Formal Analysis of MCAP Protocol Against Replay Attack

Replay attack is considered a common attacking technique that is used by adversaries to gain access to confidential information. Several approaches have been proposed to prevent replay attack in security-critical systems such as Automated Teller Machines (ATM) systems. Among those approaches is a recent one called the Mutual Chain Authentication Protocol for the Saudi Payments Network transactions (MCAP). This protocol aims to allow Saudi banking systems to overcome existing weaknesses in the currently used Two-Factor Authentication (2FA) protocols. In this paper, we analyze and verify the recent MCAP authentication protocol against replay attacks. Therefore, we examine the mutual authentication between the ATM Terminal, Sponsoring Banks (SBAT), Saudi Payments Network (SPAN) and the Issuing of Financial Bank (CIFI). The paper also provides a formal analysis of the MCAP to conduct formal proofs of the MCAP protocols against replay attacks

Study and development of a remote biometric authentication protocol

This paper reports the phases of study and implementation of a remote biometric authentication protocol developed during my internship at the I.i.t. of the C.n.r. in Pisa. Starting from the study of authentication history we had a look from the first system used since the 60ies to the latest technology; this helped us understand how we could realize a demonstration working protocol that could achieve a web remote authentication granting good reliability: to do this we choosed to modify the SSL handshake with biometric tests and we decided to use smart-cards a secure vault for the sensible biometric data involved. In the first chapter you will find a brief definition of authentication and an introduction on how we can achieve it, with a particular focus on new biometric techniques. In the second chapter there\u27s the history of authentication from the very first password system to actual ones: new token and smart card technolgies are longer stressed in order to introduce the reader to the last chapter. In the third chapter you will find the project framework, the development of our implementation choiches and the source code of the demo project

ERINYES: A CONTINUOUS AUTHENTICATION PROTOCOL

The need for user authentication in the digital domain is paramount as the number of digital interactions that involve sensitive data continues to increase. Advances in the fields of machine learning (ML) and biometric encryption have enabled the development of technologies that can provide fully remote continuous user authentication services. This thesis introduces the Erinyes protocol. The protocol leverages state of the art ML models, biometric encryption of asymmetric cryptographic keys, and a trusted third-party client-server architecture to continuously authenticate users through their behavioral biometrics. The goals in developing the protocol were to identify if biometric encryption using keystroke timing and mouse cursor movement sequences were feasible and to measure the performance of a continuous authentication system that utilizes biometric encryption. Our research found that with a combined keystroke and mouse cursor movement dataset, the biometric encryption system can perform with a 0.93% False Acceptance Rate (FAR), 0.00% False Reject Rate (FRR), and 99.07% accuracy. Using a similar dataset, the overall integrated system averaged 0% FAR, 2% FRR and 98% accuracy across multiple users. These metrics demonstrate that the Erinyes protocol can achieve continuous user authentication with minimal user intrusion.Lieutenant, United States NavyLieutenant, United States NavyApproved for public release. Distribution is unlimited

Application level security enforcement mechanisms for advanced network services

Masteroppgave i informasjons- og kommunikasjonsteknologi 2006 - Høgskolen i Agder, GrimstadToday the telecom world and the Internet world are converging. Ericsson has foreseen this convergence and developed a prototype of a service creation and execution environment called ServiceFrame. ServiceFrame is an extension of the ActorFrame framework. ActorFrame features new concepts described in UML 2.0, such as connectors, ports, parts and behaviour inheritance and structured classes. ActorFrame has central components called actors and agents. Actors and agents are modelled and described using the UML 2.0 notation. In ActorFrame and ServiceFrame actors and agents are communicating asynchronously using messages and concurrent state machines. The ServiceFrame developers have always concentrated on making ServiceFrame a framework with distributed components. The developers have not yet focused on the security issues in ServiceFrame. As a result ServiceFrame currently has no security mechanisms for securing actors or agents. This thesis proposes a security protocol and security mechanisms for securing ServiceFrame. The proposed security mechanisms are implemented in a prototype and tested using a test case. The report first gives an introduction to security concepts, such as authentication, authorisation, integrity and confidentiality. The report also describes relevant frameworks and security protocols. The Java programming language is used for developing and implementing the security mechanisms. UML 2.0 is used as the modelling language. At the end of the report the security mechanisms are analysed and discussed. Authentication in ServiecFrame is achieved by using a key exchange protocol with certificates. In the thesis a solution for achieving authorisation is proposed. This thesis only proposes a rudimentary solution which uses access control lists. Integrity and confidentiality are achieved using cryptography and signing of messages. The main conclusion of this thesis is that the security mechanisms proposed can contribute to securing the ServiceFrame framework. The security mechanisms achieve point to point security between two agents. ServiceFrame could be used to secure access to the Parlay gateway and telecom services. Fundamental in the security mechanisms is an extended variant of the Needham-Schroeder-Lowe public key protocol. The main contribution of this thesis has been to introduce security in ServiceFrame, which previously had not been implemented. The security mechanisms can be used by developers of ServiceFrame to accomplish security in their services. Commercial systems require focus on security to secure both end users and the service providers. The thesis work may contribute to the establishment of ServiceFrame in commercially related products in the future. The thesis has shown that ServiceFrame does not have security mechanisms and that achieving security is essential for ServiceFrame. The thesis has also shown that some of the proposed security mechanisms can be implemented in the framework. It has also shown how security concepts can be implemented and used by distributed components

