Biblio

We conduct formal verification of the divide and conquer key distribution scheme (DC DHKE)-a contributory group key agreement that uses a quasilinear amount of exponentiations with respect to the number of communicating parties. The verification is conducted using both ProVerif and TLA+ as tools. ProVerif is used to verify the protocol correctness as well as its security against passive attacker; while TLA+ is utilized to verify whether all participants in the protocol retrieve the mutual key simultaneously. We also verify the ING and GDH.3 protocol for comparative purposes. The verification results show that the ING, GDH.3, and DC DHKE protocols satisfy the pre-meditated correctness, security, and liveness properties. However, the GDH.3 protocol does not satisfy the liveness property stating that all participants obtain the mutual key at the same time.

Internet of Things refers to a paradigm consisting of a variety of uniquely identifiable day to day things communicating with one another to form a large scale dynamic network. Securing access to this network is a current challenging issue. This paper proposes an encryption system suitable to IoT features. In this system we integrated the fuzzy commitment scheme in DCT-based recognition method for fingerprint. To demonstrate the efficiency of our scheme, the obtained results are analyzed and compared with direct matching (without encryption) according to the most used criteria; FAR and FRR.

Networks have evolved very rapidly, which allow secret data transformation speedily through the Internet. However, the security of secret data has posed a serious threat due to openness of these networks. Thus, researchers draw their attention on cryptography field for this reason. Due to the traditional cryptographic techniques which are vulnerable to intruders nowadays. Deoxyribonucleic Acid (DNA) considered as a promising technology for cryptography field due to extraordinary data density and vast parallelism. With the help of the various DNA arithmetic and biological operations are also Blum Blum Shub (BBS) generator, a multi-level of DNA encryption algorithm is proposed here. The algorithm first uses the dynamic key generation to encrypt sensitive information as a first level; second, it uses BBS generator to generate a random DNA sequence; third, the BBS-DNA sequence spliced with a DNA Gen Bank reference to produce a new DNA reference. Then, substitution, permutation, and dynamic key are used to scramble the new DNA reference nucleotides locations. Finally, for further enhanced security, an injective mapping is established to combine encrypted information with encrypted DNA reference using Knight tour movement in Hadamard matrix. The National Institute of Standard and Technology (NIST) tests have been used to test the proposed algorithm. The results of the tests demonstrate that they effectively passed all the randomness tests of NIST which means they can effectively resist attack operations.

Kerberos is a third party and widely used authentication protocol, in which it enables computers to connect securely using a single sign-on over an insecure channel. It proves the identity of clients and encrypts all the communications between them to ensure data privacy and integrity. Typically, Kerberos composes of three communication phases to establish a secure session between any two clients. The authentication is based on a password-based scheme, in which it is a secret long-term key shared between the client and the Kerberos. Therefore, Kerberos suffers from a password-guessing attack, the main drawback of Kerberos. In this paper, we overcome this limitation by modifying the first initial phase using the virtual password and biometric data. In addition, the proposed protocol provides a strong authentication scenario against multiple types of attacks.

The security level is very important in Bluetooth, because the network or devices using secure communication, are susceptible to many attacks against the transmitted data received through eavesdropping. The cryptosystem designers needs to know the complexity of the designed Bluetooth E0. And what the advantages given by any development performed on any known Bluetooth E0Encryption method. The most important criteria can be used in evaluation method is considered as an important aspect. This paper introduce a proposed fuzzy logic technique to evaluate the complexity of Bluetooth E0Encryption system by choosing two parameters, which are entropy and correlation rate, as inputs to proposed fuzzy logic based Evaluator, which can be applied with MATLAB system.

Network security and data confidentiality of transmitted information are among the non-functional requirements of industrial wireless sensor networks (IWSNs) in addition to latency, reliability and energy efficiency requirements. Physical layer security techniques are promising solutions to assist cryptographic methods in the presence of an eavesdropper in IWSN setups. In this paper, we propose a physical layer security scheme, which is based on both insertion of an random error vector to forward error correction (FEC) codewords and transmission over decentralized relay nodes. Reed-Solomon and Golay codes are selected as FEC coding schemes and the security performance of the proposed model is evaluated with the aid of decoding error probability of an eavesdropper. The results show that security level is highly based on the location of the eavesdropper and secure communication can be achieved when some of channels between eavesdropper and relay nodes are significantly noisier.

