Search

Your search keyword '"Credential"' showing total 697 results
Start Over Descriptor "Credential" Topic computer security
697 results on '"Credential"'

2. Scrutinizing Implementations of Smart Home Integrations

Author

Ling Shi, Zhenkai Liang, Kailong Wang, Yan Liu, Guangdong Bai, Kulani Mahadewa, and Jin Song Dong

Subjects
Security analysis, business.industry, Computer science, Vulnerability, 020207 software engineering, 02 engineering and technology, Computer security, computer.software_genre, Credential, Personalization, Attack model, Home automation, 0202 electrical engineering, electronic engineering, information engineering, Information system, Communications protocol, business, Implementation, computer, Software
Abstract

A key feature of the booming smart home is the integration of a wide assortment of technologies, including various standards, proprietary communication protocols and heterogeneous platforms. Due to customization, unsatisfied assumptions and incompatibility in the integration, critical security vulnerabilities are likely to be introduced by the integration. Hence, this work addresses the security problems in smart home systems from an integration perspective, as a complement to numerous studies that focus on the analysis of individual technologies. We propose HOMESCAN, an approach that examines the security of the implementations of smart home systems. It extracts the abstract specification of application-layer protocols and internal behaviors of entities, so that it is able to conduct an end-to-end security analysis against various attack models. Applying HOMESCAN on three extensively-used smart home systems, we have found twelve non-trivial security vulnerabilities, which may lead to unauthorized remote control and credential leakage.

Published
2021

3. Decentralized Anonymous Authentication With Fair Billing for Space-Ground Integrated Networks

Author

Yuxian Li, Tao Li, Cheng Huang, Xiang Liu, Ming Li, and Anjia Yang

Subjects
Security analysis, Authentication, Smart contract, Computer Networks and Communications, Computer science, media_common.quotation_subject, Aerospace Engineering, Computer security, computer.software_genre, Payment, Credential, Handover, Authentication protocol, Automotive Engineering, Verifiable secret sharing, Electrical and Electronic Engineering, computer, media_common
Abstract

The space-ground integrated network (SGIN) has attracted growing attention due to its advantages of high-capacity, low-latency and global coverage. To guarantee the security requirements of SGIN, anonymous authentication is an essential approach to addressing severe threats such as unauthorized access and impersonation attack, while payment is another common method in service-oriented applications in order to encourage companies to participate and also prevent insider attackers from enjoying services without paying. Existing anonymous authentication protocols for SGIN either require users to involve in heavy computation especially in dynamic scenarios, or do not consider cross-domain authentication. In this paper, we first introduce the concept of cross-company satellite services, and then address the cross-domain authentication and billing issues in SGIN, i.e., we propose a decentralized anonymous authentication scheme supporting fast handover and also achieve fairness for the billing procedures. To reduce the authentication delays, the authentication process is delegated from ground to satellites, such that users can arbitrarily switch the satellite networks belonging to different companies. Specifically, users can be anonymously authenticated by showing the knowledge of a secret bound with a randomized verifiable credential and connect to different satellite networks through a fast handover authentication protocol building on a blockchain. Even all companies collude, they cannot forge a valid identity credential and access records for a user. In addition, we provide a fair billing mechanism that can prevent malicious users and greedy satellite companies from manipulating the network accessing fees based on a well-designed smart contract. Finally, we demonstrate that the proposed scheme is secure and efficient through security analysis and performance evaluation.

Published
2021

4. Blockchain-enabled fog resource access and granting

Author

Gang Liu, Ting Wang, and Jinsong Wu

Subjects
Authentication, Smart contract, Computer science, End user, media_common.quotation_subject, Computer security, computer.software_genre, Credential, Negotiation, Resource (project management), Network Access Control, Resource Provider, computer, media_common
Abstract

Fog computing is a new computing paradigm for meeting ubiquitous massive access and latency-critical applications by moving the processing capability closer to end users. The geographical distribution/floating features with potential autonomy requirements introduce new challenges to the traditional methodology of network access control. In this paper, a blockchain-enabled fog resource access and granting solution is proposed to tackle the unique requirements brought by fog computing. The smart contract concept is introduced to enable dynamic, and automatic credential generation and delivery for an independent offer of fog resources. A per-transaction negotiation mechanism supports the fog resource provider to dynamically publish an offer and facilitates the choice of the preferred resource by the end user. Decentralized authentication and authorization relieve the processing pressure brought by massive access and single-point failure. Our solution can be extended and used in multi-access and especially multi-carrier scenarios in which centralized authorities are absent.

Published
2021

5. Locking the door: tackling credential abuse

Author

Steve Mansfield-Devine

Subjects
021110 strategic, defence & security studies, Information Systems and Management, Application programming interface, Computer Networks and Communications, business.industry, Computer science, Process (engineering), 0211 other engineering and technologies, 02 engineering and technology, Appropriate technology, Computer security, computer.software_genre, Login, Credential, Authentication (law), Software deployment, Safety, Risk, Reliability and Quality, Internet of Things, business, computer
Abstract

Credential abuse is a major issue facing organisations of all sizes. It affects not only simple login processes but also solutions and technologies such as application programming interfaces (APIs), the deployment of Internet of Things (IoT) devices and machine-to-machine authentication. Cyber criminals and nation-state attackers alike have automated the process of credential abuse while also refining highly targeted attacks. And the problem is getting worse. Credential abuse is a major issue facing organisations of all sizes. Cyber criminals and nation-state attackers alike have automated the process while also refining highly targeted attacks. The problem is getting worse and credential abuse presents itself in many forms. And there are equally as many solutions touted by vendors, all of which have their own challenges and weaknesses. However, there are successful solutions available and tackling the issue just takes a proper awareness of the problem and applying the appropriate technology and training, writes Steve Mansfield-Devine.

Published
2021

6. Who's that knocking at the door? The problem of credential abuse

Author

Steve Mansfield-Devine

Subjects
Password, 021110 strategic, defence & security studies, Information Systems and Management, Application programming interface, Computer Networks and Communications, Computer science, 0211 other engineering and technologies, Context (language use), 02 engineering and technology, Attack surface, Computer security, computer.software_genre, Security token, Certificate, Credential, Key (cryptography), Safety, Risk, Reliability and Quality, computer
Abstract

At the heart of IT security is a simple concept – proving you are who you say you are. In this context, ‘you’ might be a human logging into a network or service, a device interacting with an application programming interface (API), one network talking to another or any number of other scenarios. And the proof could be a certificate, an SSH key, a token of some form or our old favourite – and inevitably the artefact we'll be talking most about here – the old, fragile and yet seemingly unkillable password. At the heart of IT security is a simple concept – proving that you are who you say you are. But the ways we have of doing that, through credentials of some form, are flawed. Credential abuse comes in many forms. The question we need to ask is, where does it sit in terms of an organisation's attack surface and security priorities? In the first of a two-part feature, Steve Mansfield-Devine surveys a number of industry experts to get their views on what forms of credential abuse are being encountered and the threat these pose to enterprises.

Published
2021

7. Quantum-Resistant Cryptography for the Internet of Things Based on Location-Based Lattices

Author

Mischa Dohler and Ohood Saud Althobaiti

Subjects
Spoofing attack, General Computer Science, Computer science, Internet of Things, Cryptography, Computer security, computer.software_genre, localization, law.invention, Public-key cryptography, law, Cryptosystem, General Materials Science, Subscriber identity module, Authentication, business.industry, General Engineering, Public key infrastructure, quantum-resistant cryptography, Credential, TK1-9971, lattices, Electrical engineering. Electronics. Nuclear engineering, business, computer, location
Abstract

An important enabler of the Internet of Things (IoT) is the Narrow-Band Internet of Things (NB-IoT) technology, which is a 3GPP standards compliant connectivity solution. Quantum computing, another emerging technological paradigm, promises novel compute opportunities but is also able to compromise cybersecurity ciphers. Therefore, improved methods to mitigate such security threats are needed. In this research, we propose a location-aware cryptographic system that guarantees post-quantum IoT security. The ultimate value of a location-driven cryptosystem is to use the geographic location as a player’s identity and credential. Position-driven cryptography using lattices is efficient and lightweight, and it can be used to protect sensitive and confidential data in many critical situations that rely heavily on exchanging confidential data. At the best of our knowledge, this research starts the study of unconditional-quantum-resistant-location-driven cryptography by using the Lattice problem for the IoT in a pre-and post-quantum world. Unlike existing schemes, the proposed cryptosystem is the first secure and unrestricted position-based protocol that guards against any number of collusion attackers and against quantum attacks. It has a guaranteed authentication process, solves the problems of distributing public keys by removing a public key infrastructure (PKI), offers secure NB-IoT without SIM cards, and resists location spoofing attacks. Furthermore, it can be generalized to any network – not just NB-IoT.

