Search

Your search keyword '"Credential"' showing total 893 results
Start Over Descriptor "Credential" Topic computer science
893 results on '"Credential"'

1. Delegated Anonymous Credentials With Revocation Capability for IoT Service Chains (DANCIS)

Author

Sandeep Kiran Pinjala, S. Sree Vivek, and Krishna M. Sivalingam

Subjects
Service (systems architecture), Revocation, Computer Networks and Communications, business.industry, Computer science, Access control, Credential, Automation, Computer Science Applications, Hardware and Architecture, Signal Processing, Systems architecture, Identity (object-oriented programming), Architecture, business, Information Systems, Computer network
Abstract

This paper deals with providing privacy-preserving access control in Internet of Things (IoT) systems. Here, a user/IoT device requests access to services provided by other IoT devices and multiple requests are combined to a request-specific service chain. An anonymous delegated credential based system architecture is proposed, where the requester’s identity is not exposed to the services. The paper presents the proposed architecture’s various components including the security aspects. Various options for implementing the architecture on resource-full and resource-constrained services are presented. A prototype of the proposed architecture is then implemented using Linux-based containers to emulate the services. Two representative systems, namely, a small-scale home automation system using a short service chain and a large-scale industrial automation system using a long service chain are considered. Timing measurements from the implementation are presented to demonstrate that the architecture is feasible and can be adapted for practical use in large-scale IoT systems.

Published
2022

3. Scrutinizing Implementations of Smart Home Integrations

Author

Ling Shi, Zhenkai Liang, Kailong Wang, Yan Liu, Guangdong Bai, Kulani Mahadewa, and Jin Song Dong

Subjects
Security analysis, business.industry, Computer science, Vulnerability, 020207 software engineering, 02 engineering and technology, Computer security, computer.software_genre, Credential, Personalization, Attack model, Home automation, 0202 electrical engineering, electronic engineering, information engineering, Information system, Communications protocol, business, Implementation, computer, Software
Abstract

A key feature of the booming smart home is the integration of a wide assortment of technologies, including various standards, proprietary communication protocols and heterogeneous platforms. Due to customization, unsatisfied assumptions and incompatibility in the integration, critical security vulnerabilities are likely to be introduced by the integration. Hence, this work addresses the security problems in smart home systems from an integration perspective, as a complement to numerous studies that focus on the analysis of individual technologies. We propose HOMESCAN, an approach that examines the security of the implementations of smart home systems. It extracts the abstract specification of application-layer protocols and internal behaviors of entities, so that it is able to conduct an end-to-end security analysis against various attack models. Applying HOMESCAN on three extensively-used smart home systems, we have found twelve non-trivial security vulnerabilities, which may lead to unauthorized remote control and credential leakage.

Published
2021

4. The early teacher pipeline: What data do — and don’t — tell us

Author

Kristian L. Holden and Dan Goldhaber

Subjects
Teacher preparation, Computer science, Data science, Credential, Pipeline (software), Education
Abstract

Understanding the early teacher pipeline, how many and what types of individuals are pursuing a teaching credential, is critically important. Unfortunately, as Dan Goldhaber and Kris Holden explain, the two national data collections that can be used to explore these areas provide incomplete and sometimes contrasting pictures about the number of people preparing for a teaching career. They describe how data collection could be improved to address this problem and provide a clearer national picture of who is preparing to be tomorrow’s teachers.

Published
2021

5. Re-imagining Technology Education for Student Teachers Using Human-Centered Design

Author

Trang Phan and Myunghwan Shin

Subjects
Technology education, Engineering management, Process (engineering), Computer science, Technology integration, Design process, Plan (drawing), Engineering design process, Credential, User-centered design
Abstract

This design case describes the implementation of the Human-centered Design process, developed by the world leading design firm IDEO and Stanford d. school. The process describes the technology integration onto a teaching credential program course at a university in Central California. It reports the thought process to adopting HCD in the course with a focus on a semester-long assignment called Technology Leap Project (TLP). The preliminary design decisions and the design process in depth. Each phase of the HCD process (i.e. Inspiration, Ideation, Implementation) was defined and its manifestation into the TLP was articulated and assembled with samples of students’ work. The case also discusses various merits and challenges for the design team of applying the HCD process in engaging student learning and responding to their learning needs. Finally, the revision plan was discussed.

Published
2021

7. Skenario Implementasi Sistem Informasi Identitas Digital Dengan Menggunakan WSO2 IS Di STMIK 'AMIKBANDUNG'

Author

Muhammad Abdul Mujib, Andi Rahayu, Rizal Dzulkarnaen, and Hermawaty Hermawaty

Subjects
Password, Authentication, business.industry, Computer science, Application server, Login, computer.software_genre, Credential, Identity provider, Single sign-on, business, OpenID, computer, Computer network
Abstract

Semakin berkembangnya teknologi menjadikan banyaknya aplikasi yang digunakan dalam berbagai aktifitas. Sebagian besar pengguna menggunakan berbagai macam credential (username dan password) yang berbeda untuk login ke berbagai layanan aplikasi yang tersedia. Berdasarkan permasalahan, maka diusulkan sistem Single Sign On (SSO). untuk authentifikasi terhadap pengguna, dimana pengguna bisa mengakses beberapa aplikasi tanpa harus login di masing-masing aplikasi. Dalam penerapan SSO digunakanlah WSO2 IS sebagai Identity Provider dimana aplikasi server ini memfasilitasi keamanan saat menghubungkan dan mengelola banyak identitas di berbagai aplikasi. Dalam pengembangannya dibuat juga aplikasi yang bertindak sebagai Service Provider (pihak yang memerlukan otentikasi) dengan berbagai macam protokol seperti SAML dan OPENID. Hasil dari penerapan SSO menggunakan WSO2 IS dan aplikasi dengan protokol SAML dan OPENID berhasil membuat sistem untuk mengizinkan pengguna dapat mengakses seluruh sumber daya dalam jaringan hanya dengan menggunakan satu credential saja

Published
2021

8. Establishing and validating secured keys for IoT devices: using P3 connection model on a cloud-based architecture

Author

Hossein Saiedian and Sairath Bhattacharjya

Subjects
Password, Computer Networks and Communications, Computer science, business.industry, Cryptography, Cloud computing, Credential, Set (abstract data type), Resource (project management), Elliptic curve cryptography, Safety, Risk, Reliability and Quality, business, Software, Information Systems, Computer network, PATH (variable)
Abstract

IoT devices are slowly turning out to be an essential part of our everyday lives. These devices perform one operation, and they specialize in doing so. When communicating with these devices, we need to set up a secured key preventing unauthorized communications. We have been using the plug-and-play model for electronic devices for decades. These IoT devices fall into the same realm. The plug–pair–play connection model follows the same principle so that the user does not feel the added pressure of remembering a complex password or rely on a default credential. It helps to generate a secret that is only known to the device and its user. We used elliptic curve cryptography to circumvent the resource limitations on the device. The model establishes a zero-trust pattern where all requests and responses are validated and verified before being processed. This paper provides a unique way to set up a secret key for each user and device pair without much user interaction. The model sets the path to end-to-end secured communication.

Published
2021

9. AI-enabled digital identity – inputs for stakeholders and policymakers

Author

Arpan Kumar Kar, Manmohan Prasad Gupta, and Umar Bashir Mir

Subjects
Government, Knowledge management, business.industry, Computer science, 05 social sciences, Stakeholder, Identity (social science), Context (language use), Credential, Digital identity, Identity theft, 0502 economics and business, 050211 marketing, business, Stakeholder theory, 050203 business & management
Abstract

Purpose This conceptual article’s primary aim is to identify the significant stakeholders of the digital identity system (DIS) and then highlight the impact of artificial intelligence (AI) on each of the identified stakeholders. It also recommends vital points that could be considered by policymakers while developing technology-related policies for effective DIS. Design/methodology/approach This article uses stakeholder methodology and design theory (DT) as a primary theoretical lens along with the innovation diffusion theory (IDT) as a sub-theory. This article is based on the analysis of existing literature that mainly comprises academic literature, official reports, white papers and publicly available domain experts’ interviews. Findings The study identified six significant stakeholders, i.e. government, citizens, infrastructure providers, identity providers (IdP), judiciary and relying parties (RPs) of the DIS from the secondary data. Also, the role of IdP becomes insignificant in the context of AI-enabled digital identity systems (AIeDIS). The findings depict that AIeDIS can positively impact the DIS stakeholders by solving a range of problems such as identity theft, unauthorised access and credential misuse, and will also open a possibility of new ways to empower all the stakeholders. Research limitations/implications The study is based on secondary data and has considered DIS stakeholders from a generic perspective. Incorporating expert opinion and empirical validation of the hypothesis could derive more specific and context-aware insights. Practical implications The study could facilitate stakeholders to enrich further their understanding and significance of developing sustainable and future-ready DIS by highlighting the impact of AI on the digital identity ecosystem. Originality/value To the best of the authors’ knowledge, this article is the first of its kind that has used stakeholder theory, DT and IDT to explain the design and developmental phenomenon of AIeDIS. A list of six significant stakeholders of DIS, i.e. government, citizens, infrastructure providers, IdP, judiciary and RP, is identified through comprehensive literature analysis.

