43 research outputs found
Security Analysis of Digital Signature Scheme with Message Recovery using Self-Certified Public Keys
Tseng and his colleagues have proposed two variants of authenticated encryption scheme using self-certified public keys. Their schemes have two fundamental properties. Only the intended receiver can recover the message while verifying the signature, and each user can use his own private key independently without system authority learning about it. This paper presents man-in-the-middle attacks to both Tseng and his colleagues authenticated encryption variants. It will be shown that these schemes are not secure against this attack
Secure Authentication and Privacy-Preserving Techniques in Vehicular Ad-hoc NETworks (VANETs)
In the last decade, there has been growing interest in Vehicular Ad Hoc NETworks (VANETs). Today car manufacturers have already started to equip vehicles with sophisticated sensors that can provide many assistive features such as front collision avoidance, automatic lane tracking, partial autonomous driving, suggestive lane changing, and so on. Such technological advancements are enabling the adoption of VANETs not only to provide safer and more comfortable driving experience but also provide many other useful services to the driver as well as passengers of a vehicle. However, privacy, authentication and secure message dissemination are some of the main issues that need to be thoroughly addressed and solved for the widespread adoption/deployment of VANETs. Given the importance of these issues, researchers have spent a lot of effort in these areas over the last decade. We present an overview of the following issues that arise in VANETs: privacy, authentication, and secure message dissemination. Then we present a comprehensive review of various solutions proposed in the last 10 years which address these issues. Our survey sheds light on some open issues that need to be addressed in the future
Cryptanalysis on `Robust Biometrics-Based Authentication Scheme for Multi-server Environment\u27
Authentication plays an important role in an open network environment in order to authenticate two communication parties among each other. Authentication protocols should protect the sensitive information against a malicious adversary by providing a variety of services, such as authentication, user credentials\u27 privacy, user revocation and re-registration, when the smart card is lost/stolen or the private key of a user or a server is revealed. Unfortunately, most of the existing multi-server authentication schemes proposed in the literature do not support the fundamental security property such as the revocation and re-registration with same identity. Recently, in 2014, He and Wang proposed a robust and efficient multi-server authentication scheme using biometrics-based smart card and elliptic curve cryptography (ECC). In this paper, we analyze the He-Wang\u27s scheme and show that He-Wang\u27s scheme is vulnerable to a known session-specific temporary information attack and impersonation attack. In addition, we show that their scheme does not provide strong user\u27s anonymity. Furthermore, He-Wang\u27s scheme cannot support the revocation and re-registration property. Apart from these, He-Wang\u27s scheme has some design flaws, such as wrong password login and its consequences, and wrong password update during password change phase
Protocols and Architecture for Privacy-preserving Authentication and Secure Message Dissemination in Vehicular Ad Hoc Networks
The rapid development in the automotive industry and wireless communication technologies have enhanced the popularity of Vehicular ad hoc networks (VANETs). Today, the automobile industry is developing sophisticated sensors that can provide a wide range of assistive features, including accident avoidance, automatic lane tracking, semi-autonomous driving, suggested lane changes, and more. VANETs can provide drivers a safer and more comfortable driving experience, as well as many other useful services by leveraging such technological advancements. Even though this networking technology enables smart and autonomous driving, it also introduces a plethora of attack vectors. However, the main issues to be sorted out and addressed for the widespread deployment/adoption of VANETs are privacy, authenticating users, and the distribution of secure messages. These issues have been addressed in this dissertation, and the contributions of this dissertation are summarized as follows: Secure and privacy-preserving authentication and message dissemination in VANETs: Attackers can compromise the messages disseminated within VANETs by tampering with the message content or sending malicious messages. Therefore, it is crucial to ensure the legitimacy of the vehicles participating in the VANETs as well as the integrity and authenticity of the messages transmitted in VANETs. In VANET communication, the vehicle uses pseudonyms instead of its real identity to protect its privacy. However, the real identity of a vehicle must be revealed when it is determined to be malicious. This dissertation presents a distributed and scalable privacy-preserving authentication and message dissemination scheme in VANET. Low overhead privacy-preserving authentication scheme in VANETs: The