118 research outputs found
Survey and Systematization of Secure Device Pairing
Secure Device Pairing (SDP) schemes have been developed to facilitate secure
communications among smart devices, both personal mobile devices and Internet
of Things (IoT) devices. Comparison and assessment of SDP schemes is
troublesome, because each scheme makes different assumptions about out-of-band
channels and adversary models, and is driven by its particular use cases. A
conceptual model that facilitates meaningful comparison among SDP schemes is
missing. We provide such a model. In this article, we survey and analyze a wide
range of SDP schemes that are described in the literature, including a number
that have been adopted as standards. A system model and consistent terminology
for SDP schemes are built on the foundation of this survey, which are then used
to classify existing SDP schemes into a taxonomy that, for the first time,
enables their meaningful comparison and analysis. The existing SDP schemes are
analyzed using this model, revealing common systemic security weaknesses among
the surveyed SDP schemes that should become priority areas for future SDP
research, such as improving the integration of privacy requirements into the
design of SDP schemes. Our results allow SDP scheme designers to create schemes
that are more easily comparable with one another, and assist in preventing
the persistence of the weaknesses common to the current generation of SDP schemes.
Comment: 34 pages, 5 figures, 3 tables, accepted at IEEE Communications
Surveys & Tutorials 2017 (Volume: PP, Issue: 99)
Implementation and Analysis of Communication Protocols in Internet of Things
Internet of Things (IoT) is the future of all the present-day devices around the globe. Giving them internet connectivity makes IoT the next frontier of technology. Possibilities are limitless as the devices communicate and interact with each other, which makes it even more interesting for the global markets. For example, Rolls-Royce announced that it would use the Microsoft Azure IoT suite and also the Intelligence suite of Cortana to keep track of fuel usage, for performance analysis, to optimize flight routes, etc., which improves airline efficiency. The devices must communicate with each other, the data from these devices must be collected by the servers, and the data is then analyzed or provided to the people. For all this to happen, there is a need for efficient protocols to ensure that the communication is secure and to avoid loss of data. This research is about the implementation and analysis of various protocols that can be used for communication in IoT. Various protocols with various capabilities are required for different environments. The internet today supports hundreds of protocols, from which choosing the best would be a great challenge. But each protocol is different in its own way when we have specifics like security, reliability, range of communication, etc. This research emphasizes the best available protocols and the environments that suit them the most. It provides an implementation of some of the protocols and analyzes the protocols according to the results obtained. The data collected from the sensors/devices through a protocol is also subject to predictive analysis, which improves the scope of the project to performing data analysis on the data collected through IoT.
Segurança em ambientes de proximidade (Security in Proximity Environments)
Master's in Computer and Telematics Engineering

The increasing adoption of mobile devices with more computing and communication
capabilities inevitably raises the question of how to explore
them. The goal of this dissertation is to explore some of those capabilities
to improve and evolve secure interactions between the user and the
services that he uses in his daily life. It is particularly interesting to use
these devices not only as storage systems, but also as active elements in
the interaction between the user and the world around him: this objective
is boosted by the increasing proximity-based communication capabilities of
those devices.
This dissertation focuses on the study and possible integration of the physical
proximity between a user and the systems he uses every day as an
extra requirement for authentication, using his mobile device to interact
with them. To demonstrate a possible integration of these elements into
a system, this work presents an implementation that explores the use of
short-range wireless technologies as a communication means and as a requirement
for authentication, using security mechanisms to establish private
communications through public networks and to ensure and verify the
authenticity of the information exchanged and stored.
Privacy-preserving Payments for Transportation Systems
The operation of our society heavily relies on high mobility of people. Not only our social life but also our economy and trade are built upon a system where people need to be able to move around easily. The costs for building and maintaining a suitable transportation infrastructure to satisfy those needs are high, and to charge users is thus a central requirement. This calls for well functioning payment systems satisfying the multitude of requirements that transportation systems impose on them.
Electronic payment systems have many benefits over traditional cash payments as they are easy to maintain, can be more secure, reduce revenue collection costs, and can reduce the execution time of a payment. However, as a drawback, currently employed electronic payment systems usually reveal a payer’s identity during a payment, which greatly infringes customer privacy. In the transportation domain this allows fine-grained patterns of customers’ locations to be generated.
Cryptographic payment protocols called e-cash have been proposed which allow a customer’s privacy to be preserved. E-cash provides provable guarantees for both security and user privacy, as it allows secure, unlinkable payments which do not reveal the identity of the payer during a payment. From a security and privacy perspective these protocols present a good solution. However, even though e-cash protocols were proposed three decades ago, there are relatively few actual implementations. One reason for this is their high computational complexity, which makes an implementation on potential mobile payment devices rather difficult. While customers usually value their privacy, they are often unwilling to sacrifice convenience. A fast execution of payments is thus a hard constraint, which conflicts with the computational complexity of e-cash schemes.
