RADIS: Remote Attestation of Distributed IoT Services

Remote attestation is a security technique through which a remote trusted party (i.e., Verifier) checks the trustworthiness of a potentially untrusted device (i.e., Prover). In the Internet of Things (IoT) systems, the existing remote attestation protocols propose various approaches to detect the modified software and physical tampering attacks. However, in an interoperable IoT system, in which IoT devices interact autonomously among themselves, an additional problem arises: a compromised IoT service can influence the genuine operation of other invoked service, without changing the software of the latter. In this paper, we propose a protocol for Remote Attestation of Distributed IoT Services (RADIS), which verifies the trustworthiness of distributed IoT services. Instead of attesting the complete memory content of the entire interoperable IoT devices, RADIS attests only the services involved in performing a certain functionality. RADIS relies on a control-flow attestation technique to detect IoT services that perform an unexpected operation due to their interactions with a malicious remote service. Our experiments show the effectiveness of our protocol in validating the integrity status of a distributed IoT service.Comment: 21 pages, 10 figures, 2 table

LiSA: A Lightweight and Secure Authentication Mechanism for Smart Metering Infrastructure

Smart metering infrastructure (SMI) is the core component of the smart grid (SG) which enables two-way communication between consumers and utility companies to control, monitor, and manage the energy consumption data. Despite their salient features, SMIs equipped with information and communication technology are associated with new threats due to their dependency on public communication networks. Therefore, the security of SMI communications raises the need for robust authentication and key agreement primitives that can satisfy the security requirements of the SG. Thus, in order to realize the aforementioned issues, this paper introduces a lightweight and secure authentication protocol, "LiSA", primarily to secure SMIs in SG setups. The protocol employs Elliptic Curve Cryptography at its core to provide various security features such as mutual authentication, anonymity, replay protection, session key security, and resistance against various attacks. Precisely, LiSA exploits the hardness of the Elliptic Curve Qu Vanstone (EVQV) certificate mechanism along with Elliptic Curve Diffie Hellman Problem (ECDHP) and Elliptic Curve Discrete Logarithm Problem (ECDLP). Additionally, LiSA is designed to provide the highest level of security relative to the existing schemes with least computational and communicational overheads. For instance, LiSA incurred barely 11.826 ms and 0.992 ms for executing different passes across the smart meter and the service providers. Further, it required a total of 544 bits for message transmission during each session.Comment: To appear in IEEE Globecom 201

Smart Grid Communications: Overview of Research Challenges, Solutions, and Standardization Activities

Optimization of energy consumption in future intelligent energy networks (or Smart Grids) will be based on grid-integrated near-real-time communications between various grid elements in generation, transmission, distribution and loads. This paper discusses some of the challenges and opportunities of communications research in the areas of smart grid and smart metering. In particular, we focus on some of the key communications challenges for realizing interoperable and future-proof smart grid/metering networks, smart grid security and privacy, and how some of the existing networking technologies can be applied to energy management. Finally, we also discuss the coordinated standardization efforts in Europe to harmonize communications standards and protocols.Comment: To be published in IEEE Communications Surveys and Tutorial

Secure Hardware Enhanced MyProxy: A Ph.D. Thesis Proposal

In 1976, Whitfield Diffie and Martin Hellman demonstrated how New Directions In Cryptography could enable secure information exchange between parties that do not share secrets. In order for public key cryptography to work in modern distributed environments, we need an infrastructure for finding and trusting other parties\u27 public keys (i.e., a PKI). A number of useful applications become possible with PKI. While the applications differ in how they use keys (e.g., S/MIME uses the key for message encryption and signing, while client-side SSL uses the key for authentication), all applications share one assumption: users have keypairs. In previous work, we examined the security aspects of some of the standard keystores and the their interaction with the OS. We concluded that desktops are not safe places to store private keys, and we demonstrated the permeability of keystores such as the default Microsoft keystore and the Mozilla keystore. In addition to being unsafe, these desktop keystores have the added disadvantage of being immobile. In other previous work, we examined trusted computing. In industry, a new trusted computing initiative has emerged: the Trusted Computing Platform Alliance (TCPA) (now renamed the Trusted Computing Group (TCG)). The goal of the TCG design is lower-assurance security that protects an entire desktop platform and is cheap enough to be commercially feasible. Last year, we built a trusted computing platform based on the TCG specifications and hardware. The picture painted by these previous projects suggests that common desktops are not secure enough for use as PKI clients, and trusted computing can improve the security of client machines. The question that I propose to investigate is: Can I build a system which applies trusted computing hardware in a reasonable manner in order to make desktops usable for PKI? My design begins with the Grid community\u27s MyProxy credential repository, and enhances it to take advantage of secure hardware on the clients, at the repository, and in the policy framework. The result is called Secure Hardware Enhanced MyProxy

False data injection attack (FDIA): An overview and new metrics for fair evaluation of its countermeasure

The concept of false data injection attack (FDIA) was introduced originally in the smart grid domain. While the term sounds common, it specifically means the case when an attacker compromises sensor readings in such tricky way that undetected errors are introduced into calculations of state variables and values. Due to the rapid growth of the Internet and associated complex adaptive systems, cyber attackers are interested in exploiting similar attacks in other application domains such as healthcare, finance, defense, governance, etc. In today’s increasingly perilous cyber world of complex adaptive systems, FDIA has become one of the top-priority issues to deal with. It is a necessity today for greater awareness and better mechanism to counter such attack in the cyberspace. Hence, this work presents an overview of the attack, identifies the impact of FDIA in critical domains, and talks about the countermeasures. A taxonomy of the existing countermeasures to defend against FDIA is provided. Unlike other works, we propose some evaluation metrics for FDIA detection and also highlight the scarcity of benchmark datasets to validate the performance of FDIA detection techniques. [Figure not available: see fulltext.] © 2020, The Author(s)

Analysing Trust Issues in Cloud Identity Environments

Trust acts as a facilitator for decision making in environments, where decisions are subject to risk and uncertainty. Security is one of the factors contributing to the trust model that is a requirement for service users. In this paper we ask, What can be done to improve end user trust in choosing a cloud identity provider? Security and privacy are central issues in a cloud identity environment and it is the end user who determines the amount of trust they have in any identity system. This paper is an in-depth literature survey that evaluates identity service delivery in a cloud environment from the perspective of the service user

How Far Removed Are You? Scalable Privacy-Preserving Estimation of Social Path Length with Social PaL

Social relationships are a natural basis on which humans make trust decisions. Online Social Networks (OSNs) are increasingly often used to let users base trust decisions on the existence and the strength of social relationships. While most OSNs allow users to discover the length of the social path to other users, they do so in a centralized way, thus requiring them to rely on the service provider and reveal their interest in each other. This paper presents Social PaL, a system supporting the privacy-preserving discovery of arbitrary-length social paths between any two social network users. We overcome the bootstrapping problem encountered in all related prior work, demonstrating that Social PaL allows its users to find all paths of length two and to discover a significant fraction of longer paths, even when only a small fraction of OSN users is in the Social PaL system - e.g., discovering 70% of all paths with only 40% of the users. We implement Social PaL using a scalable server-side architecture and a modular Android client library, allowing developers to seamlessly integrate it into their apps.Comment: A preliminary version of this paper appears in ACM WiSec 2015. This is the full versio