traditional pseudonym-based authentication scheme uses Certificate Revocation Lists (CRLs) to store the certificates of revoked and malicious entities in VANETs. However, the size of CRL increases significantly with the increased number of revoked entities. Therefore, the overhead involved in maintaining the revoked certificates is overwhelming in CRL-based solutions. This dissertation presents a lightweight privacy-preserving authentication scheme that reduces the overhead associated with maintaining CRLs in VANETs. Our scheme also provides an efficient look-up operation for CRLs. Efficient management of pseudonyms for privacy-preserving authentication in VANETs: In VANETs, vehicles change pseudonyms frequently to avoid the traceability of attackers. However, if only one vehicle out of 100 vehicles changes its pseudonym, an intruder can easily breach the privacy of the vehicle by linking the old and new pseudonym. This dissertation presents an efficient method for managing pseudonyms of vehicles. In our scheme, vehicles within the same region simultaneously change their pseudonyms to reduce the chance of linking two pseudonyms to the same vehicle
A systematic literature review on security and privacy of electronic health record systems: technical perspectives
Abstract Background: Even though many safeguards and policies for electronic health record (EHR) security have been implemented, barriers to the privacy and security protection of EHR systems persist. Objective: This article presents the results of a systematic literature review regarding frequently adopted security and privacy technical features of EHR systems. Method: Our inclusion criteria were full articles that dealt with the security and privacy of technical implementations of EHR systems published in English in peer-reviewed journals and conference proceedings between 1998 and 2013; 55 selected studies were reviewed in detail. We analysed the review results using two International Organization for Standardization (ISO) standards (29100 and 27002) in order to consolidate the study findings. Results: Using this process, we identified 13 features that are essential to security and privacy in EHRs. These included system and application access control, compliance with security requirements, interoperability, integration and sharing, consent and choice mechanism, policies and regulation, applicability and scalability and cryptography techniques. Conclusion: This review highlights the importance of technical features, including mandated access control policies and consent mechanisms, to provide patients' consent, scalability through proper architecture and frameworks, and interoperability of health information systems, to EHR security and privacy requirements
Development of a secure multi-factor authentication algorithm for mobile money applications
A Thesis Submitted in Fulfillment of the Requirements for the Degree of Doctor of Philosophy in Information and Communication Science and Engineering of the Nelson Mandela African Institution of Science and TechnologyWith the evolution of industry 4.0, financial technologies have become paramount and mobile
money as one of the financial technologies has immensely contributed to improving financial
inclusion among the unbanked population. Several mobile money schemes were developed but,
they suffered severe authentication security challenges since they implemented two-factor
authentication. This study focused on developing a secure multi-factor authentication (MFA)
algorithm for mobile money applications. It uses personal identification numbers, one-time
passwords, biometric fingerprints, and quick response codes to authenticate and authorize mobile
money subscribers. Secure hash algorithm-256, Rivest-Shamir-Adleman encryption, and Fernet
encryption were used to secure the authentication factors, confidential financial information and
data before transmission to the remote databases. A literature review, survey, evolutionary
prototyping model, and heuristic evaluation and usability testing methods were used to identify
authentication issues, develop prototypes of native genuine mobile money (G-MoMo)
applications, and identify usability issues with the interface designs and ascertain their usability,
respectively. The results of the review grouped the threat models into attacks against privacy,
authentication, confidentiality, integrity, and availability. The survey identified authentication
attacks, identity theft, phishing attacks, and PIN sharing as the key mobile money systems’
security issues. The researcher designed a secure MFA algorithm for mobile money applications
and developed three native G-MoMo applications to implement the designed algorithm to prove
the feasibility of the algorithm and that it provided robust security. The algorithm was resilient to
non-repudiation, ensured strong authentication security, data confidentiality, integrity, privacy,
and user anonymity, was highly effective against several attacks but had high communication
overhead and computational costs. Nevertheless, the heuristic evaluation results showed that the
G-MoMo applications’ interface designs lacked forward navigation buttons, uniformity in the
applications’ menu titles, search fields, actions needed for recovery, and help and documentation.
