Your search keyword '"Authorization"' showing total 2,461 results

1. FPRESSO: Fast and Privacy-Preserving SSO Authentication With Dynamic Load Balancing for Multi-Cloud-Based Web Applications

Author

Somchart Fugkeaw, Sorravich Rattagool, Pawat Jiangthiranan, and Peerawichaya Pholwiset

Subjects

Single sign-on, authentication, authorization, privacy-preserving, access control, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Existing cloud-based Single Sign-on (SSO) model generally rely on token-based and secure API leveraging authentication standard models such as OAuth 2.0, FIDO 2, OpenID Connect. Even though these models enable secure and fast login experiences across websites and applications, most of them did not focus on the privacy of the SSO token generated for the authentication with many applications. In addition, they are incapable to support dynamic authorization binding of the multiple privileges of user in accessing multiple applications in the SSO token. In this paper, we propose a scheme called FPRESSO providing a fast and privacy-preserving SSO authentication system with anonymous authorization binding designed for multi-application environments hosted on cloud. We utilize random perturbation to safeguard the SSO token, which is structured as a JSON Web Token (JWT). Essentially, our approach stores tokens in cookies to efficiently manage access and facilitate SSO recovery. Additionally, we introduced the anonymous authorization binding protocol to bundle user roles and permissions of the user into the SSO token, enhancing the efficiency and agility of access control across applications. To deliver high scalability of the system in accommodating a large number of users in cloud environment, we introduced multi-threaded load balancing algorithm to dynamically handle both SSO token generation and verification requests, ensuring efficient distribution of load across multiple servers. We conducted experiments to assess the performance of our proposed system. The results show that the token generation and verification processes are more efficient than those in comparable studies. By implementing the new cookie strategy, latency decreased significantly compared to the method without cookies.

Published

2024

2. SAAC: Secure Access Control Management Framework for Multi-User Smart Home Systems

Author

Iram Fatima Hashmi, Zafar Iqbal, Eman Munir, Natalia Kryvinska, Iryna Ivanochko, and Gabriel Avelino Sampedro

Subjects

Smart home, access control, authorization, multi-user, attribute-based access control, role-based access control, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

In a smart home environment, multiple users can access a single smart device simultaneously. Moreover, these multiple users may have conflicting demands at a time; that is, one user’s demands differ from another for the same device based on the role of users and environmental factors. Therefore, existing single-user access control systems cannot handle such conflicting and dynamically changing demands, considering both roles and environmental factors in the multi-user smart home environment. Considering this issue, we proposed a Smart Access Control and Authorization framework (SAAC). It is a multi-user access control solution that has four modules, namely, a user interaction module, a backend server module, a policy manager module, and a policy execution module. The user interaction module collects user data and resource policies, which are processed by the backend server and forwarded to the policy manager. The policy manager resolves conflicts and generates final policies, which are stored in the backend server for enforcement by the policy execution module. The finalized policies are shared with the backend server module and saved there till needed for execution by the policy execution module to enforce the access control decision. We have implemented a proof of concept of the proposed framework on VS Code using the Casbin library. The performance evaluation results show our framework’s effectiveness and efficiency with lower computational complexity requirements than existing methods. Finally, we performed a security analysis of the proposed model based on the STRIDE model that confirms its robustness against access control attacks.

Published

2024

3. Ephemeral Secret Leakage-Free ID-Role-Based Access Control Authentication and Key Exchange Protocol for Securing Electric Vehicle Data

Author

Amang Sudarsono, Rahardhita Widyatra Sudibyo, Idris Winarno, and Mike Yuliana

Subjects

Electric vehicle, role-based access control, identity-based cryptography, authentication, authorization, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Role-based Access Control (RBAC) promises an efficient authorization management system in accessing resources including electric vehicle (EV) data stored in the cloud server. In this EV data security implementation, access control has to be strong and efficient with respect to EV user authentication information, thus access control mechanism mandatorily relies on authentication as the system access prerequisite. In this work, identity-based cryptography (IBC) is incorporated with RBAC to invent an EV user role-based access control immersed in his/her identity as an internal EV user’s authentication and key exchange. Contribution to our work is in a simple way involving only the EV user’s signature to verify simultaneously both important aspects of authentication and authorization. In this case, authentication is carried out based on identity while authorization is activated based on EV user’s role. We formally prove that the proposed protocol satisfies the security requirements of both authentication and authorization outright by verifying EV user’s signature. The evaluation results show that the total computational cost for authentication and key exchange process between EV user and the server is practical enough and it only consumes approximately 800 ms.

Published

2024

4. Protecting Your Online Persona: A Preferential Selective Encryption Approach for Enhanced Privacy in Tweets, Images, Memes, and Metadata

Author

Nisha P. Shetty, Balachandra Muniyal, Aman Priyanshu, Dhruthi Kumar, Leander Melroy Maben, Yash Agrawal, Ruchita Natarajan, Shravya Gunda, and Nitish Gupta

Subjects

ABE, authentication, authorization, IBE, information security management, metadata anonymization, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

The proliferation of online social networking websites has resulted in the growth of online communities and increased communication among users. However, sharing personal information can pose a privacy threat to users, leaving them vulnerable to attacks like blackmail and fraud. Also, with the rise in scandals such as Geofeedia and Cambridge Analytica, as well as Facebook’s admission of sharing user data with top mobile phone manufacturers, worries about privacy on social networking platforms have become increasingly palpable. This paper discusses the privacy risks of sharing personal information on social networking websites. The proposed approaches offer a comprehensive protection of user privacy and prevents unauthorized access to user’s data and information by social network providers and unauthorized users. The study employs a preferential selective encryption approach that encompasses not only tweets but also other personally identifiable components, including images, memes, and metadata. This approach serves as a comprehensive solution to encrypt all elements within a social network, making it a one-stop destination for privacy protection in online social networks (OSN). When compared to other investigated schemes, the proposed approach significantly reduces privacy leakage to 0.48 units while achieving a high utility score of 0.8116 units for non-sensitive attributes in tweets. Moreover, it demonstrates remarkable performance in maintaining sensitive information coverage with notably minimal information loss: 0.4 units for images, 0.3 units for memes, and 12.7 units for metadata. Thus, in essence these findings, backed by quantifiable measures of privacy and utility, strongly validate the effectiveness of the proposed methods in achieving a superior balance between privacy preservation and utility when compared to its contemporaries, particularly in applications like online social networks (OSNs). Furthermore, the suggested method’s architecture makes it platform-neutral; it can be customized for any social networking website, such as Facebook, Instagram, and LinkedIn, and it may include any attribute that the user chooses to keep private.

Published

2024

5. Blockchain-Based Authorization Mechanism for Educational Social Internet of Things

Author

Olfa Dallel, Souheil Ben Ayed, and Jamel Bel Hadj Tahar

Subjects

Access control, application-specific blockchain, authorization, delegation, educational social Internet of Things, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

The Social Internet of Things (SIoT) paradigm has been integrated in the education domain to enable educational IoT devices to establish social relationships and exchange academic services. Nonetheless, the social relationships are not adapted to the educational context where devices must be socially linked based on their academic roles and activities. Furthermore, the exchange of services raises the requirement to implement an access control mechanism. In SIoT, social constraints such as the social relationship type and contact frequency are critical requirements to make an access decision. However, these constraints cannot be specified using the eXtensible Access Control Markup Language (XACML) standard as device attributes nor as contextual conditions. In this paper, we propose an Educational Social Internet of Things (EducationalSIoT) platform implemented as an application-specific blockchain where we define new social relationships for educational devices. To control the access to the academic services, we suggest extending the XACML policy model by considering the social requirements, and accordingly, we adjust the policy evaluation process and suggest priority-based combining algorithms. Additionally, our platform ensures the delegation of access permission by defining delegation policies and controlling the delegation operation with consideration of the social features. The simulation results show that by integrating social features, an access request is evaluated in 0.22 ms and a delegation request is evaluated in 0.32 ms. Finally, we guarantee that our platform is protected against the man-in-the-middle and replay attacks.