A hardware Trojan (HT) denotes the malicious addition or modification of circuit elements. The purpose of this work is to improve the HT detection sensitivity in ICs using power side-channel analysis. This paper presents three detection techniques in power based side-channel analysis by increasing Trojan-to-circuit power consumption and reducing the variation effect in the detection threshold. Incorporating the three proposed methods has demonstrated that a realistic fine-grain circuit partitioning and an improved pattern set to increase HT activation chances can magnify Trojan detectability.

As cloud services greatly facilitate file sharing online, there's been a growing awareness of the security challenges brought by outsourcing data to a third party. Traditionally, the centralized management of cloud service provider brings about safety issues because the third party is only semi-trusted by clients. Besides, it causes trouble for sharing online data conveniently. In this paper, the blockchain technology is utilized for decentralized safety administration and provide more user-friendly service. Apart from that, Ciphertext-Policy Attribute Based Encryption is introduced as an effective tool to realize fine-grained data access control of the stored files. Meanwhile, the security analysis proves the confidentiality and integrity of the data stored in the cloud server. Finally, we evaluate the performance of computation overhead of our system.

This paper aims to explain static analysis techniques in detail, and to highlight the weaknesses and challenges which face it. To this end, more than 80 static analysis-based framework have been studied, and in their light, the process of detecting malicious applications has been divided into four phases that were explained in a schematic manner. Also, the features that is used in static analysis were discussed in detail by dividing it into four categories namely, Manifest-based features, code-based features, semantic features and app's metadata-based features. Also, the challenges facing methods based on static analysis were discussed in detail. Finally, a case study was conducted to test the strength of some known commercial antivirus and one of the stat-of-art academic static analysis frameworks against obfuscation techniques used by developers of malicious applications. The results showed a significant impact on the performance of the most tested antiviruses and frameworks, which is reflecting the urgent need for more accurately tools.

Many techniques have been presented to protect image content confidentiality. The owner of an image encrypts it using a key and transmits the encrypted image across a network. If the recipient is authorized to access the original content of the image, he can reconstruct it losslessly. However, if during the transmission the encrypted image is noised, some parts of the image can not be deciphered. In order to localize and correct these errors, we propose an approach based on the local Shannon entropy measurement. We first analyze this measure as a function of the block-size. We provide then a full description of our blind error localization and removal process. Experimental results show that the proposed approach, based on local entropy, can be used in practice to correct noisy encrypted images, even with blocks of very small size.

The primary objective of Cognitive Radio Networks (CRN) is to opportunistically utilize the available spectrum for efficient and seamless communication. Like all other radio networks, Cognitive Radio Network also suffers from a number of security attacks and Primary User Emulation Attack (PUEA) is vital among them. Primary user Emulation Attack not only degrades the performance of the Cognitive Radio Networks but also dissolve the objective of Cognitive Radio Network. Efficient and secure authentication of Primary Users (PU) is an only solution to mitigate Primary User Emulation Attack but most of the mechanisms designed for this are either complex or make changes to the spectrum. Here, we proposed a mechanism to authenticate Primary Users in Cognitive Radio Network which is neither complex nor make any changes to spectrum. The proposed mechanism is secure and also has improved the performance of the Cognitive Radio Network substantially.

