Attack Resilience and Recovery using Physical Challenge Response Authentication for Active Sensors Under Integrity Attacks

Embedded sensing systems are pervasively used in life- and security-critical systems such as those found in airplanes, automobiles, and healthcare. Traditional security mechanisms for these sensors focus on data encryption and other post-processing techniques, but the sensors themselves often remain vulnerable to attacks in the physical/analog domain. If an adversary manipulates a physical/analog signal prior to digitization, no amount of digital security mechanisms after the fact can help. Fortunately, nature imposes fundamental constraints on how these analog signals can behave. This work presents PyCRA, a physical challenge-response authentication scheme designed to protect active sensing systems against physical attacks occurring in the analog domain. PyCRA provides security for active sensors by continually challenging the surrounding environment via random but deliberate physical probes. By analyzing the responses to these probes, and by using the fact that the adversary cannot change the underlying laws of physics, we provide an authentication mechanism that not only detects malicious attacks but provides resilience against them. We demonstrate the effectiveness of PyCRA through several case studies using two sensing systems: (1) magnetic sensors like those found wheel speed sensors in robotics and automotive, and (2) commercial RFID tags used in many security-critical applications. Finally, we outline methods and theoretical proofs for further enhancing the resilience of PyCRA to active attacks by means of a confusion phase---a period of low signal to noise ratio that makes it more difficult for an attacker to correctly identify and respond to PyCRA's physical challenges. In doing so, we evaluate both the robustness and the limitations of PyCRA, concluding by outlining practical considerations as well as further applications for the proposed authentication mechanism.Comment: Shorter version appeared in ACM ACM Conference on Computer and Communications (CCS) 201

Extending AES with DH Key-Exchange to Enhance VoIP Encryption in Mobile Networks

Recently,the evolution and progress have become significant in the field of information technology and mobile technology, especially inSmartphone applications that are currently widely spreading. Due to the huge developments in mobile and smartphone technologies in recent years, more attention is given to voice data transmission such as VoIP (Voice overIP) technologies– e.g. (WhatsApp, Skype, and Face Book Messenger). When using VoIP services over smartphones, there are always security and privacy concerns like the eavesdropping of calls between the communicating parties. Therefore, there is a pressing need to address these risks by enhancing the security level and encryption methods. In this work, we use scheme to encrypt VoIP channels using (128, 192 & 256-bit) enhanced encryption based on the Advanced Encryption Standard (AES) algorithm, by extending it with the well-known Diffie-Hellman (DH) key exchange method. We have performed a series of real tests on the enhanced (AES-DH) algorithm and compared its performance with the generic AES algorithm. The results have shown that we can get a significant increase in the encryption strength at a very small overhead between 4% and 7% of execution timebetween AES and AEScombine withDH for all scenario which was incurred by added time of encryption and decryption. Our approach uses high security and speed and reduces the voice delay.In dealing with sound transfer process via the internet, we use the SIP server to authenticate the communication process between the two parties. The implementation is done on a mobile device (Which is operated by (Android) system) because it has recently been widely used among different people around the world.اصبحت الثورة والتطور كبيرة حديثاً في حقول تكنولوجيا االتصاالت واليواتف النقالة، وخصوصا في تطبيقات اليواتف الذكية التي تنتشر حاليا بشكل واسع. وتم اعطاء المزيد من االىتمام لنقل البيانات الصوتية مثل تكنولوجيا االتصال عبر بروتكول االنترنت، عمى سبيل المثال: )الواتساب، السكايب، الفيس بوك، والماسنجر(. ويعزى ذلك لمتطور الكبير في تكنولوجيا اليواتف النقالة والذكية في السنوات االخيرة. عند استخدام خدمات االتصال عبر بروتكول االنترنت VoIP ،ىناك مخاوف دائمة حول الحماية والخصوصية كالتجسس عمى المكالمات بين جيات االتصال. ولذلك ىنالك حاجة ماسة لمعالجة ىذه المخاطر عن طريق تحسين مستوى الحماية وطرق التشفير. في ىذا العمل، نستخدم/ نجمع بين اثنتين من الخوارزميات لتشفير قنوات االتصال عبر بروتوكول االنترنت )128 ، 192 ،و 256 بت( عبر خوارزمية AESوتمديدىا عبر طريقة تبادل ديفي ىيممان الرئيسية المعروفة. وقمنا باداء العديد من التجارب الحقيقية عمى DH-AES ، وقمنا بمقارنة ادائيا مع اداء خوارزمية معيار التشفير المتقدم العامة. اظيرت النتائج انو بامكاننا الحصول عمى زيادة كبيرة في قوة التشفير بنسبة صغيرة جدا بين 4 %و7 %من وقت التنفيذ بين AESو DH/AES لجميع السيناريو والتي تم تكبدىا من قبل الوقت المضاف لمتشفير وفك التشفير. يستخدم نيجنا درجة عالية من الحماية والسرعة ويقمل من تأخير الصوت، ونستخدم في التعامل مع عممية نقل الصوت عبر االنترنت Server SIPلتوثيق عممية االتصال بين الجيتين. وتم التنفيذ عمى ىاتف نقال يعمل عمى نظام اندرويد؛ النو استخدم بشكل واسع مؤخرا بين مختمف الناس حول العالم

Implementing Azure Active Directory Integration with an Existing Cloud Service

Training Simulator (TraSim) is an online, web-based platform for holding crisis management exercises. It simulates epidemics and other exceptional situations to test the functionality of an organization’s operating instructions in the hour of need. The main objective of this thesis is to further develop the service by delegating its existing authentication and user provisioning mechanisms to a centralized, cloud-based Identity and Access Management (IAM) service. Making use of a centralized access control service is widely known as a Single Sign-On (SSO) implementation which comes with multiple benefits such as increased security, reduced administrative overhead and improved user experience. The objective originates from a customer organization’s request to enable SSO for TraSim. The research mainly focuses on implementing SSO by integrating TraSim with Azure Active Directory (AD) from a wide range of IAM services since it is considered as an industry standard and already utilized by the customer. Anyhow, the complexity of the integration is kept as reduced as possible to retain compatibility with other services besides Azure AD. While the integration is a unique operation with an endless amount of software stacks that a service can build on and multiple IAM services to choose from, this thesis aims to provide a general guideline of how to approach a resembling assignment. Conducting the study required extensive search and evaluation of the available literature about terms such as IAM, client-server communication, SSO, cloud services and AD. The literature review is combined with an introduction to the basic technologies that TraSim is built with to justify the choice of OpenID Connect as the authentication protocol and why it was implemented using the mozilla-django-oidc library. The literature consists of multiple online articles, publications and the official documentation of the utilized technologies. The research uses a constructive approach as it focuses into developing and testing a new feature that is merged into the source code of an already existing piece of software