An Efficient NIZK Scheme for Privacy-Preserving Transactions over Account-Model Blockchain

We introduce the abstract framework of decentralized smart contracts system with balance and transaction amount hiding property under the ACCOUNT architecture. To build a concrete system with such properties, we utilize a homomorphic public key encryption scheme and construct a highly efficient non-interactive zero knowledge (NIZK) argument based upon the encryption scheme to ensure the validity of the transactions. Our NIZK scheme is perfect zero knowledge in the common reference string model, while its soundness holds in the random oracle model. Compared to previous similar constructions, our proposed NIZK argument dramatically improves the time efficiency in generating a proof, at the cost of relatively longer proof size

User-differentiated hierarchical key management for the bring-your-own-device environments

To ensure confidentiality, the sensitive electronic data held within a corporation is always carefully encrypted and stored in a manner so that it is inaccessible to those parties who are not involved. During this process, the specific manners of how to keep, distribute, use, and update keys which are used to encrypt the sensitive data become an important thing to be considered. Through use of hierarchical key management, a technique that provides access controls in multi-user systems where a portion of sensitive resources shall only be made available to authorized users or security ordinances, required information is distributed on a need-to-know basis. As a result of this hierarchical key management, time-bound hierarchical key management further adds time controls to the information access process. There is no existing hierarchical key management scheme or time-bound hierarchical key management scheme which is able to differentiate users with the same authority. When changes are required for any user, all other users who have the same access authorities will be similarly affected, and this deficiency then further deteriorates due to a recent trend which has been called Bring-Your-Own-Device. This thesis proposes the construction of a new time-bound hierarchical key management scheme called the User-Differentiated Two-Layer Encryption-Based Scheme (UDTLEBC), one which is designed to differentiate between users. With this differentiation, whenever any changes are required for one user during the processes of key management, no additional users will be affected during these changes and these changes can be done without interactions with the users. This new scheme is both proven to be secure as a time-bound hierarchical key management scheme and efficient for use in a BYOD environment

LDAKM-EIoT: Lightweight Device Authentication and Key Management Mechanism for Edge-Based IoT Deployment

In recent years, edge computing has emerged as a new concept in the computing paradigm that empowers several future technologies, such as 5G, vehicle-to-vehicle communications, and the Internet of Things (IoT), by providing cloud computing facilities, as well as services to the end users. However, open communication among the entities in an edge based IoT environment makes it vulnerable to various potential attacks that are executed by an adversary. Device authentication is one of the prominent techniques in security that permits an IoT device to authenticate mutually with a cloud server with the help of an edge node. If authentication is successful, they establish a session key between them for secure communication. To achieve this goal, a novel device authentication and key management mechanism for the edge based IoT environment, called the lightweight authentication and key management scheme for the edge based IoT environment (LDAKM-EIoT), was designed. The detailed security analysis and formal security verification conducted by the widely used Automated Validation of Internet Security Protocols and Applications (AVISPA) tool prove that the proposed LDAKM-EIoT is secure against several attack vectors that exist in the infrastructure of the edge based IoT environment. The elaborated comparative analysis of the proposed LDAKM-EIoT and different closely related schemes provides evidence that LDAKM-EIoT is more secure with less communication and computation costs. Finally, the network performance parameters are calculated and analyzed using the NS2 simulation to demonstrate the practical facets of the proposed LDAKM-EIoT

An Efficient Time-Bound Hierarchical Key Assignment Scheme with a New Merge Function: A Performance Study

The advent of digital age has resulted in more television consumers switching to Digital TV with considerable improvement in image quality and ease-of-use. Consumers are able to select and view television programs and channels of choice by using a pay-per-use model or streaming video from their computer terminals. In all these use cases, the media provider requires a means by which they can restrict the consumers from watching selected programs for a pre-approved temporal interval. The consumer needs to be prevented access to certain pay-per-use channels and programs upon expiry of this pre-approved access. This necessitates the media provider to have a way to generate and assign time-bound secure access keys which could be granted and removed easily. In conventional key assignment schemes, one has to renew the keys periodically and redistribute the keys to the users accordingly. To allow a user to access all the authorized data over some temporal window, this straightforward implementation requires him/her to keep a lot of keys which is very inefficient. In contrast to conventional schemes, a time-bound hierarchical key assignment scheme updates the keys periodically according to the class hierarchy and an entity only keeps a small amount of information for deriving all his entitled keys. Wang and Laih (WL) proposed a scheme with a concept of merging, which provides a systematic way to solve the problem. Yeh-Shyam (YS) scheme has improved on the WL scheme and has theoretically shown polynomial improvement in both memory and performance requirement. In this project, we will compare and contrast these secure key generation techniques and provide comparative analytical results

New Insights on cryptographic hierarchical access control: models, schemes and analysis

