33 research outputs found

    The Insecurity of Two Proxy Signcryption Schemes: Proxy Credential Forgery Attack and How to Prevent It

    Securing different online e-business activities usually requires applying different cryptographic algorithms. The proxy signcryption algorithms are designed for applications such as online proxy auction or online proxy signatures on business contracts, which require a proxy agent to sign on confidential messages. This paper proposes a proxy credential forgery attack to two recent proxy signcryption schemes in the literature. Using the attack, a malicious proxy signer can create a fake proxy credential from his original credential to extend his signing power. Simple modifications to these two schemes are also provided in this paper to prevent the attack without adding too much computational complexity. In addition to the contribution of introducing a new type of attacks to signcryption schemes, the paper also points out that, while designing a secure proxy signcryption scheme, not only the unforgeability of proxy signatures is important, but also that of proxy credentials as well

    P2P Email Encryption by An Identity-Based One-Way Group Key Agreement Protocol

    As a result of high-tech companies such as Google, Yahoo, and Microsoft offering free email services, email has become a primary channel of communication. However, email service providers have traditionally offered little in the way of message privacy protection. This has made emails, of which billions are sent around the world on any day, an attractive data source for personal identity information thieves. Google was one of the first companies to provide substantial email privacy protection when they began using the HTTPS always-on option to encrypt messages sent through their email service, Gmail. Unfortunately, Gmail's encryption option does not offer true point-to-point encryption since the encrypted emails are decrypted and stored in plaintext form on Google's servers. This type of approach poses a security vulnerability which is unacceptable to security-minded users such as highly sensitive government agencies and private companies. For these users, true point-to-point encryption is needed. This paper introduces an identity-based one-way group key agreement protocol and describes a point-to-point email encryption scheme based on the protocol. Both the security proofs and the efficiency analysis, with experimental results, of the new scheme are provided

    Enhancing Malware Analysis and Detection Using Adversarial Machine Learning Techniques

    In the realm of modern technology, malware has become a paramount concern. Defined as any software designed with malicious intent, malware manifests in numerous types that infect computer systems and devices. As of 2023, executable files account for 53% of computer viruses' spread. Compounded by the emergence of AI and polymorphic malware, attackers have intensified their efforts to obfuscate malicious code, rendering traditional defenses, such as signature-based detection systems, ineffective. To counter the evolving nature of modern malware, the adoption of machine learning (ML) models for detection has gained prominence. These models are able to continuously analyze memory and other data, identifying new patterns and features that aid in uncovering previously hidden malware variants. While ML-based detection systems demonstrate commendable performance, they still have vulnerabilities that necessitate further exploration. In this research proposal, we aim to address the aforementioned gaps and challenges by developing novel techniques to robustify ML-based malware detection systems. Specifically, we will focus on designing a testing framework that utilizes adversarial machine learning to generate AEs as variants of known modern malware datasets. These AEs will simulate real-world attack strategies, thereby enabling researchers to continuously update detection systems and enhance their resilience against emerging threats. Additionally, we will explore the development of comprehensive evaluation methods that incorporate robustness as a central metric to gauge the effectiveness of ML-based detection systems

    Analysis on the Security and Use of Password Managers

    Cybersecurity has become one of the largest growing fields in computer science and the technology industry. Faulty security has cost the global economy immense losses. Oftentimes, the pitfall in such financial loss is due to the security of passwords. Companies and regular people alike do not do enough to enforce strict password guidelines like the NIST (National Institute of Standard Technology) recommends. When big security breaches happen, thousands to millions of passwords can be exposed and stored into files, meaning people are susceptible to dictionary and rainbow table attacks. Those are only two examples of attacks that are used to crack passwords. In this paper, we will be going over three open-source password managers, each chosen for their own uniqueness. Our results will conclude on the overall security of each password manager using a list of established attacks and development of new potential attacks on such software. Additionally, we will compare our research with the limited research already conducted on password managers. Finally, we will provide some general guidelines of how to develop a better and more secure password manager

    Undergraduate Research Experience in Cybersecurity for Underrepresented Students and Students with Limited Research Opportunities

    Undergraduate research opportunities have expanded from elite universities in the United States to universities and learning institutions of all ranks and sizes. Research studies have shown some positive outcomes of the research experience for undergraduates (REU), such as enhanced research skills and competencies. However, with the widespread implementation of REU programs across the country, there are some serious and challenging issues, such as fierce competition among students for limited participation opportunities and an overlooking of underrepresented students’ needs. This study reported a nine-week REU Site program in cybersecurity designed for underrepresented students (women and minorities) and participants from institutions with limited research opportunities for the past three years. Results showed that most participants enjoyed the opportunity to work on a real world project and to gain research experience in the REU program. The program helped participants improve various research skills. Recommendations for future REU programs are discussed