Published
2021

10. Decentralized Anonymous Authentication With Fair Billing for Space-Ground Integrated Networks

Author

Yuxian Li, Tao Li, Cheng Huang, Xiang Liu, Ming Li, and Anjia Yang

Subjects
Security analysis, Authentication, Smart contract, Computer Networks and Communications, Computer science, media_common.quotation_subject, Aerospace Engineering, Computer security, computer.software_genre, Payment, Credential, Handover, Authentication protocol, Automotive Engineering, Verifiable secret sharing, Electrical and Electronic Engineering, computer, media_common
Abstract

The space-ground integrated network (SGIN) has attracted growing attention due to its advantages of high-capacity, low-latency and global coverage. To guarantee the security requirements of SGIN, anonymous authentication is an essential approach to addressing severe threats such as unauthorized access and impersonation attack, while payment is another common method in service-oriented applications in order to encourage companies to participate and also prevent insider attackers from enjoying services without paying. Existing anonymous authentication protocols for SGIN either require users to involve in heavy computation especially in dynamic scenarios, or do not consider cross-domain authentication. In this paper, we first introduce the concept of cross-company satellite services, and then address the cross-domain authentication and billing issues in SGIN, i.e., we propose a decentralized anonymous authentication scheme supporting fast handover and also achieve fairness for the billing procedures. To reduce the authentication delays, the authentication process is delegated from ground to satellites, such that users can arbitrarily switch the satellite networks belonging to different companies. Specifically, users can be anonymously authenticated by showing the knowledge of a secret bound with a randomized verifiable credential and connect to different satellite networks through a fast handover authentication protocol building on a blockchain. Even all companies collude, they cannot forge a valid identity credential and access records for a user. In addition, we provide a fair billing mechanism that can prevent malicious users and greedy satellite companies from manipulating the network accessing fees based on a well-designed smart contract. Finally, we demonstrate that the proposed scheme is secure and efficient through security analysis and performance evaluation.

Published
2021

11. HashWires: Hyperefficient Credential-Based Range Proofs

Author

Shir Cohen, Yolan Romailler, Kevin Lewi, Fredric Moezinia, and Konstantinos Chalkias

Subjects
Ethics, 0303 health sciences, malleability, accumulators, Computer science, cryptographic commitments, location privacy, QA75.5-76.95, BJ1-1725, Mathematical proof, micro-payments, Credential, 03 medical and health sciences, hash-chains, 0302 clinical medicine, Electronic computers. Computer science, 030220 oncology & carcinogenesis, Calculus, General Earth and Planetary Sciences, credentials, range proofs, 030304 developmental biology, General Environmental Science, Range (computer programming)
Abstract

This paper presents HashWires, a hash-based range proof protocol that is applicable in settings for which there is a trusted third party (typically a credential issuer) that can generate commitments. We refer to these as “credential-based” range proofs (CBRPs). HashWires improves upon hashchain solutions that are typically restricted to micro-payments for small interval ranges, achieving an exponential speedup in proof generation and verification time. Under reasonable assumptions and performance considerations, a Hash-Wires proof can be as small as 305 bytes for 64-bit integers. Although CBRPs are not zero-knowledge and are inherently less flexible than general zero-knowledge range proofs, we provide a number of applications in which a credential issuer can leverage HashWires to provide range proofs for private values, without having to rely on heavyweight cryptographic tools and assumptions.

Published
2021

12. WiONE: One-Shot Learning for Environment-Robust Device-Free User Authentication via Commodity Wi-Fi in Man–Machine System

Author

Huan Yan, Xiang Zhang, Mianxiong Dong, Fuji Ren, Meng Wang, Yu Gu, and Zhi Liu

Subjects
Authentication, Computer science, business.industry, Deep learning, 020206 networking & telecommunications, 02 engineering and technology, 010501 environmental sciences, Keystroke logging, One-shot learning, 01 natural sciences, Credential, Human-Computer Interaction, Channel state information, Human–computer interaction, Modeling and Simulation, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), Artificial intelligence, business, Social Sciences (miscellaneous), 0105 earth and related environmental sciences, Communication channel
Abstract

User authentication is the first and most critical step in protecting a man–machine system from a malicious spoofer. However, security and privacy are just like the two sides of one coin, hard to see both at the same time, especially by the current mainstream credential- and biometric-based approaches. To this end, we propose WiONE, a safe and privacy-preserving user authentication system leveraging the ubiquitous Wi-Fi infrastructure by exploring “ how you behave ” rather than “ who you are ”. The key idea is to apply deep learning to user physical behavior captured by Wi-Fi channel state information (CSI) to identify legitimate users while rejecting spoofers. The design of WiONE faces two challenges, namely, how to capture the subtle behavior, such as a keystroke on CSI, and how to mitigate the heavy environment-specific training required by deep learning. For the former, we design a behavior enhancement model based on the Rician fading to highlight the behavior-induced information by suppressing the behavior-unrelated information on channel response. For the latter, we develop a behavior characterization method tailored for the prototypical networks to facilitate the extraction of the domain-independent behavioral features and enable one-shot recognition of a new user in a new environment. Numerous experiments are conducted in several real-world environments, and the results show that WiONE outperforms its state-of-the-art rivals in authentication performance with much less training effort.

Published
2021

13. Blockchain-enabled fog resource access and granting

Author

Gang Liu, Ting Wang, and Jinsong Wu

Subjects
Authentication, Smart contract, Computer science, End user, media_common.quotation_subject, Computer security, computer.software_genre, Credential, Negotiation, Resource (project management), Network Access Control, Resource Provider, computer, media_common
Abstract

Fog computing is a new computing paradigm for meeting ubiquitous massive access and latency-critical applications by moving the processing capability closer to end users. The geographical distribution/floating features with potential autonomy requirements introduce new challenges to the traditional methodology of network access control. In this paper, a blockchain-enabled fog resource access and granting solution is proposed to tackle the unique requirements brought by fog computing. The smart contract concept is introduced to enable dynamic, and automatic credential generation and delivery for an independent offer of fog resources. A per-transaction negotiation mechanism supports the fog resource provider to dynamically publish an offer and facilitates the choice of the preferred resource by the end user. Decentralized authentication and authorization relieve the processing pressure brought by massive access and single-point failure. Our solution can be extended and used in multi-access and especially multi-carrier scenarios in which centralized authorities are absent.

Published
2021

14. Using the Mathematical Model on Precision Marketing with Online Transaction Data Computing

Author

Guangshu Xu, Yu-Hsi Yuan, Sang-Bing Tsai, Jiesong Jiang, Li Shi, Weiyi Hao, and Jun Wu

Subjects
Data source, Article Subject, Series (mathematics), Computer science, General Mathematics, General Engineering, 02 engineering and technology, Engineering (General). Civil engineering (General), computer.software_genre, Credential, Purchasing, Precision marketing, Beijing, 020204 information systems, QA1-939, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Data mining, Data pre-processing, TA1-2040, Transaction data, computer, Mathematics
Abstract

In this paper, a decision-making system for precision marketing is presented to deal with real-world problems based on real e-business data collected in a company in Beijing. During the data preprocessing, the authors conducted a cleaning course to make sure the data to be analyzed in the latter part of the paper were credential. Based on the processed data, the authors analyzed consumer purchasing behaviors using three classic recommendation algorithms and made a performance comparison of the three algorithms. At the end of this paper, the authors proposed a series of precision marketing strategies which had been adopted by the data source company and had been proved to be effective in improving the performance.

Published
2021

15. Conceptual Framework of Kxpert:Knowledge-Based Information Retrieval for Expert Profiling

Author

S et.al Ismail

Subjects
Information retrieval, Boosting (machine learning), Computer science, Process (engineering), General Mathematics, Credential, Education, Computational Mathematics, Constant (computer programming), Computational Theory and Mathematics, Conceptual framework, Credibility, Profiling (information science), The Conceptual Framework
Abstract

With the constant demand for expertise within organisation, especially in boosting the credibility of experts in the organisation, it is a need to bring forth a simple yet effective knowledge-based expert profiling based on information retrieved from credential publication sites. A number of frameworks from previous authors are analysed to propose one sound framework for a case university, to improve its existing research expert database, to make it more efficient in the information retrieval process and knowledge repository technique. Knowledge expertise mapping is proposed to be part of the whole mechanism for the conceptual framework called kXpert in this paper. The choice of credential knowledge sources is highlighted due to the updated information made available on the sites that are based on the published works of the internal experts. Very rare that this information is referred to on daily basis when there is a need to find expertise, thinking that the existing database has it all. The proposed conceptual framework presented in this paper is the work to be completed in the next phase, and can be customised for other organisations, industries and purposes.

