2,037 research outputs found
Keys in the Clouds: Auditable Multi-device Access to Cryptographic Credentials
Personal cryptographic keys are the foundation of many secure services, but
storing these keys securely is a challenge, especially if they are used from
multiple devices. Storing keys in a centralized location, like an
Internet-accessible server, raises serious security concerns (e.g. server
compromise). Hardware-based Trusted Execution Environments (TEEs) are a
well-known solution for protecting sensitive data in untrusted environments,
and are now becoming available on commodity server platforms.
Although the idea of protecting keys using a server-side TEE is
straight-forward, in this paper we validate this approach and show that it
enables new desirable functionality. We describe the design, implementation,
and evaluation of a TEE-based Cloud Key Store (CKS), an online service for
securely generating, storing, and using personal cryptographic keys. Using
remote attestation, users receive strong assurance about the behaviour of the
CKS, and can authenticate themselves using passwords while avoiding typical
risks of password-based authentication like password theft or phishing. In
addition, this design allows users to i) define policy-based access controls
for keys; ii) delegate keys to other CKS users for a specified time and/or a
limited number of uses; and iii) audit all key usages via a secure audit log.
We have implemented a proof of concept CKS using Intel SGX and integrated this
into GnuPG on Linux and OpenKeychain on Android. Our CKS implementation
performs approximately 6,000 signature operations per second on a single
desktop PC. The latency is in the same order of magnitude as using
locally-stored keys, and 20x faster than smart cards.Comment: Extended version of a paper to appear in the 3rd Workshop on
Security, Privacy, and Identity Management in the Cloud (SECPID) 201
Multiprotocol Authentication Device for HPC and Cloud Environments Based on Elliptic Curve Cryptography
Multifactor authentication is a relevant tool in securing IT infrastructures combining two or
more credentials. We can find smartcards and hardware tokens to leverage the authentication process,
but they have some limitations. Users connect these devices in the client node to log in or request access
to services. Alternatively, if an application wants to use these resources, the code has to be amended
with bespoke solutions to provide access. Thanks to advances in system-on-chip devices, we can
integrate cryptographically robust, low-cost solutions. In this work, we present an autonomous device
that allows multifactor authentication in client–server systems in a transparent way, which facilitates
its integration in High-Performance Computing (HPC) and cloud systems, through a generic gateway.
The proposed electronic token (eToken), based on the system-on-chip ESP32, provides an extra layer
of security based on elliptic curve cryptography. Secure communications between elements use
Message Queuing Telemetry Transport (MQTT) to facilitate their interconnection. We have evaluated
different types of possible attacks and the impact on communications. The proposed system offers an
efficient solution to increase security in access to services and systems.Spanish Ministry of Science, Innovation and Universities (MICINN)
PGC2018-096663-B-C44European Union (EU
Secure MAC protocols for cognitive radio networks
A thesis submitted in partial fulfilment for the degree of Doctor of PhilosophyWith the rapid increase in wireless devices, an effective improvement in the demand of efficient spectrum utilisation for gaining better connectivity is needed. Cognitive Radio (CR) is an emerging technology that exploits the inefficient utilisation of the unused spectrum dynamically. Since spectrum sharing is responsible for coordinating channels’ access for Cognitive Users (CUs), the Common Control Channel (CCC) is one of the existing methods used to exchange the control information between CUs. However, the unique characteristics and parameters of Cognitive Radio Networks (CRNs) present several possible threats targeting spectrum sensing, spectrum management, spectrum sharing, and spectrum mobility leading to the deterioration of the network performance. Thus, protection and detection security mechanisms are essential to maintaining the CRNs. This thesis presents a novel decentralised CR MAC protocol that successfully utilises the unused portion of the licensed band. The protocol achieves improved performance; communication time and throughput when compared to two benchmark protocols. Less communication time and higher throughput are accomplished by the protocol due to performing fast switching to the selected available data channel for initiating data transmission. The proposed protocol is then extended to two different versions based on two authentication approaches applied to it; one using Digital Signature and another is based on Shared-Key. The two proposed secure protocols address the security requirements in CRNs leading to subsequent secure communication among CUs. The protocols function effectively in providing defence against several attacks related to the MAC layer such as; Spectrum Sensing Data Manipulation/Falsification, Data Tempering and Modification, Jamming attacks, Eavesdropping, Forgery and Fake control information attacks, MAC address spoofing, and unauthorised access attacks. The associated security algorithms ensure the successful secure communication between CUs in a cooperative approach. Moreover, the security protocols are investigated and analysed in terms of security flows by launching unauthorised access and modification attacks on the transmitted information. The testing results demonstrated that two protocols perform successful detection of threats and ensure secure communication in CRNs
ViotSOC: Controlling Access to Dynamically Virtualized IoT Services using Service Object Capability
Virtualization of Internet of Things(IoT) is a concept of dynamically
building customized high-level IoT services which
rely on the real time data streams from low-level physical
IoT sensors. Security in IoT virtualization is challenging,
because with the growing number of available (building
block) services, the number of personalizable virtual
services grows exponentially. This paper proposes Service
Object Capability(SOC) ticket system, a decentralized access
control mechanism between servers and clients to effi-
ciently authenticate and authorize each other without using
public key cryptography. SOC supports decentralized
partial delegation of capabilities specified in each server/-
client ticket. Unlike PKI certificates, SOC’s authentication
time and handshake packet overhead stays constant regardless
of each capability’s delegation hop distance from the
root delegator. The paper compares SOC’s security bene-
fits with Kerberos and the experimental results show SOC’s
authentication incurs significantly less time packet overhead
compared against those from other mechanisms based on
RSA-PKI and ECC-PKI algorithms. SOC is as secure as,
and more efficient and suitable for IoT environments, than
existing PKIs and Kerberos
- …