Biblio

With the rapid development of general cloud services, more and more individuals or collectives use cloud platforms to store data. Assured data deletion deserves investigation in cloud storage. In time-sensitive data storage scenarios, it is necessary for cloud platforms to automatically destroy data after the data owner-specified expiration time. Therefore, assured time-sensitive data deletion should be sought. In this paper, a fine-grained assured time-sensitive data deletion (ATDD) scheme in cloud storage is proposed by embedding the time trapdoor in Ciphertext-Policy Attribute-Based Encryption (CP-ABE). Time-sensitive data is self-destructed after the data owner-specified expiration time so that the authorized users cannot get access to the related data. In addition, a credential is returned to the data owner for data deletion verification. This proposed scheme provides solutions for fine-grained access control and verifiable data self-destruction. Detailed security and performance analysis demonstrate the security and the practicability of the proposed scheme.

In the smart grid, the sharing of power data among various energy entities can make the data play a higher value. However, there may be unauthorized access while sharing data, which makes many entities unwilling to share their data to prevent data leakage. Based on blockchain and ABAC (Attribute-based Access Control) technology, this paper proposes an access control scheme, so that users can achieve fine-grained access control of their data when sharing them. The solution uses smart contract to achieve automated and reliable policy evaluation. IPFS (Interplanetary File System) is used for off-chain distributed storage to share the storage pressure of blockchain and guarantee the reliable storage of data. At the same time, all processes in the system are stored in the blockchain, ensuring the accountability of the system. Finally, the experiment proves the feasibility of the proposed scheme.

The 5G research community is increasingly leveraging the innovative features offered by Information Centric Networking (ICN). However, ICN’s fundamental features, such as in-network caching, make access control enforcement more challenging in an ICN-based 5G deployment. To address this shortcoming, we propose a Blockchain-based Decentralized Authentication Protocol (BDAP) which enables efficient and secure mobile user authentication in an ICN-based 5G network. We show that BDAP is robust against a variety of attacks to which mobile networks and blockchains are particularly vulnerable. Moreover, a preliminary performance analysis suggests that BDAP can reduce the authentication delay compared to the standard 5G authentication protocols.

With memory safety and security issues continuing to plague modern systems, security is rapidly becoming a first class priority in new architectures and competes directly with performance and power efficiency. The capability-based architecture model provides a promising solution to many memory vulnerabilities by replacing plain addresses with capabilities, i.e., addresses and related metadata. A key advantage of the capability model is compatibility with existing code bases. Capabilities can be implemented transparently to a programmer, i.e., without source code changes. Capabilities leverage semantics in source code to describe access permissions but require customized compilers to translate the semantics to their binary equivalent.In this work, we introduce a complete capabilityaware compiler toolchain for such secure architectures. We illustrate the compiler construction with a RISC-V capability-based architecture, called Zeno. As a securityfocused, large-scale, global shared memory architecture, Zeno implements a Namespace-based capability model for accesses. Namespace IDs (NSID) are encoded with an extended addressing model to associate them with access permission metadata elsewhere in the system. The NSID extended addressing model requires custom compiler support to fully leverage the protections offered by Namespaces. The Zeno compiler produces code transparently to the programmer that is aware of Namespaces and maintains their integrity. The Zeno assembler enables custom Zeno instructions which support secure memory operations. Our results show that our custom toolchain moderately increases the binary size compared to nonZeno compilation. We find the minimal overhead incurred by the additional NSID management instructions to be an acceptable trade-off for the memory safety and security offered by Zeno Namespaces.

In this paper, we proposed a data security model of a big data analytical environment in the financial sector. Big Data can be seen as a trend in the advancement of technology that has opened the door to a new approach to understanding and decision making that is used to describe the vast amount of data (structured, unstructured and semi-structured) that is too time consuming and costly to load a relational database for analysis. The increase in cybercriminal attacks on an organization’s assets results in organizations beginning to invest in and care more about their cybersecurity points and controls. The management of business-critical data is an important point for which robust cybersecurity controls should be considered. The proposed model is applied in a datalake and allows the identification of security gaps on an analytical repository, a cybersecurity risk analysis, design of security components and an assessment of inherent risks on high criticality data in a repository of a regulated financial institution. The proposal was validated in financial entities in Lima, Peru. Proofs of concept of the model were carried out to measure the level of maturity focused on: leadership and commitment, risk management, protection control, event detection and risk management. Preliminary results allowed placing the entities in level 3 of the model, knowing their greatest weaknesses, strengths and how these can affect the fulfillment of business objectives.

