CORE

Cryptography provides the basic tools to guarantee confidentiality and integrity of data. It hence plays a pivotal role in securing our digital infrastructure, and in enforcing the right for privacy of individuals. The development of secure cryptographic techniques is however difficult and error-prone, as unknown attack strategies need to be taken into account. To overcome this, modern cryptography advocates the paradigm of provable security, where threat models are precisely formalized using the language of mathematics, and the security of cryptosystems is proved within these models.

The Internet has become a societally transformative technology. Because the design of the Internet allows any Internet-connected device to send any amount of traffic to any other Internet-connected device, attackers can send large volumes of traffic to a victim, overwhelming the ability of the network to carry legitimate traffic to the victim. When many different devices send such attack traffic in a coordinated manner, the attack is called a Distributed Denial-of-Service (DDoS) attack, and is difficult to filter in the current Internet architecture.

Mobile device security is critical to millions of users and mobile operating system vulnerabilities can lead to exposure of sensitive data (e.g., passwords, credit card numbers, medical data) or compromise of sensitive operations (e.g., banking transactions). This research project is working to answer the following question: If the device's operating system is compromised, is it still possible to protect user's sensitive data and operations? The researchers are using new hardware technology, "Trusted Execution Environments (TEEs)," to enable such protection.

The rapid development of information technology not only leads to great convenience in our daily lives, but also raises significant concerns in the field of security and privacy. Particularly, the authentication process, which serves as the first line of information security by verifying the identity of a person or device, has become increasingly critical. An unauthorized access could result in detrimental impact on both corporation and individual in both secrecy loss and privacy leakage.

Most traditional security systems authenticate a user only at the initial log-in session. As a result, it is possible for another user, authorized or unauthorized, to access the system information, with or without the permission of the signed-on user, until the initial user logs out. This could be a critical security flaw even for high-security systems. Traditional one-time (e.g., password) or two-factor (e.g., password with fingerprint) authentication methods are no longer sufficient.