Biblio

Cloud Computing is an important term of modern technology. The usefulness of Cloud is increasing day by day and simultaneously more and more security problems are arising as well. Two of the major threats of Cloud are improper authentication and multi-tenancy. According to the specialists both pros and cons belong to multi-tenancy. There are security protocols available but it is difficult to claim these protocols are perfect and ensure complete protection. The purpose of this paper is to propose an integrated model to ensure better Cloud security for Authentication and multi-tenancy. Multi-tenancy means sharing of resources and virtualization among clients. Since multi-tenancy allows multiple users to access same resources simultaneously, there is high probability of accessing confidential data without proper privileges. Our model includes Kerberos authentication protocol to enhance authentication security. During our research on Kerberos we have found some flaws in terms of encryption method which have been mentioned in couple of IEEE conference papers. Pondering about this complication we have elected Elliptic Curve Cryptography. On the other hand, to attenuate arose risks due to multi-tenancy we are proposing a Resource Allocation Manager Unit, a Control Database and Resource Allocation Map. This part of the model will perpetuate resource allocation for the users.

The Internet of Things is stepping out of its infancy into full maturity, requiring massive data processing and storage. Unfortunately, because of the unique characteristics of resource constraints, short-range communication, and self-organization in IoT, it always resorts to the cloud or fog nodes for outsourced computation and storage, which has brought about a series of novel challenging security and privacy threats. For this reason, one of the critical challenges of having numerous IoT devices is the capacity to manage them and their data. A specific concern is from which devices or Edge clouds to accept join requests or interaction requests. This paper discusses a design concept for developing the IoT data management platform, along with a data management and lineage traceability implementation of the platform based on blockchain and smart contracts, which approaches the two major challenges: how to implement effective data management and enrich rational interoperability for trusted groups of linked Things; And how to settle conflicts between untrusted IoT devices and its requests taking into account security and privacy preserving. Experimental results show that the system scales well with the loss of computing and communication performance maintaining within the acceptable range, works well to effectively defend against unauthorized access and empower data provenance and transparency, which verifies the feasibility and efficiency of the design concept to provide privacy, fine-grained, and integrity data management over the IoT devices by introducing the blockchain-based data management platform.

The confidentiality of data stored in embedded and handheld devices has become an urgent necessity more than ever before. Encryption of sensitive data is a well-known technique to preserve their confidentiality, however it comes with certain costs that can heavily impact the device processing resources. Utilizing multicore processors, which are equipped with current embedded devices, has brought a new era to enhance data confidentiality while maintaining suitable device performance. Encrypting the complete storage area, also known as Full Disk Encryption (FDE) can still be challenging, especially with newly emerging massive storage systems. Alternatively, since the most user sensitive data are residing inside persisting databases, it will be more efficient to focus on securing SQLite databases, through encryption, where SQLite is the most common RDBMS in handheld and embedded systems. This paper addresses the problem of ensuring data protection in embedded and mobile devices while maintaining suitable device performance by mitigating the impact of encryption. We presented here a proposed design for a parallel database encryption system, called SQLite-XTS. The proposed system encrypts data stored in databases transparently on-the-fly without the need for any user intervention. To maintain a proper device performance, the system takes advantage of the commodity multicore processors available with most embedded and mobile devices.

Security attacks against Internet of Things (IoT) are on the rise and they lead to drastic consequences. Data confidentiality is typically based on a strong symmetric-key algorithm to guard against confidentiality attacks. However, there is a need to design an efficient lightweight cipher scheme for a number of applications for IoT systems. Recently, a set of lightweight cryptographic algorithms have been presented and they are based on the dynamic key approach, requiring a small number of rounds to minimize the computation and resource overhead, without degrading the security level. This paper follows this logic and provides a new flexible lightweight cipher, with or without chaining operation mode, with a simple round function and a dynamic key for each input message. Consequently, the proposed cipher scheme can be utilized for real-time applications and/or devices with limited resources such as Multimedia Internet of Things (MIoT) systems. The importance of the proposed solution is that it produces dynamic cryptographic primitives and it performs the mixing of selected blocks in a dynamic pseudo-random manner. Accordingly, different plaintext messages are encrypted differently, and the avalanche effect is also preserved. Finally, security and performance analysis are presented to validate the efficiency and robustness of the proposed cipher variants.

