ENSURING SPECIFICATION COMPLIANCE, ROBUSTNESS, AND SECURITY OF WIRELESS NETWORK PROTOCOLS
Several newly emerged wireless technologies (e.g., Internet-of-Things, Bluetooth, NFC)—extensively backed by the tech industry—are being widely adopted and have resulted in a proliferation of diverse smart appliances and gadgets (e.g., smart thermostats, wearables, smartphones), which has in turn shaped our modern digital life. These technologies include several communication protocols that usually have stringent requirements stated in their specifications. Failing to comply with such requirements can result in incorrect behavior, interoperability issues, or even security vulnerabilities. Moreover, a lack of robustness of the protocol implementation to malicious attacks—exploiting subtle vulnerabilities in the implementation—mounted by compromised nodes in an adversarial environment can limit the practical utility of the implementation by impairing the performance of the protocol, and can even have detrimental effects on the availability of the network. Even having a compliant and robust implementation alone may not suffice in many cases, because these technologies often expose new attack surfaces as well as new propagation vectors, which can be exploited by unprecedented malware and can quickly lead to an epidemic
Protecting Privacy and Ensuring Security of RFID Systems Using Private Authentication Protocols
Radio Frequency IDentification (RFID) systems have been studied as an emerging technology for automatic identification of objects and assets in various applications, ranging from inventory tracking to point-of-sale applications and from healthcare applications to e-passports. The expansion of RFID technology, however, gives rise to severe security and privacy concerns. To ensure the widespread deployment of this technology, the security and privacy threats must be addressed. However, providing solutions to these threats has been a challenge due to the extremely limited resources of typical RFID tags. Authentication protocols are a possible solution for securing RFID communications. In this thesis, we consider RFID authentication protocols based on symmetric key cryptography. We identify the security and privacy requirements for an RFID system. We present four protocols in this thesis. First, we propose a lightweight authentication protocol for typical tags that can perform symmetric key operations. This protocol makes use of pseudo-random number generators (PRNGs) and one-way hash functions to meet the security and privacy requirements of RFID systems. Second, we define the desynchronizing attack and describe the vulnerabilities to this attack in RFID systems. We propose a robust authentication protocol that can prevent the desynchronizing attack. This protocol can recover disabled tags that have been desynchronized from the reader by this attack. Third, we introduce a novel authentication protocol based on elliptic curve cryptography (ECC) to avoid the counterfeiting problem of RFID systems. This protocol is appropriate for RFID tags that can perform ECC operations. Finally, to address the tradeoff between scalability and privacy of RFID systems, we propose an efficient anonymous authentication protocol. We characterize the privacy of RFID systems and prove that our protocol preserves the privacy of RFID tags and achieves better scalability as well.
AnonPri: A Secure Anonymous Private Authentication Protocol for RFID Systems
Privacy preservation in RFID systems is a very important issue in the modern world. Privacy activists have been worried about the invasion of user privacy while using various RFID systems and services. Hence, significant efforts have been made to design RFID systems that preserve users' privacy. The majority of the privacy-preserving protocols for RFID systems require the reader to search all tags in the system in order to identify a single RFID tag, which is not efficient for large-scale systems. In order to achieve high-speed authentication in large-scale RFID systems, researchers have proposed tree-based approaches, in which any pair of tags share a number of key components. Another technique is to perform group-based authentication, which improves the tradeoff between scalability and privacy by dividing the tags into a number of groups. This novel authentication scheme ensures the privacy of the tags. However, the level of privacy provided by the scheme decreases as more and more tags are compromised. To address this issue, in this paper we propose a group-based anonymous private authentication protocol (AnonPri) that provides a higher level of privacy than the above-mentioned group-based scheme and achieves better efficiency (in terms of providing privacy) than the approaches that require the reader to perform an exhaustive search. Our protocol guarantees that the adversary cannot link the tag responses even if she can learn the identifiers of the tags. Our evaluation results demonstrate that the level of privacy provided by AnonPri is higher than that of the group-based authentication technique.
VetIoT: On Vetting IoT Defenses Enforcing Policies at Runtime
Smart homes are powered by numerous programmable IoT platforms. Despite tremendous innovations, these platforms often suffer from safety and security issues. One class of defense solutions dynamically enforces safety and security policies, which essentially capture the expected behavior of the IoT system. While many proposed works are built on this runtime approach, they are all under-vetted. The primary reason lies in their evaluation approach. They are mostly self-evaluated in isolation using a virtual testbed combined with manually orchestrated test scenarios that rely on user interactions with the platform's UI. Such hand-crafted and non-uniform evaluation setups limit not only reproducibility but also any comparative analysis of their efficacy results. Closing this gap in the traditional way requires a huge upfront manual effort, which causes researchers to turn away from any large-scale comparative empirical evaluation. Therefore, in this paper, we propose a highly automated uniform evaluation platform, dubbed VetIoT, to vet defense solutions that hinge on runtime policy enforcement. Given a defense solution, VetIoT easily instantiates a virtual testbed inside which the solution is empirically evaluated. VetIoT replaces manual UI-based interactions with an automated event simulator, and manual inspection of test outcomes with an automated comparator. We developed a fully functional prototype of VetIoT and applied it to three runtime policy enforcement solutions: Expat, Patriot, and IoTguard. VetIoT reproduced their individual prior results and assessed their efficacy via stress testing and differential testing. We believe VetIoT can foster future research and evaluation.
