Token Based Authentication and Authorization with Zero-Knowledge Proofs for Enhancing Web API Security and Privacy

This design science study showcases an innovative artifact that utilizes Zero-Knowledge Proofs for API Authentication and Authorization. A comprehensive examination of existing literature and technology is conducted to evaluate the effectiveness of this alternative approach. The study reveals that existing APIs are using slower techniques that don’t scale, can’t take advantage of newer hardware, and have been unable to adequately address current security issues. In contrast, the novel technique presented in this study performs better, is more resilient in privacy sensitive and security settings, and is easy to implement and deploy. Additionally, this study identifies potential avenues for further research that could help advance the field of Web API development in terms of security, privacy, and simplicity

Efficient Key Management Schemes for Smart Grid

With the increasing digitization of different components of Smart Grid by incorporating smart(er) devices, there is an ongoing effort to deploy them for various applications. However, if these devices are compromised, they can reveal sensitive information from such systems. Therefore, securing them against cyber-attacks may represent the first step towards the protection of the critical infrastructure. Nevertheless, realization of the desirable security features such as confidentiality, integrity and authentication relies entirely on cryptographic keys that can be either symmetric or asymmetric. A major need, along with this, is to deal with managing these keys for a large number of devices in Smart Grid. While such key management can be easily addressed by transferring the existing protocols to Smart Grid domain, this is not an easy task, as one needs to deal with the limitations of the current communication infrastructures and resource-constrained devices in Smart Grid. In general, effective mechanisms for Smart Grid security must guarantee the security of the applications by managing (1) key revocation; and (2) key exchange. Moreover, such management should be provided without compromising the general performance of the Smart Grid applications and thus needs to incur minimal overhead to Smart Grid systems. This dissertation aims to fill this gap by proposing specialized key management techniques for resource and communication constrained Smart Grid environments. Specifically, motivated by the need of reducing the revocation management overhead, we first present a distributed public key revocation management scheme for Advanced Metering Infrastructure (AMI) by utilizing distributed hash trees (DHTs). The basic idea is to enable sharing of the burden among smart meters to reduce the overall overhead. Second, we propose another revocation management scheme by utilizing cryptographic accumulators, which reduces the space requirements for revocation information significantly. Finally, we turn our attention to symmetric key exchange problem and propose a 0-Round Trip Time (RTT) message exchange scheme to minimize the message exchanges. This scheme enables a lightweight yet secure symmetric key-exchange between field devices and the control center in Smart Gird by utilizing a dynamic hash chain mechanism. The evaluation of the proposed approaches show that they significantly out-perform existing conventional approaches

Regular and almost universal hashing: an efficient implementation

Random hashing can provide guarantees regarding the performance of data structures such as hash tables---even in an adversarial setting. Many existing families of hash functions are universal: given two data objects, the probability that they have the same hash value is low given that we pick hash functions at random. However, universality fails to ensure that all hash functions are well behaved. We further require regularity: when picking data objects at random they should have a low probability of having the same hash value, for any fixed hash function. We present the efficient implementation of a family of non-cryptographic hash functions (PM+) offering good running times, good memory usage as well as distinguishing theoretical guarantees: almost universality and component-wise regularity. On a variety of platforms, our implementations are comparable to the state of the art in performance. On recent Intel processors, PM+ achieves a speed of 4.7 bytes per cycle for 32-bit outputs and 3.3 bytes per cycle for 64-bit outputs. We review vectorization through SIMD instructions (e.g., AVX2) and optimizations for superscalar execution.Comment: accepted for publication in Software: Practice and Experience in September 201

Preserving Privacy: How Governments and Digital Services Can Harness Zero-Knowledge Proofs for Secure Identification

Amidst rapid technological advancement and digital transformation, ensuring privacy and data security is paramount. Governments and digital service providers face the challenge of establishing secure identification systems that protect individuals' personal information while enabling reliable authentication and seamless user experiences. Traditional identification methods often require individuals to disclose sensitive personal information, leading to privacy risks and potential data breaches. Zero-knowledge proofs (ZKPs) have emerged as a promising solution to address these concerns. By leveraging ZKPs, individuals can authenticate their identities or assert specific attributes without revealing sensitive data. This approach holds great potential for preserving privacy while enabling efficient and trustworthy verification processes. This paper explored ZKPs and how governments and digital service providers can utilize this technology to achieve secure identification while upholding privacy. A key focus was prototyping a secure identification protocol using ZKPs. Through practical implementation, this research aimed to demonstrate the reliability and effectiveness of ZKPs in real-world scenarios. Keywords: zero-knowledge proofs, privacy, digital identity, governments, digital services. DOI: 10.7176/ISDE/13-2-06 Publication date:September 30th 202

Blacklistable Anonymous Credentials: Blocking Misbehaving Users without TTPs (Extended Version)

Several credential systems have been proposed in which users can authenticate to services anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a trusted third party (TTP). The ability of the TTP to revoke a user\u27s privacy at any time, however, is too strong a punishment for misbehavior. To limit the scope of deanonymization, systems such as ``e-cash\u27\u27 have been proposed in which users are deanonymized under only certain types of well-defined misbehavior such as ``double spending.\u27\u27 While useful in some applications, it is not possible to generalize such techniques to more subjective definitions of misbehavior. We present the first anonymous credential system in which services can ``blacklist\u27\u27 misbehaving users without contacting a TTP. Since blacklisted users remain anonymous, misbehaviors can be judged subjectively without users fearing arbitrary deanonymization by a TTP

Towards Solving the Blockchain Trilemma: An Exploration of Zero-Knowledge Proofs

Research on blockchain has found that the technology is no silver bullet compared to traditional data structures due to limitations regarding decentralization, security, and scalability. These limitations are summarized in the blockchain trilemma, which today represents the greatest barrier to blockchain adoption and applicability. To address these limitations, recent advancements by blockchain businesses have focused on a new cryptographic technique called Zero-knowledge proofs . While these primitives have been around for some time and despite their potential significance on blockchains, not much is known in information systems research about them and their potential effects. Therefore, we employ a multivocal literature review to explore this new tool and find that although it has the potential to resolve the trilemma, it currently only solves it in certain dimensions, which necessitates further attention and research

IoT Expunge: Implementing Verifiable Retention of IoT Data

The growing deployment of Internet of Things (IoT) systems aims to ease the daily life of end-users by providing several value-added services. However, IoT systems may capture and store sensitive, personal data about individuals in the cloud, thereby jeopardizing user-privacy. Emerging legislation, such as California's CalOPPA and GDPR in Europe, support strong privacy laws to protect an individual's data in the cloud. One such law relates to strict enforcement of data retention policies. This paper proposes a framework, entitled IoT Expunge that allows sensor data providers to store the data in cloud platforms that will ensure enforcement of retention policies. Additionally, the cloud provider produces verifiable proofs of its adherence to the retention policies. Experimental results on a real-world smart building testbed show that IoT Expunge imposes minimal overheads to the user to verify the data against data retention policies.Comment: This paper has been accepted in 10th ACM Conference on Data and Application Security and Privacy (CODASPY), 202