Cloud computing is a unified management and scheduling model of computing resources. To satisfy multiple resource requirements for various application, edge computing has been proposed. One challenge of edge computing is cross-domain data security sharing problem. Ciphertext policy attribute-based encryption (CP-ABE) is an effective way to ensure data security sharing. However, many existing schemes focus on could computing, and do not consider the features of edge computing. In order to address this issue, we propose a cross-domain data security sharing approach for edge computing based on CP-ABE. Besides data user attributes, we also consider access control from edge nodes to user data. Our scheme first calculates public-secret key peer of each edge node based on its attributes, and then uses it to encrypt secret key of data ciphertext to ensure data security. In addition, our scheme can add non-user access control attributes such as time, location, frequency according to the different demands. In this paper we take time as example. Finally, the simulation experiments and analysis exhibit the feasibility and effectiveness of our approach.

Although the public cloud is known for its incredible capabilities, consumers cannot totally depend on cloud service providers to keep personal data because to the lack of client maneuverability. To protect privacy, data controllers outsourced encryption keys rather than providing information. Crypt - text to conduct out okay and founder access control and provide the encryption keys with others, innate quality Aes (CP-ABE) may be employed. This, however, falls short of effectively protecting against new dangers. The public cloud was unable to validate if a downloader could decode using a number of older methods. Therefore, these files should be accessible to everyone having access to a data storage. A malicious attacker may download hundreds of files in order to launch Economic Deny of Sustain (EDoS) attacks, greatly depleting the cloud resource. The user of cloud storage is responsible for paying the fee. Additionally, the public cloud serves as both the accountant and the payer of resource consumption costs, without offering data owners any information. Cloud infrastructure storage should assuage these concerns in practice. In this study, we provide a technique for resource accountability and defense against DoS attacks for encrypted cloud storage tanks. It uses black-box CP-ABE techniques and abides by the access policy of CP-arbitrary ABE. After presenting two methods for different parameters, speed and security evaluations are given.

Cloud computing plays major role in the development of accessing clouduser’s document and sensitive information stored. It has variety of content and representation. Cyber security and attacks in the cloud is a challenging aspect. Information security attains a vital part in Cyber Security management. It involves actions intended to reduce the adverse impacts of such incidents. To access the documents stored in cloud safely and securely, access control will be introduced based on cloud users to access the user’s document in the cloud. To achieve this, it is highly required to combine security components (e.g., Access Control, Usage Control) in the security document to get automatic information. This research work has proposed a Role Key Homomorphic Encryption Algorithm (RKHEA) to monitor the cloud users, who access the services continuously. This method provides access creation of session-based key to store the singularized encryption to reduce the key size from random methods to occupy memory space. It has some terms and conditions to be followed by the cloud users and also has encryption method to secure the document content. Hence the documents are encrypted with the RKHEA algorithm based on Service Key Access (SKA). Then, the encrypted key will be created based on access control conditions. The proposed analytics result shows an enhanced control over the documents in cloud and improved security performance.

Recently, Ning et al. proposed the “CryptCloud$^\textrm+\$$: Secure and Expressive Data Access Control for Cloud Storage” in IEEE Transaction on Services Computing. This work provided two versatile ciphertext-policy attribute-based encryption (CP-ABE) schemes to achieve flexible access control on encrypted data, namely ATER-CP-ABE and ATIR-CP-ABE, both of which have attractive advantages, such as white-box malicious user traceability, semi-honest authority accountability, public auditing and user revocation. However, we find a bug of access control in both schemes, i.e., a non-revoked user with attribute set \$S\$ can decrypt the ciphertext \$ct\$ encrypted under any access policy \$(A,\textbackslashrho )\$, regardless of whether \$S\$ satisfies \$(A,\textbackslashrho )\$ or not. This paper carefully analyzes the bug, and makes an improvement on Ning's pioneering work, so as to fix it.

