Trustworthy ICT Research for the IT Security Industry.
A collaboration of IT Security Associations.
Supporting the competitiveness of the European IT Security market
and defining the research agenda.

News

JANUARY 2014: di.me

di.me - integrated digital.me userware

The use of personal information for private and business life is a trend in our increasingly information-driven society. Since the rise of social media, individuals are revealing more personal data online than ever before. This data disclosure provides value to users, such as enhancing social contacts or obtaining personalized services and products. However, the existing social internet makes it difficult to use personal information in a controlled way while retaining privacy where required. The European project di.me has been investigating a new paradigm to mitigate this risk and has now opened its code.

In 2010, a group of European research organizations and industrial companies started to investigate a technology that would enable the user to share personal data in a controlled, trustworthy and intelligent way. The resulting cooperative project, digital.me, aims to research social technology that deeply incorporates user control in its design. The project’s approach is to develop a technical platform with the “di.me userware” as the central component.

The project consortium has developed the dime platform that incorporates new paradigms of social network and service development: Decentralization, Multiple Identity Management, Trust Management and Recommendations.

The project recently concluded with the publication of the di.me code as Open Source. Di.me is thus extensible, and the publication of its code enables developers to use it as a base for further initiatives.

www.dime-project.eu

The researcher's view

Dipl.-Inform Simon Thiel, Fraunhofer IAO, Germany
Technical coordinator of di.me project

Does the initial motivation of di.me project come from a need of the industry or does it address a social concern?

The rise of social networks we've experienced in the past years left many questions open. Who is taking responsibility for my private data? How well is it protected? How can I know about 3rd parties able to access it? Will it be open to the government or sold to other companies? These questions are about having control over my private data. The concern di.me started with was to give the control back to the user.

In the beginning of the project, did you have any contact with industrial companies which could have become potential buyers or users of your developments?

With our project partners CAS, YellowMap and Telecom Italia we had potent stakeholders for exploiting the development in different markets directly in the consortium.

Do you think there is a gap between research and industry in the European ICT Security sector that makes it difficult for the researchers to reach the market?

In my opinion, there is generally an inherent gap between publicly funded research and market-ready products. While it's clear that within a cooperative research project the result cannot be a market-ready product, the efforts of the EC to make the best value of the project's outcome are very helpful and productive. From my experience, a mixed consortium with partners from research and industry is very appropriate to achieve high quality results.

 

OpenSesame - Research of the Month October 2013

Opening backdoors on embedded devices (OpenSesame)

Networked embedded devices such as routers, switches, firewalls, sensors and actuators are part of our critical infrastructure. These devices are often assembled and programmed overseas - beyond our control - and placed within our trusted networks or even used for military applications. But can we really trust them? There have been several incidents where backdoors have been found in the firmware (also on silicon) of these devices. Such a backdoor allows an adversary to gain (remote) access to the device.

OpenSesame addresses this problem by developing novel automated techniques to test the software and firmware of embedded devices for the presence of such backdoors. Standard protocol fuzzing techniques, such as feeding programs invalid or random data to test for unexpected behaviour, are not very effective as the chances of hitting the right input are tiny. Our approach consists of first recovering the (read-protected) firmware from the device.

Having access to the firmware enables us to apply smarter techniques, such as symbolic execution, to detect the presence of backdoors in any possible execution path. This technique does not scale very well when addressing large computer programs. However, embedded devices with their smaller code bases are exactly the right target for symbolic execution.


Lead: Prof. dr. B.P.F. Jacobs (Radboud Universiteit Nijmegen)

Intrinsic-ID Innovation of the Month November 2013

 

PUF on a stick 

After years of research in various projects, Intrinsic-ID, a Philips spin-off, has realised another application of Physical Unclonable Functions (PUFs) in action.

Saturnus leverages the Hardware Intrinsic Security™ technology (HIS) developed and patented by Intrinsic-ID. HIS technology protects the secret keys used by Saturnus and adds an extra layer of protection. Instead of keeping keys in software only, security is anchored in the hardware. Secret keys are extracted from the hardware properties of the smartcard chip in the USB token, like an ‘electronic fingerprint’ used to anchor the cloud data with the physical device. Since the keys are not present when the device is switched off, a very high security level is achieved. HIS technology comes with reference credentials and a proven track record in the smartcard, government, automotive, networking and telecom industries.

Dropbox for your company: easy and secure

Saturnus is a combined software and hardware solution to protect your data in Dropbox. Its software runs on Android and Windows platforms. A smart token, enhanced with HIS*, provides security based on a hardware root of trust at the client site.

Saturnus features

  • Encrypt your files before they leave the device on the way to Dropbox
  • Intuitive user interface to securely access and share files in the cloud
  • Blazingly fast
  • Automatic file synchronization
  • Transparent security, running in the background
  • Keep the key in your own hands
  • No backdoors, your data is safe from prying eyes

This is a great new trustworthy European ICT solution that applies some of the research funded in various European research projects. For more information, please go to:

http://www.intrinsic-id.com/press-releases/2013/pr-intrinsic-id-brings-a-new-level-of-data-security-to-dropbox-with-its-saturnus-secure-cloud-prod/

Interested in purchasing Saturnus or in more information on the product:

Saturnus Promotion Bundle includes one USB token and a 3 year license for Saturnus® for both Android 4.x and Windows 7 devices.

http://www.intrinsic-id.com/markets/enterprises-and-professionals/

For more information, contact the FIRE innovation partners info at trustworthyictonfire.com or reach out to Pim Tuyls of Intrinsic-ID.