Analysing the behaviour of a smart card based model for secure communication with remote computers over the internet

This dissertation presents the findings of a generic model aimed at providing secure communication with remote computers via the Internet, based on smart cards. The results and findings are analysed and presented in great detail, in particular the behaviour and performance of smart cards when used to provide the cryptographic functionality. Two implemented models are presented. The first model uses SSL to secure the communication channel over the Internet while using smart cards for user authentication and storage of cryptographic keys. The second model presents the SSH for channel security and smart cards for user authentication, key storage and actual encryption and decryption of data. The model presented is modular and generic by nature, meaning that it can easily be modified to accept the newer protocol by simply including the protocols in a library and with a minor or no modification to both server and client application software. For example, any new algorithm for encryption, key exchange, signature, or message digest, can be easily accommodated into the system, which proves that the model is generic and can easily be integrated into newer technologies. Similarly, smart cards are used for cryptography. Two options are presented: first the smart cards only store the algorithm keys and user authentication, and secondly, smart cards are used for storing the algorithm keys, user authentication, and actual data encryption or decryption, as the requirement may dictate. This is very useful, for example, if data to be transferred is limited to a few bytes, then actual data encryption and decryption is performed using smart cards. On the other hand, if a great deal of data is to be transferred, then only authentication and key storage are performed with smart cards. The model currently uses 3DES with smart card encryption and decryption, because this is faster and consumes fewer resources when compared to RSA. Once again, the model design is flexible to accommodate new algorithms such as AES or IDEA. Important aspects of the dissertation are the study and analysis of the security attacks on smart card use. Several smart card attack scenarios are presented in CHAPTER 3, and their possible prevention is also discussed in detail. AFRIKAANS : Hierdie verhandeling bied die bevindinge van 'n generiese model wat daarop gemik is om veilige kommunikasie te voorsien met 'n afstandsrekenaar via die Internet en op slimkaarte gebaseer. Die resultate en bevindings word ontleed en breedvoerig aangebied, veral die gedrag en werkverrigting van slimkaarte wanneer hulle gebruik word om die kriptografiese funksionaliteit te voorsien. Daar word twee geïmplementeerde modelle aangebied. Die eerste model gebruik SSL om die kommunikasiekanaal oor die Internet te beveilig terwyl slimkaarte vir gebruikerbekragtiging en stoor van kriptografiese sleutels gebruik word. Die tweede model bied die SSH vir kanaalsekuriteit en slimkaarte vir gebruikergeldigheidvasstelling, sleutelstoor en werklike kodering en dekodering van data. Die model wat aangebied word, is modulêr en generies van aard, wat beteken dat dit maklik gewysig kan word om die jongste protokolle te aanvaar deur bloot die protokolle by 'n programbiblioteek met geringe of geen wysiging van beide die bediener- en kliënttoepassingsagteware in te sluit. Byvoorbeeld, enige nuwe algoritme vir kodering, sleuteluitruiling, handtekening of boodskapbondeling kan maklik in die stelsel gehuisves word, wat bewys dat die model generies is en maklik in jonger tegnologieë geïntegreer kan word. Slimkaarte word op soortgelyke wyse vir kriptografie gebruik. Daar word twee keuses aangebied: eerstens stoor die slimkaarte slegs die algoritmesleutels en gebruikergeldigheidvasstelling en tweedens word slimkaarte gebruik om die algoritmesleutels, gebruikergeldigheidvasstelling en werklike datakodering en –dekodering te stoor na gelang van wat vereis word. Dit is baie nuttig, byvoorbeeld, wanneer data wat oorgedra moet word, tot 'n paar grepe beperk is, word die eintlike datakodering en – dekodering uitgevoer deur slimkaarte te gebruik. Andersyds, indien 'n groot hoeveelheid data oorgedra moet word, word slegs geldigheidvasstelling en stoor met slimkaarte uitgevoer. Die model gebruik tans 3DES met slimkaartkodering en –dekodering omdat dit vinniger is en minder hulpbronne gebruik vergeleke met RSA. Die modelontwerp is weer eens buigsaam om nuwe algoritmes soos AES of IDEA te huisves. Nog 'n belangrike aspek van die verhandeling is om die sekuriteitaanvalle op slimkaartgebruik te ondersoek en te ontleed. Verskeie slimkaartaanvalscenario's word in Hoofstuk 3 aangebied en die moontlike voorkoming daarvan word ook breedvoerig bespreek.Dissertation (MEng)--University of Pretoria, 2011.Electrical, Electronic and Computer Engineeringunrestricte