Similarly, the usability testing revealed that they were easy to learn, effective, efficient,
memorable, with few errors, subscriber satisfaction, easy to use, aesthetic, easy to integrate, and
understandable. Implementing a secure mobile money authentication and authorisation by
combining multiple factors which are securely stored helps mobile money subscribers and other
stakeholders to have trust in the developed native G-MoMo applications
New Security Definitions, Constructions and Applications of Proxy Re-Encryption
La externalización de la gestión de la información es una práctica cada vez más común, siendo la computación en la nube (en inglés, cloud computing) el paradigma más representativo. Sin embargo, este enfoque genera también preocupación con respecto a la seguridad y privacidad debido a la inherente pérdida del control sobre los datos. Las soluciones tradicionales, principalmente basadas en la aplicación de polÃticas y estrategias de control de acceso, solo reducen el problema a una cuestión de confianza, que puede romperse fácilmente por los proveedores de servicio, tanto de forma accidental como intencionada. Por lo tanto, proteger la información externalizada, y al mismo tiempo, reducir la confianza que es necesario establecer con los proveedores de servicio, se convierte en un objetivo inmediato. Las soluciones basadas en criptografÃa son un mecanismo crucial de cara a este fin.
Esta tesis está dedicada al estudio de un criptosistema llamado recifrado delegado (en inglés, proxy re-encryption), que constituye una solución práctica a este problema, tanto desde el punto de vista funcional como de eficiencia. El recifrado delegado es un tipo de cifrado de clave pública que permite delegar en una entidad la capacidad de transformar textos cifrados de una clave pública a otra, sin que pueda obtener ninguna información sobre el mensaje subyacente. Desde un punto de vista funcional, el recifrado delegado puede verse como un medio de delegación segura de acceso a información cifrada, por lo que representa un candidato natural para construir mecanismos de control de acceso criptográficos. Aparte de esto, este tipo de cifrado es, en sà mismo, de gran interés teórico, ya que sus definiciones de seguridad deben balancear al mismo tiempo la seguridad de los textos cifrados con la posibilidad de transformarlos mediante el recifrado, lo que supone una estimulante dicotomÃa.
Las contribuciones de esta tesis siguen un enfoque transversal, ya que van desde las propias definiciones de seguridad del recifrado delegado, hasta los detalles especÃficos de potenciales aplicaciones, pasando por construcciones concretas
Energy Conservation and Security Enhancement in Wireless End-to-end Secure Connections
Wireless channels are vulnerable to interception. In some applications an end-to-end secure data transfer is required. However the use of cryptographic functions in communication over a wireless channel increases sensitivity to channel errors. As a result, the connection characteristics in terms of delay, throughput, and transmission energy worsen. Transmission energy is a key issue in some secure end-to-end wireless applications especially if they are running on mobile handheld devices with a limited source of energy such as batteries. That is why in most secure end-to-end wireless connections, the connection is dropped in poor channel conditions.
In this thesis, models are proposed by which the performance is improved and transmission energy is lowered. A combination of a cross-layer controller, K Best Likelihood (K-BL) channel decoder, and a keyed error detection algorithm in the novel model supports the authorized receivers by a higher throughput, lower delay mean, and less transmission energy in a certain range of the Signal to Noise Ratio (SNR). This is done at the expense of additional computation at the receiving end. Ttradeoffs are examined and the simulation results of the new model are compared with those of conventional wireless communication systems.
Another model is devised to mitigate the energy consumption of the Turbo Code channel decoder. The overall decoding energy consumption for each packet can be lowered by reducing the average number of iterations in the Turbo Code channel decoder.
The proposed models achieve better energy consumption by reducing the number of iterations in a channel decoder that uses the Turbo decoder and by reducing the number of retransmissions in a trellis channel decoder. Furthermore, the security enhancement of the novel models is assessed in terms of the extent to which the enhancement is fully achieved
Cybersecurity applications of Blockchain technologies
With the increase in connectivity, the popularization of cloud services, and the rise
of the Internet of Things (IoT), decentralized approaches for trust management
are gaining momentum. Since blockchain technologies provide a distributed ledger,
they are receiving massive attention from the research community in different application
fields. However, this technology does not provide cybersecurity by itself.
Thus, this thesis first aims to provide a comprehensive review of techniques and
elements that have been proposed to achieve cybersecurity in blockchain-based systems.