Comment: Accepted at the IEEE Conference on Communications and Network Security (CNS) 202
MAVERICK: An App-independent and Platform-agnostic Approach to Enforce Policies in IoT Systems at Runtime
Many solutions have been proposed to curb unexpected behavior of automation apps installed on programmable IoT platforms by enforcing safety policies at runtime. However, all prior work addresses a weaker version of the actual problem due to a simpler, unrealistic threat model. These solutions are not general enough, as they are heavily dependent on the installed apps and catered to specific IoT platforms. Here, we address a stronger version of the problem via a realistic threat model, where (i) undesired cyber actions can come not only from automation platform backends (e.g., SmartThings) but also from closed-source third-party services (e.g., IFTTT), and (ii) physical actions (e.g., user interactions) on devices can move the IoT system to an undesirable state. We propose a runtime mechanism, dubbed Maverick, which employs an app-independent, platform-agnostic mediator to enforce policies against all undesired cyber actions and applies corrective actions to bring the IoT system back to a safe state after an unsafe state transition. Maverick is equipped with a policy language capable of expressing rich temporal invariants and an automated toolchain that includes a policy synthesizer and a policy analyzer for user assistance. We implemented Maverick in a prototype and showed its efficacy in both physical and virtual testbeds, incurring minimal overhead.
Comment: 13 pages, full version with material cut from version accepted at ACM WiSec 202
ProQuPri: Towards Anonymity Protection with Privacy Quantification for Context-aware Applications
Privacy is the most often-cited criticism of context awareness in pervasive environments and may be the greatest barrier to its enduring success. Users certainly desire to be notified of potential data capture. Context-based pervasive applications have the vulnerability of tracking and capturing extensive portions of users' activities. Whether such data capture is an actual threat or not, users' perceptions of such possibilities may discourage them from using and adopting pervasive applications. So far in context-based pervasive applications, location data has been the main focus for making users anonymous. However, in reality, anonymity depends on all the privacy-sensitive data collected by the applications. Protecting anonymity with the help of an anonymizer is susceptible to a single point of failure. In this poster, we propose a formal model, ProQuPri (Protect Anonymity and Quantify Privacy), that preserves users' anonymity without an anonymizer while quantifying the amount of privacy at the time of asking for services from untrustworthy service providers. Before placing a request, each user can protect his own anonymity by collaborating with his peers.
REBIVE: A Reliable Private Data Aggregation Scheme for Wireless Sensor Networks
An important topic addressed by the wireless sensor networks community over the last several years is in-network data aggregation. Providing a reliable data aggregation scheme while preserving data privacy is a significant as well as challenging issue. However, in WSNs, achieving ideal data accuracy is complicated by collisions, heavy network traffic, processing delays, and/or several attacks. The problem of gathering accurate aggregated data is further intensified if the environment is adverse. Hence, how to attain data privacy and perfect data accuracy are two major challenges for data aggregation in wireless sensor networks. To address this problem, we propose in this paper a new privacy-preserving data aggregation scheme, REBIVE (REliaBle prIVate data aggrEgation scheme). In REBIVE, the data accuracy maintenance and data privacy protection mechanisms work cooperatively. Different from past research, our proposed solution has the following features: it provides a privacy preservation technique for both individual sensor data and aggregated sensor data; it maintains perfect data accuracy in realistic environments; it is highly efficient; and it is robust to popular attacks launched in WSNs.
Secured Tag Identification Using EDSA (Enhanced Distributed Scalable Architecture)
RFID technology has become increasingly popular in today's society and plays an important role in daily life. However, the exploitation of this technology requires practical and secure solutions to overcome certain issues. In the case of RFID systems, privacy protection and scalability are two conflicting goals. Nevertheless, in this paper we propose a hexagonal-cell-based distributed architecture which ensures improved scalability while maintaining privacy. The hexagonal architecture allows readers to cooperate with one another to identify tags without compromising scalability. Furthermore, this architecture uses serverless protocols for security assurance, cutting down setup and maintenance costs as well as traffic to the server. To the best of our knowledge, we are the first to propose a combination of servered and serverless techniques within the same distributed architecture. Our proposed distributed scalable architecture, together with the secure serverless protocols, can be used in numerous real-life situations.