In the paradigm of network coding, information-theoretic security is considered in the presence of wiretappers, who can access one arbitrary edge subset up to a certain size, referred to as the security level. Secure network coding is applied to prevent the leakage of the source information to the wiretappers. In this paper, we consider the problem of secure network coding for flexible pairs of information rate and security level with any fixed dimension (equal to the sum of rate and security level). We present a novel approach for designing a secure linear network code (SLNC) such that the same SLNC can be applied for all the rate and security-level pairs with the fixed dimension. We further develop a polynomial-time algorithm for efficient implementation and prove that there is no penalty on the required field size for the existence of SLNCs in terms of the best known lower bound by Guang and Yeung. Finally, by applying our approach as a crucial building block, we can construct a family of SLNCs that not only can be applied to all possible pairs of rate and security level but also share a common local encoding kernel at each intermediate node in the network.

Ransomware attacks are a prevalent cybersecurity threat to every user and enterprise today. This is attributed to their polymorphic behaviour and dispersion of inexhaustible versions due to the same ransomware family or threat actor. A certain ransomware family or threat actor repeatedly utilises nearly the same style or codebase to create a vast number of ransomware versions. Therefore, it is essential for users and enterprises to keep well-informed about this threat landscape and adopt proactive prevention strategies to minimise its spread and affects. This requires a technique to detect ransomware samples to determine the similarity and link with the known ransomware family or threat actor. Therefore, this paper presents a detection method for ransomware by employing a combination of a similarity preserving hashing method called fuzzy hashing and a clustering method. This detection method is applied on the collected WannaCry/WannaCryptor ransomware samples utilising a range of fuzzy hashing and clustering methods. The clustering results of various clustering methods are evaluated through the use of the internal evaluation indexes to determine the accuracy and consistency of their clustering results, thus the effective combination of fuzzy hashing and clustering method as applied to the particular ransomware corpus. The proposed detection method is a static analysis method, which requires fewer computational overheads and performs rapid comparative analysis with respect to other static analysis methods.

Image encryption is an essential part of a Visual Cryptography. Existing traditional sequential encryption techniques are infeasible to real-time applications. High-performance reformulations of such methods are increasingly growing over the last decade. These reformulations proved better performances over their sequential counterparts. A rotational encryption scheme encrypts the images in such a way that the decryption is possible with the rotated encrypted images. A parallel rotational encryption technique makes use of a high-performance device. But it less-leverages the optimizations offered by them. We propose a rotational image encryption technique which makes use of memory coalescing provided by the Compute Unified Device Architecture (CUDA). The proposed scheme achieves improved global memory utilization and increased efficiency.

The analysis of applied tasks and methods of entropy signal processing are carried out in this article. The theoretical comments about the specific schemes of special processors for the determination of probability and correlation activity are given. The perspective of the influence of probabilistic entropy of C. Shannon as cipher signal receivers is reviewed. Examples of entropy-manipulated signals and system characteristics of the proposed special processors are given.

This project enhances the security in which Ad Hoc On-Demand Distance Vector (AODV) routing protocol for MANETs with the game theoretical approach. This is achieved by using public key and private key for encryption and decryption processes. Proactive and reactive method is implemented in the proposed system. Reactive method is done in identification process but in proactive method is used to identify the nodes and also block the hackers node, then change the direction of data transmission to good nodes. This application can be used in military, research, confidential and emergency circumferences.

This article will consider the probability test of Solovey-Strassen, to determine the simplicity of the number and its possible modifications. This test allows for the shortest possible time to determine whether the number is prime or not. C\# programming language was used to implement the algorithm in practice.

With the rising popularity of file-sharing services such as Google Drive and Dropbox in the workflows of individuals and corporations alike, the protection of client-outsourced data from unauthorized access or tampering remains a major security concern. Existing cryptographic solutions to this problem typically require server-side support, involve non-trivial key management on the part of users, and suffer from severe re-encryption penalties upon access revocations. This combination of performance overheads and management burdens makes this class of solutions undesirable in situations where performant, platform-agnostic, dynamic sharing of user content is required. We present NEXUS, a stackable filesystem that leverages trusted hardware to provide confidentiality and integrity for user files stored on untrusted platforms. NEXUS is explicitly designed to balance security, portability, and performance: it supports dynamic sharing of protected volumes on any platform exposing a file access API without requiring server-side support, enables the use of fine-grained access control policies to allow for selective sharing, and avoids the key revocation and file re-encryption overheads associated with other cryptographic approaches to access control. This combination of features is made possible by the use of a client-side Intel SGX enclave that is used to protect and share NEXUS volumes, ensuring that cryptographic keys never leave enclave memory and obviating the need to reencrypt files upon revocation of access rights. We implemented a NEXUS prototype that runs on top of the AFS filesystem and show that it incurs ×2 overhead for a variety of common file and database operations.

