70,759 research outputs found
METHOD OF PROTECTING MACHINE CERTIFICATES ISSUED TO LINUX CLIENTS OBTAINED BY USING SCEP PROTOCOL BY ENCRYPTING WITH A TPM DEVICE
The implemented solution leverages TPM as a security facility and streamlines the process from SCEP
enrollment and renewal to get certificate and private key till the private key being used by a WPA
Supplicant to get authenticated and authorized to access a secure network via 802.1x protocol. During the
whole process, the administrator, who manages certificates and configures network settings, just needs to
configure SCEP Client and 802.1x network as normal, except two extra steps to set TPM passwords and
enable TPM. Besides configuring all settings in local GUI, there is a set of command line tool. The actual
administrative efforts can be further reduced by executing command lines remotely in a mass deployment
scenario. The administrator can run command line remotely via a secure channel to get everything setup
A Certificate-based Light-weight Authentication Algorithm For Resource-constrained Devices
In this work, we analyze and extend a recently proposed design of digital certificates called TESLA certificates. Certificates are a necessary tool in today's secure networks to certify the identity of nodes taking part in communication. Most prevalent certificate technologies make use of public-key cryptography. Messages generated by the user are signed using its private key, and the signature can be verified by any node who knows the user's public key via its certificate. Signature generation and verification using public-key cryptography is computationally expensive for devices with limited computation power and energy resources. In this situation TESLA certificates can be very useful to certify identity, since they rely on symmetric cryptography which is computationally much more efficient. In this paper we explain the concept of TESLA certificates and provide a preliminary description of proposed modifications to the original algorithm to strengthen its security. We extend the original proposal by combining hash chains with TESLA certificates and come up with an efficient source and message authentication protocol based on symmetric key certificates. We also propose a new type of TESLA certificates called Group Certificates for use in multicast group communication. Through analysis, we show that our protocol is secure against malicious adversaries. We also give an initial estimate of the performance of our algorithm and the related comparison to public-key signatures, and we highlight network scenarios where the TESLA certificates could be particularly useful
To Share or Not to Share in Client-Side Encrypted Clouds
With the advent of cloud computing, a number of cloud providers have arisen
to provide Storage-as-a-Service (SaaS) offerings to both regular consumers and
business organizations. SaaS (different than Software-as-a-Service in this
context) refers to an architectural model in which a cloud provider provides
digital storage on their own infrastructure. Three models exist amongst SaaS
providers for protecting the confidentiality data stored in the cloud: 1) no
encryption (data is stored in plain text), 2) server-side encryption (data is
encrypted once uploaded), and 3) client-side encryption (data is encrypted
prior to upload). This paper seeks to identify weaknesses in the third model,
as it claims to offer 100% user data confidentiality throughout all data
transactions (e.g., upload, download, sharing) through a combination of Network
Traffic Analysis, Source Code Decompilation, and Source Code Disassembly. The
weaknesses we uncovered primarily center around the fact that the cloud
providers we evaluated were each operating in a Certificate Authority capacity
to facilitate data sharing. In this capacity, they assume the role of both
certificate issuer and certificate authorizer as denoted in a Public-Key
Infrastructure (PKI) scheme - which gives them the ability to view user data
contradicting their claims of 100% data confidentiality. We have collated our
analysis and findings in this paper and explore some potential solutions to
address these weaknesses in these sharing methods. The solutions proposed are a
combination of best practices associated with the use of PKI and other
cryptographic primitives generally accepted for protecting the confidentiality
of shared information
Secure Identification in Social Wireless Networks
The applications based on social networking have brought revolution towards social life and are continuously gaining popularity among the Internet users. Due to the advanced computational resources offered by the innovative hardware and nominal subscriber charges of network operators, most of the online social networks are transforming into the mobile domain by offering exciting applications and games exclusively designed for users on the go. Moreover, the mobile devices are considered more personal as compared to their desktop rivals, so there is a tendency among the mobile users to store sensitive data like contacts, passwords, bank account details, updated calendar entries with key dates and personal notes on their devices.
