Model for cryptography protection of confidential information

УДК 004.056 Борсуковський Ю.В., Борсуковська В.Ю. Модель криптографічного захисту конфіденційної інформації В даній статті проведено детальний аналіз вимог щодо формування моделі криптографічного захисту конфіденційної інформації. Розглянуто використання засобів криптографічного захисту інформації з метою реалізації організаційних та технічних заходів по запобіганню витокам конфіденційної інформації на об’єктах критичної інфраструктури. Сформульовані базові вимоги та рекомендації щодо структури та функціональних складових моделі захисту конфіденційної інформації. Формалізовані вимоги щодо створення, впровадження та експлуатації превентивних процедур управління багатоступінчатим захистом конфіденційної інформації. Наведено приклад використання моделі криптографічного захисту інформації для створення захищеної і прозорої в використанні бази аутентифікаційних даних користувача. Запропонована модель захисту дозволяє мати кілька ступенів програмного та апаратного захисту, що із однієї сторони спрощує їх використання при виконанні чинних політик безпеки і зменшує ймовірність дискредитації аутентифікаційних даних, а із іншої сторони підвищує ймовірність виявлення зловмисних дій третьої сторони за рахунок багатоступінчатої системи захисту. Враховано практичний досвід створення типових моделей захисту конфіденційної інформації для розробки, впровадження та управління сучасними політиками інформаційної безпеки щодо питань використання засобів криптографічного захисту конфіденційної інформації на підприємствах різних форми власності.UDC 004.056 Borsukovskyi Y., Borsukovska V. Model for Cryptography Protection of Confidential Information Current article provides the detailed analysis of requirements for creation of model for cryptography protection of confidential information. Article defines the use of information cryptography protection tools in order to ensure the application of organizational and technical actions to prevent leakage of confidential information at critical infrastructure assets. It provides the basic requirements for the structure and functional elements of model for protection of confidential information. Formalize requirements on creation, implementation and exploitation of preventive procedure in management of multi-level protection of confidential information. The article includes example of use of model for cryptography protection of information for creation of secure and transparent in use the authenticating data base of user. The presented model of protection ensures to have a few levels of firewalls, that, on one hand, simplifies its use in execution of acting security policies and decrease the probability of discrediting of authenticating data, and, on other hand, increase the probability to detect the criminal actions of third party by means of multi-level protection system. It considers the practical experience in creation of standard models for protection of confidential information for development, implementation and management of modern policies on information security in part of use of cryptography protection tools for confidential information at enterprises of different forms of incorporation

Security of 5G-V2X: Technologies, Standardization and Research Directions

Cellular-Vehicle to Everything (C-V2X) aims at resolving issues pertaining to the traditional usability of Vehicle to Infrastructure (V2I) and Vehicle to Vehicle (V2V) networking. Specifically, C-V2X lowers the number of entities involved in vehicular communications and allows the inclusion of cellular-security solutions to be applied to V2X. For this, the evolvement of LTE-V2X is revolutionary, but it fails to handle the demands of high throughput, ultra-high reliability, and ultra-low latency alongside its security mechanisms. To counter this, 5G-V2X is considered as an integral solution, which not only resolves the issues related to LTE-V2X but also provides a function-based network setup. Several reports have been given for the security of 5G, but none of them primarily focuses on the security of 5G-V2X. This article provides a detailed overview of 5G-V2X with a security-based comparison to LTE-V2X. A novel Security Reflex Function (SRF)-based architecture is proposed and several research challenges are presented related to the security of 5G-V2X. Furthermore, the article lays out requirements of Ultra-Dense and Ultra-Secure (UD-US) transmissions necessary for 5G-V2X.Comment: 9 pages, 6 figures, Preprin

Enhancements to Secure Bootstrapping of Smart Appliances

In recent times, there has been a proliferation of smart IoT devices that make our everyday life more convenient, both at home and at work environment. Most of these smart devices are connected to cloud-based online services, and they typically reuse the existing Wi-Fi network infrastructure for Internet connectivity. Hence, it is of paramount importance to ensure that these devices establish a robust security association with the Wi-Fi networks and cloud-based servers. The initial process by which a device establishes a robust security association with the network and servers is known as secure bootstrapping. The bootstrapping process results in the derivation of security keys and other connection parameters required by the security associations. Since the smart IoT devices often possess minimal user-interface, there is a need for bootstrapping methods with which the users can effortlessly connect their smart IoT devices to the networks and services. Nimble out-of-band authentication for Extensible Authentication Protocol (EAP-NOOB) is one such secure bootstrapping method. It is a new EAP authentication method for IEEE 802.1X/EAP authentication framework. The protocol does not assume or require any pre-configured authentication credentials such as symmetric keys or certificates. In lieu, the authentication credentials along with the user’s ownership of the device are established during the bootstrapping process. The primary goal of this thesis is to study and implement the draft specification of the EAP-NOOB protocol in order to evaluate the working of EAP-NOOB in real-world scenarios. During our implementation and testing of the initial prototype for EAP-NOOB, we discovered several issues in the protocol. In this thesis, we propose a suitable solution for each of the problems identified and also, verify the solutions through implementation and testing. The main results of this thesis work are various enhancements and clarifications to the EAP-NOOB protocol specification. The results consequently aid the standardisation of the protocol at IETF. We also design and implement several additional features for EAP-NOOB to enhance the user experience

