Your search keyword '"COMPUTER access control"' showing total 1,674 results

1. Light Weight Authentication Scheme for Smart Home IoT Devices.

Author

Kumar, Vipin, Malik, Navneet, Singla, Jimmy, Jhanjhi, N. Z., Amsaad, Fathi, and Razaque, Abdul

Subjects

*COMPUTER access control, *COMPUTER networks, *COMPUTER science, *COMPUTER security, *QUANTUM computers

Abstract

In today's world, the use of computer networks is everywhere, and to access the home network we use the Internet. IoT networks are the new range of these networks in which we try to connect different home appliances and try to give commands from a remote place. Access to any device over an insecure network invites various types of attacks. User authentication can be performed using some password or biometric technique. However, when it comes to authenticating a device, it becomes challenging to maintain data security over a secure network such as the Internet. Many encryptions and decryption algorithms assert confidentiality, and hash code or message authentication code MAC is used for authentication. Traditional cryptographic security methods are expensive in terms of computational resources such as memory, processing capacity, and power consumption. They are incompatible with the Internet of Things devices that have limited resources. Although automatic Device-to-Device communication enables new potential applications, the limited resources of the networks' machines and devices impose various constraints. This paper proposes a home device authentication scheme when these are accessed from a remote place. An authentication device is used for the home network and controller device to control home appliances. Our scheme can prevent various attacks such as replay attacks, server spoofing, and man-in-the-middle attack. The proposed scheme maintains the confidentiality and authenticity of the user and devices in the network. At the same time, we check the system in a simulated environment, and the results show that the network's performance does not degrade much in terms of delay, throughput, and energy consumed. [ABSTRACT FROM AUTHOR]

Published

2022

2. Lightweight and Secure Mutual Authentication Scheme for IoT Devices Using CoAP Protocol.

Author

Oliver, S. Gladson and Purusothaman, T.

Subjects

COMPUTER access control, VIRTUAL networks, INTERNET of things, DENIAL of service attacks, COMPUTER science

Abstract

Internet of things enables every real world objects to be seamlessly integrated with traditional internet. Heterogeneous objects of real world are enhanced with capability to communicate, computing capabilities and standards to interoperate with existing network and these entities are resource constrained and vulnerable to various security attacks. Huge number of research works are being carried out to analyze various possible attacks and to propose standards for securing communication between devices in internet of things (IoT). In this article, a robust and lightweight authentication scheme for mutual authentication between client and server using constrained application protocol is proposed. Internet of things enables devices with different characteristics and capabilities to be integrated with internet. These heterogeneous devices should interoperate with each other to accumulate, process and transmit data for facilitating smart services. The growth of IoT applications leads to the rapid growth of IoT devices incorporated to the global network and network traffic over the traditional network. This scheme greatly reduces the authentication overhead between the devices by reducing the packet size of messages, number of messages transmitted and processing overhead on communicating devices. Efficiency of this authentication scheme against attacks such as DoS (denial of service), replay attacks and attacks to exhaust the resources are also examined. Message transmission time reduced upto 50% of using proposed techniques. [ABSTRACT FROM AUTHOR]

Published

2022

3. ARE YOU WHO YOU SAY YOU ARE? COMPUTER SCIENCE AND THE PROBLEM OF DIVINE SELF‐AUTHENTICATION.

Subjects

*COMPUTER access control, *REFORMED Church doctrines, *REFLECTION (Philosophy), *HOLY Spirit, *DECEPTION

Abstract

A vital axiom of Reformed theology is that God is who God claims to be, and that he acts to "self‐authenticate" his identity to humans through the internal witness of the Holy Spirit. But how ought theologians to represent and make sense of the multiform nature of divine self‐authentication (DSA)? And can their models account for the various kinds of evidence God utilizes in acts of DSA, or explain why doubt and deception about divine identity persists despite it? Operating at the intersection of theology and computer science, this study examines how modern authentication technologies can deepen theological reflection upon the nature, evidence, and efficacy of DSA. It proposes that computer authentication "trust systems": (1) offer a valuable schematic for representing the variegated structural patterns inherent in DSA; (2) shed critical light on the forms and functions of evidence used in DSA; and (3) provide strategies and practical measures for offsetting the continuing risk of deception about human and divine identity. [ABSTRACT FROM AUTHOR]

Published

2022

4. Fine with "1234"? An Analysis of SMS One-Time Password Randomness in Android Apps.

Author

Siqi Ma, Juanru Li, Hyoungshick Kim, Bertino, Elisa, Nepal, Surya, Ostry, Diethelm, and Cong Sun

Subjects

MOBILE apps, COMPUTER access control, ARTIFICIAL intelligence, COMPUTER science, SOFTWARE engineering

Abstract

A fundamental premise of SMS One-Time Password (OTP) is that the used pseudo-random numbers (PRNs) are uniquely unpredictable for each login session. Hence, the process of generating PRNs is the most critical step in the OTP authentication. An improper implementation of the pseudorandom number generator (PRNG) will result in predictable or even static OTP values, making them vulnerable to potential attacks. In this paper, we present a vulnerability study against PRNGs implemented for Android apps. A key challenge is that PRNGs are typically implemented on the server-side, and thus the source code is not accessible. To resolve this issue, we build an analysis tool, OTP-Lint, to assess implementations of the PRNGs in an automated manner without the source code requirement. Through reverse engineering, OTP-Lint identifies the apps using SMS OTP and triggers each app's login functionality to retrieve OTP values. It further assesses the randomness of the OTP values to identify vulnerable PRNGs. By analyzing 6,431 commercially used Android apps downloaded from Google Play and Tencent Myapp, OTP-Lint identified 399 vulnerable apps that generate predictable OTP values. Even worse, 194 vulnerable apps use the OTP authentication alone without any additional security mechanisms, leading to insecure authentication against guessing attacks and replay attacks. [ABSTRACT FROM AUTHOR]

Published

2021

5. Fenix: A Pan-European Federation of Supercomputing and Cloud e-Infrastructure Services.

Author

ALAM, SADAF R., BARTOLOME, JAVIER, CARPENE, MICHELE, HAPPONEN, KALLE, LAFOUCRIERE, JACQUES-CHARLES, and PLEITER, DIRK

Subjects

*COMPUTER access control, *SUPERCOMPUTERS, *COMPUTER science, *SCALABILITY, *BRAIN models, *HIGH performance computing

Abstract

The article profiles the Fenix supercomputing federation of Europe with a focus on its provision of supercomputer research infrastructure and a federated access management solution for the Supercomputing Centre in Barcelona, Spain, France’s Commissariat à L’énergie atomique et aux énergies alternatives, Italy’s Supercomputing Centre, Finland’s Supercomputing Centre, the Swiss National Supercomputing Centre, and Germany's Juelich Supercomputing Centre supercomputing center. The scalability of computing and storage solutions enabled by the federation is described using examples including cerebellar modeling.

Published

2022

6. Passwords and the Evolution of Imperfect Authentication.

Author

BONNEAU, JOSEPH, HERLEY, CORMAC, VAN OORSCHOT, PAUL C., and STAJANO, FRANK

Subjects

*COMPUTER access control, *COMPUTER passwords, *ELECTRONIC authentication, *COMPUTER security, *COMPUTER science, *MACHINE learning

Abstract

The article emphasizes the need to critically revisit authentication as a whole and the password's role therein to understand the current situation in computer security. Topics discussed include the simplistic models of user and attacker behaviors that have led researchers to emphasize on the wrong threats, authentication as a classification problem amenable to machine learning, and the continued use of passwords to reduce harm at acceptable cost. Also mentioned are the history of passwords, two outdated models that underlie much of the current password literature, and the need to protect user accounts and sensitive data.