Code obfuscation is the de facto standard to protect intellectual property when delivering code in an unmanaged environment. It relies on additive layers of code tangling techniques, white-box encryption calls and platform-specific or tool-specific countermeasures to make it harder for a reverse engineer to access critical pieces of data or to understand core algorithms. The literature provides plenty of different obfuscation techniques that can be used at compile time to transform data or control flow in order to provide some kind of protection against different reverse engineering scenarii. Scheduling code transformations to optimize a given metric is known as the pass scheduling problem, a problem known to be NP-hard, but solved in a practical way using hard-coded sequences that are generally satisfactory. Adding code obfuscation to the problem introduces two new dimensions. First, as a code obfuscator needs to find a balance between obfuscation and performance, pass scheduling becomes a multi-criteria optimization problem. Second, obfuscation passes transform their inputs in unconventional ways, which means some pass combinations may not be desirable or even valid. This paper highlights several issues met when blindly chaining different kind of obfuscation and optimization passes, emphasizing the need of a formal model to combine them. It proposes a non-intrusive formalism to leverage on sequential pass management techniques. The model is validated on real-world scenarii gathered during the development of an industrial-strength obfuscator on top of the LLVM compiler infrastructure.

This paper presents a theoretical background of main research activity focused on the evaluation of wiping/erasure standards which are mostly implemented in specific software products developed and programming for data wiping. The information saved in storage devices often consists of metadata and trace data. Especially but not only these kinds of data are very important in the process of forensic analysis because they sometimes contain information about interconnection on another file. Most people saving their sensitive information on their local storage devices and later they want to secure erase these files but usually there is a problem with this operation. Secure file destruction is one of many Anti-forensics methods. The outcome of this paper is to define the future research activities focused on the establishment of the suitable digital environment. This environment will be prepared for testing and evaluating selected wiping standards and appropriate eraser software.

Various communication protocols are currently used in the Internet of Things (IoT) devices. One of the protocols that are already standardized by ISO is MQTT protocol (ISO / IEC 20922: 2016). Many IoT developers use this protocol because of its minimal bandwidth requirement and low memory consumption. Sometimes, IoT device sends confidential data that should only be accessed by authorized people or devices. Unfortunately, the MQTT protocol only provides authentication for the security mechanism which, by default, does not encrypt the data in transit thus data privacy, authentication, and data integrity become problems in MQTT implementation. This paper discusses several reasons on why there are many IoT system that does not implement adequate security mechanism. Next, it also demonstrates and analyzes how we can attack this protocol easily using several attack scenarios. Finally, after the vulnerabilities of this protocol have been examined, we can improve our security awareness especially in MQTT protocol and then implement security mechanism in our MQTT system to prevent such attack.

Mathematical constructs are necessary for computation on the underlying algebraic structures of cryptosystems. They are often written in assembly language and optimized manually for efficiency. We develop a certified technique to verify low-level mathematical constructs in X25519, the default elliptic curve Diffie-Hellman key exchange protocol used in OpenSSH. Our technique translates an algebraic specification of mathematical constructs into an algebraic problem. The algebraic problem in turn is solved by the computer algebra system Singular. The proof assistant Coq certifies the translation and solution to algebraic problems. Specifications about output ranges and potential program overflows are translated to SMT problems and verified by SMT solvers. We report our case studies on verifying arithmetic computation over a large finite field and the Montgomery Ladderstep, a crucial loop in X25519.

Efficient trust management between nodes in a huge network is an essential requirement in modern networks. This work shows few generic primitive protocols for creating a trusted link between nodes by deploying unclonable physical tokens as Secret Unknown Ciphers. The proposed algorithms are making use of the clone-resistant physical identity of each participating node. Several generic node authentication protocols are presented. An intermediate node is shown to be usable as a mediator to build trust without having influence on the resulting security chain. The physical clone-resistant identities are using our early concept of Secret Unknown Cipher (SUC) technique. The main target of this work is to show the particular and efficient trust-chaining in large networks when SUC techniques are involved.

