-
A Comprehensive Framework for Building Highly Secure, Network-Connected Devices: Chip to App
Authors:
Khan Reaz,
Gerhard Wunder
Abstract:
The rapid expansion of connected devices has amplified the need for robust and scalable security frameworks. This paper proposes a holistic approach to securing network-connected devices, covering essential layers: hardware, firmware, communication, and application. At the hardware level, we focus on secure key management, reliable random number generation, and protecting critical assets. Firmware…
▽ More
The rapid expansion of connected devices has amplified the need for robust and scalable security frameworks. This paper proposes a holistic approach to securing network-connected devices, covering essential layers: hardware, firmware, communication, and application. At the hardware level, we focus on secure key management, reliable random number generation, and protecting critical assets. Firmware security is addressed through mechanisms like cryptographic integrity validation and secure boot processes. For secure communication, we emphasize TLS 1.3 and optimized cipher suites tailored for both standard and resource-constrained devices. To overcome the challenges of IoT, compact digital certificates, such as CBOR, are recommended to reduce overhead and enhance performance. Additionally, the paper explores forward-looking solutions, including post-quantum cryptography, to future-proof systems against emerging threats. This framework provides actionable guidelines for manufacturers and system administrators to build secure devices that maintain confidentiality, integrity, and availability throughout their lifecycle.
△ Less
Submitted 23 January, 2025;
originally announced January 2025.
-
Tracking UWB Devices Through Radio Frequency Fingerprinting Is Possible
Authors:
Thibaud Ardoin,
Niklas Pauli,
Benedikt Groß,
Mahsa Kholghi,
Khan Reaz,
Gerhard Wunder
Abstract:
Ultra-wideband (UWB) is a state-of-the-art technology designed for applications requiring centimeter-level localization. Its widespread adoption by smartphone manufacturer naturally raises security and privacy concerns. Successfully implementing Radio Frequency Fingerprinting (RFF) to UWB could enable physical layer security, but might also allow undesired tracking of the devices. The scope of thi…
▽ More
Ultra-wideband (UWB) is a state-of-the-art technology designed for applications requiring centimeter-level localization. Its widespread adoption by smartphone manufacturer naturally raises security and privacy concerns. Successfully implementing Radio Frequency Fingerprinting (RFF) to UWB could enable physical layer security, but might also allow undesired tracking of the devices. The scope of this paper is to explore the feasibility of applying RFF to UWB and investigates how well this technique generalizes across different environments. We collected a realistic dataset using off-the-shelf UWB devices with controlled variation in device positioning. Moreover, we developed an improved deep learning pipeline to extract the hardware signature from the signal data. In stable conditions, the extracted RFF achieves over 99% accuracy. While the accuracy decreases in more changing environments, we still obtain up to 76% accuracy in untrained locations.
△ Less
Submitted 8 January, 2025;
originally announced January 2025.
-
Formal Verification of Permission Voucher
Authors:
Khan Reaz,
Gerhard Wunder
Abstract:
Formal verification is a critical process in ensuring the security and correctness of cryptographic protocols, particularly in high-assurance domains. This paper presents a comprehensive formal analysis of the Permission Voucher Protocol, a system designed for secure and authenticated access control in distributed environments. The analysis employs the Tamarin Prover, a state-of-the-art tool for s…
▽ More
Formal verification is a critical process in ensuring the security and correctness of cryptographic protocols, particularly in high-assurance domains. This paper presents a comprehensive formal analysis of the Permission Voucher Protocol, a system designed for secure and authenticated access control in distributed environments. The analysis employs the Tamarin Prover, a state-of-the-art tool for symbolic verification, to evaluate key security properties such as authentication, confidentiality, integrity, mutual authentication, and replay prevention. We model the protocol's components, including trust relationships, secure channels, and adversary capabilities under the Dolev-Yao model. Verification results confirm the protocol's robustness against common attacks such as message tampering, impersonation, and replay. Additionally, dependency graphs and detailed proofs demonstrate the successful enforcement of security properties like voucher authenticity, data confidentiality, and key integrity. The study identifies potential enhancements, such as incorporating timestamp-based validity checks and augmenting mutual authentication mechanisms to address insider threats and key management challenges. This work highlights the advantages and limitations of using the Tamarin Prover for formal security verification and proposes strategies to mitigate scalability and performance constraints in complex systems.
△ Less
Submitted 18 December, 2024;
originally announced December 2024.