Published

2024

6. A Verifiably Secure ECC Based Authentication Scheme for Securing IoD Using FANET

Author

Saeed Ullah Jan, xIrshad Ahmed Abbasi, Fahad Algarni, and Adnan Shahid Khan

Subjects

Manageability, sensors, drones, latency, integrity, authorization, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Perfect forward secrecy, cross-verification, and robust mutual authentication guarantee secure communication through unfavorable and unsafe channels. The speedy development in wireless communication and drone-assisted networking technology has miserable significance in many areas, including wildlife monitoring, sidewalk checking, infrastructure inspection, and smart city surveillance. But guaranteeing message integrity, non-repudiation, authenticity, and authorization for information transmission for these areas are still challenging for researchers when using Flying Ad Hoc Networks (FANETs). The FANET’s existence for drone technology is more complicated due to dynamic changes in its topology and easily vulnerable to the adversary for numerous attacks. So far, before exhilarating a drone in the Internet-of-Drones (IoD) environment, controlled layered network architecture is indispensable to allow only legitimate drones to collaborate securely with each other and with the ground control station (GCS) for building the highest trust. A minor lapse creates a severe complication for communication security because an attacker might be trapping data from the open network channel and using it for their unusual deeds. Attentively, identification authentication and message authentication are necessary for such a sensitive environment. Therefore, in this research article, we have designed a verifiably secure Elliptic Curve Cryptographic (ECC)-based authentication scheme for IoD using FANET. The formal security proof of the scheme has been made using a programming verification toolkit ProVerif2.03, Random Oracle Model (ROM), and informally by pragmatic illustration. And the performance evaluation section of the article has been made by considering storage, computation, and communication costs. When comparing the proposed security mechanism with state-of-the-art schemes, it has been shown that the work done in this article is efficient and effective and is suitable for practically implementing in the IoD environment.

Published

2022

7. A Ranking Model for the Selection and Ranking of Commercial Off-the-Shelf Components.

Subjects

*MULTIPLE criteria decision making, *SET theory, *STATISTICAL decision making

Abstract

In this article, a deterministic model for the selection and ranking of commercial off-the-shelf (COTS) components is developed on the basis of fuzzy modified distance-based approach (FMDBA). The COTS selection and ranking problem is modeled as multicriteria decision making problem due to the involvement of multiple ranking criteria like functionality, reliability, compatibility, etc. FMDBA is the combination of the fuzzy set theory and the modified distance-based approach. To show the working of the developed ranking model, a case study of the e-payment system is demonstrated which aims on the selection and ranking of eight COTS components over four major categories of ranking criteria. FMDBA provides a comprehensive ranking of the components based on their calculated composite distance values. To depict the docility of FMDBA method, the results obtained are also compared with the existing decision-making methodologies. [ABSTRACT FROM AUTHOR]

Published

2022

8. Research on Distributed Dynamic Trusted Access Control Based on Security Subsystem.

Author

Huang, Haoxiang, Zhang, Jianbiao, Hu, Jun, Fu, Yingfang, and Qin, Chenggang

Abstract

The flow of data across nodes has become the dominant feature of data sharing in distributed environments with increasingly blurred boundaries, where it is crucial to maintain data access dynamic, trusted, and efficient. However, traditional centralized access control models are not only difficult to apply in distributed environments but also ignore trusted verification of authorized entities. What’s worse, existing access control models rarely consider themselves security, lack independence, at a high risk of being bypassed or tampered with. Thus, we propose in this paper a distributed, dynamic, and trusted access control model, DDTAC-BSS, where the standard Attribute-Based Access Control (ABAC) architecture is modified and extended. To reduce the attack surface, we separate policy enforcement point (PEP) from other core components, they are located in the node system and access control system, respectively. Then, the access control entry point (ACEP) is added as the only interface for the node system to interact with the access control system. Subsequently, the model introduces the entity trusted assessment mechanism to improve the trustworthiness of access control services. Driven by the dynamic attributes, our model can achieve dynamic trusted authorization and fine-grained access control. Moreover, we implement a lightweight, independent, and distributed security subsystem to achieve unified management of policies and decision-making autonomy by message-driven. By considering the independence of the security subsystem, a trusted operating environment is built based on Trusted Execution Environment (TEE) to ensure the security of the access control mechanism itself. The security of our model is proved rigorously based on the non-interference theory. Comprehensive experiments and comparisons have demonstrated the superior functionality, comparable performance, and strong security of our model. [ABSTRACT FROM AUTHOR]

Published

2022

9. Subversion-Resistant and Consistent Attribute-Based Keyword Search for Secure Cloud Storage.

Author

Zhang, Kai, Jiang, Zhe, Ning, Jianting, and Huang, Xinyi

Abstract

Secure cloud search service allows resource-constrained clients to effectively search over encrypted cloud storage. Towards enabling owner-enforced search authorization, the notion of attribute-based keyword search (ABKS) has been introduced and widely deployed in practice. To enhance traditional security of ABKS, two state-of-the-art solutions are presented to address keyword guessing attacks or setup inconsistency for secret key. Nevertheless, they have not simultaneously considered the following threats to a data user: (i) inconsistent secret key/cipher-index caused by outside dishonest authority and/or data owner; (ii) algorithm substitution attacks (ASA) launched by inside adversarial eavesdropping. These attacks may unfortunately lead to cloud data breach and user information exposure. To tackle such outside and inside threats, we introduce subversion-resistance and consistency for secure and fine-grained cloud document search services. In particular, we propose a consistent ABKS system with cryptographic reverse firewalls (CRF). Technically, we refer to verifiable functional encryption and employ non-interactive zero-knowledge proofs of discrete logarithm equality to ensure strong input consistency for ABKS. In addition, we build a trusted CRF zone for sanitizing algorithm outputs against ASA attacks. Moreover, we formalize the security model and formally prove security of our system. To clarify practical performance, we implement state-of-the-art solutions and our system in real cloud environment based on Enron dataset. The results show that our system achieves more enhanced security properties without obviously sacrificing performance. In particular, our system achieves comparable time and storage cost for document-index encryption and document search, as compared to state-of-the-art solutions. [ABSTRACT FROM AUTHOR]

Published

2022

10. Owner-Enabled Secure Authorized Keyword Search Over Encrypted Data With Flexible Metadata.

Author

Wang, Jiabei, Zhang, Rui, Li, Jianhao, and Xiao, Yuting

Abstract

Metadata plays an essential role in facilitating data organizing, finding, and understanding, but it also contains lots of sensitive information about the data and the data users, e.g., the location where a picture was taken. In practice, when sensitive data is encrypted before being uploaded to untrusted public clouds, an oblivious dilemma comes: if the metadata is totally encrypted, and its functionalities no longer exist; otherwise, sensitive information may be leaked. Hence, a secure and flexible mechanism for processing different fields (marked private or public for different scenario needs) of metadata simultaneously is desirable. We searched the literature for methods of achieving such a goal, it turned out that this was not explicitly considered or reasonably solved before. Therefore, in this paper, we investigate the problem of constructing privacy-enhancing metadata, namely, 1) flexible and tamper-resistant metadata setting, 2) owner-enabled secure search authorization with explicit metadata. Based on the concept of public key encryption with keyword search (PEKS), we propose a novel Authorized Keyword Search over Encrypted Data with Metadata scheme (MD-AKS), which firstly well addressed the above demands. We formalize the security model and prove the security of MD-AKS scheme. Our work maximizes the flexibility of metadata setting in two aspects: the associated metadata can be set as an arbitrary string and the costs of clients are independent of explicit metadata’s complexity. We implement MD-AKS, the theoretical comparison and experiment results further demonstrate the usability and scalability. [ABSTRACT FROM AUTHOR]

Published

2022

11. ANNPDP: An Efficient and Stable Evaluation Engine for Large-Scale Policy Sets.

Author

Deng, Fan, Yu, Zhenhua, Zhang, Liyong, Wang, Jiawei, Feng, Kexin, Kong, Wenbin, Li, Lingyu, and Wu, Jiawen

Abstract

As interactions between individuals and services increase, requests are more frequent and policy sets are larger. The evaluation performance of PDP (Policy Decision Point) plays a key role in the operation of a system. In order to solve bottlenecks of improving the PDP evaluation performance for large-scale policy sets, we propose an evaluation engine based on artificial neural networks, namely ANNPDP. We transform rules in a large-scale policy set described in the XACML (eXtensible Access Control Markup Language) into numerical rules. Evaluation networks are established and trained by the numerical rules. In order to ensure the accuracy, a misjudgment set is constructed for error corrections and stored by hash indexes. By simulating the arrival of requests, ANNPDP is compared with the Sun PDP, HPEngine, XEngine, and SBA-XACML. The experiment results show that ANNPDP has: 1) high performance: if the number of requests reaches 10,000, the evaluation time of ANNPDP on the large-scale policy set with 100,000 rules is approximately 0.46, 0.93, 0.71, and 1.43 percent of that of the Sun PDP, HPEngine, XEngine, and SBA-XACML, respectively, and 2) stability: as the size of the large-scale policy set and the number of requests increase, the evaluation time of ANNPDP grows linearly. ANNPDP can satisfy the requirements of an authorization system with large-scale policy sets. [ABSTRACT FROM AUTHOR]

Published

2022

12. iFaaSBus: A Security- and Privacy-Based Lightweight Framework for Serverless Computing Using IoT and Machine Learning.