Published
2021

16. Locking the door: tackling credential abuse

Author

Steve Mansfield-Devine

Subjects
021110 strategic, defence & security studies, Information Systems and Management, Application programming interface, Computer Networks and Communications, business.industry, Computer science, Process (engineering), 0211 other engineering and technologies, 02 engineering and technology, Appropriate technology, Computer security, computer.software_genre, Login, Credential, Authentication (law), Software deployment, Safety, Risk, Reliability and Quality, Internet of Things, business, computer
Abstract

Credential abuse is a major issue facing organisations of all sizes. It affects not only simple login processes but also solutions and technologies such as application programming interfaces (APIs), the deployment of Internet of Things (IoT) devices and machine-to-machine authentication. Cyber criminals and nation-state attackers alike have automated the process of credential abuse while also refining highly targeted attacks. And the problem is getting worse. Credential abuse is a major issue facing organisations of all sizes. Cyber criminals and nation-state attackers alike have automated the process while also refining highly targeted attacks. The problem is getting worse and credential abuse presents itself in many forms. And there are equally as many solutions touted by vendors, all of which have their own challenges and weaknesses. However, there are successful solutions available and tackling the issue just takes a proper awareness of the problem and applying the appropriate technology and training, writes Steve Mansfield-Devine.

Published
2021

17. Who's that knocking at the door? The problem of credential abuse

Author

Steve Mansfield-Devine

Subjects
Password, 021110 strategic, defence & security studies, Information Systems and Management, Application programming interface, Computer Networks and Communications, Computer science, 0211 other engineering and technologies, Context (language use), 02 engineering and technology, Attack surface, Computer security, computer.software_genre, Security token, Certificate, Credential, Key (cryptography), Safety, Risk, Reliability and Quality, computer
Abstract

At the heart of IT security is a simple concept – proving you are who you say you are. In this context, ‘you’ might be a human logging into a network or service, a device interacting with an application programming interface (API), one network talking to another or any number of other scenarios. And the proof could be a certificate, an SSH key, a token of some form or our old favourite – and inevitably the artefact we'll be talking most about here – the old, fragile and yet seemingly unkillable password. At the heart of IT security is a simple concept – proving that you are who you say you are. But the ways we have of doing that, through credentials of some form, are flawed. Credential abuse comes in many forms. The question we need to ask is, where does it sit in terms of an organisation's attack surface and security priorities? In the first of a two-part feature, Steve Mansfield-Devine surveys a number of industry experts to get their views on what forms of credential abuse are being encountered and the threat these pose to enterprises.

Published
2021

18. Quantum-Resistant Cryptography for the Internet of Things Based on Location-Based Lattices

Author

Mischa Dohler and Ohood Saud Althobaiti

Subjects
Spoofing attack, General Computer Science, Computer science, Internet of Things, Cryptography, Computer security, computer.software_genre, localization, law.invention, Public-key cryptography, law, Cryptosystem, General Materials Science, Subscriber identity module, Authentication, business.industry, General Engineering, Public key infrastructure, quantum-resistant cryptography, Credential, TK1-9971, lattices, Electrical engineering. Electronics. Nuclear engineering, business, computer, location
Abstract

An important enabler of the Internet of Things (IoT) is the Narrow-Band Internet of Things (NB-IoT) technology, which is a 3GPP standards compliant connectivity solution. Quantum computing, another emerging technological paradigm, promises novel compute opportunities but is also able to compromise cybersecurity ciphers. Therefore, improved methods to mitigate such security threats are needed. In this research, we propose a location-aware cryptographic system that guarantees post-quantum IoT security. The ultimate value of a location-driven cryptosystem is to use the geographic location as a player’s identity and credential. Position-driven cryptography using lattices is efficient and lightweight, and it can be used to protect sensitive and confidential data in many critical situations that rely heavily on exchanging confidential data. At the best of our knowledge, this research starts the study of unconditional-quantum-resistant-location-driven cryptography by using the Lattice problem for the IoT in a pre-and post-quantum world. Unlike existing schemes, the proposed cryptosystem is the first secure and unrestricted position-based protocol that guards against any number of collusion attackers and against quantum attacks. It has a guaranteed authentication process, solves the problems of distributing public keys by removing a public key infrastructure (PKI), offers secure NB-IoT without SIM cards, and resists location spoofing attacks. Furthermore, it can be generalized to any network – not just NB-IoT.

Published
2021

19. Learning from learning: detecting account takeovers by identifying forgetful users

Author

Sean A McElroy

Subjects
Authentication, General Computer Science, Computer science, business.industry, Social engineering (security), Data breach, Demographic data, Computer security, computer.software_genre, Original research, Credential, Web application, Profiling (information science), business, Law, computer
Abstract

Credential-stuffing attacks are increasing in frequency, allowing threat actors to use data breaches from one source to perpetrate another. While multi-factor authentication remains a crucial preventative measure to protect against credential stuffing, the availability of credential data sets with contact information and the correlation with demographic data can allow threat actors to overcome it through interactive social engineering. Concurrently, alternative defence mechanisms such as network source profiling and device fingerprinting lose effectiveness as privacy-protecting technologies reduce the observable variability between legitimate and fraudulent user sessions. Sean A McElroy of Lumin Digital presents original research which suggests that by measuring a user's increasing familiarity with a web application over time, outliers in use may indicate account takeover fraud. Credential-stuffing attacks are increasing in frequency, allowing threat actors to use data breaches from one source to perpetrate another. While multi-factor authentication remains a crucial preventative measure to protect against credential stuffing, the availability of credential data sets with contact information and the correlation with demographic data can allow threat actors to overcome it through interactive social engineering. Concurrently, alternative defence mechanisms such as network source profiling and device fingerprinting lose effectiveness as privacy-protecting technologies reduce the observable variability between legitimate and fraudulent user sessions.

Published
2021

20. SBI Model for the Detection of Advanced Persistent Threat Based on Strange Behavior of Using Credential Dumping Technique

Author

Bahari Belaton and Nachaat AbdElatif Mohamed

Subjects
Advanced persistent threat, General Computer Science, Computer science, 02 engineering and technology, Data loss, computer.software_genre, Computer security, Common knowledge, 0202 electrical engineering, electronic engineering, information engineering, General Materials Science, Electrical and Electronic Engineering, Mimikatz and credential dumping, business.industry, General Engineering, Windows Registry, exploit, 020206 networking & telecommunications, Credential, Attacker, Malware, APT, 020201 artificial intelligence & image processing, The Internet, Central processing unit, lcsh:Electrical engineering. Electronics. Nuclear engineering, business, dump, computer, lcsh:TK1-9971, ATT&CK
Abstract

This study investigated the shift from the manual approach of processing data to the digitized method making organizational data prone to attack by cybercriminals. The latest threat Advanced Persistent Threats (APT) was originated by the United States Air Force in 2006 by Colonel Greg Rattray. APT is constantly ravaging industries and governments, which causes severe damages including data loss, espionage, sabotage, leak, or forceful pay of ransom money to the attackers. This study introduces a new model built on Adversarial Tactics Techniques and Common Knowledge (ATT&CK) matrix for detecting APT attack. This is to identify the APT on the first potential victim when the attackers use credential dumping technique. Strange Behavior Inspection Model incorporating several models investigates and monitors APT behavioral features in the CPU, RAM, windows registry, and file systems proposed to detect APT Attack at the first potential victim machine. The Strange Behavior Inspection (SBI) Model proposed in this paper is designed to detect the attack before being developed to more advanced phases. The results of this study are presented at four levels:1- random access memory, 2-central processing unit, 3- windows registry, and 4- file systems. This study proposes a unique model as evidence to detect APT attacks before any other techniques are used. The proposed model reduces the detection time from nine-months to 2.7 minutes.

Published
2021

21. Economic authentic and anonymous data sharing with forward security

Author

N. Prabha and R. Banumathi

Subjects
010302 applied physics, Authentication, business.industry, Computer science, Public key infrastructure, Cloud computing, 02 engineering and technology, 021001 nanoscience & nanotechnology, Computer security, computer.software_genre, 01 natural sciences, Credential, Data sharing, Ring signature, Forward secrecy, 0103 physical sciences, Key (cryptography), 0210 nano-technology, business, computer
Abstract

With the advancements of cloud services, sharing of information has never ever been easier, and intelligent prediction of shared information provides a slew of advantages also to individuals and society. When sharing data with a huge group of people, several factors must be considered, which include effectiveness, authentication, and the confidentiality of the cloud provider. A viable target for constructing an unidentified and genuine interoperability system is ring signature. It enables an owner to privately configure the data that can then be stored or analyzed in the cloud. However, in a conventional Public-Key-Infrastructure (PKI) setting, the expensive credential authentication becomes a limiting factor for this solution's scalability. Instead, an Identity based Ring Signature can be used, which eliminates the need for document verification. We enhance the safety of identity based ring signatures in this paper by adding forward protection: If a user's secret key is corrupted, all previously stored confirmations containing this user are still valid. The whole product is extremely crucial in any big information sharing system, because it is pointless to force all digital assets to conceptual metaphor their data if a single user's secret key is compromised. We demonstrate the practicality of our scheme by providing a tangible as well as efficient implementation and proving its security in good manner.