-
Continuous Automatic Polarization Channel Stabilization from Heterodyne Detection of Coexisting Dim Reference Signals
Authors:
Joseph C. Chapman,
Muneer Alshowkan,
Kazi Reaz,
Tian Li,
Mariam Kiran
Abstract:
Quantum networking continues to encode information in polarization states due to ease and precision. The variable environmental polarization transformations induced by deployed fiber need correction for deployed quantum networking. Here we present a new method for automatic polarization compensation (APC) and demonstrate its performance on a metropolitan quantum network. Designing an APC involves…
▽ More
Quantum networking continues to encode information in polarization states due to ease and precision. The variable environmental polarization transformations induced by deployed fiber need correction for deployed quantum networking. Here we present a new method for automatic polarization compensation (APC) and demonstrate its performance on a metropolitan quantum network. Designing an APC involves many design decisions indicated by the diversity of previous solutions in the literature. Our design leverages heterodyne detection of wavelength-multiplexed dim classical references for continuous high-bandwidth polarization measurements used by newly developed multi-axis (non-)linear control algorithm(s) for complete polarization channel stabilization with no downtime. This enables continuous relatively high-bandwidth correction without significant added noise from classical reference signals. We demonstrate the performance of our APC using a variety of classical and quantum characterizations. Finally, we use C-band and L-band APC versions to demonstrate continuous high-fidelity entanglement distribution on a metropolitan quantum network with average relative fidelity of $0.94\pm0.03$ for over 30 hrs
△ Less
Submitted 22 November, 2024;
originally announced November 2024.
-
Advancements in UWB: Paving the Way for Sovereign Data Networks in Healthcare Facilities
Authors:
Khan Reaz,
Thibaud Ardoin,
Lea Muth,
Marian Margraf,
Gerhard Wunder,
Mahsa Kholghi,
Kai Jansen,
Christian Zenger,
Julian Schmidt,
Enrico Köppe,
Zoran Utkovski,
Igor Bjelakovic,
Mathis Schmieder,
Olaf Dressel
Abstract:
Ultra-Wideband (UWB) technology re-emerges as a groundbreaking ranging technology with its precise micro-location capabilities and robustness. This paper highlights the security dimensions of UWB technology, focusing in particular on the intricacies of device fingerprinting for authentication, examined through the lens of state-of-the-art deep learning techniques. Furthermore, we explore various p…
▽ More
Ultra-Wideband (UWB) technology re-emerges as a groundbreaking ranging technology with its precise micro-location capabilities and robustness. This paper highlights the security dimensions of UWB technology, focusing in particular on the intricacies of device fingerprinting for authentication, examined through the lens of state-of-the-art deep learning techniques. Furthermore, we explore various potential enhancements to the UWB standard that could realize a sovereign UWB data network. We argue that UWB data communication holds significant potential in healthcare and ultra-secure environments, where the use of the common unlicensed 2.4~GHz band-centric wireless technology is limited or prohibited. A sovereign UWB network could serve as an alternative, providing secure localization and short-range data communication in such environments.
△ Less
Submitted 8 August, 2024;
originally announced August 2024.
-
Expectation Entropy as a Password Strength Metric
Authors:
Khan Reaz,
Gerhard Wunder
Abstract:
The classical combinatorics-based password strength formula provides a result in tens of bits, whereas the NIST Entropy Estimation Suite give a result between 0 and 1 for Min-entropy. In this work, we present a newly developed metric -- Expectation entropy that can be applied to estimate the strength of any random or random-like password. Expectation entropy provides the strength of a password on…
▽ More
The classical combinatorics-based password strength formula provides a result in tens of bits, whereas the NIST Entropy Estimation Suite give a result between 0 and 1 for Min-entropy. In this work, we present a newly developed metric -- Expectation entropy that can be applied to estimate the strength of any random or random-like password. Expectation entropy provides the strength of a password on the same scale as an entropy estimation tool. Having an 'Expectation entropy' of a certain value, for example, 0.4 means that an attacker has to exhaustively search at least 40\% of the total number of guesses to find the password.
△ Less
Submitted 18 March, 2024;
originally announced April 2024.