Author

Golec, Muhammed, Ozturac, Ridvan, Pooranian, Zahra, Gill, Sukhpal Singh, and Buyya, Rajkumar

Abstract

As data of COVID-19 patients is increasing, the new framework is required to secure the data collected from various Internet of Things (IoT) devices and predict the trend of disease to reduce its spreading. This article proposes security- and privacy-based lightweight framework called iFaaSBus, which uses the concept of IoT, machine learning (ML), and function as a service (FaaS) or serverless computing to diagnose the COVID-19 disease and manages resources automatically to enable dynamic scalability. iFaaSBus offers OAuth-2.0 Authorization protocol-based privacy and JSON Web Token & Transport Layer Socket protocol-based security to secure the patient's health data. iFaaSBus outperforms response time compared to nonserverless computing while responding to up to 1100 concurrent requests. Further, the performance of various ML models is evaluated based on accuracy, precision, recall, F-score, and area under the curve (AUC) values, and the K-nearest neighbor model gives the highest accuracy rate of 97.51%. [ABSTRACT FROM AUTHOR]

Published

2022

13. A Consortium Blockchain-Based Access Control Framework With Dynamic Orderer Node Selection for 5G-Enabled Industrial IoT.

Author

Feng, Yuming, Zhang, Weizhe, Luo, Xiapu, and Zhang, Bin

Abstract

5G-enabled Industrial Internet of Things (IIoT) deployment will bring more severe security and privacy challenges, which puts forward higher requirements for access control. Blockchain-based access control method has become a promising security technology, but it still faces high latency in consensus process and weak adaptability to dynamic changes in network environment. This article proposes a novel access control framework for 5G-enabled IIoT based on consortium blockchain. We design three types of chaincodes for the framework named policy management chaincode (PMC), access control chaincode (ACC), and credit evaluation chaincode (CEC). The PMC and ACC are deployed on the same data channel to implement the management of access control policies and the authorization of access. The CEC deployed on another channel is used to add behavior records collected from IIoT devices and calculate the credit value of IIoT domain. Specifically, we design a two-step credit-based Raft consensus mechanism, which can select the orderer nodes dynamically to achieve fast and reliable consensus based on historical behavior records stored in the ledger. Furthermore, we implement the proposed framework on a real-world testbed and compare it with the framework based on practical Byzantine fault tolerance consensus. The experiment results show that our proposed framework can maintain lower consensus cost time with 100 ms level and achieves four to five times throughput with lower hardware resource consumption and communication consumption. Besides, our design also improves the security and robustness of the access control process. [ABSTRACT FROM AUTHOR]

Published

2022

14. 3AS: Authentication, Authorization, and Accountability for SDN-Based Smart Grids

Author

Arthur A. Z. Soares, Yona Lopes, Diego Passos, Natalia C. Fernandes, and Debora C. Muchaluat-Saade

Subjects

ARES framework, accountability, authentication, authorization, 3AS, IEC 61850, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Smart grid refers to the advancement of the current electric grid with the help of information and communication technologies. In such scenarios, an efficient and secure smart grid communication system is essential. Accordingly, Software-Defined Networks (SDN) have been gaining more prominence for smart grids in recent years, as this paradigm allows monitoring and managing these communication networks efficiently. An example is the Autonomic and Resilient Framework for Smart Grids (ARES). ARES allows integration between the supervisory system and the SDN controller, allowing for better energy applications. Although ARES emphasizes the need for security as a premise for its implementation, it does not provide a concrete implementation of this aspect. In this work, we provide an extensive review of the related literature about Authentication, Authorization, and Accountability (AAA) for smart grids, classifying approaches according to several relevant characteristics. We further propose 3AS, extending the ARES framework with a security component based on the IEEE 802.1X standard. 3AS has been implemented on the Ryu SDN controller and evaluated in an emulated environment. Results indicate 3AS successfully provides authentication, authorization, and accountability with low control load and delay, thus being suitable for diverse smart grid scenarios.

Published

2021

15. Survey on Delegated and Self-Contained Authorization Techniques in CPS and IoT

Author

Sreelakshmi Vattaparambil Sudarsan, Olov Schelen, and Ulf Bodin

Subjects

Authorization, access control models, cyber-physical systems (CPS), Internet of Things (IoT), subgranting, delegation, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Authentication, authorization, and digital identity management are core features required by secure digital systems. In this, authorization is a key component for regulating the detailed access credentials with respect to required service resources. Authorization, therefore, plays a significant role in the trust management of autonomous devices and services. Due to the heterogeneous nature of cyber-physical systems and the Internet of Things, several authorization techniques using different access control models, accounts, groups, tokens, and delegations have both strengths and weaknesses. Many studies exist in the literature that focus on other main security requirements, such as authentication, identity management, and confidentiality. However, there is a need for a comprehensive review of different authorization techniques in cyber-physical systems and the Internet of Things. A specific target of this paper is authorization in the cyber-physical system and Internet of Things networks with non-constrained devices in an industrial context with mobility, subcontractors, and autonomous machines that are able to carry out advanced tasks on behalf of others. We study the different authorization techniques using our three-dimensional classification, including access control models, subgranting models, and authorization governance. We focus on the state of the art of authorization subgranting, including delegation techniques by access control/authorization server and self-contained authorization using a new concept of power of attorney. Comparisons are performed with respect to several parameters, such as type of communication, method of authorization, control of expiration, and use of techniques such as public key certificate, encryption techniques, and tokens. The results show the differences and similarities of server-based and power of attorney-based authorization subgranting. The most common standards are also analyzed in light of those classifications.

Published

2021

16. Practical Medical Files Sharing Scheme Based on Blockchain and Decentralized Attribute-Based Encryption

Author

Jiyu Tao and Li Ling

Subjects

Attribute-based encryption, blockchain, medical data sharing, access control, authorization, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Medical files can help people prevent diseases, increase cure rates, promote medical development and help solve major public health crises. However, medical files are strongly private. It is an urgent problem needed to be solved that how to share medical files with privacy and data security. The existing models based on the centralized certificate authority is a feasible method, but it is possible to experience a single point failure. Besides there is a mismatch between the models and real-life scenario since they are only suitable for single patient. Therefore, this paper proposes a practical medical file sharing scheme based on blockchain and decentralized attribute-based encryption. The blockchain is used to record application and grant of authorizations. Smart contracts provide an interactive platform for all users in the system. By utilizing decentralized attribute-based encryption, fine-grained access control of medical files is carried out to ensure privacy and security as well as avoiding single point failure. Attribute-based algorithm that support multi-person democratic decision making and dynamic personnel changes are designed to make the model much closer to the real scene. Finally, through security, performance and comparing analysis with other solutions, the scheme in this paper can meet the needs of real-life scenarios in terms of security and practicability, and provides a new practical model for medical file sharing.

Published

2021

17. Trust Management Systems in Cloud Services Environment: Taxonomy of Reputation Attacks and Defense Mechanisms

Author

Salah T. Alshammari, Khalid Alsubhi, Hani Moaiteq Abdullah Aljahdali, and Ahmed Mohammed Alghamdi

Subjects

Access control, authorization, clouds, databases, information security, online services, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Using cloud data storage, large amounts of data can be stored by data owners in a flexible way and at low cost. Hence, there has been a major increase in online cloud service providers and their users. The privacy and security of data in the cloud computing environment is a major issue. Data privacy can be ensured by using a cryptographic access control method, so that data can only be accessed by authorized customers while keeping it inaccessible to unauthorized users. However, this type of cryptographic approach does not address the issue of trust. An integration between several trust models and cryptographic access control models has been presented in many research papers, the aim of which is to make data stored in cloud storage systems more secure. The objective of this study is to determine a solution that can suitably handle trust issues in access control models to decrease the risk as greater security to cloud storage systems, and the quality of decisions being made by data owners and cloud operators is improved. In this paper, we have presented a taxonomy for trust criteria and reputation attacks in cloud computing. Also, some of the fundamental concepts regarding trust management of services within cloud environments have been presented in this paper, along with the latest technologies. There are three layers in the model, and a series of dimensions are further determined for every layer (which are the assessment criteria), which serve as the benchmark to evaluate many research prototypes of trust models in a cloud computing environment by comparing these criteria when evaluating several trust models in a cloud computing environment. In this paper, a comparison of fifteen representative trust management research samples in cloud computing and the appropriate research domains were also carried out by employing this analytical model.

