person:eric wustrow

  • DDoSCoin : Researchers create crypto coin with DDoS puzzle for miners

    University of Colorado assistant professor Eric Wustrow and University of Michigan PhD student Benjamin VanderSloot have created a cryptocurrency that uses a malicious alternative to bitcoin’s double-SHA256 hash-based proof-of-work, the computational effort required to mine new coins.

    Called DDoSCoin, the alternative cryptocurrency’s “Proof-of-DDoS” allows miners to prove that they have participated in distributed denial of service attacks against preselected targets in order to create more virtual money.

    DDoSCoin operates by miners opening a large number of Transport Layer Security (TLS) connections to target webservers. It would then use the signed responses as proof a connection has occurred.

    Miners with DDoSCoin blocks could then trade these for other currencies, including bitcoin and ethereum.

    This malicious “proof-of-DDoS” model used by DDoSCoin miners works only with sites that support TLS 1.2, but the researchers said over half of the top million websites as measured by metrics firm Alexa support that version of the protocol.

    Bitcoin’s proof-of-work, a mathematical puzzle that miners have to collectively solve before more units of the currency can be created, has been criticised as a waste of resources.

    The paper presented at the Usenix 2016 security conference:

    #DDoSCoin #bitcoin #cryptocurrency

  • « Elliptic Curve Cryptography in Practice

    by Joppe W. Bos, J. Alex Halderman, Nadia Heninger, Jonathan Moore, Michael Naehrig, and Eric Wustrow

    In this paper, we perform a review of elliptic curve cryptography (ECC), as it is used in practice today, in order to reveal unique mistakes and vulnerabilities that arise in implementations of ECC. We study four popular protocols that make use of this type of public-key cryptography: Bitcoin, secure shell (SSH), transport layer security (TLS), and the Austrian e-ID card. We are pleased to observe that about 1 in 10 systems support ECC across the TLS and SSH protocols. However, we find that despite the high stakes of money, access and resources protected by ECC, implementations suffer from vulnerabilities similar to those that plague previous cryptographic systems. »

    The authors got their hands on a large number of cryptographic keys using the (relatively) recent technique of elliptic curves and analysed those keys. Elliptic curves are growing in popularity but remain far behind the classic RSA (for example, only 10% of SSH keys, and 7% of HTTPS servers). More troubling, examining these keys shows weaknesses in how they were generated, such as the use of random generators that are not very random. There are even machines that share the same key.

    #cryptographie #courbes_elliptiques