An OAuth2-based protocol with strong user privacy preservation for smart city mobile e-Health apps

In the context of the Smart City concept, mobile e-Health applications can play a pivotal role towards the improvement of citizens’ quality of life, since they can enable citizens to access personalized e-Health services, without limitations on time and location. However, accessing personalized e-Health services through citizens’ mobile e-Health applications, running on their mobile devices, raises many privacy issues in terms of citizens’ identity and location. These privacy issues should be addressed so that citizens, concerned about privacy leakage, will embrace Smart City mobile e-Health applications and reap their benefits. Hence, in this paper we propose an OAuth2-based protocol with strong user privacy preservation that addresses these privacy issues. Our proposed protocol follows the OAuth2 protocol flow and integrates a pseudonym-based signature scheme and a delegation signature scheme into the user authentication phase of the OAuth2 protocol. The proposed protocol enables citizens authentication towards the servers providing personalized e-Health services, while preserving their privacy from malicious mobile applications and/or eavesdroppers. Moreover, the proposed protocol does not require to store sensitive information in the citizens’ mobile devices

A Lightweight Privacy-Preserving OAuth2-Based Protocol for Smart City Mobile Apps

In the forthcoming Smart City scenario, users' mobile applications will be of fundamental role towards supporting the envisioned functionalities and services. Mobile users, provided with a smartphone, will be capable of ubiquitously connecting to service providers through their installed mobile applications. However, this connection must be authenticated, which threatens the citizen privacy rights. Privacy-preserving mechanisms have already been proposed in the past; nevertheless, they are based on RSA groups or groups with bilinear pairings, which are inefficient in mobile devices due to its computational complexity. Thus, in this paper, we integrate a lightweight anonymous credential mechanism, suitable for computationally-limited mobile devices, into the user authentication phase of the OAuth2 protocol, which has become a de facto solution for user authentication in mobile applications. The proposed protocol enables citizen's authentication towards service providers, while preserving their privacy. Additionally, the protocol is compliant with the OAuth2 specification, which enables an easy integration in current mobile application implementations

Attribute-based pseudonymity for privacy-preserving authentication in cloud services

Attribute-based authentication is considered a cornerstone component to achieve scalable fine-grained access control in the fast growing market of cloud-based services. Unfortunately, it also poses a privacy concern. Users attributes should not be linked to the users identity and spread across different organizations. To tackle this issue, several solutions have been proposed such as Privacy Attribute-Based Credentials (Privacy-ABCs), which support pseudonym-based authentication with embedded attributes. Privacy-ABCs allow users to establish anonymous accounts with service providers while hiding the identity of the user under a pseudonym. However, Privacy-ABCs require the selective disclosure of the attribute values towards service providers. Other schemes such as Attribute Base Signatures (ABS) and mesh signatures do not require the disclosure of attributes; unfortunately, these schemes do not cater for pseudonym generation in their construction, and hence cannot be used to establish anonymous accounts. In this paper, we propose a pseudonym-based signature scheme that enables unlinkable pseudonym self-generation with embedded attributes, similarly to Privacy-ABCs, and integrates a secret sharing scheme in a similar fashion to ABS and mesh signature schemes for attribute verification. Our proposed scheme also provides verifiable collusion, enabling users to share attributes according to the service providers policies

Physical-layer entity authentication scheme for mobile MIMO systems

Exploiting physical layer in achieving different security aspects in wireless communications has been widely encouraged. In this work, the authors propose an entity authentication scheme for mobile devices with multiple antennas, which is purely based on physical layer parameters. According to the proposed scheme, in order to authenticate a device, a number of predefined authentication signals should be detected at the receive antennas on the authenticator side. The transmitted signals are designed based on the instantaneous channel responses in order to deliver the authentication signals to the receiver. The proposed scheme works efficiently even for mobile users, which is considered a significant improvement over previous related works. Mathematical analysis of the different involved factors along with sufficient simulations show the high performance of the proposed authentication scheme

Implementation of a pseudonym-based signature scheme with bilinear pairings on Android