The Project Social Wireless Network Secure Identification (SWIN) is carried out at Swedish Institute of Computer Science (SICS) to explore the practicality of providing the secure mobile social networking portal with advanced security features to tackle potential security threats by extending the existing methods with more innovative security technologies. In addition to the extensive background study and the determination of marketable use-cases with their corresponding security requirements, this thesis proposes a secure identification design to satisfy the security dimensions for both online and offline peers. We have implemented an initial prototype using PHP Socket and OpenSSL library to simulate the secure identification procedure based on the proposed design. The design is in compliance with 3GPP‟s Generic Authentication Architecture (GAA) and our implementation has demonstrated the flexibility of the solution to be applied independently for the applications requiring secure identification. Finally, the thesis provides strong foundation for the advanced implementation on mobile platform in future
Encryption – use and control in E-commerce
The author describes how cryptography can be used to address modern business requirements such as identity protection, secure web access and digital signatures. Article by Robert Bond (Head of Innovation & Technology Group, Hobson Audley and Fellow of SALS). Published in Amicus Curiae - Journal of the Institute of Advanced Legal Studies and its Society for Advanced Legal Studies. The Journal is produced by the Society for Advanced Legal Studies at the Institute of Advanced Legal Studies, University of London
Secure Mobile Social Networks using USIM in a Closed Environment
Online social networking and corresponding mobile based applications are gaining popularity and now considered
a well-integrated service within mobile devices. Basic security mechanisms normally based on passwords for the authentication of social-network users are widely deployed and poses a threat for the user security. In particular, for dedicated social groups with high confidentiality and privacy demands, stronger and user friendly principles for the authentication and identification of group members are needed. On the other hand, most of the mobile units already provide strong authentication procedures through the USIM/ISIM module. This paper explores how to build an architectural framework for secure enrollment and identification of group members in dedicated closed social groups using the USIM/SIM authentication and in particular, the 3GPP Generic Authentication Architecture (GAA), which is built upon the USIM/SIM capabilities. One part of the research is to identify the marketable use-cases with corresponding security challenges to fulfill the requirements that extend beyond the online connectivity. This paper proposes a secure identification design to satisfy the security dimensions for both online and offline peers. We have also implemented an initial proof of the concept prototype to simulate the secure identification procedure based on the proposed design. Our implementation has demonstrated the flexibility of the solution to be applied independently for applications requiring secure identification
Maintaining unlinkability in group based P2P environments
In the wake of the success of Peer-to-Peer (P2P) networking, security has arisen as one of its main concerns, becoming a key issue when evaluating a P2P system. Unfortunately, some systems' design focus targeted issues such as scalabil-ity or overall performance, but not security. As a result, security mechanisms must be provided at a later stage, after the system has already been designed and partially (or even fully) implemented, which may prove a cumbersome proposition. This work exposes how a security layer was provided under such circumstances for a specic Java based P2P framework: JXTA-Overlay.Arran de l'èxit de (P2P) peer-to-peer, la seguretat ha sorgit com una de les seves principals preocupacions, esdevenint una qĂĽestiĂł clau en l'avaluaciĂł d'un sistema P2P. Malauradament, alguns sistemes de disseny apunten focus de problemes com l'escalabilitat o l'acompliment general, però no de seguretat. Com a resultat d'això, els mecanismes de seguretat sÂżhan de proporcionar en una etapa posterior, desprĂ©s que el sistema ja ha estat dissenyat i parcialment (o fins i tot totalment) implementat, la qual cosa pot ser una proposiciĂł incòmode. Aquest article exposa com es va proveir una capa de seguretat sota aquestes circumstĂ ncies per un Java especĂfic basat en un marc P2P: JXTA-superposiciĂł.A raĂz del Ă©xito de (P2P) peer-to-peer, la seguridad ha surgido como una de sus principales preocupaciones, convirtiĂ©ndose en una cuestiĂłn clave en la evaluaciĂłn de un sistema P2P. Desgraciadamente, algunos sistemas de diseño apuntan un foco de problemas como la escalabilidad o el desempeño general, pero no de seguridad. Como resultado de ello, los mecanismos de seguridad se proporcionarán en una etapa posterior, despuĂ©s de que el sistema ya ha sido diseñado y parcialmente (o incluso totalmente) implementado, lo que puede ser una proposiciĂłn incĂłmodo. Este artĂculo expone cĂłmo se proveyĂł una capa de seguridad bajo estas circunstancias por un Java especĂfico basado en un marco P2P: JXTA-superposiciĂłn
Merging and Extending the PGP and PEM Trust Models - the ICE-TEL Trust Model
The ICE-TEL project is a pan-European project that is building an Internet X.509 based certification infrastructure throughout Europe, plus several secure applications that will use it. This paper describes the trust model that is being implemented by the project. A trust model specifies the means by which a user may build trust in the assertion that a remote user is really who he purports to be (authentication) and that he does in fact have a right to access the service or information that he is requesting (authorization). The ICE-TEL trust model is based on a merging of and extensions to the existing Pretty Good Privacy (PGP) web of trust and Privacy Enhanced Mail (PEM) hierarchy of trust models, and is called a web of hierarchies trust model. The web of hierarchies model has significant advantages over both of the previous models, and these are highlighted here. The paper further describes the way that the trust model is enforced through some of the new extensions in the X.509 V3 certificates, and gives examples of its use in different scenarios
On the security of the Blockchain Bix Protocol and Certificates
The BIX protocol is a blockchain-based protocol that allows distribution of
certificates linking a subject with his public key, hence providing a service
similar to that of a PKI but without the need of a CA. In this paper we analyze
the security of the BIX protocol in a formal way, in four steps. First, we
identify formal security assumptions which are well-suited to this protocol.
Second, we present some attack scenarios against the BIX protocol. Third, we
provide a formal security proof that some of these attacks are not feasible
under our previously established assumptions. Finally, we show how another
attack may be carried on.Comment: 16 pages, 1 figur
- …