Published
2021

22. An Anonymous Credential System with Constant-Size Attribute Proofs for CNF Formulas with Negations

Author

Toru Nakanishi and Ryo Okishima

Subjects
Authentication, Theoretical computer science, Computer science, Applied Mathematics, Mathematical proof, Certificate, Computer Graphics and Computer-Aided Design, Credential, Accumulator (cryptography), TheoryofComputation_MATHEMATICALLOGICANDFORMALLANGUAGES, Constant (computer programming), Negation, Signal Processing, Electrical and Electronic Engineering, Conjunctive normal form
Abstract

To enhance the user’s privacy in electronic ID, anonymous credential systems have been researched. In the anonymous credential system, a trusted issuing organization first issues a certificate certifying the user’s attributes to a user. Then, in addition to the possession of the certificate, the user can anonymously prove only the necessary attributes. Previously, an anonymous credential system was proposed, where CNF (Conjunctive Normal Form) formulas on attributes can be proved. The advantage is that the attribute proof in the authentication has the constant size for the number of attributes that the user owns and the size of the proved formula. Thus, various expressive logical relations on attributes can be efficiently verified. However, the previous system has a limitation: the proved CNF formulas cannot include any negation. Therefore, in this paper, we propose an anonymous credential system with constant-size attribute proofs such that the user can prove CNF formulas with negations. For the proposed system, we extend the previous accumulator for the limited CNF formulas to verify CNF formulas with negations.

Published
2020

23. A Flexible Privacy-Preserving Data Sharing Scheme in Cloud-Assisted IoT

Author

Letian Sha, Hui Yin, Hua Deng, and Zheng Qin

Subjects
Information privacy, Security analysis, Computer Networks and Communications, Computer science, media_common.quotation_subject, Cryptography, Cloud computing, 02 engineering and technology, Encryption, Computer security, computer.software_genre, Public-key cryptography, 0202 electrical engineering, electronic engineering, information engineering, media_common, Delegation, business.industry, 020206 networking & telecommunications, Credential, Computer Science Applications, Data sharing, Hardware and Architecture, Signal Processing, 020201 artificial intelligence & image processing, business, computer, Information Systems
Abstract

Cloud-assisted Internet of Things (IoT) has become an increasingly popular technological trend as the performance of IoT applications can be greatly improved by delegating the cloud to manage massive IoT data. To protect the confidentiality of data outsourced from IoT devices to the cloud, cryptographic mechanisms are usually employed to encrypt the data in such a way that only the user designated by the data owner can decrypt the data. However, in the IoT multiuser environment, the encrypted data may also need to be shared with more users beyond the initially designated one. In this article, we propose a flexible privacy-preserving data sharing (FPDS) scheme in cloud-assisted IoT. With the FPDS scheme, an IoT user can encrypt data to a recipient by using identity-based encryption. More importantly, the IoT user can specify a fine-grained access policy to generate a delegation credential, and then send this credential to the cloud so that it can convert all the encrypted data satisfying the access policy into new ciphertexts that are readable to a new recipient. In this way, IoT users can share the data outsourced to the cloud in a flexible and privacy-preserving manner. Detailed security analysis shows that the FPDS scheme is secure against semitrusted cloud and malicious IoT users. Thorough theoretical and experimental analyses demonstrate the high efficiency of the scheme.

Published
2020

24. Plain text passwords: A forensic RAM-raid

Author

Graeme Horsman

Subjects
Password, Plain text, Computer science, RAID, 010401 analytical chemistry, computer.file_format, Login, Computer security, computer.software_genre, 01 natural sciences, Credential, Criminal investigation, 0104 chemical sciences, Pathology and Forensic Medicine, Task (project management), law.invention, 03 medical and health sciences, 0302 clinical medicine, Test case, law, 030216 legal & forensic medicine, computer
Abstract

Despite many academic studies in the last 15 years acknowledging the investigative value of physical memory due to the potential sensitive nature of data it may contain, it arguably remains rarely collected at-scene in most criminal investigations. Whilst this may be due to factors such as first responders lacking the technical skills to do this task, or simply that it is overlooked as an evidence source, this work seeks to emphasise the worth of this task by demonstrating the ability to recover plain-text login credentials from it. Through an examination of logins made to 15 popular online services carried out via the Chrome, Edge and Mozilla Firefox browsers, testing shows that plain-text credentials are present in RAM in every case. Here, a transparent test methodology is defined and the results of test cases are presented along with ‘string markers’ which allow a practitioner to search their RAM captures for the presence of unknown credential information for these services in future cases.

Published
2020

25. Efficient blacklistable anonymous credential system with reputation using a pairing‐based accumulator

Author

Toru Nakanishi and Takeshi Kanatani

Subjects
Authentication, Computer Networks and Communications, Computer science, business.industry, media_common.quotation_subject, 020206 networking & telecommunications, 0102 computer and information sciences, 02 engineering and technology, Cryptographic protocol, Trusted third party, 01 natural sciences, Credential, Accumulator (cryptography), 010201 computation theory & mathematics, 0202 electrical engineering, electronic engineering, information engineering, Session (computer science), business, Protocol (object-oriented programming), Software, Information Systems, Reputation, media_common, Computer network
Abstract

As privacy-enhancing authentications without any TTP (Trusted Third Party), blacklistable anonymous credential systems with reputation have been proposed. However, the previous systems have the efficiency problem: The authentication data size is O ( L ) or O ( K ) , where L is the reputation list, and K is the size of a window indicating the most recent K authentications of the user. Therefore, the previous systems suffer from O ( L ) or O ( K ) -size data in each authentication. In addition, the authentication needs the computation of O ( L ) or O ( K ) exponentiations. In this paper, an efficient blacklistable anonymous credential system with reputation is proposed. In our system, the data size of the authentication is O ( 1 ) . Furthermore, although the computational costs in the authentication depend on some parameters, the parameter-related costs are only multiplications instead of exponentiations. Compared to the previously proposed blacklistable system FARB with the constant computational and communication costs, our system has the advantage that the clear/redeem protocol only has to be executed every interval instead of every session. For constructing our system, we newly introduce the concept of an accumulator for reputation, and propose an efficient construction.

Published
2020

26. Indistinguishability and unextractablility of password-based authentication in blockchain

Author

Xinyi Huang and Yuexin Zhang

Subjects
Password, Authentication, Software_OPERATINGSYSTEMS, Computer Networks and Communications, Computer science, Data_MISCELLANEOUS, Password cracking, 020206 networking & telecommunications, 02 engineering and technology, Service provider, Computer security, computer.software_genre, Credential, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Hardware and Architecture, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, computer, Software, Digest access authentication
Abstract

Password is commonly used to protect Bitcoin wallet, the most known application of blockchain. In this paper, we investigate a subtle issue when forgetting password: The account owner uses guessed passwords during the authentication with a service provider. This is different from password guessing by cyber attackers, because passwords guessed by the account owner are (most likely) his/her passwords (or their minor variations) registered with other service providers. Thus, the confidentiality of incorrect passwords in unsuccessful authentication needs protection. To capture this security requirement, we define two security goals: Indistinguishability of Incorrect Passwords (IND-PW) and Unextractablility of Incorrect Passwords (UNE-PW). Our analysis shows that: (1) IND-PW is NOT achievable if password is the only authentication credential of the client, and (2) Two common authentication methods in online services, Basic and Digest Access Authentication (in conjunction with SSL), CANNOT provide UNE-PW.

Published
2020

27. Students as Consumers: Retaining Engineering Students by Designing Learner-Centric Courses of Value

Author

Jeff Chernosky, Rebecca Curtis, and Jerry Ausburn

Subjects
Computer science, Instructional design, 05 social sciences, 050401 social sciences methods, 050301 education, Community of inquiry, Credential, Education, 0504 sociology, Mathematics education, 0503 education, Curriculum, Value (mathematics), Dependency (project management)
Abstract

The global economy’s dependency upon engineers is exacerbated by a lack of qualified engineers. Most engineering students fail to complete the credential. According to the American Society for Engi...

