83 research outputs found

    On Enhancing Security of Password-Based Authentication

    The password has been the dominant authentication scheme for more than 30 years, and it will not be easily replaced in the foreseeable future. However, password authentication has long been plagued by the dilemma between security and usability, mainly due to the limitations of human memory. For example, a user often chooses an easy-to-guess (weak) password because it is easier to remember, and the ever-increasing number of online accounts per user only exacerbates this problem. In this dissertation, we present four research projects that focus on the security of password authentication and its ecosystem. First, we observe that personal information plays a very important role when a user creates a password. Motivated by this, we conduct a study, based on a leaked password dataset, of how users build their passwords from their personal information. We create a new metric, Coverage, to quantify the personal information in passwords. Armed with this knowledge, we develop a novel password cracker named Personal-PCFG (Probabilistic Context-Free Grammars) that leverages personal information for targeted password guessing. Experiments show that Personal-PCFG is much more efficient than the original PCFG in cracking passwords. The second project aims to ease the password management burden for a user. Password managers allow users to remember only one password (the master password) to access all their other passwords. However, the password manager introduces a single point of failure and is potentially vulnerable to a data breach. To address these issues, we propose BluePass, a decentralized password manager that features dual-possession security involving a master password and a mobile device. In addition, BluePass enables a hands-free user experience by retrieving passwords from the mobile device over Bluetooth. In the third project, we investigate an overlooked aspect of the password lifecycle: the password recovery procedure. We study the password recovery protocols of the Alexa top 500 websites and report interesting findings on their de facto implementation. We observe that the backup email is the primary means of password recovery, so the email account becomes a single point of failure. We assess the likelihood of an account recovery attack, analyze the security policies of major email providers, and propose a security enhancement protocol that protects password recovery emails with two-factor authentication.

    Finally, we focus on a more fundamental level: user identity. Password-based authentication is only a one-time check that a user is legitimate; a user's identity could be hijacked at any later step. For example, an attacker can leverage a zero-day vulnerability to take over root privileges. Thus, tracking user behavior is essential for examining the legitimacy of an identity. We develop a user tracking system based on OS-level logs inside an enterprise network, and apply a variety of techniques to generate a concise and salient user profile for identity examination.

    Advanced engineering environment pilot project.


    Educational activities for a gamified system

    The objective of this dissertation is to analyze, design, and implement an activity module for a larger educational platform, using gamification techniques with the purpose of improving learning, pass rates, and feedback. The project investigates how to better incentivize student learning. A software requirements specification was drawn up to establish the system guidelines and behavior. Next, a definition of the activities in the module was created. This definition encompassed a detailed description of each activity, together with the elements that compose it, the available customizations and the formulas involved. The high-level design process covers the design of the defined activities using the UWE (UML-based Web Engineering) software methodology for their future implementation, modeling requirements, content, navigation and presentation. The low-level design is composed of the database schema and types and the related EER (Enhanced Entity-Relationship) diagram. After this, the implementation of the designed module began, together with testing in the later stages. We expect that by using the implemented activity module, students will become more interested in learning, as well as more engaged in the process, resulting in continuous progress during the course.

    ---ABSTRACT (translated from the Spanish)---The objective of this work is to analyze, design and implement a module of educational activities that will form part of an educational platform, using gamification techniques with the aim of improving learning, pass rates and feedback for students. The project investigates how to better incentivize student learning. A software requirements specification was drawn up to establish the guidelines of the system and its behavior. Next, the activities of the module were defined. This definition covers a detailed description of each activity, together with the elements that compose it, the available configurations and the formulas involved. The high-level design process includes the design of the defined activities using the UWE (UML-based Web Engineering) software methodology for their future implementation, modeling requirements, content, navigation and presentation. The low-level design is composed of the database schema and types and the corresponding entity-relationship diagram. After this, part of the system was implemented and tested. It is expected that, by using the implemented activity module, students will show greater interest in learning and be more involved in the process, resulting in more continuous progress during the course.

    Security in 5G-Enabled Internet of Things Communication: Issues, Challenges, and Future Research Roadmap

    5G mobile communication systems extend the mobile network so that it not only interconnects people, but also interconnects and controls machines and other devices. The 5G-enabled Internet of Things (IoT) communication environment supports a wide variety of applications, such as remote surgery, self-driving cars, virtual reality, flying IoT drones, security and surveillance, and many more. These applications help and assist the routine work of the community. In such a communication environment, all the devices and users communicate through the Internet. Therefore, this communication suffers from different types of security and privacy issues. It is also vulnerable to different types of possible attacks (for example, replay, impersonation, password guessing, physical device theft, session key computation, privileged-insider, malware, man-in-the-middle, malicious routing, and so on). It is therefore crucial to protect the infrastructure of the 5G-enabled IoT communication environment against these attacks. This requires researchers working in this domain to propose various types of security protocols under different categories, such as key management, user authentication/device authentication, access control/user access control and intrusion detection. In this survey paper, the details of the various system models (i.e., network model and threat model) required for the 5G-enabled IoT communication environment are provided. The security requirements and the attacks possible in this communication environment are then described. The different types of security protocols are also presented, and the existing security protocols for the 5G-enabled IoT communication environment are analyzed and compared. Some of the future research challenges and directions in the security of the 5G-enabled IoT environment are outlined. The motivation of this work is to bring the details of the different types of security protocols in 5G-enabled IoT under one roof so that future researchers will benefit from the work conducted.

