414 research outputs found

    An Efficient QR Code Based Web Authentication Scheme

    Nowadays, web authentication is the main and important measure which guarantees information security and data privacy. Web authentication provides the basis of user accessibility and data security. In the last few years, frequent outbreaks in the password databases have led to a main concern in data security. The default method for web authentication is the password-only mechanism. There are many security problems associated with the password-only approach. Many users have a tendency to reuse the same password on different websites. So when one password is compromised, it may lead to the password break of the other websites due to the password reuse. In order to improve security, two-factor authentication (TFA) is strongly recommended. Despite this, TFA has not been widely accepted in the web authentication mechanism. The high scale and drastic popularity of the mobile phone and its inbuilt function of barcode scanning through the camera lead to a new two-factor authentication method. In this paper, the proposed two-factor authentication protocol uses a mobile phone with one or more cameras as the second factor for the authentication. The proposed TFA in web authentication counters various attacks such as man-in-the-middle (MITM) attacks, phishing attacks and so on. Here the password is the first factor and the mobile phone is used as the second factor for the web authentication. The communication between the mobile phone and the PC is with the help of visible light. Visible light communication has many advantages compared with other communication mechanisms. There is less cellular cost in this scheme, which indicates the user does not need a cellular network or Wi-Fi for the authentication

    IoT Expunge: Implementing Verifiable Retention of IoT Data

    The growing deployment of Internet of Things (IoT) systems aims to ease the daily life of end-users by providing several value-added services. However, IoT systems may capture and store sensitive, personal data about individuals in the cloud, thereby jeopardizing user-privacy. Emerging legislation, such as California's CalOPPA and GDPR in Europe, support strong privacy laws to protect an individual's data in the cloud. One such law relates to strict enforcement of data retention policies. This paper proposes a framework, entitled IoT Expunge, that allows sensor data providers to store the data in cloud platforms that will ensure enforcement of retention policies. Additionally, the cloud provider produces verifiable proofs of its adherence to the retention policies. Experimental results on a real-world smart building testbed show that IoT Expunge imposes minimal overheads to the user to verify the data against data retention policies. Comment: This paper has been accepted in 10th ACM Conference on Data and Application Security and Privacy (CODASPY), 202

    Who Can Find My Devices? Security and Privacy of Apple's Crowd-Sourced Bluetooth Location Tracking System

    Overnight, Apple has turned its hundreds-of-million-device ecosystem into the world's largest crowd-sourced location tracking network called offline finding (OF). OF leverages online finder devices to detect the presence of missing offline devices using Bluetooth and report an approximate location back to the owner via the Internet. While OF is not the first system of its kind, it is the first to commit to strong privacy goals. In particular, OF aims to ensure finder anonymity, untrackability of owner devices, and confidentiality of location reports. This paper presents the first comprehensive security and privacy analysis of OF. To this end, we recover the specifications of the closed-source OF protocols by means of reverse engineering. We experimentally show that unauthorized access to the location reports allows for accurate device tracking and retrieving a user's top locations with an error in the order of 10 meters in urban areas. While we find that OF's design achieves its privacy goals, we discover two distinct design and implementation flaws that can lead to a location correlation attack and unauthorized access to the location history of the past seven days, which could deanonymize users. Apple has partially addressed the issues following our responsible disclosure. Finally, we make our research artifacts publicly available. Comment: Accepted at Privacy Enhancing Technologies Symposium (PETS) 202

    Using secure coprocessors to enforce network access policies in enterprise and ad hoc networks

    Nowadays, network security is critically important. Enterprises rely on networks to improve their business. However, network security breaches may cause them loss of millions of dollars. Ad hoc networks, which enable computers to communicate wirelessly without the need for infrastructure support, have been attracting more and more interest. However, they cannot be deployed effectively due to security concerns. Studies have shown that the major network security threat is insiders (malicious or compromised nodes). Enterprises have traditionally employed network security solutions (e.g., firewalls, intrusion detection systems, anti-virus software) and network access control technologies (e.g., 802.1x, IPsec/IKE) to protect their networks. However, these approaches do not prevent malicious or compromised nodes from accessing the network. Many attacks against ad hoc networks, including routing, forwarding, and leader-election attacks, require malicious nodes joining the attacked network too. This dissertation presents a novel solution to protect both enterprise and ad hoc networks by addressing the above problem. It is a hardware-based solution that protects a network through the attesting of a node's configuration before authorizing the node's access to the network. Attestation is the unforgeable disclosure of a node's configuration to another node, signed by a secure coprocessor known as a Trusted Platform Module (TPM). This dissertation makes the following contributions. First, several techniques at operating system level (i.e., TCB prelogging, secure association root tripping, and sealing-free attestation confinement) are developed to support attestation and policy enforcement. Second, two secure attestation protocols at network level (i.e., Bound Keyed Attestation (BKA) and Batched Bound Keyed Attestation (BBKA)) are designed to overcome the risk of a man-in-the-middle (MITM) attack. Third, the above techniques are applied in enterprise networks to different network access control technologies to enhance enterprise network security. Fourth, AdHocSec, a novel network security solution for ad hoc networks, is proposed and evaluated. AdHocSec inserts a security layer between the network and data link layer of the network stack. Several algorithms are designed to facilitate node's attestation in ad hoc networks, including distributed attestation (DA), and attested merger (AM) algorithm

    Demystifying Internet of Things Security

    Break down the misconceptions of the Internet of Things by examining the different security building blocks available in Intel Architecture (IA) based IoT platforms. This open access book reviews the threat pyramid, secure boot, chain of trust, and the SW stack leading up to defense-in-depth. The IoT presents unique challenges in implementing security and Intel has both CPU and Isolated Security Engine capabilities to simplify it. This book explores the challenges to secure these devices to make them immune to different threats originating from within and outside the network. The requirements and robustness rules to protect the assets vary greatly and there is no single blanket solution approach to implement security. Demystifying Internet of Things Security provides clarity to industry professionals and provides an overview of different security solutions. What You'll Learn: Secure devices, immunizing them against different threats originating from inside and outside the network; Gather an overview of the different security building blocks available in Intel Architecture (IA) based IoT platforms; Understand the threat pyramid, secure boot, chain of trust, and the software stack leading up to defense-in-depth. Who This Book Is For: Strategists, developers, architects, and managers in the embedded and Internet of Things (IoT) space trying to understand and implement the security in the IoT devices/platforms

    Security, Trust and Privacy (STP) Model for Federated Identity and Access Management (FIAM) Systems

    Federated identity and access management systems enable users of the home domain organization to access multiple resources (services) in the foreign domain organization through web single sign-on. In a federated environment the user's authentication is performed at the beginning of an authentication session, and the user is allowed to access multiple resources (services) as long as the current session is active. In current federated identity and access management systems the main security concerns are: (1) bidirectional integrity measurement of the home domain organization's machine platforms does not exist, (2) integrated authentication (i.e., username/password and home domain machine platforms mutual attestation) is not present and (3) the resource (service) authorization in the foreign domain organization is not via the home domain machine platforms bidirectional attestation