Online toll payment system using android application

Now a day’s android application are emerging popular day by day.Online toll payment system will be very useful for the passengers and also the payment can be done in online. The toll payment system consists of an application that generates QR-Scanner code that will be displayed on the mobile device after the payment is done. The application also gives notification to the passenger before 2km or 3km before reaching the toll booth. The generated QR code will be scanned through a camera mobile device which is connected to the mySql server. The code generated is compared with server data and will be verified

Online authentication methods used in banks and attacks against these methods

© 2019 The Authors. Published by Elsevier B.V. Growing threats and attacks to online banking security (e.g. phishing, identity theft) motivates most banks to look for and use stronger authentication methods instead of using a normal username and password authentication. The main objective of the research is to identify the most common online authentication methods used widely in international banks and compare it with the methods used in six banks operating in UAE. In addition, this research will cover the current authentication threats and attacks against these methods. Two well-defined comparison matrices [15], one based on characteristics and second one on attack vectors, will be used to examine and assess the authentication methods of those six banks. This paper is different than other studies and works since it will help to identify the common authentication methods used in banks operating in UAE. Moreover, the comparison matrices will help to examine those authentication methods, define their weaknesses, and evaluate them

State-of-the art teaching material of the OWASP Top 10

Nowadays, web security has become something indispensable when working with the Internet, whether to protect business databases, establish communications, etc. With the aim of creating teaching material, I have created some laboratory sessions and documented several issues related to the ?OWASP (Open Web Application Security Project) top 10 vulnerabilities?. As a method, a systematic review o information in a large number of reliable Internet resources has been carried out, and several laboratory exercises has been created. As a result a large amount of teaching material including some exercises has been created about different themes, mianly: JWT (JSON Web Tokens), JKUs (JWK Set URL) and JWKs (JSON Web Keys); Cookies, XSS Attacks (Cross Site Scripting). As a conclusion, this project collects information about different topics related to web security, and the exploitation of some vulnerabilities. With all this material, students can get a solid base on this topics and see the performance of some of this attacks.En la actualidad, la seguridad web se ha convertido en algo indispensable a la hora de trabajar con Internet, ya sea para proteger bases de datos empresariales, establecer comunicaciones, etc. Con el objetivo de crear material docente, he creado algunas sesiones de laboratorio y documentado varios problemas relacionados con el 'Top 10 de vulnerabilidades de OWASP'. Como método se ha llevado a cabo una revisión sistemática de la información en un gran número de recursos fiables de Internet y se han creado varios ejercicios de laboratorio. Como resultado se ha creado una gran cantidad de material didáctico que incluye algunos ejercicios sobre diferentes temas, principalmente: JWT (JSON Web Tokens), JKUs (JWK Set URL) y JWKs (JSON Web Keys); Cookies, Ataques XSS (Cross Site Scripting). Como conclusión, este proyecto recopila información sobre diferentes temas relacionados con la seguridad web y la explotación de algunas vulnerabilidades. Con todo este material, los estudiantes pueden obtener una base sólida sobre estos temas y ver el rendimiento de algunos de estos ataques.En l'actualitat, la seguretat web s'ha convertit en una cosa indispensable per treballar amb Internet, ja sigui per a protegir les bases de dades empresarials, establir comunicacions, etc. Amb l'objectiu de crear material docent, he creat algunes sessions de laboratori i documentat diversos temes relacionats amb «OWASP (Open Web Application Security Project) top 10 vulnerabilitats». Com a mètode, s'ha dut a terme una revisió sistemàtica de la informació en un gran nombre de recursos d'Internet fiables, i s'han creat diversos exercicis de laboratori. Com a resultat, s'ha creat una gran quantitat de material docent que inclou alguns exercicis sobre diferents temes, principalment: JWT (JSON Web Tokens), JKUs (JWK Set URL) i JWKs (JSON Web Keys); Cookies, atacs XSS (Cross Site Scripting). Com a conclusió, aquest projecte recopila informació sobre diferents temes relacionats amb la seguretat web i l'explotació d'algunes vulnerabilitats. Amb tot aquest material, els estudiants poden obtenir una base sòlida en aquests temes i veure com es portem a terme alguns d'aquests atacs

Password-less two-factor authentication using scannable barcodes on a mobile device

Currently, passwords are the default method used to authenticate users. As hardware continues to advance in speed, breaking these passwords becomes easier. The traditional solution to this problem is ever increasing password complexity and two-factor authentication. However, users become strained under overly complex login systems and often circumvent them. Two-factor authentication also adds to this complexity and many forms of two-factor authentication are inherently insecure. In answer to these problems, this project proposes a password-less multi-factor authentication system, which leverages the tried-and-proven existing technologies, asymmetric cryptography, digital signatures, and biometric authentication. Simulated user testing shows promising results, suggesting that registration can be completed in just over thirty seconds, and authentication in just over two seconds. An analysis of this project’s possible attack vectors, preventative steps taken, and their solutions in potential future research are also discussed

