Smart card authentication for mobile devices

While mobile handheld devices provide productivity benefits, they also pose new risks. User authentication is the best safeguard against the risk of unauthorized use and access to a device’s contents. This paper describes two novel types of smart card with unconventional form factors, designed to take advantage of common interfaces built into many current handheld devices

Mobile Identity, Credential, and Access Management Framework

Organizations today gather unprecedented quantities of data from their operations. This data is coming from transactions made by a person or from a connected system/application. From personal devices to industry including government, the internet has become the primary means of modern communication, further increasing the need for a method to track and secure these devices. Protecting the integrity of connected devices collecting data is critical to ensure the trustworthiness of the system. An organization must not only know the identity of the users on their networks and have the capability of tracing the actions performed by a user but they must trust the system providing them with this knowledge. This increase in the pace of usage of personal devices along with a lack of trust in the internet has driven demand for trusted digital identities. As the world becomes increasingly mobile with the number of smart phone users growing annually and the mobile web flourishing, it is critical to implement strong security on mobile devices. To manage the vast number of devices and feel confident that a machine’s identity is verifiable, companies need to deploy digital credentialing systems with a strong root of trust. As passwords are not a secure method of authentication, mobile devices and other forms of IoT require a means of two-factor authentication that meets NIST standards. Traditionally, this has been done with Public Key Infrastructure (PKI) through the use of a smart card. Blockchain technologies combined with PKI can be utilized in such a way as to provide an identity and access management solution for the internet of things (IoT). Improvements to the security of Radio Frequency Identification (RFID) technology and various implementations of blockchain make viable options for managing the identity and access of IoT devices. When PKI first began over two decades ago, it required the use of a smart card with a set of credentials known as the personal identity verification (PIV) card. The PIV card (something you have) along with a personal identification number (PIN) (something you know) were used to implement two-factor authentication. Over time the use of the PIV cards has proven challenging as mobile devices lack the integrated smart card readers found in laptop and desktop computers. Near Field Communication (NFC) capability in most smart phones and mobile devices provides a mechanism to allow a PIV card to be read by a mobile device. In addition, the existing PKI system must be updated to meet the demands of a mobile focused internet. Blockchain technology is the key to modernizing PKI. Together, blockchain-based PKI and NFC will provide an IoT solution that will allow industry, government, and individuals a foundation of trust in the world wide web that is lacking today

Secure spontaneous emergency access to personal health record

We propose a system which enables access to the user's Personal Health Record (PHR) in the event of emergency. The access typically occurs in an ad-hoc and spontaneous manner and the user is usually unconscious, hence rendering the unavailability of the user's password to access the PHR. The proposed system includes a smart card carried by the user at all time and it is personalized with a pseudo secret, an URL to the PHR Server, a secret key shared with the PHR Server and a number of redemption tokens generated using a hash chain. In each emergency session, a one-time use redemption token is issued by the smart card, allowing the emergency doctor to retrieve the user's PHR upon successful authentication of his credentials and validation of the redemption token. The server returns the PHR encrypted with a one-time session key which can only be decrypted by the emergency doctor. The devised interaction protocol to facilitate emergency access to the user's PHR is secure and efficient

Security Implications of Fog Computing on the Internet of Things

Recently, the use of IoT devices and sensors has been rapidly increased which also caused data generation (information and logs), bandwidth usage, and related phenomena to be increased. To our best knowledge, a standard definition for the integration of fog computing with IoT is emerging now. This integration will bring many opportunities for the researchers, especially while building cyber-security related solutions. In this study, we surveyed about the integration of fog computing with IoT and its implications. Our goal was to find out and emphasize problems, specifically security related problems that arise with the employment of fog computing by IoT. According to our findings, although this integration seems to be non-trivial and complicated, it has more benefits than the implications.Comment: 5 pages, conference paper, to appear in Proceedings of the ICCE 2019, IEEE 37th International Conference on Consumer Electronics (ICCE), Jan 11- 13, 2019, Las Vegas, NV, US

S-Mbank: Secure Mobile Banking Authentication Scheme Using Signcryption, Pair Based Text Authentication, and Contactless Smartcard

Nowadays, mobile banking becomes a popular tool which consumers can conduct financial transactions such as shopping, monitoring accounts balance, transferring funds and other payments. Consumers dependency on mobile needs, make people take a little bit more interest in mobile banking. The use of the one-time password which is sent to the user mobile phone by short message service (SMS) is a vulnerability which we want to solve with proposing a new scheme called S-Mbank. We replace the authentication using the one-time password with the contactless smart card to prevent attackers to use the unencrypted message which is sent to the user's mobile phone. Moreover, it deals vulnerability of spoofer to send an SMS pretending as a bank's server. The contactless smart card is proposed because of its flexibility and security which easier to bring in our wallet than the common passcode generators. The replacement of SMS-based authentication with contactless smart card removes the vulnerability of unauthorized users to act as a legitimate user to exploit the mobile banking user's account. Besides that, we use public-private key pair and PIN to provide two factors authentication and mutual authentication. We use signcryption scheme to provide the efficiency of the computation. Pair based text authentication is also proposed for the login process as a solution to shoulder-surfing attack. We use Scyther tool to analyze the security of authentication protocol in S-Mbank scheme. From the proposed scheme, we are able to provide more security protection for mobile banking service.Comment: 6 page