SWIM (System Wide Information Management) has become the development direction of A TM (Air Traffic Management) system by providing interoperable services to promote the exchange and sharing of data among various stakeholders. The premise of data sharing is security, and the access control has become the key guarantee for the secure sharing and exchange. The CP-ABE scheme (Ciphertext Policy Attribute-Based Encryption) can realize one-to-many access control, which is suitable for the characteristics of SWIM environment. However, the combination of the existing CP-ABE access control and SWIM has following constraints. 1. The traditional single authority CP-ABE scheme requires unconditional trust in the authority center. Once the authority center is corrupted, the excessive authority of the center may lead to the complete destruction of system security. So, SWIM with a large user group and data volume requires multiple authorities CP-ABE when performing access control. 2. There is no unified management of users' data access records. Lack of supervision on user behavior make it impossible to effectively deter malicious users. 3. There are a certain proportion of lightweight data users in SWIM, such as aircraft, users with handheld devices, etc. And their computing capacity becomes the bottleneck of data sharing. Aiming at these issues above, this paper based on cloud-chain fusion basically proposes a multi-authority CP-ABE scheme, called the MOV ATM scheme, which has three advantages. 1. Based on a multi-cloud and multi-authority CP-ABE, this solution conforms to the distributed nature of SWIM; 2. This scheme provides outsourced computing and verification functions for lightweight users; 3. Based on blockchain technology, a blockchain that is maintained by all stakeholders of SWIM is designed. It takes user's access records as transactions to ensure that access records are well documented and cannot be tampered with. Compared with other schemes, this scheme adds the functions of multi-authority, outsourcing, verifiability and auditability, but do not increase the decryption cost of users.

Managing and storing big data is non-trivial for traditional relational databases (RDBMS). Therefore, the NoSQL (Not Only SQL) database management system emerged. It is ca-pable of handling the vast amount and the heterogeneity of data. In this research, we are interested in one of its trending types, the graph database, namely, the Directed Property Graph (DPG). This type of database is powerful in dealing with complex relationships (\$\textbackslashmathrme.\textbackslashmathrmg\$., social networks). However, its sen-sitive and private data must be protected against unauthorized access. This research proposes a security model that aims at exploiting and combining the benefits of Access Control, View-Based, and Query-Rewriting approaches. This is a novel combination for securing DPG.

As a new generation of power grid system, smart grid and smart meter conduct two-way communication to realize the intelligent collection, monitoring and dispatching of user power data, so as to achieve a safer, stable, reliable and efficient power grid environment. With the vigorous development of power grid, there are also some security and privacy problems. This paper uses Paillier homomorphic encryption algorithm and role-based access control strategy to ensure the privacy security in the process of multi-dimensional aggregation, data transmission and sharing of power data. Applying the characteristics of blockchain technology such as decentralization, non tampering and traceability to the smart grid can effectively solve the privacy and security problems of power data transmission and sharing in the smart grid. This paper compares Paillier encryption algorithm with PPAR algorithm and SIAHE algorithm in terms of encryption mechanism, number of aggregators and computational complexity respectively. The results show that Paillier homomorphic encryption algorithm has higher data privacy and security.

This paper presents a novel authentication method based on a distributed version of Kerberos for UAVs. One of the major problems of UAVs in recent years has been cyber-attacks which allow attackers to control the UAV or access its information. The growing use of UAVs has encouraged us to investigate the methods of their protection especially authentication of their users. In the past, the Kerberos system was rarely used for authentication in UAV systems. In our proposed method, based on a distributed version of Kerberos, we can authenticate multiple ground stations, users, and controllers for one or more UAVs. This method considers most of the security aspects to protect UAV systems mainly in the authentication phase and improves the security of UAVs and ground control stations and their communications considerably.

Mobile Ad-hoc Networks (MANETs) have attracted lots of concerns with its widespread use. In MANETs, wireless nodes usually self-organize into groups to complete collaborative tasks and communicate with one another via public channels which are vulnerable to attacks. Group key management is generally employed to guarantee secure group communication in MANETs. However, most existing group key management schemes for MANETs still suffer from some issues, e.g., receiver restriction, relying on a trusted dealer and heavy certificates overheads. To address these issues, we propose a group key management scheme for MANETs based on an identity-based authenticated dynamic contributory broadcast encryption (IBADConBE) protocol which builds on an earlier work. Our scheme abandons the certificate management and does not need a trusted dealer to distribute a secret key to each node. A set of wireless nodes are allowed to negotiate the secret keys in one round while forming a group. Besides, our scheme is receiver-unrestricted which means any sender can flexibly opt for any favorable nodes of a group as the receivers. Further, our scheme satisfies the authentication, confidentiality of messages, known-security, forward security and backward security concurrently. Performance evaluation shows our scheme is efficient.

Smart grids are envisioned as the next-generation electricity grids. The data measured from the smart grid is very sensitive. It is thus highly necessary to adopt data access control in smart grids to guarantee the security and privacy of the measured data. Due to its flexibility and scalability, attribute-based encryption (ABE) is widely utilized to realize data access control in smart grids. However, most existing ABE solutions impose a heavy decryption overhead on their users. To this end, we propose a lightweight attribute-based encryption scheme for data access control in smart grids by adopting the idea of computation outsourcing. Under our proposed scheme, users can outsource a large amount of computation to a server during the decryption phase while still guaranteeing the security and privacy of the data. Theoretical analysis and experimental evaluation demonstrate that our scheme outperforms the existing schemes by achieving a very low decryption cost.