Published

2021

18. Access Control in Fog Computing: Challenges and Research Agenda

Author

Mohammed A. Aleisa, Abdullah Abuhussein, and Frederick T. Sheldon

Subjects

Access control, attribute-based encryption, authorization, data modification, data ownership, fog computing, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Fog computing is an intermediate computing layer that has emerged to address the latency issues of cloud-based Internet of things (IoT) environments. As a result, new forms of security and privacy threats are emerging. These threats are mainly due to the huge number of sensors, as well as the enormous amount of data generated in IoT environments that needs to be processed in real time. These sensors send data to the cloud through the fog computing layer, creating an additional layer of vulnerabilities. In addition, the cloud by nature is vulnerable because cloud services can be located in different geographical locations and provided by multiple service providers. Moreover, cloud services can be hybrid and public, which exposes them to risks due to their infinite number of anonymous users. Access control (AC) is one of the essential prevention measures to protect data and services in computing environments. Many AC models have been implemented by researchers from academia and industry to address the problems associated with data breaches in pervasive computing environments. However, the question of which AC model(s) should be used to prevent unauthorized access to data remains. The selection of AC models for cloud-based IoT environments is highly dependent on the application requirements and how the AC models can impact the computation overhead. In this paper, we survey the features and challenges of AC models in the fog computing environment. We also discuss the diversity of different AC models. This survey provides the reader with state-of-the-art practices in the field of fog computing AC and helps to identify the existing gaps within the field.

Published

2020

19. A Privacy-Preserving Authentication, Authorization, and Key Agreement Scheme for Wireless Sensor Networks in 5G-Integrated Internet of Things

Author

Sooyeon Shin and Taekyoung Kwon

Subjects

Three-factor authentication, authorization, key agreement, elliptic curve cryptography, anonymity, untraceability, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Wireless sensor networks (WSNs) have played an important role in the Internet of Things (IoT), and the 5G network is being considered as a major candidate for IoT's communication network with the advent of 5G commercialization. The potential of integrating WSNs and 5G in the IoT is expected to allow IoT to penetrate deeply into our daily lives and to provide various services that are convenient, but at the same time, it also brings new security threats. From this aspect, user authentication and key agreement are essential for secure end-to-end communication. As IoT devices, including sensors, collect and process more and more personal information, both anonymous authentication and authorization are also required to protect the privacy and to prevent anyone without privileges from accessing private data. Recently, Adavoudi-Jolfaei et al. proposed an anonymous three-factor authentication and access control scheme for real-time applications in WSNs. However, we found that this scheme does not provide sensor-node anonymity and suffers from user collusion and desynchronization attacks. In this paper, we introduce a system architecture by considering the integration of WSNs and 5G for IoT. Based on a cryptanalysis of Adavoudi-Jolfaei et al.'s scheme and the system architecture, we propose an elliptic curve cryptography (ECC)-based privacy-preserving authentication, authorization, and key agreement scheme for WSNs in 5G-integrated IoT. We conduct a formal and informal security analysis in order to demonstrate that the proposed scheme withstands various security attacks and guarantees all desired security features, overcoming the drawbacks of Adavoudi-Jolfaei et al.'s scheme. Finally, a performance and comparative analysis with the related schemes indicate that the proposed scheme is both efficient and more secure.

Published

2020

20. Single Sign-On: A Solution Approach to Address Inefficiencies During Sign-Out Process

Author

Lokesh Saravanan Ramamoorthi and Dilip Sarkar

Subjects

Authentication, authorization, identity provider, information security, service provider, single sign-on, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

In a Single Sign-on (SSO) environment, an Identity Provider (IDP) authenticates a user for the first Service Provider (SP). The IDP creates an active IDP session and stores its information in the user's web browser. Each SP also creates and maintains one active service session. Using state-transition diagrams, we illustrate sign-in and sign-out processes. An information security vulnerability situation is created because users are unaware of an active IDP session in the user's browser and signs-out only from SP sessions. One solution to this problem is educating users. Another solution is to implement the SSO that ensures the termination of the IDP session as soon as user signs-out from all services that the IDP authenticated. The first solution appears to be simple, but practically an impossible task to educate millions of web based SSO users worldwide. The second solution is better because one good implementation solves the problem for all users. In this article, we propose several solutions for terminating the hidden active IDP session. Also, we review the data storage-methods commonly used for storing information of SP and IDP sessions in the browsers. Moreover, we propose a browser extension for conveniently and efficiently managing active SP and IDP sessions. In our proposed browser extension, we have recommended IndexedDB browser storage for storing active session information. We believe our proposed browser extension is simple, but efficient solution for eliminating hidden active IDP session.

Published

2020

21. An Authorized Public Auditing Scheme for Dynamic Big Data Storage in Cloud Computing

Author

Han Yu, Xiuqing Lu, and Zhenkuan Pan

Subjects

Dynamic auditing, authorization, cloud storage, data security, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Nowadays, to utilize the abundant resources of cloud computing, most enterprise users prefer to store their big data on cloud servers for sharing and utilization. However, storing data in remote cloud servers is out of user's control and exposes to lots of security problems such data availability, unauthorized access and data integrity, among which data integrity is a challenging and urgent task in cloud computing. Many auditing schemes have been proposed to check the integrity of data in cloud, but these schemes usually have some disadvantages. One is that these auditing schemes cannot check which block is corrupt when the data is not integrated. The other is that there's no efficient authenticated data structure helping to achieve accurate auditing when the data needs to update frequently. To solve the problems, we propose a public auditing scheme for dynamic big data storage in cloud computing. Firstly, we design a dynamic index table, in which no elements need to be moved in insertion or deletion update operations. Secondly, when data in cloud is not integrated, the third-party auditor can detect which block is corrupt. Finally, an authorization is employed between the third party and cloud servers to prevent denial of service attack. The theoretical analysis and the simulation results demonstrate that our scheme is more secure and efficient.

Published

2020

22. Block Chain Based Internet of Medical Things for Uninterrupted, Ubiquitous, User-Friendly, Unflappable, Unblemished, Unlimited Health Care Services (BC IoMT U6 HCS)

Author

J. Indumathi, Achyut Shankar, Muhammad Rukunuddin Ghalib, J. Gitanjali, Qiaozhi Hua, Zheng Wen, and Xin Qi

Subjects

Authentication, authorization, availability, block chain, cloud computing, confidential, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

The most burning topic of today, calls for a holistic solution that is reliable, secure, privacy preserved, cost effective Cloud storage that can tide over the turbulent conditions of the rapidly budding digital storage technologies. This send an outcry for a devoted solution, in the form of an individualized, patient-centric care - IoMT that augments precise disease identifications, decrease in errors, reduction in costs of care through the support of technology, allows patients to direct health information data to doctors,manage drugs, keep Personal Health Records, caters to remote medical supports Care, provides proactive approach to preserving Good Health, improves and Accelerates Clinician Workflows, empowers extreme connectivity due to better automation and perceptions in the DNA of IoMT functions. But IoMT adoption is like a rose with thorns like constraints of increased administrative costs, deficiency of universal data access, present-day electronic medical records. The BCT is used in the framework to overcome the security issues of IoMT through the use of latest encryptions. Furthermore, this framework harnesses the benefits of Block Chain like reduced cost, speed, automation, immutability, near-impossible loss of data, permanence, removal of intermediaries, decentralization of consensus, legitimate access to health data, data safekeeping, accrual-based imbursement mechanisms, and medical supply chain efficacy. The outcomes in this paper are (i)A systematic investigation of the current IoMT, Block Chain and Cloud Storage in Health Care;(ii) Explore the challenges and necessities for the confluence of Block Chain (BC), Internet of Medical Things (IoMT), Cloud Computing (CC);(iii)Formulate the requirements necessary for the real-time remote Health Care of one-to-one care structure, which, supports the vital functions that are critical to the Patient Centric Health Care;(iv) Design and develop a novel BC IoMT U6 HCS (Block Chain based Internet of Medical Things for Uninterrupted, Ubiquitous, User-friendly, Unflappable, Unblemished, Unlimited Health Care Services) Layered Architecture, to support the vital functions critical for Patient Centric Health Care and (v) Implement and test with the previous established and proven techniques. The integrity of the Layered Architecture is validated with the already existing ones in terms of audit performances. The results from the Layered Architecture are validated and are proven to be competent in achieving safe auditing and surpass the former ones. The technology is in the sprouting phases, it is perilous that affiliates of the Health Care community realize the rudimentary ideas behind Block Chain, and detect its feasible impact on the future of patient centric medical care. Finally, and most importantly, this paper also gives a panoramic view on the current research status, and imminent directions of Secure Internet of Medical Things Using Block Chain.