Published

2015

7. Secure authentication in the grid: A formal analysis of DNP3 SAv5.

Author

Cremers, Cas, Dehnel-Wild, Martin, and Milner, Kevin

Subjects

*ELECTRIC power distribution grids, *COMPUTER access control, *COMPUTER science, *COMPUTER network protocols

Abstract

Most of the world's power grids are controlled remotely. Their control messages are sent over potentially insecure channels, driving the need for an authentication mechanism. The main communication mechanism for power grids and other utilities is defined by an IEEE standard, referred to as DNP3; this includes the Secure Authentication v5 (SAv5) protocol, which aims to ensure that messages are authenticated. We provide the first security analysis of the complete DNP3: SAv5 protocol. Previous work has considered the message-passing sub-protocol of SAv5 in isolation, and considered some aspects of the intended security properties. In contrast, we formally model and analyse the complex composition of the protocol's sub-protocols. In doing so, we consider the full state machine, the protocol's asymmetric mode, and the possibility of cross-protocol attacks. Furthermore, we model fine-grained security properties that closely match the standard's intended security properties. For our analysis, we leverage the Tamarin prover for the symbolic analysis of security protocols. Our analysis shows that the core DNP3: SAv5 design meets its intended security properties. Notably, we show that a previously reported attack does not apply to the standard. However, our analysis also leads to several concrete recommendations for improving future versions of the standard. [ABSTRACT FROM AUTHOR]

Published

2019

8. Revocable and Non-Invertible Multibiometric Template Protection based on Matrix Transformation.

Author

Jegede, A., Udzir, N. I., Abdullah, A., and Mahmod, R.

Subjects

COMPUTER access control, DATA privacy, COMPUTER security, COMPUTER science, BIOMETRIC identification

Abstract

Biometric authentication refers to the use of measurable characteristics (or features) of the human body to provide secure, reliable and convenient access to a computer system or physical environment. These features (physiological or behavioural) are unique to individual subjects because they are usually obtained directly from their owner's body. Multibiometric authentication systems use a combination of two or more biometric modalities to provide improved performance accuracy without offering adequate protection against security and privacy attacks. This paper proposes a multibiometric matrix transformation based technique, which protects users of multibiometric systems from security and privacy attacks. The results of security and privacy analyses show that the approach provides high-level template security and user privacy compared to previous one-way transformation techniques. [ABSTRACT FROM AUTHOR]

Published

2018

9. Spatial Connector: Mapping Access Control Models for Pervasive Computing and Cloud Computing.

Author

Satoh, Ichiro

Subjects

CLOUD computing, CONTEXT-aware computing, UBIQUITOUS computing, COMPUTER access control, COMPUTER science

Abstract

Services on pervasive computing are delegated or offloaded to cloud computing platforms, because pervasive computing devices have only limited resources. However, access control models in pervasive computing environments and cloud computing platforms are different, where the former tends to be context-dependent and the latter to be subject-based, e.g., role-based access control (RBAC). To connect such different models, we propose a framework for managing context-aware services executed at pervasive computing and cloud computing. The framework is constructed as a world model for specifying contextual information in the real world. This paper describes the design and prototype implementation of the proposed model. [ABSTRACT FROM AUTHOR]

Published

2017

10. iCETD: An improved tag generation design for memory data authentication in embedded processor systems.

Author

Liu, Tao, Guo, Hui, Parameswaran, Sri, and Hu, Sharon X.

Subjects

*COMPUTER access control, *COMPUTER storage devices, *DATA integrity, *MICROPROCESSORS, *COMPUTER science, *DATA security

Abstract

Security becomes increasingly important in computing systems. Data integrity is of utmost importance. One way to protect data integrity is attaching an identifying tag to individual data. The authenticity of the data can then be checked against its tag. If the data is altered by the adversary, the related tag becomes invalid and the attack will be detected. The work presented in this paper studies an existing tag design (CETD) for authenticating memory data in embedded processor systems, where data that are stored in the memory or transferred over the bus can be tampered. Compared to other designs, this design offers the flexibility of trading-off between the implementation cost and tag size (hence the level of security); the design is cost effective and can counter the data integrity attack with random values (namely the fake values used to replace the valid data in the attack are random). However, we find that the design is vulnerable when the fake data is not randomly selected. For some data, their tags are not distributed over the full tag value space but rather limited to a much reduced set of values. When those values were chosen as the fake value, the data alteration would likely go undetected. In this article, we analytically investigate this problem and propose a low cost enhancement to ensure the full-range distribution of tag values for each data, hence effectively removing the vulnerability of the original design. [ABSTRACT FROM AUTHOR]

Published

2017

11. TAFC: Time and Attribute Factors Combined Access Control for Time-Sensitive Data in Public Cloud

Author

Peilin Hong, Nenghai Yu, David S. L. Wei, Jianan Hong, Yingjie Xue, Kaiping Xue, and Weikeng Chen

Subjects

020203 distributed computing, 021110 strategic, defence & security studies, Information Systems and Management, Cloud computing security, Database, Computer access control, Computer Networks and Communications, business.industry, Computer science, 0211 other engineering and technologies, Client-side encryption, Access control, Cloud computing, 02 engineering and technology, Data publishing, computer.software_genre, Computer security, Encryption, Computer Science Applications, Hardware and Architecture, 0202 electrical engineering, electronic engineering, information engineering, business, computer, Cloud storage

Abstract

The new paradigm of outsourcing data to the cloud is a double-edged sword. On the one hand, it frees data owners from the technical management, and is easier for data owners to share their data with intended users. On the other hand, it poses new challenges on privacy and security protection. To protect data confidentiality against the honest-but-curious cloud service provider, numerous works have been proposed to support fine-grained data access control. However, till now, no schemes can support both fine-grained access control and time-sensitive data publishing. In this paper, by embedding timed-release encryption into Ciphertext-Policy Attribute-based Encryption (CP-ABE), we propose a new time and attribute factors combined access control on time-sensitive data for public cloud storage (named TAFC). Based on the proposed scheme, we further propose an efficient approach to design access policies faced with diverse access requirements for time-sensitive data. Extensive security and performance analysis shows that our proposed scheme is highly efficient and satisfies the security requirements for time-sensitive data storage in public cloud.

Published

2020

12. Authentication in virtual private networks based on quantum key distribution methods.

Author

Niemiec, Marcin and Machnik, Petr

Subjects

COMPUTER access control, VIRTUAL private networks, QUANTUM physicists, COMPUTER network architectures, COMPUTER science

Abstract

Quantum physics has a major influence on modern computer science and communications. New quantum-based solutions continue to be proposed by researchers. However, only a few techniques are possible to implement in practice. One of them is quantum key distribution, which ensures the confidentiality of digital data. This article introduces a new concept: quantum distribution of pre-shared keys. This approach provides end-users with very secure authentication, impossible to achieve using currently-available techniques. Secure authentication is a key requirement in virtual private networks (VPN)-popular protection in computer networks. The authors simulated quantum-based distribution of a shared secret in a typical VPN connection. Using a dedicated simulator, all individual steps of the quantum key distribution process were presented. Based on the created secret, a secure IPsec tunnel in a StrongSwan environment was established between AGH (Poland) and VSB (Czech Republic). It allows end-users to communicate at very high security levels. [ABSTRACT FROM AUTHOR]

Published

2016

13. Window-LRFU: a cache replacement policy subsumes the LRU and window-LFU policies.

Author

Bai, Sen, Bai, Xin, and Che, Xiangjiu

Subjects

CACHE memory, ALGORITHMS, ELECTRONIC file management, DATABASE management, COMPUTER access control, COMPUTER science, MANAGEMENT

Abstract

Replacement algorithms have been widely used as key technologies for cache management in areas such as file systems or database management. A replacement algorithm determines which page to be evicted when the cache is full and a new page is referenced. Because replacement policies considering only recency or frequency such as LRU (Least Recently Used) and LFU (Least Frequently Used) do not perform well, replacement polices that take both recency and frequency into account have been intensively studied. As a classical replacement policy, LRFU (Least Recently/Frequently Used) policy subsumes the LRU and LFU policy. However, because LFU is not able to adapt to the change of page accessing pattern and it is hard to select a suitable λ for each certain trace, LRFU cannot always guarantee a good performance. In this paper, we propose a Window-LRFU policy, to subsume the LRU and Window-LFU policies. Experimental results show that the Window-LRFU policy outperforms LRFU and has at least competitive performance than other classical algorithms. Copyright © 2015 John Wiley & Sons, Ltd. [ABSTRACT FROM AUTHOR]

Published

2016

14. Αυθεντικοποίηση με χρήση οπτικής πληροφορίας και διαχείριση πρόσβασης με δυναμικές παραμέτρους σε πληροφοριακά συστήματα

Author

Emmanouil Georgakakis

Subjects

Password, Authentication, Computer access control, business.industry, Computer science, XACML, Access control, Security policy, Computer security, computer.software_genre, Role-based access control, business, Role hierarchy, computer, computer.programming_language

