Biblio

With the increasing of health awareness, the users become more and more interested in their daily health information and healthcare activities results from healthcare organizations. They always try to collect them together for better usage. Traditionally, the healthcare data is always delivered by paper format from the healthcare organizations, and it is not easy and convenient for data usage and management. They would have to translate these data on paper to digital version which would probably introduce mistakes into the data. It would be necessary if there is a secure and convenient method for electronic health data transferring between the users and the healthcare organizations. However, for the security and privacy problems, almost no healthcare organization provides a stable and full service for health data delivery. In this paper, we propose a secure and convenient method, QRStream, which splits original health data and loads them onto QR code frame streaming for the data transferring. The results shows that QRStream can transfer text health data smoothly with an acceptable performance, for example, transferring 10K data in 10 seconds.

With the increasing popularity and adoption of IoT technology, fog computing has been used as an advancement to cloud computing. Although trust management issues in cloud have been addressed, there are still very few studies in a fog area. Trust is needed for collaborating among fog nodes and trust can further improve the reliability by assisting in selecting the fog nodes to collaborate. To address this issue, we present a provenance based trust mechanism that traces the behavior of the process among fog nodes. Our approach adopts the completion rate and failure rate as the process provenance in trust scores of computing workload, especially obvious measures of trustworthiness. Simulation results demonstrate that the proposed system can effectively be used for collaboration in a fog environment.

An increasing number of IoT scenarios involve mobile, resource-constrained IoT devices that rely on untrusted networks for Internet connectivity. In such environments, attackers can derive sensitive private information of IoT device owners, e.g., daily routines or secret supply chain procedures, when sniffing on IoT communication and linking IoT devices and owner. Furthermore, untrusted networks do not provide IoT devices with any protection against attacks from the Internet. Anonymous communication using onion routing provides a well-proven mechanism to keep the relationship between communication partners secret and (optionally) protect against network attacks. However, the application of onion routing is challenged by protocol incompatibilities and demanding cryptographic processing on constrained IoT devices, rendering its use infeasible. To close this gap, we tailor onion routing to the IoT by bridging protocol incompatibilities and offloading expensive cryptographic processing to a router or web server of the IoT device owner. Thus, we realize resource-conserving access control and end-to-end security for IoT devices. To prove applicability, we deploy onion routing for the IoT within the well-established Tor network enabling IoT devices to leverage its resources to achieve the same grade of anonymity as readily available to traditional devices.

Smart Farming is driven by the emergence of precise positioning systems and Internet of Things technologies which have already enabled site-specific applications, sustainable resource management, and interconnected machinery. Nowadays, so-called Farm Management Information Systems (FMISs) enable farm-internal interconnection of agricultural machines and implements and, thereby, allow in-field data exchange and the orchestration of collaborative agricultural processes. Machine data is often directly logged during task execution. Moreover, interconnection of farms, agricultural contractors, and marketplaces ease the collaboration. However, current FMISs lack in security and particularly in user authentication. In this paper, we present a security architecture for a decentralized, manufacturer-independent, and open-source FMIS. Special attention is turned on the Radio Frequency Identification (RFID)-based continuous user authentication which greatly improves security and credibility of automated documentation, while at the same time preserves usability in practice.

This paper provides a proof of concept for using SRAM based Physically Unclonable Functions (PUFs) to generate private keys for IoT devices. PUFs are utilized, as there is inadequate protection for secret keys stored in the memory of the IoT devices. We utilize a custom-made Arduino mega shield to extract the fingerprint from SRAM chip on demand. We utilize the concepts of ternary states to exclude the cells which are easily prone to flip, allowing us to extract stable bits from the fingerprint of the SRAM. Using the custom-made software for our SRAM device, we can control the error rate of the PUF to achieve an adjustable memory-based PUF for key generation. We utilize several fuzzy extractor techniques based on using different error correction coding methods to generate secret keys from the SRAM PUF, and study the trade-off between the false authentication rate and false rejection rate of the PUF.

The biggest challenge of sharing data stored in cloud-storage is privacy-preservation. In this paper, we propose a simple yet effective solution for enforcing the security of private data stored in some cloud storage for sharing. We consider an environment where even if the cloud service provider is not-reliable or is compromised, our data still remain secure. The data Owner encrypts the private files using a secret key, file identifier and hash function and then uploads the cipher text files to the cloud. When a Data user requests access to a file, the owner establishes a key with the user and creates a new key, which is sent to the user. The user can then extract the original key by using the mutually established secret key and use it to decrypt the encrypted file. Thus we propose a system which is computationally simple yet provides a secure mechanism for sharing private data even over an untrusted cloud service provider.

Cloud computing is a rapid growing advanced technology which is Internet based, providing various ways for storage, resource sharing, and various features. It has brought a new way to securely store and share information and data with multiple users and groups. The cloud environment deals with many problems, and one of the most important problems in recent days is the security issues. Sharing the data in a group, in cloud conditions has turned into a blazing theme in up and coming decades. Thus the blasting interest in cloud computing, ways and measures to accomplish secure and effective information and data sharing in the cloud is a flourishing point to be engaged. In this way, the venture centers around empowering information sharing and capacity for a similar gathering inside the cloud with high security and intensity. Therefore, Honey Encryption and Advanced Encryption Standard is used for providing security for the data shared within the group by the crew members in cloud environment. In addition, an access key is provided by the Group Manager to enable access to the documents and files stored in cloud by the users for specific time period.