Published
2020

28. HomeShield: A Credential-Less Authentication Framework for Smart Home Systems

Author

Molka Rekik, Yinhao Xiao, Chunchi Liu, Zhiguang Shan, Arwa Alrawais, and Yizhen Jia

Subjects
Authentication, Computer Networks and Communications, business.industry, Computer science, Computer security, computer.software_genre, Credential, Computer Science Applications, Workflow, Hardware and Architecture, Home automation, Server, Signal Processing, Threat model, Android (operating system), Internet of Things, business, Everyday life, computer, Information Systems
Abstract

Smart home systems have become more and more prevailent in recent years. On the one hand, they make our everyday life more convenient; on the other hand, they suffer from the two notorious security problems, namely, the open-port problem and the overprivilege problem, making their security situations extremely worrying and uncheerful. In this article, we proposed HomeShield, a novel credential-less authentication framework to shield smart home systems by effectively defending against the attacks resulted from these two security problems without the need for sensitive credentials. We further detailed an implementation of HomeShield based on the side channels that are publicly available in Android smartphones serving as controllers of smart home systems and presented its workflow in protecting against various attacks caused by the open-port and overprivilege problems. Finally, we tested our HomeShield implementation on a real-world smart home system and considered four threat models that cover basically all practical attacks, including Mirai and its variants. We also considered the effectiveness of our HomeShield implementation on the SmartApps of the Samsung SmartThings platform, which also suffers from the open-port and overprivilege problems, even though its overprivilege issue has been extensively studied by the recently proposed works, such as ContexIoT and SmartAuth. The evaluation results indicate that our HomeShield realization can successfully defend against over 90% attack trials with an average latency of less than 1 s.

Published
2020

29. Tracking cryptographic keys and encrypted data using position verification

Author

Laszlo Bacsardi and Mate Galambos

Subjects
business.industry, BitTorrent tracker, Computer science, Cryptography, Random permutation, Encryption, Computer security, computer.software_genre, Credential, Memory address, Quantum cryptography, Ciphertext, business, computer
Abstract

Position verification is an emerging field of quantum cryptography. Its goal is to verify whether a distant communicating party is telling the truth about where they are. However, the problem is usually formulated in a way that the position is the only credential of that party, which cannot guarantee uniqueness. In this study, the authors show how a practically secure position verification algorithm – assuming it exists – might be used to track (i.e. repeatedly verify the position) of some unique key or cipher text. To achieve this, they rely on pre-prepared position verification data called trackers. They also propose three algorithms that implement their general tracking scheme and examine some questions related to their security. These implementations include shuffling trackers into valuable data and hiding their memory address through a random permutation; using CNOT operations to entangle valuable data and trackers; and using random qubit strings from which either trackers or secret keys can be produced at will. These methods may be used to track a diplomatic package or reveal the location of a malicious party during a denial of service attack.

Published
2020

30. ECCOE: Toward a Robust Solution for the Cross-Institutional Recognition and Validation of Prior Learning

Author

Timothy Read and Deborah Arnold

Subjects
Structure (mathematical logic), Identification (information), Appropriation, Knowledge management, Higher education, Process (engineering), business.industry, Computer science, Stakeholder, business, Credential, Discipline
Abstract

ECCOE, the European Credit Clearinghouse for Opening up Education, aims to facilitate the endorsement and appropriation of open, online and flexible higher education by increasing trust in technology-enabled credentials among students, higher education institutions (HEIs) and employers. To this end, the project is developing a complete solution in the form of the ECCOE-system, with publicly reviewed credential descriptors, Model Credit Recognition Agreements (MCRAs), an online catalogue of over 60 disciplinary and transversal modules, and a robust solution for technology-enabled credentials and a network of stakeholder users. In this paper the analysis and classification of existing prior learning agreements (at higher education institutions) is presented as a first step towards a generic recognition structure that subsumes all types of recognition and can form the basis for the MCRA template. The result of this work was the identification of four characteristics present in each type of recognition agreement: its type, the objective of applying it, the process steps that need to be followed, and constraints for a successful application.ECCOE, the European Credit Clearinghouse for Opening up Education, aims to facilitate the endorsement and appropriation of open, online and flexible higher education by increasing trust in technology-enabled credentials among students, higher education institutions (HEIs) and employers. To this end, the project is developing a complete solution in the form of the ECCOE-system, with publicly reviewed credential descriptors, Model Credit Recognition Agreements (MCRAs), an online catalogue of over 60 disciplinary and transversal modules, and a robust solution for technology-enabled credentials and a network of stakeholder users. In this paper the analysis and classification of existing prior learning agreements (at higher education institutions) is presented as a first step towards a generic recognition structure that subsumes all types of recognition and can form the basis for the MCRA template. The result of this work was the identification of four characteristics present in each type of recognition agreement: its type, the objective of applying it, the process steps that need to be followed, and constraints for a successful application.

Published
2020

31. A secure n-secret based client authentication protocol for 802.11 WLANs

Author

Dinesh Kumar and Pawan Kumar

Subjects
Authentication, Transport Layer Security, Computer science, business.industry, 020206 networking & telecommunications, 020302 automobile design & engineering, 02 engineering and technology, Computer security model, Internet security, Credential, 0203 mechanical engineering, Authentication protocol, 0202 electrical engineering, electronic engineering, information engineering, Electrical and Electronic Engineering, Extensible Authentication Protocol, business, Protocol (object-oriented programming), Computer network
Abstract

Authentication has strong impact on the overall security model of every information system. Various authentication techniques are available for restricting the access of unauthorized users to the enterprise scale networks. IEEE 802.1X defines a secure and reliable authentication framework for 802.11 WLANs, where Extensible Authentication Protocol (EAP) provides the base to this architecture. EAP is a generic architectural framework which supports extensibility by incorporating the new and improved authentication schemes, which are based on different types of credentials. Currently there exist a number of EAP and Non-EAP methods with varying level of security and complexity. In this work, we have designed a new n-secret based authentication scheme referred here as Personal Dialogue Based Authentication, for the client authentication to the network. It is a Transport Layer Security (TLS) protected authentication protocol, which will be executed inside the secure TLS tunnel for providing the privacy and credential security to the wireless client. The developed authentication protocol has a reasonable set of features like; strong security, user privacy, simplicity and extensibility. For the formal analysis of the protocol we have used SPAN–AVISAP model checker on Ubuntu platform for validating the realization of the specified security goals. The experimental results obtained by simulation performed with the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool shows that our protocol is efficient and secured.

Published
2020

32. A practical solution to clone problem in anonymous information system

Author

Bin Lian, Lang Wang, Dake He, Ping Yu, Jialin Cui, and Gongliang Chen

Subjects
Information Systems and Management, Computer science, ComputingMilieux_LEGALASPECTSOFCOMPUTING, 02 engineering and technology, Login, Computer security, computer.software_genre, Theoretical Computer Science, Public-key cryptography, Artificial Intelligence, 0202 electrical engineering, electronic engineering, information engineering, Information system, Authentication, Cloning (programming), business.industry, 05 social sciences, 050301 education, Credential, Computer Science Applications, Control and Systems Engineering, Information leakage, 020201 artificial intelligence & image processing, business, 0503 education, computer, Software, Physical security
Abstract

Cloning user's identity is always a thorny problem for an information system, especially for an anonymous system. With the development of big data applications, clone behaviors sometimes even become attacks on these systems. But until now, there has been no very satisfactory anti-clone scheme in the anonymous system. After analyzing the problems in existing anti-clone schemes, without any assumptions about physical security, we provide a practical solution to the clone problem in anonymous authentication system. In our scheme, the authentication is not only related to user's private key, but also related to user's current state, which is constantly updated by the system. Therefore, the authentication trajectories of user and clone will inevitably overlap, and it results in information leakage so as to indentify clone behaviors and revoke clone user's credential. Meanwhile, we prove that honest users are truly anonymous and their login behaviors are unlinkable with complete security proofs. According to the analysis of the system function and the system efficiency, our scheme is much more efficient and has the best anti-clone properties comparing with the existing schemes.

