16 research outputs found

    An Analysis of and Perspective on the Information Security Maturity Model: a case study of a Public and a Private Sector Company

    Information Security (IS) is a concept that is related to protecting a set of data in order to preserve the value it has for an individual or an organization. A review of the literature shows there are four main aspects related to IS: confidentiality, integrity, availability and non-repudiation. Based on these four aspects, a new framework is put forward for analyzing the information security maturity model (ISMM) in an organization, assuming that each organization has a minimum level of information security policies in each aspect, taking into consideration the percentage of policies that this organization has from all those cited in our model. At the end, a case study was conducted in order to analyze the ISMM of a public and private sector company

    Privacy protection for RFID-based tracking systems

    Abstract—RFID technology is increasingly being deployed in ubiquitous computing environments for object tracking and localization. Existing tracking architecture usually assumes the use of a trusted server which is invulnerable to compromise by internal and external adversaries. However, maintaining such a trusted server is unlikely in the real world. In this paper, we consider the problem of adding privacy protection to object tracking systems built upon passive RFID tags, without relying on a trusted server assumption. Our protocol continues to protect user privacy in the event of partial compromise of a server. I

    PPS: Privacy-preserving statistics using RFID tags

    As RFID applications are entering our daily life, many new security and privacy challenges arise. However, current research in RFID security focuses mainly on simple authentication and privacy-preserving identification. In this paper, we discuss the possibility of widening the scope of RFID security and privacy by introducing a new application scenario. The suggested application consists of computing statistics on private properties of individuals stored in RFID tags. The main requirement is to compute global statistics while preserving the privacy of individual readings. PPS assures the privacy of properties stored in each tag through the combination of homomorphic encryption and aggregation at the readers. Re-encryption is used to prevent tracking of users. The readers scan tags and forward the aggregate of their encrypted readings to the back-end server. The back-end server then decrypts the aggregates it receives and updates the global statistics accordingly. PPS is provably privacy-preserving. Moreover, tags can be very simple since they are not required to perform any kind of computation, but only to store data

    Who counterfeited my Viagra? probabilistic item removal detection via RFID tag cooperation

    We leverage RFID tag cooperation to enforce tampering detection. That is, we provide a set of probabilistic protocols that detect the absence of a tag from a system composed of a set of tags and a reader. Our proposals are able to detect which tag and for how long it has been taken away from the system. The grain of the detection can be tuned with respect to the resources available on the tags. Another merit of our solutions is to provide a proof-of-concept that a small level of cooperation among tags can further extend the range of applications RFID can support, possibly opening new veins of research. The proposed protocols fit the resource constraints of the several classes of RFID available on the market. In particular, the memory requirement ranges from few memory slots to a number of memory slots that is proportional to the number of rounds the presence of a tag is going to be checked. Computation is just one hash per round. This fully fledged set of protocols is thought to trade off the detection grain with the resources on the tag: the finer the item removal detection grain, the more resources a protocol requires. A thorough analysis for the removal detection probability is provided. Finally, extensive simulations support the analytical results, showing the viability of the proposed solutions

    Attacks on RFID Protocols

    This document consists of a collection of attacks upon RFID protocols and is meant to serve as a quick and easy reference. This document will be updated as new attacks are found. Currently the only attacks on protocols shown are the authors' original attacks with references to similar attacks on other protocols. The main security properties considered are authentication, untraceability, and - for stateful protocols - desynchronization resistance