Published

2020

23. Privacy-Preserving Cloud Auditing for Multiple Users Scheme With Authorization and Traceability

Author

Xiaodong Yang, Meiding Wang, Ting Li, Rui Liu, and Caifen Wang

Subjects

Authorization, certificateless cryptography, cloud auditing, privacy-preserving, revocation, traceability, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

With the widespread application of cloud storage, users could obtain many conveniences such as low-price data remote storage and flexible data sharing. Considering cloud service provider (CSP) is not full-trusted, lots of cloud auditing schemes are proposed to ensure the shared data security and integrity. However, existing cloud auditing schemes have some security risks, such as user identity disclosure, denial of service attack and single-manager abuse of power. To solve the above issues, we use certificateless signature technology to construct a privacy-preserving cloud auditing scheme for multiple users with authorization and traceability in this paper. Unlike the traditional schemes, our scheme realizes user identity anonymity without group signature and ring signature techniques, which guarantees the tag is compact. Meanwhile, our scheme supports that at least $d$ managers could trace the identity of malicious user collaboratively, which avoids the abuse of single-manager power and provides non-frameability. Furthermore, we introduce an identity authentication process between the third-party auditor (TPA) and the CSP to prevent the denial of service attack. That is, our scheme could solve the problem that anyone can challenge the CSP for the proofs, which averts network congestion and waste of cloud resources. In terms of function, the proposed scheme also supports efficient user revocation from a group. Certificateless cryptography ensures that our scheme does not involve certificate management burden and the key escrow problem. The security analysis shows that our scheme is provably secure against two types of adversaries in the environment of certificateless cryptography. The performance analysis demonstrates that our scheme is efficient

Published

2020

24. Safety-Related Cooperative, Connected, and Automated Mobility Services: Interplay Between Functional and Security Requirements.

Author

Centenaro, Marco, Berlato, Stefano, Carbone, Roberto, Burzio, Gianfranco, Cordella, Giuseppe Faranda, Riggio, Roberto, and Ranise, Silvio

Abstract

Together with the electrification of vehicles, the provision of cooperative, connected, and automated mobility (CCAM) services is a prominent recent trend in the automotive sector. Upcoming car models will be able to exchange messages between themselves and with road traffic authorities by means of vehicle-to-everything (V2X) communication—in particular, leveraging mobile network technologies for the cellular V2X (C-V2X) paradigm. Moreover, (part of) such exchanged messages will be processed as a whole in, e.g., edge computing servers, to generate a global vision of the state of a given stretch of road. CCAM services will exploit vehicular information transport and processing to implement complex maneuvers in a (semi)automatic manner by interacting with the in-car network. [ABSTRACT FROM AUTHOR]

Published

2021

25. SILedger: A Blockchain and ABE-based Access Control for Applications in SDN-IoT Networks.

Author

Ren, Wei, Sun, Yan, Luo, Hong, and Guizani, Mohsen

Abstract

The Software Defined Network in Internet of Things (SDN-IoT) is enjoying growing popularity due to its flexibility, automaticity and programmability. However, there is still a lack of proper permission management on SDN-IoT applications (SIApps), especially when the SIApp’s required northbound interfaces are located in multiple heterogeneous controllers without mutual trust. Existing access control methods are usually based on centralized models, proprietary controllers, trusting conditions or manual operations. It can incur unnecessary performance degradation and poor scalability. To solve this problem, this paper proposes a SIApps’ ledger (SILedger), an open, trusted, and decentralized access control mechanism based on blockchain and attribute-based encryption (ABE). It can not only support effective authorization of SIApps in heterogeneous and untrusted SDN-IoT control domains, but also record all interactions between SIApps and resources, and thus facilitate SIApps further charging, analysis and audit. The main idea is that the SIApps are authorized using access tokens encrypted by ABE, and these tokens are seen as the currency of blockchain to be distributed. Specifically, we re-design blockchain transaction, token encryption, token initialization and token update schemes to achieve cross-domain, fine-grained and flexible SIApps’ permission management. In order to mitigate the delay and complexity problem of blockchain and ABE, we devise an access control framework that separates authorization from call process of SIApps. Finally, we perform security analysis and implement a FISCO-BCOS-based prototype for SILedger. The experimental results show that it can provide effective access control for SIApps with negligible overheads. [ABSTRACT FROM AUTHOR]

Published

2021

26. Delegated Authorization Framework for EHR Services Using Attribute-Based Encryption.

Author

Joshi, Maithilee, Joshi, Karuna P., and Finin, Tim

Abstract

Medical organizations find it challenging to adopt cloud-based Electronic Health Records (EHR) services due to the risk of data breaches and the resulting compromise of patient data. Existing authorization models follow a patient-centric approach for EHR management, where the responsibility of authorizing data access is handled at the patients end. This creates a significant overhead for the patient who must authorize every access of their health record. This is not practical given that multiple personnel are typically involved in providing care and that the patient may not always be in a state to provide this authorization. Hence there is a need to develop a proper authorization delegation mechanism for safe, secure and easy to use cloud-based EHR Service management. We present a novel, centralized, attribute-based authorization mechanism that uses Attribute Based Encryption (ABE) and allows for delegated secure access of patient records. This mechanism transfers the service management overhead from the patient to the medical organization and allows easy delegation of cloud-based EHRs access authority to medical providers. [ABSTRACT FROM AUTHOR]

Published

2021

27. PP-CSA: A Privacy-Preserving Cloud Storage Auditing Scheme for Data Sharing.

Author

Xu, Yan, Ding, Long, Cui, Jie, Zhong, Hong, and Yu, Jia

Abstract

Data sharing is one important service provided by cloud storage. In order to share data conveniently and securely, Shen et al. proposed a cloud storage auditing scheme for data sharing, which uses the sanitizable signature to hide sensitive information. However, it may cause unauthorized access to the data, since anyone can access the data stored on the cloud server. This article proposes a privacy-preserving cloud storage auditing (PP-CSA) scheme for data sharing, where only authorized users can access the data. Furthermore, PP-CSA adopts the Diffie–Hellman protocol to avoid the secure channel between the data owner and the sanitizer. Finally, the security analysis and the experimental results prove that the security and efficiency of PP-CSA can be accepted. [ABSTRACT FROM AUTHOR]

Published

2021

28. Private Set Intersection With Authorization Over Outsourced Encrypted Datasets.

Author

Wang, Yuanhao, Huang, Qiong, Li, Hongbo, Xiao, Meiyan, Ma, Sha, and Susilo, Willy

Abstract

Thanks to its convenience and cost-savings feature, cloud computing ushers a new era. Yet its security and privacy issues must not be neglected. Private set intersection (PSI) is useful and important in many cloud computing applications, such as document similarity, genetic paternity and data mining. The cloud server performs intersection operations on two outsourced encrypted datasets of data owners. In the existing protocols, however, data owners cannot decide whether to use all or part of their encrypted data to compute the intersection, nor can they specify whom to compare with. In this paper, we introduce an enhanced notion of outsourced PSI, called authorized PSI (APSI), which supports flexible authorization and cross-type authorized comparison of datasets. To demonstrate this notion, we propose a concrete APSI protocol, and prove it to be secure in the random oracle model based on simple number-theoretic assumptions. Experimental results show that our APSI protocol has performance comparable with existing related outsourced PSI protocols. [ABSTRACT FROM AUTHOR]

Published

2021

29. A Scalable and Secure Publish/Subscribe-Based Framework for Industrial IoT.

Author

Amoretti, Michele, Pecori, Riccardo, Protskaya, Yanina, Veltri, Luca, and Zanichelli, Francesco

Abstract

In the emerging industrial Internet of Things (IIoT) scenario, machine-to-machine communication is a key technology to set up environments, wherein sensors, actuators, and controllers can exchange information autonomously. However, many current communication frameworks do not provide enough dynamic interoperability and security. Hence, in this article, we propose a novel communication framework based on Message Queuing Telemetry Transport (MQTT) broker bridging, which, in an IIoT scenario, can foster dynamic interoperability across different production lines or industrial sites, guaranteeing, at the same time, a higher degree of isolation and control over the information flows, thereby increasing the overall security of the whole scenario. The solution we propose also supports dynamic authentication and authorization and has been practically implemented and evaluated in a proper small-scale IIoT testbed, encompassing PLCs, IIoT gateways, and MQTT brokers with novel and extended capabilities. The evaluation results demonstrate a linear time complexity for all the considered implementations and bridging modes of the extended brokers. Moreover, all considered access token encapsulation techniques demonstrate a minimum overhead in comparison with standard MQTT brokers. [ABSTRACT FROM AUTHOR]

Published

2021

30. An Attribute-Based Access Control for Cloud Enabled Industrial Smart Vehicles.

Author

Gupta, Maanak, Awaysheh, Feras M., Benson, James, Alazab, Mamoun, Patwa, Farhan, and Sandhu, Ravi

Abstract

Smart cities’ vision will encompass connected industrial vehicles, which will offer data-driven and intelligent services to the user. Such interaction within dispersed connected objects are sometimes referred as the industrial Internet-of-Vehicles (IIoV). The prime motivation of an intelligent transportation system (ITS) is ensuring the safety of the drivers and offering a comfortable experience to the user. However, such complex infrastructures opens broad attack surfaces to the adversaries, which can remotely exploit and control the critical mechanics in the smart vehicles, including engine and brake systems. Security and privacy concerns are significant barriers to the wide adoption of this revolutionary technology that has to be addressed before a comprehensive implementation of the real vision of ITS. This article is a stepping stone to address access control issues in the IIoV ecosystem and propose a formal attribute-based access control system (referred to ITS-ABAC $\mathrm{_G}$). The proposed model introduces the notion of groups, which are assigned to various smart entities based on the different attributes. It also offers the implementation of fine-grained security policies and considers individualized privacy preferences along with system-wide policies to accept or reject notification, alerts, and advertisements from different participating smart entities. We present the prototype implementation of our proposed model in the Amazon Web Services IoT platform together with extensive performance to reflect the practicality and wide-scale adoption of the proposed system. [ABSTRACT FROM AUTHOR]