    Identification and functional analysis of thylakoid membrane proteome

    Membrane proteins play crucial roles in many biological functions, yet the identities and functions of most membrane proteins remain to be revealed. New technological breakthroughs in proteomics, together with the availability of genomic sequence information, make it possible to study the functions of membrane proteins on a genome-wide scale. We used a multidisciplinary approach combining biochemistry, genetics, proteomics and bioinformatics to study the functions of the thylakoid proteome of Synechocystis sp. PCC6803. The thylakoid membrane proteins were separated into peripheral and integral fractions and resolved on 2-D gels with different pH ranges. The protein spots in the 2-D gels were subjected to peptide mass fingerprinting analysis; in total, 390 of the 558 analyzed spots were identified as protein products of 128 individual genes, of which 38 genes encode hypothetical proteins of unknown function. To study the function of some of these hypothetical proteins, we inactivated a set of genes and obtained 10 knockout mutants. Growth analysis of the mutant cells revealed that only one mutant (H1), which carries a deletion in the ORF slr0110, showed a conditional growth phenotype. Detailed analysis indicated that the H1 mutant is sensitive to both glucose and light, which is caused by over-reduction of the PQ pool in the thylakoid membrane. The IDs and the structural and functional information of the identified proteins, as well as the 2-D reference maps, were included in a web-based relational database for thylakoid membrane proteins. The database was constructed with MySQL, and the application programs were developed with SQL, Perl, JavaScript and HTML. Users can search the information on identified proteins and compare their own identified proteins with those in the database. A manager interface is also provided for routine maintenance of the database.

    Implementation of a prototype wireless sensor network for identifying people and accessing clinical records, based on development boards.

    This research, carried out at ESPOCH, consists of building a prototype wireless sensor network for identifying people and accessing clinical records that are managed from a web database manager, based on Arduino development boards and RFID as the identification system; the information is recorded on a web platform and accessed through a mobile application developed in Android Studio. The devices were selected using a comparative methodology based on functionality, price, size and operating range. Data transmission is carried out by Wi-Fi, radio-frequency and Bluetooth technologies, which together allow the information to be read and accessed through friendly graphical interfaces. The system works by reading a unique code assigned to a person, who constitutes a key node of the network; a reader module compares the code with the information held in the database in order to retrieve personal data, pathological data, family history and toxic habits, information needed by police personnel and paramedics. The tests carried out showed that the Bluetooth connection in open spaces works without losses up to 26 meters; for Wi-Fi communication the response time of the identification system was 1.4 seconds, and 3.5 seconds when using mobile data. It is concluded that the implemented network is a quick-help tool, easy to handle and useful for obtaining data on people involved in an event that requires identification. For future implementations it is recommended to select electronic components that allow the identifier device and the reader module to be miniaturized, in order to improve their handling and use.

    The present research, carried out at ESPOCH, consists of structuring a prototype of a wireless network of sensors for the identification of people and access to clinical histories, which are administered from a database manager on the web, based on Arduino development boards and RFID as an identification system; the information is registered on a web platform and accessed through a mobile application developed in Android Studio. For the selection of the devices, a comparative methodology was used based on functionality, price, size and operating distance. The data transmission is carried out by means of Wi-Fi, radio-frequency and Bluetooth technologies, which together allow the reading of and access to information through friendly graphical interfaces. The operation of the system is based on the reading of a unique code that is assigned to a person, who constitutes a key node of the network; the code is compared with the information located in the database by a reader node, to extract information related to personal data, pathological data, family history and toxic habits, information necessary for police personnel and paramedics. From the tests carried out, it was found that the Bluetooth connection in free spaces is performed without losses up to 26 meters; for Wi-Fi communication, 1.4 seconds was recorded as the response time of the identification system, and 3.5 seconds when using mobile data. It is concluded that the implemented network is a quick, easy-to-use and useful tool for obtaining data from people involved in an event that requires identification. It is recommended that future implementations select electronic elements that allow the identification device and the reader module to be miniaturized, so that they are easier to handle and use.

    Integrated Time Management System

    The development of this project will focus on the Information and Communication Technology (ICT) and Business Information System (BIS) departments with regard to lecturer attendance. The objective of this project is to study the current lecturer attendance process and to automate it by developing the Pre-Integrated Time Management prototype. The aim is to ensure that the system satisfies all of its users, namely lecturers, programme heads and students; to eliminate the redundant stages in the current manual process; and to make the business process faster and more organized. The problem with the current process is that there is no efficient way to track lecturer attendance, keep attendance records, notify the availability of a lecturer, make an appointment, or request and approve leave. Because there is no efficient way to track and store lecturer attendance, data can become redundant or be lost in the middle of the process. The methodology selected for the system development is the Iterative Model. For data collection, a survey is conducted to gather students' feedback through questionnaires and interviews. The 'Integrated Time Management System' is developed to replace the existing manual process with a computerized system.