Amir Herzberg, Professor
University of Connecticut | UConn · Department of Computer Science and Engineering
About
282 Publications · 193,244 Reads
9,003 Citations
Introduction
Current main research directions:
- Secure inter-domain routing (Internet)
- Secure Public Key Infrastructure
- The Modular Security Specifications (MoSS) Framework (for analysis of security & applied crypto protocols)
- Anonymous messaging
- Secure cyber-physical systems, esp. for power networks
- Stealthy (sensor/microbot) networking, esp. underwater
Additional affiliations
June 2002 - January 2022
March 2014 - July 2014
January 1996 - January 2001
Publications (282)
Before the adoption of Route Origin Validation (ROV), prefix and subprefix hijacks were the most effective and common attacks on BGP routing. Recent works show that ROV adoption is increasing rapidly; with sufficient ROV adoption, prefix and subprefix attacks become ineffective. We study this changing landscape and in particular the Autonomous Syst...
We present BGP-iSec, an enhancement of the BGPsec protocol for securing BGP, the Internet's inter-domain routing protocol. BGP-iSec ensures additional and stronger security properties, compared to BGPsec, without significant extra overhead. The main improvements are: (i) Security for partial adoption: BGP-iSec provides significant security benefi...
This is a (draft) of a textbook which introduces applied cryptography, as a foundation to cybersecurity. The goal is to provide sufficient depth and scope to suffice as the only/main text in cryptography for students who specialize in other areas of cybersecurity (e.g., secure networking), and a useful foundation to more advanced courses in crypto...
Popular instant messaging applications such as WhatsApp and Signal provide end-to-end encryption for billions of users. They rely on a centralized, application-specific server to distribute public keys and relay encrypted messages between the users. Therefore, they prevent passive attacks but are vulnerable to some active attacks. A malicious or ha...
Traditional botnet attacks leverage large and distributed numbers of compromised internet-connected devices to target and overwhelm other devices with internet packets. With increasing consumer adoption of high-wattage internet-facing "smart devices", a new "power botnet" attack emerges, where such devices are used to target and overwhelm power gri...
Applied cryptographic protocols have to meet a rich set of security requirements under diverse environments and against diverse adversaries. However, currently used security specifications, based on either simulation [11, 27] (e.g., ‘ideal functionality’ in UC) or games [8, 29], are monolithic, combining together different aspects of protocol requi...
We investigate an understudied threat: networks of stealthy routers (S-Routers), relaying messages to a hidden destination. The S-Routers relay communication along a path of multiple short-range, low-energy hops, to avoid remote localization by triangulation. Mobile devices called Interceptors can detect communication by an S-Router, but only whe...
Introduction to Public Key Infrastructure (PKI), mainly, X.509.
People who use secure messaging apps are vulnerable to a hacked or malicious server unless they manually complete an authentication ceremony. In this article, we describe the usability challenges of the authentication ceremony and research to improve it. We conclude with recommendations for service providers and directions for research.
We study and extend Route Origin Validation (ROV), the basis for the IETF defenses of interdomain routing. We focus on two important hijack attacks: subprefix hijacks and non-routed prefix hijacks. For both attacks, we show that, with partial deployment, ROV provides disappointing security benefits. We also present a new attack, superprefix hijacks...
Cross-site search attacks allow a rogue website to expose private, sensitive user-information from web applications. The attacker exploits timing and other side channels to extract the information, using cleverly-designed cross-site queries. In this work, we present a systematic approach to the study of cross-site search attacks. We begin with a co...
This is an early draft of part II of the Foundations of Cybersecurity; this part focuses on Network Security.
It is an early draft and I post it here mostly since it already contains quite a few useful exercises. I am beginning slowly to add content; the chapter on Denial of Service, in particular, may already be of some use. I will also post the...
Public Key Infrastructure - lecture set 8 from the course `Foundations of CyberSecurity - part I, applied cryptography'. Lecture notes as well as other presentations available from the `Foundations of CyberSecurity' project on researchgate. Comments, errors, missing/outdated materials - let me know, thanks.
A lecture covering the TLS and SSL protocols, mainly focusing on the handshake protocol. To be used with the lecture notes (also in researchgate) - part of Foundations of Cybersecurity project.
This is a presentation which covers the second part of the Public-Key Cryptography chapter in `Foundations of Cyber-Security, part I : applied cryptography'. Lecture notes and other presentations are available in the researchgate project.
This is lecture set 4 for the course `introduction to cybersecurity, part I: applied crypto'. The lecture notes are also available as a ResearchGate project. Corrections, comments and suggestions on the lecture and on the notes would be appreciated!
PKC part I - Key Exchange; Lecture set 5 in course `Foundations of CyberSecurity, part I : applied crypto'. The lecture notes are also available as a ResearchGate project. Corrections, comments and suggestions on the lecture and on the notes would be appreciated!
Foundations of CyberSecurity, part II: Network Security,
Lecture Set 3: TCP/IP Stack Security: Poisoning, Injecting, and more
Covers:
Link-layer Security and Poisoning
Internet Protocol (IP) Security
IPsec
IP Spoofing
Fragmentation attacks
DNS poisoning
DNSSEC
Transport Layer Security
TCP injections and related attacks
QUIC security
In this lecture set we discuss cryptographic hash functions, their properties, and (some of) their many applications, including: integrity (hash-block, blockchain), hash-then-sign, randomness, and more. The presentation should be most useful together with the course's lecture notes. Feedback appreciated.
Denial-of-service (DoS) attacks, which prevent legitimate users from accessing the system by flooding it with traffic or causing it to crash, are often used to disrupt network or computation services. We present QuicR, an adaptation of the QUIC protocol that is resilient to congestion and bandwidth-denial-of-service attacks. Specifically, QuicR use...
QuicR: QUIC Resiliency to BW-DoS Attacks
This is the second lecture set in the course `Introduction to cyber security', part I - applied crypto. The lecture notes are available (and pretty often updated) in my researchgate project.
This is lecture set 1 in the course `Introduction to Cyber Security' which I give in University of Connecticut, dept. of Computer Science and Engineering; see lecture notes and exercises (available in ResearchGate). This is work-in-progress and there are many comments and mistakes, please use with caution; corrections and suggestions are appreciate...
Note: this entry contains both presentation and paper.
BGP is a gaping security hole in today’s Internet, as evidenced by numerous Internet outages and blackouts, repeated traffic hijacking, and surveillance incidents. To protect against prefix hijacking, the Resource Public Key Infrastructure (RPKI) has been standardized. Yet, despite Herculean e...
Cyber physical systems (CPS) typically contain multiple control loops, where the controllers use actuators to trigger a physical process, based on sensor readings. Attackers typically coordinate attacks using multiple corrupted devices; defenses often focus on detecting this abnormal communication.
We present the first provably-covert channel from a...
Strict regulations and security practices of critical cyber-physical systems, such as nuclear plants, require complete isolation between their data-acquisition zone and their safety and security zones. Isolation methods range from firewall devices, to 'data diodes' that only allow one-way communication.
In this work we explore a possible threat byp...
Mix networks are a key technology to achieve network anonymity and private messaging, voting and database lookups. However, simple mix network designs are vulnerable to malicious mixes, which may drop or delay packets to facilitate traffic analysis attacks. Mix networks with provable robustness address this drawback through complex and expensive p...
Lecture on spam and phishing, mostly focused on email. Covers SPF, DKIM, DMARC and more.
Included in part II (Network security) of `Foundations of Cybersecurity'.
With the recent emergence of efficient zero-knowledge (ZK) proofs for general circuits, while efficient zero-knowledge proofs of algebraic statements have existed for decades, a natural challenge arose to combine algebraic and non-algebraic statements. Chase et al. (CRYPTO 2016) proposed an interactive ZK proof system for this cross-domain problem....
An introduction to the basic cryptography involved in blockchains: digital signatures and hash functions. This can be useful as part of the `intro to cybersecurity' course (part I). The presentation was prepared for and presented as a tutorial in the Blockchain workshop, March 2019, ITAM (Mexico). No prior knowledge in crypto is required - this is...
This is introductory presentation about Denial of Service (DoS) attacks, presentation-set 4 in the Foundations of Cybersecurity project, part II: Network security.
An overview of my recent works on practical and secure anonymous messaging protocols, including AnonPoP, Miranda and AnNotify. These are joint works with Nethanel Gelerenter, Jamie Hayes, Hemi Leibowitz, Ania Piotrowska and George Danezis .
This is an improved version of the presentation (lecture) on public key infrastructure; I think it is already usable, although, there is yet much to improve, esp. related to advanced emerging PK schemes - I cover Certificate Transparency, but not deeply/clearly enough. I'll revise this when I prepare the corresponding chapter in the notes, but this...
Mix networks are a key technology to achieve network anonymity, private messaging, voting and database lookups. However, simple mix networks are vulnerable to malicious mixes, which may drop or delay packets to facilitate traffic analysis attacks. Mix networks with provable robustness address this drawback through complex and expensive proofs of co...
This paper presents a grass-root approach to issuing routing public key certificates, to secure inter-domain routing in the Internet.
Privacy, facilitated by a confluence of cryptography and decentralization, is one of the primary motivations for the adoption of cryptocurrencies like Bitcoin. Alas, Bitcoin's privacy promise has proven illusory, and despite growing interest in privacy-centric blockchains, most blockchain users remain susceptible to privacy attacks that exploit netw...
This is lecture set 9 for the course `introduction to cybersecurity'. Updated Nov. 2018.
The lecture notes are also available as a ResearchGate project; but this specific chapter will only be added in a few months. Corrections, comments and suggestions on the lecture and on the notes would be appreciated!
We investigate an understudied threat: networks of stealthy routers (S-Routers), communicating across a restricted area. S-Routers use short-range, low-energy communication, detectable only by nearby devices. We examine algorithms to intercept S-Routers, using one or more mobile devices, called Interceptors. We focus on Destination-Search scenarios...
Performing Route Origin Validation (ROV) to filter BGP announcements, which contradict Route Origin Authorizations (ROAs) is critical for protection against BGP prefix hijacks. Recent works quantified ROV enforcing Autonomous Systems (ASes) using control-plane experiments. In this work we show that control-plane experiments do not provide accurate...
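The two ROV abstracts above (the subprefix/superprefix/non-routed hijack study and the ROV measurement work) both rest on how a router classifies an announcement against its ROAs. The block below is an added example, not code from any of these papers: it implements the RFC 6811 origin-validation states (Valid, Invalid, NotFound) and the usual filtering policy of dropping only Invalid routes, then runs it over constructed ROAs and announcements (private address space, private ASNs) that reproduce each hijack type named in the abstracts. The ROA and announcement data, and the function names, are assumptions for illustration.

```python
"""Route Origin Validation (ROV) per RFC 6811, run over constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization (a validated ROA payload, in RFC 6811 terms)."""
    prefix: str        # e.g. "10.0.0.0/16"
    max_length: int    # longest prefix length the holder may announce
    asn: int           # authorized origin AS; 0 means nobody may originate it


def rov_state(announced_prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Return the RFC 6811 validation state: 'Valid', 'Invalid' or 'NotFound'.

    A ROA *covers* the route if the announced prefix lies inside the ROA prefix
    (same address family, ROA length <= announced length).  A covering ROA
    *matches* if the origin AS equals the ROA's AS and the announced length does
    not exceed maxLength.  No covering ROA -> NotFound; some match -> Valid;
    covering ROAs but no match -> Invalid.
    """
    route = ip_network(announced_prefix, strict=True)
    covering = [
        roa for roa in roas
        if ip_network(roa.prefix).version == route.version
        and route.subnet_of(ip_network(roa.prefix))
    ]
    if not covering:
        return "NotFound"
    for roa in covering:
        # An AS 0 ROA can never match a real origin AS, so every announcement of
        # that prefix is Invalid (RFC 6483 / RFC 7607).
        if roa.asn == origin_as and route.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def rov_filter(
    announcements: Iterable[Tuple[str, int]],
    roas: Iterable[ROA],
    accept_states: FrozenSet[str] = frozenset({"Valid", "NotFound"}),
) -> List[Tuple[str, int, str]]:
    """Apply an ROV policy and return the accepted (prefix, origin, state) triples.

    The default policy is the common one: drop Invalid, accept Valid and NotFound,
    which is exactly why hijacks that land in NotFound get through.
    """
    roas = list(roas)
    accepted = []
    for prefix, origin in announcements:
        state = rov_state(prefix, origin, roas)
        if state in accept_states:
            accepted.append((prefix, origin, state))
    return accepted


# Constructed ROAs (private address space and private ASNs; not real data):
# AS 64500 holds 10.0.0.0/16 and may announce only the full /16;
# 10.2.0.0/16 carries an AS 0 ROA, i.e. it must never be announced by anyone.
ROAS = [ROA("10.0.0.0/16", 16, 64500), ROA("10.2.0.0/16", 16, 0)]

# Constructed announcements: the legitimate origin plus one of each hijack type.
ANNOUNCEMENTS = [
    ("10.0.0.0/16", 64500),   # legitimate origin            -> Valid
    ("10.0.0.0/16", 64666),   # prefix hijack                -> Invalid, dropped
    ("10.0.1.0/24", 64666),   # subprefix hijack             -> Invalid, dropped
    ("10.0.0.0/8",  64666),   # superprefix hijack           -> NotFound, accepted
    ("10.1.0.0/16", 64666),   # non-routed prefix, no ROA    -> NotFound, accepted
    ("10.2.0.0/16", 64666),   # non-routed prefix, AS 0 ROA  -> Invalid, dropped
]


def demo() -> List[Tuple[str, int, str]]:
    """Run the default ROV policy over the constructed announcements."""
    return rov_filter(ANNOUNCEMENTS, ROAS)


if __name__ == "__main__":
    for prefix, origin, state in demo():
        print(f"accepted {prefix:<12} from AS{origin}: {state}")
```

Running it shows the gap the abstracts describe: the prefix and subprefix hijacks are Invalid and dropped, but the superprefix (10.0.0.0/8) and the un-registered non-routed prefix (10.1.0.0/16) are NotFound and accepted, because no ROA covers them and ROV drops only Invalid routes. The AS 0 ROA on 10.2.0.0/16 is the standard way to make a non-routed prefix Invalid; it protects only prefixes the holder has actually registered. Note also that the legitimate holder announcing 10.0.1.0/24 is Invalid here because the ROA's maxLength is /16, so a ROA must list every length the holder intends to announce.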
We introduce the Anonymous Post-Office Protocol (AnonPoP), a practical strongly-anonymous messaging system. Its design effectively combines known techniques such as (synchronous) mix-cascade and constant sending rate, with several new techniques including request-pool, bad-server isolation and per-epoch mailboxes. AnonPoP offers strong anonymity ag...
AnNotify is a scalable service for private, timely and low-cost on-line notifications, based on anonymous communication, sharding, dummy queries, and Bloom filters. We present the design and analysis of AnNotify, as well as an evaluation of its costs. We outline the design of AnNotify and calculate the concrete advantage of an adversary observing m...
The Resource Public Key Infrastructure (RPKI) binds IP address blocks to owners' public keys. RPKI enables routers to perform Route Origin Validation (ROV), thus preventing devastating attacks such as IP prefix hijacking. Yet, despite extensive effort, RPKI's deployment is frustratingly sluggish, leaving the Internet largely insecure. We tackle fun...
Network Address Translation (NAT) routers aggregate the flows of multiple devices behind a single IP address. NAT routers 'hide' the original IP address. This is often viewed as a privacy feature, making it harder to identify the communication of individual devices behind the NAT. De-NAT is the reverse process: of re-identifying communication flow...
Recently, many popular Instant-Messaging (IM) applications announced support for end-to-end encryption, claiming confidentiality even against a rogue operator. Is this, finally, a positive answer to the basic challenge of usable-security presented in the seminal paper, 'Why Johnny Can't Encrypt'?
Our work evaluates the implementation of end-to-end...
We study the trade-off between the benefits obtained by communication, vs. the risks due to exposure of the location of the transmitter. To study this problem, we introduce a game between two teams of mobile agents, the P-bots team and the E-bots team. The E-bots attempt to eavesdrop and collect information, while evading the P-bots; the P-bots att...
We define the concept of and present provably secure constructions for Anonymous RAM (AnonRAM), a novel multiuser storage primitive that offers strong privacy and integrity guarantees. AnonRAM combines privacy features of anonymous communication and oblivious RAM (ORAM) schemes, allowing it to protect, simultaneously, the privacy of content, access...
Autocomplete, a well-known feature in popular search engines, offers suggestions for search terms before the user has even completed typing their query. We present the autocomplete injection attack and its potential exploits. In this attack, a cross-site attacker injects terms into the autocomplete suggestions offered by a web-service to a victim u...
Extensive standardization and R&D efforts are dedicated to establishing secure interdomain routing. These efforts focus on two mechanisms: origin authentication with RPKI, and path validation with BGPsec. However, while RPKI is finally gaining traction, the adoption of BGPsec seems not even on the horizon due to inherent, possibly insurmountable,...
Obfuscation is challenging; we currently have practical candidates with rather vague security guarantees on the one side, and theoretical constructions which have recently experienced jeopardizing attacks against the underlying cryptographic assumptions on the other side. This motivates us to study and present robust combiners for obfuscators, whic...
AnoNotify is a service for private, timely and low-cost on-line notifications. We present the design and security arguments behind AnoNotify, as well as an evaluation of its cost. AnoNotify is based on mix-networks, Bloom filters and shards. We present a security definition and security proofs for AnoNotify. We then discuss a number of applications...
We present the malicious CAPTCHA attack, allowing rogue sites to trick users into unknowingly disclosing their private information. This circumvents the Same Origin Policy (SOP), whose goal is to prevent direct access by the rogue site to such private information. The rogue site exploits the fact that sites often display some private information to...
We present CDN-on-Demand, a software-based defense that administrators of small to medium websites install to resist powerful DDoS attacks, with a fraction of the cost of comparable commercial CDN services. Upon excessive load, CDN-on-Demand serves clients from a scalable set of proxies that it automatically deploys on multiple IaaS cloud providers...
We identify the threat of cross-site framing attacks, which involves planting false evidence that incriminates computer users, without requiring access to their computer. We further show that a variety of framing-evidence can be planted using only modest framing-attacker capabilities. The attacker can plant evidence in both the logs of popular repu...
Extensive standardization and R&D efforts are dedicated to establishing secure interdomain routing. These efforts focus on two complementary mechanisms: origin authentication with RPKI, and path validation with BGPsec. However, while RPKI is finally gaining traction, the adoption of BGPsec seems not even on the horizon. This is due to inherent, pos...
Cross-site search (XS-search) attacks circumvent the same-origin policy and extract sensitive information, by using the time it takes for the browser to receive responses to search queries. This side-channel is usually considered impractical, due to the limited attack duration and high variability of delays. This may be true for naive XS-search att...
Given a network of n = 2^k gossipers, we want to schedule a cyclic calendar of meetings between all of them, such that: (1) each gossiper meets (gossips) only once a day, with one other gossiper, (2) in every (n - 1) consecutive days, each gossiper meets all other gossipers, and (3) every gossip, initiated by any gossiper, will reach all gossipers wi...
To ensure the best security and efficiency, cryptographic protocols such as Transport Layer Security and IPsec should let parties negotiate the use of the "best" cryptographic algorithms; this is referred to as cipher-suite negotiation. However, cipher-suite negotiation is lacking in DNS Security Extensions (DNSSEC), introducing several problems. T...