Access control includes authorization of security administrators and access of users. Aiming at the problems of log information storage difficulty and easy tampering faced by auditing and traceability forensics of authorization and access in cross-domain scenarios, we propose an access control auditing and traceability forensics method based on Blockchain, whose core is Ethereum Blockchain and IPFS interstellar mail system, and its main function is to store access control log information and trace forensics. Due to the technical characteristics of blockchain, such as openness, transparency and collective maintenance, the log information metadata storage based on Blockchain meets the requirements of distribution and trustworthiness, and the exit of any node will not affect the operation of the whole system. At the same time, by storing log information in the blockchain structure and using mapping, it is easy to locate suspicious authorization or judgment that lead to permission leakage, so that security administrators can quickly grasp the causes of permission leakage. Using this distributed storage structure for security audit has stronger anti-attack and anti-risk.

In order to solve the problem that the traditional “centralized” access control technology can no longer guarantee the security of access control in the current Internet of Things (IoT)environment, a dynamic access control game mechanism based on trust is proposed. According to the reliability parameters of the recommended information obtained by the two elements of interaction time and the number of interactions, the user's trust value is dynamically calculated, and the user is activated and authorized to the role through the trust level corresponding to the trust value. The trust value and dynamic adjustment factor are introduced into the income function to carry out game analysis to avoid malicious access behavior of users. The hybrid Nash equilibrium strategy of both sides of the transaction realizes the access decision-making work in the IoT environment. Experimental results show that the game mechanism proposed in this paper has a certain restraining effect on malicious nodes and can play a certain incentive role in the legitimate access behavior of IoT users.

Based on the analysis of material performance data management requirements, a network-sharing scheme of material performance data is proposed. A material performance database system including material performance data collection, data query, data analysis, data visualization, data security management and control modules is designed to solve the problems of existing material performance database network sharing, data fusion and multidisciplinary support, and intelligent services Inadequate standardization and data security control. This paper adopts hierarchical access control strategy. After logging into the material performance database system, users can standardize the material performance data and store them to form a shared material performance database. The standardized material performance data of the database system shall be queried and shared under control according to the authority. Then, the database system compares and analyzes the material performance data obtained from controlled query sharing. Finally, the database system visualizes the shared results of controlled queries and the comparative analysis results obtained. The database system adopts the MVC architecture based on B/S (client/server) cross platform J2EE. The Third-party computing platforms are integrated in System. Users can easily use material performance data and related services through browsers and networks. MongoDB database is used for data storage, supporting distributed storage and efficient query.

Databases are at the heart of modern applications and any threats to them can seriously endanger the safety and functionality of applications relying on the services offered by a DBMS. It is therefore pertinent to identify key risks to the secure operation of a database system. This paper identifies the key risks, namely, SQL injection, weak audit trails, access management issues and issues with encryption. A malicious actor can get help from any of these issues. It can compromise integrity, availability and confidentiality of the data present in database systems. The paper also identifies various means and ways to defend against these issues and remedy them. This paper then proceeds to identify from the literature, the potential solutions to these ameliorate the threat from these vulnerabilities. It proposes the usage of encryption to protect the data from being breached and leveraging encrypted databases such as CryptoDB. Better access control norms are suggested to prevent unauthorized access, modification and deletion of the data. The paper also recommends ways to prevent SQL injection attacks through techniques such as prepared statements.

In the context of cybersecurity systems, trust is the firm belief that a system will behave as expected. Trustworthiness is the proven property of a system that is worthy of trust. Therefore, trust is ephemeral, i.e. trust can be broken; trustworthiness is perpetual, i.e. trustworthiness is verified and cannot be broken. The gap between these two concepts is one which is, alarmingly, often overlooked. In fact, the pressure to meet with the pace of operations for mission critical cross domain solution (CDS) development has resulted in a status quo of high-risk, ad hoc solutions. Trustworthiness, proven through formal verification, should be an essential property in any hardware and/or software security system. We have shown, in "vCDS: A Virtualized Cross Domain Solution Architecture", that developing a formally verified CDS is possible. virtual CDS (vCDS) additionally comes with security guarantees, i.e. confidentiality, integrity, and availability, through the use of a formally verified trusted computing base (TCB). In order for a system, defined by an architecture description language (ADL), to be considered trustworthy, the implemented security configuration, i.e. access control and data protection models, must be verified correct. In this paper we present the first and only security auditing tool which seeks to verify the security configuration of a CDS architecture defined through ADL description. This tool is useful in mitigating the risk of existing solutions by ensuring proper security enforcement. Furthermore, when coupled with the agile nature of vCDS, this tool significantly increases the pace of system delivery.