Cloud computing is becoming more and more popular day by day due to its maintenance, multitenancy and performance. Data owners are motivated to outsource their data to the cloud servers for resource pooling and productivity where multiple users can work on the same data concurrently. These servers offer great convenience and reduced cost for the computation, storage and management of data. But concerns can persist for loss of control over certain sensitive information. The complexity of security is largely intensified when data is distributed over a greater number of devices and data is shared among unrelated users. So these sensitive data should be encrypted for solving these security issues that many consumers cannot afford to tackle. In this paper, we present a dynamic searchable encryption scheme whose update operation can be completed by cloud server while reserving the ability to support multi-keyword ranked search. We have designed a scheme where dynamic operations on data like insert, update and delete are performed by cloud server without decrypting the data. Thus this scheme not only ensures dynamic operations on data but also provides a secure technique by performing those tasks without decryption. The state-of-the-art methods let the data users retrieve the data, re-encrypt it under the new policy and then send it again to the cloud. But our proposed method saves this high computational overhead by reducing the burden of performing dynamic operation by the data owners. The secure and widely used TF × IDF model is used along with kNN algorithm for construction of the index and generation of the query. We have used a tree-based index structure, so our proposed scheme can achieve a sub-linear search time. We have conducted experiments on Amazon EC2 cloud server with three datasets by updating a file, appending a file and deleting a file from the document collection and compared our result with the state-of-the-art method. Results show th- t our scheme has an average running time of 42ms which is 75% less than the existing method.

In the face of large-scale automated cyber-attacks to large online services, fast detection and remediation of compromised accounts are crucial to limit the spread of new attacks and to mitigate the overall damage to users, companies, and the public at large. We advocate a fully automated approach based on machine learning to enable large-scale online service providers to quickly identify potentially compromised accounts. We develop an early warning system for the detection of suspicious account activity with the goal of quick identification and remediation of compromised accounts. We demonstrate the feasibility and applicability of our proposed system in a four month experiment at a large-scale online service provider using real-world production data encompassing hundreds of millions of users. We show that - even using only login data, features with low computational cost, and a basic model selection approach - around one out of five accounts later flagged as suspicious are correctly predicted a month in advance based on one week's worth of their login activity.

The inherent nature of unattended sensors makes these devices most vulnerable to detection, exploitation, and denial in contested environments. Physical access is often cited as the easiest way to compromise any device or network. A new mechanism for mitigating these types of attacks developed under the Assistant Secretary of Defense for Research and Engineering, ASD(R&E) project, “Smoke Screen in Cyberspace”, was previously demonstrated in a live, over-the-air experiment. Smoke Screen encrypts, slices up, and disburses redundant fragments of files throughout the network. This paper describes enhancements to the disbursement of the file fragments routing improving the efficiency and time to completion of fragment distribution by defining the exact route, fragments should take to the destination. This is the first step in defining a custom protocol for the discovery of participating nodes and the efficient distribution of fragments in a mobile network. Future work will focus on the movement of fragments to avoid traffic analysis and avoid the collection of the entire fragment set that would enable an adversary to reconstruct the original piece of data.

Secure logging as an indispensable part of any secure system in practice is well-understood by both academia and industry. However, providing security for audit logs on an untrusted machine in a large distributed system is still a challenging task. The emergence and wide availability of log management tools prompted plenty of work in the security community that allows clients or auditors to verify integrity of the log data. Most recent solutions to this problem focus on the space-efficiency or public verifiability of forward security. Unfortunately, existing secure audit logging schemes have significant performance limitations that make them impractical for realtime large-scale distributed applications: Existing cryptographic hashing is computationally expensive for logging in task intensive or resource-constrained systems especially to prove individual log events, while Merkle-tree approach has fundamental limitations when face with highly concurrent, large-scale log streams due to its serially appending feature. The verification step of Merkle-tree based approach requiring a logarithmic number of hash computations is becoming a bottleneck to improve the overall performance. There is a huge gap between the flux of log streams collected and the computational efficiency of integrity verification in the large-scale distributed systems. In this work, we develop a novel scheme, performance of which favorably compares with the existing solutions. The performance guarantees that we achieve stem from a novel data structure called concurrent authenticated tree, which allows log events concurrently appending and removes the need to wait for append operations to complete sequentially. We implement a prototype using chameleon hashing based on discrete log and Merkle history tree. A comprehensive experimental evaluation of the proposed and existing approaches is used to validate the analytical models and verify our claims. The results demonstrate that our proposed scheme verifying in a concurrent way is significantly more efficient than the previous tree-based approach.

