KEDGEN2: A key establishment and derivation protocol for EPC Gen2 RFID systems

International audienceThe EPC Class-1 Generation-2 (Gen2 for short) is a Radio Frequency IDentification (RFID) technology that is gaining a prominent place in several domains. However, the Gen2 standard lacks verifiable security functionalities. Eavesdropping attacks can, for instance, affect the security of applications based on the Gen2 technology. To address this problem, RFID tags must be equipped with a robust mechanism to authenticate readers before authorising them to access their data. In this paper, we propose a key establishment and derivation protocol, which is applied at both identification phase and those remainder operations requiring security. Our solution is based on a pseudorandom number generator that uses a low computational workload, while ensuring long term secure communication to protect the secrecy of the exchanged data. Mutual authentication of the tag and the sensor and strong notions of secrecy such as forward and backward secrecy are analysed, and we prove formally that after being amended, our protocol is secure with respect to these properties

Privacy preservation in Internet of Things: a secure approach for distributed group authentication through Paillier cryptosystem

Ho creato un applicativo in java per l'autenticazione distribuita di gruppo in ambienti con risorse limitate come Internet of things. L'applicativo è stato testato su una rete MANET da 2 a 5 nodi

Securing IoT-based collaborative applications using a new compressed and distributed MIKEY mode

International audienceMultimedia internet keying protocol (MIKEY) aims at establishing secure credentials between two communicating entities. However, existing MIKEY modes fail to meet the requirements of low-power and low-processing devices. To address this issue, we combine two previously proposed approaches to introduce a new compressed and distributed MIKEY mode applied to a collaborative internet of things context. A set of third parties is used to discharge the constrained nodes from heavy computational operations. Doing so, the MIKEY pre-shared mode is used in the constrained part of network, while the public key mode is used in the unconstrained part of the network. Furthermore, to mitigate the communication cost we introduce a new header compression scheme that reduces the size of MIKEY's header from 12 bytes to 3 bytes in the best compression case. To assess our approach, we performed a detailed security analysis using a formal validation tool (i.e., Avispa). In addition, we performed an energy evaluation of both communicational and computational costs. The obtained results show that our proposed mode is energy preserving whereas its security properties are preserved untouched

Securing IoT-based collaborative applications using a new compressed and distributed MIKEY mode

International audienceMultimedia internet keying protocol (MIKEY) aims at establishing secure credentials between two communicating entities. However, existing MIKEY modes fail to meet the requirements of low-power and low-processing devices. To address this issue, we combine two previously proposed approaches to introduce a new compressed and distributed MIKEY mode applied to a collaborative internet of things context. A set of third parties is used to discharge the constrained nodes from heavy computational operations. Doing so, the MIKEY pre-shared mode is used in the constrained part of network, while the public key mode is used in the unconstrained part of the network. Furthermore, to mitigate the communication cost we introduce a new header compression scheme that reduces the size of MIKEY's header from 12 bytes to 3 bytes in the best compression case. To assess our approach, we performed a detailed security analysis using a formal validation tool (i.e., Avispa). In addition, we performed an energy evaluation of both communicational and computational costs. The obtained results show that our proposed mode is energy preserving whereas its security properties are preserved untouched

Distributed Smart City Services for Urban Ecosystems

A Smart City is a high-performance urban context, where citizens live independently and are more aware of the surrounding opportunities, thanks to forward-looking development of economy politics, governance, mobility and environment. ICT infrastructures play a key-role in this new research field being also a mean for society to allow new ideas to prosper and new, more efficient approaches to be developed. The aim of this work is to research and develop novel solutions, here called smart services, in order to solve several upcoming problems and known issues in urban areas and more in general in the modern society context. A specific focus is posed on smart governance and on privacy issues which have been arisen in the cellular age

Secure-by-Design Real-Time Internet of Medical Things Architecture: e-Health Population Monitoring (RTPM)

