SHA-3 Winner is KECCAK

The National Institute of Standards and Technology (NIST) announced on October 2, 2012 the selection of KECCAK as the winner of the SHA-3 Cryptographic Hash Algorithm Competition and the new SHA-3 hash algorithm.

Keccak makes use of the sponge construction and is hence a sponge function family.

The design philosophy of Keccak is the hermetic sponge strategy. It uses the sponge construction to obtain provable security against all generic attacks, and it calls a permutation that should have no structural properties other than a compact description. By structural properties we mean properties that a typical random permutation does not have.
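To make the sponge construction concrete, here is an added example (illustrative code written for this page, not the Keccak team's reference implementation or NIST's) that builds the Keccak-f[1600] permutation and a generic absorb/squeeze sponge from scratch, then cross-checks the result against Python's hashlib. The state is 1600 bits split into a rate r and a capacity c; input blocks are XORed only into the rate part, the permutation is applied, and output is read only from the rate part, so the capacity is what bounds the generic attacks the text refers to. The SHA3-256 and SHAKE128 parameter choices (rate, capacity, domain-separation suffix) are the standard ones; the function names are this example's own.

```python
# Added example: a from-scratch sponge over Keccak-f[1600], cross-checked
# against Python's hashlib. Illustrative code, not the Keccak team's or NIST's.
import hashlib

MASK64 = (1 << 64) - 1

# Round constants for the iota step (24 rounds of Keccak-f[1600]).
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]

# Rotation offsets for the rho step, indexed ROT[x][y].
ROT = [
    [0, 36, 3, 41, 18],
    [1, 44, 10, 45, 2],
    [62, 6, 43, 15, 61],
    [28, 55, 25, 21, 56],
    [27, 20, 39, 8, 14],
]


def rol64(v, n):
    """Rotate a 64-bit lane left by n bits."""
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK64


def keccak_f1600(lanes):
    """Keccak-f[1600] on 25 little-endian 64-bit lanes; lane A[x, y] is at index x + 5*y."""
    for rnd in range(24):
        # theta: XOR each lane with the parity of two neighbouring columns
        c = [lanes[x] ^ lanes[x + 5] ^ lanes[x + 10] ^ lanes[x + 15] ^ lanes[x + 20]
             for x in range(5)]
        d = [c[(x - 1) % 5] ^ rol64(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [lanes[i] ^ d[i % 5] for i in range(25)]
        # rho (rotate lanes) and pi (move lanes to new positions) in one pass
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = rol64(lanes[x + 5 * y], ROT[x][y])
        # chi: the only non-linear step, a row-wise NOT/AND mixing
        lanes = [b[x + 5 * y] ^ ((~b[(x + 1) % 5 + 5 * y] & MASK64) & b[(x + 2) % 5 + 5 * y])
                 for y in range(5) for x in range(5)]
        # iota: break the symmetry between rounds with a round constant
        lanes[0] ^= RC[rnd]
    return lanes


def permute_state(state):
    """Apply Keccak-f[1600] to a 200-byte state (lanes stored little-endian)."""
    lanes = [int.from_bytes(state[8 * i:8 * i + 8], "little") for i in range(25)]
    lanes = keccak_f1600(lanes)
    return bytearray(b"".join(lane.to_bytes(8, "little") for lane in lanes))


def sponge(message, rate_bytes, suffix, out_len):
    """Generic sponge: absorb rate-sized blocks, then squeeze out_len bytes.

    rate_bytes = (1600 - capacity) / 8. The capacity part of the state is
    never written by input nor read as output, which is what gives the
    generic security bound. suffix holds the domain-separation bits followed
    by the first '1' bit of the pad10*1 rule.
    """
    padded = bytearray(message) + bytes([suffix])
    while len(padded) % rate_bytes:
        padded.append(0x00)
    padded[-1] |= 0x80                                      # final '1' of pad10*1
    state = bytearray(200)
    for off in range(0, len(padded), rate_bytes):           # absorb
        for i in range(rate_bytes):
            state[i] ^= padded[off + i]
        state = permute_state(state)
    out = bytearray()
    while True:                                             # squeeze
        out += state[:rate_bytes]
        if len(out) >= out_len:
            return bytes(out[:out_len])
        state = permute_state(state)


def sha3_256(message):
    # capacity 512 bits -> rate 1088 bits = 136 bytes; SHA-3 domain suffix 0x06
    return sponge(message, 136, 0x06, 32)


def shake128(message, out_len):
    # capacity 256 bits -> rate 168 bytes; SHAKE domain suffix 0x1F; any output length
    return sponge(message, 168, 0x1F, out_len)


def matches_hashlib(message):
    """Cross-check both functions against the standard library."""
    return (sha3_256(message) == hashlib.sha3_256(message).digest()
            and shake128(message, 64) == hashlib.shake_128(message).digest(64))


if __name__ == "__main__":
    # constructed sample inputs, chosen to hit the padding edge cases
    for msg in (b"", b"abc", b"x" * 135, b"x" * 136, b"y" * 1000):
        print(len(msg), sha3_256(msg).hex(), matches_hashlib(msg))
```

The inputs of 135 and 136 bytes exercise the two padding corner cases of the 136-byte SHA3-256 rate: with one byte free the suffix and final pad bit share a byte (0x86), and with no byte free a whole extra block is absorbed. Because squeezing just keeps reading the rate part and permuting, SHAKE128 output of any length is a prefix of a longer output, which is the extendable-output property that the fixed-length SHA-3 variants simply truncate.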

You will notice that Joan Daemen was also a co-author of Rijndael, the algorithm chosen for the Advanced Encryption Standard (AES). Quite a record of success! And AES was announced on October 2, 2000, precisely 12 years ago. Interesting coincidence.

Congratulations to the Keccak team and to NIST!


Possible Approaches to Information Security

There are three possible approaches to information security: reactive, proactive, and predictive.

  1. Reactive Information Security – Post-incident detection, analysis, notification, containment, eradication, and remediation.
  2. Proactive Information Security – Avoiding or opposing threats against computers and networks through understanding the situation, assessing potential impacts, and implementing deterrence based on defensive methodologies.
  3. Predictive Information Security – Anticipating and predicting future threats and vulnerabilities based on strategic analysis, threat intelligence, and correlation of disparate datasets to protect the confidentiality, integrity, and availability of data and IT infrastructure.

It is better to be more proactive than reactive. It is even better to be more predictive.


Security Risk Management for Critical Infrastructures

Two colleagues and I presented a paper titled “Security Risk Management for Critical Infrastructures” at the itAIS 2011 Conference, “Information Systems: a crossroads for organization, management, accounting and engineering”, held in Rome, Italy, October 7–8, 2011.

Abstract: This paper presents a methodology for risk management developed and used mainly for critical infrastructures, but which can be generalized and used in other contexts. It outlines security risk assessment, including the identification of processes, resources/assets, threats and vulnerabilities, impacts and likelihood of failures. The methodology's primary focus is the analysis of business impacts and the quantification of the different risks, together with the identification of priority intervention areas, in order to eliminate, reduce, transfer or assume calculated risks, finding the right balance between the investment (resources, money, etc.) and the acceptable level/threshold of risk. The paper, based on theoretical background and on practical experience and results achieved in real organizations that operate on a global level, presents critical infrastructure characteristics, the risk management process, security goals and standards, and an integrated methodology for risk management applied to critical infrastructures. Some application cases and the results obtained are briefly described, disguised for strict confidentiality reasons.

Citation information:
Dragan Pleskonjic, Fabrizio Virtuani, Oscar Zoggia: “Security Risk Management for Critical Infrastructures”, ItAIS 2011, Rome, Italy, October 7-8, 2011

The conference was held at LUISS “Guido Carli” University, Rome, Italy.

The paper and presentation were well received and generated a lot of interest in this new and challenging topic among the scientific and industry communities.

The conference program is available here.

If you are interested in more details, please send me an e-mail.


Location Based Services – Security and Privacy Aspects

On September 28th, I delivered a presentation on the topic “Location Based Services – Security and Privacy Aspects” at the global Telenor Group Security Conference 2011.

Abstract: Location based services are a fast-growing area in various types of businesses, particularly for mobile operators and telecoms. Mobile devices with GPS, location based services and their applications offer great advantages and opportunities, but also generate various challenges. At present they raise many concerns about security and privacy among individual users and business customers. The media report on these types of issues with a lot of sensationalism and often without detailed, deep analysis and knowledge of the technology. This presentation is intended to give an overview of privacy issues and to analyze various points of view and aspects. It covers the perspectives of users of location based services on mobile devices (mobile phones, PDAs, computers, other devices), mobile operators (telecoms, ISPs), vendors (mobile device producers, operating system and application developers, service providers), and regulatory bodies (including standards and compliance programs). There are many myths about privacy issues, and this presentation will try to separate myths from facts in order to create a balanced and realistic view. It will also try to anticipate some future trends.

The conference was held in Belgrade on September 27 and 28, 2011, in the presence of Telenor delegates from all countries where this multinational telecom group operates.

The presentation was very well received and generated a lot of interest in this new and challenging topic. If you are interested to know more, contact me by e-mail.

For citation:

  • Dragan Pleskonjic: “Location Based Services – Security and Privacy Aspects”, Telenor Security Conference, September 27-28, 2011, Belgrade.

If you are interested in more details, please send me an e-mail.