-
ASOP: A Sovereign and Secure Device Onboarding Protocol for Cloud-based IoT Services
Authors:
Khan Reaz,
Gerhard Wunder
Abstract:
The existing high-friction device onboarding process hinders the promise and potentiality of Internet of Things (IoT). Even after several attempts by various device manufacturers and working groups, no widely adopted standard solution came to fruition. The latest attempt by Fast Identity Online (FIDO) Alliance promises a zero touch solution for mass market IoT customers, but the burden is transfer…
▽ More
The existing high-friction device onboarding process hinders the promise and potentiality of Internet of Things (IoT). Even after several attempts by various device manufacturers and working groups, no widely adopted standard solution came to fruition. The latest attempt by Fast Identity Online (FIDO) Alliance promises a zero touch solution for mass market IoT customers, but the burden is transferred to the intermediary supply chain (i.e. they have to maintain infrastructure for managing keys and digital signatures called `Ownership Voucher' for all devices). The specification relies on a `Rendezvous Server' mimicking the notion of Domain Name System (DNS) server'. This essentially means resurrecting all existing possible attack scenarios associated with DNS, which include Denial of Service (DoS) attack, and Correlation attack. `Ownership Voucher' poses the risk that some intermediary supply chain agents may act maliciously and reject the transfer of ownership or sign with a wrong key. Furthermore, the deliberate use of the weak elliptic curve SECP256r1/SECP384r1 (also known as NIST P-256/384) in the specification raises questions. We introduce ASOP: a sovereign and secure device onboarding protocol for IoT devices without blindly trusting the device manufacturer, supply chain, and cloud service provider. The ASOP protocol allows onboarding an IoT device to a cloud server with the help of an authenticator owned by the user. This paper outlines the preliminary development of the protocol and its high-level description. Our `zero-trust' and `human-in-the-loop' approach guarantees that the device owner does not remain at the mercy of third-party infrastructures, and it utilises recently standardized post-quantum cryptographic suite (CRYSTALS) to secure connection and messages.
△ Less
Submitted 18 March, 2024;
originally announced March 2024.
-
Experimental decoy-state asymmetric measurement-device-independent quantum key distribution over a turbulent high-loss channel
Authors:
Kazi Reaz,
Md Mehdi Hassan,
Adrien Green,
Noah Crum,
George Siopsis
Abstract:
Real-world BB84 Quantum Key Distribution (QKD) systems utilize imperfect devices that introduce vulnerabilities to their security, known as side-channel attacks. Measurement-Device-Independent (MDI) QKD authorizes an untrusted third party to make measurements and removes all side-channel attacks. The typical implementations of MDI-QKD employ near symmetric channels which are difficult to realize p…
▽ More
Real-world BB84 Quantum Key Distribution (QKD) systems utilize imperfect devices that introduce vulnerabilities to their security, known as side-channel attacks. Measurement-Device-Independent (MDI) QKD authorizes an untrusted third party to make measurements and removes all side-channel attacks. The typical implementations of MDI-QKD employ near symmetric channels which are difficult to realize physically in many practical scenarios such as when asymmetric channel losses are present, normally a consequence of the communication environment. Maritime and satellite-based communications are two such instances in which the channels are characterized by continuously changing losses in different channels. In this work, we perform asymmetric MDI-QKD in a laboratory environment with simulated turbulence using an Acousto-Optic Modulator (AOM) to interrogate the performance of free-space quantum communication. Under turbulent conditions, scattering and beam wandering cause intensity fluctuations which decrease the detected signal-to-noise ratio. Using the 7-intensity optimization method proposed by Wang et al., coupled with Prefixed-Threshold Real-time Selection (P-RTS), we demonstrate enhancement in the secure key rate under turbulent conditions for finite-size decoy-state MDI QKD. Furthermore, we show that P-RTS can yield considerably higher secure key rates for a wide range of atmospheric channel parameters.
△ Less
Submitted 7 November, 2023;
originally announced November 2023.