Identity Management and Authorization Infrastructure in Secure Mobile Access to Electronic Health Records

We live in an age of the mobile paradigm of anytime/anywhere access, as the mobile device is the most ubiquitous device that people now hold. Due to their portability, availability, easy of use, communication, access and sharing of information within various domains and areas of our daily lives, the acceptance and adoption of these devices is still growing. However, due to their potential and raising numbers, mobile devices are a growing target for attackers and, like other technologies, mobile applications are still vulnerable. Health information systems are composed with tools and software to collect, manage, analyze and process medical information (such as electronic health records and personal health records). Therefore, such systems can empower the performance and maintenance of health services, promoting availability, readability, accessibility and data sharing of vital information about a patients overall medical history, between geographic fragmented health services. Quick access to information presents a great importance in the health sector, as it accelerates work processes, resulting in better time utilization. Additionally, it may increase the quality of care. However health information systems store and manage highly sensitive data, which raises serious concerns regarding patients privacy and safety, and may explain the still increasing number of malicious incidents reports within the health domain. Data related to health information systems are highly sensitive and subject to severe legal and regulatory restrictions, that aim to protect the individual rights and privacy of patients. Along side with these legislations, security requirements must be analyzed and measures implemented. Within the necessary security requirements to access health data, secure authentication, identity management and access control are essential to provide adequate means to protect data from unauthorized accesses. However, besides the use of simple authentication models, traditional access control models are commonly based on predefined access policies and roles, and are inflexible. This results in uniform access control decisions through people, different type of devices, environments and situational conditions, and across enterprises, location and time. Although already existent models allow to ensure the needs of the health care systems, they still lack components for dynamicity and privacy protection, which leads to not have desire levels of security and to the patient not to have a full and easy control of his privacy. Within this master thesis, after a deep research and review of the stat of art, was published a novel dynamic access control model, Socio-Technical Risk-Adaptable Access Control modEl (SoTRAACE), which can model the inherent differences and security requirements that are present in this thesis. To do this, SoTRAACE aggregates attributes from various domains to help performing a risk assessment at the moment of the request. The assessment of the risk factors identified in this work is based in a Delphi Study. A set of security experts from various domains were selected, to classify the impact in the risk assessment of each attribute that SoTRAACE aggregates. SoTRAACE was integrated in an architecture with requirements well-founded, and based in the best recommendations and standards (OWASP, NIST 800-53, NIST 800-57), as well based in deep review of the state-of-art. The architecture is further targeted with the essential security analysis and the threat model. As proof of concept, the proposed access control model was implemented within the user-centric architecture, with two mobile prototypes for several types of accesses by patients and healthcare professionals, as well the web servers that handles the access requests, authentication and identity management. The proof of concept shows that the model works as expected, with transparency, assuring privacy and data control to the user without impact for user experience and interaction. It is clear that the model can be extended to other industry domains, and new levels of risks or attributes can be added because it is modular. The architecture also works as expected, assuring secure authentication with multifactor, and secure data share/access based in SoTRAACE decisions. The communication channel that SoTRAACE uses was also protected with a digital certificate. At last, the architecture was tested within different Android versions, tested with static and dynamic analysis and with tests with security tools. Future work includes the integration of health data standards and evaluating the proposed system by collecting users’ opinion after releasing the system to real world.Hoje em dia vivemos em um paradigma móvel de acesso em qualquer lugar/hora, sendo que os dispositivos móveis são a tecnologia mais presente no dia a dia da sociedade. Devido à sua portabilidade, disponibilidade, fácil manuseamento, poder de comunicação, acesso e partilha de informação referentes a várias áreas e domínios das nossas vidas, a aceitação e integração destes dispositivos é cada vez maior. No entanto, devido ao seu potencial e aumento do número de utilizadores, os dispositivos móveis são cada vez mais alvos de ataques, e tal como outras tecnologias, aplicações móveis continuam a ser vulneráveis. Sistemas de informação de saúde são compostos por ferramentas e softwares que permitem recolher, administrar, analisar e processar informação médica (tais como documentos de saúde eletrónicos). Portanto, tais sistemas podem potencializar a performance e a manutenção dos serviços de saúde, promovendo assim a disponibilidade, acessibilidade e a partilha de dados vitais referentes ao registro médico geral dos pacientes, entre serviços e instituições que estão geograficamente fragmentadas. O rápido acesso a informações médicas apresenta uma grande importância para o setor da saúde, dado que acelera os processos de trabalho, resultando assim numa melhor eficiência na utilização do tempo e recursos. Consequentemente haverá uma melhor qualidade de tratamento. Porém os sistemas de informação de saúde armazenam e manuseiam dados bastantes sensíveis, o que levanta sérias preocupações referentes à privacidade e segurança do paciente. Assim se explica o aumento de incidentes maliciosos dentro do domínio da saúde. Os dados de saúde são altamente sensíveis e são sujeitos a severas leis e restrições regulamentares, que pretendem assegurar a proteção dos direitos e privacidade dos pacientes, salvaguardando os seus dados de saúde. Juntamente com estas legislações, requerimentos de segurança devem ser analisados e medidas implementadas. Dentro dos requerimentos necessários para aceder aos dados de saúde, uma autenticação segura, gestão de identidade e controlos de acesso são essenciais para fornecer meios adequados para a proteção de dados contra acessos não autorizados. No entanto, além do uso de modelos simples de autenticação, os modelos tradicionais de controlo de acesso são normalmente baseados em políticas de acesso e cargos pré-definidos, e são inflexíveis. Isto resulta em decisões de controlo de acesso uniformes para diferentes pessoas, tipos de dispositivo, ambientes e condições situacionais, empresas, localizações e diferentes alturas no tempo. Apesar dos modelos existentes permitirem assegurar algumas necessidades dos sistemas de saúde, ainda há escassez de componentes para accesso dinâmico e proteção de privacidade , o que resultam em níveis de segurança não satisfatórios e em o paciente não ter controlo directo e total sobre a sua privacidade e documentos de saúde. Dentro desta tese de mestrado, depois da investigação e revisão intensiva do estado da arte, foi publicado um modelo inovador de controlo de acesso, chamado SoTRAACE, que molda as diferenças de acesso inerentes e requerimentos de segurança presentes nesta tese. Para isto, o SoTRAACE agrega atributos de vários ambientes e domínios que ajudam a executar uma avaliação de riscos, no momento em que os dados são requisitados. A avaliação dos fatores de risco identificados neste trabalho são baseados num estudo de Delphi. Um conjunto de peritos de segurança de vários domínios industriais foram selecionados, para classificar o impacto de cada atributo que o SoTRAACE agrega. O SoTRAACE foi integrado numa arquitectura para acesso a dados médicos, com requerimentos bem fundados, baseados nas melhores normas e recomendações (OWASP, NIST 800-53, NIST 800-57), e em revisões intensivas do estado da arte. Esta arquitectura é posteriormente alvo de uma análise de segurança e modelos de ataque. Como prova deste conceito, o modelo de controlo de acesso proposto é implementado juntamente com uma arquitetura focada no utilizador, com dois protótipos para aplicações móveis, que providênciam vários tipos de acesso de pacientes e profissionais de saúde. A arquitetura é constituída também por servidores web que tratam da gestão de dados, controlo de acesso e autenticação e gestão de identidade. O resultado final mostra que o modelo funciona como esperado, com transparência, assegurando a privacidade e o controlo de dados para o utilizador, sem ter impacto na sua interação e experiência. Consequentemente este modelo pode-se extender para outros setores industriais, e novos níveis de risco ou atributos podem ser adicionados a este mesmo, por ser modular. A arquitetura também funciona como esperado, assegurando uma autenticação segura com multi-fator, acesso e partilha de dados segura baseado em decisões do SoTRAACE. O canal de comunicação que o SoTRAACE usa foi também protegido com um certificado digital. A arquitectura foi testada em diferentes versões de Android, e foi alvo de análise estática, dinâmica e testes com ferramentas de segurança. Para trabalho futuro está planeado a integração de normas de dados de saúde e a avaliação do sistema proposto, através da recolha de opiniões de utilizadores no mundo real

