1,000 research outputs found
Privacy-Preserving Credentials Upon Trusted Computing Augmented Servers
Abstract. Credentials are an indispensable means for service access control in electronic commerce. However, regular credentials such as X.509 certificates and SPKI/SDSI certificates do not address user pri-vacy at all, while anonymous credentials that protect user privacy are complex and have compatibility problems with existing PKIs. In this pa-per we propose privacy-preserving credentials, a concept between regular credentials and anonymous credentials. The privacy-preserving creden-tials enjoy the advantageous features of both regular credentials and anonymous credentials, and strike a balance between user anonymity and system complexity. We achieve this by employing computer servers equipped with TPMs (Trusted Platform Modules). We present a detailed construction for ElGamal encryption credentials. We also present XML-based specification for the privacy-preserving credentials.
Systematizing Decentralization and Privacy: Lessons from 15 Years of Research and Deployments
Decentralized systems are a subset of distributed systems where multiple
authorities control different components and no authority is fully trusted by
all. This implies that any component in a decentralized system is potentially
adversarial. We revise fifteen years of research on decentralization and
privacy, and provide an overview of key systems, as well as key insights for
designers of future systems. We show that decentralized designs can enhance
privacy, integrity, and availability but also require careful trade-offs in
terms of system complexity, properties provided, and degree of
decentralization. These trade-offs need to be understood and navigated by
designers. We argue that a combination of insights from cryptography,
distributed systems, and mechanism design, aligned with the development of
adequate incentives, are necessary to build scalable and successful
privacy-preserving decentralized systems
LDAKM-EIoT: Lightweight Device Authentication and Key Management Mechanism for Edge-Based IoT Deployment
In recent years, edge computing has emerged as a new concept in the computing paradigm that empowers several future technologies, such as 5G, vehicle-to-vehicle communications, and the Internet of Things (IoT), by providing cloud computing facilities, as well as services to the end users. However, open communication among the entities in an edge based IoT environment makes it vulnerable to various potential attacks that are executed by an adversary. Device authentication is one of the prominent techniques in security that permits an IoT device to authenticate mutually with a cloud server with the help of an edge node. If authentication is successful, they establish a session key between them for secure communication. To achieve this goal, a novel device authentication and key management mechanism for the edge based IoT environment, called the lightweight authentication and key management scheme for the edge based IoT environment (LDAKM-EIoT), was designed. The detailed security analysis and formal security verification conducted by the widely used Automated Validation of Internet Security Protocols and Applications (AVISPA) tool prove that the proposed LDAKM-EIoT is secure against several attack vectors that exist in the infrastructure of the edge based IoT environment. The elaborated comparative analysis of the proposed LDAKM-EIoT and different closely related schemes provides evidence that LDAKM-EIoT is more secure with less communication and computation costs. Finally, the network performance parameters are calculated and analyzed using the NS2 simulation to demonstrate the practical facets of the proposed LDAKM-EIoT
Network security for augmented reality application in health care sector
Abstract. The recent advances in mobile devices and wireless communication sector transformed Mobile Augmented Reality (MAR) from science ļ¬ction to a reality. Incorporating this MAR technology in health care sector elevates the quality of diagnosis and treatment for the patients. However, due to the highly sensitive nature of the data being circulated in this process, it is also highly vulnerable to the security threats. In the thesis, an architecture is proposed for a MAR health care application based on Multi-access Edge Computing (MEC). This includes key features such as displaying augmented view of patient information on the mobile device, augmenting the X-ray or scan image on top of the patientās actual body parts to assist the doctor, and enabling the doctor to interact with an expert and get real time consultancy. Based on the proposed architecture, all the possible network security threats are analyzed. Furthermore, a secure key management scheme is proposed for registration and authentication phases to establish a secure end-to-end communication between the participating entities in the system. The security features of the proposed scheme are formally veriļ¬ed by using Automated Validation of Internet Security Protocols and Applications (AIVSPA) tool, Moreover, an informal veriļ¬cation is provided to discuss the protection against other possible attacks. It has justiļ¬ed that the proposed scheme is able to provide the required level of security for the system
COVID-19 Antibody Test/Vaccination Certification Thereās an app for that
Goal: As the Coronavirus Pandemic of 2019/2020 unfolds, a COVID-19 āImmunity Passportā has been mooted as a way to enable individuals to return back to work. While the quality of antibody testing, the avail- the ability of vaccines, and the likelihood of even attaining COVID-19 immunity continue to be researched, we address the issues involved in providing tamper-proof and privacy-preserving certification for test results and vaccinations. Methods: We developed a prototype mobile phone app and requisite decentralized server architecture that facilitates instant verification of tamper-proof test results. Personally identifiable information is only stored at the userās discretion, and the app allows the end-user selectively to present only the specific test result with no other personal information revealed. The architecture, designed for scalability, relies upon (a) the 2019 World Wide Web Consortium standard called āVerifiable Credentialsā, (b) Tim Berners-Leeās decentralized personal data platform āSolidā, and (c) a Consortium Ethereum-based blockchain. Results: Our mobile phone app and decentralized server architecture enable the mixture of verifiability and privacy in a manner derived from public/private key pairs and digital signatures, generalized to avoid restrictive ownership of sensitive digital keys and/or data. Benchmark performance tests show it to scale linearly in the worst case, as significant processing is done locally on each app. For the test certificate Holder, Issuer (e.g. healthcare staff, pharmacy) and Verifier (e.g. employer), it is ājust another appā which takes only minutes to use. Conclusions: The app and decentralized server architecture offer a prototype proof of concept that is readily scalable, applicable generically, and in effect āwaiting in the wingsā for the biological issues, plus key ethical issues raised in the discussion section, to be resolved
Bringing data minimization to digital wallets at scale with general-purpose zero-knowledge proofs
Today, digital identity management for individuals is either inconvenient and
error-prone or creates undesirable lock-in effects and violates privacy and
security expectations. These shortcomings inhibit the digital transformation in
general and seem particularly concerning in the context of novel applications
such as access control for decentralized autonomous organizations and
identification in the Metaverse. Decentralized or self-sovereign identity (SSI)
aims to offer a solution to this dilemma by empowering individuals to manage
their digital identity through machine-verifiable attestations stored in a
"digital wallet" application on their edge devices. However, when presented to
a relying party, these attestations typically reveal more attributes than
required and allow tracking end users' activities. Several academic works and
practical solutions exist to reduce or avoid such excessive information
disclosure, from simple selective disclosure to data-minimizing anonymous
credentials based on zero-knowledge proofs (ZKPs). We first demonstrate that
the SSI solutions that are currently built with anonymous credentials still
lack essential features such as scalable revocation, certificate chaining, and
integration with secure elements. We then argue that general-purpose ZKPs in
the form of zk-SNARKs can appropriately address these pressing challenges. We
describe our implementation and conduct performance tests on different edge
devices to illustrate that the performance of zk-SNARK-based anonymous
credentials is already practical. We also discuss further advantages that
general-purpose ZKPs can easily provide for digital wallets, for instance, to
create "designated verifier presentations" that facilitate new design options
for digital identity infrastructures that previously were not accessible
because of the threat of man-in-the-middle attacks
PKI Scalability Issues
This report surveys different PKI technologies such as PKIX and SPKI and the
issues of PKI that affect scalability. Much focus is spent on certificate
revocation methodologies and status verification systems such as CRLs,
Delta-CRLs, CRS, Certificate Revocation Trees, Windowed Certificate Revocation,
OCSP, SCVP and DVCS.Comment: 23 pages, 2 figure
- ā¦