The best of both worlds: Applying secure sketches to cancelable biometrics

AbstractCancelable biometrics and secure sketches have been introduced with the same purpose in mind: to protect the privacy of biometric templates while keeping the ability to match this protected data against a reference. The paradigm beyond cancelable biometrics is to perform an irreversible transformation over images and to make matching over transformed images. On one hand, a drawback of this technique is that for biometrics using a matching algorithm relying on some complex characteristics, such as the ones used for fingerprints, the irreversible transformation tends to break the underlying structure, thus degrading the performance accuracy. On the other hand, for secure sketches, matching is reduced to an error correction and we show here that applying secure sketch error correction to cancelable biometrics allows one to keep good matching performance. Moreover, the security’s advantages of both schemes adds up together

Security in Computer and Information Sciences

This open access book constitutes the thoroughly refereed proceedings of the Second International Symposium on Computer and Information Sciences, EuroCybersec 2021, held in Nice, France, in October 2021. The 9 papers presented together with 1 invited paper were carefully reviewed and selected from 21 submissions. The papers focus on topics of security of distributed interconnected systems, software systems, Internet of Things, health informatics systems, energy systems, digital cities, digital economy, mobile networks, and the underlying physical and network infrastructures. This is an open access book

A Framework for Facilitating Secure Design and Development of IoT Systems

The term Internet of Things (IoT) describes an ever-growing ecosystem of physical objects or things interconnected with each other and connected to the Internet. IoT devices consist of a wide range of highly heterogeneous inanimate and animate objects. Thus, a thing in the context of the IoT can even mean a person with blood pressure or heart rate monitor implant or a pet with a biochip transponder. IoT devices range from ordinary household appliances, such as smart light bulbs or smart coffee makers, to sophisticated tools for industrial automation. IoT is currently leading a revolutionary change in many industries and, as a result, a lot of industries and organizations are adopting the paradigm to gain a competitive edge. This allows them to boost operational efficiency and optimize system performance through real-time data management, which results in an optimized balance between energy usage and throughput. Another important application area is the Industrial Internet of Things (IIoT), which is the application of the IoT in industrial settings. This is also referred to as the Industrial Internet or Industry 4.0, where Cyber- Physical Systems (CPS) are interconnected using various technologies to achieve wireless control as well as advanced manufacturing and factory automation. IoT applications are becoming increasingly prevalent across many application domains, including smart healthcare, smart cities, smart grids, smart farming, and smart supply chain management. Similarly, IoT is currently transforming the way people live and work, and hence the demand for smart consumer products among people is also increasing steadily. Thus, many big industry giants, as well as startup companies, are competing to dominate the market with their new IoT products and services, and hence unlocking the business value of IoT. Despite its increasing popularity, potential benefits, and proven capabilities, IoT is still in its infancy and fraught with challenges. The technology is faced with many challenges, including connectivity issues, compatibility/interoperability between devices and systems, lack of standardization, management of the huge amounts of data, and lack of tools for forensic investigations. However, the state of insecurity and privacy concerns in the IoT are arguably among the key factors restraining the universal adoption of the technology. Consequently, many recent research studies reveal that there are security and privacy issues associated with the design and implementation of several IoT devices and Smart Applications (smart apps). This can be attributed, partly, to the fact that as some IoT device makers and smart apps development companies (especially the start-ups) reap business value from the huge IoT market, they tend to neglect the importance of security. As a result, many IoT devices and smart apps are created with security vulnerabilities, which have resulted in many IoT related security breaches in recent years. This thesis is focused on addressing the security and privacy challenges that were briefly highlighted in the previous paragraph. Given that the Internet is not a secure environ ment even for the traditional computer systems makes IoT systems even less secure due to the inherent constraints associated with many IoT devices. These constraints, which are mainly imposed by cost since many IoT edge devices are expected to be inexpensive and disposable, include limited energy resources, limited computational and storage capabilities, as well as lossy networks due to the much lower hardware performance compared to conventional computers. While there are many security and privacy issues in the IoT