Strong authentication based on mobile application

The user authentication in online services has evolved over time from the old username and password-based approaches to current strong authentication methodologies. Especially, the smartphone app has become one of the most important forms to perform the authentication. This thesis describes various authentication methods used previously and discusses about possible factors that generated the demand for the current strong authentication approach. We present the concepts and architectures of mobile application based authentication systems. Furthermore, we take closer look into the security of the mobile application based authentication approach. Mobile apps have various attack vectors that need to be taken under consideration when designing an authentication system. Fortunately, various generic software protection mechanisms have been developed during the last decades. We discuss how these mechanisms can be utilized in mobile app environment and in the authentication context. The main idea of this thesis is to gather relevant information about the authentication history and to be able to build a view of strong authentication evolution. This history and the aspects of the evolution are used to state hypothesis about the future research and development. We predict that the authentication systems in the future may be based on a holistic view of the behavioral patterns and physical properties of the user. Machine learning may be used in the future to implement an autonomous authentication concept that enables users to be authenticated with minimal physical or cognitive effort

An Overview of Cryptography (Updated Version, 3 March 2016)

There are many aspects to security and many applications, ranging from secure commerce and payments to private communications and protecting passwords. One essential aspect for secure communications is that of cryptography...While cryptography is necessary for secure communications, it is not by itself sufficient. This paper describes the first of many steps necessary for better security in any number of situations. A much shorter, edited version of this paper appears in the 1999 edition of Handbook on Local Area Networks published by Auerbach in September 1998