Abstract

Τα σημερινά πληροφοριακά συστήματα χαρακτηρίζονται από αυξημένη πολυπλοκότητα και την ανάγκη να εξυπηρετούν ταυτόχρονα πολλαπλούς χρήστες με διαφορετικές απαιτήσεις. Σε κάθε περίπτωση, κοινή απαίτηση όλων των σύγχρονων πληροφοριακών συστημάτων είναι η προστασία της πληροφορίας κατά τη διακίνησή της μέσα σε αυτά. Προαπαιτούμενο για την επιτυχή προστασία των πόρων ενός συστήματος είναι η αυθεντικοποίηση των χρηστών από αποκτούν πρόσβαση σε αυτό και κατόπιν η εφαρμογή κανόνων διαχείρισης πρόσβασης όπου καθορίζεται τι δικαιώματα κατέχει ο κάθε χρήστης.Η πιο διαδεδομένη μέθοδος αυθεντικοποίησης, παρά τα προβλήματα που παρουσιάζει, είναι η χρήση κωδικών πρόσβασης. Ωστόσο, η ανθρώπινη ικανότητα να απομνημονεύουμε οπτική πληροφορία έχει δώσει το έναυσμα για έντονη ερευνητική δραστηριότητα στην αυθεντικοποίηση με χρήση γραφικών κωδικών ως μια πιο αξιόπιστη εναλλακτική λύση στους κωδικούς κειμένου. Όμως, τα μοντέλα γραφικών κωδικών παρουσιάζουν όχι μόνο προβλήματα αποδοχής χρήσης από τους χρήστες αλλά και ζητήματα ασφάλειας. Κατανοώντας τις αδυναμίες αυτές η παρούσα διατριβή προτείνει ένα καινοτόμο μοντέλο αυθεντικοποίησης το Novel Authentication with Visual Information (NAVI), το οποίο είναι βασισμένο σε οπτική πληροφορία και το οποίο παρέχει υψηλού επιπέδου ασφάλεια. Το προτεινόμενο σύστημα αυθεντικοποίησης χρησιμοποιεί ως διαπιστευτήρια την διαδρομή που επιλέγει ένας χρήστης σε έναν προκαθορισμένο χάρτη. Στη διατριβή αυτή, πραγματοποιείται ανάλυση της ασφάλειας που παρέχει το NAVI σε θεωρητικό επίπεδο και επιπλέον αναπτύχθηκε μια πρότυπη υλοποίηση με την οποία πραγματοποιήθηκαν δοκιμές χρηστών για την αξιολόγηση της ευκολίας χρήσης και της ασφάλειας του παραγόμενου κωδικού. Επιπλέον, ζητήθηκε από τους χρήστες που συμμετείχαν στις δοκιμές να απαντήσουν σε ένα ερωτηματολόγιο αξιολόγησης προκειμένου να ληφθεί υπόψη η γνώμη τους σε μια σειρά από ζητήματα που αφορούν την υλοποίηση του NAVI.Εφόσον έχει πιστοποιηθεί ότι ένας χρήστης είναι αυτός που υποστηρίζει ότι είναι θα πρέπει να του αποδωθούν τα κατάλληλα δικαιώματα πρόσβασης. Η πλειοψηφία των μοντέλων ελέγχου πρόσβασης που έχουν αναπτυχθεί βασίζονται στην υπόθεση ότι τα δικαιώματα πρόσβασης των χρηστών μπορεί να καθοριστούν εκ των προτέρων. Ωστόσο, σε ένα σύγχρονο περιβάλλον συχνά προκύπτουν καταστάσεις έκτακτης ανάγκης που οδηγούν σε αιτήματα πρόσβασης που δεν έχουν προβλεφθεί από τις συνήθεις διαδικασίες. Έχοντας εντοπίσει την ανάγκη αυτή προτείνουμε ένα καινοτόμο μοντέλο διαχείρισης πρόσβασης το Dynamic Spatio Temporal EMergency Role Based Access Control (DSTEM-RBAC), το οποίο βασίζεται στο μοντέλο διαχείρισης πρόσβασης με ρόλους (Role Based Access Control – RBAC). Tο DSTEM-RBAC λαμβάνει υπόψη του χρονικούς και χωρικούς περιορισμούς αλλά το σημαντικότερο είναι ότι προσφέρει έναν ελεγχόμενο και ασφαλή τρόπο για να παρακαμφθούν οι στατικές πολιτικές ασφαλείας χρησιμοποιώντας δυναμικές πληροφορίες για να καταλήξει σε μια απόφαση κατ’ εξαίρεση πρόσβασης η οποία θα παρακάμπτει την στατική πολιτική ασφαλείας που εφαρμόζεται. Στο προτεινόμενο μοντέλο η ιεραρχία των ρόλων αναπαρίσταται ως ένας κατευθυνόμενος γράφος με βάρη, όπου κάθε ρόλος αποτελεί έναν κόμβο. Οι αποστάσεις μεταξύ των κόμβων είναι μια παράμετρος-κλειδί για την προτεινόμενη διαδικασία της κατ’ εξαίρεση πρόσβασης. Επί της ουσίας, η απόσταση μεταξύ ρόλων σε συνδυασμό με τους χρονικούς και τους χωρικούς περιορισμούς και η δυναμική πληροφορία καθορίζουν την κατ’ εξαίρεση πρόσβαση. Οι δυναμικές πληροφορίες που λαμβάνονται υπόψη αποτελούνται από την τοποθεσία του χρήστη, το επίπεδο ασφαλείας και το επίπεδο έκτατης ανάγκης που βρίσκεται ο οργανισμός καθώς και το επίπεδο των κινδύνων από το διαδίκτυο. Η προτεινόμενη αρχιτεκτονική , η οποία είναι επί της ουσίας μια επέκταση του XACML, αναλύεται σε βάθος και παρουσιάζεται μια πρότυπη υλοποίηση με στόχο να αναδειχθεί η εφαρμοσιμότητα του προτεινόμενου μοντέλου στον χώρο της υγείας.Επιπλέον, παρέχεται και μια μεθοδολογία για την αξιολόγηση της συμπεριφοράς των χρηστών έτσι ώστε να είναι εφικτό να βελτιστοποιηθεί η παραμετροποίηση που έχει εφαρμοστεί και να εντοπιστεί μια πιθανή κατάχρηση της λειτουργικότητας της κατ’ εξαίρεση πρόσβασης. Τέλος, πραγματοποιήθηκε μια έρευνα σε δύο κλινικές ως μελέτες περίπτωσης για την αξιολόγηση των αναγκών που υπάρχει για κατ’ εξαίρεση προσβάσεις.

Published

2021

15. Vulnerability in Information Technology and Computing- A Study in Technological Information Assurance

Author

Anil Bhuimali, R. Rajesh, Sreeramana Aithal, and Prantosh Paul

Subjects

Authentication, Computer access control, business.industry, Computer science, 05 social sciences, Information technology, 02 engineering and technology, Information assurance, Computer security, computer.software_genre, Encryption, 020204 information systems, Application security, Information technology management, 0202 electrical engineering, electronic engineering, information engineering, Information system, 0509 other social sciences, 050904 information & library sciences, business, computer

Abstract

Information Assurance is the prime name for the security and privacy related affairs. It is responsible for the secure design, development and building of healthy sophisticated information systems. The technologies have become crucial for the development of content and information systems. Information Assurance is a new name in respect of Computing and IT Security; however, it has important significance as the area deals with both traditional and technological security related affairs. The IT Security primarily responsible for the computational secure systems whereas Information Assurance focuses not only on the design and development of secure systems but also policies, framework and regulations leading to secure information systems preparation. Among the technological space few common names are include vulnerabilities, virus, denial of services etc. Moreover, the vulnerabilities include the affairs of hardware, software, network, personal and physical site, organizational security systems etc. This paper talks about the basics of Information Assurance and allied affairs. Moreover, it talks about the vulnerabilities and affairs leading to computer access control, application security, authentication, authorization, aspects of data centric security, encryption, firewall etc. The paper also highlights the basic overview of the technologies and solution as well.

