63 research outputs found
Security, Trust and Privacy (STP) Model for Federated Identity and Access Management (FIAM) Systems
The federated identity and access management systems facilitate the home domain
organization users to access multiple resources (services) in the foreign domain
organization by web single sign-on facility. In federated environment the user’s
authentication is performed in the beginning of an authentication session and allowed
to access multiple resources (services) until the current session is active. In current
federated identity and access management systems the main security concerns are: (1)
In home domain organization machine platforms bidirectional integrity measurement
is not exist, (2) Integrated authentication (i.e., username/password and home domain
machine platforms mutual attestation) is not present and (3) The resource (service)
authorization in the foreign domain organization is not via the home domain machine
platforms bidirectional attestation
Critical Perspectives on Provable Security: Fifteen Years of Another Look Papers
We give an overview of our critiques of “proofs” of security and a guide to
our papers on the subject that have appeared over the past decade and a half. We also
provide numerous additional examples and a few updates and errata
Token Based Authentication and Authorization with Zero-Knowledge Proofs for Enhancing Web API Security and Privacy
This design science study showcases an innovative artifact that utilizes Zero-Knowledge Proofs for API Authentication and Authorization. A comprehensive examination of existing literature and technology is conducted to evaluate the effectiveness of this alternative approach. The study reveals that existing APIs are using slower techniques that don’t scale, can’t take advantage of newer hardware, and have been unable to adequately address current security issues. In contrast, the novel technique presented in this study performs better, is more resilient in privacy sensitive and security settings, and is easy to implement and deploy. Additionally, this study identifies potential avenues for further research that could help advance the field of Web API development in terms of security, privacy, and simplicity
Cryptographic key management for the vehicles of tomorrow
The automotive industry is undergoing a major transformation process in which nearly every part of the vehicle is becoming digital and connected. Modern vehicles are often connected to the internet, feature several wireless interfaces and will soon communicate directly with surrounding vehicles and roadside infrastructure using V2X technology. However, this transformation has not yet been paralleled by the development of techniques or standards which address the cyber security challenges posed by these systems. The automotive industry has historically failed to use secure cryptography or appropriate key management techniques and there is no sign that things have improved.
In this thesis, we present several new cryptographic and key management flaws in an existing automotive immobiliser system and we develop two new V2X architectures for improving the safety and privacy of tomorrow’s connected and autonomous vehicles. Specifically, we study the AUT64 automotive block cipher and its associated authentication protocol in a real-world immobiliser system. Despite having a 120~bit key, we find a number of flaws in the system which we combine to present several practical key-recovery attacks.
Our first new V2X architecture, IFAL, provides a practical and secure improvement to the leading European standard for V2X. IFAL introduces a new certificate issuance mechanism that eliminates the trade-off between pseudonym duration and bandwidth. Our second architecture, VDAA, addresses the need for efficient techniques that preserve vehicle privacy despite dishonest or colluding certificate authorities
- …