Published

2021

31. Digital Twins for Intelligent Authorization in the B5G-Enabled Smart Grid.

Author

Lopez, Javier, Rubio, Juan E., and Alcaraz, Cristina

Abstract

Beyond fifth generation (B5G) communication networks and computation paradigms in the edge are expected to be integrated into power grid infrastructures over the coming years. In this sense, AI technologies will play a fundamental role to efficiently manage dynamic information flows of future applications, which impacts the authorization policies applied in such a complex scenario. This article studies how digital twins can evolve their context awareness capabilities and simulation technologies to anticipate faults or to detect cyber-security issues in real time, and update access control policies accordingly. Our study analyzes the evolution of monitoring platforms and architecture decentralization, including the application of machine learning and blockchain technologies in the smart grid, toward the goal of implementing autonomous and self-learning agents in the medium and long term. We conclude this study with future challenges on applying digital twins to B5G-based smart grid deployments. [ABSTRACT FROM AUTHOR]

Published

2021

32. Kollector: Detecting Fraudulent Activities on Mobile Devices Using Deep Learning.

Author

Sun, Lichao, Cao, Bokai, Wang, Ji, Srisa-an, Witawas, Yu, Philip S., Leow, Alex D., and Checkoway, Stephen

Subjects

DEEP learning, DATA privacy, SMARTPHONES, KEYBOARDS (Electronics), ERROR rates, IMPERSONATION, DECISION making

Abstract

With the rapid growth in smartphone usage, preventing leakage of personal information and privacy has become a challenging task. One major consequence of such leakage is impersonation. This type of illegal usage is nearly impossible to prevent as existing preventive mechanisms (e.g., passcode and fingerprinting), are not capable of continuously monitoring usage and determining whether the user is authorized. Once unauthorized users can defeat the initial protection mechanisms, they would have full access to the devices including using stored passwords to access high-value websites. We present Kollector, a new framework to detect impersonation based on a multi-view bagging deep learning approach to capture sequential tapping information on the smart-phone's keyboard. We construct a sequential-tapping biometrics model to continuously authenticate the user while typing. We empirically evaluated our system using real-world phone usage sessions from 26 users over eight weeks. We then compared our model against commonly used shallow machine techniques and find that our system performs better than other approaches and can achieve an 8.42 percent equal error rate, a 94.24 percent accuracy and a 94.41 percent H-mean using only the accelerometer and only five keyboard taps. We also experiment with using only three keyboard taps and find that the system still yields high accuracy while giving additional opportunities to make more decisions that can result in more accurate final decisions. [ABSTRACT FROM AUTHOR]

Published

2021

33. Expressive Policy-Based Access Control for Resource-Constrained Devices

Author

Mikel Uriarte, Jasone Astorga, Eduardo Jacob, Maider Huarte, and Manuel Carnerero

Subjects

Access control model, authorization, resource-constrained device, expressive policy language, least privilege, message exchange protocol, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Upcoming smart scenarios enabled by the Internet of Things envision smart objects that expose services that can adapt to user behavior or be managed with the goal of achieving higher productivity, often in multi-stakeholder applications. In such environments, smart things are cheap sensors (and actuators) and, therefore, constrained devices. However, they are also critical components because of the importance of the provided information. Therefore, strong security is a must. Nevertheless, existing feasible approaches do not cope well with the principle of least privilege; they lack both expressiveness and the ability to update the policy to be enforced in the sensors. In this paper, we propose an access control model that comprises a policy language that provides dynamic fine-grained policy enforcement in the sensors based on local context conditions. This dynamic policy cycle requires a secure, efficient, and traceable message exchange protocol. For that purpose, a security protocol called Hidra is also proposed. A security and performance evaluation demonstrates the feasibility and adequacy of the proposed protocol and access control model.

Published

2018

34. Killing the Password and Preserving Privacy With Device-Centric and Attribute-Based Authentication.

Author

Papadamou, Kostantinos, Gevers, Steven, Xenakis, Christos, Sirivianos, Michael, Zannettou, Savvas, Chifor, Bogdan, Teican, Sorin, Gugulea, George, Caponi, Alberto, Recupero, Annamaria, Pisa, Claudio, and Bianchi, Giuseppe

Abstract

Current authentication methods on the Web have serious weaknesses. First, services heavily rely on the traditional password paradigm, which diminishes the end-users’ security and usability. Second, the lack of attribute-based authentication does not allow anonymity-preserving access to services. Third, users have multiple online accounts that often reflect distinct identity aspects. This makes proving combinations of identity attributes hard on the users. In this paper, we address these weaknesses by proposing a privacy-preserving architecture for device-centric and attribute-based authentication based on: 1) the seamless integration between usable/strong device-centric authentication methods and federated login solutions; 2) the separation of the concerns for Authorization, Authentication, Behavioral Authentication and Identification to facilitate incremental deployability, wide adoption and compliance with NIST assurance levels; and 3) a novel centralized component that allows end-users to perform identity profile and consent management, to prove combinations of fragmented identity aspects, and to perform account recovery in case of device loss. To the best of our knowledge, this is the first effort towards fusing the aforementioned techniques under an integrated architecture. This architecture effectively deems the password paradigm obsolete with minimal modification on the service provider’s software stack. [ABSTRACT FROM AUTHOR]

Published

2020

35. Fast Authentication and Progressive Authorization in Large-Scale IoT: How to Leverage AI for Security Enhancement.

Author

Fang, He, Qi, Angie, and Wang, Xianbin

Subjects

*ADAPTIVE control systems, *ARTIFICIAL intelligence, *CLASSROOM learning centers, *INTERNET of things, *COMPUTATIONAL complexity

Abstract

Security provisioning has become the most important design consideration for large-scale Internet of Things (IoT) systems due to their critical roles in supporting diverse vertical applications by connecting heterogenous devices, machines, and industry processes. Conventional authentication and authorization schemes are insufficient to overcome the emerging IoT security challenges due to their reliance on both static digital mechanisms and computational complexity for improving security levels. Furthermore, the isolated security designs for different layers and link segments while ignoring the overall protection leads to cascaded security risks as well as growing communication latency and overhead. In this article, we envision new artificial intelligence (AI)-enabled security provisioning approaches to overcome these issues while achieving fast authentication and progressive authorization. To be more specific, a lightweight intelligent authentication approach is developed by exploring machine learning at the base station to identify the prearranged access time sequences or frequency bands or codes used in IoT devices. Then we propose a holistic authentication and authorization approach, where online machine learning and trust management are adopted for achieving adaptive access control. These new AI-enabled approaches establish the connections between transceivers quickly and enhance security progressively so that communication latency can be reduced and security risks are well controlled in large-scale IoT systems. Finally, we outline several areas for AI-enabled security provisioning for future research. [ABSTRACT FROM AUTHOR]

Published

2020

36. Authentic Caller: Self-Enforcing Authentication in a Next-Generation Network.

Author

Azad, Muhammad Ajmal, Bag, Samiran, Perera, Charith, Barhamgi, Mahmoud, and Hao, Feng

Abstract

The Internet of Things (IoT) or the cyber-physical system (CPS) is the network of connected devices, things, and people that collect and exchange information using the emerging telecommunication networks (4G, 5G IP-based LTE). These emerging telecommunication networks can also be used to transfer critical information between the source and destination, informing the control system about the outage in the electrical grid, or providing information about the emergency at the national express highway. This sensitive information requires authorization and authentication of source and destination involved in the communication. To protect the network from unauthorized access and to provide authentication, the telecommunication operators have to adopt the mechanism for seamless verification and authorization of parties involved in the communication. Currently, the next-generation telecommunication networks use a digest-based authentication mechanism, where the call-processing engine of the telecommunication operator initiates the challenge to the request-initiating client or caller, which is being solved by the client to prove his credentials. However, the digest-based authentication mechanisms are vulnerable to many forms of known attacks, e.g., the man-in-the-middle (MITM) attack and the password guessing attack. Furthermore, the digest-based systems require extensive processing overheads. Several public-key infrastructure (PKI)-based and identity-based schemes have been proposed for the authentication and key agreements. However, these schemes generally require a smart card to hold long-term private keys and authentication credentials. In this article, we propose a novel self-enforcing authentication protocol for the session-initiation-protocol-based next-generation network, based on a low-entropy shared password without relying on any PKI or the trusted third party system. The proposed system shows effective resistance against various attacks, e.g., MITM, replay attack, password guessing attack, etc. We analyze the security properties of the proposed scheme in comparison to the state of the art. [ABSTRACT FROM AUTHOR]