Published
2020

33. Group Signatures with Time-Bound Keys Revisited: A New Model, an Efficient Construction, and its Implementation

Author

Ai Ishida, Keita Emura, and Takuya Hayashi

Subjects
021110 strategic, defence & security studies, Revocation, Computer science, business.industry, 0211 other engineering and technologies, 02 engineering and technology, Computer security model, Group signature, Computer security, computer.software_genre, Credential, Signature (logic), Public-key cryptography, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Constant (computer programming), Dependability, Electrical and Electronic Engineering, business, computer
Abstract

Chu et al. (ASIACCS 2012) proposed group signature with time-bound keys (GS-TBK), where each signing key is associated with expiry time $\tau$ τ . In addition, to prove membership of the group, a signer needs to prove that the expiry time has not passed, i.e., $t t τ , where $t$ t is the current time. A signer whose expiry time has passed is automatically revoked, and this revocation is called natural revocation. Signers can be revoked simultaneously before their expiry times if the credential is compromised. This revocation is called premature revocation. A nice property in the Chu et al. proposal is that the size of revocation lists can be reduced compared to those of Verifier-Local Revocation (VLR) group signature schemes by assuming that natural revocation accounts for most of the signer revocations in practice, and prematurely revoked signers are only a small fraction. In this paper, we point out that the definition of traceability of Chu et al. did not capture the unforgeability of expiry time for signing keys, which guarantees that no adversary who has a signing key associated with expiry time $\tau$ τ can compute a valid signature after $\tau$ τ has passed. This situation significantly reduces the dependability of the system since legitimate signing keys may be used for providing a forged signature. We introduce a security model that captures unforgeability, and propose a secure GS-TBK scheme in the new model. Our scheme also provides constant signing costs, whereas those of the previous schemes depended on the bit-length of the time representation. Finally, we provide the implementation results. We employ Barreto-Lynn-Scott (BLS) curves with 455-bit prime order and the RELIC library, and demonstrate that our scheme is feasible in practical settings.

Published
2020

34. Token-Based Access Control

Author

Guohua Gan, E. Chen, Zhiyuan Zhou, and Yan Zhu

Subjects
blockchain, Blockchain, General Computer Science, Smart contract, Computer science, Concurrency, Access control, 02 engineering and technology, Security token, distributed computing, distributed control, 0203 mechanical engineering, token, Robustness (computer science), 0202 electrical engineering, electronic engineering, information engineering, General Materials Science, business.industry, General Engineering, 020302 automobile design & engineering, 020206 networking & telecommunications, Fault tolerance, Credential, Systems architecture, lcsh:Electrical engineering. Electronics. Nuclear engineering, smart contract, business, lcsh:TK1-9971, Computer network
Abstract

Traditional centralized access control has some shortcomings in robustness, trustworthiness and circulation. Blockchains have the advantages of fault tolerance and trust. Smart contracts have the characteristics of automatic execution and flexible expansion. Tokens can well record credential information and transfer easily. In this paper, blockchain, smart contract and token are integrated and applied to access control to solve the shortcomings of traditional access control. First, access control, blockchain, smart contract and token are briefly described. Second, this paper proposes a solution by giving the general data structure of access control token, elaborating the equivalence, split, merge and verification algorithms of access control token, and explaining the system architecture of token-based access control. Last, this paper uses a token-based access control simulation system to verify that token-based access control has certain comparative advantages in robustness, trustworthiness, circulation, concurrency and so on.

Published
2020

35. Android Data-Clone Attack via Operating System Customization

Author

Han Yan, Kun He, Yuan Luo, Ming Jiang, Wenna Song, Yi Xiang, Yuan Chen, and Guojun Peng

Subjects
General Computer Science, Computer science, 02 engineering and technology, Login, computer.software_genre, Personalization, User experience design, identity theft, 020204 information systems, Identity theft, 0202 electrical engineering, electronic engineering, information engineering, General Materials Science, Android (operating system), Password, business.industry, General Engineering, 020207 software engineering, OS customization, Credential, Automatic login, data-clone attack, Covert, Operating system, lcsh:Electrical engineering. Electronics. Nuclear engineering, business, computer, lcsh:TK1-9971
Abstract

To avoid the inconvenience of retyping a user’s ID and password, most mobile apps now provide the automatic login feature for a better user experience. To this end, auto-login credential is stored locally on the smartphone. However, such sensitive credential can be stolen by attackers and placed into their smartphones via the well-known credential-clone attack. Then, attackers can imperceptibly log into the victim’s account, which causes more devastating and covert losses than merely intercepting the user’s password. In this article, we propose a generalized Android credential-clone attack, called data-clone attack. By exploiting the new-found vulnerabilities of original equipment manufacturer (OEM)-made phone clone apps, we design an identity theft method that overcomes the problem of incomplete credential extraction and eliminates the requirement of root authority. To evade the consistency check of device-specific attributes in apps, we design two environment customization methods for app-level and operating system (OS)-level, respectively. Especially, we develop a transparent Android OS customization solution, named CloneDroid, which simulates 101 special attributes of Android OS. We implement a prototype of CloneDroid and the experimental results show that 172 out of 175 most-downloaded apps’ accounts can be jeopardized, such as Facebook and WeChat. Moreover, our study has identified 18 confirmed zero-day vulnerabilities. Our findings paint a cautionary tale for the security community that billions of accounts are potentially exposed to Android OS customization-assisted data-clone attacks.

Published
2020

36. Vulnerability Detection on Android Apps–Inspired by Case Study on Vulnerability Related With Web Functions

Author

Qiao-Yan Wen, Yijie Shi, Senmiao Wang, Jing Guo, Jiawei Qin, and Hua Zhang

Subjects
021110 strategic, defence & security studies, General Computer Science, Computer science, business.industry, National Vulnerability Database, 0211 other engineering and technologies, General Engineering, Vulnerability, 020206 networking & telecommunications, Cloud computing, 02 engineering and technology, Certificate, Computer security, computer.software_genre, Credential, Vulnerability assessment, 0202 electrical engineering, electronic engineering, information engineering, General Materials Science, The Internet, Android (operating system), business, computer
Abstract

Nowadays, people’s lifestyle is more and more dependent on mobile applications (Apps), such as shopping, financial management and surfing the internet. However, developers mainly focus on the implementation of Apps and the improvement of user experience while ignoring security issues. In this paper, we perform the comprehensive study on vulnerabilities caused by misuse of APIs and form a methodology for this type of vulnerability analysis. We investigate the security of three types of Android Apps including finance, shopping and browser which are closely related to human life. And we analyze four vulnerabilities including Improper certificate validation(CWE-295:ICV) , WebView bypass certificate validation vulnerability(CVE-2014-5531:WBCVV) , WebView remote code execution vulnerability(CVE-2014-1939:WRCEV) and Alibaba Cloud OSS credential disclosure vulnerability(CNVD-2017-09774:ACOCDV) . In order to verify the effectiveness of our analysis method in large-scale Apps on the Internet, we propose a novel scalable tool - VulArcher, which is based on heuristic method and used to discover if the above vulnerabilities exist in Apps. We download a total of 6114 of the above three types of samples in App stores, and we use VulArcher to perform the above vulnerability detection for each App. We perform manual verification by randomly selecting 100 samples of each vulnerability. We find that the accuracy rate for ACOCDV can reach 100%, the accuracy rate for WBCVV can reach 95%, and the accuracy rate for the other two vulnerabilities can reach 87%. And one of vulnerabilities detected by VulArcher has been included in China National Vulnerability Database (CNVD) ID(CNVD-2017-23282). Experiments show that our tool is feasible and effective. For the convenience of researchers in related communities, We make our data and tool available at https://buptnsrclab.github.io/blog/2020/01/03/vularcher-site-launched .

Published
2020

37. Is credential stuffing the new phishing?

Author

Steven Rees-Pullman

Subjects
Moment (mathematics), General Computer Science, Computer science, business.industry, Wish, Internet privacy, The Internet, Set (psychology), business, Law, Phishing, Credential
Abstract

Sometimes it seems as though, in a moment of weakness or just wishing for an easier life, the average security pro might wish that Clifford Stoll, writer of an (in)famous 1995 Newsweek article titled ‘The Internet? Bah!' (or ‘Why the web won't be Nirvana') had been right. 1 As the title suggests, Stoll contended that, while fun, the Internet was a bubble set to burst.

Published
2020

38. ARIES: Evaluation of a reliable and privacy-preserving European identity management framework

Author

Rafael Torres Moreno, Antonio F. Skarmeta, Jorge Bernal Bernabe, Sébastien Bahloul, Martin David, and Javier Presa Cordero

Subjects
Flexibility (engineering), Biometrics, Computer Networks and Communications, business.industry, Computer science, 020206 networking & telecommunications, Usability, 02 engineering and technology, Computer security, computer.software_genre, Credential, Identity management, Hardware and Architecture, 0202 electrical engineering, electronic engineering, information engineering, Identity (object-oriented programming), Strong authentication, 020201 artificial intelligence & image processing, business, computer, Software
Abstract

Despite several efforts in the last years to make Identity Management Systems (IdMs) reliable, secured and privacy-respectful, identity-related cybercrimes are still continuously expanding. Current IdMs lack of proper security and privacy mechanisms that can holistically manage user’s privacy, strong authentication and ID-proofing mechanisms based on biometrics, usage of breeder documents, while maintaining usability for mobile, online or face-to-face scenarios. To fill this gap, the ARIES EU project aims to set up a reliable identity ecosystem, combining mature technologies for meet highest level of assurance, such as biometrics or use of secure elements, with innovative credential derivation mechanisms. ARIES has devised and implemented a privacy-preserving and user-centric Identity Management framework as well as associated management practices that ensure usability and flexibility for identity management processes. This paper presents ARIES results obtained after the successful development and validation of the ARIES IdM System in the associated use cases.

