Amir Herzberg

University of Connecticut | UConn · Department of Computer Science and Engineering

Professor

About

276
Publications
142,239
Reads
7,335
Citations
Introduction
Current main research directions:
  • Secure inter-domain routing (Internet)
  • Secure Public Key Infrastructure
  • The Model-Secure Framework (for analysis of security & applied crypto protocols)
  • Anonymous messaging
  • Secure cyber-physical systems, esp. for power networks
  • Stealthy (sensor/microbot) networking, esp. underwater
  • Security of Open-Source Code
... and of course completing my `foundations of cybersecurity' (download drafts from researchgate)
Research Experience
March 2014 - July 2014
Technische Universität Darmstadt
Position
  • Visiting professor
June 2002 - present
Bar Ilan University
Position
  • Professor
January 1996 - January 2001
IBM
Position
  • Research group manager

Publications (276)
Article
Full-text available
We investigate an understudied threat: networks of stealthy routers (S-Routers), relaying messages to a hidden destination. The S-Routers relay communication along a path of multiple short-range, low-energy hops, to avoid remote localization by triangulation. Mobile devices called Interceptors can detect communication by an S-Router, but only whe...
Presentation
Full-text available
Introduction to Public Key Infrastructure (PKI), mainly, X.509.
Presentation
Full-text available
PKI Tutorial, part 2: Revocation
Presentation
Full-text available
PKI Tutorial, day 3: transparency.
Article
Full-text available
People who use secure messaging apps are vulnerable to a hacked or malicious server unless they manually complete an authentication ceremony. In this article, we describe the usability challenges of the authentication ceremony and research to improve it. We conclude with recommendations for service providers and directions for research.
Conference Paper
Full-text available
We study and extend Route Origin Validation (ROV), the basis for the IETF defenses of interdomain routing. We focus on two important hijack attacks: subprefix hijacks and non-routed prefix hijacks. For both attacks, we show that, with partial deployment, ROV provides disappointing security benefits. We also present a new attack, superprefix hijacks...
Chapter
Cross-site search attacks allow a rogue website to expose private, sensitive user-information from web applications. The attacker exploits timing and other side channels to extract the information, using cleverly-designed cross-site queries. In this work, we present a systematic approach to the study of cross-site search attacks. We begin with a co...
Conference Paper
Full-text available
Cross-site search attacks allow a rogue website to expose private, sensitive user-information from web applications. The attacker exploits timing and other side channels to extract the information, using cleverly-designed cross-site queries. In this work, we present a systematic approach to the study of cross-site search attacks. We begin with a co...
Presentation
Full-text available
Cross-site search attacks allow a rogue website to expose private, sensitive user information from web applications. The attacker exploits timing and other side channels to extract the information, using cleverly-designed cross-site queries. In this work, we present a systematic approach to the study of cross-site search attacks. We begin with a c...
Preprint
Full-text available
This is a draft of volume I of the textbook `Foundations of Cybersecurity'. This volume is titled `An applied introduction to cryptography'. This course evolved from my lecture notes in `introduction to cyber-security' course, which I give in University of Connecticut. See my project for this text for presentations and more details. Comments, corre...
Preprint
Full-text available
This is an early draft of part II of the Foundations of Cybersecurity; this part focuses on Network Security. It is an early draft and I post it here mostly since it already contains quite a few useful exercises. I am beginning slowly to add content; the chapter on Denial of Service, in particular, may already be of some use. I will also post the...
Presentation
Full-text available
Public Key Infrastructure - lecture set 8 from the course `Foundations of CyberSecurity - part I, applied cryptography'. Lecture notes as well as other presentations available from the `Foundations of CyberSecurity' project on researchgate. Comments, errors, missing/outdated materials - let me know, thanks.
Presentation
Full-text available
A lecture covering the TLS and SSL protocols, mainly focusing on the handshake protocol. To be used with the lecture notes (also in researchgate) - part of Foundations of Cybersecurity project.
Presentation
Full-text available
This is a presentation which covers the second part of the Public-Key Cryptography chapter in `Foundations of Cyber-Security, part I : applied cryptography'. Lecture notes and other presentations are available in the researchgate project.
Presentation
Full-text available
This is lecture set 4 for the course `introduction to cybersecurity, part I: applied crypto'. The lecture notes are also available as ResearchGate project. Corrections, comments and suggestions on the lecture and on the notes would be appreciated!
Presentation
Full-text available
PKC part I - Key Exchange; Lecture set 5 in course `Foundations of CyberSecurity, part I : applied crypto'. The lecture notes are also available as ResearchGate project. Corrections, comments and suggestions on the lecture and on the notes would be appreciated!
Presentation
Full-text available
Foundations of CyberSecurity, part II: Network Security, Lecture Set 3: TCP/IP Stack Security: Poisoning, Injecting, and more. Covers: link-layer security and poisoning; Internet Protocol (IP) security; IPsec; IP spoofing; fragmentation attacks; DNS poisoning; DNSSEC; transport-layer security; TCP injections and related attacks; QUIC security.
Presentation
Full-text available
In this lecture set we discuss cryptographic hash functions, their properties, and (some of) their many applications, including: integrity (hash-block, blockchain), hash-then-sign, randomness, and more. The presentation should be most useful together with the course's lecture notes. Feedback appreciated.
Conference Paper
Full-text available
Denial-of-service (DoS) attacks, which prevent legitimate users from accessing the system by flooding it with traffic or causing it to crash, are often used to disrupt network or computation services. We present QuicR, an adaptation of the QUIC protocol that is resilient to congestion and bandwidth-denial-of-service attacks. Specifically, QuicR use...
Presentation
Full-text available
QuicR: QUIC Resiliency to BW-DoS Attacks. Denial-of-service (DoS) attacks, which prevent legitimate users from accessing the system by flooding it with traffic or causing it to crash, are often used to disrupt network or computation services. We present QuicR, an adaptation of the QUIC protocol that is resilient to congestion and bandwidth-denial-of...
Presentation
Full-text available
This is the second lecture set in the course `Introduction to cyber security', part I - applied crypto. The lecture notes are available (and pretty often updated) in my researchgate project.
Presentation
Full-text available
This is lecture set 1 in the course `Introduction to Cyber Security' which I give in University of Connecticut, dept. of Computer Science and Engineering; see lecture notes and exercises (available in ResearchGate). This is work-in-progress and there are many comments and mistakes, please use with caution; corrections and suggestions are appreciate...
Conference Paper
Full-text available
Note: this entry contains both presentation and paper. BGP is a gaping security hole in today’s Internet, as evidenced by numerous Internet outages and blackouts, repeated traffic hijacking, and surveillance incidents. To protect against prefix hijacking, the Resource Public Key Infrastructure (RPKI) has been standardized. Yet, despite Herculean e...
Conference Paper
Full-text available
Cyber physical systems (CPS) typically contain multiple control loops, where the controllers use actuators to trigger a physical process, based on sensor readings. Attackers typically coordinate attack with multiple corrupted devices; defenses often focus on detecting this abnormal communication. We present the first provably-covert channel from a...
Conference Paper
Full-text available
Strict regulations and security practices of critical cyber-physical systems, such as nuclear plants, require complete isolation between their data-acquisition zone and their safety and security zones. Isolation methods range from firewall devices, to 'data diodes' that only allow one-way communication. In this work we explore a possible threat byp...
Conference Paper
Full-text available
Mix networks are a key technology to achieve network anonymity and private messaging, voting and database lookups. However, simple mix network designs are vulnerable to malicious mixes, which may drop or delay packets to facilitate traffic analysis attacks. Mix networks with provable robustness address this drawback through complex and expensive p...
Presentation
Full-text available
Lecture on spam and phishing, mostly focused on email. Covers SPF, DKIM, DMARC and more. Included in part II (Network security) of `Foundations of Cybersecurity'.
Chapter
Full-text available
With the recent emergence of efficient zero-knowledge (ZK) proofs for general circuits, while efficient zero-knowledge proofs of algebraic statements have existed for decades, a natural challenge arose to combine algebraic and non-algebraic statements. Chase et al. (CRYPTO 2016) proposed an interactive ZK proof system for this cross-domain problem....
Presentation
Full-text available
An introduction to the basic cryptography involved in blockchains: digital signatures and hash functions. This can be useful as part of the `intro to cybersecurity' course (part I). The presentation was prepared for and presented as a tutorial in the Blockchain workshop, March 2019, ITAM (Mexico). No prior knowledge in crypto is required - this is...
Presentation
Full-text available
This is introductory presentation about Denial of Service (DoS) attacks, presentation-set 4 in the Foundations of Cybersecurity project, part II: Network security.
Conference Paper
Full-text available
With the recent emergence of efficient zero-knowledge (ZK) proofs for general circuits, while efficient zero-knowledge proofs of algebraic statements have existed for decades, a natural challenge arose to combine algebraic and non-algebraic statements. Chase et al. (CRYPTO 2016) proposed an interactive ZK proof system for this cross-domain problem....
Presentation
Full-text available
An overview of my recent works on practical and secure anonymous messaging protocols, including AnonPoP, Miranda and AnNotify. These are joint works with Nethanel Gelerenter, Jamie Hayes, Hemi Leibowitz, Ania Piotrowska and George Danezis .
Presentation
Full-text available
This is an improved version of the presentation (lecture) on public key infrastructure; I think it is already usable, although, there is yet much to improve, esp. related to advanced emerging PK schemes - I cover Certificate Transparency, but not deeply/clearly enough. I'll revise this when I prepare the corresponding chapter in the notes, but this...
Preprint
Full-text available
Mix networks are a key technology to achieve network anonymity, private messaging, voting and database lookups. However, simple mix networks are vulnerable to malicious mixes, which may drop or delay packets to facilitate traffic analysis attacks. Mix networks with provable robustness address this drawback through complex and expensive proofs of co...
Conference Paper
Full-text available
This paper presents a grass-roots approach to issuing routing public key certificates, to secure inter-domain routing in the Internet.
Article
Full-text available
Privacy, facilitated by a confluence of cryptography and decentralization, is one of the primary motivations for the adoption of cryptocurrencies like Bitcoin. Alas, Bitcoin's privacy promise has proven illusory, and despite growing interest in privacy-centric blockchains, most blockchain users remain susceptible to privacy attacks that exploit netw...
Presentation
Full-text available
This is lecture set 9 for the course `introduction to cybersecurity'. Updated Nov. 2018. The lecture notes are also available as ResearchGate project; but this specific chapter will only be added in a few months. Corrections, comments and suggestions on the lecture and on the notes would be appreciated!
Chapter
Full-text available
We investigate an understudied threat: networks of stealthy routers (S-Routers), communicating across a restricted area. S-Routers use short-range, low-energy communication, detectable only by nearby devices. We examine algorithms to intercept S-Routers, using one or more mobile devices, called Interceptors. We focus on Destination-Search scenarios...
Conference Paper
Full-text available
Performing Route Origin Validation (ROV) to filter BGP announcements, which contradict Route Origin Authorizations (ROAs) is critical for protection against BGP prefix hijacks. Recent works quantified ROV enforcing Autonomous Systems (ASes) using control-plane experiments. In this work we show that control-plane experiments do not provide accurate...
Chapter
We introduce the Anonymous Post-Office Protocol (AnonPoP), a practical strongly-anonymous messaging system. Its design effectively combines known techniques such as (synchronous) mix-cascade and constant sending rate, with several new techniques including request-pool, bad-server isolation and per-epoch mailboxes. AnonPoP offers strong anonymity ag...
Conference Paper
Full-text available
AnNotify is a scalable service for private, timely and low-cost on-line notifications, based on anonymous communication, sharding, dummy queries, and Bloom filters. We present the design and analysis of AnNotify, as well as an evaluation of its costs. We outline the design of AnNotify and calculate the concrete advantage of an adversary observing m...
Conference Paper
Full-text available
The Resource Public Key Infrastructure (RPKI) binds IP address blocks to owners' public keys. RPKI enables routers to perform Route Origin Validation (ROV), thus preventing devastating attacks such as IP prefix hijacking. Yet, despite extensive effort, RPKI's deployment is frustratingly sluggish, leaving the Internet largely insecure. We tackle fun...
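The three ROV entries above (extending ROV against subprefix and non-routed prefix hijacks, measuring ROV enforcement, and the RPKI deployment work) all rest on the origin validation of RFC 6811: an announcement is Valid if some ROA covers the announced prefix, names its origin AS and permits its prefix length; Invalid if ROAs cover it but none matches; NotFound if no ROA covers it. The Python below is an added illustration, not code from any of these papers or from RPKI tooling, run on constructed ROAs (documentation ASNs 64496 and 64500 and private 10.0.0.0/8 prefixes, all assumed). It shows why a subprefix hijack is caught, why a superprefix announcement and a hijack of a prefix with no ROA come back NotFound and therefore pass a drop-Invalid policy, how an AS 0 ROA (RFC 7607) closes the latter gap, and how under partial deployment a non-enforcing AS still accepts the Invalid route.

```python
"""Route Origin Validation (RFC 6811) on constructed ROAs: what ROV filters and what it does not.

Added illustration; the ROAs, prefixes and ASNs below are assumed, not taken from any paper."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from enum import Enum


class Rov(Enum):
    VALID = "Valid"         # a covering ROA names this origin AS and permits this prefix length
    INVALID = "Invalid"     # ROAs cover the prefix, but none matches origin AS and length
    NOT_FOUND = "NotFound"  # no ROA covers the prefix at all


@dataclass(frozen=True)
class Roa:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int  # AS 0 (RFC 7607) means: nobody is authorised to originate this prefix


def roa(prefix: str, asn: int, max_length: int | None = None) -> Roa:
    net = ipaddress.ip_network(prefix, strict=True)
    return Roa(net, net.prefixlen if max_length is None else max_length, asn)


def validate(announced: str, origin_asn: int, roas: list[Roa]) -> Rov:
    """RFC 6811 origin validation of one announcement (prefix, origin AS)."""
    net = ipaddress.ip_network(announced, strict=True)
    # A ROA covers the announcement when the announced prefix lies inside the ROA prefix.
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return Rov.NOT_FOUND
    if any(r.asn == origin_asn and net.prefixlen <= r.max_length for r in covering):
        return Rov.VALID
    return Rov.INVALID


def accepts(announced: str, origin_asn: int, roas: list[Roa], enforce_rov: bool) -> bool:
    """Drop-Invalid policy of a ROV-enforcing AS; a non-enforcing AS accepts everything.

    NotFound routes are accepted by both, which is the gap the superprefix and
    non-routed-prefix cases below walk through."""
    if not enforce_rov:
        return True
    return validate(announced, origin_asn, roas) is not Rov.INVALID


# Constructed ROA set (assumed): AS64496 owns 10.10.0.0/22 and may announce it down to
# /24; it also holds 10.40.0.0/16, which it never announces and protects with an AS 0 ROA.
ROAS = [
    roa("10.10.0.0/22", 64496, max_length=24),
    roa("10.40.0.0/16", 0),
]
ATTACKER = 64500  # documentation ASN playing the hijacker


def scenarios() -> dict[str, Rov]:
    return {
        "legitimate origin": validate("10.10.0.0/22", 64496, ROAS),
        # More-specific prefix from the wrong AS: covered, no match -> Invalid.
        "subprefix hijack": validate("10.10.1.0/24", ATTACKER, ROAS),
        # Even the owner's own /25 is Invalid: maxLength caps the allowed length.
        "subprefix beyond maxLength": validate("10.10.1.0/25", 64496, ROAS),
        # Less-specific prefix: no ROA covers a /21, so ROV says NotFound, not Invalid.
        "superprefix hijack": validate("10.10.0.0/21", ATTACKER, ROAS),
        # Owner never announces 10.20.0.0/16 and published no ROA: NotFound again.
        "non-routed prefix, no ROA": validate("10.20.0.0/16", ATTACKER, ROAS),
        # Same situation with an AS 0 ROA: covered, no AS can match 0 -> Invalid.
        "non-routed prefix, AS 0 ROA": validate("10.40.0.0/16", ATTACKER, ROAS),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:30} -> {result.value}")
    # Partial deployment: the Invalid subprefix is dropped by an enforcing AS ...
    print("enforcing AS accepts subprefix hijack:",
          accepts("10.10.1.0/24", ATTACKER, ROAS, enforce_rov=True))
    # ... but still propagated by every AS that does not run ROV.
    print("non-enforcing AS accepts subprefix hijack:",
          accepts("10.10.1.0/24", ATTACKER, ROAS, enforce_rov=False))
```

A superprefix route does not beat the victim's more-specific announcement where both are present (longest-prefix match), but it attracts traffic for every address in the superprefix that the victim does not announce, and ROV never filters it because no ROA covers it; publishing ROAs only for the prefixes actually announced leaves both that space and unannounced address blocks in the NotFound state.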
Conference Paper
Full-text available
We introduce the Anonymous Post-Office Protocol (Anon-PoP), a practical strongly-anonymous messaging system. Its design effectively combines known techniques such as (synchronous) mix-cascade and constant sending rate, with several new techniques including request-pool, bad-server isolation and per-epoch mailboxes. AnonPoP offers strong anonymity a...
Conference Paper
Full-text available
Network Address Translation (NAT) routers aggregate the flows of multiple devices behind a single IP address. NAT routers 'hide' the original IP address. This is often viewed as a privacy feature, making it harder to identify the communication of individual devices behind the NAT. De-NAT is the reverse process: of re-identifying communication flow...
Conference Paper
Full-text available
Recently, many popular Instant-Messaging (IM) applications announced support for end-to-end encryption, claiming confidentiality even against a rogue operator. Is this, finally, a positive answer to the basic challenge of usable-security presented in the seminal paper, 'Why Johnny Can't Encrypt'? Our work evaluates the implementation of end-to-end...
Conference Paper
Full-text available
We study the trade-off between the benefits obtained by communication, vs. the risks due to exposure of the location of the transmitter. To study this problem, we introduce a game between two teams of mobile agents, the P-bots team and the E-bots team. The E-bots attempt to eavesdrop and collect information, while evading the P-bots; the P-bots att...
Conference Paper
Full-text available
We define the concept of and present provably secure constructions for Anonymous RAM (AnonRAM), a novel multiuser storage primitive that offers strong privacy and integrity guarantees. AnonRAM combines privacy features of anonymous communication and oblivious RAM (ORAM) schemes, allowing it to protect, simultaneously, the privacy of content, access...
Conference Paper
Full-text available
Autocomplete, a well-known feature in popular search engines, offers suggestions for search terms before the user has even completed typing their query. We present the autocomplete injection attack and its potential exploits. In this attack, a cross-site attacker injects terms into the autocomplete suggestions offered by a web-service to a victim u...
Conference Paper
Full-text available
Extensive standardization and R&D efforts are dedicated to establishing secure interdomain routing. These efforts focus on two mechanisms: origin authentication with RPKI, and path validation with BGPsec. However, while RPKI is finally gaining traction, the adoption of BGPsec seems not even on the horizon due to inherent, possibly insurmountable,...
Conference Paper
Full-text available
Obfuscation is challenging; we currently have practical candidates with rather vague security guarantees on the one side, and theoretical constructions which have recently experienced jeopardizing attacks against the underlying cryptographic assumptions on the other side. This motivates us to study and present robust combiners for obfuscators, whic...
Technical Report
Full-text available
AnoNotify is a service for private, timely and low-cost on-line notifications. We present the design and security arguments behind AnoNotify, as well as an evaluation of its cost. AnoNotify is based on mix-networks, Bloom filters and shards. We present a security definition and security proofs for AnoNotify. We then discuss a number of applications...
Conference Paper
Full-text available
We present the malicious CAPTCHA attack, allowing rogue sites to trick users into unknowingly disclosing their private information. This circumvents the Same Origin Policy (SOP), whose goal is to prevent direct access by the rogue site to such private information. The rogue site exploits the fact that sites often display some private information to...
Article
Full-text available
Obfuscation is challenging; we currently have practical candidates with rather vague security guarantees on the one side, and theoretical constructions which have recently experienced jeopardizing attacks against the underlying cryptographic assumptions on the other side. This motivates us to study and present robust combiners for obfuscators, whic...
Conference Paper
Full-text available
We present CDN-on-Demand, a software-based defense that administrators of small to medium websites install to resist powerful DDoS attacks, with a fraction of the cost of comparable commercial CDN services. Upon excessive load, CDN-on-Demand serves clients from a scalable set of proxies that it automatically deploys on multiple IaaS cloud providers...
Conference Paper
Full-text available
We identify the threat of cross-site framing attacks, which involves planting false evidence that incriminates computer users, without requiring access to their computer. We further show that a variety of framing-evidence can be planted using only modest framing-attacker capabilities. The attacker can plant evidence in both the logs of popular repu...
Conference Paper
Full-text available
Extensive standardization and R&D efforts are dedicated to establishing secure interdomain routing. These efforts focus on two complementary mechanisms: origin authentication with RPKI, and path validation with BGPsec. However, while RPKI is finally gaining traction, the adoption of BGPsec seems not even on the horizon. This is due to inherent, pos...
Conference Paper
Full-text available
Cross-site search (XS-search) attacks circumvent the same-origin policy and extract sensitive information, by using the time it takes for the browser to receive responses to search queries. This side-channel is usually considered impractical, due to the limited attack duration and high variability of delays. This may be true for naive XS-search att...
Article
Full-text available
Given a network of n = 2^k gossipers, we want to schedule a cyclic calendar of meetings between all of them, such that: (1) each gossiper meets (gossips) only once a day, with one other gossiper, (2) in every (n-1) consecutive days, each gossiper meets all other gossipers, and (3) every gossip, initiated by any gossiper, will reach all gossipers wi...
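One construction that meets conditions (1) and (2) for n = 2^k gossipers, added here as an illustration and not the schedule from the article above: on day d (d = 1, ..., n-1) gossiper i meets gossiper i XOR d. The code also measures, for this particular ordering of the days, how many days a gossip needs to reach everyone; the bound the article proves for condition (3) is cut off above, and nothing below is taken from the article.

```python
"""Cyclic gossip calendar for n = 2**k gossipers built from XOR matchings.

Added illustration of conditions (1)-(3); not the construction of the article."""
from itertools import combinations


def calendar(k: int) -> list[list[tuple[int, int]]]:
    """Day d (d = 1, ..., n-1) pairs gossiper i with gossiper i XOR d.

    For d != 0 the map i -> i ^ d is an involution without fixed points on
    {0, ..., n-1}, so every day is a perfect matching: each gossiper meets
    exactly one other gossiper (condition 1). The calendar repeats with period n-1.
    """
    n = 1 << k
    return [[(i, i ^ d) for i in range(n) if i < i ^ d] for d in range(1, n)]


def satisfies_1_and_2(k: int) -> bool:
    """Check conditions (1) and (2) for the calendar of 2**k gossipers."""
    n = 1 << k
    days = calendar(k)
    for day in days:  # (1): everyone appears in exactly one pair each day
        if sorted(g for pair in day for g in pair) != list(range(n)):
            return False
    met = {frozenset(pair) for day in days for pair in day}
    # (2): one period (n-1 days) contains every pair once; any n-1 consecutive days
    # of the cyclic calendar are a rotation of that period, so they do as well.
    return met == {frozenset(pair) for pair in combinations(range(n), 2)}


def spread_days(k: int, origin: int, start_day: int) -> int:
    """Days, counting start_day itself, until a gossip that `origin` knows before
    the meetings of start_day has reached all 2**k gossipers."""
    n = 1 << k
    days = calendar(k)
    knows = {origin}
    for t in range(n - 1):
        for a, b in days[(start_day + t) % (n - 1)]:
            if a in knows or b in knows:  # a meeting passes the gossip both ways
                knows.update((a, b))
        if len(knows) == n:
            return t + 1
    raise AssertionError("unreachable: by (2) the origin meets everyone within n-1 days")


def worst_spread(k: int) -> int:
    """Condition (3) measured for this day ordering: the slowest (origin, start day) case."""
    n = 1 << k
    return max(spread_days(k, g, s) for g in range(n) for s in range(n - 1))


if __name__ == "__main__":
    for k in (2, 3, 4):
        print(f"k={k}: (1),(2) hold: {satisfies_1_and_2(k)}, "
              f"worst spread {worst_spread(k)} days (lower bound {k})")
```

Each day the set of informed gossipers can at most double, so any calendar needs at least k days; with the days taken in the order d = 1, 2, ..., n-1 the worst case for n = 8 is 4 days, one more than that bound, which shows that condition (3) depends on how the n-1 matchings are ordered and not only on which matchings are used.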
Article
Full-text available
To ensure the best security and efficiency, cryptographic protocols such as Transport Layer Security and IPsec should let parties negotiate the use of the "best" cryptographic algorithms; this is referred to as cipher-suite negotiation. However, cipher-suite negotiation is lacking in DNS Security Extensions (DNSSEC), introducing several problems. T...
Article
Full-text available
This report documents the program and the outcomes of Dagstuhl Seminar 15102 "Secure Routing for Future Communication Networks". Routing is a fundamental mechanism in communication networks, and its security is critical to ensure availability and prevent attacks; however, developing and deploying secure routing mechanisms is still a challenge. Signi...
Conference Paper
Full-text available
We propose a transport layer cipher-suite negotiation mechanism for DNSSEC standard, allowing name-servers to send responses containing only the keys and signatures that correspond to the cipher-suite option negotiated with the resolver, rather than sending all the signatures and keys (as is done currently). As we show, a lack of cipher-suite negot...
Conference Paper
Full-text available
We present the first defence against DNS-amplification DoS attacks, which is compatible with common DNS server configurations and with the (important standard) DNSSEC. We show that the proposed DNS-authentication system is efficient, and effectively prevents DNS-based amplification DoS attacks abusing DNS name servers. We present a game-theore...
Conference Paper
Full-text available
Private Information Retrieval (PIR) allows a user to privately request a block of data from a database such that no information about the queried block is revealed to the database owner. With the rapid rise of cloud computing, data is often shared across multiple servers, making multi-server PIR a promising privacy-enhancing technology. In this paper, we...
Conference Paper
Full-text available
To ensure the best security and efficiency, cryptographic protocols should allow parties to negotiate the use of the ‘best’ cryptographic algorithms supported by the different parties; this is usually referred to as cipher-suite negotiation, and considered an essential feature of such protocols, e.g., TLS and IPsec. However, such negotiation is absent...
Article
Full-text available
As mobile phones have evolved into smartphones, with complex operating systems running third-party software, they have become increasingly vulnerable to malicious applications (malware). The authors introduce a new design for mitigating malware attacks against smartphone users based on a small trusted computing base module, denoted μTCB. The μTCB m...
Article
Full-text available
We present practical off-path TCP injection attacks for connections between current, nonbuggy browsers and Web servers. The attacks allow Web-cache poisoning with malicious objects such as spoofed Web pages and scripts; these objects can be cached for a long period of time, exposing any user of that cache to cross-site scripting, cross-site request...
Article
Full-text available
As mobile phones have evolved into `smartphones', with complex operating systems running third-party software, they have become increasingly vulnerable to malicious applications (malware). We introduce a new design for mitigating malware attacks against smartphone users, based on a small trusted computing base module, denoted uTCB. The uTCB manage...
Article
Full-text available
DNS Security Extensions (DNSSEC) became standardized more than 15 years ago, but its adoption is still limited. The recent publication of several new, off-path DNS cache-poisoning and wide-scale man-in-the-middle attacks should motivate DNSSEC adoption. However, significant challenges and pitfalls have resulted in severely limited deployment, which...
Conference Paper
Full-text available
We present a new technique, which we call socket overloading, that we apply for off-path attacks on DNS. Socket overloading consists of short, low-rate, bursts of inbound packets, sent by off-path attacker to a victim host. Socket overloading exploits the priority assigned by the kernel to hardware interrupts, and enables an off-path attacker to il...
Article
Full-text available
Online social networks (OSNs) have rapidly become a prominent and widely used service, offering a wealth of personal and sensitive information with significant security and privacy implications. Hence, OSNs are also an important, and popular, subject for research. To perform research based on real-life evidence, however, researchers may need to acces...
Conference Paper
Full-text available
We define and study cloudoscopy, i.e., exposing sensitive information about the location of (victim) cloud services and/or about the internal organisation of the cloud network, in spite of location-hiding efforts by cloud providers. A typical cloudoscopy attack is composed of a number of steps: first expose the internal IP address of a victim insta...
Article
Full-text available
Online Social Networks (OSNs) have rapidly become a prominent and widely used service, offering a wealth of personal and sensitive information with significant security and privacy implications. Hence, OSNs are also an important - and popular - subject for research. To perform research based on real-life evidence, however, researchers may need to a...
Conference Paper
Full-text available
We present effective off-path DNS cache poisoning attacks, circumventing widely-deployed challenge-response defenses, e.g., transaction identifier randomisation, port and query randomisation. Our attacks depend on the use of UDP to retrieve long DNS responses, resulting in IP fragmentation. We show how attackers are often able to generate such frag...
Conference Paper
Full-text available
DNSSEC was proposed more than 15 years ago but its (correct) adoption is still very limited. Recent cache poisoning attacks motivate deployment of DNSSEC. In this work we present a comprehensive overview of challenges and potential pitfalls of DNSSEC, including: Vulnerable configurations: we show that inter-domain referrals (via NS, MX and CNAME re...
Conference Paper
We design a provenance system for documents on clouds. The system allows writing documents by several collaborating individuals. Provenance allows recovery of information about the sequence of significant events relevant to the documents. Existing provenance systems focus on editing events, such as creation or removal of document parts. In this wor...
Conference Paper
Full-text available
A growing number of networks delegate their DNS resolution to trusted upstream resolvers. The communication to and from the upstream resolver is invisible to off-path attackers. Hence, such delegation is considered to improve the resilience of the resolvers to cache-poisoning and DoS attacks, and also to provide other security, performance, reliabi...
Conference Paper
Full-text available
We present the Plug-and-Play IP Security (PnP-IPsec) protocol. PnP-IPsec automatically establishes IPsec security associations between gateways, avoiding the need for manual administration and coordination between gateways, and the dependency on IPsec public key certificates - the two problems which are widely believed to have limited the use of IP...
Conference Paper
Full-text available
We study covert channels between a MitM attacker, and her MitE 'malware', running within the protected network of a victim organisation, and how to prevent or limit such channels. Our focus is on advanced timing channels, that allow communication between the MitM and MitE, even when hosts inside the protected network are restricted to only communic...
Conference Paper
Full-text available
Recent cache poisoning attacks motivate protecting DNS with strong cryptography, by adopting DNSSEC, rather than with challenge-response 'defenses'. We discuss the state of DNSSEC deployment and obstacles to adoption. We then present an overview of challenges and potential pitfalls of DNSSEC, including: Incremental Deployment: we review deployment...
Article
Full-text available
Everyone is concerned about Internet security, yet most traffic is not cryptographically protected. The usual justification is that most attackers are only off-path and cannot intercept traffic; hence, challenge-response mechanisms suffice to ensure authenticity. Usually, the challenges re-use existing `unpredictable' header fields to protect w...

Projects (10)
Project
Analyzing and improving security of PKI schemes.
Project
Investigate the security of cyber-physical systems
Project
This text is a draft of a potential textbook introducing cyber-security to practitioners and students, based on my courses at University of Connecticut. Currently the plan is to have two parts. The first part would be `introduction and the crypto foundations', and is about 75% done; the second part would be `network security' and is about 5% done; and I am still undecided on additional parts. I also post (usually within this project) the corresponding presentations (in powerpoint). See in: https://www.researchgate.net/profile/Amir_Herzberg/publications If you find the text useful for your course, or have suggestions/requests/comments, please let me know. Thanks.