-
Experimental free-space quantum key distribution over a turbulent high-loss channel
Authors:
Md Mehdi Hassan,
Kazi Reaz,
Adrien Green,
Noah Crum,
George Siopsis
Abstract:
Free-space quantum cryptography plays an integral role in realizing a global-scale quantum internet system. Compared to fiber-based communication networks, free-space networks experience significantly less decoherence and photon loss due to the absence of birefringent effects in the atmosphere. However, the atmospheric turbulence contributes to deviation in transmittance distribution, which introd…
▽ More
Free-space quantum cryptography plays an integral role in realizing a global-scale quantum internet system. Compared to fiber-based communication networks, free-space networks experience significantly less decoherence and photon loss due to the absence of birefringent effects in the atmosphere. However, the atmospheric turbulence contributes to deviation in transmittance distribution, which introduces noise and channel loss. Several methods have been proposed to overcome the low signal-to-noise ratio. Active research is currently focused on establishing secure and practical quantum communication in a high-loss channel, and enhancing the secure key rate by implementing bit rejection strategies when the channel transmittance drops below a certain threshold. By simulating the atmospheric turbulence using an acousto-optical-modulator (AOM) and implementing the prefixed-threshold real-time selection (P-RTS) method, our group performed finite-size decoy-state Bennett-Brassard 1984 (BB84) quantum key distribution (QKD) protocol for 19 dB channel loss. With better optical calibration and efficient superconducting nano-wire single photon detector (SNSPD), we have extended our previous work to 40 dB channel loss characterizing the transmittance distribution of our system under upper moderate turbulence conditions.
△ Less
Submitted 2 May, 2023;
originally announced May 2023.
-
ComPass: Proximity Aware Common Passphrase Agreement Protocol for Wi-Fi devices Using Physical Layer Security
Authors:
Khan Reaz,
Gerhard Wunder
Abstract:
Secure and scalable device provisioning is a notorious challenge in Wi-Fi. WPA2/WPA3 solutions take user interaction and a strong passphrase for granted. However, the often weak passphrases are subject to guessing attacks. Notably, there has been a significant rise of cyberattacks on Wi-Fi home or small office networks during the COVID-19 pandemic. This paper addresses the device provisioning prob…
▽ More
Secure and scalable device provisioning is a notorious challenge in Wi-Fi. WPA2/WPA3 solutions take user interaction and a strong passphrase for granted. However, the often weak passphrases are subject to guessing attacks. Notably, there has been a significant rise of cyberattacks on Wi-Fi home or small office networks during the COVID-19 pandemic. This paper addresses the device provisioning problem in Wi-Fi (personal mode) and proposes ComPass protocol to supplement WPA2/WPA3. ComPass replaces the pre-installed or user-selected passphrases with automatically generated ones. For this, ComPass employs Physical Layer Security and extracts credentials from common random physical layer parameters between devices. Two major features make ComPass unique and superior compared to previous proposals: First, it employs phase information (rather than amplitude or signal strength) to generate the passphrase so that it is robust, scaleable, and impossible to guess. Our analysis showed that ComPass generated passphrases have 3 times more entropy than human generated passphrases (113-bits vs. 34-bits). Second, ComPass selects parameters such that two devices bind only within a certain proximity (less than 3m), hence providing practically useful in-build PLS-based authentiation. ComPass is available as a kernel module or as full firmware.
△ Less
Submitted 27 April, 2021; v1 submitted 11 March, 2021;
originally announced March 2021.
-
The Effect of Varying Co layer thickness on the Time-Temperature Characteristics of Co/Sb Semimetal Embedded Magnetic Nanoparticles
Authors:
M. R. Madden,
T. Alshammary,
B. Grove,
J. Phillips,
K. Reaz,
S. Hensley,
G. G. Kenning
Abstract:
We report the effect of varying cobalt thickness on the temperature-dependent time decay of the electrical resistance of Co/Sb multilayer samples. We find that for a given temperature, a five fold change in the Co thickness produces a 100 fold change in the characteristic decay time of the resistance. We find that the characteristic decay time, as a function of temperature, follows an Arrhenius la…
▽ More
We report the effect of varying cobalt thickness on the temperature-dependent time decay of the electrical resistance of Co/Sb multilayer samples. We find that for a given temperature, a five fold change in the Co thickness produces a 100 fold change in the characteristic decay time of the resistance. We find that the characteristic decay time, as a function of temperature, follows an Arrhenius law. During deposition, the Co evolves single domain magnetic nanoparticles, on the Sb, in either a Volmer-Weber or Stranski-Krastanov growth mode. This metastable state is then encased in 2.5 nm of Sb producing an embedded nanoparticle system. Scanning Tunneling Microscopy (STM) measurements taken before sample aging (annealing at a given temperature for enough time to complete the resistance decay) and after aging show that these nanoparticles undergo morphological transformations during aging. These transformations lead to well defined time dependent decays in both the magnetization and the electrical resistance, making this material an excellent candidate for an electronic time-temperature sensor.
△ Less
Submitted 19 December, 2014;
originally announced December 2014.