Published
2021

8. Learning from learning: detecting account takeovers by identifying forgetful users

Author

Sean A McElroy

Subjects
Authentication, General Computer Science, Computer science, business.industry, Social engineering (security), Data breach, Demographic data, Computer security, computer.software_genre, Original research, Credential, Web application, Profiling (information science), business, Law, computer
Abstract

Credential-stuffing attacks are increasing in frequency, allowing threat actors to use data breaches from one source to perpetrate another. While multi-factor authentication remains a crucial preventative measure to protect against credential stuffing, the availability of credential data sets with contact information and the correlation with demographic data can allow threat actors to overcome it through interactive social engineering. Concurrently, alternative defence mechanisms such as network source profiling and device fingerprinting lose effectiveness as privacy-protecting technologies reduce the observable variability between legitimate and fraudulent user sessions. Sean A McElroy of Lumin Digital presents original research which suggests that by measuring a user's increasing familiarity with a web application over time, outliers in use may indicate account takeover fraud. Credential-stuffing attacks are increasing in frequency, allowing threat actors to use data breaches from one source to perpetrate another. While multi-factor authentication remains a crucial preventative measure to protect against credential stuffing, the availability of credential data sets with contact information and the correlation with demographic data can allow threat actors to overcome it through interactive social engineering. Concurrently, alternative defence mechanisms such as network source profiling and device fingerprinting lose effectiveness as privacy-protecting technologies reduce the observable variability between legitimate and fraudulent user sessions.

Published
2021

9. SBI Model for the Detection of Advanced Persistent Threat Based on Strange Behavior of Using Credential Dumping Technique

Author

Bahari Belaton and Nachaat AbdElatif Mohamed

Subjects
Advanced persistent threat, General Computer Science, Computer science, 02 engineering and technology, Data loss, computer.software_genre, Computer security, Common knowledge, 0202 electrical engineering, electronic engineering, information engineering, General Materials Science, Electrical and Electronic Engineering, Mimikatz and credential dumping, business.industry, General Engineering, Windows Registry, exploit, 020206 networking & telecommunications, Credential, Attacker, Malware, APT, 020201 artificial intelligence & image processing, The Internet, Central processing unit, lcsh:Electrical engineering. Electronics. Nuclear engineering, business, dump, computer, lcsh:TK1-9971, ATT&CK
Abstract

This study investigated the shift from the manual approach of processing data to the digitized method making organizational data prone to attack by cybercriminals. The latest threat Advanced Persistent Threats (APT) was originated by the United States Air Force in 2006 by Colonel Greg Rattray. APT is constantly ravaging industries and governments, which causes severe damages including data loss, espionage, sabotage, leak, or forceful pay of ransom money to the attackers. This study introduces a new model built on Adversarial Tactics Techniques and Common Knowledge (ATT&CK) matrix for detecting APT attack. This is to identify the APT on the first potential victim when the attackers use credential dumping technique. Strange Behavior Inspection Model incorporating several models investigates and monitors APT behavioral features in the CPU, RAM, windows registry, and file systems proposed to detect APT Attack at the first potential victim machine. The Strange Behavior Inspection (SBI) Model proposed in this paper is designed to detect the attack before being developed to more advanced phases. The results of this study are presented at four levels:1- random access memory, 2-central processing unit, 3- windows registry, and 4- file systems. This study proposes a unique model as evidence to detect APT attacks before any other techniques are used. The proposed model reduces the detection time from nine-months to 2.7 minutes.

Published
2021

10. Economic authentic and anonymous data sharing with forward security

Author

N. Prabha and R. Banumathi

Subjects
010302 applied physics, Authentication, business.industry, Computer science, Public key infrastructure, Cloud computing, 02 engineering and technology, 021001 nanoscience & nanotechnology, Computer security, computer.software_genre, 01 natural sciences, Credential, Data sharing, Ring signature, Forward secrecy, 0103 physical sciences, Key (cryptography), 0210 nano-technology, business, computer
Abstract

With the advancements of cloud services, sharing of information has never ever been easier, and intelligent prediction of shared information provides a slew of advantages also to individuals and society. When sharing data with a huge group of people, several factors must be considered, which include effectiveness, authentication, and the confidentiality of the cloud provider. A viable target for constructing an unidentified and genuine interoperability system is ring signature. It enables an owner to privately configure the data that can then be stored or analyzed in the cloud. However, in a conventional Public-Key-Infrastructure (PKI) setting, the expensive credential authentication becomes a limiting factor for this solution's scalability. Instead, an Identity based Ring Signature can be used, which eliminates the need for document verification. We enhance the safety of identity based ring signatures in this paper by adding forward protection: If a user's secret key is corrupted, all previously stored confirmations containing this user are still valid. The whole product is extremely crucial in any big information sharing system, because it is pointless to force all digital assets to conceptual metaphor their data if a single user's secret key is compromised. We demonstrate the practicality of our scheme by providing a tangible as well as efficient implementation and proving its security in good manner.

Published
2021

12. A Flexible Privacy-Preserving Data Sharing Scheme in Cloud-Assisted IoT

Author

Letian Sha, Hui Yin, Hua Deng, and Zheng Qin

Subjects
Information privacy, Security analysis, Computer Networks and Communications, Computer science, media_common.quotation_subject, Cryptography, Cloud computing, 02 engineering and technology, Encryption, Computer security, computer.software_genre, Public-key cryptography, 0202 electrical engineering, electronic engineering, information engineering, media_common, Delegation, business.industry, 020206 networking & telecommunications, Credential, Computer Science Applications, Data sharing, Hardware and Architecture, Signal Processing, 020201 artificial intelligence & image processing, business, computer, Information Systems
Abstract

Cloud-assisted Internet of Things (IoT) has become an increasingly popular technological trend as the performance of IoT applications can be greatly improved by delegating the cloud to manage massive IoT data. To protect the confidentiality of data outsourced from IoT devices to the cloud, cryptographic mechanisms are usually employed to encrypt the data in such a way that only the user designated by the data owner can decrypt the data. However, in the IoT multiuser environment, the encrypted data may also need to be shared with more users beyond the initially designated one. In this article, we propose a flexible privacy-preserving data sharing (FPDS) scheme in cloud-assisted IoT. With the FPDS scheme, an IoT user can encrypt data to a recipient by using identity-based encryption. More importantly, the IoT user can specify a fine-grained access policy to generate a delegation credential, and then send this credential to the cloud so that it can convert all the encrypted data satisfying the access policy into new ciphertexts that are readable to a new recipient. In this way, IoT users can share the data outsourced to the cloud in a flexible and privacy-preserving manner. Detailed security analysis shows that the FPDS scheme is secure against semitrusted cloud and malicious IoT users. Thorough theoretical and experimental analyses demonstrate the high efficiency of the scheme.

Published
2020

13. Plain text passwords: A forensic RAM-raid

Author

Graeme Horsman

Subjects
Password, Plain text, Computer science, RAID, 010401 analytical chemistry, computer.file_format, Login, Computer security, computer.software_genre, 01 natural sciences, Credential, Criminal investigation, 0104 chemical sciences, Pathology and Forensic Medicine, Task (project management), law.invention, 03 medical and health sciences, 0302 clinical medicine, Test case, law, 030216 legal & forensic medicine, computer
Abstract

Despite many academic studies in the last 15 years acknowledging the investigative value of physical memory due to the potential sensitive nature of data it may contain, it arguably remains rarely collected at-scene in most criminal investigations. Whilst this may be due to factors such as first responders lacking the technical skills to do this task, or simply that it is overlooked as an evidence source, this work seeks to emphasise the worth of this task by demonstrating the ability to recover plain-text login credentials from it. Through an examination of logins made to 15 popular online services carried out via the Chrome, Edge and Mozilla Firefox browsers, testing shows that plain-text credentials are present in RAM in every case. Here, a transparent test methodology is defined and the results of test cases are presented along with ‘string markers’ which allow a practitioner to search their RAM captures for the presence of unknown credential information for these services in future cases.