Published

2019

16. AccConF: An Access Control Framework for Leveraging In-Network Cached Data in the ICN-Enabled Wireless Edge

Author

Satyajayant Misra, Travis Mick, Nahid Ebrahimi Majd, Frank Natividad, Reza Tourani, and Hong Huang

Subjects

Computer access control, Distributed System Security Architecture, business.industry, Computer science, Network Access Control, Server, The Internet, Access control, Internet traffic, Electrical and Electronic Engineering, business, Authentication server, Computer network

Abstract

The fast-growing Internet traffic is increasingly becoming content-based and driven by mobile users, with users more interested in data rather than its source. This has precipitated the need for an information-centric Internet architecture. Research in information-centric networks (ICNs) have resulted in novel architectures, e.g., CCN/NDN, DONA, and PSIRP/PURSUIT; all agree on named data based addressing and pervasive caching as integral design components. With network-wide content caching, enforcement of content access control policies become non-trivial. Each caching node in the network needs to enforce access control policies with the help of the content provider. This becomes inefficient and prone to unbounded latencies especially during provider outages. In this paper, we propose an efficient access control framework for ICN, which allows legitimate users to access and use the cached content directly, and does not require verification/authentication by an online provider authentication server or the content serving router. This framework would help reduce the impact of system down-time from server outages and reduce delivery latency by leveraging caching while guaranteeing access only to legitimate users. Experimental/simulation results demonstrate the suitability of this scheme for all users, but particularly for mobile users, especially in terms of the security and latency overheads.

Published

2019

17. A new two-round dynamic authenticated contributory group key agreement protocol using elliptic curve Diffie-Hellman with privacy preserving public key infrastructure.

Author

NARESH, VANKAMAMIDI S. and MURTHY, NISTALA V. E. S.

Subjects

*PUBLIC key infrastructure (Computer security), *ELLIPTIC curves, *TELECOMMUNICATION systems, *COMPUTER access control, *COMPUTER science, *COMPUTER network protocols

Abstract

In this paper a new two-round authenticated contributory group key agreement based on Elliptic Curve Diffie-Hellman protocol with Privacy Preserving Public Key Infrastructure (PP-PKI) is introduced and is extended to a dynamic authenticated contributory group key agreement with join and leave protocols for dynamic groups. The proposed protocol provides such security attributes as forward secrecy, backward secrecy, and defense against man in the middle (MITM) and Unknown keyshare security attacks and also authentication along with privacy preserving attributes like anonymity, traceability and unlinkability. In the end, they are compared with other popular Diffie-Hellman and Elliptic Curve Diffie-Hellman based group key agreement protocols and the results are found to be satisfactory. [ABSTRACT FROM AUTHOR]

Published

2015

18. Recycled IC Detection Based on Statistical Methods.

Author

Huang, Ke, Liu, Yu, Korolija, Nenad, Carulli, John M., and Makris, Yiorgos

Subjects

*INTEGRATED circuits, *COMPUTER access control, *ELECTRONIC circuits, *MICROELECTRONICS, *COMPUTER science

Abstract

We introduce two statistical methods for identifying recycled integrated circuits (ICs) through the use of one-class classifiers and degradation curve sensitivity analysis. Both methods rely on statistically learning the parametric behavior of known new devices and using it as a reference point to determine whether a device under authentication has previously been used. The proposed methods are evaluated using actual measurements and simulation data from digital and analog devices, with experimental results confirming their effectiveness in distinguishing between new and aged ICs and their superiority over previously proposed methods. [ABSTRACT FROM PUBLISHER]

Published

2015

19. Reevaluating Data Stall Time with the Consideration of Data Access Concurrency.

Author

Liu, Yu-Hang and Sun, Xian-He

Subjects

DATA transmission systems, DATA science, COMPUTER access control, DATA mining, COMPUTER science

Abstract

Data access delay has become the prominent performance bottleneck of high-end computing systems. The key to reducing data access delay in system design is to diminish data stall time. Memory locality and concurrency are the two essential factors influencing the performance of modern memory systems. However, existing studies in reducing data stall time rarely focus on utilizing data access concurrency because the impact of memory concurrency on overall memory system performance is not well understood. In this study, a pair of novel data stall time models, the L-C model for the combined effort of locality and concurrency and the P-M model for the effect of pure miss on data stall time, are presented. The models provide a new understanding of data access delay and provide new directions for performance optimization. Based on these new models, a summary table of advanced cache optimizations is presented. It has 38 entries contributed by data concurrency while only has 21 entries contributed by data locality, which shows the value of data concurrency. The L-C and P-M models and their associated results and opportunities introduced in this study are important and necessary for future data-centric architecture and algorithm design of modern computing systems. [ABSTRACT FROM AUTHOR]

Published

2015

20. A Logic-Based Authorization Framework and Implementation.

Author

Mingsheng Zhang, Xinqiang Ma, and Mingyi Zhang

Subjects

COMPUTER access control, LOGIC programming, COMPUTER software, COMPUTER security, COMPUTER-aided design, COMPUTER science, COMPUTER systems

Abstract

In access control, it is a reasonable requirement that authorization mechanism can be implemented intelligently by logic programs. We propose an authorization framework based on logic programs, ranging from design, analysis, and implementation. Our proposed framework is powerful and useful, with RBAC features, flexible authorization, logic-based formalization and integration of policies. It can specify complex security requirements in real world, and facilitate many advantage aspects held by the some prevailing authorization theories. [ABSTRACT FROM AUTHOR]

Published

2009

21. ANALYSIS OF ENHANCED SEPARATION OF DUTY IN ROLE-BASED ACCESS CONTROL MODEL.

Author

ZHANG Zhikun, GENG Yauping, LI Tingyan, and XIAO Jianguo

Subjects

COMPUTER access control, INFORMATION technology security, DATA security, ACCESS to information, COMPUTER science

Published

2005

22. ATTRIBUTE ANALYSIS OF USAGE CONTROL (UCON).

Author

LI Zude and YE Xiaojun

Subjects

COMPUTER access control, INFORMATION technology security, DATA security, COMPUTER network management, COMPUTER science

Published

2005

23. Authenticating Location-Based Skyline Queries in Arbitrary Subspaces.

Author

Lin, Xin, Xu, Jianliang, Hu, Haibo, and Lee, Wang-Chien

Subjects

*DATABASE management, *TABLET computers, *CLOUD computing, *COMPUTER access control, *INDEXES, *QUERY (Information retrieval system), *CLIENT/SERVER computing, *COMPUTER network resources

Abstract

With the ever-increasing use of smartphones and tablet devices, location-based services (LBSs) have experienced explosive growth in the past few years. To scale up services, there has been a rising trend of outsourcing data management to Cloud service providers, which provide query services to clients on behalf of data owners. However, in this data-outsourcing model, the service provider can be untrustworthy or compromised, thereby returning incorrect or incomplete query results to clients, intentionally or not. Therefore, empowering clients to authenticate query results is imperative for outsourced databases. In this paper, we study the authentication problem for location-based arbitrary-subspace skyline queries (LASQs), which represent an important class of LBS applications. We propose a basic Merkle Skyline R-tree method and a novel Partial S4-tree method to authenticate one-shot LASQs. For the authentication of continuous LASQs, we develop a prefetching-based approach that enables clients to compute new LASQ results locally during movement, without frequently contacting the server for query re-evaluation. Experimental results demonstrate the efficiency of our proposed methods and algorithms under various system settings. [ABSTRACT FROM PUBLISHER]

Published

2014

24. Incorporating behavioral trust theory into system development for ubiquitous applications.

Author

Hoffmann, Holger and Söllner, Matthias

Subjects

*COMPUTER systems, *COMPUTER software development, *COMPUTER users, *COMPUTER science, *INFORMATION storage & retrieval systems, *DATA security, *COMPUTER access control

Abstract

Trust has been shown to be a key factor for technology adoption by users, that is, users prefer to use applications they trust. While existing literature on trust originating in computer science mostly revolves around aspects of information security, authentication, etc., research on trust in automation-originating from behavioral sciences-almost exclusively focuses on the sociotechnical context in which applications are embedded. The behavioral theory of trust in automation aims at explaining the formation of trust, helping to identify countermeasures for users' uncertainties that lead to lessened trust in an application. We hence propose an approach to augment the system development process of ubiquitous systems with insights into behavioral trust theory. Our approach enables developers to derive design elements that help foster trust in their application by performing four key activities: identifying users' uncertainties, linking them to trust antecedents from theory, deducting functional requirements and finally designing trust-supporting design elements (TSDEs). Evaluating user feedback on two recommender system prototypes, gathered in a study with over 160 participants, we show that by following our process, we were able to derive four TSDEs that helped to significantly increase the users' trust in the system. [ABSTRACT FROM AUTHOR]

