility of implementing public-key encryption on low-power, low cost passive RFID tags to large-scale private identification. We use Oded Regev’s Learning-With-Error (LWE) cryptosystem, which is provably secure under the hardness assumption of classic lattice problems. The advantage of using the LWE cryptosystem is its intrinsic computational simplicity (the main operation is modular addition). We leverage the low speed of RFID application by using circuit design with supply voltage close to transistor threshold (Vt) to lower power. This paper presents protocols for using the LWE cipher to provide private identification, evaluates a design for implementing those protocols on passive RFID tags, and reports on simulation experiments that demonstrate the feasibility of this approach.
Full paper (19 pages): [PDF]