This dissertation analyzes how e-cash can be used to solve the issue of privacy in the domain of transportation payments while satisfying the unique requirements of transportation payment systems and achieving high security and ease of use. Highly efficient implementations of the underlying cryptographic primitives of e-cash schemes on constrained devices as they might be used in the transportation setting are presented. Based on the efficient implementations of these primitives, e-cash schemes are analyzed with regard to speed and hardware requirements. The results show that e-cash presents a good solution for privacy-preserving payments in the domain of public transport, if the number of coins that have to be spent can be limited. It is further practically shown that this limitation can be alleviated by relying on the e-cash based privacy-preserving pre-payments with refunds scheme (P4R). Moreover, it is demonstrated that the promising feature of supporting the encoding of user attributes into electronic coins can be implemented at only moderate extra cost. Finally, an e-cash based e-mobility payment scheme is presented which highlights the flexibility and unique advantages of e-cash based transportation payment schemes.
Mobile Identity, Credential, and Access Management Framework
Organizations today gather unprecedented quantities of data from their operations. This data is coming from transactions made by a person or from a connected system/application. From personal devices to industry including government, the internet has become the primary means of modern communication, further increasing the need for a method to track and secure these devices. Protecting the integrity of connected devices collecting data is critical to ensure the trustworthiness of the system. An organization must not only know the identity of the users on their networks and have the capability of tracing the actions performed by a user but they must trust the system providing them with this knowledge. This increase in the pace of usage of personal devices along with a lack of trust in the internet has driven demand for trusted digital identities. As the world becomes increasingly mobile with the number of smart phone users growing annually and the mobile web flourishing, it is critical to implement strong security on mobile devices. To manage the vast number of devices and feel confident that a machine’s identity is verifiable, companies need to deploy digital credentialing systems with a strong root of trust. As passwords are not a secure method of authentication, mobile devices and other forms of IoT require a means of two-factor authentication that meets NIST standards. Traditionally, this has been done with Public Key Infrastructure (PKI) through the use of a smart card. Blockchain technologies combined with PKI can be utilized in such a way as to provide an identity and access management solution for the internet of things (IoT). Improvements to the security of Radio Frequency Identification (RFID) technology and various implementations of blockchain make viable options for managing the identity and access of IoT devices. 
When PKI first began over two decades ago, it required the use of a smart card with a set of credentials known as the personal identity verification (PIV) card. The PIV card (something you have) along with a personal identification number (PIN) (something you know) were used to implement two-factor authentication. Over time the use of PIV cards has proven challenging as mobile devices lack the integrated smart card readers found in laptop and desktop computers. Near Field Communication (NFC) capability in most smart phones and mobile devices provides a mechanism to allow a PIV card to be read by a mobile device. In addition, the existing PKI system must be updated to meet the demands of a mobile-focused internet. Blockchain technology is the key to modernizing PKI. Together, blockchain-based PKI and NFC will provide an IoT solution that will allow industry, government, and individuals a foundation of trust in the world wide web that is lacking today.
A Mobile Secure Bluetooth-Enabled Cryptographic Provider
The use of digital X509v3 public key certificates, together with different standards
for secure digital signatures are commonly adopted to establish authentication proofs
between principals, applications and services. One of the robustness characteristics commonly
associated with such mechanisms is the need of hardware-sealed cryptographic
devices, such as Hardware-Security Modules (or HSMs), smart cards or hardware-enabled
tokens or dongles. These devices support internal functions for management and storage
of cryptographic keys, allowing the isolated execution of cryptographic operations, with
the keys or related sensitive parameters never exposed.
The portable devices most widely used are USB-tokens (or security dongles) and internal
chips of smart cards (as is also the case of citizen cards, banking cards or ticketing
cards). More recently, a new generation of Bluetooth-enabled smart USB dongles appeared,
also suitable to protect cryptographic operations and digital signatures for secure
identity and payment applications. The common characteristic of such devices is to offer
the required support to be used as secure cryptographic providers. Among the advantages
of those portable cryptographic devices is also their portability and ubiquitous use, but,
in consequence, they are also frequently forgotten or even lost. USB-enabled devices imply
the need of readers, not always and not commonly available for generic smartphones
or users working with computing devices. Also, wireless-devices can be specialized or
require a development effort to be used as standard cryptographic providers.
An alternative to mitigate such problems is the possible adoption of conventional
Bluetooth-enabled smartphones, as ubiquitous cryptographic providers to be used, remotely,
by client-side applications running in users’ devices, such as desktop or laptop
computers. However, the use of smartphones for safe storage and management of private
keys and sensitive parameters requires a careful analysis on the adversary model assumptions.
The design options to implement a practical and secure smartphone-enabled
cryptographic solution as a product, also requires the approach and the better use of
the more interesting facilities provided by frameworks, programming environments and
mobile operating systems services.
In this dissertation we addressed the design, development and experimental evaluation
of a secure mobile cryptographic provider, designed as a mobile service provided in a
smartphone. The proposed solution is designed for Android-based smartphones and
supports on-demand Bluetooth-enabled cryptographic operations, including standard
digital signatures. The addressed mobile cryptographic provider can be used by applications
running on Windows-enabled computing devices, requesting digital signatures.
The solution relies on the secure storage of private keys related to X509v3 public certificates
and Android-based secure elements (SEs). With the materialized solution, an
application running in a Windows computing device can request standard digital signatures
of documents, transparently executed remotely by the smartphone regarded as a
standard cryptographic provider.