Published
2020

14. Indistinguishability and unextractablility of password-based authentication in blockchain

Author

Xinyi Huang and Yuexin Zhang

Subjects
Password, Authentication, Software_OPERATINGSYSTEMS, Computer Networks and Communications, Computer science, Data_MISCELLANEOUS, Password cracking, 020206 networking & telecommunications, 02 engineering and technology, Service provider, Computer security, computer.software_genre, Credential, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Hardware and Architecture, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, computer, Software, Digest access authentication
Abstract

Password is commonly used to protect Bitcoin wallet, the most known application of blockchain. In this paper, we investigate a subtle issue when forgetting password: The account owner uses guessed passwords during the authentication with a service provider. This is different from password guessing by cyber attackers, because passwords guessed by the account owner are (most likely) his/her passwords (or their minor variations) registered with other service providers. Thus, the confidentiality of incorrect passwords in unsuccessful authentication needs protection. To capture this security requirement, we define two security goals: Indistinguishability of Incorrect Passwords (IND-PW) and Unextractablility of Incorrect Passwords (UNE-PW). Our analysis shows that: (1) IND-PW is NOT achievable if password is the only authentication credential of the client, and (2) Two common authentication methods in online services, Basic and Digest Access Authentication (in conjunction with SSL), CANNOT provide UNE-PW.

Published
2020

15. HomeShield: A Credential-Less Authentication Framework for Smart Home Systems

Author

Molka Rekik, Yinhao Xiao, Chunchi Liu, Zhiguang Shan, Arwa Alrawais, and Yizhen Jia

Subjects
Authentication, Computer Networks and Communications, business.industry, Computer science, Computer security, computer.software_genre, Credential, Computer Science Applications, Workflow, Hardware and Architecture, Home automation, Server, Signal Processing, Threat model, Android (operating system), Internet of Things, business, Everyday life, computer, Information Systems
Abstract

Smart home systems have become more and more prevailent in recent years. On the one hand, they make our everyday life more convenient; on the other hand, they suffer from the two notorious security problems, namely, the open-port problem and the overprivilege problem, making their security situations extremely worrying and uncheerful. In this article, we proposed HomeShield, a novel credential-less authentication framework to shield smart home systems by effectively defending against the attacks resulted from these two security problems without the need for sensitive credentials. We further detailed an implementation of HomeShield based on the side channels that are publicly available in Android smartphones serving as controllers of smart home systems and presented its workflow in protecting against various attacks caused by the open-port and overprivilege problems. Finally, we tested our HomeShield implementation on a real-world smart home system and considered four threat models that cover basically all practical attacks, including Mirai and its variants. We also considered the effectiveness of our HomeShield implementation on the SmartApps of the Samsung SmartThings platform, which also suffers from the open-port and overprivilege problems, even though its overprivilege issue has been extensively studied by the recently proposed works, such as ContexIoT and SmartAuth. The evaluation results indicate that our HomeShield realization can successfully defend against over 90% attack trials with an average latency of less than 1 s.

Published
2020

16. Tracking cryptographic keys and encrypted data using position verification

Author

Laszlo Bacsardi and Mate Galambos

Subjects
business.industry, BitTorrent tracker, Computer science, Cryptography, Random permutation, Encryption, Computer security, computer.software_genre, Credential, Memory address, Quantum cryptography, Ciphertext, business, computer
Abstract

Position verification is an emerging field of quantum cryptography. Its goal is to verify whether a distant communicating party is telling the truth about where they are. However, the problem is usually formulated in a way that the position is the only credential of that party, which cannot guarantee uniqueness. In this study, the authors show how a practically secure position verification algorithm – assuming it exists – might be used to track (i.e. repeatedly verify the position) of some unique key or cipher text. To achieve this, they rely on pre-prepared position verification data called trackers. They also propose three algorithms that implement their general tracking scheme and examine some questions related to their security. These implementations include shuffling trackers into valuable data and hiding their memory address through a random permutation; using CNOT operations to entangle valuable data and trackers; and using random qubit strings from which either trackers or secret keys can be produced at will. These methods may be used to track a diplomatic package or reveal the location of a malicious party during a denial of service attack.

Published
2020

17. A practical solution to clone problem in anonymous information system

Author

Bin Lian, Lang Wang, Dake He, Ping Yu, Jialin Cui, and Gongliang Chen

Subjects
Information Systems and Management, Computer science, ComputingMilieux_LEGALASPECTSOFCOMPUTING, 02 engineering and technology, Login, Computer security, computer.software_genre, Theoretical Computer Science, Public-key cryptography, Artificial Intelligence, 0202 electrical engineering, electronic engineering, information engineering, Information system, Authentication, Cloning (programming), business.industry, 05 social sciences, 050301 education, Credential, Computer Science Applications, Control and Systems Engineering, Information leakage, 020201 artificial intelligence & image processing, business, 0503 education, computer, Software, Physical security
Abstract

Cloning user's identity is always a thorny problem for an information system, especially for an anonymous system. With the development of big data applications, clone behaviors sometimes even become attacks on these systems. But until now, there has been no very satisfactory anti-clone scheme in the anonymous system. After analyzing the problems in existing anti-clone schemes, without any assumptions about physical security, we provide a practical solution to the clone problem in anonymous authentication system. In our scheme, the authentication is not only related to user's private key, but also related to user's current state, which is constantly updated by the system. Therefore, the authentication trajectories of user and clone will inevitably overlap, and it results in information leakage so as to indentify clone behaviors and revoke clone user's credential. Meanwhile, we prove that honest users are truly anonymous and their login behaviors are unlinkable with complete security proofs. According to the analysis of the system function and the system efficiency, our scheme is much more efficient and has the best anti-clone properties comparing with the existing schemes.

Published
2020

18. Group Signatures with Time-Bound Keys Revisited: A New Model, an Efficient Construction, and its Implementation

Author

Ai Ishida, Keita Emura, and Takuya Hayashi

Subjects
021110 strategic, defence & security studies, Revocation, Computer science, business.industry, 0211 other engineering and technologies, 02 engineering and technology, Computer security model, Group signature, Computer security, computer.software_genre, Credential, Signature (logic), Public-key cryptography, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Constant (computer programming), Dependability, Electrical and Electronic Engineering, business, computer
Abstract

Chu et al. (ASIACCS 2012) proposed group signature with time-bound keys (GS-TBK), where each signing key is associated with expiry time $\tau$ τ . In addition, to prove membership of the group, a signer needs to prove that the expiry time has not passed, i.e., $t t τ , where $t$ t is the current time. A signer whose expiry time has passed is automatically revoked, and this revocation is called natural revocation. Signers can be revoked simultaneously before their expiry times if the credential is compromised. This revocation is called premature revocation. A nice property in the Chu et al. proposal is that the size of revocation lists can be reduced compared to those of Verifier-Local Revocation (VLR) group signature schemes by assuming that natural revocation accounts for most of the signer revocations in practice, and prematurely revoked signers are only a small fraction. In this paper, we point out that the definition of traceability of Chu et al. did not capture the unforgeability of expiry time for signing keys, which guarantees that no adversary who has a signing key associated with expiry time $\tau$ τ can compute a valid signature after $\tau$ τ has passed. This situation significantly reduces the dependability of the system since legitimate signing keys may be used for providing a forged signature. We introduce a security model that captures unforgeability, and propose a secure GS-TBK scheme in the new model. Our scheme also provides constant signing costs, whereas those of the previous schemes depended on the bit-length of the time representation. Finally, we provide the implementation results. We employ Barreto-Lynn-Scott (BLS) curves with 455-bit prime order and the RELIC library, and demonstrate that our scheme is feasible in practical settings.

Published
2020

19. Vulnerability Detection on Android Apps–Inspired by Case Study on Vulnerability Related With Web Functions

Author

Qiao-Yan Wen, Yijie Shi, Senmiao Wang, Jing Guo, Jiawei Qin, and Hua Zhang

Subjects
021110 strategic, defence & security studies, General Computer Science, Computer science, business.industry, National Vulnerability Database, 0211 other engineering and technologies, General Engineering, Vulnerability, 020206 networking & telecommunications, Cloud computing, 02 engineering and technology, Certificate, Computer security, computer.software_genre, Credential, Vulnerability assessment, 0202 electrical engineering, electronic engineering, information engineering, General Materials Science, The Internet, Android (operating system), business, computer
Abstract

Nowadays, people’s lifestyle is more and more dependent on mobile applications (Apps), such as shopping, financial management and surfing the internet. However, developers mainly focus on the implementation of Apps and the improvement of user experience while ignoring security issues. In this paper, we perform the comprehensive study on vulnerabilities caused by misuse of APIs and form a methodology for this type of vulnerability analysis. We investigate the security of three types of Android Apps including finance, shopping and browser which are closely related to human life. And we analyze four vulnerabilities including Improper certificate validation(CWE-295:ICV) , WebView bypass certificate validation vulnerability(CVE-2014-5531:WBCVV) , WebView remote code execution vulnerability(CVE-2014-1939:WRCEV) and Alibaba Cloud OSS credential disclosure vulnerability(CNVD-2017-09774:ACOCDV) . In order to verify the effectiveness of our analysis method in large-scale Apps on the Internet, we propose a novel scalable tool - VulArcher, which is based on heuristic method and used to discover if the above vulnerabilities exist in Apps. We download a total of 6114 of the above three types of samples in App stores, and we use VulArcher to perform the above vulnerability detection for each App. We perform manual verification by randomly selecting 100 samples of each vulnerability. We find that the accuracy rate for ACOCDV can reach 100%, the accuracy rate for WBCVV can reach 95%, and the accuracy rate for the other two vulnerabilities can reach 87%. And one of vulnerabilities detected by VulArcher has been included in China National Vulnerability Database (CNVD) ID(CNVD-2017-23282). Experiments show that our tool is feasible and effective. For the convenience of researchers in related communities, We make our data and tool available at https://buptnsrclab.github.io/blog/2020/01/03/vularcher-site-launched .

