A proactive approach to ensuring long-term cybersecurity

To address the evolving cybersecurity threat, the EU-funded SHARCS and PQCRYPTO projects are developing the security paradigms, architectures and software needed to ensure our ICT systems are secure and trustworthy.

In today’s connected world, more and more of our day-to-day activities are dependent on cybersecurity. From banking to online shopping, telemedicine, mobile communication, cloud computing and the Internet of Things - society continues to put an increasing amount of sensitive and private information online.

With the always evolving threat of hacking, it is essential that the public and private sectors take a proactive approach to cybersecurity. To help accomplish this, two EU-funded projects, SHARCS and PQCRYPTO, are working to develop new security paradigms, architectures and software to ensure our ICT systems are secure and trustworthy.

Updated encryption methods needed

Today, most of our online information is protected via either public-key algorithms (RSA), discrete-logarithm in finite fields or elliptic curves. In practice, these systems typically provide enough variation to ensure the security of our online communications. But as society moves towards the use of large, quantum computers, the viability of these systems will become obsolete.

For example, confidential information like health records and national security secrets must come with a guaranteed level of security. However, when stored on a quantum computer, the use of RSA or elliptic curve based encryption will no longer provide protection against hacking. With the EU and national governments investing heavily in the development of quantum computers, SHARCS and PQCRYPTO researchers warn that society must act now to prepare itself for the cybersecurity consequences of the quantum computing era.

Flip Feng Shui demonstrates vulnerabilities

To put the severity of this threat into perspective, project-affiliated hacking experts used a new, non-software bug-based attack technique to alter the memory of cloud-hosted virtual machines. The technique, called Flip Feng Shui (FFS), lets the attacker rent a virtual machine on the same host as the victim, allowing them to crack the virtual machine’s keys or install malware without being noticed. With this attack, not only can the hacker view and leak data, they can also modify it by using a hardware glitch. As a result, the server can be ordered to install malicious and unwanted software and allow logins by unauthorised users.

In one FFS attack, researchers gained access to the host’s virtual machines by weakening OpenSSH public keys with just one bit. In another attack, researchers adjusted the settings of the software management application apt by making minor changes to the URL where an apt downloads software. From here, the server could install malware that was presented as a software update.

Mitigating tomorrow’s threats today

Clearly, more work needs to be done to ensure the security of our online information. In just this one test, researchers disproved the common belief that hardware bit flips have limited practical power. Armed with FFS primitives, researchers were able to mount a devastatingly powerful end-to-end attack - even in the complete absence of software vulnerabilities.

To mitigate threats such as FFS and others, there is an ongoing need for new testing methods, hardware certification and adaptations of software needs. For these reasons, the SHARCS project is designing, building and demonstrating secure-by-design applications and services capable of achieving end-to-end security for users. At the same time, the PQCRYPTO project is working on cryptographic systems that are secure not only for today’s needs, but also against the long-term attacks presented by quantum computers. Together, these projects will provide a portfolio of high-security systems capable of answering the evolving cybersecurity needs of mobile devices, cloud computing and the Internet of Things.

For more information please see:
SHARCS project website
PQCRYPTO project website

published: 2016-09-07
Comments


Privacy Policy