2,663 research outputs found
CALIPER: Continuous Authentication Layered with Integrated PKI Encoding Recognition
Architectures relying on continuous authentication require a secure way to
challenge the user's identity without trusting that the Continuous
Authentication Subsystem (CAS) has not been compromised, i.e., that the
response to the layer which manages service/application access is not fake. In
this paper, we introduce the CALIPER protocol, in which a separate Continuous
Access Verification Entity (CAVE) directly challenges the user's identity in a
continuous authentication regime. Instead of simply returning authentication
probabilities or confidence scores, CALIPER's CAS uses live hard and soft
biometric samples from the user to extract a cryptographic private key embedded
in a challenge posed by the CAVE. The CAS then uses this key to sign a response
to the CAVE. CALIPER supports multiple modalities, key lengths, and security
levels and can be applied in two scenarios: One where the CAS must authenticate
its user to a CAVE running on a remote server (device-server) for access to
remote application data, and another where the CAS must authenticate its user
to a locally running trusted computing module (TCM) for access to local
application data (device-TCM). We further demonstrate that CALIPER can leverage
device hardware resources to enable privacy and security even when the device's
kernel is compromised, and we show how this authentication protocol can even be
expanded to obfuscate direct kernel object manipulation (DKOM) malwares.Comment: Accepted to CVPR 2016 Biometrics Worksho
Secure Identification in Social Wireless Networks
The applications based on social networking have brought revolution towards social life and are continuously gaining popularity among the Internet users. Due to the advanced computational resources offered by the innovative hardware and nominal subscriber charges of network operators, most of the online social networks are transforming into the mobile domain by offering exciting applications and games exclusively designed for users on the go. Moreover, the mobile devices are considered more personal as compared to their desktop rivals, so there is a tendency among the mobile users to store sensitive data like contacts, passwords, bank account details, updated calendar entries with key dates and personal notes on their devices.
The Project Social Wireless Network Secure Identification (SWIN) is carried out at Swedish Institute of Computer Science (SICS) to explore the practicality of providing the secure mobile social networking portal with advanced security features to tackle potential security threats by extending the existing methods with more innovative security technologies. In addition to the extensive background study and the determination of marketable use-cases with their corresponding security requirements, this thesis proposes a secure identification design to satisfy the security dimensions for both online and offline peers. We have implemented an initial prototype using PHP Socket and OpenSSL library to simulate the secure identification procedure based on the proposed design. The design is in compliance with 3GPP‟s Generic Authentication Architecture (GAA) and our implementation has demonstrated the flexibility of the solution to be applied independently for the applications requiring secure identification. Finally, the thesis provides strong foundation for the advanced implementation on mobile platform in future
ANCHOR: logically-centralized security for Software-Defined Networks
While the centralization of SDN brought advantages such as a faster pace of
innovation, it also disrupted some of the natural defenses of traditional
architectures against different threats. The literature on SDN has mostly been
concerned with the functional side, despite some specific works concerning
non-functional properties like 'security' or 'dependability'. Though addressing
the latter in an ad-hoc, piecemeal way, may work, it will most likely lead to
efficiency and effectiveness problems. We claim that the enforcement of
non-functional properties as a pillar of SDN robustness calls for a systemic
approach. As a general concept, we propose ANCHOR, a subsystem architecture
that promotes the logical centralization of non-functional properties. To show
the effectiveness of the concept, we focus on 'security' in this paper: we
identify the current security gaps in SDNs and we populate the architecture
middleware with the appropriate security mechanisms, in a global and consistent
manner. Essential security mechanisms provided by anchor include reliable
entropy and resilient pseudo-random generators, and protocols for secure
registration and association of SDN devices. We claim and justify in the paper
that centralizing such mechanisms is key for their effectiveness, by allowing
us to: define and enforce global policies for those properties; reduce the
complexity of controllers and forwarding devices; ensure higher levels of
robustness for critical services; foster interoperability of the non-functional
property enforcement mechanisms; and promote the security and resilience of the
architecture itself. We discuss design and implementation aspects, and we prove
and evaluate our algorithms and mechanisms, including the formalisation of the
main protocols and the verification of their core security properties using the
Tamarin prover.Comment: 42 pages, 4 figures, 3 tables, 5 algorithms, 139 reference
Threshold Single Password Authentication
Passwords are the most widely used form of online user authentication.