Published
2020

20. ARIES: Evaluation of a reliable and privacy-preserving European identity management framework

Author

Rafael Torres Moreno, Antonio F. Skarmeta, Jorge Bernal Bernabe, Sébastien Bahloul, Martin David, and Javier Presa Cordero

Subjects
Flexibility (engineering), Biometrics, Computer Networks and Communications, business.industry, Computer science, 020206 networking & telecommunications, Usability, 02 engineering and technology, Computer security, computer.software_genre, Credential, Identity management, Hardware and Architecture, 0202 electrical engineering, electronic engineering, information engineering, Identity (object-oriented programming), Strong authentication, 020201 artificial intelligence & image processing, business, computer, Software
Abstract

Despite several efforts in the last years to make Identity Management Systems (IdMs) reliable, secured and privacy-respectful, identity-related cybercrimes are still continuously expanding. Current IdMs lack of proper security and privacy mechanisms that can holistically manage user’s privacy, strong authentication and ID-proofing mechanisms based on biometrics, usage of breeder documents, while maintaining usability for mobile, online or face-to-face scenarios. To fill this gap, the ARIES EU project aims to set up a reliable identity ecosystem, combining mature technologies for meet highest level of assurance, such as biometrics or use of secure elements, with innovative credential derivation mechanisms. ARIES has devised and implemented a privacy-preserving and user-centric Identity Management framework as well as associated management practices that ensure usability and flexibility for identity management processes. This paper presents ARIES results obtained after the successful development and validation of the ARIES IdM System in the associated use cases.

Published
2020

21. Zero-Knowledge Proofs Do Not Solve the Privacy-Trust Problem of Attribute-Based Credentials: What if Alice Is Evil?

Author

Dave Longley and Rachel Arnold

Subjects
Information privacy, Computer Networks and Communications, business.industry, Data_MISCELLANEOUS, Cryptography, Computer security, computer.software_genre, Encryption, Decentralised system, Witness, Credential, Management of Technology and Innovation, Trust management (information system), Zero-knowledge proof, Safety, Risk, Reliability and Quality, business, Law, computer
Abstract

Zero-knowledge schemes have recently become a popular attempt to offer users privacy in an attribute-based credential system. In this article, we do not contest the mathematics of these schemes; we assume it is logically sound. Instead, we draw attention to the trade-off that is made when employing cryptography instead of trusted parties to protect user privacy. We assert that, for these approaches to create the trust required by credential verifiers, they must introduce mechanisms that limit their utility and create significant privacy risk to the user that cuts against data minimization goals. Greater trust must be placed in the shelf life of cryptography to prevent the user from being unwantonly correlated than alternative approaches. Just as we would discourage storing encrypted private data on public blockchains, we discourage this approach here. Lastly, this article introduces the concept of a trusted witness which provides privacy for honest users and solves the privacy- trust problem without the disadvantages of the zero-knowledge approach.

Published
2019

22. With a Little Help from My Friends

Author

Lucjan Hanzlik and Daniel Slamanig

Subjects
Subscriber identity module, business.industry, Computer science, Cryptography, Computer security, computer.software_genre, Credential, law.invention, Public-key cryptography, law, MULTOS, Key (cryptography), Strong authentication, Smart card, business, computer
Abstract

Anonymous credentials (ACs) are a powerful cryptographic tool for the secure use of digital services, when simultaneously aiming for strong privacy guarantees of users combined with strong authentication guarantees for providers of services. They allow users to selectively prove possession of attributes encoded in a credential without revealing any other meaningful information about themselves. While there is a significant body of research on AC systems, modern use-cases of ACs such as mobile applications come with various requirements not sufficiently considered so far. These include preventing the sharing of credentials and coping with resource constraints of the platforms (e.g., smart cards such as SIM cards in smartphones). Such aspects are typically out of scope of AC constructions, and, thus AC systems that can be considered entirely practical have been elusive so far. In this paper we address this problem by introducing and formalizing the notion of core/helper anonymous credentials (CHAC). The model considers a constrained core device (e.g., a SIM card) and a powerful helper device (e.g., a smartphone). The key idea is that the core device performs operations that do not depend on the size of the credential or the number of attributes, but at the same time the helper device is unable to use the credential without its help. We present a provably secure generic construction of CHACs using a combination of signatures with flexible public keys (SFPK) and the novel notion of aggregatable attribute-based equivalence class signatures (AAEQ) along with a concrete instantiation. The key characteristics of our scheme are that the size of showing tokens is independent of the number of attributes in the credential(s) and that the core device only needs to compute a single elliptic curve scalar multiplication, regardless of the number of attributes. We confirm the practical efficiency of our CHACs with an implementation of our scheme on a Multos smart card as the core and an Android smartphone as the helper device. A credential showing requires less than 500 ms on the smart card and around 200 ms on the smartphone (even for a credential with 1000 attributes).

Published
2021

23. All your Credentials are Belong to Us: On Insecure WPA2-Enterprise Configurations

Author

Kin Man Leung, Endadul Hoque, Mohsen Minaei, Omar Chowdhury, Man Hong Hue, Joyanta Debnath, Kailiang Xian, Sze Yiu Chau, M. Hammad Mazhar, and Li Li

Subjects
Authentication, Transport Layer Security, business.industry, Network security, Computer science, Public key infrastructure, Computer security, computer.software_genre, Credential, Public-key cryptography, X.509, Server, business, computer
Abstract

In this paper, we perform the first multifaceted measurement study to investigate the widespread insecure practices employed by tertiary education institutes (TEIs) around the globe when offering WPA2-Enterprise Wi-Fi services. The security of such services critically hinges on two aspects: (1) the connection configuration on the client-side; and (2) the TLS setup on the authentication servers. Weaknesses in either can leave users susceptible to credential theft. Typically, TEIs prescribe to their users either manual instructions or pre-configured profiles (e.g., eduroam CAT). For studying the security of configurations, we present a framework in which each configuration is mapped to an abstract security label drawn from a strict partially ordered set. We first used this framework to evaluate the configurations supported by the user interfaces (UIs) of mainstream operating systems (OSs), and discovered many design weaknesses. We then considered 7045 TEIs in 54 countries/regions, and collected 7275 configuration instructions from 2061 TEIs. Our analysis showed that majority of these instructions lead to insecure configurations, and nearly 86% of those TEIs can suffer from credential thefts on at least one OS. We also analyzed a large corpus of pre-configured eduroam CAT profiles and discovered several misconfiguration issues that can negatively impact security. Finally, we evaluated the TLS parameters used by authentication servers of thousands of TEIs and discovered perilous practices, such as the use of expired certificates, deprecated versions of TLS, weak signature algorithms, and suspected cases of private key reuse among TEIs. Our long list of findings have been responsibly disclosed to the relevant stakeholders, many of which have already been positively acknowledged.

Published
2021

24. Decentralization of Credential Verification System using Blockchain

Author

Dilip Motwani, Priti P. Bokariya, and Blue Eyes Intelligence Engineering and Sciences Publication(BEIESP)

Subjects
100.1/ijitee.K951409101121, Blockchain, General Computer Science, ComputingMilieux_THECOMPUTINGPROFESSION, Computer science, Verification system, Computer security, computer.software_genre, Decentralization, Credential, Blockchain, cryptography, DAPP, Mechanics of Materials, 2278-3075, Electrical and Electronic Engineering, computer, Civil and Structural Engineering
Abstract

After successful completion of graduation, students receive the credits of the courses in the form of certificate issued by the respective University. A Student have to produce his/her documents to the employers or the authorities for employment or higher education. Today ,as the system is centralized all the data resides on the server which can be hacked or the data can be lost if the system crushes down. However, verifying a certificate by authorities, is a time-consuming process as there is an involvement of human resources ,for validating the details of the candidate from its University. Today , with the advancement in technologies and due to the easy availability of many efficient soft wares that have led to the forgery of credentials/certificates. The lack of anti-tampering mechanisms resulted in incidents where the forged graduation certificates are often found. Also ,in case certificates are out of place , applying for duplicate certificates and its issuance by the University consumes a lot of time. Use of blockchain technology in this process will make the system decentralized as blocks as cryptographically connected and all the nodes in the network shares the entire chain .Hence the proposed decentralized certificate verification system, uses blockchain technology incorporating all the essential features in developing a DAPP. This system is proposed to address the issue of certificate counterfeiting, faster certificate verification and issuance. Putting across all the issues, the system aims at addressing the problems and provide solutions to the current Certificate Issuance, verification and Validation Process.

