2,219 research outputs found
Practical Schemes For Privacy & Security Enhanced RFID
Proper privacy protection in RFID systems is important. However, many of the
schemes known are impractical, either because they use hash functions instead
of the more hardware efficient symmetric encryption schemes as a efficient
cryptographic primitive, or because they incur a rather costly key search time
penalty at the reader. Moreover, they do not allow for dynamic, fine-grained
access control to the tag that cater for more complex usage scenarios.
In this paper we investigate such scenarios, and propose a model and
corresponding privacy friendly protocols for efficient and fine-grained
management of access permissions to tags. In particular we propose an efficient
mutual authentication protocol between a tag and a reader that achieves a
reasonable level of privacy, using only symmetric key cryptography on the tag,
while not requiring a costly key-search algorithm at the reader side. Moreover,
our protocol is able to recover from stolen readers.Comment: 18 page
The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines
Web-based single sign-on (SSO) services such as Google Sign-In and Log In
with Paypal are based on the OpenID Connect protocol. This protocol enables
so-called relying parties to delegate user authentication to so-called identity
providers. OpenID Connect is one of the newest and most widely deployed single
sign-on protocols on the web. Despite its importance, it has not received much
attention from security researchers so far, and in particular, has not
undergone any rigorous security analysis.
In this paper, we carry out the first in-depth security analysis of OpenID
Connect. To this end, we use a comprehensive generic model of the web to
develop a detailed formal model of OpenID Connect. Based on this model, we then
precisely formalize and prove central security properties for OpenID Connect,
including authentication, authorization, and session integrity properties.
In our modeling of OpenID Connect, we employ security measures in order to
avoid attacks on OpenID Connect that have been discovered previously and new
attack variants that we document for the first time in this paper. Based on
these security measures, we propose security guidelines for implementors of
OpenID Connect. Our formal analysis demonstrates that these guidelines are in
fact effective and sufficient.Comment: An abridged version appears in CSF 2017. Parts of this work extend
the web model presented in arXiv:1411.7210, arXiv:1403.1866,
arXiv:1508.01719, and arXiv:1601.0122
Secure spontaneous emergency access to personal health record
We propose a system which enables access to the user's Personal Health Record (PHR) in the event of emergency. The
access typically occurs in an ad-hoc and spontaneous manner and the user is usually unconscious, hence rendering the
unavailability of the user's password to access the PHR. The
proposed system includes a smart card carried by the user
at all time and it is personalized with a pseudo secret, an
URL to the PHR Server, a secret key shared with the PHR
Server and a number of redemption tokens generated using
a hash chain. In each emergency session, a one-time use
redemption token is issued by the smart card, allowing the
emergency doctor to retrieve the user's PHR upon successful authentication of his credentials and validation of the
redemption token. The server returns the PHR encrypted
with a one-time session key which can only be decrypted by
the emergency doctor. The devised interaction protocol to
facilitate emergency access to the user's PHR is secure and
efficient
Recommended from our members
Patient privacy protection using anonymous access control techniques
Objective: The objective of this study is to develop a solution to preserve security and privacy in a healthcare environment where health-sensitive information will be accessed by many parties and stored in various distributed databases. The solution should maintain anonymous medical records and it should be able to link anonymous medical information in distributed databases into a single patient medical record with the patient identity. Methods: In this paper we present a protocol that can be used to authenticate and authorize patients to healthcare services without providing the patient identification. Healthcare service can identify the patient using separate temporary identities in each identification session and medical records are linked to these temporary identities. Temporary identities can be used to enable record linkage and reverse track real patient identity in critical medical situations. Results: The proposed protocol provides main security and privacy services such as user anonymity, message privacy, message confidentiality, user authentication, user authorization and message replay attacks. The medical environment validates the patient at the healthcare service as a real and registered patient for the medical services. Using the proposed protocol, the patient anonymous medical records at different healthcare services can be linked into one single report and it is possible to securely reverse track anonymous patient into the real identity. Conclusion: The protocol protects the patient privacy with a secure anonymous authentication to healthcare services and medical record registries according to the European and the UK legislations, where the patient real identity is not disclosed with the distributed patient medical records
Biometric Security for Cell Phones
Cell phones are already prime targets for theft. The increasing functionality of cell phones is making them even more attractive. With the increase of cell phone functionality including personal digital assistance, banking, e-commerce, remote work, internet access and entertainment, more and more confidential data is stored on these devices. What is protecting this confidential data stored on cell phones? Studies have shown that even though most of the cell phone users are aware of the PIN security feature more than 50% of them are not using it either because of the lack of confidence in it or because of the inconvenience. A large majority of those users believes that an alternative approach to security would be a good idea.biometrics, security, fingerprint, face recognition, cell phones
An Elliptic Curve-based Signcryption Scheme with Forward Secrecy
An elliptic curve-based signcryption scheme is introduced in this paper that
effectively combines the functionalities of digital signature and encryption,
and decreases the computational costs and communication overheads in comparison
with the traditional signature-then-encryption schemes. It simultaneously
provides the attributes of message confidentiality, authentication, integrity,
unforgeability, non-repudiation, public verifiability, and forward secrecy of
message confidentiality. Since it is based on elliptic curves and can use any
fast and secure symmetric algorithm for encrypting messages, it has great
advantages to be used for security establishments in store-and-forward
applications and when dealing with resource-constrained devices.Comment: 13 Pages, 5 Figures, 2 Table
- …