In a traditional setup, the user, who has a human-memorable low entropy password, wants to authenticate with a login server. Unfortunately, existing solutions in this setting are either non-portable or insecure against many attacks, including phishing, man-in-the-middle, honeypot, and offline dictionary attacks. Three previous studies (Acar et al. 2013, Bicakci et al. 2011, and Jarecki et al. 2016) provide solutions secure against offline dictionary attacks by additionally employing a storage provider (either a cloud storage or a mobile device for portability). These works provide solutions where offline dictionary attacks are impossible as long as the adversary does not corrupt both the login server and the storage provider.
For the first time, improving these previous works, we provide a more secure generalized solution employing multiple storage providers, where our solution is proven secure against offline dictionary attacks as long as the adversary does not corrupt the login server and threshold-many storage providers. We define ideal and real world indistinguishability for threshold single password authentication (Threshold SPA) schemes, and formally prove security of our solution via ideal-real simulation. Our solution provides security against all the above-mentioned attacks, including phishing, man-in-the-middle, honeypot, and offline dictionary attacks, and requires no change on the server side. Thus, our solution can immediately be deployed via a browser extension (or a mobile application) and support from some storage providers. We further argue that our protocol is efficient and scalable, and provide performance numbers where the user and storage load are only a few milliseconds
SoK: Design, Vulnerabilities and Defense of Cryptocurrency Wallets
The rapid growth of decentralized digital currencies, enabled by blockchain
technology, has ushered in a new era of peer-to-peer transactions,
revolutionizing the global economy. Cryptocurrency wallets, serving as crucial
endpoints for these transactions, have become increasingly prevalent. However,
the escalating value and usage of these wallets also expose them to significant
security risks and challenges. This research aims to comprehensively explore
the security aspects of cryptocurrency wallets. It provides a taxonomy of
wallet types, analyzes their design and implementation, identifies common
vulnerabilities and attacks, and discusses defense mechanisms and mitigation
strategies. The taxonomy covers custodial, non-custodial, hot, and cold
wallets, highlighting their unique characteristics and associated security
considerations. The security analysis scrutinizes the theoretical and practical
aspects of wallet design, while assessing the efficacy of existing security
measures and protocols. Notable wallet attacks, such as Binance, Mt. Gox are
examined to understand their causes and consequences. Furthermore, the paper
surveys defense mechanisms, transaction monitoring, evaluating their
effectiveness in mitigating threats
A comprehensive RFID solution to enhance inpatient medication safety
Errors involving medication administration can be costly, both in financial and in human terms. Indeed, there is much potential for errors due to the complexity of the medication administration process. Nurses are often singled out as the only responsible of these errors because they are in charge of drug administration. Nevertheless, the interventions of every actor involved in the process and the system design itself contribute to errors (Wakefield et al. (1998) [23]). Proper inpatient medication safety systems can help to reduce such errors in hospitals. In this paper, we review in depth two recent proposals (Chien et al. (2010) [7]; Huang and Ku (2009) [12]) that pursue the aforementioned objective. Unfortunately, they fail in their attempt mainly due to their security faults but interesting ideas can be drawn from both. These security faults refer to impersonation and replay attacks that could produce the generation of a forged proof stating that certain medication was administered to an inpatient when it was not. We propose a leading-edge solution to enhance inpatient medication safety based on RFID technology that overcomes these weaknesses. Our solution, named Inpatient Safety RFID system (IS-RFID), takes into account the Information Technology (IT) infrastructure of a hospital and covers every phase of the drug administration process. From a practical perspective, our system can be easily integrated within hospital IT infrastructures, has a moderate cost, is very ease to use and deals with security aspects as a key point.This work was partially supported by the Netherlands Organization for Scientific
Research (NWO) under the RUBICON grant "Intrusion Detection in Ubiquitous Computing Technologies" awarded to Aikaterini Mitrokotsa.Publicad
- …