Published

2014

25. ICF Inspired Personas to Improve Development for Usability and Accessibility in Ambient Assisted Living.

Author

Queirós, Alexandra, Cerqueira, Margarida, Martins, Ana Isabel, Silva, Anabela G., Alvarelhão, Joaquim, Teixeira, António, and Rocha, Nelson Pacheco

Subjects

COMPUTER users, PEOPLE with disabilities, COMPUTER software development, COMPUTER science, COMPUTER access control, WEB accessibility

Abstract

Abstract: Ambient Assisted Living (AAL) is an important research and development area. The acceptance of the AAL paradigm is closely related to the quality of the available systems and services, namely in terms of the user interaction. This means that usability and accessibility are crucial issues. The paper presents how the concepts of the International Classification of Functioning, Disability and Health (ICF) can be used to optimize the role of personas and scenarios in the development and evaluation of AAL systems and services, especially in aspects related with human functioning and health conditions. [Copyright &y& Elsevier]

Published

2014

26. A Rhythm-Based Authentication Scheme for Smart Media Devices.

Author

Jae Dong Lee, Young-Sik Jeong, and Jong Hyuk Park

Subjects

ELECTRONIC equipment, PSYCHOLOGICAL vulnerability, COMPUTER access control, LOCKS & keys, COMPUTER science

Abstract

In recent years, ubiquitous computing has been rapidly emerged in our lives and extensive studies have been conducted in a variety of areas related to smart devices, such as tablets, smartphones, smart TVs, smart refrigerators, and smart media devices, as a measure for realizing the ubiquitous computing. In particular, smartphones have significantly evolved from the traditional feature phones. Increasingly higher-end smartphonemodels that can performa range of functions are now available. Smart devices have become widely popular since they provide high efficiency and great convenience for not only private daily activities but also business endeavors. Rapid advancements have been achieved in smart device technologies to improve the end users' convenience. Consequently, many people increasingly rely on smart devices to store their valuable and important data. With this increasing dependence, an important aspect thatmust be addressed is security issues. Leaking of private information or sensitive business data due to loss or theft of smart devices could result in exorbitant damage. To mitigate these security threats, basic embedded locking features are provided in smart devices. However, these locking features are vulnerable. In this paper, an original security-locking scheme using a rhythm-based locking system (RLS) is proposed to overcome the existing security problems of smart devices. RLS is a user-authenticated systemthat addresses vulnerability issues in the existing locking features and provides secure confidentiality in addition to convenience. [ABSTRACT FROM AUTHOR]

Published

2014

27. Efficient Certificate-Based Signcryption Secure against Public Key Replacement Attacks and Insider Attacks.

Author

Yang Lu and Jiguo Li

Subjects

PUBLIC key cryptography, COMPUTER access control, DATA security, PERFORMANCE evaluation, COMPUTER science, INFORMATION technology

Abstract

Signcryption is a useful cryptographic primitive that achieves confidentiality and authentication in an efficient manner. As an extension of signcryption in certificate-based cryptography, certificate-based signcryption preserves the merits of certificatebased cryptography and signcryption simultaneously. In this paper, we present an improved security model of certificate-based signcryption that covers both public key replacement attack and insider security. We show that an existing certificate-based signcryption scheme is insecure in our model.We also propose a new certificate-based signcryption scheme that achieves security against both public key replacement attacks and insider attacks.We prove in the random oracle model that the proposed scheme is chosen-ciphertext secure and existentially unforgeable. Performance analysis shows that the proposed scheme outperforms all the previous certificate-based signcryption schemes in the literature. [ABSTRACT FROM AUTHOR]

Published

2014

28. An Army guide to navigating the cyber security process for Facility Related Control Systems : cybersecurity and risk management framework explanations for the real world

Author

Joseph Bush, Tapan C. Patel, Michael Cary. Long, Eric D. Lynch, Eileen T. Westervelt, Stephen Briggs, Daniel A. Shepard, and David M. Schwenk

Subjects

Computer access control, Process (engineering), Computer science, business.industry, Risk management framework, Industrial control system, Computer security, computer.software_genre, Facility management, Control system, Information system, business, computer, Vulnerability (computing)

Published

2020

29. AccessAuth: Capacity-aware security access authentication in federated-IoT-enabled V2G networks

Author

Kaoru Ota, Mianxiong Dong, Ming Tao, and Zhuzhong Qian

Subjects

Challenge-Handshake Authentication Protocol, Information privacy, Computer access control, Computer Networks and Communications, Computer science, computer.internet_protocol, Email authentication, Access control, 02 engineering and technology, Computer security, computer.software_genre, NTLMSSP, Theoretical Computer Science, Distributed System Security Architecture, Artificial Intelligence, Forward secrecy, Generic Bootstrapping Architecture, Lightweight Extensible Authentication Protocol, 0202 electrical engineering, electronic engineering, information engineering, Data Authentication Algorithm, Authentication, Revocation, business.industry, 020206 networking & telecommunications, Mutual authentication, Multi-factor authentication, Chip Authentication Program, Hardware and Architecture, Network Admission Control, IPsec, Network Access Control, Authentication protocol, Protected Extensible Authentication Protocol, 020201 artificial intelligence & image processing, Lightweight protocol, Challenge–response authentication, business, computer, Software, Computer network

Abstract

Vehicle-to-Grid (V2G) systems promoted by the federated Internet of Things (IoT) technology will be ubiquitous in the future; therefore, it is crucial to provide trusted, flexible and efficient operations for V2G services using high-quality measures for security and privacy. These can be achieved by access and authority authentication. This paper presents a lightweight protocol for capacity-based security access authentication named A c c e s s A u t h . Considering the overload probability and system capacity constraints of the V2G network domain, as well as the mobility of electric vehicles, the ideal number of admissible access requests is first calculated adaptively for each V2G network domain to actively achieve capacity-based access admission control. Subsequently, to provide mutual authentication and maintain the data privacy of admitted sessions, by considering whether there is prior knowledge of the trust relationship between the relevant V2G network domains, a high-level authentication model with specific authentication procedures is presented to enforce strict access authentication such that the sessions are conducted only by authorized requesters. Additionally, efficient session revocation with forward security and session recovery with no extra authentication delay are also discussed. Finally, analytical and evaluation results are presented to demonstrate the performance of A c c e s s A u t h .

Published

2018

30. Fine-Grained Access Control via Policy-Carrying Data

Author

Wamberto Vasconcelos and Julian Padget

Subjects

Deontic logic, Authentication, Computer access control, Computer Networks and Communications, Computer science, business.industry, Action language, Answer set programming, Access control, 02 engineering and technology, Computer security, computer.software_genre, Data sharing, Data access, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), 020201 artificial intelligence & image processing, The Internet, Privacy policy, business, computer

Abstract

We address the problem of associating access policies with datasets and how to monitor compliance via policy-carrying data. Our contributions are a formal model in first-order logic inspired by normative multi-agent systems to regulate data access, and a computational model for the validation of specific use cases and the verification of policies against criteria. Existing work on access policy identifies roles as a key enabler, with which we concur, but much of the rest focusses on authentication and authorization technology. Our proposal aims to address the normative principles put forward in Berners-Lee’s bill of rights for the internet, through human-readable but machine-processable access control policies.

Published

2018

31. Multi-user permission strategy to access sensitive information

Author

Debasis Ghosh, Arunava Roy, and Dipankar Dasgupta

Subjects

Authentication, Information Systems and Management, Computer access control, Computer science, Control (management), 02 engineering and technology, Permission, Multi-user, Computer security, computer.software_genre, Computer Science Applications, Theoretical Computer Science, Discretionary access control, World Wide Web, 03 medical and health sciences, Information sensitivity, 0302 clinical medicine, Artificial Intelligence, Control and Systems Engineering, 020204 information systems, 030220 oncology & carcinogenesis, 0202 electrical engineering, electronic engineering, information engineering, Role-based access control, computer, Software

Abstract

A system and related methods for providing greater security and control over access to classified files and documents and other forms of sensitive information based upon a multi-user, multi-modality permission strategy centering on organizational structure, thereby making authentication strategy unpredictable so to significantly reduce the risk of exploitation. Based on the sensitivity or classification of the information being requested by a user, approvers are selected dynamically based on the work environment, e.g., mobility, use of the computing device seeking access, authentication factors under applicable environmental settings, access policy, and the like.