Published
2021

25. Malicious URL Detection using Multilayer CNN

Author

Ashish Singh and Pradeep Kumar Roy

Subjects
business.industry, Computer science, Data loss, Computer security, computer.software_genre, Credential, Convolutional neural network, Phishing, Web page, Classifier (linguistics), The Internet, Layer (object-oriented design), business, computer
Abstract

Due to developing Internet-based technologies, the number of online domains and URLs is increasing globally. Parallel several cybersecurity threats and phishing attacks have been encountered while accessing these websites. Accessing a malicious webpage can create serious harm to the physical system. Data loss, privacy breach, credential theft and many security threats are entered while an Internet user clicks a malicious URL. Several defence and detection strategies have been proposed in the previous research works. But, the works have used a traditional classifier which is not adequate. This is because the size of the URL is huge, and the URL patterns are changed over time so finding the correlation between old and new patterns is almost impossible. Hence, this paper proposed malicious URL detection using multilayer Convolutional Neural Network (CNN). The proposed model first considered one layer of CNN. After that, to improve the accuracy, a two-layer of CNN will be used. The achieved result illustrated that malicious website detection accuracy is enhanced 89% to 91% when the model uses two layers of CNN.

Published
2021

26. A Biometric Approach for Electronic Healthcare Database System using SAML - A Touchfree Technology

Author

T. Devi, N. Deepa, and Ramachandran. A

Subjects
Authentication, business.industry, Computer science, Fingerprint (computing), Cloud computing, Fingerprint recognition, Computer security, computer.software_genre, Credential, Security Assertion Markup Language, Authentication protocol, business, computer, Protocol (object-oriented programming)
Abstract

In Healthcare 4.0, the enhanced view is to analyze the highly affected people in one common disease. In 2021, the global pandemic scenario poses the greatest threat to human life owing to Covid-19. In this approach, medical records and their accessibility play an important role in dealing with illnesses and problems in electronic healthcare record systems (EHR). The proposed system provides a solution for tracking the affected person, who is not in control to isolate them during the high symptoms situation. Security Assertion Markup Language (SAML) is an authentication protocol that helps to prevent other human lives to be saved by providing mobile based health care systems. In such cloud access the credentials are turned in important credential authentication such that pass code allows authorizing doctors and caretakers to access it. Since SAML transactions are enabled with border control such that proof of Covid positive people can be recognized easily with the fingerprint scanning. Also proposed work using the SAML protocol for authentication which helps to provide environment for mobile applications for COVID-observed patients to identify the user who are remotely in access by applying the bio-id generated and updated in Cloud service provider. Also on boarding people who are available for supporting the patients. The main objective of the proposed work using healthcare 4-0 as authentication system is to provide Covid patient instant support for availability of necessary control through biometric border control such that the instant death can be avoided by finding the positive patients using their fingerprint and performance the least access from the huge database. Results from implementation using various affected patients from Covid strategies show the reliable data and secured protocol using SAML gives a better performance compared to other services.

Published
2021

27. Federated Authorization for Managed Data Sharing: Experiences from the ImPACT Project

Author

Jeffrey S. Chase and Ilya Baldin

Subjects
Data sharing, Data access, Computer science, Context (language use), Architecture, Computer security, computer.software_genre, Pipeline (software), Credential, computer, Identity management, Data modeling
Abstract

This paper presents the rationale and design of the trust plane for ImPACT, a federated platform for managed sharing of restricted data. Key elements of the architecture include Web-based notaries for credential establishment based on declarative templates for Data Usage Agreements, a federated authorization pipeline, integration of popular services for identity management, and programmable policy based on a logical trust model with a repository of linked certificates. We show how these elements of the trust plane work in concert, and set the ideas in context with principles of federated authorization. A focus and contribution of the paper is to explore limitations of the resulting architecture and tensions among competing design goals. We also point the way toward future extensions, including policy-checked data access from cloud-hosted data enclaves with enhanced defenses against data leakage and exfiltration.

Published
2021

28. Proposing a reliable method of securing and verifying the credentials of graduates through blockchain

Author

R. V. S. Lalitha, T. Rama Reddy, P. V. G. D. Prasad Reddy, Rayudu Srinivas, B. Annapurna, and Ch. V. Raghavendran

Subjects
Computer engineering. Computer hardware, Blockchain, 020205 medical informatics, Computer science, Digital era, Verification system, 02 engineering and technology, Certification, Overlay, Computer security, computer.software_genre, TK7885-7895, Etherium, Credibility, 0202 electrical engineering, electronic engineering, information engineering, DAPPs, 020206 networking & telecommunications, QA75.5-76.95, Credential, Computer Science Applications, Test (assessment), Electronic computers. Computer science, Credential verification, Signal Processing, Tamper-proof digital certificates, computer
Abstract

Education acts as a soul in the overall societal development, in one way or the other. Aspirants, who gain their degrees genuinely, will help society with their knowledge and skills. But, on the other side of the coin, the problem of fake certificates is alarming and worrying. It has been prevalent in different forms from paper-based dummy certificates to replicas backed with database tampering and has increased to astronomic levels in this digital era. In this regard, an overlay mechanism using blockchain technology is proposed to store the genuine certificates in digital form and verify them firmly whenever needed without delay. The proposed system makes sure that the certificates, once verified, can be present online in an immutable form for further reference and provides a tamper-proof concealment to the existing certification system. To confirm the credibility of the proposed method, a prototype of blockchain-based credential securing and verification system is developed in ethereum test network. The implementation and test results show that it is a secure and feasible solution to online credential management system.

Published
2021

29. Managing Trust and Detecting Malicious Groups in Peer-to-Peer IoT Networks

Author

Alanoud Alhussain, Heba Kurdi, and Lina Altoaimy

Subjects
IoT, Exploit, Computer science, Compromise, media_common.quotation_subject, reputation management, Internet of Things, Cloud computing, 02 engineering and technology, TP1-1185, Peer-to-peer, Computer security, computer.software_genre, Trust, Biochemistry, Article, peer-to-peer networks, Analytical Chemistry, 0202 electrical engineering, electronic engineering, information engineering, Trust management (information system), Electrical and Electronic Engineering, Instrumentation, Computer Security, media_common, Internet, business.industry, Chemical technology, 020206 networking & telecommunications, Eavesdropping, neural networks, Credential, Atomic and Molecular Physics, and Optics, Harm, 020201 artificial intelligence & image processing, Neural Networks, Computer, business, trust management, computer
Abstract

Peer-to-peer (P2P) networking is becoming prevalent in Internet of Thing (IoT) platforms due to its low-cost low-latency advantages over cloud-based solutions. However, P2P networking suffers from several critical security flaws that expose devices to remote attacks, eavesdropping and credential theft due to malicious peers who actively work to compromise networks. Therefore, trust and reputation management systems are emerging to address this problem. However, most systems struggle to identify new smart models of malicious peers, especially those who cooperate together to harm other peers. This paper proposes an intelligent trust management system, namely, Trutect, to tackle this issue. Trutect exploits the power of neural networks to provide recommendations on the trustworthiness of each peer. The system identifies the specific model of an individual peer, whether good or malicious. The system also detects malicious collectives and their suspicious group members. The experimental results show that compared to rival trust management systems, Trutect raises the success rates of good peers at a significantly lower running time. It is also capable of accurately identifying the peer model.

