Zero Trust Network Security
A poster for the Pathways Student Showcase that includes a description of what Zero Trust Network Security is, the rough timeline for the initial stages of implementation here at KSC, who I am, and what I'm working on
A two‐step authentication framework for Mobile ad hoc networks
The lack of fixed infrastructure in ad hoc networks causes nodes to rely more heavily on peer nodes for communication. Nevertheless, establishing trust in such a distributed environment is very difficult, since it is not straightforward for a node to determine if its peer nodes can be trusted. An additional concern in such an environment is with whether a peer node is merely relaying a message or if it is the originator of the message. In this paper, we propose an authentication approach for protecting nodes in mobile ad hoc networks. The security requirements for protecting data link and network layers are identified and the design criteria for creating secure ad hoc networks using several authentication protocols are analyzed. Protocols based on zero knowledge and challenge response techniques are presented and their performance is evaluated through analysis and simulation
ZETA - Zero-Trust Authentication: Relying on Innate Human Ability, not Technology
Reliable authentication requires the devices and channels involved in the process to be trustworthy; otherwise authentication secrets can easily be compromised. Given the unceasing efforts of attackers worldwide, such trustworthiness is increasingly not a given. A variety of technical solutions, such as utilising multiple devices/channels and verification protocols, has the potential to mitigate the threat of untrusted communications to a certain extent. Yet such technical solutions make two assumptions: (1) users have access to multiple devices and (2) attackers will not resort to hacking the human, using social engineering techniques. In this paper, we propose and explore the potential of using human-based computation instead of solely technical solutions to mitigate the threat of untrusted devices and channels. ZeTA (Zero Trust Authentication on untrusted channels) has the potential to allow people to authenticate despite compromised channels or communications and easily observed usage. Our contributions are threefold: (1) We propose the ZeTA protocol with a formal definition and security analysis that utilises semantics and human-based computation to ameliorate the problem of untrusted devices and channels. (2) We outline a security analysis to assess the envisaged performance of the proposed authentication protocol. (3) We report on a usability study that explores the viability of relying on human computation in this context.
TRIDEnT: Building Decentralized Incentives for Collaborative Security
Sophisticated mass attacks, especially when exploiting zero-day vulnerabilities, have the potential to cause destructive damage to organizations and critical infrastructure. To timely detect and contain such attacks, collaboration among the defenders is critical. By correlating real-time detection information (alerts) from multiple sources (collaborative intrusion detection), defenders can detect attacks and take the appropriate defensive measures in time. However, although the technical tools to facilitate collaboration exist, real-world adoption of such collaborative security mechanisms is still underwhelming. This is largely due to a lack of trust and participation incentives for companies and organizations. This paper proposes TRIDEnT, a novel collaborative platform that aims to enable and incentivize parties to exchange network alert data, thus increasing their overall detection capabilities. TRIDEnT allows parties that may be in a competitive relationship to selectively advertise, sell and acquire security alerts in the form of (near) real-time peer-to-peer streams. To validate the basic principles behind TRIDEnT, we present an intuitive game-theoretic model of alert sharing, that is of independent interest, and show that collaboration is bound to take place infinitely often. Furthermore, to demonstrate the feasibility of our approach, we instantiate our design in a decentralized manner using Ethereum smart contracts and provide a fully functional prototype.
Comment: 28 pages
Social Security: What Would Happen If the Trust Funds Ran Out?
[Excerpt] Each year when the Social Security trustees release their annual report, attention is focused on the projection of the year that the Social Security trust funds will become insolvent. In their 2014 report, the Trustees projected that, under their intermediate assumptions and under current law, the Disability Insurance (DI) trust fund will become exhausted in 2016 and the Old-Age and Survivors Insurance (OASI) trust fund will do so in 2034. Although the two funds are legally separate, they are often described in combination. The trustees project that the combined Social Security trust funds will become exhausted in 2033.
Some Americans may believe that if the trust funds were exhausted, Social Security would be unable to pay any benefits. In fact, in 2033, the first year of projected insolvency of the combined Social Security trust funds, the program is projected to have enough tax revenue to pay about 77% of scheduled benefits; that percentage would decline to 72% by the end of the 75-year projection period.
Although benefits would be paid in some form, it is unclear how the necessary reductions would be implemented, because the Social Security Act does not specify what would happen to benefits if a trust fund became exhausted. One option would be to pay full benefit checks on a delayed schedule; another would be to make timely but reduced payments.
This report explains what the Social Security trust funds are and how they work. It describes the historical operations of the trust funds and the Social Security trustees’ projections of future operations. It explains what could happen if Congress allowed the trust funds to run out. It also analyzes two scenarios that assume Congress waits until the moment of insolvency to act, showing the magnitude of benefit cuts or tax increases needed and how such changes would affect beneficiaries
Just-in-Time Memoryless Trust for Crowdsourced IoT Services
We propose just-in-time memoryless trust for crowdsourced IoT services. We leverage the characteristics of the IoT service environment to evaluate their trustworthiness. A novel framework is devised to assess a service's trust without relying on previous knowledge, i.e., memoryless trust. The framework exploits service-session-related data to offer a trust value valid only during the current session, i.e., just-in-time trust. Several experiments are conducted to assess the efficiency of the proposed framework.
Comment: 8 pages, Accepted and to appear in 2020 IEEE International Conference on Web Services (ICWS). Content may change prior to final publication
Variable Bias Coin Tossing
Alice is a charismatic quantum cryptographer who believes her parties are unmissable; Bob is a (relatively) glamorous string theorist who believes he is an indispensable guest. To prevent possibly traumatic collisions of self-perception and reality, their social code requires that decisions about invitation or acceptance be made via a cryptographically secure variable bias coin toss (VBCT). This generates a shared random bit by the toss of a coin whose bias is secretly chosen, within a stipulated range, by one of the parties; the other party learns only the random bit. Thus one party can secretly influence the outcome, while both can save face by blaming any negative decisions on bad luck.
We describe here some cryptographic VBCT protocols whose security is guaranteed by quantum theory and the impossibility of superluminal signalling, setting our results in the context of a general discussion of secure two-party computation. We also briefly discuss other cryptographic applications of VBCT.
Comment: 14 pages, minor correction
Towards Enhanced Usability of IT Security Mechanisms - How to Design Usable IT Security Mechanisms Using the Example of Email Encryption
Nowadays, advanced security mechanisms exist to protect data, systems, and networks. Most of these mechanisms are effective, and security experts can handle them to achieve a sufficient level of security for any given system. However, most of these systems have not been designed with a focus on good usability for the average end user. Today, the average end user often struggles with understanding and using security mechanisms. Other security mechanisms are simply annoying for end users. As the overall security of any system is only as strong as the weakest link in this system, bad usability of IT security mechanisms may result in operating errors, resulting in insecure systems. Buying decisions of end users may be affected by the usability of security mechanisms. Hence, software providers may decide to better have no security mechanism than one with bad usability. Usability of IT security mechanisms is one of the most underestimated properties of applications and systems. Even IT security itself is often only an afterthought. Hence, usability of security mechanisms is often the afterthought of an afterthought. This paper presents some guidelines that should help software developers to improve end user usability of security-related mechanisms, and analyzes common applications based on these guidelines. Based on these guidelines, the usability of email encryption is analyzed and an email encryption solution with increased usability is presented. The approach is based on automated key and trust management. The compliance of the proposed email encryption solution with the presented guidelines for usable security mechanisms is evaluated.