Published

2018

32. ACROSS: A generic framework for attribute-based access control with distributed policies for virtual organizations

Author

Edelberto Silva, Natália Coelho Couto de Azevedo Fernandes, and Débora C. Muchaluat-Saade

Subjects

Authentication, User profile, Computer access control, Computer Networks and Communications, Computer science, business.industry, Virtual organization, Authorization, 020206 networking & telecommunications, Access control, 02 engineering and technology, Attribute-based access control, computer.software_genre, Identity management, Shared resource, World Wide Web, Resource (project management), Grid computing, Hardware and Architecture, Scalability, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, computer, Software

Abstract

Research interests about access control mechanisms for distributed resources have recently increased. In this scenario, users from different institutions access distributed resources, maintained by different organizations, in order to participate in a common research project, network, or testbed. Several challenges arise from these virtual organizations in order to give different types of access privileges to distinct types of resources, depending on the user profile and considering local and global access policies from partners. This work presents a generic and extensible authentication and authorization framework, named ACROSS, based on policies and attributes for virtual organizations. Our proposal creates a granular and scalable access control, which supports different authentication technologies and is independent of the kind of resource federation. In addition, ACROSS introduces a new concept of attribute generalization for access control, providing a transparent management based on access level computed from user attribute values and weights. Other works with similar goals have limitations restricting their integration with any kind of identity and resource federations. Also, these works present restrictions concerning environment and resource types. Hence, they are specific for usage in grid computing, testbed experimentation, or other distributed-resource environment. Differently from other proposals, ACROSS is a framework for supporting the development of new virtual organizations using any kind of resource sharing. ACROSS provides all A&A functionalities so that creating the virtual organization is no longer a challenge for new applications. We validate ACROSS using it on two scenarios: a real testbed and a testing environment composed of resources simulating a distributed open lab. The results show the feasibility to apply the proposal to different scenarios.

Published

2018

33. Keystroke dynamics in the pre-touchscreen era.

Author

Ahmad, Nasir, Szymkowiak, Andrea, and Campbell, Paul A.

Subjects

BIOMETRIC identification, KEYSTROKE timing authentication, COMPUTER access control, ARTIFICIAL neural networks, COMPUTER science

Abstract

Biometric authentication seeks to measure an individual's unique physiological attributes for the purpose of identity verification. Conventionally, this task has been realized via analyses of fingerprints or signature iris patterns. However, whilst such methods effectively offer a superior security protocol compared with password-based approaches for example, their substantial infrastructure costs, and intrusive nature, make them undesirable and indeed impractical for many scenarios. An alternative approach seeks to develop similarly robust screening protocols through analysis of typing patterns, formally known as keystroke dynamics. Here, keystroke analysis methodologies can utilize multiple variables, and a range of mathematical techniques, in order to extract individuals' typing signatures. Such variables may include measurement of the period between key presses, and/or releases, or even key-strike pressures. Statistical methods, neural networks, and fuzzy logic have often formed the basis for quantitative analysis on the data gathered, typically from conventional computer keyboards. Extension to more recent technologies such as numerical keypads and touch-screen devices is in its infancy, but obviously important as such devices grow in popularity. Here, we review the state of knowledge pertaining to authentication via conventional keyboards with a view toward indicating how this platform of knowledge can be exploited and extended into the newly emergent type-based technological contexts. [ABSTRACT FROM AUTHOR]

Published

2013

34. Lightweight key management on sensitive data in the cloud.

Author

Cui, Zongmin, Zhu, Hong, and Chi, Lianhua

Subjects

PUBLIC key cryptography, COMPUTER security, COMPUTER access control, DATA encryption, COMPUTER science

Abstract

ABSTRACT As cloud servers may not be trusted, sensitive data have to be transmitted and stored in an encrypted form. Major challenges for users are from the management (storage, update, protection, backup, and recoverability) of keys that can help users to decrypt authorized data available on the servers. In this paper, we propose a versatile approach for extremely lightweight key management, which is one of the most basic security tasks in cloud systems. In the multiple data owners scenario, each user only needs to manage a single key by our approach. With the help of the single key and a set of public information stored on the server, users can decrypt all authorized data from different data owners. Specifically, our paper proposes a novel access control model, proves the correctness and security, and analyzes the complexity of the model. Experimental results show that our approach significantly outperforms the single-layer derivation encryption and double-layer derivation encryption on the lightweight performance. Copyright © 2013 John Wiley & Sons, Ltd. [ABSTRACT FROM AUTHOR]

Published

2013

35. Provably secure revocable ID-based signature in the standard model.

Author

Tsai, Tung-Tso, Tseng, Yuh-Min, and Wu, Tsu-Yang

Subjects

COMPUTER security, DIGITAL signage, PUBLIC key cryptography, COMPUTER access control, COMPUTER science

Abstract

ABSTRACT A signature scheme is one of the important primitives in modern cryptography, which may offer functionalities of user identification, non-repudiation, and message authentication. With the advent of identity (ID)-based public key systems with bilinear pairings defined on elliptic curves, many ID-based signature schemes have been proposed. Like certificate-based public key systems, any ID-based public key system must provide a revocation method to revoke misbehaving users. There was little work on studying the revocation problem of ID-based public key systems, and no ID-based signature scheme deals with how to revoke the signing ability of misbehaving users. Quite recently, Tseng and Tsai presented a practical revocation mechanism using a public channel for ID-based public key systems. In this paper, we adopt Tseng and Tsai's revocation concept to define the new framework and security notions of revocable ID-based signature (RIBS) scheme and propose the first RIBS scheme in the standard model. Under the computational Diffie-Hellman assumption, we demonstrate that the proposed RIBS scheme is provably secure while remaining efficient for signing and verification as compared with previously proposed ID-based signature schemes. Copyright © 2013 John Wiley & Sons, Ltd. [ABSTRACT FROM AUTHOR]

Published

2013

36. Sybil Attack Detection and Prevention Using AODV in VANET.

Author

Navneet and Gill, Rakesh

Subjects

VEHICULAR ad hoc networks, CYBERTERRORISM, WIRELESS sensor networks, COMPUTER access control, COMPUTER science

Abstract

VANET is recognized as an important component of Intelligent Transportation Systems. To successfully deploy VANET, security is one of the major challenges that must be addressed. A very important one is to guarantee the security of vehicle-generated reports. In what regards security, selfish vehicles may attempt to clear up the way ahead or mess up the way behind with false traffic reports; criminals being chased may disseminate bogus notifications to other vehicles in order to block police cars. Such attacks may result in serious harm, even loss of lives. Another challenge is to protect the privacy of vehicles. Sybil attacks have become a serious threat as they can affect the functionality of VANETs (Vehicular Ad Hoc Networks).The Sybil attack is the case where a single faulty entity, called a malicious node, can present multiple identities known as Sybil nodes or fake nodes. This attack can affect the functionality of the network for the benefit of the attacker. Several techniques have been developed to detect misbehaving or fake nodes in VANETs. This research detects the Sybil attack a new filed is introduced in the AODV named SCID i.e. Secondary id. It maintains a unique identity of each node. Now the packet format of AODV consists seqno as well as secondary identity i.e. SCID. [ABSTRACT FROM AUTHOR]

Published

2013

37. A novel image-based implicit password authentication system (IPAS) for mobile and non-mobile devices.

Author

Almuairfi, Sadiq, Veeraraghavan, Prakash, and Chilamkurti, Naveen

Subjects

*COMPUTER passwords, *COMPUTER access control, *COMPUTER systems, *MOBILE apps, *BIOMETRIC identification, *COMPUTER science

Abstract

Abstract: Authentication is the first line of defense against compromising confidentiality and integrity. Though traditional login/password-based schemes are easy to implement, they have been subjected to several attacks. As an alternative, token and biometric-based authentication systems were introduced. However, they have not improved substantially to justify the investment. Thus, a variation to the login/password scheme, viz. graphical scheme was introduced. But it also suffered due to shoulder-surfing and screen-dump attacks. In this paper, we introduce a framework of our proposed (IPAS) Implicit Password Authentication System, which is immune to the common attacks suffered by other authentication schemes. [Copyright &y& Elsevier]

Published

2013

38. System Event Monitoring for Active Authentication.

Author

Payne, Jeffery, Fenner, Mark, and Kauffman, Jonathan

Subjects

COMPUTER access control, COMPUTER network monitoring, COMPUTER users, PRIVACY, IDENTIFICATION

Abstract

The authors use system event monitoring to distinguish between the behavioral characteristics of normal and anomalous computer system users. Identifying anomalous behavior at the system event level diminishes privacy concerns and supports the identification of cross-application behavioral patterns. [ABSTRACT FROM AUTHOR]

Published

2013

39. An Improved Dynamic Password-based User Authentication Scheme for Hierarchical Wireless Sensor Networks.

Author

Turkanovic, M. and Holbl, M.