Deep Packet Inspection (DPI) is instrumental in investigating the presence of malicious activity in network traffic and most existing DPI tools work on unencrypted payloads. As the internet is moving towards fully encrypted data-transfer, there is a critical requirement for privacy-aware techniques to efficiently decrypt network payloads. Until recently, passive proxying using certain aspects of TLS 1.2 were used to perform decryption and further DPI analysis. With the introduction of TLS 1.3 standard that only supports protocols with Perfect Forward Secrecy (PFS), many such techniques will become ineffective. Several security solutions will be forced to adopt active proxying that will become a big-data problem considering the velocity and veracity of network traffic involved. We have developed an ABAC (Attribute Based Access Control) framework that efficiently supports existing DPI tools while respecting user's privacy requirements and organizational policies. It gives the user the ability to accept or decline access decision based on his privileges. Our solution evaluates various observed and derived attributes of network connections against user access privileges using policies described with semantic technologies. In this paper, we describe our framework and demonstrate the efficacy of our technique with the help of use-case scenarios to identify network connections that are candidates for Deep Packet Inspection. Since our technique makes selective identification of connections based on policies, both processing and memory load at the gateway will be reduced significantly.

This article presents a practical approach for secure key exchange exploiting reciprocity in wireless transmission. The method relies on the reciprocal channel phase to mask points of a Phase Shift Keying (PSK) constellation. Masking is achieved by adding (modulo 2π) the measured reciprocal channel phase to the PSK constellation points carrying some of the key bits. As the channel phase is uniformly distributed in [0, 2π], knowing the sum of the two phases does not disclose any information about any of its two components. To enlarge the key size over a static or slow fading channel, the Radio Frequency (RF) propagation path is perturbed to create independent realizations of multi-path fading. Prior techniques have relied on quantizing the reciprocal channel state measured at the two ends and thereby suffer from information leakage in the process of key consolidation (ensuring the two ends have access to the same key). The proposed method does not suffer from such shortcomings as raw key bits can be equipped with Forward Error Correction (FEC) without affecting the masking (zero information leakage) property. To eavesdrop a phase value shared in this manner, the Eavesdropper (Eve) would require to solve a system of linear equations defined over angles, each equation corresponding to a possible measurement by the Eve. Channel perturbation is performed such that each new channel state creates an independent channel realization for the legitimate nodes, as well as for each of Eves antennas. As a result, regardless of the Eves Signal-to-Noise Ratio (SNR) and number of antennas, Eve will always face an under-determined system of equations. On the other hand, trying to solve any such under-determined system of linear equations in terms of an unknown phase will not reveal any useful information about the actual answer, meaning that the distribution of the answer remains uniform in [0, 2π].

Blockchain technology is useful with the record keeping of digital transactions, IoT, supply chain management etc. However, we have observed that the traditional attacks are possible on blockchain due to lack of robust identity management. We found that Sybil attack can cause severe impact in public/permissionless blockchain, in which an attacker can subvert the blockchain by creating a large number of pseudonymous identities (i.e. Fake user accounts) and push legitimate entities in the minority. Such virtual nodes can act like genuine nodes to create disproportionately large influence on the network. This may lead to several other attacks like DoS, DDoS etc. In this paper, a Sybil attack is demonstrated on a blockchain test bed with its impact on the throughput of the system. We propose a solution directive, in which each node monitors the behavior of other nodes and checks for the nodes which are forwarding the blocks of only particular user. Such nodes are quickly identified, blacklisted and notified to other nodes, and thus the Sybil attack can be restricted. We analyze experimental results of the proposed solution.

Searchable encryption server protects privacal data of data owner from leaks. This paper analyzes the security of a multi-user searchable encryption scheme and points out that this scheme does not satisfy the invisibility of trapdoors. In order to improve the security of the original scheme, this paper proposes a probably secure multi-user multi-keyword searchable encryption scheme. New secheme not only ensures the confidentiality of the cipher text keyword, but also does not increase the encryption workload of the data owner when the new data user joins. In the random oracle model, based on the hard problem of decisional Diffie-Hellman, it is proved that the scheme has trapdoor indistinguishability. In the end, obtained by the simulation program to achieve a new computationally efficient communication at low cost.