Security in User- Assisted Communications

Today, companies called service providers enable communications and control the related infrastructures. However, with increased computing power, advanced wireless technologies and more standardized terminals, users in the future will be able to take more control of communications. In this paper, we define and discuss a disruptive communication model called User-Assisted Communications (UAC), which allows users to assist other users to establish communications, and propose a method for managing trust and security, which are the most challenging variables in UAC and must be addressed before UAC can be implemented successfully. A Social Network based Trust Establishment (SN-TE) is proposed for UAC implementation

Privacy-Enhanced AKMA for Multi-Access Edge Computing Mobility

Multi-access edge computing (MEC) is an emerging technology of 5G that brings cloud computing benefits closer to the user. The current specifications of MEC describe the connectivity of mobile users and the MEC host, but they have issues with application-level security and privacy. We consider how to provide secure and privacy-preserving communication channels between a mobile user and a MEC application in the non-roaming case. It includes protocols for registration of the user to the main server of the MEC application, renewal of the shared key, and usage of the MEC application in the MEC host when the user is stationary or mobile. For these protocols, we designed a privacy-enhanced version of the 5G authentication and key management for applications (AKMA) service. We formally verified the current specification of AKMA using ProVerif and found a new spoofing attack as well as other security and privacy vulnerabilities. Then we propose a fix against the spoofing attack. The privacy-enhanced AKMA is designed considering these shortcomings. We formally verified the privacy-enhanced AKMA and adapted it to our solution

Mobility management across converged IP-based heterogeneous access networks

This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University, 8/2/2010.In order to satisfy customer demand for a high performance “global” mobility service, network operators (ISPs, carriers, mobile operators, etc.) are facing the need to evolve to a converged “all-IP” centric heterogeneous access infrastructure. However, the integration of such heterogeneous access networks (e.g. 802.11, 802.16e, UMTS etc) brings major mobility issues. This thesis tackles issues plaguing existing mobility management solutions in converged IP-based heterogeneous networks. In order to do so, the thesis firstly proposes a cross-layer mechanism using the upcoming IEEE802.21 MIH services to make intelligent and optimized handovers. In this respect, FMIPv6 is integrated with the IEEE802.21 mechanism to provide seamless mobility during the overall handover process. The proposed solution is then applied in a simulated vehicular environment to optimize the NEMO handover process. It is shown through analysis and simulations of the signalling process that the overall expected handover (both L2 and L3) latency in FMIPv6 can be reduced by the proposed mechanism by 69%. Secondly, it is expected that the operator of a Next Generation Network will provide mobility as a service that will generate significant revenues. As a result, dynamic service bootstrapping and authorization mechanisms must be in place to efficiently deploy a mobility service (without static provisioning), which will allow only legitimate users to access the service. A GNU Linux based test-bed has been implemented to demonstrate this. The experiments presented show the handover performance of the secured FMIPv6 over the implemented test-bed compared to plain FMIPv6 and MIPv6 by providing quantitative measurements and results on the quality of experience perceived by the users of IPv6 multimedia applications. The results show the inclusion of the additional signalling of the proposed architecture for the purpose of authorization and bootstrapping (i.e. key distribution using HOKEY) has no adverse effect on the overall handover process. Also, using a formal security analysis tool, it is shown that the proposed mechanism is safe/secure from the induced security threats. Lastly, a novel IEEE802.21 assisted EAP based re-authentication scheme over a service authorization and bootstrapping framework is presented. AAA based authentication mechanisms like EAP incur signalling overheads due to large RTTs. As a result, overall handover latency also increases. Therefore, a fast re-authentication scheme is presented which utilizes IEEE802.21 MIH services to minimize the EAP authentication process delays and as a result reduce the overall handover latency. Analysis of the signalling process based on analytical results shows that the overall handover latency for mobility protocols will be approximately reduced by 70% by the proposed scheme