The past decade has shown us the power of cyber space and we getting dependent on the same. The exponential evolution in the domain has attracted attackers and defenders of technology equally. This inevitable domain has led to the increase in average human awareness and knowledge too. As we see the attack sophistication grow the protectors have always been a step ahead mitigating the attacks. A study of the various Threat Detection, Protection and Mitigation Systems revealed to us a common similarity wherein users have been totally ignored or the systems rely heavily on the user inputs for its correct functioning. Compiling the above we designed a study wherein user inputs were taken in addition to independent Detection and Prevention systems to identify and mitigate the risks. This approach led us to a conclusion that involvement of users exponentially enhances machine learning and segments the data sets faster for a more reliable output.

The de facto approach to Web security today is HTTPS. While HTTPS ensures complete security for clients and servers, it also interferes with transparent content-caching at middleboxes. To address this problem and support both security and caching, we propose a new approach to Web security and privacy called GroupSec. The key innovation of GroupSec is that it replaces the traditional session-based security model with a new model based on content group membership. We introduce the GroupSec security model and show how HTTP can be easily adapted to support GroupSec without requiring changes to browsers, servers, or middleboxes. Finally, we present results of a threat analysis and performance experiments which show that GroupSec achieves notable performance benefits at the client and server while remaining as secure as HTTPS.

Cloud-centric cognitive cellular networks utilize dynamic spectrum access and opportunistic network access technologies as a means to mitigate spectrum crunch and network demand. However, furnishing a carrier with personally identifiable information for user setup increases the risk of profiling in cognitive cellular networks, wherein users seek secondary access at various times with multiple carriers. Moreover, network access provisioning - assertion, authentication, authorization, and accounting - implemented in conventional cellular networks is inadequate in the cognitive space, as it is neither spontaneous nor scalable. In this paper, we propose a privacy-enhancing user identity management system using blockchain technology which places due importance on both anonymity and attribution, and supports end-to-end management from user assertion to usage billing. The setup enables network access using pseudonymous identities, hindering the reconstruction of a subscriber's identity. Our test results indicate that this approach diminishes access provisioning duration by up to 4x, decreases network signaling traffic by almost 40%, and enables near real-time user billing that may lead to approximately 3x reduction in payments settlement time.

In cloud storage, remote data integrity checking is considered as a crucial technique about data owners who upload enormous data to cloud server provider. A majority of the existing remote data integrity checking protocols rely on the expensive public key infrastructure. In addition, the verification of certificates needs heavy computation and communication cost. Meanwhile, the existing some protocols are not secure under the quantum computer attacks. However, lattice-based constructed cryptography can resist quantum computer attacks and is fairly effective, involving matrix-matrix or matrix-vector multiplications. So, we propose an identity-based remote data integrity checking protocol from lattices, which can eliminate the certificate management process and resist quantum computer attacks. Our protocol is completeness and provably secure based on the hardness small integer solution assumption. The presented scheme is secure against cloud service provider attacks, and leaks no any blocks of the stored file to the third party auditor during verification stage, namely the data privacy against the curiosity third party auditor attacks. The cloud service provider attack includes lost attack and tamper attack. Furthermore, the performance analysis of some protocols demonstrate that our protocol of remote data integrity checking is useful and efficient.

The importance of the task of countering the means of unauthorized access is to preserve the integrity of restricted access information circulating in computer networks determines the relevance of investigating perspective methods of cryptographic transformations, which are characterized by high speed and reliability of encryption. The methods of information security in the telecommunication system were researched based on integration of encryption processes and noise-immune coding. The method for data encryption based on generic polynomials of cyclic codes, gamut of the dynamic chaos sequence, and timer coding was proposed. The expediency of using timer coding for increasing the cryptographic strength of the encryption system and compensating for the redundancy of the verification elements was substantiated. The method for cryptographic transformation of data based on the gamma sequence was developed, which is formed by combining numbers from different sources of dynamical chaos generators. The efficiency criterion was introduced for the integrated information transformation method.