    Secure and efficient data extraction for ubiquitous computing applications

    Ubiquitous computing creates a world where computers have blended seamlessly into our physical environment. In this world, a computer is no longer a monitor-and-keyboard setup, but everyday objects such as our clothing and furniture. Unlike current computer systems, most ubiquitous computing systems are built using small, embedded devices with limited computational, storage and communication abilities. A common requirement for many ubiquitous computing applications is to utilize the data from these small devices to perform more complex tasks. For critical applications such as healthcare or medical related applications, there is a need to ensure that only authorized users have timely access to the data found in the small device. In this dissertation, we study the problem of how to securely and efficiently extract data from small devices. Our research considers two categories of small devices that are commonly used in ubiquitous computing, battery powered sensors and battery free RFID tags. Sensors are more powerful devices equipped with storage and sensing capabilities that are limited by battery power, whereas tags are less powerful devices with limited functionalities, but have the advantage of being operable without battery power. We also consider two types of data access patterns, local and remote access. In local data access, the application will query the tag or the sensor directly for the data, while in remote access, the data is already aggregated at a remote location and the application will query the remote location for the necessary information. The difference between local and remote access is that in local access, the tag or sensor only needs to authenticate the application before releasing the data, but in remote access, the small device may have to perform additional processing to ensure that the data remains secure after being collected. In this dissertation, we present secure and efficient local data access solutions for a single RFID tag, multiple RFID tags, and a single sensor, and remote data access solutions for both RFID tag and sensor

    Avaluació de la Seguretat en RFID HF

    Security and privacy in RFID systems

    Since RFID tags are currently being widely deployed in several applications (such as automatic payments, remote access control, and supply chain management), it is important to design security protocols that protect the privacy of RFID tag holders. However, the design of these protocols is governed by the power and computation limitations of RFID technology, and by security models that are, in our view, too strong for systems as constrained as RFID tags. In this thesis, we therefore restrict the security model; in particular, an adversary cannot observe all interactions between tags and readers. This restriction is realistic, notably in the context of supply chain management, which is the target application of this work. Under this assumption, we present four cryptographic protocols that ensure better collaboration between the different partners in the supply chain. First, we propose an ownership transfer protocol for RFID tags that guarantees constant-time tag authentication while tags implement only symmetric algorithms, and that allows the authenticity of the tags' origin to be verified. Next, we address the problem of product authenticity by introducing two security protocols that allow a set of verifiers to check that tags without computational capability have followed valid paths in the supply chain. The last result presented in this thesis is an item matching protocol using tags without computational capability, which aims to automate safety inspections in the supply chain during the transport of hazardous products. The protocols introduced in this thesis use elliptic curves and bilinear pairings, which allow the construction of efficient signature and encryption algorithms and thus minimize storage and computation in RFID systems. Moreover, the security of these protocols is proven under well-defined formal models that take into account the limitations and constraints of RFID tags and the strict security and privacy requirements of supply chains.
    While RFID systems are one of the key enablers helping the prototype of pervasive computer applications, the deployment of RFID technologies also comes with new privacy and security concerns ranging from people tracking and industrial espionage to product cloning and denial of service. Cryptographic solutions to tackle these issues were in general challenged by the limited resources of RFID tags, and by the formalizations of RFID privacy that are believed to be too strong for such constrained devices. It follows that most of the existing RFID-based cryptographic schemes failed at ensuring tag privacy without sacrificing RFID scalability or RFID cost effectiveness. In this thesis, we therefore relax the existing definitions of tag privacy to bridge the gap between RFID privacy in theory and RFID privacy in practice, by assuming that an adversary cannot continuously monitor tags. Under this assumption, we are able to design secure and privacy preserving multi-party protocols for RFID-enabled supply chains. Namely, we propose a protocol for tag ownership transfer that features constant-time authentication while tags are only required to compute hash functions. Then, we tackle the problem of product genuineness verification by introducing two protocols for product tracking in the supply chain that rely on storage only tags. Finally, we present a solution for item matching that uses storage only tags and aims at the automation of safety inspections in the supply chain. The protocols presented in this manuscript rely on operations performed in subgroups of elliptic curves that allow for the construction of short encryptions and signatures, resulting in minimal storage requirements for RFID tags. Moreover, the privacy and the security of these protocols are proven under well defined formal models that take into account the computational limitations of RFID technology and the stringent privacy and security requirements of each targeted supply chain application.
    PARIS-Télécom ParisTech (751132302) / Sudoc, France