Due to the importance of securing electronic transactions, many cryptographic protocols have been employed, that mainly depend on distributed keys between the intended parties. In classical computers, the security of these protocols depends on the mathematical complexity of the encoding functions and on the length of the key. However, the existing classical algorithms 100% breakable with enough computational power, which can be provided by quantum machines. Moving to quantum computation, the field of security shifts into a new area of cryptographic solutions which is now the field of quantum cryptography. The era of quantum computers is at its beginning. There are few practical implementations and evaluations of quantum protocols. Therefore, the paper defines a well-known quantum key distribution protocol which is BB84 then provides a practical implementation of it on IBM QX software. The practical implementations showed that there were differences between BB84 theoretical expected results and the practical implementation results. Due to this, the paper provides a statistical analysis of the experiments by comparing the standard deviation of the results. Using the BB84 protocol the existence of a third-party eavesdropper can be detected. Thus, calculations of the probability of detecting/not detecting a third-party eavesdropping have been provided. These values are again compared to the theoretical expectation. The calculations showed that with the greater number of qubits, the percentage of detecting eavesdropper will be higher.

We propose a new spam detection approach based solely on meta data features gained from email headers. The approach achieves above 99 % classification accuracy on the CSDMC2010 dataset, which matches or surpasses state-of-the-art spam classifiers. We utilize a static set of engineered features, supplemented with automatically extracted features. The approach is just as effective for spam detection in end-to-end encryption, as our feature set remains unchanged for encrypted emails. In contrast to most established spam detectors, we disregard the email body completely and can therefore deliver very high classification speeds, as computationally expensive text preprocessing is not necessary.

Diffie-Hellman and RSA encryption/decryption involve computationally intensive cryptographic operations such as modular exponentiation. Computing modular exponentiation using appropriate pre-computed pairs of bases and exponents was first proposed by Boyko et al. In this paper, we present a reconfigurable architecture for pre-computation methods to compute modular exponentiation and thereby speeding up RSA and Diffie-Hellman like protocols. We choose Diffie-Hellman key pair (a, ga mod p) to illustrate the efficiency of Boyko et al's scheme in hardware architecture that stores pre-computed values ai and corresponding gai in individual block RAM. We use a Pseudo-random number generator (PRNG) to randomly choose ai values that are added and corresponding gai values are multiplied using modular multiplier to arrive at a new pair (a, ga mod p). Further, we present the advantage of using Montgomery and interleaved methods for batch multiplication to optimise time and area. We show that a 1024-bit modular exponentiation can be performed in less than 73$μ$s at a clock rate of 200MHz on a Xilinx Virtex 7 FPGA.

This paper studies and describes encrypted communication between IoT cloud and IoT embedded systems. It uses encrypted MQTTS protocol with SSL/TLS certificate. A JSON type data format is used between the cloud structure and the IoT device. The embedded system used in this experiment is Esp32 Wrover. The IoT embedded system measures temperature and humidity from a sensor DHT22. The architecture and software implementation of the experimental stage are also presented.

Accurate network traffic identification is an important basis for network traffic monitoring and data analysis, and is the key to improve the quality of user service. In this paper, through the analysis of two network traffic identification methods based on machine learning and deep packet inspection, a network traffic identification method based on machine learning and deep packet inspection is proposed. This method uses deep packet inspection technology to identify most network traffic, reduces the workload that needs to be identified by machine learning method, and deep packet inspection can identify specific application traffic, and improves the accuracy of identification. Machine learning method is used to assist in identifying network traffic with encryption and unknown features, which makes up for the disadvantage of deep packet inspection that can not identify new applications and encrypted traffic. Experiments show that this method can improve the identification rate of network traffic.

With the rapid development of the contemporary society, wide use of smart phone and vehicle sensing devices brings a huge influence on the extensive data collection. Network coding can only provide weak security privacy protection. Aiming at weak secure feature of network coding, this paper proposes an information transfer mechanism, Weak Security Network Coding with Homomorphic Encryption (HE-WSNC), and it is integrated into routing policy. In this mechanism, a movement model is designed, which allows information transmission process under Wi-Fi and Bluetooth environment rather than consuming 4G data flow. Not only does this application reduce the cost, but also improve reliability of data transmission. Moreover, it attracts more users to participate.