Published

2020

37. Flexible Wildcard Searchable Encryption System.

Author

Yang, Yang, Liu, Ximeng, Deng, Robert H., and Weng, Jian

Abstract

Searchable encryption is an important technique for public cloud storage service to provide user data confidentiality protection and at the same time allow users performing keyword search over their encrypted data. Previous schemes only deal with exact or fuzzy keyword search to correct some spelling errors. In this paper, we propose a new wildcard searchable encryption system to support wildcard keyword queries which has several highly desirable features. First, our system allows multiple keywords search in which any queried keyword may contain zero, one or two wildcards, and a wildcard may appear in any position of a keyword and represent any number of symbols. Second, it supports simultaneous search on multiple data owner's data using only one trapdoor. Third, it provides flexible user authorization and revocation to effectively manage search and decryption privileges. Fourth, it is constructed based on homomorphic encryption rather than Bloom filter and hence completely eliminates the false probability caused by Bloom filter. Finally, it achieves a high level of privacy protection since matching results are unknown to the cloud server in the test phase. The proposed system is thoroughly analyzed and is proved secure. Extensive experimental results indicate that our system is efficient compared with other existing wildcard searchable encryption schemes in the public key setting. [ABSTRACT FROM AUTHOR]

Published

2020

38. Adaptive Trust Management for Soft Authentication and Progressive Authorization Relying on Physical Layer Attributes.

Author

Fang, He, Wang, Xianbin, and Hanzo, Lajos

Subjects

*TRUST, *SELF-efficacy, *ALGORITHMS, *RADIO transmitters & transmission, *TRANSMITTERS (Communication)

Abstract

Conventional authentication mechanisms routinely used for validating communication devices are facing significant challenges. This is mainly due to their reliance on both ‘spoofable’ digital credentials and static binary characteristic, and inevitable misdetection in physical layer authentication using time-varying attributes, leading to the cascading risks of security and trust. To circumvent these impediments, we develop an adaptive trust management based soft authentication and progressive authorization scheme by intelligently exploiting the time-varying communication link-related attribute of the transmitter to improve wireless security. First of all, the trust relationship between the transmitter and receiver is established based on the evaluation of selected physical layer attribute for fast authentication and multiple-level authorization. Through the designed trust model, the transmitter is authorized by the specific level of services/resources corresponding to its trust level, so that soft security is achieved. To dynamically update the trust level of the transmitter, we propose an online conformal prediction-based adaptive trust adjustment algorithm relying on the real-time validation of its attribute estimates at the receiver, thus resulting in progressive authorization. The performance of our scheme is theoretically analyzed in terms of its individual risk and individual satisfaction. Our simulation results demonstrate that the proposed scheme significantly improves the security performance and robustness in time-varying environments, and performs better than the static binary authentication scheme and existing physical layer authentication benchmarker. [ABSTRACT FROM AUTHOR]

Published

2020

39. Cryptographic Attribute-Based Access Control (ABAC) for Secure Decision Making of Dynamic Policy With Multiauthority Attribute Tokens.

Author

Zhu, Yan, Yu, Ruyun, Ma, Di, and Cheng-Chung Chu, William

Subjects

*DECISION making, *ACCESS control, *CRYPTOCURRENCIES, *NATIONAL security, *PRICE markup

Abstract

This article aims to establish a cryptographic solution to improve security and reliability of the National Institute of Standards and Technology's attribute-based access control (ABAC) model. By breaking down the existing structure of attribute-based encryption, we propose a new cryptographic ABAC (C-ABAC) framework with dynamic policy authorization and real-time attribute credentials. Moreover, a practical C-ABAC construction is proposed to support provable policy decision making and verifiable attribute Tokens among multiple distributed authorities. In this construction, we develop a concrete approach of generating a cryptographic policy from access control markup language. We also prove that attribute Token has existential unforgeability under chosen-attribute and chosen-nonce attacks, and the cryptographic policy is existentially unforgeable under chosen-object attack. In addition, our C-ABAC construction provides semantic security against chosen-plaintext attack with Token and policy queries under the extended general Diffie–Hellman exponent assumption. Finally, we evaluate the performance of the C-ABAC system according to complexity analysis and experimental results. The results show that the C-ABAC system is reliable and easy to implement. [ABSTRACT FROM AUTHOR]

Published

2019

40. The Informativeness of $k$ -Means for Learning Mixture Models.

Author

Liu, Zhaoqiang and Tan, Vincent Y. F.

Subjects

*GAUSSIAN distribution, *CLUSTER sampling

Abstract

The learning of mixture models can be viewed as a clustering problem. Indeed, given data samples independently generated from a mixture of distributions, we often would like to find the correct target clustering of the samples according to which component distribution they were generated from. For a clustering problem, practitioners often choose to use the simple $k$ -means algorithm. $k$ -means attempts to find an optimal clustering which minimizes the sum-of-squares distance between each point and its cluster center. In this paper, we consider fundamental (i.e., information-theoretic) limits of the solutions (clusterings) obtained by optimizing the sum-of-squares distance. In particular, we provide sufficient conditions for the closeness of any optimal clustering and the correct target clustering assuming that the data samples are generated from a mixture of spherical Gaussian distributions. We also generalize our results to log-concave distributions. Moreover, we show that under similar or even weaker conditions on the mixture model, any optimal clustering for the samples with reduced dimensionality is also close to the correct target clustering. These results provide intuition for the informativeness of $k$ -means (with and without dimensionality reduction) as an algorithm for learning mixture models. [ABSTRACT FROM AUTHOR]

Published

2019

41. BGP with BGPsec: Attacks and Countermeasures.

Author

Li, Qi, Liu, Jiajia, Hu, Yih-Chun, Xu, Mingwei, and Wu, Jianping

Subjects

*COMPUTER security vulnerabilities, *INTERNET

Abstract

The BGP suffers from numerous security vulnerabilities, for example, fake routing updates incurring traffic hijacking and interception. The BGPsec protocol is supposed to fix these vulnerabilities by attesting routing updates. Although the BGP security problem has been extensively studied, the security of BGP with BGPsec is not well studied yet. We argue that even secured with BGPsec, BGP still has inherent security vulnerabilities. In particular, traffic can still be hijacked. In this article, we systematically study the vulnerabilities of BGP with BGPsec. We find that the protocol still cannot achieve the desired security guarantee of inter-domain routing. In particular, it is unable to ensure correct packet delivery on the Internet. We measure the impacts of the vulnerabilities by using a real data trace, and discuss enhancements to the design and the implementation of the secure BGP protocol, which allows BGP to achieve strong secure inter-domain routing. [ABSTRACT FROM AUTHOR]

Published

2019

42. Security Middleground for Resource Protection in Measurement Infrastructure-as-a-Service.

Author

Akella, Ravi, Debroy, Saptarshi, Calyam, Prasad, Berryman, Alex, Zhu, Kunpeng, and Sridharan, Mukundan

Abstract

Securing multi-domain network performance monitoring (NPM) systems that are being widely deployed as 'Measurement Infrastructure-as-a-Service' (MIaaS) in high-performance computing is becoming increasingly critical. It presents an emerging set of research challenges in cloud security given that security mechanisms such as policy-driven access to federated NPM services across multiple domains need to be designed carefully to protect MIaaS resources and data. In this paper, we advocate the design of a security middleground between default open/closed access settings and present policy-driven access controls of measurement functions for a multi-domain federation using a MIaaS. Our approach involves an analytical investigation based on a set of custom metrics to compare and contrast the legacy, role-based and more fine-grained, attribute-based access control schemes to design a security middleground. We implement the chosen middleground with a secured middleware, viz., "OnTimeSecure". Our middleware enables 'user-to-service' and 'service-to-service' authentication, and enforces federated authorization entitlement policies for timely orchestration of MIaaS services. Lastly, we evaluate OnTimeSecure in a real multi-domain MIaaS testbed by performing threat modeling and security risk assessments to validate the analysis outcomes and demonstrate its effectiveness for easy integration and sustainable adoption. [ABSTRACT FROM AUTHOR]

Published

2019

43. Overview of Device Access Control in the IoT and its Challenges.

Author

Beltran, V. and Skarmeta, A. F.

