7 research outputs found
Caching-based Multicast Message Authentication in Time-critical Industrial Control Systems
Attacks against industrial control systems (ICSs) often exploit the
insufficiency of authentication mechanisms. Verifying whether the received
messages are intact and issued by legitimate sources can prevent malicious
data/command injection by illegitimate or compromised devices. However, the key
challenge is to introduce message authentication for various ICS communication
models, including multicast or broadcast, with a messaging rate that can be as
high as thousands of messages per second, within very stringent latency
constraints. For example, certain commands for protection in smart grids must
be delivered within 2 milliseconds, ruling out public-key cryptography. This
paper proposes two lightweight message authentication schemes, named CMA and
its multicast variant CMMA, that perform precomputation and caching to
authenticate future messages. With minimal precomputation and communication
overhead, C(M)MA eliminates all cryptographic operations for the source after
the message is given, and all expensive cryptographic operations for the
destinations after the message is received. C(M)MA considers the urgency
profile (or likelihood) of a set of future messages for even faster
verification of the most time-critical (or likely) messages. We demonstrate the
feasibility of C(M)MA in an ICS setting based on a substation automation system
in smart grids.Comment: For viewing INFOCOM proceedings in IEEE Xplore see
https://ieeexplore.ieee.org/abstract/document/979676
Versioning, integrity and access control for collaborative applications over hosted data
The objective of this thesis is to design a suite of techniques to facilitate the storage and manipulation of mutable content over untrusted storage (cloud/hosted) services in a more secure and efficient manner. We consider the storage service to be untrusted either because they are typically administered by a third party (as with data outsourcing); or because, even if administered by the data owner, the Byzantine behavior of the storage service due to faults, bugs or attacks cannot be discounted. The security of stored data is a widely acknowledged concern. This thesis primarily focuses on the classic CIA security triad - Confidentiality, Integrity, and Availability. A critical sore point with security mechanisms is their associated overheads, and an important challenge in addition to the functional correctness of the security mechanisms is their efficiency. Thus, this thesis explores data structures and algorithms which enable efficient yet secure primitives for outsourcing of data storage, while supporting mutable and versioned content (as opposed to just static or append-only data). This can ensure that feature-rich applications, such as collaborative and social applications, can be realized by leveraging on the proposed security techniques. We focus first on the integrity of data, which can then be readily used to also ascertain availability; second, we present techniques which incorporate elements of confidentiality; and finally, we focus on the consistency of the data shared among collaborators. For the purposes of this thesis, it is assumed that the collaborators are trusted. In reality, determining who to trust and provide access to a given set of data can be a challenging problem; however this is beyond the scope of the presented work.Doctor of Philosophy (SCE
Two-factor authentication for trusted third party free dispersed storage
We propose a trusted third party free protocol for secure (in terms of content access, manipulation, and confidentiality) data storage and multi-user collaboration over an infrastructure of untrusted storage servers. It is achieved by the application of data dispersal, encryption as well as two-factor (knowledge and possession) based authentication and access control techniques so that unauthorized parties (attackers) or a small set of colluding servers cannot gain access to the stored data. The protocol design takes into account usability issues as opposed to the closest prior work Esiner and Datta (2016). We explore the security implications of the proposed model with event tree analysis and report on experiment results to demonstrate the practicality of the approach concerning computational overheads. Given that the protocol does not rely on any trusted third party, and most operations including actual collaboration do not require users to be online simultaneously, it is suitable not only for traditional multi-cloud setups but also for edge/fog computing environments.Accepted versio
On query result integrity over encrypted data
We leverage on authenticated data structures to guarantee correctness and completeness of query results over encrypted data. Our contribution is in bridging two independent lines of work (searchable encryption, and provable data possession) resulting in a general purpose technique, which does so without increasing the client storage overhead, while only a small token and a data structure is added to the server side (in comparison to a base searchable encryption without mechanisms for determining result integrity), where the data structure can simultaneously also be used for integrity checks on the stored data.Accepted versio
Layered Security for Storage at the Edge: On Decentralized Multi-factor Access Control
In this paper we propose a protocol that allows end-users in a decentralized setup (without requiring any trusted third party) to protect data shipped to remote servers using two factors - knowledge (passwords) and possession (a time based one time password generation for authentication) that is portable. The protocol also supports revocation and recreation of a new possession factor if the older possession factor is compromised, provided the legitimate owner still has a copy of the possession factor. Furthermore, akin to some other recent works, our approach naturally protects the outsourced data from the storage servers themselves, by application of encryption and dispersal of information across multiple servers. We also extend the basic protocol to demonstrate how collaboration can be supported even while the stored content is encrypted, and where each collaborator is still restrained from accessing the data through a multi-factor access mechanism. Such techniques achieving layered security is crucial to (opportunistically) harness storage resources from untrusted entities.MOE (Min. of Education, S’pore)Accepted versio
FlexDPDP: FlexList-based Optimized Dynamic Provable Data Possession
With popularity of cloud storage, efficiently proving the integrity of data stored at an untrusted server has become significant. Authenticated Skip Lists and Rank-based Authenticated Skip Lists (RBASL) have been used in cloud storage to provide support for provable data update operations. In a dynamic file scenario, an RBASL falls short when updates are not proportional to a fixed block size; such an update to the file, however small, may translate to O(n) many block updates to the RBASL, for a file with n blocks. To overcome this problem, we introduce FlexList: Flexible Length-Based Authenticated Skip List. FlexList translates even variable-size updates to O(u) insertions, removals, or modifications, where u is the size of the update divided by the block size. We present various optimizations on the four types of skip lists (regular, authenticated, rank-based authenticated, and FlexList). We compute one single proof to answer multiple (non-)membership queries and obtain efficiency gains of 35%, 35 % and 40 % in terms of proof time, energy, and size, respectively. We also deployed our implementation of FlexDPDP (DPDP with FlexList instead of RBASL) on PlanetLab, demonstrating that FlexDPDP performs comparable to the most efficient static storage scheme (PDP), while providing dynamic data support