Published
2021

30. An Anonymous Delegatable Attribute-based Credential Scheme for a Collaborative E-health Environment

Author

Vladimir A. Oleshchuk and Harsha S. Gardiyawasam Pussewalage

Subjects
Scheme (programming language), Computational complexity theory, Delegation, Computer Networks and Communications, Computer science, media_common.quotation_subject, 020206 networking & telecommunications, Provisioning, 02 engineering and technology, Computer security, computer.software_genre, Credential, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, 0202 electrical engineering, electronic engineering, information engineering, ComputingMilieux_COMPUTERSANDSOCIETY, computer, media_common, computer.programming_language, Anonymity
Abstract

We propose an efficient anonymous, attribute-based credential scheme capable of provisioning multi-level credential delegations. It is integrated with a mechanism to revoke the anonymity of credentials for resolving access disputes and making users accountable for their actions. The proposed scheme has a lower end-user computational complexity in comparison to existing credential schemes with delegatability and has a comparable level of performance with the credential standards of U-Prove and Idemix. Furthermore, we demonstrate how the proposed scheme can be applied to a collaborative e-health environment to provide its users with the necessary anonymous access with delegation capabilities.

Published
2019

31. Decentralized blacklistable anonymous credentials with reputation

Author

Qiuliang Xu, Rupeng Yang, Man Ho Au, and Zuoxia Yu

Subjects
Authentication, Blockchain, General Computer Science, business.industry, Computer science, media_common.quotation_subject, Compromise, 020206 networking & telecommunications, Cryptography, 02 engineering and technology, Service provider, Computer security, computer.software_genre, Credential, Blacklist, Issuer, Ledger, 0202 electrical engineering, electronic engineering, information engineering, ComputingMilieux_COMPUTERSANDSOCIETY, 020201 artificial intelligence & image processing, business, Law, computer, Reputation, media_common
Abstract

Blacklistable anonymous credential systems provide service providers with a way to authenticate users according to their historical behaviors, while guaranteeing that all users can access services in an anonymous and unlinkable manner, thus are potentially useful in practice. Traditionally, to protect services from illegal access, the credential issuer, which completes the registration with users, must be trusted by the service provider. However, in practice, this trust assumption is usually unsatisfied. In this paper, we solve this problem and present the decentralized blacklistable anonymous credential system with reputation (DBLACR), which inherits nearly all features of the BLACR system presented in Au et al. (2012) but does not need a trusted party to register users.The new system also has extra advantages. In particular, it enables blacklist (historical behaviors) sharing among different service providers and is partially resilient to the blacklist gaming attack, where dishonest service providers attempt to compromise the privacy of users via generating blacklist maliciously. Technically, the main approach to achieve DBLACR system is a novel use of the blockchain technique, which serves as a public append-only ledger. The system can be instantiated from three different types of cryptographic systems, including the RSA system, the classical DL system, and the pairing based system. To demonstrate the practicability of our system, we also give a proof of concept implementation for the instantiation under the RSA system. The experiment results indicate that when authenticating with blacklists of reasonable size, our implementation can fulfill practical efficiency demands.

Published
2019

32. TCALAS: Temporal Credential-Based Anonymous Lightweight Authentication Scheme for Internet of Drones Environment

Author

Jangirala Srinivas, Joel J. P. C. Rodrigues, Neeraj Kumar, and Ashok Kumar Das

Subjects
Security analysis, Authentication, Computer Networks and Communications, business.industry, Computer science, Aerospace Engineering, Adversary, Computer security, computer.software_genre, Internet security, Credential, Secure communication, Automotive Engineering, Session key, The Internet, Electrical and Electronic Engineering, business, computer, Software verification
Abstract

A user (external party) is interested in accessing the real-time data from some designated drones of a particular fly zone in the Internet of Drones (IoD) deployment. However, to provide this facility, the user needs to be authenticated by an accessed remote drone and vice-versa. After successful authentication both parties can establish a secret session key for the secure communication. To handle this important problem in IoD environment, we design a novel temporal credential based anonymous lightweight user authentication mechanism for IoD environment, called TCALAS. A detailed security analysis using formal security under the broadly applied real-or-random (ROR) model, formal security verification under the broadly used software verification tool, known as automated validation of internet security protocols and applications, and also informal security analysis reveal that TCALAS has the capability to resist various known attacks against passive/active adversary. In addition, a detailed comparative study has been conducted for TCALAS and other related schemes, and the study also reveals that TCALAS provides better security and functionality features, and lower costs in both computation and communication as compared to existing schemes.

Published
2019

33. Isilon Credential Vault: An Authentication Provider

Author

M Shushanth, Sanket Kulkarni, and R B Murumkar Prof.

Subjects
Authentication, Computer science, Computer security, computer.software_genre, Credential, computer, Vault (organelle)
Published
2019

34. Securing e-voting based on blockchain in P2P network

Author

Haibo Yi

Subjects
Blockchain, Computer Networks and Communications, Computer science, Electronic voting, media_common.quotation_subject, lcsh:TK7800-8360, Cryptography, ComputingMilieux_LEGALASPECTSOFCOMPUTING, 02 engineering and technology, Computer security, computer.software_genre, 01 natural sciences, lcsh:Telecommunication, Voting, lcsh:TK5101-6720, 0202 electrical engineering, electronic engineering, information engineering, Elliptic curve cryptography, media_common, Authentication, business.industry, 010401 analytical chemistry, lcsh:Electronics, 020206 networking & telecommunications, Credential, Electronic voting (e-voting), 0104 chemical sciences, Computer Science Applications, Secure voting, Signal Processing, business, P2P network, computer
Abstract

Electronic voting (e-voting) is an electronic means for casting and counting votes. It is an efficient and cost-effective way for conducting a voting procedure, which has characteristic of being magnanimous data and real time and requesting high safety. However, concerns on security of networking and privacy of communication for e-voting have been grown. Securing e-voting is very urgent and has becoming a popular topic in the area of communications and networking. We present techniques to exploit blockchain in P2P network to improve the security of e-voting. First, we design a synchronized model of voting records based on distributed ledger technology (DLT) to avoid forgery of votes. Second, we design a user credential model based on elliptic curve cryptography (ECC) to provide authentication and non-repudiation. Third, we design a withdrawal model that allows voters to change their vote before a preset deadline. By integrating the above designs, a blockchain-based e-voting scheme in P2P network is proposed for essential requirements of e-voting process. To prove and verify the scheme, a blockchain-based e-voting system for multiple candidates has been designed on Linux platforms in P2P network. The system involves electronic voting theory, cryptography, and software engineering theory. The implementation result shows that it is a practical and secure e-voting system, which solves the problem on forgery of votes during e-voting. The blockchain-based e-voting system can be applied to a variety of networking applications directly.

Published
2019

36. Understanding the credential theft lifecycle

Author

Jose Miguel Esparza

Subjects
Password, 021110 strategic, defence & security studies, Public key certificate, General Computer Science, Computer science, 0211 other engineering and technologies, 02 engineering and technology, Login, Computer security, computer.software_genre, Credential, Cybercrime, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, For profit, ComputingMilieux_COMPUTERSANDSOCIETY, Session (computer science), Law, computer
Abstract

Credential theft is a serious driver of cybercrime today. The world over, different kinds of credentials are used by billions daily to authenticate themselves in their physical and digital lives. From physical keys, to tokens and cards, to digital private keys, session cookies, digital certificates, crypto-currency wallets, login and password combinations, all of these types of credentials are vulnerable to attack. Credential theft is a serious driver of cybercrime today. The world over, different kinds of credentials are used by billions daily to authenticate themselves in their physical and digital lives. From physical keys, through tokens and cards, to digital private keys, session cookies, digital certificates, crypto-currency wallets, login and password combinations, all of these types of credentials are vulnerable to attack. But what happens after they are compromised? Jose Miguel Esparza of Blueliv follows the lifespan of stolen credentials, from theft to being exploited for profit.

Published
2019

37. A Mechanism for Verifying the Integrity and Immutability of Tuberculosis Data Using IOTA Distributed Ledger Technology

Author

Vinicius Lima, Filipe Andrade Bernardi, Domingos Alves, Rui Rijo, and Jó Ueyama

Subjects
Iota, Consistency (database systems), Immutability, Traceability, Computer science, Hash function, Information system, Computer security, computer.software_genre, Digital health, computer, Credential
Abstract

Background: Intensified research and innovation and rapid uptake of new tools, interventions, and strategies are crucial to fight Tuberculosis, the world’s deadliest infectious disease. The sharing of health data remains a significant challenge. Data consumers must be able to verify the consistency and integrity of data. Solutions based on distributed ledger technologies may be adequate, where each member in a network holds a unique credential and stores an identical copy of the ledger and contributes to the collective process of validating and certifying digital transactions. Objectives: This work proposes a mechanism and presents a use case in Digital Health to allow the verification of integrity and immutability of TB electronic health records. Methods: IOTA was selected as a supporting tool due to its data immutability, traceability and tamper-proof characteristics. Results: A mechanism to verify the integrity of data through hash functions and the IOTA network is proposed. Then, a set of TB related information systems was integrated with the network. Conclusion: IOTA technology offers performance and flexibility to enable a reliable environment for electronic health records.