PISA - Research of the month July 2013

PISA - Personal Information Security Assistant

The Personal Information Security Assistant (PISA) project starts from the observation that the growing dependence of society on ICT has increased information security risks. PISA attempts to improve this by focusing on end-users. First, they are the weakest link, as they lack resources and expertise that enterprises have. By strengthening them we remove a large vulnerability in society. Second, they are early adopters of technology and drive change bottom-up.

The approach is to help end-users perform risk management. This is an iterative process of defining goals, examining the threats against them, deciding how to act on them, and actually implementing these actions. Risk management is commonplace in enterprises, with demonstrated effectiveness, but it is too complex for end-users. We will simplify it, creating a lightweight risk management process that is usable by end-users. For this PISA will (1) develop a simple but expressive risk ontology to represent risks. PISA will also (2) develop a repository of end-user risks, and (3) design a secure tool that can answer questions about the end-users' risks (for example of online social networks) and suggest actions to reduce these together with their cost. We will (4) perform experiments with prototypes on test subjects, to test the prototypes' usability, persuasiveness and effectiveness in reducing risks. Finally PISA intends to (5) use the knowledge gained in these experiments to create one end-user risk management method that can be standardized.

Lead : Prof.dr. R.J. Wieringa (Universiteit Twente)
Partners: KPN, XS4All, CSC IT consultancy, Hyves.nl, ITUnited

 

SPION - Research of the month November 2012

Online Social Networks have become an important part of daily digital interactions for more than half a billion users around the world. The various personal information sharing practices that online social network providers promote have led to their success as innovative social interaction platforms. At the same time, these practices have raised much critique and concerns with respect to privacy and security from different stakeholders.

Studying and addressing these privacy and security concerns in online social networks is the research challenge that SPION is undertaking. It plans to tackle the responsibilization of individuals with the task of mitigating privacy and security concerns in online social networks by putting the focus on the responsibilities of service providers and stakeholder organizations. SPION explores ways in which the underlying social networking infrastructures and the organizations that run them can be made responsible and accountable for the relevant privacy and security concerns. We will also propose ways to develop and run SNS that are technically more secure and transparent to different stakeholders. The proposals will include mechanisms that fulfill the SNS user communities’ privacy needs.

An Interdisciplinary Approach

SPION is approaching target audience’s needs as well as forms of responsibilization from a variety of disciplines. This target audience includes users, communities and organizations in Flanders. The project brings the proposed legal, technical, social, educational and economic mechanisms to mitigate these concerns to the attention of different stakeholders of online social networks.

Supporting Tools

The project is developing solutions that facilitate better decision making with respect to the target groups’ privacy and security concerns, to mitigate the risks, threats and concerns that are currently manifest in this domain, and, most importantly, create educational tools to raise awareness of privacy issues among youngsters. With the dissemination and application of the research results we expect to contribute to increasing awareness about privacy and security problems in online social networks.

For more information, visit the SPION website

Keccak - Research of the month October 2012

Research of the Month October 2012: Keccak, the winner of the 5-year competition for the cryptographic hash algorithm SHA-3, illustrating European competence and groundbreaking cryptographic expertise.

The US National Institute of Standards and Technology (NIST) announced in October 2012 the winner of its five-year competition to select a new cryptographic hash algorithm, one of the fundamental tools of modern information security.

The winning algorithm, Keccak (pronounced “catch-ack”), was created by Guido Bertoni, Joan Daemen and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP Semiconductors. The team’s entry beat out 63 other submissions that NIST received after its open call for candidate algorithms in 2007, when it was thought that SHA-2, the standard secure hash algorithm, might be threatened. Keccak will now become NIST’s SHA-3 hash algorithm.

Hash algorithms are used widely for cryptographic applications that ensure the authenticity of digital documents, such as digital signatures and message authentication codes. These algorithms take an electronic file and generate a short "digest," a sort of digital fingerprint of the content. A good hash algorithm has a few vital characteristics. Any change in the original message, however small, must cause a change in the digest, and for any given file and digest, it must be infeasible for a forger to create a different file with the same digest.

The NIST team praised the Keccak algorithm for its many admirable qualities, including its elegant design and its ability to run well on many different computing devices. The clarity of Keccak’s construction lends itself to easy analysis (during the competition all submitted algorithms were made available for public examination and criticism), and Keccak has higher performance in hardware implementations than SHA-2 or any of the other finalists.

“Keccak has the added advantage of not being vulnerable in the same ways SHA-2 might be,” says NIST computer security expert Tim Polk. “An attack that could work on SHA-2 most likely would not work on Keccak because the two algorithms are designed so differently.”

Polk says that the two algorithms will offer security designers more flexibility. Despite the attacks that broke other somewhat similar but simpler hash algorithms in 2005 and 2006, SHA-2 has held up well and NIST considers SHA-2 to be secure and suitable for general use.

What then will SHA-3 be good for? While Polk says it may take years to identify all the possibilities for Keccak, it immediately provides an essential insurance policy in case SHA-2 is ever broken. He also speculates that the relatively compact nature of Keccak may make it useful for so-called “embedded” or smart devices that connect to electronic networks but are not themselves full-fledged computers. Examples include sensors in a building-wide security system and home appliances that can be controlled remotely.

“The Internet as we know it is expanding to link devices that many people do not ordinarily think of as being part of a network,” Polk says. “SHA-3 provides a new security tool for system and protocol designers, and that may create opportunities for security in networks that did not exist before.”

(Source: http://www.nist.gov/itl/csd/sha-100212.cfm)

For more on the SHA-3 competition, see http://csrc.nist.gov/groups/ST/hash/sha-3/index.html.

Fire Statistics

Research Institutes: 58
Researchers: 74
Research Projects: 11