today, arguably a root cause of such issues is that many start-up IoT device manufacturers and smart apps development companies do not adhere to the concept of security by design. Consequently, some of these companies produce IoT devices and smart apps with security vulnerabilities. In recent years, attackers have exploited different security vulnerabilities in IoT infrastructures which have caused several data breaches and other security and privacy incidents involving IoT devices and smart apps. These have attracted significant attention from the research community in both academia and industry, resulting in a surge of proposals put forward by many researchers. Although research approaches and findings may vary across different research studies, the consensus is that a fundamental prerequisite for addressing IoT security and privacy challenges is to build security and privacy protection into IoT devices and smart apps from the very beginning. To this end, this thesis investigates how to bake security and privacy into IoT systems from the onset, and as its main objective, this thesis particularly focuses on providing a solution that can foster the design and development of secure IoT devices and smart apps, namely the IoT Hardware Platform Security Advisor (IoT-HarPSecA) framework. The security framework is expected to provide support to designers and developers in IoT start-up companies during the design and implementation of IoT systems. IoT-HarPSecA framework is also expected to facilitate the implementation of security in existing IoT systems. To accomplish the previously mentioned objective as well as to affirm the aforementioned assertion, the following step-by-step problem-solving approach is followed. The first step is an exhaustive survey of different aspects of IoT security and privacy, including security requirements in IoT architecture, security threats in IoT architecture, IoT application domains and their associated cyber assets, the complexity of IoT vulnerabilities, and some possible IoT security and privacy countermeasures; and the survey wraps up with a brief overview of IoT hardware development platforms. The next steps are the identification of many challenges and issues associated with the IoT, which narrowed down to the abovementioned fundamental security/privacy issue; followed by a study of different aspects of security implementation in the IoT. The remaining steps are the framework design thinking process, framework design and implementation, and finally, framework performance evaluation. IoT-HarPSecA offers three functionality features, namely security requirement elicitation security best practice guidelines for secure development, and above all, a feature that recommends specific Lightweight Cryptographic Algorithms (LWCAs) for both software and hardware implementations. Accordingly, IoT-HarPSecA is composed of three main components, namely Security Requirements Elicitation (SRE) component, Security Best Practice Guidelines (SBPG) component, and Lightweight Cryptographic Algorithms Recommendation (LWCAR) component, each of them servicing one of the aforementioned features. The author has implemented a command-line tool in C++ to serve as an interface between users and the security framework. This thesis presents a detailed description, design, and implementation of the SRE, SBPG, and LWCAR components of the security framework. It also presents real-world practical scenarios that show how IoT-HarPSecA can be used to elicit security requirements, generate security best practices, and recommend appropriate LWCAs based on user inputs. Furthermore, the thesis presents performance evaluation of the SRE, SBPG, and LWCAR components framework tools, which shows that IoT-HarPSecA can serve as a roadmap for secure IoT development.O termo Internet das coisas (IoT) é utilizado para descrever um ecossistema, em expansão, de objetos físicos ou elementos interconetados entre si e à Internet. Os dispositivos IoT consistem numa gama vasta e heterogénea de objetos animados ou inanimados e, neste contexto, podem pertencer à IoT um indivíduo com um implante que monitoriza a frequência cardíaca ou até mesmo um animal de estimação que tenha um biochip. Estes dispositivos variam entre eletrodomésticos, tais como máquinas de café ou lâmpadas inteligentes, a ferramentas sofisticadas de uso na automatização industrial. A IoT está a revolucionar e a provocar mudanças em várias indústrias e muitas adotam esta tecnologia para incrementar as suas vantagens competitivas. Este paradigma melhora a eficiência operacional e otimiza o desempenho de sistemas através da gestão de dados em tempo real, resultando num balanço otimizado entre o uso energético e a taxa de transferência. Outra área de aplicação é a IoT Industrial (IIoT) ou internet industrial ou Indústria 4.0, ou seja, uma aplicação de IoT no âmbito industrial, onde os sistemas ciberfísicos estão interconectados a diversas tecnologias de forma a obter um controlo de rede sem fios, bem como fabricações avançadas e automatização fabril. As aplicações da IoT estão a crescer e a tornarem-se predominantes em muitos domínios de aplicação inteligentes como sistemas de saúde, cidades, redes, agricultura e sistemas de fornecimento. Da mesma forma, a IoT está a transformar estilos de vida e de trabalho e assim, a procura por produtos inteligentes está constantemente a aumentar. As grandes