2014 - 2015Nowadays the current network-centric world has given rise to several security concerns regarding the access control management, which en- sures that only authorized users are given access to certain resources or tasks. In particular, according to their respective roles and respon- sibilities, users are typically organized into hierarchies composed of several disjoint classes (security classes). A hierarchy is characterized by the fact that some users may have more access rights than others, according to a top-down inclusion paradigm following speci c hier- archical dependencies. A user with access rights for a given class is granted access to objects stored in that class, as well as to all the de- scendant ones in the hierarchy. The problem of key management for such hierarchies consists in assigning a key to each class of the hierar- chy, so that the keys for descendant classes can be e ciently obtained from users belonging to classes at a higher level in the hierarchy. In this thesis we analyze the security of hierarchical key assignment schemes according to di erent notions: security with respect to key indistinguishability and against key recovery [4], as well as the two recently proposed notions of security with respect to strong key in- distinguishability and against strong key recovery [42]. More precisely, we rst explore the relations between all security notions and, in par- ticular, we prove that security with respect to strong key indistin- guishability is not stronger than the one with respect to key indistin- guishability. Afterwards, we propose a general construction yielding a hierarchical key assignment scheme that ensures security against strong key recovery, given any hierarchical key assignment scheme which guarantees security against key recovery. Moreover, we de ne the concept of hierarchical key assignment schemes supporting dynamic updates, formalizing the relative secu- rity model. In particular, we provide the notions of security with respect to key indistinguishability and key recovery, by taking into ac- count the dynamic changes to the hierarchy. Furthermore, we show how to construct a hierarchical key assignment scheme supporting dy- namic updates, by using as a building block a symmetric encryption scheme. The proposed construction is provably secure with respect to key indistinguishability, provides e cient key derivation and updat- ing procedures, while requiring each user to store only a single private key. Finally, we propose a novel model that generalizes the conventional hierarchical access control paradigm, by extending it to certain addi- tional sets of quali ed users. Afterwards, we propose two construc- tions for hierarchical key assignment schemes in this new model, which are provably secure with respect to key indistinguishability. In par- ticular, the former construction relies on both symmetric encryption and perfect secret sharing, whereas, the latter is based on public-key threshold broadcast encryption. [edited by author]XIV n.s

Security of Bertino-Shang-Wagstaff Time-Bound Hierarchical Key Management Scheme for Secure Broadcasting

Bertino, Shang and Wagstaff proposed a time-bound hierarchical key management scheme for secure broadcasting, using elliptic curve cryptography and tamper-resistant devices. Two collusion attacks were made on this scheme

Securing clouds using cryptography and traffic classification

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. Over the last decade, cloud computing has gained popularity and wide acceptance, especially within the health sector where it offers several advantages such as low costs, flexible processes, and access from anywhere. Although cloud computing is widely used in the health sector, numerous issues remain unresolved. Several studies have attempted to review the state of the art in eHealth cloud privacy and security however, some of these studies are outdated or do not cover certain vital features of cloud security and privacy such as access control, revocation and data recovery plans. This study targets some of these problems and proposes protocols, algorithms and approaches to enhance the security and privacy of cloud computing with particular reference to eHealth clouds. Chapter 2 presents an overview and evaluation of the state of the art in eHealth security and privacy. Chapter 3 introduces different research methods and describes the research design methodology and processes used to carry out the research objectives. Of particular importance are authenticated key exchange and block cipher modes. In Chapter 4, a three-party password-based authenticated key exchange (TPAKE) protocol is presented and its security analysed. The proposed TPAKE protocol shares no plaintext data; all data shared between the parties are either hashed or encrypted. Using the random oracle model (ROM), the security of the proposed TPAKE protocol is formally proven based on the computational Diffie-Hellman (CDH) assumption. Furthermore, the analysis included in this chapter shows that the proposed protocol can ensure perfect forward secrecy and resist many kinds of common attacks such as man-in-the-middle attacks, online and offline dictionary attacks, replay attacks and known key attacks. Chapter 5 proposes a parallel block cipher (PBC) mode in which blocks of cipher are processed in parallel. The results of speed performance tests for this PBC mode in various settings are presented and compared with the standard CBC mode. Compared to the CBC mode, the PBC mode is shown to give execution time savings of 60%. Furthermore, in addition to encryption based on AES 128, the hash value of the data file can be utilised to provide an integrity check. As a result, the PBC mode has a better speed performance while retaining the confidentiality and security provided by the CBC mode. Chapter 6 applies TPAKE and PBC to eHealth clouds. Related work on security, privacy preservation and disaster recovery are reviewed. Next, two approaches focusing on security preservation and privacy preservation, and a disaster recovery plan are proposed. The security preservation approach is a robust means of ensuring the security and integrity of electronic health records and is based on the PBC mode, while the privacy preservation approach is an efficient authentication method which protects the privacy of personal health records and is based on the TPAKE protocol. A discussion about how these integrated approaches and the disaster recovery plan can ensure the reliability and security of cloud projects follows. Distributed denial of service (DDoS) attacks are the second most common cybercrime attacks after information theft. The timely detection and prevention of such attacks in cloud projects are therefore vital, especially for eHealth clouds. Chapter 7 presents a new classification system for detecting and preventing DDoS TCP flood attacks (CS_DDoS) for public clouds, particularly in an eHealth cloud environment. The proposed CS_DDoS system offers a solution for securing stored records by classifying incoming packets and making a decision based on these classification results. During the detection phase, CS_DDOS identifies and determines whether a packet is normal or from an attacker. During the prevention phase, packets classified as malicious are denied access to the cloud service, and the source IP is blacklisted. The performance of the CS_DDoS system is compared using four different classifiers: a least-squares support vector machine (LS-SVM), naïve Bayes, K-nearest-neighbour, and multilayer perceptron. The results show that CS_DDoS yields the best performance when the LS-SVM classifier is used. This combination can detect DDoS TCP flood attacks with an accuracy of approximately 97% and a Kappa coefficient of 0.89 when under attack from a single source, and 94% accuracy and a Kappa coefficient of 0.9 when under attack from multiple attackers. These results are then discussed in terms of the accuracy and time complexity, and are validated using a k-fold cross-validation model. Finally, a method to mitigate DoS attacks in the cloud and reduce excessive energy consumption through managing and limiting certain flows of packets is proposed. Instead of a system shutdown, the proposed method ensures the availability of service. The proposed method manages the incoming packets more effectively by dropping packets from the most frequent requesting sources. This method can process 98.4% of the accepted packets during an attack. Practicality and effectiveness are essential requirements of methods for preserving the privacy and security of data in clouds. The proposed methods successfully secure cloud projects and ensure the availability of services in an efficient way