As cloud services enter the Internet market, cloud security issues are gradually exposed. In the era of knowledge economy, the unique potential value of big data is being gradually explored. However, the control of data security is facing many challenges. According to the development status and characteristics of database within the cloud environment, this paper preliminary studies on the database security risks faced by the “three-clouds” of State Grid Corporation of China. Based on the mature standardization of information security, this paper deeply studies the database security requirements of cloud environment, and six-step method for cloud database protection is presented, which plays an important role in promoting development of security work for the cloud database. Four key technologies of cloud database security protection are introduced, including database firewall technology, sensitive data encryption, production data desensitization, and database security audit technology. It is helpful to the technology popularization of the grade protection in the security of the cloud database, and plays a great role in the construction of the security of the state grid.

With the unprecedented prevalence of mobile network applications, cryptographic protocols, such as the Secure Socket Layer/Transport Layer Security (SSL/TLS), are widely used in mobile network applications for communication security. The proven methods for encrypted video stream classification or encrypted protocol detection are unsuitable for the SSL/TLS traffic. Consequently, application-level traffic classification based networking and security services are facing severe challenges in effectiveness. Existing encrypted traffic classification methods exhibit unsatisfying accuracy for applications with similar state characteristics. In this paper, we propose a multiple-attribute-based encrypted traffic classification system named Multi-Attribute Associated Fingerprints (MAAF). We develop MAAF based on the two key insights that the DNS traces generated during the application runtime contain classification guidance information and that the handshake certificates in the encrypted flows can provide classification clues. Apart from the exploitation of key insights, MAAF employs the context of the encrypted traffic to overcome the attribute-lacking problem during the classification. Our experimental results demonstrate that MAAF achieves 98.69% accuracy on the real-world traceset that consists of 16 applications, supports the early prediction, and is robust to the scale of the training traceset. Besides, MAAF is superior to the state-of-the-art methods in terms of both accuracy and robustness.

Network attacks have become a growing threat to the current Internet. For the enhancement of network security and accountability, it is urgent to find the origin and identity of the adversary who misbehaves in the network. Some studies focus on embedding users' identities into IPv6 addresses, but such design cannot support the Stateless Address Autoconfiguration (SLAAC) protocol which is widely deployed nowadays. In this paper, we propose SDN-Ti, a general solution to traceback and identification for attackers in IPv6 networks based on Software Defined Network (SDN). In our proposal, the SDN switch performs a translation between the source IPv6 address of the packet and its trusted ID-encoded address generated by the SDN controller. The network administrator can effectively identify the attacker by parsing the malicious packets when the attack incident happens. Our solution not only avoids the heavy storage overhead and time synchronism problems, but also supports multiple IPv6 address assignment scenarios. What's more, SDN-Ti does not require any modification on the end device, hence can be easily deployed. We implement SDN-Ti prototype and evaluate it in a real IPv6 testbed. Experiment results show that our solution only brings very little extra performance cost, and it shows considerable performance in terms of latency, CPU consumption and packet loss compared to the normal forwarding method. The results indicate that SDN-Ti is feasible to be deployed in practice with a large number of users.

In cloud computing application scenarios involving computationally weak clients, the natural need for applied cryptography solutions requires the delegation of the most expensive cryptography algorithms to a computationally stronger cloud server. Group exponentiation is an important operation used in many public-key cryptosystems and, more generally, cryptographic protocols. Solving the problem of delegating group exponentiation in the case of a single, possibly malicious, server, was left open since early papers in the area. Only recently, we have solved this problem for a large class of cyclic groups, including those commonly used in cryptosystems proved secure under the intractability of the discrete logarithm problem. In this paper we solve this problem for an important class of non-cyclic groups, which includes RSA groups when the modulus is the product of two safe primes, a common setting in applications using RSA-based cryptosystems. We show a delegation protocol for fixed-exponent exponentiation in such groups, satisfying natural correctness, security, privacy and efficiency requirements, where security holds with exponentially small probability. In our protocol, with very limited offline computation and server computation, a client can delegate an exponentiation to an exponent of the same length as a group element by only performing two exponentiations to an exponent of much shorter length (i.e., the length of a statistical parameter). We obtain our protocol by a non-trivial adaptation to the RSA group of our previous protocol for cyclic groups.