Published
2021

38. Security Analyses of Misbehavior Tracking in Bitcoin Network

Author

Wenjun Fan, Simeon Wuthier, Sang-Yoon Chang, Yan Bai, Xiaobo Zhou, and Hsiang-Jen Hong

Subjects
Spoofing attack, Exploit, Computer science, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Peer to peer computing, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Denial-of-service attack, Tracking (education), Adversary, Computer security, computer.software_genre, Credential, computer
Abstract

Because Bitcoin P2P networking is permissionless by the application requirement, it is vulnerable against networking threats based on identity/credential manipulations such as Sybil and spoofing attacks. The current Bitcoin implementation keeps track of its peer’s networking misbehaviors through ban score. In this paper, we investigate the security problems of the ban-score mechanism and discover that the ban score is not only ineffective against the Bitcoin Message-based DoS attacks but also vulnerable to a Defamation attack. In the Defamation attack, the network adversary can exploit the ban-score mechanism to defame innocent peers.

Published
2021

39. Secretation: Toward a Decentralised Identity and Verifiable Credentials Based Scalable and Decentralised Secret Management Solution

Author

Ivan Abellan Alvarez and Zakwan Jaroucheh

Subjects
TheoryofComputation_MISCELLANEOUS, Password, Authentication, Computer science, business.industry, Access control, Computer security, computer.software_genre, Encryption, Credential, Secret sharing, Verifiable secret sharing, business, computer, Key exchange
Abstract

Secrets such as passwords, encryption keys, and certificates are used to assist in protecting access to resources such as computing devices, customer data and other information. Unauthorised access to resources can cause significant disruption and/or disastrous consequences. Given the importance of protecting these secrets to the security and privacy of many software systems, many solutions have been proposed. These solutions take two main directions: either securely store the secret and implement an access control mechanism, or divide the secret into a set of shares and distribute them in different machines (such as the Shamir’s secret sharing approach or multi-party computation MPC). However, apart from the MPC approach, they all share the same limitation: once the consumer receives the secret, it can be leaked and be used by any malicious actor. We believe that the secret management should not be centralised and that the secret should never be sent to the receiver. Therefore, in this paper we propose, Secretation, a new approach for managing the secrets in a decentralised way by leveraging decentralised identity concepts such as verifiable credential technologies, password-authenticated key exchange protocols and multi-party computation. The result is a more scalable and secure solution that significantly reduces the risk of leaking the secrets.

Published
2021

40. Privacy-Preserving PayString Service

Author

Flaviene Scheidt de Cristo, Aanchal Malhotra, Radu State, Lucian Andrei Trestioreanu, and Wazen M. Shbair

Subjects
Service (systems architecture), Computer science, media_common.quotation_subject, Payment, Computer security, computer.software_genre, Credential, Identifier, Identity (object-oriented programming), Verifiable secret sharing, Reference implementation, Protocol (object-oriented programming), computer, media_common
Abstract

PayString is an initiative to make payment identifiers global and human-readable, facilitating the exchange of payment information. However, the reference implementation lacks privacy and security features, making it possible for anyone to access the payment information as long as the PayString identifier is known. We propose an innovative solution, named PayStringSecure, for this issue by integrating a privacy layer based on Self-Sovereign Identity (SSI), Decentralized Identifier (DID) and Verifiable Credential (VC) to the PayString protocol. A working prototype has been developed to enrich the protocol with the new features.

Published
2021

41. A-PoA: Anonymous Proof of Authorization for Decentralized Identity Management

Author

Mohammad Hamad, Jan Lauinger, Jens Ernstberger, Emanuel Regnath, and Sebastian Steinhorst

Subjects
Security analysis, Authentication, Computer science, business.industry, Public key infrastructure, Cryptography, Computer security, computer.software_genre, Credential, Identity management, Public-key cryptography, Verifiable secret sharing, business, computer
Abstract

Self-sovereign Identity Management (SSIM) pro-motes self-control of credentials without relying on external administration. However, the state-of-the-art SSIM based on Decentralized Identifiers and Verifiable Credentials (VCs) defined by the World Wide Web Consortium does not enable credential holders to verify whether a Credential Issuing Authority (CIA) legitimately issued a credential.As a remedy, our work constructs a secure authentication protocol, called A-PoA, to provide decentralized and anonymous authorization of CIAs. We leverage a cryptographic accumulator to enable the Root Authority (registering a Credential Schema) with the ability to authorize a CIA (registering a Credential Definition) to issue a credential. The proof of accumulator membership relies on a non-interactive zero-knowledge proof. This allows a credential holder or validator node to verify the validity of a CIA, while the CIA remains anonymous. Our security analysis shows the integrity and confidentiality of our protocol against hostile network participants and our experimental evaluation shows constant verification times independent of the number of authenticated CIAs. Hence, A-PoA introduces the missing building block to develop SSIM-capable and VC-compatible ecosystems acting as a drop-in replacement for traditional Public Key Infrastructure schemes.

Published
2021

42. Performance Evaluation of Pseudonym Reload over Cellular Technology

Author

Brigitte Lonc, Pascal Urien, Farah Braiteh, Arnaud Kaiser, and Farah Haidar

Subjects
Computer science, business.industry, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, 020206 networking & telecommunications, Public key infrastructure, 02 engineering and technology, Pseudonym, Certificate, Computer security, computer.software_genre, Credential, Public-key cryptography, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, 0202 electrical engineering, electronic engineering, information engineering, Cellular network, ComputingMilieux_COMPUTERSANDSOCIETY, Pseudonymization, business, computer, Intelligent transportation system
Abstract

Security credential systems are used by vehicles to secure communications in Cooperative Intelligent Transportation Systems (C-ITS). Privacy protection of vehicles/passengers is ensured by a pseudonymization mechanism of communication identities and certificates. Vehicles request pseudonym certificates from the Public Key Infrastructure (PKI) and change them frequently. They renew their certificates pool by requesting new certificates from the PKI.In this paper, we present and discuss the performance of pseudonym certificate reloading from the PKI over cellular network (4G). We conducted several tests, statically and while driving, in order to evaluate the performance in both scenarios.

Published
2021

43. A Subject-Centric Credential Management Method based on the Verifiable Credentials

Author

Seungjoo Lim, Ki-Hyung Kim, DongYeop Hwang, and Min-Hyung Rhie

Subjects
Structure (mathematical logic), Authentication, Software_OPERATINGSYSTEMS, Computer science, Subject (philosophy), Permission, Computer security, computer.software_genre, Credential, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Identity (object-oriented programming), Verifiable secret sharing, Control (linguistics), computer
Abstract

In this paper, a subject-centric structure is proposed that improves the holder-centric structural problems of verifiable credentials developed for self-sovereign identities. Holder-Centric structured verifiable credentials represent a structure in which a holder can control the credentials even if it is not a subject. This structure allows the holder to attempt authentication or transfer credentials without the subject’s permission. The subject may lose some control over the credential, thus losing the meaning of self-sovereign identity. We propose a subject-centric structure that allows the subject to control over the transferred verifiable credentials.

Published
2021

44. SMS Goes Nuclear: Fortifying SMS-Based MFA in Online Account Ecosystem

Author

Yuan Tian, Zhou Zhuang, Weizhao Jin, Xiaoyu Ji, Ruiwen He, and Wenyuan Xu

Subjects
Networking and Internet Architecture (cs.NI), FOS: Computer and information sciences, Service (systems architecture), Authentication, Computer Science - Cryptography and Security, Exploit, Computer science, Service provider, Multi-factor authentication, Computer security, computer.software_genre, Credential, C.2.m, Computer Science - Networking and Internet Architecture, Personally identifiable information, computer, Cryptography and Security (cs.CR), Vulnerability (computing)
Abstract

With the rapid growth of online services, the number of online accounts proliferates. The security of a single user account no longer depends merely on its own service provider but also the accounts on other service platforms(We refer to this online account environment as Online Account Ecosystem). In this paper, we first uncover the vulnerability of Online Account Ecosystem, which stems from the defective multi-factor authentication (MFA), specifically the ones with SMS-based verification, and dependencies among accounts on different platforms. We propose Chain Reaction Attack that exploits the weakest point in Online Account Ecosystem and can ultimately compromise the most secure platform. Furthermore, we design and implement ActFort, a systematic approach to detect the vulnerability of Online Account Ecosystem by analyzing the authentication credential factors and sensitive personal information as well as evaluating the dependency relationships among online accounts. We evaluate our system on hundreds of representative online services listed in Alexa in diversified fields. Based on the analysis from ActFort, we provide several pragmatic insights into the current Online Account Ecosystem and propose several feasible countermeasures including the online account exposed information protection mechanism and the built-in authentication to fortify the security of Online Account Ecosystem., Comment: 11 pages, 11 figures