Subjects

*INTERNET of things, *ACCESS control, *CLIENT/SERVER computing, *MESSAGE authentication codes, *DENIAL of service attacks

Abstract

Access control is a building block for the overall security of any communication system. When it comes to device-to-device communication, decentralized approaches for access control will allow governing a mass of devices in a scalable mode. Common understanding and standardization of application-level access control is also primordial for the incoming era of cooperating devices in the IoT. This article introduces different architectural models for decentralized device access control, their security requirements and implications. [ABSTRACT FROM AUTHOR]

Published

2019

44. Specification and Verification of Separation of Duty Constraints in Attribute-Based Access Control.

Author

Jha, Sadhana, Sural, Shamik, Atluri, Vijayalakshmi, and Vaidya, Jaideep

Abstract

Constraints form an important aspect of any access control system and are often regarded as one of the principle motivations behind developing different access control models. The two primary concerns related to a constraint are its specification and enforcement. Among the various types of constraints, enforcement of the Separation of Duty (SoD) constraint is considered to be the most important in commercial applications. In this paper, we introduce the problem of SoD specification, verification, and enforcement in attribute-based access control (ABAC) systems. We then demonstrate the effect of modifications in the different components of ABAC on enforcement. We also analyze the complexity of the enforcement problem and provide a methodology for solving it. Experiments on a wide range of data sets show encouraging results. [ABSTRACT FROM PUBLISHER]

Published

2018

45. Policy-Controlled Authenticated Access to LLN-Connected Healthcare Resources.

Author

Rantos, Konstantinos, Fysarakis, Konstantinos, Manifavas, Charalampos, and Askoxylakis, Ioannis G.

Abstract

Ubiquitous devices comprising several resource-constrained nodes with sensors, actuators, and networking capabilities are becoming part of many solutions that seek to enhance user's environment smartness and quality of living, prominently including enhanced healthcare services. In such an environment, security issues are of primary concern as a potential resource misuse can severely impact user's privacy or even become life threatening. Access to these resources should be appropriately controlled to ensure that eHealth nodes are adequately protected and the services are available to authorized entities. The intrinsic resource limitations of these nodes, however, make satisfying these requirements a great challenge. This paper proposes and analyzes a service-oriented architecture that provides a policy-based, unified, cross-platform, and flexible access control mechanism, allowing authorized entities to consume services provided by eHealth nodes while protecting their valuable resources. The scheme is XACML driven, although modifications to the related standardized architecture are proposed to satisfy the requirements imposed by nodes that comprise low-power and lossy networks (LLNs). A proof-of-concept implementation is presented, along with the associated performance evaluation, confirming the feasibility of the proposed approach. [ABSTRACT FROM PUBLISHER]

Published

2018

46. MEICAN: Simplifying DCN Life-Cycle Management from End-User and Operator Perspectives in Inter-Domain Environments.

Author

Wickboldt, Juliano Araujo, Guerreiro, Mauricio Quatrin, Granville, Lisandro Zambenedetti, Gaspary, Luciano Paschoal, Schwarz, Marcos Felipe, Guok, Chin, Chaniotakis, Vangelis, Lake, Andrew, and MacAuley, and John

Subjects

*COMPUTER network management, *NATIONAL Research & Education Network (Computer network), *VIRTUAL circuits, *COMPUTER network laws, *PRODUCT life cycle

Abstract

National research and education networks (NRENs), such as ESnet, G?ANT, and RNP, currently promote the employment of dynamic circuit networks (DCNs) to improve scientific communications beyond the capabilities of today's Internet. In spite of their alleged benefits to materialize user-initiated, ad hoc dedicated end-to-end circuits for high-demanding applications, DCNs also pose important challenges. Two examples are dealing with the end-user's lack of ability or willingness to understand low-level technicalities of virtual circuit establishment, and accommodating NRENs' local policies throughout the life-cycle of DCN. In this article, we seek to improve the usability of DCN services with a focus on the inexperienced end-user and the skilled network operator alike. We introduce MEICAN, a platform to manage the life-cycle of DCN from definition to provisioning of virtual circuits. We also present a case study of inter-domain circuit reservation with mixed manual and automated policy checking, and discuss lessons learned, relevant challenges, and open issues still to be overcome. [ABSTRACT FROM PUBLISHER]

Published

2018

47. SecRBAC: Secure data in the Clouds.

Author

Marin Perez, Juan M., Perez, Gregorio Martinez, and Gomez-Skarmeta, Antonio F.

Abstract

Most current security solutions are based on perimeter security. However, Cloud computing breaks the organization perimeters. When data resides in the Cloud, they reside outside the organizational bounds. This leads users to a loos of control over their data and raises reasonable security concerns that slow down the adoption of Cloud computing. Is the Cloud service provider accessing the data? Is it legitimately applying the access control policy defined by the user? This paper presents a data-centric access control solution with enriched role-based expressiveness in which security is focused on protecting user data regardless the Cloud service provider that holds it. Novel identity-based and proxy re-encryption techniques are used to protect the authorization model. Data is encrypted and authorization rules are cryptographically protected to preserve user data against the service provider access or misbehavior. The authorization model provides high expressiveness with role hierarchy and resource hierarchy support. The solution takes advantage of the logic formalism provided by Semantic Web technologies, which enables advanced rule management like semantic conflict detection. A proof of concept implementation has been developed and a working prototypical deployment of the proposal has been integrated within Google services. [ABSTRACT FROM PUBLISHER]

Published

2017

48. Privacy-Preserving Multikeyword Similarity Search Over Outsourced Cloud Data.

Author

Yu, Chia-Mu, Chen, Chi-Yuan, and Chao, Han-Chieh

Abstract

The amount of data generated by individuals and enterprises is rapidly increasing. With the emerging cloud computing paradigm, the data and corresponding complex management tasks can be outsourced to the cloud for the management flexibility and cost savings. Unfortunately, as the data could be sensitive, the direct data outsourcing would have the problem of privacy leakage. The encryption can be used, before the data outsourcing, with the concern that the operations can still be accomplished by the cloud. We consider the multikeyword similarity search over outsourced cloud data. In particular, with the consideration of the text data only, multiple keywords are specified by the user. The cloud returns the files containing more than a threshold number of input keywords or similar keywords, where the similarity here is defined according to the edit distance metric. We propose three solutions, where blind signature provides the user access privacy, and a novel use of Bloom filter's bit pattern provides the speedup of search task at the cloud side. Our final design to achieve the search is secure against insider threats and efficient in terms of the search time at the cloud side. Performance evaluation and analysis are used to demonstrate the practicality of our proposed solutions. [ABSTRACT FROM PUBLISHER]

Published

2017

49. CABA: Continuous Authentication Based on BioAura.

Author

Mosenia, Arsalan, Sur-Kolay, Susmita, Raghunathan, Anand, and Jha, Niraj K.

Subjects

*COMPUTER access control, *BIOMETRIC identification, *MACHINE learning, *WEARABLE technology, *DETECTORS, *MEDICAL equipment

Abstract

Most computer systems authenticate users only once at the time of initial login, which can lead to security concerns. Continuous authentication has been explored as an approach for alleviating such concerns. Previous methods for continuous authentication primarily use biometrics, e.g., fingerprint and face recognition, or behaviometrics, e.g., key stroke patterns. We describe CABA, a novel continuous authentication system that is inspired by and leverages the emergence of sensors for pervasive and continuous health monitoring. CABA authenticates users based on their BioAura, an ensemble of biomedical signal streams that can be collected continuously and non-invasively using wearable medical devices. While each such signal may not be highly discriminative by itself, we demonstrate that a collection of such signals, along with robust machine learning, can provide high accuracy levels. We demonstrate the feasibility of CABA through analysis of traces from the MIMIC-II dataset. We propose various applications of CABA, and describe how it can be extended to user identification and adaptive access control authorization. Finally, we discuss possible attacks on the proposed scheme and suggest corresponding countermeasures. [ABSTRACT FROM AUTHOR]

Published

2017

50. Secure Real-Time Monitoring and Management of Smart Distribution Grid Using Shared Cellular Networks.

Author

Nielsen, Jimmy J., Ganem, Herve, Jorguseski, Ljupco, Alic, Kemal, Smolnikar, Miha, Zhu, Ziming, Pratas, Nuno K., Golinski, Michal, Zhang, Haibin, Kuhar, Urban, Fan, Zhong, and Svigelj, Ales

Abstract

Electricity production and distribution is facing two major changes. First, production is shifting from classical energy sources such as coal and nuclear power toward renewable resources such as solar and wind. Second, consumption in the low voltage grid is expected to grow significantly due to the expected introduction of electrical vehicles. The first step toward more efficient operational capabilities is to introduce an observability of the distribution system and allow for leveraging the flexibility of end connection points with manageable consumption, generation, and storage capabilities. Thanks to advanced measurement devices, management framework, and secure communication infrastructure developed in the FP7 SUNSEED project, the distribution system operator (DSO) now has full observability of the energy flows in the medium/low voltage grid. Furthermore, the prosumers are able to participate pro-actively and coordinate with the DSO and other stakeholders in the grid. The monitoring and management functionalities have strong requirements for communication latency, reliability, and security. This article presents novel solutions and analyses of these aspects for the SUNSEED scenario, where smart grid ICT solutions are pr [ABSTRACT FROM PUBLISHER]

Published

2017