907 research outputs found

    Strong authentication based on mobile application

    User authentication in online services has evolved over time from the old username and password-based approaches to current strong authentication methodologies. In particular, the smartphone app has become one of the most important means of performing authentication. This thesis describes various authentication methods used previously and discusses possible factors that generated the demand for the current strong authentication approach. We present the concepts and architectures of mobile application based authentication systems. Furthermore, we take a closer look into the security of the mobile application based authentication approach. Mobile apps have various attack vectors that need to be taken into consideration when designing an authentication system. Fortunately, various generic software protection mechanisms have been developed during the last decades. We discuss how these mechanisms can be utilized in the mobile app environment and in the authentication context. The main idea of this thesis is to gather relevant information about the authentication history and to be able to build a view of strong authentication evolution. This history and the aspects of the evolution are used to state hypotheses about future research and development. We predict that the authentication systems in the future may be based on a holistic view of the behavioral patterns and physical properties of the user. Machine learning may be used in the future to implement an autonomous authentication concept that enables users to be authenticated with minimal physical or cognitive effort.

    Secure Bitcoin Wallet

    Virtual currencies and mobile banking are technology advancements that are receiving increased attention in the global community because of their accessibility, convenience and speed. However, this popularity comes with growing security concerns, like increasing frequency of identity theft, leading to bigger problems which put user anonymity at risk. One possible solution for these problems is using cryptography to enhance the security of Bitcoin or other decentralised digital currency systems and to decrease the frequency of attacks on either communication channels or system storage. This report outlines various methods and solutions targeting these issues and aims to understand their effectiveness. It also describes Secure Bitcoin Wallet, a standard Bitcoin transactions client enhanced with various security features and services.

    Implementation of a public key infrastructure over peer-to-peer network

    This project developed the PKI-P2P application, which implements a public key infrastructure (PKI) over a peer-to-peer (P2P) network. The purpose of a PKI is to prove that a public key is authentic for a given user, because the trust placed in a public key is very important for the security of cryptographic methods. Normally the system is centralized and hierarchical, with a few elements called Certification Authorities (CAs) responsible for validating the relationship between a user and their public key. In networks with a large number of nodes the PKI has to handle many public key authenticity requests, so in this kind of scenario it is better to decentralize the PKI. To do so, all elements of the PKI should be able to decide whether a public key is authentic or not. Decentralized networks in which all elements are equal are called P2P networks; they offer some advantages over hierarchical or centralized systems, such as fault resistance, load distribution, self-administration and independence from an operating organization. The way to implement a PKI over a P2P network is described in Thomas Wölfl's paper "Public-Key-Infrastructure Based on a Peer-to-Peer Network"; the author of that paper developed a Peer-to-Peer-PKI application that achieves efficient search and transfer of certificates and recommendations. It is based on a combination of Maurer's model and the scalable P2P lookup protocol Chord. The P2P network used is Pastry, through its Java implementation Freepastry, which meant that the whole project was developed in Java. Pastry is a generic, scalable and efficient scheme for P2P applications. Pastry nodes form a decentralized, self-organizing and fault-tolerant overlay network.
In addition, the PlanetLab test network was used to test the operation of the PKI-P2P application. PlanetLab is a global research network that supports the development of new network services. Much of the time was spent studying PlanetLab and learning how it works in order to carry out the tests.

    ZeroComm: Decentralized, Secure and Trustful Group Communication

    In the context of computer networks, decentralization is a network architecture that distributes both workload and control of a system among a set of coequal participants. Applications based on such networks enhance trust involved in communication by eliminating the external authorities with self-interests, including governments and tech companies. The decentralized model delegates the ownership of data to individual users and thus mitigates undesirable behaviours such as harvesting personal information by external organizations. Consequently, decentralization has been adopted as the key feature in the next generation of the Internet model which is known as Web 3.0. DIDComm is a set of abstract protocols which enables secure messaging with decentralization and thus serves for the realization of Web 3.0 networks. It standardizes and transforms existing network applications to enforce secure, trustful and decentralized communication. Prior work on DIDComm has only been restricted to pair-wise communication and hence it necessitates a feasible strategy for adapting the Web 3.0 concepts in group-oriented networks. Inspired by the demand for a group communication model in Web 3.0, this study presents ZeroComm which preserves decentralization, security and trust throughout the fundamental operations of a group such as messaging and membership management. ZeroComm is built atop the publisher-subscriber pattern which serves as a messaging architecture for enabling communication among multiple members based on the subjects of their interests. This is realized in our implementation through ZeroMQ, a low-level network library that facilitates the construction of advanced and distributed messaging patterns. The proposed solution leverages DIDComm protocols to deliver safe communication among group members at the expense of performance and efficiency.
ZeroComm offers two different modes of group communication based on the organization of relationships among members with a compromise between performance and security. Our quantitative analysis shows that the proposed model performs efficiently for the messaging operation whereas joining a group is a relatively exhaustive procedure due to the establishment of secure and decentralized relationships among members. ZeroComm primarily serves as a low-level messaging framework but can be extended with advanced features such as message ordering, crash recovery of members and secure routing of messages.