Privacy preservation is of paramount importance in the emerging smart city scenario, where numerous and diverse online services will be accessed by users through their mobile or wearable devices. In this scenario, service providers or eavesdroppers can track users’ activities, location, and interactions with other users, which may discourage citizens from accessing smart city services. Pseudonym-based systems have been proposed as an efficient solution to provide identity confidentiality, and more concretely pseudonym-based signature schemes have been suggested as an effective means to authenticate entities and messages privately. In this paper we describe our implementation of a pseudonym-based signature scheme, based on bilinear-pairings. Concretely, our implementation consists of an Android application that enables users to authenticate messages under self-generated pseudonyms, while still enabling anonymity revocation by a trusted third party in case of misbehavior. The paper presents a description of the implementation, performance results, and it also describes the use cases for which it was designed

Through the Looking-Glass: Benchmarking Secure Multi-Party Computation Comparisons for ReLU\u27s

Comparisons or Inequality Tests are an essential building block of Rectified Linear Unit functions (ReLU\u27s), ever more present in Machine Learning, specifically in Neural Networks. Motivated by the increasing interest in privacy-preserving Artificial Intelligence, we explore the current state of the art of privacy preserving comparisons over Multi-Party Computation (MPC). We then introduce constant round variations and combinations, which are compatible with customary fixed point arithmetic over MPC. Our main focus is implementation and benchmarking; hence, we showcase our contributions via an open source library, compatible with current MPC software tools. Furthermore, we include a comprehensive comparative analysis on various adversarial settings. Our results improve running times in practical scenarios. Finally, we offer conclusions about the viability of these protocols when adopted for privacy-preserving Machine Learning

Security framework for the semiconductor supply chain environment

This paper proposes a security framework for secure data communications across the partners in the Semiconductor Supply Chain Environment. The security mechanisms of the proposed framework will be based on the SSL/TLS and OAuth 2.0 protocols, which are two standard security protocols. However, both protocols are vulnerable to a number of attacks, and thus more sophisticated security mechanisms based on these protocols should be designed and implemented in order to address the specific security challenges of the Semiconductor Supply Chain in a more effective and efficient manner

Secure multi-party computation-based privacy-preserving authentication for smart cities

The increasing concern for identity confidentiality in the Smart City scenario has fostered research on privacy-preserving authentication based on pseudonymization. Pseudonym systems enable citizens to generate pseudo-identities and establish unlinkable anonymous accounts in cloud service providers. The citizen's identity is concealed, and his/her different anonymous accounts cannot be linked to each other. Unfortunately, current pseudonym systems require a trusted certification authority (CA) to issue the cryptographic components (e.g. credentials, secret keys, or pseudonyms) to citizens. This CA, generally a Smart City governmental entity, has the capability to grant or revoke privacy rights at will, hence posing a serious threat in case of corruption. Additionally, if the pseudonym system enables de-anonymization of misusers, a corrupted CA can jeopardize the citizens' privacy. This paper presents a novel approach to construct a pseudonym system without a trusted issuer. The CA is emulated by a set of Smart City service providers by means of secure multi-party computation (MPC), which circumvents the requirement of assuming an honest CA. The paper provides a full description of the system, which integrates an MPC protocol and a pseudonym-based signature scheme. The system has been implemented and tested

Risk estimation for a secure and usable user authentication mechanism for mobile passenger ID devices

User Authentication in mobile devices acts as a first line of defense verifying the user's identity to allow access to the resources of a device and typically was based on “something the user knows”, known also as knowledge-based user authentication for several decades. However, recent studies point out that although knowledge-based user authentication has been the most popular for authenticating an individual, nowadays it is no more considered secure and convenient for the mobile user as it is imposing several limitations in terms of security and usability. These limitations stress the need for the development and implementation of more secure and usable user authentication methods. Toward this direction, user authentication based on the “something the user is” has caught the attention. This category includes authentication methods which make use of human physical characteristics (also referred to as physiological biometrics), or involuntary actions (also referred to as behavioral biometrics). In particular, risk-based user authentication based on behavioral biometrics appears to have the potential to increase the reliability of authentication without sacrificing usability. In this context, we focus on the estimation of the risk score, in a continuous mode, of the risk-based user authentication mechanism that we have proposed in our previous work for mobile passenger identification (ID) devices for land/sea border control