The healthcare sector has undergone a profound transformation, owing to the influential role played by Internet of Medical Things (IoMT) technology. However, there are substantial concerns over these devices’ security and privacy-preserving mechanisms. The current literature on IoMT tends to focus on specific security features, rather than wholistic security concerning Confidentiality, Integrity, and Availability (CIA Triad), and the solutions are generally simulated and not tested in a real-world network. The proposed innovative solution is known as Secure-by-Design Real-Time IoMT Architecture for e-Health Population Monitoring (RTPM) and it can manage keys at both ends (IoMT device and IoMT server) to maintain high privacy standards and trust during the monitoring process and enable the IoMT devices to run safely and independently even if the server is compromised. However, the session keys are controlled by the trusted IoMT server to lighten the IoMT devices’ overheads, and the session keys are securely exchanged between the client system and the monitoring server. The proposed RTPM focuses on addressing the major security requirements for an IoMT system, i.e., the CIA Triad, and conducts device authentication, protects from Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, and prevents non-repudiation attacks in real time. A self-healing solution during the network failure of live e-health monitoring is also incorporated in RTPM. The robustness and stress of the system are tested with different data types and by capturing live network traffic. The system’s performance is analysed using different security algorithms with different key sizes of RSA (1024 to 8192 bits), AES (128 to 256 bits), and SHA (256 bits) to support a resource-constraint-powered system when integrating with resource-demanding secure parameters and features. In the future, other security features like intrusion detection and prevention and the user’s experience and trust level of such a system will be tested

Reflective-Physically Unclonable Function based System for Anti-Counterfeiting

Physically unclonable functions (PUF) are physical security mechanisms, which utilize inherent randomness in processes used to instantiate physical objects. In this dissertation, an extensive overview of the state of the art in implementations, accompanying definitions and their analysis is provided. The concept of the reflective-PUF is presented as a product security solution. The viability of the concept, its evaluation and the requirements of such a system is explored

Integrating Public and Private Data Sources for Freight Transportation Planning

The Moving Ahead for Progress in the 21st Century Act (MAP-21) stipulates that state transportation agencies expand their interest in freight initiatives and modeling to support planning efforts, particularly the evaluation of current and future freight transportation capacity necessary to ensure freight mobility. However, the understanding of freight demand and the evaluation of current and future freight transportation capacity are not only determined by robust models, but are critically contingent on the availability of accurate data. Effective partnerships are clearly needed between the public and private sectors to ensure adequate freight planning and funding of transportation infrastructure at the state and local levels. However, establishing partnerships with firms who are both busy and suspicious of data-sharing, remains a challenge. This study was commissioned by the Texas Department of Transportation (TxDOT) to explore the feasibility of TxDOT entering into a data-sharing partnership with representatives of the private sector to obtain sample data for use in formulating a strategy for integrating public and private sector data sources. This report summarizes the findings, lessons learned, and recommendations formed from the outreach effort, and provides a prototype freight data architecture that will facilitate the storage, exchange, and integration of freight data through a data-sharing partnership.Texas Department of Transportation Research and Technology Implementation Office P.O. Box 5080 Austin, TX 78763-5080Civil, Architectural, and Environmental Engineerin

Achieving Better Privacy for the 3GPP AKA Protocol

Proposed by the 3rd Generation Partnership Project (3GPP) as a standard for 3G and 4G mobile-network communications, the AKA protocol is meant to provide a mutually-authenticated key-exchange between clients and associated network servers. As a result AKA must guarantee the indistinguishability from random of the session keys (key-indistinguishability), as well as client- and server-impersonation resistance. A paramount requirement is also that of client privacy, which 3GPP defines in terms of: user identity confidentiality,service untraceability,and location untraceability. Moreover, since servers are sometimes untrusted (in the case of roaming),the AKA protocol must also protect clients with respect to these third parties. Following the description of client-tracking attacks e.g. by using error messages or IMSI catchers, van den Broek et al. and respectively Arapinis et al. each proposed a new variant of AKA, addressing such problems. In this paper we use the approach of provable security to show that these variants still fail to guarantee the privacy of mobile clients. We propose an improvement of AKA, which retains most of its structure and respects practical necessities such as key management, but which provably attains security with respect to servers and Man-in-the-Middle (MiM) adversaries. Moreover, it is impossible to link client sessions in the absence of client-corruptions. Finally, we prove that any variant of AKA retaining its mutual authentication specificities cannot achieve client-unlinkability in the presence of corruptions. In this sense, our proposed variant is optimal