indústrias e startups competem entre si de forma a dominar o mercado com os seus novos serviços e produtos IoT, desbloqueando o valor de negócio da IoT. Apesar da sua crescente popularidade, benefícios e capacidades comprovadas, a IoT está ainda a dar os seus primeiros passos e é confrontada com muitos desafios. Entre eles, problemas de conectividade, compatibilidade/interoperabilidade entre dispositivos e sistemas, falta de padronização, gestão das enormes quantidades de dados e ainda falta de ferramentas para investigações forenses. No entanto, preocupações quanto ao estado de segurança e privacidade ainda estão entre os fatores adversos à adesão universal desta tecnologia. Estudos recentes revelaram que existem questões de segurança e privacidade associadas ao design e implementação de vários dispositivos IoT e aplicações inteligentes (smart apps.), isto pode ser devido ao facto, em parte, de que alguns fabricantes e empresas de desenvolvimento de dispositivos (especialmente startups) IoT e smart apps., recolham o valor de negócio dos grandes mercados IoT, negligenciando assim a importância da segurança, resultando em dispositivos IoT e smart apps. com carências e violações de segurança da IoT nos últimos anos. Esta tese aborda os desafios de segurança e privacidade que foram supra mencionados. Visto que a Internet e os sistemas informáticos tradicionais são por vezes considerados inseguros, os sistemas IoT tornam-se ainda mais inseguros, devido a restrições inerentes a tais dispositivos. Estas restrições são impostas devido ao custo, uma vez que se espera que muitos dispositivos de ponta sejam de baixo custo e descartáveis, com recursos energéticos limitados, bem como limitações na capacidade de armazenamento e computacionais, e redes com perdas devido a um desempenho de hardware de qualidade inferior, quando comparados com computadores convencionais. Uma das raízes do problema é o facto de que muitos fabricantes, startups e empresas de desenvolvimento destes dispositivos e smart apps não adiram ao conceito de segurança por construção, ou seja, logo na conceção, não preveem a proteção da privacidade e segurança. Assim, alguns dos produtos e dispositivos produzidos apresentam vulnerabilidades na segurança. Nos últimos anos, hackers maliciosos têm explorado diferentes vulnerabilidades de segurança nas infraestruturas da IoT, causando violações de dados e outros incidentes de privacidade envolvendo dispositivos IoT e smart apps. Estes têm atraído uma atenção significativa por parte das comunidades académica e industrial, que culminaram num grande número de propostas apresentadas por investigadores científicos. Ainda que as abordagens de pesquisa e os resultados variem entre os diferentes estudos, há um consenso e pré-requisito fundamental para enfrentar os desafios de privacidade e segurança da IoT, que buscam construir proteção de segurança e privacidade em dispositivos IoT e smart apps. desde o fabrico. Para esta finalidade, esta tese investiga como produzir segurança e privacidade destes sistemas desde a produção, e como principal objetivo, concentra-se em fornecer soluções que possam promover a conceção e o desenvolvimento de dispositivos IoT e smart apps., nomeadamente um conjunto de ferramentas chamado Consultor de Segurança da Plataforma de Hardware da IoT (IoT-HarPSecA). Espera-se que o conjunto de ferramentas forneça apoio a designers e programadores em startups durante a conceção e implementação destes sistemas ou que facilite a integração de mecanismos de segurança nos sistemas préexistentes. De modo a alcançar o objetivo proposto, recorre-se à seguinte abordagem. A primeira fase consiste num levantamento exaustivo de diferentes aspetos da segurança e privacidade na IoT, incluindo requisitos de segurança na arquitetura da IoT e ameaças à sua segurança, os seus domínios de aplicação e os ativos cibernéticos associados, a complexidade das vulnerabilidades da IoT e ainda possíveis contramedidas relacionadas com a segurança e privacidade. Evolui-se para uma breve visão geral das plataformas de desenvolvimento de hardware da IoT. As fases seguintes consistem na identificação dos desafios e questões associadas à IoT, que foram restringidos às questões de segurança e privacidade. As demais etapas abordam o processo de pensamento de conceção (design thinking), design e implementação e, finalmente, a avaliação do desempenho. O IoT-HarPSecA é composto por três componentes principais: a Obtenção de Requisitos de Segurança (SRE), Orientações de Melhores Práticas de Segurança (SBPG) e a recomendação de Componentes de Algoritmos Criptográficos Leves (LWCAR) na implementação de software e hardware. O autor implementou uma ferramenta em linha de comandos usando linguagem C++ que serve como interface entre os utilizadores e a IoT-HarPSecA. Esta tese apresenta ainda uma descrição detalhada, desenho e implementação das componentes SRE, SBPG, e LWCAR. Apresenta ainda cenários práticos do mundo real que demostram como o IoT-HarPSecA pode ser utilizado para elicitar requisitos de segurança, gerar boas práticas de segurança (em termos de recomendações de implementação) e recomendar algoritmos criptográficos leves apropriados com base no contributo dos utilizadores. De igual forma, apresenta-se a avaliação do desempenho destes três componentes, demonstrando que o IoT-HarPSecA pode servir como um roteiro para o desenvolvimento seguro da IoT

