PALPAS - PAsswordLess PAssword Synchronization

Tools that synchronize passwords over several user devices typically store the encrypted passwords in a central online database. For encryption, a low-entropy, password-based key is used. Such a database may be subject to unauthorized access which can lead to the disclosure of all passwords by an offline brute-force attack. In this paper, we present PALPAS, a secure and user-friendly tool that synchronizes passwords between user devices without storing information about them centrally. The idea of PALPAS is to generate a password from a high entropy secret shared by all devices and a random salt value for each service. Only the salt values are stored on a server but not the secret. The salt enables the user devices to generate the same password but is statistically independent of the password. In order for PALPAS to generate passwords according to different password policies, we also present a mechanism that automatically retrieves and processes the password requirements of services. PALPAS users need to only memorize a single password and the setup of PALPAS on a further device demands only a one-time transfer of few static data.Comment: An extended abstract of this work appears in the proceedings of ARES 201

A Case of Sesame Seeds: Growing and Nurturing Credentials in the Face of Mimicry

The purpose of this paper is to put the study of mimicry on the information security research map. Mimicry in humans has received little scholarly attention. Sociologist Diego Gambetta has constructed a framework that enables reasoning about episodes of mimicry based on trust in signs. By looking at the problem of phishing the applicability of this framework to problems of mimicry in information security system was tested. It was found that while the framework offers valuable insights, it needs to be updated since the assumptions that it makes do not hold in practice. A new framework is proposed, built on the core ideas of Gambetta’s framework, and extended with results from a literature study of phishing and other sources. This framework has been used for finding possible solutions to problems in web browser interface design. Because the nature of authentication was found to be the observation of discriminatory signals the paper also discusses the ethical issues surrounding the use of credentials. We hope that this paper will help system designers in finding and choosing appropriate credentials for authentication. By using the proposed framework a system can be analysed for the presence of credentials that enable the discrimination between genuine users and impostors. The framework can also serve as a method for identifying the dynamics behind user verification of credentials. The two problems that the framework can help address are the impersonation of providers and the impersonation of users. Like much other security research the results of this paper can be misused by attackers. It is expected that the framework will be more useful for defenders than attackers, as it is of an analytical nature, and cannot be used directly in any attacks. Since this study is of an exploratory nature the findings of the study need to be verified through research with greater validity. The paper contains directions for further research

Steps in Building a Successful Resilient Cyber Protocol

This article aims to help city administrators gain a systematic approach to building resilient cybersecurity protocols. Resilient protocols provide the basic organizational framework that layers employees, processes, and technologies that can address cyber risks to cities. Thus, these protocols provide the solid foundation necessary to protect cities and public institutions from the constant threat of cyberattacks. This article also offers suggestions on how cities can gain information technology (IT) resilience, and discusses boundaries in the layered approach to resilience

Mobile Commerce: Secure Multi-party Computation & Financial Cryptography

Abstract: The basic objective of this work is to construct an efficient and secure mechanism for mobile commerce applying the concept of financial cryptography and secure multi-party computation. The mechanism (MCM) is defined by various types of elements: a group of agents or players, actions, a finite set of inputs of each agent, a finite set of outcomes as defined by output function, a set of objective functions and constraints, payment function, a strategy profile, dominant strategy and revelation principle. The mechanism adopts a set of intelligent moves as dominant strategies: (a) flexible use of hybrid payment system which supports cash, e-payment and m-payment, (b) secure multi-party computation to ensure information security and privacy and (c) call intelligent analytics to assess and mitigate possible threats on m-commerce service. The mechanism supports three different types of transaction processing protocols (P1, P2 and P3) and calls a cryptographic protocol (Pc). The cryptographic protocol performs a set of functions sequentially such as authentication, authorization, correct identification, privacy verification and audit of correctness, fairness, rationality, accountability and transparency of secure multi-party computation on each m-transaction. The basic building blocks of the cryptographic protocol are signcryption, proofs of knowledge, commitments and secret sharing. This work also presents the complexity analysis of the mechanism in terms of computational cost, communication cost, security and business intelligence. Keywords: Secure multi-party computation, Financial cryptography, Mobile commerce mechanism, Threat analytics, Digital econom

PCI DSS case study: Impact in network design and security

The Payment Card Industry Data Security Standard is a set of twelve security requirements applicable to all institutions and systems handling, storing or transmitting cardholder information. It was created by the main card brands in a united effort to respond to the increasing number of attacks and data breaches cases targeted and linked to card and cardholder data. The standard considers points such as policies design, data security, network architecture, software design, application security, transmission encryption requirements and so on. Being compliant with the standard can be both expensive and traumatic for any business willing to do it. This research analyzes the impact that this compliance achievement process can have on an enterprise. This work is focused on the networking infrastructure and security and application security in general. This is a case study based on a real situation, where real current procedures and implementations were evaluated against the standard requirements regarding networking design, security and applications security. This will provide a benchmark of the situation towards getting the compliance validation in the company subject of this case study

The Effects of COVID-19 on Cybersecurity and Securing a Post-COVID World

The world became hardly recognizable throughout the COVID-19 pandemic as the normal state of the world was disrupted. In addition to affecting everyday life, the pandemic touched every industry, especially that of cybersecurity. To properly remediate for the future of cybersecurity, the trends in cybercrime seen throughout the pandemic warrant further investigation. An overall increase in cybercrime was clearly observed with no signs of plateauing. This trend was paired with developing sophistication of cybercrime means and methods. In response to this, a defense-in-depth strategy focusing on a layered defense approach strengthens an organization’s security posture. Focusing on every policy and technology implementation to limit attacker impact is the path to security in this post-COVID era. A proactive focus on how to leverage future technologies and methodologies will pave the way to securing the future