    Integrity Coded Databases (ICDB) - An Evaluation of Efficiency, Performance, and Practicality

    Recently, cloud database storage has become an inexpensive and convenient option to store information; however, this relatively new area of service can be vulnerable to security breaches. Storing data in a foreign location requires the owner to relinquish control of their information. This opens the possibility for internal, malicious attacks that can involve the manipulation, omission, or addition of data. Our research tests a potential solution for retaining data as it was intended to be stored (known as integrity) in these cloud-stored databases: by converting the original databases to Integrity-Coded Databases (ICDB). ICDBs utilize Integrity Codes: cryptographic codes created for the data by a private key that only the data owner has access to. When the database is queried, an integrity code is returned along with the queried information. The owner is able to verify that the information is correct, complete, and fresh. Consequently, ICDBs also incur performance and memory penalties. In our research, we explore, test, and benchmark ICDBs to determine the costs and benefits of maintaining an ICDB versus a standard database

    Prediction of Fatality Crashes with Multilayer Perceptron of Crash Record Information System Datasets

    Despite the effort of the authorities and researchers, there has been no sign of decreasing in the number of fatal crashes annually. To analyze the deadly collisions, researchers have focused on finding which factors affect injury severity, and thus many crash prediction models for it had been developed. Commonly the injury severity is categorized into five different classes. Still, in many studies, minority classes like fatality and incapacitating injury were merged so that the dataset becomes balanced, and the model can provide decent predictions. However, this approach does not help analyze the fatal crashes as they are joined with other types of injury. Therefore, in this study, we proposed a multilayer perceptron model for binary classification of crash fatality. The model was proved to be able to handle heavily imbalanced datasets while providing decent performance. Moreover, a sensitivity analysis was conducted on the input of the model to estimate the importance of crash-related factors

    A Practical and Secure Stateless Order Preserving Encryption for Outsourced Databases

    Order-preserving encryption (OPE) plays an important role in securing outsourced databases. OPE schemes can be either Stateless or Stateful. Stateful schemes can achieve the ideal security of order-preserving encryption, i.e., “reveal no information about the plaintexts besides order.” However, compared to stateless schemes, stateful schemes require maintaining some state information locally besides encryption keys and the ciphertexts are mutable. On the other hand, stateless schemes only require remembering encryption keys and thus are more efficient. It is a common belief that stateless schemes cannot provide the same level of security as stateful ones because stateless schemes reveal the relative distance among their corresponding plaintext. In real world applications, such security defects may lead to the leakage of statistical and sensitive information, e.g., the data distribution, or even negate the whole encryption. In this paper, we propose a practical and secure stateless order-preserving encryption scheme. With prior knowledge of the data to be encrypted, our scheme can achieve IND-CCPA (INDistinguishability under Committed ordered Chosen Plaintext Attacks) security for static data set. Though the IND-CCPA security can't be met for dynamic data set, our new scheme can still significantly improve the security in real world applications. Along with the encryption scheme, in this paper we also provide methods to eliminate access pattern leakage in communications and thus prevent some common attacks to OPE schemes in practice

    A Shoulder Surfing Resistant Graphical Authentication System

    Authentication based on passwords is used largely in applications for computer security and privacy. However, human actions such as choosing bad passwords and inputting passwords in an insecure way are regarded as “the weakest link” in the authentication chain. Rather than arbitrary alphanumeric strings, users tend to choose passwords either short or meaningful for easy memorization. With web applications and mobile apps piling up, people can access these applications anytime and anywhere with various devices. This evolution brings great convenience but also increases the probability of exposing passwords to shoulder surfing attacks. Attackers can observe directly or use external recording devices to collect users’ credentials. To overcome this problem, we proposed a novel authentication system PassMatrix, based on graphical passwords to resist shoulder surfing attacks. With a one-time valid login indicator and circulative horizontal and vertical bars covering the entire scope of pass-images, PassMatrix offers no hint for attackers to figure out or narrow down the password even if they conduct multiple camera-based attacks. We also implemented a PassMatrix prototype on Android and carried out real user experiments to evaluate its memorability and usability. From the experimental result, the proposed system achieves better resistance to shoulder surfing attacks while maintaining usability

    Development of an Intelligent Equipment Lock Management System with RFID Technology

    The equipment lock has been an important tool for the power company to protect the electricity metering equipment. However, the conventional equipment lock has two potential problems: vandalism and counterfeiting. To fulfill the control and track the potential illegal behavior, the human labor and paper are required to proceed with related operations, resulting in the consumption of a large amount of human resources and maintenance costs. This study focused on the design of RFID technology applied to the traditional equipment lock, which, through the mobile and electronic technology, strengthens the management/operating convenience of the lock and provides the solutions for anti-counterfeiting and spoilage detection so that the national energy can be properly protected and fairly distributed