Enhanced secure interface for a portable e-voting terminal

This paper presents an enhanced interface for an e-voting client application that partially runs inside a small, portable terminal with reduced interaction capabilities. The interface was enhanced by cooperating with the hosting computer where the terminal is connected to: the hosting computer shows a detailed image of the filled ballot. The displayed image does not convey any personal information, namely the voter's choices, to the hosting computer; voter's choices are solely presented at the terminal. Furthermore, the image contains visual authentication elements that can be validated by the voter using information presented at the terminal. This way, hosting computers are not able to gather voters' choices or to deceive voters, by presenting tampered ballots, without being noticed

Protection of LAN-wide, P2P interactions: a holistic approach

This article advocates the need of a holistic approach to protect LAN interactions and presents a solution for implementing it based on secure LAN (SLAN), a novel security architecture. SLAN uses the 802.1X access control mechanisms and is supported by a key distribution centre (KDC) built upon an 802.1X authentication server. The KDC is used, together with a new host identification policy and modified DHCP servers, to provide proper resource allocation and message authentication in DHCP transactions. The KDC is used to authenticate ARP transactions and to distribute session keys to pairs of LAN hosts, allowing them to set up arbitrary, LAN-wide peer-to-peer security associations using such session keys. We show how PPPoE and IPSec security associations may be instantiated and present a prototype implementation for IPSec

Social networking for anonymous communication systems: a survey

Anonymous communication systems have been around for sometime, providing anonymity, enhanced privacy, and censorship circumvention. A lot has been done, since Chaum's seminal paper on mix networks, in preventing attacks able to undermine the anonymity provided by these systems. This, however, is goal difficult to achieve due to the de-centralized nature of these systems. In the end it boils down to finding a subset of trusted nodes to be placed in critical positions of the communication path. But the question remains: "How to know if a given node can be trusted?". In this paper we present a survey of a new research area which goal is to exploit trust in social links to solve some of the shortcomings of anonymous communication systems. Recent research shows that by using social networking features it is possible to prevent traffic analysis attacks and even detect Sybil attacks

Identification of source applications for enhanced traffic analysis and anomaly detection

This article presents an architecture for managing the identification of applications responsible for generating traffic in a network. The identification is to be explored by network auditing systems, which cooperate with surveyed systems to get the relevant information about the source applications. The ultimate goal of the system is to provide network auditors, such as NIDS, enough information about the exact sources of network traffic. This way, auditors are able to detect unauthorized applications or to detect anomalies in the traffic created by known applications, possibly as a consequence of the action of some malware in the source application or host

Packet tagging system for enhanced traffic profiling

This paper describes the design and implementation of a system for managing the tagging of traffic, in order to create detailed personal and applicational profiles. The ultimate goal of this separation is to facilitate the task of traffic auditing tools, namely in their struggle against botnets. The architecture was designed for domestic or enterprise facilities and uses the 802. IX authentication architecture as the base support infrastructure for dealing with unequivocal traffic binding to specific entities (persons or servers). Simultaneously, such binding uses virtual identities and encryption for preserving the privacy and protection of traffic originators from network eavesdroppers other than authorized traffic auditors. The traffic from each known originator is profiled with some detail, namely it includes a role tag and an application tag. Role tags are defined by originators and only partially follow a standard policy. On the contrary, application tags should follow a standard policy in order to reason about abnormal scenarios raised when correlating traffic from several instances of the same application. A first prototype was developed for Linux, using iptables and FreeRADIUS and conveying packet tagging information on a new IP option field

Biometric authentication using brain responses to visual stimuli

This paper studies the suitability of brain activity, namely electroencephalogram signals, as raw material for conducting biometrie authentication of individuals. Brain responses were extracted with visual stimulation, leading to biological brain responses known as Visual Evoked Potentials. We evaluated a novel method, using only 8 occipital electrodes and the energy of differential EEG signals, to extract information about the subjects for further use as their biometrie features. To classify the features obtained from each individual, we used a one-class classifier per subject and we tested four types of classifiers: K-Nearest Neighbor, Support Vector Data Description and two other classifiers resulting from the combination of the two ones previously mentioned. After testing these four classifiers with features of 70 subjects, the results showed that visual evoked potentials are suitable for an accurate biometrie authentication

Analysis of hybrid relaying in cooperative WLAN

An ever-growing demand for higher data-rates has facilitated the growth of wireless networks in the past decades. Nevertheless, wireless technologies face performance limitations due to unstable wireless conditions and mobility of devices. In face of multi-path propagation and low data-rate stations, cooperative relaying promises gains in performance and reliability. However, cooperation procedures are unstable and introduce overhead that can endanger performance. In this paper we analyze the performance of a hybrid relaying protocol build based on the combination of opportunistic and broadcast-based relaying approaches. Hybrid relaying aims to increase the transmission capacity of wireless networks (proactive operation) when compared to proactive opportunistic and broadcast-based approaches due to rectifying the setbacks involved in those approaches, while adding a reactive approach to recover from failed transmissions. © 2013 IEEE

Authentication of professionals in the RTS e-Health system

This paper describes the design and implementation of a PKI-based e-Health authentication architecture. This architecture was developed to authenticate e-Health Professionals accessing RTS (Rede Telemática da Saúde), a regional platform for sharing clinical data among a set of affiliated health institutions. The architecture had to accommodate specific RTS requirements, namely the security of Professionals' credentials, the mobility of Professionals, and the scalability to accommodate new health institutions. The adopted solution uses short lived certificates and cross-certification agreements between RTS and e-Health institutions for authenticating Professionals accessing the RTS. These certificates carry as well the Professional's role at their home institution for role-based authorization. Trust agreements between health institutions and RTS are necessary in order to make the certificates recognized by the RTS. As a proof of concept, a prototype was implemented with Windows technology. The presented authentication architecture is intended to be applied to other medical telematic systems

Secure and trustworthy file sharing over cloud storage using eID tokens

This paper presents a multi-platform, open-source application that aims to protect data stored and shared in existing cloud storage services. The access to the cryptographic material used to protect data is implemented using the identification and authentication functionalities of national electronic identity (eID) tokens. All peer to peer dialogs to exchange cryptographic material is implemented using the cloud storage facilities. Furthermore, we have included a set of mechanisms to prevent files from being permanently lost or damaged due to concurrent modification, deletion and malicious tampering. We have implemented a prototype in Java that is agnostic relatively to cloud storage providers; it only manages local folders, one of them being the local image of a cloud folder. We have successfully tested our prototype in Windows, Mac OS X and Linux, with Dropbox, OneDrive, Google Drive and SugarSync

A 3GPP open-ID framework

Currently Mobile Network Operators (MNO) rely on an authentication, authorization and profile management architecture which has proved, by its generalized use and acceptance, as being appropriate. The use of a secure component, the SIM-Card, provides a set of capabilities not seen in other access architectures and an advantage for MNOs. Nevertheless upcoming requirements in terms of open interfaces, new services and customer demands are questioning the actual architecture. This paper presents a novel approach to authentication and profile management that can be reused by both MNOs and 3rd party providers to answer the upcoming requirements. Here, a user is able to store his own identity information in different places, while taking advantage of the strong authentication mechanisms provided by the MNO. Furthermore, by integrating MNOs' generic authentication architecture with user-centric identity management, we are creating a generic way for service providers to reuse this authentication infrastructure, providing both single sign-on and strong authentication. Copyright © 2010 The authors