SIN 2015 will feature the following keynote papers and talks:

Ron Poet, University of Glasgow, UK

Title: The Use of Mobile Devices in Authentication

Ramki Thurimella, University of Denver, USA

Title: Some new results in keyless jam resistance communication (Joint work with Hamid Hanifi and Leemon Baird)

Abstract: An important problem for secure communication is that of achieving jam resistance, without any prior shared secret between the sender and receiver, and with few limits on the assumed computational ability of the attacker. To date, only one system has been proposed for this, the BBC system, which is based on coding theory using codes derived from arbitrary hash functions. It is unfortunate that only one, narrow solution has been found for this important problem. We now propose another system for this problem. It is very different from BBC, using codes based on Monotone Boolean Functions (MBF), rather than hash functions. It is also more general. We show that despite being very different from BBC, the latter can be viewed as a special case of it. In fact, we prove a theorem that all such codes are special cases of this new system. We give empirical results suggesting that this new approach is useful, and describe directions for future research.
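As an added illustration, not code from the talk or from its authors, the following Python model shows the hash-based idea the abstract contrasts the new MBF codes with: every prefix of the message is hashed to a mark position in a shared codeword, concurrent senders and a jammer can only add marks (an OR channel), and the receiver decodes by walking prefixes whose marks are all present. The codeword length, message length, number of trailing zero check bits, use of SHA-256 and the constructed sample messages are all assumptions for the demonstration; the MBF-based scheme itself is not modelled because the abstract does not describe its construction.

```python
import hashlib
import random

CODEWORD_BITS = 4096   # assumed length of the shared channel codeword
MSG_BITS = 16          # assumed payload length per message
CHECK_BITS = 8         # assumed trailing zero bits that prune false decodes


def mark_index(prefix: str) -> int:
    """Map a bit-string prefix to one mark position via a cryptographic hash."""
    digest = hashlib.sha256(prefix.encode()).digest()
    return int.from_bytes(digest[:4], "big") % CODEWORD_BITS


def encode(message: str) -> set:
    """Return the set of mark positions for one message (payload + check zeros)."""
    bits = message + "0" * CHECK_BITS
    return {mark_index(bits[:i]) for i in range(1, len(bits) + 1)}


def combine(*mark_sets) -> set:
    """Model the OR channel: senders and jammers can add marks, never erase them."""
    received = set()
    for marks in mark_sets:
        received |= marks
    return received


def decode(received: set, max_live: int = 10000) -> list:
    """Depth-first search over prefixes whose every mark is present in 'received'.

    Because a jammer can only add marks, every genuinely sent message survives;
    dense jamming instead shows up as extra candidates and more search work,
    which is why the live-prefix count is bounded.
    """
    total = MSG_BITS + CHECK_BITS
    live = [""]
    results = set()
    while live:
        prefix = live.pop()
        if len(prefix) == total:
            results.add(prefix[:MSG_BITS])
            continue
        # payload positions branch on 0/1; check positions must be 0
        choices = "01" if len(prefix) < MSG_BITS else "0"
        for bit in choices:
            candidate = prefix + bit
            if mark_index(candidate) in received:
                live.append(candidate)
        if len(live) > max_live:
            raise RuntimeError("too many live prefixes; jamming too dense to decode")
    return sorted(results)


def demo(seed: int = 1, jam_marks: int = 300):
    """Two constructed messages plus random jamming marks on one codeword."""
    rng = random.Random(seed)
    sent = ["1010110011010011", "0000111100001111"]  # constructed sample payloads
    jammer = {rng.randrange(CODEWORD_BITS) for _ in range(jam_marks)}
    received = combine(*(encode(m) for m in sent), jammer)
    return sent, decode(received)


if __name__ == "__main__":
    sent, decoded = demo()
    print("sent:   ", sent)
    print("decoded:", decoded)
```

Running the demo shows both sent messages among the decoded candidates despite the jammer's added marks; raising `jam_marks` towards the codeword length makes the candidate list, and the decoder's work, grow until the live-prefix bound trips, which is the cost the abstract's "few limits on the attacker" setting has to pay.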


Alexander Barabanov, Alexey Markov, NPO Echelon, Moscow, Russia

Title: Modern trends in the regulatory framework of the information security conformity assessment in Russia based on Common Criteria

Abstract:

When established in 1995, Russian IT security certification scheme was mostly similar to the well-known Orange Book approach in its requirements. Current approaches to evaluation may be generally classified as follows:
- structural testing: source code analyses (static and dynamic analyses) in order to reveal software errors, non-declared opportunities and software bugs and flaws;
- functional testing is a test conducted to determine if the requirements of a specification are met (black box testing).
The first attempt to use the Common Criteria approach was made in 2002 with the preparation and approval of an authentic translation of the 3 parts of the Common Criteria and of the Common Methodology for Information Technology Security Evaluation. The work also included steps aimed at harmonizing Russian and European regulations, in particular the issuing of state standards that comprise authentic translations of the European standards ISO/IEC 15408, ISO/IEC 18045 and ISO/IEC TR 15446. Since 2012 Russia has been insistently introducing TOE certification according to the Common Criteria procedure. Each type of TOE has a document (regulations) which contains information security requirements and sets up security categories with minimum requirements. For each type of TOE and category the FSTEC of Russia creates and approves Protection Profiles. In 2011-2013 Russia issued requirements for intrusion detection systems and antivirus. We provide statistics on the Russian IT Security Certification Scheme obtained by processing the information accessible on the official site of the FSTEC of Russia, and the results of a comparative analysis of the FSTEC of Russia certification system and the Common Criteria certification system. Based on the processed information from the official site of the FSTEC of Russia, one may reach the following conclusions concerning the Russian IT Security Certification Scheme. The first certifications according to the new requirements involved foreign-made TOE. The reason is that the documents needed for certification in compliance with the new requirements had already been prepared for certification under Common Criteria certification schemes.
The "batch" certification shall be gradually substituted by the "series" pattern, since the new regulations require applicants to maintain certified software at all stages of the life cycle. More and more leading foreign developers provide the Russian test laboratories with access to their source code, and this tendency shall continue in future. Introduction of the new regulations shall enhance efficiency in the detection of vulnerabilities in software submitted for certification. In the new documents the vulnerability assessment procedure is obligatory during certification for all classes of security. In certification based on the traditional ruling documents the search for vulnerabilities is not an obligatory procedure, and such a search has been performed only by zealots for certification. For instance, the test laboratory in NPO Echelon revealed vulnerabilities in 50% of the software (both Russian-made and foreign-made) submitted for certification according to the new regulations. It should be noted that all vulnerabilities detected by NPO Echelon have been eliminated by the developers. Russian developers shall pay more for certification. Even during certification for the most popular Protection Class (Class 4), which has nothing to do with security of information comprising a state secret, EAL 3 is to be reached. The challenge is related to the developer's evidence required, which is relatively new (correlation with GOST is nearly absent), and to the fact that procedures issued by the FSTEC of Russia for developers are not available. The costs of test laboratories for test procedures shall grow. The number of actively working laboratories will be reduced, since the lack of procedures will make most laboratories incapable of performing tests that satisfy the new requirements. Possibly, test laboratories will be accredited by the highest security class (EAL) for which the laboratory may perform tests.


Alexey Zhukov, Bauman Moscow State Technical University, Russia

Title: Lightweight cryptography: modern development paradigms

Abstract: The escalating number of the most diverse intelligent devices with an Internet connection will be the defining direction of Internet development for the coming years. Already now 98.8% of all manufactured microprocessors are used in embedded applications and only 1.2% in traditional computers. Along with traditional Internet devices such as personal computers, laptops and smartphones, Internet access is available to household appliances, transport, various sensors (including those connected with the processing of biometric data, personal information of a medical character, etc.), and also radio-frequency identification (RFID) tags. However, there is a basic possibility of using this technology for unauthorized obtaining of confidential information of a personal character. Thus the former CIA director David Petraeus declared that data from Internet-connected devices can be used to draw up the most detailed file on any person. Therefore, the development of information and Internet technologies will demand effective implementation of information security algorithms providing confidentiality and integrity of data. It is obvious that cryptographic methods of information security form the basis of such safety. Their distinctive feature is that they have to be applied to the most diverse intelligent devices which, because of their operating conditions as well as the cost constraints peculiar to mass production, are characterized by rigid restrictions on the available memory resources, computing power, power supply, etc., which in turn leads to restrictions on the technologies and technological decisions that can be used. So, for example, strict restrictions are imposed on the energy consumption of passive intelligent devices such as radio-frequency tags or contactless smart cards. Another restriction imposed on the hardware is a limit on the number of logic elements used in an algorithm's chip.
The report examines various approaches to the design of information security algorithms that are effective for implementation under significantly limited resources, such as radio-frequency tags, contactless smart cards, sensors, coprocessors for 8-bit processors, etc.