Subjects

COMPUTER access control, WIRELESS sensor networks, HIERARCHICAL Bayes model, SMART cards, COMPUTER users, COMPUTER security, COMPUTER science

Abstract

User authentication is an important issue in wireless sensor networks. Das et al. recently proposed a dynamic password-based user authentication scheme for hierarchical wireless sensor networks, which provides high security and a simple authentication approach. In this paper we present a flaw in Das et al.'s scheme that makes it infeasible for real-life implementation. Additionally, we demonstrate that Das et al.'s scheme has redundant elements. To overcome these imperfections we propose an enhanced user authentication scheme based on Das et al.'s, which is both efficient and secure. [ABSTRACT FROM AUTHOR]

Published

2013

40. Escrowable identity-based authenticated key agreement protocol with strong security.

Author

Ni, Liang, Chen, Gongliang, and Li, Jianhua

Subjects

*COMPUTER access control, *COMPUTER network protocols, *DATA security, *APPLICATION software, *AUDIT trails, *COMPUTER science

Abstract

Abstract: Escrowable identity-based authenticated key agreement protocols are welcome in certain closed groups applications, where audit trail is a legal requirement. In this paper, we present a strongly secure one-round escrowable identity-based two-party authenticated key agreement protocol, which captures all basic desirable security properties including perfect forward secrecy, ephemeral secrets reveal resistance and so on, and is provably secure in the extended Canetti–Krawczyk (eCK) model. We show that the security of the protocol can be reduced to the standard computational bilinear Diffie–Hellman assumption in the random oracle model. Assuming that no adversary can obtain the master private key for the escrow mode, our scheme is secure as long as each party has at least one uncompromised secret. To the best of our knowledge, our scheme is the first escrowable identity-based authenticated key agreement protocol provably secure in the eCK model. [Copyright &y& Elsevier]

Published

2013

41. G-Profile: A Hybrid Solution for Extended Identity Management in the Field of Personalized Service Provision.

Author

Viviani, Marco, Bennani, Nadia, and Egyed-Zsigmond, Elöd

Subjects

IDENTITY management systems, DATA security, CONJOINT analysis, COMPUTER security, COMPUTER science, COMPUTER access control

Abstract

In the digital world, many organizations are developing different applications (with different purposes) where users are generally represented by a heterogeneous set of attributes. From time to time, depending on the context, different attributes can provide different digital identities for the same user, often involved in the identification/authentication processes. In the personalized service provision perspective, the scope of identity management becomes much larger, and takes into account information susceptible to change such as user profile information as a whole. Many purely user-centric identity management systems has emerged in the few last years, among them the Higgins project that provides the user with a direct control over his/her data and covers some data security issues. However, a complete user-centric view of extended user identity management is not realistic, in our opinion. In this paper, the authors present G-Profile: a hybrid, open, general-purpose and flexible user modeling system for extended identity management in multi-application environments. G-Profile also tackles the trade-off between users 'and applications 'requirements [ABSTRACT FROM AUTHOR]

Published

2012

42. On Protection by Layout Randomization.

Author

Abadi, Martin and Plotkin, Gordon D.

Subjects

RANDOMIZATION (Statistics), SOFTWARE protection, PROGRAMMING languages, COMPUTER software, COMPUTER science, COMPUTER access control

Abstract

Layout randomization is a powerful, popular technique for software protection. We present it and study it in programming-language terms. More specifically, we consider layout randomization as part of an implementation for a high-level programming language; the implementation translates this language to a lower-level language in which memory addresses are numbers. We analyze this implementation, by relating low-level attacks against the implementation to contexts in the high-level programming language, and by establishing full abstraction results. [ABSTRACT FROM AUTHOR]

Published

2012

43. Research on Separation of Three Powers Architecture for Trusted OS.

Author

Li, Yu, Zhao, Yong, and Xin, Siyuan

Subjects

COMPUTER operating systems, SECURITY systems, COMPUTER access control, COMPUTER science, INFORMATION technology, GRAPH theory

Abstract

Abstract: The privilege in the operating system (OS) often results in the break of confidentiality and integrity of the system. To solve this problem, several security mechanisms are proposed, such as Role-based Access Control, Separation of Duty. However, these mechanisms can not eliminate the privilege in OS kernel layer. This paper proposes a Separation of Three Powers Architecture (STPA). The authorizations in OS are divided into three parts: System Management Subsystem (SMS), Security Management Subsystem (SEMS) and Audit Subsystem (AS). Mutual support and mutual checks and balances which are the design principles of STPA eliminate the administrator in the kernel layer. Furthermore, the paper gives the formal description for authorization division using the graph theory. Finally, the implementation of STPA is given. Proved by experiments, the Separation of Three Powers Architecture we proposed can provide reliable protection for the OS through authorization division. [Copyright &y& Elsevier]

Published

2012

44. A Review of Grid Authentication and Authorization Technologies and Support for Federated Access Control.

Author

Wei Jie, Arshad, Junaid, Townend, Paul, Sinnott, Richard, and Zhou Lei

Subjects

*GRID computing, *COMPUTER access control, *COMPUTER security management, *COMPUTER network security, *DISTRIBUTED computing, *HIGH performance computing, *COMPUTER architecture, *COMPUTER science, *AUTHENTICATION (Law)

Abstract

Grid computing facilitates resource sharing typically to support distributed virtual organizations (VO). The multi-institutional nature of a grid environment introduces challenging security issues, especially with regard to authentication and authorization. This article presents a state-of-the-art review of major grid authentication and authorization technologies. In particular we focus upon the Internet2 Shibboleth technologies and their use to support federated authentication and authorization to support interinstitutional sharing of remote grid resources that are subject to access control. We outline the architecture, features, advantages, limitations, projects, and applications of Shibboleth in a grid environment. The evidence suggests that Shibboleth meets many of the demands of the research community in accessing and using grid resources. [ABSTRACT FROM AUTHOR]

Published

2011

45. Attribute based access control scheme with controlled access delegation for collaborative E-health environments

Author

Vladimir A. Oleshchuk and Harsha S. Gardiyawasam Pussewalage

Subjects

Scheme (programming language), Computer access control, Delegation, Revocation, Computer Networks and Communications, Computer science, business.industry, media_common.quotation_subject, 020206 networking & telecommunications, 020207 software engineering, Provisioning, Access control, 02 engineering and technology, Computer security, computer.software_genre, 0202 electrical engineering, electronic engineering, information engineering, Physical access, Role-based access control, Safety, Risk, Reliability and Quality, business, computer, Software, media_common, computer.programming_language

Abstract

Modern electronic healthcare (e-health) settings constitute collaborative environments with complex access requirements. Thus, there is a need for sophisticated fine-grained access control mechanisms to cater these access demands and thereby experience the full potential of e-health systems. In order to realize a flexible access control scheme, integrating access delegation is of paramount importance. However, access delegation has to be enforced in a controlled manner so that it will not jeopardize the security of the system. In this paper, we addressed this issue through proposing an attribute based access control scheme integrated with controlled access delegation capabilities. We demonstrate how the proposed scheme could function by considering a health information sharing scenario which constitutes a collaborative environment. The proposed scheme capable of provisioning multi-level access delegation with each delegating user having the capability of controlling further delegations by the delegatee. In addition, the scheme is also integrated with a mechanism to limit the total number of delegations allowable for a given attribute to accommodate for inappropriate user behaviors. Thus, users can claim access to resources by providing a proof that they possess attribute sets (attributes may or may not be delegated) that satisfy the relevant attribute based access policies which govern the access to the shared resources. The proposed scheme is also equipped with on-demand attribute revocation mechanism along with preventing attacks via attribute collusion. Furthermore, we have shown that the proposed access control scheme is secure and also exhibits superior delegation capabilities compared to the existing attribute based schemes coupled with access delegation capabilities.