The analysis is intended to target area researchers, cybersecurity specialists
and blockchain developers. We present a series of lessons learned as well. One of
them is the rise of Ethereum as one of the most used technologies.
Furthermore, some intrinsic characteristics of the blockchain, like permanent
availability and immutability made it interesting for other ends, namely as covert
channels and malicious purposes.
On the one hand, the use of blockchains by malwares has not been characterized
yet. Therefore, this thesis also analyzes the current state of the art in this area. One
of the lessons learned is that covert communications have received little attention.
On the other hand, although previous works have analyzed the feasibility of
covert channels in a particular blockchain technology called Bitcoin, no previous
work has explored the use of Ethereum to establish a covert channel considering all
transaction fields and smart contracts.
To foster further defence-oriented research, two novel mechanisms are presented
on this thesis. First, Zephyrus takes advantage of all Ethereum fields and smartcontract
bytecode. Second, Smart-Zephyrus is built to complement Zephyrus by
leveraging smart contracts written in Solidity. We also assess the mechanisms feasibility
and cost. Our experiments show that Zephyrus, in the best case, can embed
40 Kbits in 0.57 s. for US 1.82 per bit), the provided stealthiness might be worth the price for attackers. Furthermore,
these two mechanisms can be combined to increase capacity and reduce
costs.Debido al aumento de la conectividad, la popularización de los servicios en la nube
y el auge del Internet de las cosas (IoT), los enfoques descentralizados para la
gestión de la confianza están cobrando impulso. Dado que las tecnologÃas de cadena
de bloques (blockchain) proporcionan un archivo distribuido, están recibiendo
una atención masiva por parte de la comunidad investigadora en diferentes campos
de aplicación. Sin embargo, esta tecnologÃa no proporciona ciberseguridad por sÃ
misma. Por lo tanto, esta tesis tiene como primer objetivo proporcionar una revisión
exhaustiva de las técnicas y elementos que se han propuesto para lograr la ciberseguridad
en los sistemas basados en blockchain. Este análisis está dirigido a investigadores
del área, especialistas en ciberseguridad y desarrolladores de blockchain. A
su vez, se presentan una serie de lecciones aprendidas, siendo una de ellas el auge
de Ethereum como una de las tecnologÃas más utilizadas.
Asimismo, algunas caracterÃsticas intrÃnsecas de la blockchain, como la disponibilidad
permanente y la inmutabilidad, la hacen interesante para otros fines, concretamente
como canal encubierto y con fines maliciosos.
Por una parte, aún no se ha caracterizado el uso de la blockchain por parte
de malwares. Por ello, esta tesis también analiza el actual estado del arte en este
ámbito. Una de las lecciones aprendidas al analizar los datos es que las comunicaciones
encubiertas han recibido poca atención.
Por otro lado, aunque trabajos anteriores han analizado la viabilidad de los
canales encubiertos en una tecnologÃa blockchain concreta llamada Bitcoin, ningún
trabajo anterior ha explorado el uso de Ethereum para establecer un canal encubierto
considerando todos los campos de transacción y contratos inteligentes.
Con el objetivo de fomentar una mayor investigación orientada a la defensa,
en esta tesis se presentan dos mecanismos novedosos. En primer lugar, Zephyrus
aprovecha todos los campos de Ethereum y el bytecode de los contratos inteligentes.
En segundo lugar, Smart-Zephyrus complementa Zephyrus aprovechando los contratos inteligentes escritos en Solidity. Se evalúa, también, la viabilidad y el coste
de ambos mecanismos. Los resultados muestran que Zephyrus, en el mejor de los
casos, puede ocultar 40 Kbits en 0,57 s. por 1,64 US$, y recuperarlos en 2,8 s.
Smart-Zephyrus, por su parte, es capaz de ocultar un secreto de 4 Kb en 41 s. Si
bien es cierto que es caro (alrededor de 1,82 dólares por bit), el sigilo proporcionado
podrÃa valer la pena para los atacantes. Además, estos dos mecanismos pueden
combinarse para aumentar la capacidad y reducir los costesPrograma de Doctorado en Ciencia y TecnologÃa Informática por la Universidad Carlos III de MadridPresidente: José Manuel Estévez Tapiador.- Secretario: Jorge Blasco AlÃs.- Vocal: Luis Hernández Encina