    Low-latency mix networks for anonymous communication

    Every modern online application relies on the network layer to transfer information, which exposes the metadata associated with digital communication. These distinctive characteristics encapsulate equally meaningful information as the content of the communication itself and allow eavesdroppers to uniquely identify users and their activities. Hence, by exposing the IP addresses and by analyzing patterns of the network traffic, a malicious entity can deanonymize most online communications. While content confidentiality has made significant progress over the years, existing solutions for anonymous communication which protect the network metadata still have severe limitations, including centralization, limited security, poor scalability, and high-latency. As the importance of online privacy increases, the need to build low-latency communication systems with strong security guarantees becomes necessary. Therefore, in this thesis, we address the problem of building multi-purpose anonymous networks that protect communication privacy. To this end, we design a novel mix network Loopix, which guarantees communication unlinkability and supports applications with various latency and bandwidth constraints. Loopix offers better security properties than any existing solution for anonymous communications while at the same time being scalable and low-latency. Furthermore, we also explore the problem of active attacks and malicious infrastructure nodes, and propose a Miranda mechanism which allows to efficiently mitigate them. In the second part of this thesis, we show that mix networks may be used as a building block in the design of a private notification system, which enables fast and low-cost online notifications. Moreover, its privacy properties benefit from an increasing number of users, meaning that the system can scale to millions of clients at a lower cost than any alternative solution

    Proof of Latency Using a Verifiable Delay Function

    In this thesis I present an interactive public-coin protocol called Proof of Latency (PoL) that aims to improve connections in peer-to-peer networks by measuring latencies with logical clocks built from verifiable delay functions (VDF). PoL is a tuple of three algorithms, Setup(e, λ), VCOpen(c, e), and Measure(g, T, l_p, l_v). Setup creates a vector commitment (VC), from which a vector commitment opening corresponding to a collaborator's public key is taken in VCOpen, which then gets used to create a common reference string used in Measure. If no collusion gets detected by either party, a signed proof is ready for advertising. PoL is agnostic in terms of the individual implementations of the VC or VDF used. This said, I present a proof of concept in the form of a state machine implemented in Rust that uses RSA-2048, Catalano-Fiore vector commitments and Wesolowski's VDF to demonstrate PoL. As VDFs themselves have been shown to be useful in timestamping, they seem to work as a measurement of time in this context as well, albeit requiring a public performance metric for each peer to compare to during the measurement. I have imagined many use cases for PoL, like proving a geographical location, working as a benchmark query, or using the proofs to calculate VDFs with the latencies between peers themselves. As it stands, PoL works as a distance bounding protocol between two participants, considering their computing performance is relatively similar. More work is needed to verify the soundness of PoL as a publicly verifiable proof that a third party can believe in.

    Secure End-to-End Communications in Mobile Networks

    2009 - 2010. Cellular communication has become an important part of our daily life. Besides using cell phones for voice communication, we are now able to access the Internet, conduct monetary transactions, send voice, video and text messages and new services continue to be added. The frequencies over which voice is transmitted are public, so voice encryption is necessary to avoid interception of the signal over the air. But once the signal reaches the operator's Base Station (BS), it will be transmitted to the receiver over a wired or wireless mean. In either case, no protection is defined. This does not seem a problem, but this is not true. Along the path across operator network, voice is at risk. It will only be encrypted again, with a different key, from the BS to the receiver if the receiver is herself a mobile user. Moreover, voice encryption is not mandatory. The choice whether or not to accept an unprotected communication is up to the network. When adopted, the same encryption algorithm is used for sending SMS messages between mobile telephones and base stations and for encrypting of calls. Unfortunately, vulnerabilities in these encryption systems were already revealed more than 10 years ago and more continue to be discovered. Currently the most popular communication technologies are the GSM and the UMTS. The UMTS is in use as a successor to GSM. Along with mobile phone services, it provides rapid data communication. The security algorithms in UMTS differ from GSM in two important ways: encryption and mutual authentication. Although security standards have been improved, the end-to-end security is not provided... [edited by Author] IX n.s

    Developing a security mechanism for software agents

    Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2006. Includes bibliographical references (leaves: 73-76). Text in English; Abstract: Turkish and English. x 76 leaves. This thesis proposes a message security solution on multi-agent systems. A general security analysis based on properties of software agents is presented along with an overview of security measures applicable to multi-agent systems. A security design and implementation has been developed to protect communication among agents. And this implementation scheme has been applied to Seagent, a semantic web enabled multi-agent framework. Hence, a set of agent security mechanisms have been adapted for Seagent and have been implemented for message confidentiality, integrity, authentication and nonrepudiation. Then these mechanisms have been tested for communication performance on Seagent.