Published

2017

46. EACSIP: Extendable Access Control System With Integrity Protection for Enhancing Collaboration in the Cloud

Author

Willy Susilo, Peng Jiang, Yi Mu, Guomin Yang, Yong Yu, and Fuchun Guo

Subjects

021110 strategic, defence & security studies, Cryptographic primitive, Computer access control, Computer Networks and Communications, Computer science, business.industry, 0211 other engineering and technologies, Access control, Cloud computing, 02 engineering and technology, Computer security, computer.software_genre, Encryption, Upload, Server, Ciphertext, 0202 electrical engineering, electronic engineering, information engineering, Physical access, Role-based access control, 020201 artificial intelligence & image processing, Key encapsulation, Safety, Risk, Reliability and Quality, business, Cloud storage, computer

Abstract

It is widely acknowledged that the collaborations with more users increase productivity. Secure cloud storage is a promising tool to enhance such a collaboration. Access control system can be enabled with attribute-based encryption. In this system, a user encrypts and uploads his/her data to the cloud with an access policy, such that only people who satisfy that access policy can decrypt the data. When a recipient would like to enable another person who is originally unauthorized by the original access policy, this recipient will need to extend the access policy by adding a new policy that includes the new person hence, the notion of extendable access control system. Admitting new users to access the uploaded data is an important requirement in enhancing collaborations. The main issue is with regards to the integrity protection during the process of extending the access policy. When a new access policy is added, the cloud has to be sure that the extended access policy remains guarding the same encrypted data as the original access policy, even though the cloud cannot decrypt this ciphertext, which is a challenging problem to solve. In this paper, we answer the above problem affirmatively by introducing an extendable access control system with Integrity Protection (EACSIP), which is suitable to enhance collaboration in the cloud. The construction of EACSIP is built on top of a novel cryptographic primitive, namely functional key encapsulation with equality testing. The security proof and the performance evaluation of EACSIP are provided in this paper.

Published

2017

47. SeGoAC: A tree-based model for self-defined, proxy-enabled and group-oriented access control in mobile cloud computing

Author

Wei Ren, Kim-Kwang Raymond Choo, Min Lei, and Ran Liu

Subjects

Flexibility (engineering), 021110 strategic, defence & security studies, User Friendly, Computer access control, business.industry, Computer science, 0211 other engineering and technologies, 020206 networking & telecommunications, Access control, 02 engineering and technology, Computer security, computer.software_genre, Mobile cloud computing, Tree (data structure), Hardware and Architecture, 0202 electrical engineering, electronic engineering, information engineering, Role-based access control, business, Proxy (statistics), Law, computer, Software, Computer network

Abstract

Designing an effective and secure group-oriented access control for mobile cloud storage services is an area of active research. For example, such schemes should provide user-friendly features that allow group members to be conveniently added or removed, privileges of group members to be assigned or revoked by authorized parties (e.g., group leaders), organizing of members into one or more sub-groups, forming of (multiple) hierarchical layers, etc. Specifically, privileges should be self-defined by group leaders, and access control can be carried out by group leaders as a proxy. In this paper, we propose a lightweight tree-based model designed to achieve self-defined, proxy-enabled and group-oriented access control (hereafter referred to as SeGoAC) for file storage access control in mobile cloud computing. SoGoAC is a flexible access control model that supports group access control, self-authorization and self-management iteratively, flexible self-defined accessing policies, user friendly features to grant and revoke privileges. We then demonstrate the utility of SeGoAC via extensive analysis.

Published

2017

48. OrBAC from access control model to access usage model

Author

Khalida Guesmia and Narhimene Boustia

Subjects

021110 strategic, defence & security studies, Information privacy, Computer access control, Computer science, business.industry, Distributed computing, 0211 other engineering and technologies, Authorization, Context (language use), Access control, Cloud computing, 02 engineering and technology, Computer security, computer.software_genre, Description logic, Organization based access control, Artificial Intelligence, 0202 electrical engineering, electronic engineering, information engineering, Role-based access control, 020201 artificial intelligence & image processing, Non-monotonic logic, business, computer

Abstract

The purpose based access control model has been proposed recently to restrict the access to the sensitive data which are out of control of their owner. This model can be enforced by ensuring that the user who wants to access the private data will respect the specific plan of tasks/actions that leads to achieving the intended objective to use these data. The Organization Based Access Control (OrBAC) model is suitable to integrate this principle, but in a dynamic environment such as the cloud computing, the authorization rules should be expressed in flexible way, and they may include optional tasks which can be skipped in some cases in order to adapt temporarily to the changes in the context. To meet these requirements, we propose in this paper a new extension of the OrBAC model using the temporal nonmonotonic description logic ( $\textit {TL-JClassic}^{+}_{\delta \epsilon }$ ) that allows to represent formally the policy rules as hierarchical planning that includes a set of ordered tasks that may admit exceptions in special cases and when the access request is made, the access control system depending on the current context will infer dynamically the appropriate sequence of actions that can be performed by subject who demands access to private data that may be outsourced into the cloud.

Published

2017

49. Flexible CP-ABE Based Access Control on Encrypted Data for Mobile Users in Hybrid Cloud System

Author

Hua Zhang, Wenmin Li, Xuelei Li, Shuo Zhang, and Qiao-Yan Wen

Subjects

020203 distributed computing, 021110 strategic, defence & security studies, Computer access control, Computer science, business.industry, 0211 other engineering and technologies, Access control, Cloud computing, 02 engineering and technology, Computer security, computer.software_genre, Encryption, Computer Science Applications, Theoretical Computer Science, Computational Theory and Mathematics, Hardware and Architecture, Ciphertext, 0202 electrical engineering, electronic engineering, information engineering, Attribute-based encryption, business, Access control list, computer, Software, Computer network

Abstract

In hybrid cloud computing, encrypted data access control can provide a fine-grained access method for organizations to enact policies closer to organizational policies. This paper presents an improved CP-ABE (ciphertext-policy attribute-based encryption) scheme to construct an encrypted data access control solution that is suitable for mobile users in hybrid cloud system. In our improvement, we split the original decryption keys into a control key, a secret key and a set of transformation keys. The private cloud managed by the organization administrator takes charge of updating the transformation keys using the control key. It helps to handle the situation of flexible access management and attribute alteration. Meanwhile, the mobile user’s single secret key remains unchanged as well as the ciphertext even if the data user’s attribute has been revoked. In addition, we modify the access control list through adding the attributes with corresponding control key and transformation keys so as to manage user privileges depending upon the system version. Finally, the analysis shows that our scheme is secure, flexible and efficient to be applied in mobile hybrid cloud computing.

Published

2017

50. A study on secure user authentication and authorization in OAuth protocol

Author

Han-Jin Cho, Cheol-Joo Chae, and Ki-Bong Kim

Subjects

Challenge-Handshake Authentication Protocol, User authentication, Authentication, Otway–Rees protocol, Computer access control, Computer Networks and Communications, Computer science, business.industry, Authorization, 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, Access token, Authentication protocol, SAFER, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Reflection attack, business, computer, Replay attack, Software, Vulnerability (computing), Computer network

Abstract

When developing the client with the social network service, the OAuth protocol gets to be mostly followed. The OAuth protocol is the protocol which is being most much used in the company providing the social network service as the protocol which doesn’t expose the user certification information in 3rd Party and is developed in order to give the user resources accessible rights like Google or facebook, twitter, and etc. However, when of the authentication information of this user is exposed on network by the attacker, there is the malicious problem that it can be used. It can classify as the replay attack, phishing attack, and impersonation attack as the general security vulnerability which it can happen in this OAuth protocol. Therefore, before the Access Token is issued in order to this solve the security vulnerability in the OAuth protocol. By using E-mail, the resource owner is authenticated and the access token is safely issued. And it distribute the Access Token and stores. When using the proposed method, it uses the E-mail authentication less than 0.8% can confirm the authentication success rate of the attacker to be safer than the existing method. Because of distributes the access token and storing, although the attacker won the some of user information, it would not allow to use for the user authentication. When seven over distributed the access token, it can check that as in the E-mail authentication it can use since the release time of the access Token has 10 min or greater.

Published

2017