User privacy is an attractive and valuable task to the success of blockchain systems. However, user privacy protection's performance and data capacity have not been well studied in existing access control models of blockchain systems because of traceability and openness of the P2P network. This paper focuses on investigating performance and data capacity from a blockchain infrastructure perspective, which adds secondary encryption to shield confidential information in a non-invasive way. First, we propose an efficient asymmetric encryption scheme by combining homomorphic encryption and state-of-the-art multi-signature key aggregation to preserve privacy. Second, we use smart contracts and CA infrastructure to achieve attribute-based access control. Then, we use the non-interactive zero-knowledge proof scheme to achieve secondary confidentiality explicitly. Finally, experiments show our scheme succeeds better performance in data capacity and system than other schemes. This scheme improves availability and robust scalability, solves the problem of multi-signature key distribution and the unlinkability of transactions. Our scheme has established a sound security cross-chain system and privacy confidentiality mechanism and that has more excellent performance and higher system computing ability than other schemes.

CP-ABE (Ciphertext-policy attribute based encryption) is considered as a secure access control for data sharing. However, the SK(secret key) in most CP-ABE scheme is generated by Centralized authority(CA). It could lead to the high cost of building trust and single point of failure. Because of the characters of blockchain, some schemes based on blockchain have been proposed to prevent the disclosure and protect privacy of users' attribute. Thus, a new CP-ABE identity-attribute management(IAM) data sharing scheme is proposed based on blockchain, i.e. IAM-BDSS, to guarantee privacy through the hidden policy and attribute. Meanwhile, we define a transaction structure to ensure the auditability of parameter transmission on blockchain system. The experimental results and security analysis show that our IAM-BDSS is effective and feasible.

Under the situation of regular epidemic prevention and control, teleworking has gradually become a normal working mode. With the development of modern information technologies such as big data, cloud computing and mobile Internet, it's become a problem that how to build an effective security defense system to ensure the information security of teleworking in complex network environment while ensuring the availability, collaboration and efficiency of teleworking. One of the solutions is Zero Trust Network(ZTN), most enterprise infrastructures will operate in a hybrid zero trust/perimeter-based mode while continuing to invest in IT modernization initiatives and improve organization business processes. In this paper, we have systematically studied the zero trust principles, the logical components of zero trust architecture and the key technology of zero trust network. Based on the abstract model of zero trust architecture and information security technologies, a prototype has been realized which suitable for iOS terminals to access enterprise resources safely in teleworking mode.

Access control is a widely used technology to protect information security. The implementation of access control depends on the response generated by access control policies to users’ access requests. Therefore, ensuring the correctness of access control policies is an important step to ensure the smooth implementation of access control mechanisms. To solve this problem, this paper proposes a constraint based access control policy security analysis framework (CACPSAF) to perform security analysis on access control policies. The framework transforms the problem of security analysis of access control policy into the satisfiability of security principle constraints. The analysis and calculation of access control policy can be divided into formal transformation of access control policy, SMT coding of policy model, generation of security principle constraints, policy detection and evaluation. The security analysis of policies is divided into mandatory security principle constraints, optional security principle constraints and user-defined security principle constraints. The multi-dimensional security analysis of access control policies is realized and the semantic expression of policy analysis is stronger. Finally, the effectiveness of this framework is analyzed by performance evaluation, which proves that this framework can provide strong support for fine-grained security analysis of policies, and help to correctly model and conFigure policies during policy modeling, implementation and verification.

Named Data Networking (NDN) has been viewed as a promising future Internet architecture. It requires a new access control scheme to prevent the injection of unauthorized data request. In this paper, an access control supported by information service entity (ACISE) is proposed for NDN networks. A trust entity, named the information service entity (ISE), is deployed in each domain for the registration of the consumer and the edge router. The identity-based cryptography (IBC) is used to generate a private key for the authorized consumer at the ISE and to calculate a signature encapsulated in the Interest packet at the consumer. Therefore, the edge router could support the access control by the signature verification of the Interest packets so that no Interest packet from unauthorized consumer could be forwarded or replied. Moreover, shared keys are negotiated between authorized consumers and their edge routers. The subsequent Interest packets would be verified by the message authentication code (MAC) instead of the signature. The simulation results have shown that the ACISE scheme would achieve a similar response delay to the original NDN scheme when the NDN is under no attacks. However, the ACISE scheme is immune to the cache pollution attacks so that it could maintain a much smaller response delay compared to the other schemes when the NDN network is under the attacks.