Building the Hyperconnected Society- Internet of Things Research and Innovation Value Chains, Ecosystems and Markets

This book aims to provide a broad overview of various topics of Internet of Things (IoT), ranging from research, innovation and development priorities to enabling technologies, nanoelectronics, cyber-physical systems, architecture, interoperability and industrial applications. All this is happening in a global context, building towards intelligent, interconnected decision making as an essential driver for new growth and co-competition across a wider set of markets. It is intended to be a standalone book in a series that covers the Internet of Things activities of the IERC – Internet of Things European Research Cluster from research to technological innovation, validation and deployment.The book builds on the ideas put forward by the European Research Cluster on the Internet of Things Strategic Research and Innovation Agenda, and presents global views and state of the art results on the challenges facing the research, innovation, development and deployment of IoT in future years. The concept of IoT could disrupt consumer and industrial product markets generating new revenues and serving as a growth driver for semiconductor, networking equipment, and service provider end-markets globally. This will create new application and product end-markets, change the value chain of companies that creates the IoT technology and deploy it in various end sectors, while impacting the business models of semiconductor, software, device, communication and service provider stakeholders. The proliferation of intelligent devices at the edge of the network with the introduction of embedded software and app-driven hardware into manufactured devices, and the ability, through embedded software/hardware developments, to monetize those device functions and features by offering novel solutions, could generate completely new types of revenue streams. Intelligent and IoT devices leverage software, software licensing, entitlement management, and Internet connectivity in ways that address many of the societal challenges that we will face in the next decade

Building the Hyperconnected Society- Internet of Things Research and Innovation Value Chains, Ecosystems and Markets

This book aims to provide a broad overview of various topics of Internet of Things (IoT), ranging from research, innovation and development priorities to enabling technologies, nanoelectronics, cyber-physical systems, architecture, interoperability and industrial applications. All this is happening in a global context, building towards intelligent, interconnected decision making as an essential driver for new growth and co-competition across a wider set of markets. It is intended to be a standalone book in a series that covers the Internet of Things activities of the IERC – Internet of Things European Research Cluster from research to technological innovation, validation and deployment.The book builds on the ideas put forward by the European Research Cluster on the Internet of Things Strategic Research and Innovation Agenda, and presents global views and state of the art results on the challenges facing the research, innovation, development and deployment of IoT in future years. The concept of IoT could disrupt consumer and industrial product markets generating new revenues and serving as a growth driver for semiconductor, networking equipment, and service provider end-markets globally. This will create new application and product end-markets, change the value chain of companies that creates the IoT technology and deploy it in various end sectors, while impacting the business models of semiconductor, software, device, communication and service provider stakeholders. The proliferation of intelligent devices at the edge of the network with the introduction of embedded software and app-driven hardware into manufactured devices, and the ability, through embedded software/hardware developments, to monetize those device functions and features by offering novel solutions, could generate completely new types of revenue streams. Intelligent and IoT devices leverage software, software licensing, entitlement management, and Internet connectivity in ways that address many of the societal challenges that we will face in the next decade

An Approach to Guide Users Towards Less Revealing Internet Browsers

When browsing the Internet, HTTP headers enable both clients and servers send extra data in their requests or responses such as the User-Agent string. This string contains information related to the sender’s device, browser, and operating system. Previous research has shown that there are numerous privacy and security risks result from exposing sensitive information in the User-Agent string. For example, it enables device and browser fingerprinting and user tracking and identification. Our large analysis of thousands of User-Agent strings shows that browsers differ tremendously in the amount of information they include in their User-Agent strings. As such, our work aims at guiding users towards using less exposing browsers. In doing so, we propose to assign an exposure score to browsers based on the information they expose and vulnerability records. Thus, our contribution in this work is as follows: first, provide a full implementation that is ready to be deployed and used by users. Second, conduct a user study to identify the effectiveness and limitations of our proposed approach. Our implementation is based on using more than 52 thousand unique browsers. Our performance and validation analysis show that our solution is accurate and efficient. The source code and data set are publicly available and the solution has been deployed