Published
2020

39. An Efficient Blacklistable Anonymous Credentials without TTP of Tracing Authority Using Pairing-Based Accumulator

Author

Toru Nakanishi, Shahidatul Sadiah, and Yuu Aikou

Subjects
Authentication, Computer science, business.industry, Applied Mathematics, Tracing, Trusted third party, Computer Graphics and Computer-Aided Design, Credential, Accumulator (cryptography), Blacklist, Public-key cryptography, Signal Processing, Electrical and Electronic Engineering, business, Anonymity, Computer network
Abstract

In conventional ID-based user authentications, privacy issues may occur, since users’ behavior histories are collected in Service Providers (SPs). Although anonymous authentications such as group signatures have been proposed, these schemes rely on a Trusted Third Party (TTP) capable of tracing misbehaving users. Thus, the privacy is not high, because the TTP of tracing authority can always trace users. Therefore, the anonymous credential system using a blacklist without the TTP of tracing authority has been proposed, where blacklisted anonymous users can be blocked. Recently, an RSA-based blacklistable anonymous credential system with efficiency improvement has been proposed. However, this system still has an efficiency problem: The data size in the authentication is O(K0), where K0 is the maximum number of sessions in which the user can conduct. Furthermore, the O(K0)-size data causes the user the computational cost of O(K0) exponentiations. In this paper, a blacklistable anonymous credential system using a pairing-based accumulator is proposed. In the proposed system, the data size in the authentication is constant for parameters. Although the user’s computational cost depends on parameters, the dependent cost is O(δBL · K) multiplications, instead of exponentiations, where δBL is the number of sessions added to the blacklist after the last authentication of the user, and K is the number of past sessions of the user. The demerit of the proposed system is O(n)-size public key, where n corresponds to the total number of all sessions of all users in the system. But, the user only has to download the public key once.

Published
2019

40. Credential Provisioning and Device Configuration with EAP

Author

Pekka Laitinen, Tolgahan Akgün, Sebastien Boire, Sandeep Tamrakar, Tuomas Aura, Philip Ginzboorg, Department of Computer Science, Huawei Technologies, Computer Science Professors, Aalto-yliopisto, and Aalto University

Subjects
Authentication, business.industry, Computer science, Provisioning, security, Certificate, Web API, Credential, EAP, wireless network, Session (computer science), Extensible Authentication Protocol, device management, business, configuration, Protocol (object-oriented programming), certificate provisioning, Computer network
Abstract

The Extensible Authentication Protocol (EAP) is used for authenticating client devices to WiFi networks, and it is designed to be extensible with new authentication methods. We look at ways to extend the protocol to support credential provisioning and configuration of new client devices. As large numbers of IoT devices are deployed, the task will be simplified by combining the network connectivity, identity and certificate provisioning, and application-layer connectivity to one process. The solution will also allow the use of a one-time credential for the initial authentication, so that the long-term device certificate is issued automatically after the first connection to the network. The paper analyzes the requirements and architectural design options that implement such a user experience. We consider solutions that transfer short bootstrapping data inside the EAP session and then implement the provisioning and configuration with web APIs over HTTPS. This allows future flexibility and speed of development inthe provisioning and configuration steps. We designed and implemented several architecturally different solutions and present the comparison results and also compare with previous proposals that have similar goals.

Published
2021

41. With a Little Help from My Friends

Author

Lucjan Hanzlik and Daniel Slamanig

Subjects
Subscriber identity module, business.industry, Computer science, Cryptography, Computer security, computer.software_genre, Credential, law.invention, Public-key cryptography, law, MULTOS, Key (cryptography), Strong authentication, Smart card, business, computer
Abstract

Anonymous credentials (ACs) are a powerful cryptographic tool for the secure use of digital services, when simultaneously aiming for strong privacy guarantees of users combined with strong authentication guarantees for providers of services. They allow users to selectively prove possession of attributes encoded in a credential without revealing any other meaningful information about themselves. While there is a significant body of research on AC systems, modern use-cases of ACs such as mobile applications come with various requirements not sufficiently considered so far. These include preventing the sharing of credentials and coping with resource constraints of the platforms (e.g., smart cards such as SIM cards in smartphones). Such aspects are typically out of scope of AC constructions, and, thus AC systems that can be considered entirely practical have been elusive so far. In this paper we address this problem by introducing and formalizing the notion of core/helper anonymous credentials (CHAC). The model considers a constrained core device (e.g., a SIM card) and a powerful helper device (e.g., a smartphone). The key idea is that the core device performs operations that do not depend on the size of the credential or the number of attributes, but at the same time the helper device is unable to use the credential without its help. We present a provably secure generic construction of CHACs using a combination of signatures with flexible public keys (SFPK) and the novel notion of aggregatable attribute-based equivalence class signatures (AAEQ) along with a concrete instantiation. The key characteristics of our scheme are that the size of showing tokens is independent of the number of attributes in the credential(s) and that the core device only needs to compute a single elliptic curve scalar multiplication, regardless of the number of attributes. We confirm the practical efficiency of our CHACs with an implementation of our scheme on a Multos smart card as the core and an Android smartphone as the helper device. A credential showing requires less than 500 ms on the smart card and around 200 ms on the smartphone (even for a credential with 1000 attributes).

Published
2021

42. All your Credentials are Belong to Us: On Insecure WPA2-Enterprise Configurations

Author

Kin Man Leung, Endadul Hoque, Mohsen Minaei, Omar Chowdhury, Man Hong Hue, Joyanta Debnath, Kailiang Xian, Sze Yiu Chau, M. Hammad Mazhar, and Li Li

Subjects
Authentication, Transport Layer Security, business.industry, Network security, Computer science, Public key infrastructure, Computer security, computer.software_genre, Credential, Public-key cryptography, X.509, Server, business, computer
Abstract

In this paper, we perform the first multifaceted measurement study to investigate the widespread insecure practices employed by tertiary education institutes (TEIs) around the globe when offering WPA2-Enterprise Wi-Fi services. The security of such services critically hinges on two aspects: (1) the connection configuration on the client-side; and (2) the TLS setup on the authentication servers. Weaknesses in either can leave users susceptible to credential theft. Typically, TEIs prescribe to their users either manual instructions or pre-configured profiles (e.g., eduroam CAT). For studying the security of configurations, we present a framework in which each configuration is mapped to an abstract security label drawn from a strict partially ordered set. We first used this framework to evaluate the configurations supported by the user interfaces (UIs) of mainstream operating systems (OSs), and discovered many design weaknesses. We then considered 7045 TEIs in 54 countries/regions, and collected 7275 configuration instructions from 2061 TEIs. Our analysis showed that majority of these instructions lead to insecure configurations, and nearly 86% of those TEIs can suffer from credential thefts on at least one OS. We also analyzed a large corpus of pre-configured eduroam CAT profiles and discovered several misconfiguration issues that can negatively impact security. Finally, we evaluated the TLS parameters used by authentication servers of thousands of TEIs and discovered perilous practices, such as the use of expired certificates, deprecated versions of TLS, weak signature algorithms, and suspected cases of private key reuse among TEIs. Our long list of findings have been responsibly disclosed to the relevant stakeholders, many of which have already been positively acknowledged.

Published
2021

43. Decentralization of Credential Verification System using Blockchain

Author

Dilip Motwani, Priti P. Bokariya, and Blue Eyes Intelligence Engineering and Sciences Publication(BEIESP)

Subjects
100.1/ijitee.K951409101121, Blockchain, General Computer Science, ComputingMilieux_THECOMPUTINGPROFESSION, Computer science, Verification system, Computer security, computer.software_genre, Decentralization, Credential, Blockchain, cryptography, DAPP, Mechanics of Materials, 2278-3075, Electrical and Electronic Engineering, computer, Civil and Structural Engineering
Abstract

After successful completion of graduation, students receive the credits of the courses in the form of certificate issued by the respective University. A Student have to produce his/her documents to the employers or the authorities for employment or higher education. Today ,as the system is centralized all the data resides on the server which can be hacked or the data can be lost if the system crushes down. However, verifying a certificate by authorities, is a time-consuming process as there is an involvement of human resources ,for validating the details of the candidate from its University. Today , with the advancement in technologies and due to the easy availability of many efficient soft wares that have led to the forgery of credentials/certificates. The lack of anti-tampering mechanisms resulted in incidents where the forged graduation certificates are often found. Also ,in case certificates are out of place , applying for duplicate certificates and its issuance by the University consumes a lot of time. Use of blockchain technology in this process will make the system decentralized as blocks as cryptographically connected and all the nodes in the network shares the entire chain .Hence the proposed decentralized certificate verification system, uses blockchain technology incorporating all the essential features in developing a DAPP. This system is proposed to address the issue of certificate counterfeiting, faster certificate verification and issuance. Putting across all the issues, the system aims at addressing the problems and provide solutions to the current Certificate Issuance, verification and Validation Process.