Published
2021
Full Text
View/download PDF

45. Designated-Verifier Anonymous Credential for Identity Management in Decentralized Systems

Author

Fei Chen, Chengliang Tian, Hequn Xian, and Xudong Deng

Subjects
Article Subject, Computer Networks and Communications, Computer science, business.industry, Hash function, Cryptography, TK5101-6720, Pseudonym, Security token, Computer security, computer.software_genre, Credential, Identity management, Computer Science Applications, Identity (object-oriented programming), Telecommunication, business, computer, Anonymity
Abstract

Most of the existing identity management is the centralized architecture that has to validate, certify, and manage identity in a centralized approach by trusted authorities. Decentralized identity is causing widespread public concern because it enables to give back control of identity to clients, and the client then has the ability to control when, where, and with whom they share their credentials. A decentralized solution atop on blockchain will bypass the centralized architecture and address the single point of the failure problem. To our knowledge, blockchain is an inherited pseudonym but it cannot achieve anonymity and auditability directly. In this paper, we approach the problem of decentralized identity management starting from the designated-verifier anonymous credential (DVAC in short). DVAC would assist to build a new practical decentralized identity management with anonymity and auditability. Apart from the advantages of the conventional anonymous credential, the main advantage of the proposed DVAC atop blockchain is that the issued cryptographic token will be divided into shares at the issue phase and will be combined at the showing credential phase. Further, the smooth projective hash function ( SPHF in short) is regarded as a designated-verifier zero-knowledge proof system. Thus, we introduce the SPHF to achieve the designated verifiability without compromising the privacy of clients. Finally, the security of the proposed DVAC is proved along with theoretical and experimental evaluations.

Published
2021

46. The Importance of IDS and IPS in Cloud Computing Environment: Intensive Review and Future Directions

Author

Shahid Anwar, Aws Naser Jaber, Mohammed Anbar, and Nik Zulkarnaen Khidzir

Subjects
Access network, File server, Software deployment, business.industry, Computer science, Data security, Cloud computing, Intrusion prevention system, business, Computer security, computer.software_genre, Credential, computer
Abstract

Cloud computing paradigm produce several network access resources for example, storage server and networking. A vast number of transactions over the cloud computing attract the cyber criminals to attack on the sensitive credential of the users. Therefore, the users feel unsafe to store their data on the clouds, despite remarkable interest in the cloud-based computing. Data security is the main issue, since data of an organization provides an alluring target for cyber-criminals. It will cause to reduce the development of the distributed computing, in case the researchers failed to address these security issues on time. Thus, intrusion detection and prevention systems must be updated with the current advancement. In this paper we present an intensive review for the most related work done for IDS/IPS. Furthermore, it shows that IDS/IPS are under the deployment since four decades.

Published
2021

47. Privacy ABCs: Now Ready for Your Wallets!

Author

Hajny, Jan, Dzurenda, Petr, Casanova-Marqués, Raúl, and Malina, Lukas

Subjects
Protocol (science), 021110 strategic, defence & security studies, anonymity, Ubiquitous computing, Revocation, business.industry, Computer science, access control, 0211 other engineering and technologies, Cryptography, 02 engineering and technology, Construct (python library), privacy, Computer security, computer.software_genre, Credential, Identification (information), 0202 electrical engineering, electronic engineering, information engineering, smart cards, 020201 artificial intelligence & image processing, Smart card, business, computer, identity
Abstract

The paper deals with privacy-enhanced electronic access control technologies, in particular cryptographic schemes that allow verification of users' personal attributes without their identification, so-called anonymous attribute-based credential schemes (ABCs). We present the last bit necessary for making ABCs practical for large-scale applications that are using smart cards as users' devices for storing credentials: a novel cryptographic scheme that combines fast credential verification protocols with efficient offline revocation protocols. Using proven building blocks, namely weak Boneh-Boyen (wBB) signatures, keyed-verification credentials and $k$ -times anonymous proofs, we construct a practical scheme for proving personal attributes anonymously, unlinkably, untraceably and, most importantly, with the verifier-local revocation (VLR) functionality that is running on standard existing smart cards. To prove the practicality of the design, we implemented all the proposed protocols using an off-the-shelf card, benchmarked the proving protocol, compared to existing solutions and put all the source codes on the GitHub as an open source. The cryptographic design and our implementation are efficient enough to be immediately used for the privacy enhancement of existing large-scale applications, such as electronic ID cards (e-IDs), public transportation cards, apps for citizen tracing during pandemic situations or secure authentication of IoT devices.

Published
2021
Full Text
View/download PDF

48. Formally Verified Credentials Management for Industrial Control Systems

Author

Tomas Kulik, Diego F. Aranha, and Jalil Boudjadar

Subjects
Password, Computer science, business.industry, Industrial control system, Formal methods, Computer security, computer.software_genre, Credential, Automation, Systems architecture, business, Formal verification, computer, Structured systems analysis and design method
Abstract

The field of industrial automation is experiencing growth in interconnectivity and digital interaction. This growth is slower than in a consumer segment due to often critical nature of industrial control systems. Security of such systems is an important aspect as malicious behaviors could lead to potential system malfunction, injuries or financial losses. As control networks are becoming more complex, having a robust credential management for system operators and users that could interact with the system components is an essential need. One way of assuring the robustness of the credential management is by using formal methods. In this paper we present a formally verified credential management system for use within industrial control systems. We demonstrate that the credential management can use centralized credential storage with secret passwords available only to system administrators. We use UPPAAL to formally analyze security properties based on requirements defined by our industrial partner and present the viability of formal verification to a real-world industrial case study.

Published
2021

49. Pass-As-You-Go: A Direct Anonymous Attestation-Based Untraceable Contactless Transit Pass

Author

Nicolas Desmoulins, Jacques Traore, and Aïda Diop

Subjects
Subscriber identity module, Authentication, Computer science, media_common.quotation_subject, Personal mobility, Payment, Computer security, computer.software_genre, Credential, law.invention, Unique identifier, Identification (information), law, Direct Anonymous Attestation, computer, media_common
Abstract

The secure deployment of NFC-enabled digital services, such as electronic payment, electronic identification (eID), and mobile transit passes in public transportation, is enabled by the trusted execution environment in smartphones, namely the SIM card. A user’s authentication and identification credentials are stored in the SIM card, which provides a secure enclave for credential storage and secure authentication operations. The unique identifier assigned to each user leads to important privacy concerns. Indeed, in the case of mobile transit passes, the accountability of users to use a valid and unique transport pass should not undermine the privacy of commuters on the network, notably by disclosing their identities at each pass validation, or by revealing information on their personal mobility patterns.

Published
2021

50. Publicly Traceable Attribute-Based Anonymous Authentication and Its Application to Voting

Author

Li Peng, Wu Yongdong, and Lai Junzuo

Subjects
Authentication, Science (General), Traceability, Article Subject, Computer Networks and Communications, business.industry, Computer science, media_common.quotation_subject, Data_MISCELLANEOUS, Access control, Trusted third party, Computer security, computer.software_genre, Credential, Q1-390, Voting, T1-995, business, computer, Technology (General), Information Systems, TRACE (psycholinguistics), Anonymity, media_common
Abstract

Numerous anonymous authentication schemes are designed to provide efficient authentication services while preserving privacy. Such schemes may easily neglect access control and accountability, which are two requirements that play an important role in some particular environments and applications. Prior designs of attribute-based anonymous authentication schemes did not concentrate on providing full anonymity while at the same time holding public traceability. To address this problem, we formally define and present a new primitive called traceable attribute-based anonymous authentication (TABAA) which achieves (i) full anonymity, i.e., both registration and authentication cannot reveal user’s privacy; (ii) reusable credential, i.e., a registered credential can be repeatedly used without being linked; (iii) access control, i.e., only when the user’s attribute satisfies the access policy can the user be involved in authentication; and (iv) public traceability, i.e., anyone, without help from the trusted third party, can trace a misbehaving user who has authenticated two messages corresponding to a common address. Then, we formally define the security requirements of TABAA, including unforgeability, anonymity, and accountability, and give a generic construction satisfying the security requirements. Furthermore, based on TABAA, we propose the first attribute-based, decentralized, fully anonymous, publicly traceable e-voting, which enables voters to engage in a number of different voting activities without repeated registration.

Published
2021
Full Text
View/download PDF

Catalog

Books, media, physical & digital resources
See catalog results