Enable Reliable and Secure Data Transmission in Resource-Constrained Emerging Networks

The increasing deployment of wireless devices has connected humans and objects all around the world, benefiting our daily life and the entire society in many aspects. Achieving those connectivity motivates the emergence of different types of paradigms, such as cellular networks, large-scale Internet of Things (IoT), cognitive networks, etc. Among these networks, enabling reliable and secure data transmission requires various resources including spectrum, energy, and computational capability. However, these resources are usually limited in many scenarios, especially when the number of devices is considerably large, bringing catastrophic consequences to data transmission. For example, given the fact that most of IoT devices have limited computational abilities and inadequate security protocols, data transmission is vulnerable to various attacks such as eavesdropping and replay attacks, for which traditional security approaches are unable to address. On the other hand, in the cellular network, the ever-increasing data traffic has exacerbated the depletion of spectrum along with the energy consumption. As a result, mobile users experience significant congestion and delays when they request data from the cellular service provider, especially in many crowded areas. In this dissertation, we target on reliable and secure data transmission in resource-constrained emerging networks. The first two works investigate new security challenges in the current heterogeneous IoT environment, and then provide certain countermeasures for reliable data communication. To be specific, we identify a new physical-layer attack, the signal emulation attack, in the heterogeneous environment, such as smart home IoT. To defend against the attack, we propose two defense strategies with the help of a commonly found wireless device. In addition, to enable secure data transmission in large-scale IoT network, e.g., the industrial IoT, we apply the amply-and-forward cooperative communication to increase the secrecy capacity by incentivizing relay IoT devices. Besides security concerns in IoT network, we seek data traffic alleviation approaches to achieve reliable and energy-efficient data transmission for a group of users in the cellular network. The concept of mobile participation is introduced to assist data offloading from the base station to users in the group by leveraging the mobility of users and the social features among a group of users. Following with that, we deploy device-to-device data offloading within the group to achieve the energy efficiency at the user side while adapting to their increasing traffic demands. In the end, we consider a perpendicular topic - dynamic spectrum access (DSA) - to alleviate the spectrum scarcity issue in cognitive radio network, where the spectrum resource is limited to users. Specifically, we focus on the security concerns and further propose two physical-layer schemes to prevent spectrum misuse in DSA in both additive white Gaussian noise and fading environments

Time-Delay Switch Attack on Networked Control Systems, Effects and Countermeasures

In recent years, the security of networked control systems (NCSs) has been an important challenge for many researchers. Although the security schemes for networked control systems have advanced in the past several years, there have been many acknowledged cyber attacks. As a result, this dissertation proposes the use of a novel time-delay switch (TDS) attack by introducing time delays into the dynamics of NCSs. Such an attack has devastating effects on NCSs if prevention techniques and countermeasures are not considered in the design of these systems. To overcome the stability issue caused by TDS attacks, this dissertation proposes a new detector to track TDS attacks in real time. This method relies on an estimator that will estimate and track time delays introduced by a hacker. Once a detector obtains the maximum tolerable time delay of a plant’s optimal controller (for which the plant remains secure and stable), it issues an alarm signal and directs the system to its alarm state. In the alarm state, the plant operates under the control of an emergency controller that can be local or networked to the plant and remains in this stable mode until the networked control system state is restored. In another effort, this dissertation evaluates different control methods to find out which one is more stable when under a TDS attack than others. Also, a novel, simple and effective controller is proposed to thwart TDS attacks on the sensing loop (SL). The modified controller controls the system under a TDS attack. Also, the time-delay estimator will track time delays introduced by a hacker using a modified model reference-based control with an indirect supervisor and a modified least mean square (LMS) minimization technique. Furthermore, here, the demonstration proves that the cryptographic solutions are ineffective in the recovery from TDS attacks. A cryptography-free TDS recovery (CF-TDSR) communication protocol enhancement is introduced to leverage the adaptive channel redundancy techniques, along with a novel state estimator to detect and assist in the recovery of the destabilizing effects of TDS attacks. The conclusion shows how the CF-TDSR ensures the control stability of linear time invariant systems