Published
2021

44. Malicious URL Detection using Multilayer CNN

Author

Ashish Singh and Pradeep Kumar Roy

Subjects
business.industry, Computer science, Data loss, Computer security, computer.software_genre, Credential, Convolutional neural network, Phishing, Web page, Classifier (linguistics), The Internet, Layer (object-oriented design), business, computer
Abstract

Due to developing Internet-based technologies, the number of online domains and URLs is increasing globally. Parallel several cybersecurity threats and phishing attacks have been encountered while accessing these websites. Accessing a malicious webpage can create serious harm to the physical system. Data loss, privacy breach, credential theft and many security threats are entered while an Internet user clicks a malicious URL. Several defence and detection strategies have been proposed in the previous research works. But, the works have used a traditional classifier which is not adequate. This is because the size of the URL is huge, and the URL patterns are changed over time so finding the correlation between old and new patterns is almost impossible. Hence, this paper proposed malicious URL detection using multilayer Convolutional Neural Network (CNN). The proposed model first considered one layer of CNN. After that, to improve the accuracy, a two-layer of CNN will be used. The achieved result illustrated that malicious website detection accuracy is enhanced 89% to 91% when the model uses two layers of CNN.

Published
2021

45. A Biometric Approach for Electronic Healthcare Database System using SAML - A Touchfree Technology

Author

T. Devi, N. Deepa, and Ramachandran. A

Subjects
Authentication, business.industry, Computer science, Fingerprint (computing), Cloud computing, Fingerprint recognition, Computer security, computer.software_genre, Credential, Security Assertion Markup Language, Authentication protocol, business, computer, Protocol (object-oriented programming)
Abstract

In Healthcare 4.0, the enhanced view is to analyze the highly affected people in one common disease. In 2021, the global pandemic scenario poses the greatest threat to human life owing to Covid-19. In this approach, medical records and their accessibility play an important role in dealing with illnesses and problems in electronic healthcare record systems (EHR). The proposed system provides a solution for tracking the affected person, who is not in control to isolate them during the high symptoms situation. Security Assertion Markup Language (SAML) is an authentication protocol that helps to prevent other human lives to be saved by providing mobile based health care systems. In such cloud access the credentials are turned in important credential authentication such that pass code allows authorizing doctors and caretakers to access it. Since SAML transactions are enabled with border control such that proof of Covid positive people can be recognized easily with the fingerprint scanning. Also proposed work using the SAML protocol for authentication which helps to provide environment for mobile applications for COVID-observed patients to identify the user who are remotely in access by applying the bio-id generated and updated in Cloud service provider. Also on boarding people who are available for supporting the patients. The main objective of the proposed work using healthcare 4-0 as authentication system is to provide Covid patient instant support for availability of necessary control through biometric border control such that the instant death can be avoided by finding the positive patients using their fingerprint and performance the least access from the huge database. Results from implementation using various affected patients from Covid strategies show the reliable data and secured protocol using SAML gives a better performance compared to other services.

Published
2021

46. It's Badging Time!

Author

Joseph R. Fanfarelli and Paul M. Harden

Subjects
Computer science, business.industry, Internet privacy, Certification, Credentialing, business, Credential, Terminology
Abstract

Digital badges, or virtual images that indicate skill or accomplishment of the earner, have been shown to be effective tools for supporting learning, credentialing, and other purposes. However, they are sometimes ineffective, demonstrating incompatibility between badging applications and purposes. To this end, recent research has become increasingly detailed in its examination of the specific design attributes of badges. This paper continues this trend by examining the topic of digital badging lifespan in order to create a common terminology for use in research and practice, and to lay a foundation for future discussion and research on badging lifespan, an area that has received little attention. This paper's primary contribution is the proposal of three types of badging lifespans: momentary badges, permanent badges, and semi-permanent badges. These types are not meant to be exhaustive, but can be used to more precisely describe badging system design and experimental manipulations in badging.

Published
2021

47. A Blockchain-Based Verification System for Academic Certificates

Author

Nevil D'Souza, Hrithik Gaikwad, Amiya Kumar Tripathy, and Rajkumar Gupta

Subjects
Blockchain, Database, Process (engineering), business.industry, Computer science, Scalability, Verification system, Overhead (computing), Web application, computer.software_genre, business, computer, Credential
Abstract

Millions of students complete their education each year and go on to do higher studies or a corporate job. In this case student credentials are verified through a lengthy document verification process. This results in significant overhead as documents are transferred between institutions for verification. There is a need for an automated credential verification system which can reduce the time required for the document verification process. Blockchain Technology can be used to reduce overhead and reduce the time taken for document verification from days to mere seconds. In this work, an attempt has been made to develop a Blockchain-based verification system for academic certificates. With the advent of public Blockchain like Ethereum, DApps (Decentralized Applications) and Smart contracts, scalable and cost effective solutions can be implemented to reduce overhead and make document verification a seamless process. The proposed solution consists of a web app which will have a front-end for registering and requesting verification, along with a backend which will have two modules: An OCR module to extract details from certificates and a Blockchain module to send and verify data stored in the Blockchain.

Published
2021

48. Mapping Risk Assessment Strategy for COVID-19 Mobile Apps’ Vulnerabilities

Author

Masooda Bashir, Tanusree Sharma, Hunter A. Dyer, and Roy H. Campbell

Subjects
Scope (project management), Coronavirus disease 2019 (COVID-19), Computer science, business.industry, Internet privacy, Research studies, Mobile apps, Baseline risk, Mobile technology, business, Risk assessment, Credential
Abstract

Recent innovations in mobile technologies are playing an important and vital role in combating the COVID-19 pandemic. While mobile apps’ functionality plays a crucial role in tackling the COVID-19 spread, it is also raising concerns about the associated privacy risks that users may face. Recent research studies have showed various technological measures on mobile applications that lack consideration of privacy risks in their data practices. For example, security vulnerabilities in COVID-19 apps can be exploited and therefore also pose privacy violations. In this paper, we focus on recent and newly developed COVID-19 apps and consider their threat landscape. Our objective was to identify security vulnerabilities that can lead to user-level privacy risks. We also formalize our approach by measuring the level of risk associated with assets and services that attackers may be targeting to capture during the exploitation. We utilized baseline risk assessment criteria within the scope of three specific security vulnerabilities that often exists in COVID-19 applications namely credential leaks, insecure communication, and HTTP request libraries. We present a proof of concept implementation for risk assessment of COVID-19 apps that can be utilized to evaluate privacy risk by the impact of assets and threat likelihood.

Published
2021

49. Pict-Place Authentication: Recognition-based Graphical Password using Image Layout for Better Balance of Security and Operation Time

Author

Mitsuhiro Yoshida and Tetsuji Takada

Subjects
Password, Scheme (programming language), Authentication, Computer science, business.industry, PICT, Usability, computer.file_format, Credential, Image (mathematics), Embedded system, Input method, business, computer, computer.programming_language
Abstract

In this paper, we propose a novel recognition-based graphical authentication (RbGA) scheme, named “Pict-Place authentication” (PPA). RbGA was expected to improve the credential memorability issue of knowledge-based user authentication. However, RbGA has not been widely used owing to its low security and longer operation time. We therefore propose a new RbGA scheme to modify the credential input method in order to improve these issues. In PPA, the credential is input as a layout of multiple images. Based on this idea, we implemented a web-based prototype system and conducted evaluation experiments. The results indicate that PPA has the potential to reduce the operation time and improve theoretical security.

Published
2021

50. Federated Authorization for Managed Data Sharing: Experiences from the ImPACT Project

Author

Jeffrey S. Chase and Ilya Baldin

Subjects
Data sharing, Data access, Computer science, Context (language use), Architecture, Computer security, computer.software_genre, Pipeline (software), Credential, computer, Identity management, Data modeling
Abstract

This paper presents the rationale and design of the trust plane for ImPACT, a federated platform for managed sharing of restricted data. Key elements of the architecture include Web-based notaries for credential establishment based on declarative templates for Data Usage Agreements, a federated authorization pipeline, integration of popular services for identity management, and programmable policy based on a logical trust model with a repository of linked certificates. We show how these elements of the trust plane work in concert, and set the ideas in context with principles of federated authorization. A focus and contribution of the paper is to explore limitations of the resulting architecture and tensions among competing design goals. We also point the way toward future extensions, including policy-checked data access from cloud-hosted data enclaves with enhanced defenses against data leakage and exfiltration.

Published
2021

Catalog

Books, media, physical & digital resources
See catalog results