Detection of Dishonest Entities

This paper discusses mechanisms to identify dishonest users of services provided by a server in environments where identities of honest users must be kept as their secrets. An anonymous token based mechanism enables the server to identify dishonest users when dishonest events are detected while the users are receiving services, and a homomorhic anonymous token based one enables that even dishonest events can be detected only after the server completed their services and the users had left from the server. A linear equation based encryption algorithm that is used for implementing the above methods is also enhanced

Need To Know Before Utopian Balloon Is Popped: Security Perspective Analysis of Nun-Fungible Tokens

Non-Fungible Tokens (NFTs) have exploded into the technological and blockchain worlds with millions of dollars’ worth of cryptocurrencies such as Ethereum and Bitcoin among others, being traded for with these NFTs by individuals. NFTs are utilized by most buyers and sellers to show authenticity and sole ownership of a rare piece of work which could be in the form of an art, a video, a game, an image, a collectible, or anything the individual deems to be of great value and of interest for other individuals to pay for and own. NFTs however are not immune to the security and privacy issues that are already affiliated with the blockchain. This research work therefore examines the existing vulnerabilities in the blockchain then specifically investigates vulnerabilities with NFTs. Not much of research effort has been put into this area but the ones that have been conducted centered on generic security issues related to Non-Fungible Tokens. Taxonomies are developed in this paper to classify the security threats and attacks as identified by investigating the vulnerabilities of NFTs. This work will be of great assistance to investors and developers who look to enter into the NFT market, as they will be provided with some adequate knowledge for them to be aware of the security issues related to the booming market of NFTs

Security, Trust and Privacy (STP) Model for Federated Identity and Access Management (FIAM) Systems

The federated identity and access management systems facilitate the home domain organization users to access multiple resources (services) in the foreign domain organization by web single sign-on facility. In federated environment the user’s authentication is performed in the beginning of an authentication session and allowed to access multiple resources (services) until the current session is active. In current federated identity and access management systems the main security concerns are: (1) In home domain organization machine platforms bidirectional integrity measurement is not exist, (2) Integrated authentication (i.e., username/password and home domain machine platforms mutual attestation) is not present and (3) The resource (service) authorization in the foreign domain organization is not via the home domain machine platforms bidirectional attestation

A machine-checked proof of security for AWS key management service

We present a machine-checked proof of security for the domain management protocol of Amazon Web Services' KMS (Key Management Service) a critical security service used throughout AWS and by AWS customers. Domain management is at the core of AWS KMS; it governs the top-level keys that anchor the security of encryption services at AWS. We show that the protocol securely implements an ideal distributed encryption mechanism under standard cryptographic assumptions. The proof is machine-checked in the EasyCrypt proof assistant and is the largest EasyCrypt development to date.Manuel Barbosa was supported by grant SFRH/BSAB/143018/2018 awarded by the Portuguese Foundation for Science and Technology (FCT). Vitor Pereira was supported by grant FCT-PD/BD/113967/201 awarded by FCT. This work was partially funded by national funds via FCT in the context of project PTDC/CCI-INF/31698/2017

The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines

Web-based single sign-on (SSO) services such as Google Sign-In and Log In with Paypal are based on the OpenID Connect protocol. This protocol enables so-called relying parties to delegate user authentication to so-called identity providers. OpenID Connect is one of the newest and most widely deployed single sign-on protocols on the web. Despite its importance, it has not received much attention from security researchers so far, and in particular, has not undergone any rigorous security analysis. In this paper, we carry out the first in-depth security analysis of OpenID Connect. To this end, we use a comprehensive generic model of the web to develop a detailed formal model of OpenID Connect. Based on this model, we then precisely formalize and prove central security properties for OpenID Connect, including authentication, authorization, and session integrity properties. In our modeling of OpenID Connect, we employ security measures in order to avoid attacks on OpenID Connect that have been discovered previously and new attack variants that we document for the first time in this paper. Based on these security measures, we propose security guidelines for implementors of OpenID Connect. Our formal analysis demonstrates that these guidelines are in fact effective and sufficient.Comment: An abridged version appears in CSF 2017. Parts of this work extend the web model presented in arXiv:1411.7210, arXiv:1403.1866, arXiv:1508.01719, and arXiv:1601.0122

Design for trust an exploration of the challenges and opportunities of Bitcoin users

Bitcoin is a cryptocurrency which has received increasing interest over the last five years. Built upon a decentralized peer to peer system, it supports transparent, fast, cost effective, and irreversible transactions, without the need for trusting third party financial institutions. We know however little about people’s motivation and experience with bitcoin currency. This paper reports on interviews with 20 bitcoin users about their experience and their trust challenges. Findings show that bitcoins are used more as commodities for speculative investment or savings’ protection. The paper advances the HCI theories on trust by identifying main bitcoin characteristics and their impact on trust, such as decentralization, unregulation, embedded expertise, and reputation, as well as transactions’ transparency, low cost, and easiness to complete. We also discuss the issue of insecure transactions and the associated risks, in particular the one of dishonest traders and its mitigating strategies. The paper concludes with three design implications including support for the transparency of two-way transactions, tools for materializing trust, and tools for supporting reversible transactions

A multi-agent architecture for electronic payment

The Internet has brought about innumerable changes to the way enterprises do business. An essential problem to be solved before the widespread commercial use of the Internet is to provide a trustworthy solution for electronic payment. We propose a multi-agent mediated electronic payment architecture in this paper. It is aimed at providing an agent-based approach to accommodate multiple e-payment schemes. Through a layered design of the payment structure and a well-defined uniform payment interface, the architecture shows good scalability. When a new e-payment scheme or implementation is available, it can be plugged into the framework easily. In addition, we construct a framework allowing multiple agents to work cooperatively to realize automation of electronic payment. A prototype has been built to illustrate the functionality of this design. Finally we discuss the security issues