The usage of cloud for data storage has become ubiquitous. To prevent data leakage and hacks, it is common to encrypt the data (e.g. PDF files) before sending it to a cloud. However, this limits the search for specific files containing certain keywords over an encrypted cloud data. The traditional method is to take down all files from a cloud, store them locally, decrypt and then search over them, defeating the purpose of using a cloud. In this paper, we propose a method, called SecureCSearch, to perform keyword search operations on the encrypted PDF files over cloud in an efficient manner. The proposed method makes use of Shamir's Secret Sharing scheme in a novel way to create encrypted shares of the PDF file and the keyword to search. We show that the proposed method maintains the security of the data and incurs minimal computation cost.

With the rising popularity of file-sharing services such as Google Drive and Dropbox in the workflows of individuals and corporations alike, the protection of client-outsourced data from unauthorized access or tampering remains a major security concern. Existing cryptographic solutions to this problem typically require server-side support, involve non-trivial key management on the part of users, and suffer from severe re-encryption penalties upon access revocations. This combination of performance overheads and management burdens makes this class of solutions undesirable in situations where performant, platform-agnostic, dynamic sharing of user content is required. We present NEXUS, a stackable filesystem that leverages trusted hardware to provide confidentiality and integrity for user files stored on untrusted platforms. NEXUS is explicitly designed to balance security, portability, and performance: it supports dynamic sharing of protected volumes on any platform exposing a file access API without requiring server-side support, enables the use of fine-grained access control policies to allow for selective sharing, and avoids the key revocation and file re-encryption overheads associated with other cryptographic approaches to access control. This combination of features is made possible by the use of a client-side Intel SGX enclave that is used to protect and share NEXUS volumes, ensuring that cryptographic keys never leave enclave memory and obviating the need to reencrypt files upon revocation of access rights. We implemented a NEXUS prototype that runs on top of the AFS filesystem and show that it incurs ×2 overhead for a variety of common file and database operations.

Efficiently searchable and easily deployable encryption schemes enable an untrusted, legacy service such as a relational database engine to perform searches over encrypted data. The ease with which such schemes can be deployed on top of existing services makes them especially appealing in operational environments where encryption is needed but it is not feasible to replace large infrastructure components like databases or document management systems. Unfortunately all previously known approaches for efficiently searchable and easily deployable encryption are vulnerable to inference attacks where an adversary can use knowledge of the distribution of the data to recover the plaintext with high probability. We present a new efficiently searchable, easily deployable database encryption scheme that is provably secure against inference attacks even when used with real, low-entropy data. We implemented our constructions in Haskell and tested databases up to 10 million records showing our construction properly balances security, deployability and performance.

The main searching functions realized by searchable encryption can be divided into searching using one query and searching using multiple queries. Searchable encryption using one query has been widely studied and researched; however, few methods of searchable encryption can accommodate search using multiple queries. In addition, most of the method proposed thus far utilize the concept of index search. Therefore, a new problem exists, in which an additional process of updating or deleting an index when new documents are added or removed is required. Hence, the overall computation cost increases. Another problem is that a document that is not registered in the index cannot be searched. Therefore, herein, using a secret-sharing scheme that is known to offer a low computational cost, we propose a method that can realize both logical conjunctive (AND) and logical disjunctive (OR) search over multiple conditions, without the construction of any index. Hence, we can realize direct searching over sentences, thus achieving a more efficient search method.

Searchable symmetric encryption (SSE) is an important technique for cloud computing. SSE allows encrypted critical data stored on an untrusted cloud server to be searched using keywords, returning correct data, but the keywords and data content are unknown by the server. However, an SSE database is not practical because the data is generally frequently modified even when stored on a remote server, since the server cannot update the encrypted data without decryption. Dynamic searchable symmetric encryption (DSSE) is designed to support this requirement. DSSE allows adding or deleting encrypted data on the server without decryption. Many DSSE systems have been proposed, based on link-list structures or blind storage (a new primitive). Each has advantages and drawbacks regarding function, extensibility, and efficiency. For a real system, the most important aspect is the tradeoff between performance and security. Therefore, we implemented several DSSE systems to compare their efficiency and security, and identify the various disadvantages with a view to developing an improved system.

Searchable symmetric encryption (SSE) scheme allows a data owner to perform search queries over encrypted documents using symmetric cryptography. SSE schemes are useful in cloud storage and data outsourcing. Most of the SSE schemes in existing literature have been proved to leak a substantial amount of information that can lead to an inference attack. This paper presents, a novel leakage resilient searchable symmetric encryption with periodic updation (LRSSEPU) scheme that minimizes extra information leakage, and prevents an untrusted cloud server from performing document mapping attack, query recovery attack and other inference attacks. In particular, the size of the keyword vector is fixed and the keywords are periodically permuted and updated to achieve minimum leakage. Furthermore, our proposed LRSSEPU scheme provides authentication of the query messages and restricts an adversary from performing a replay attack, forged query attack and denial of service attack. We employ a combination of identity-based cryptography (IBC) with symmetric key cryptography to reduce the computation cost and communication overhead. Our scheme is lightweight and easy to implement with very little communication overhead.

Software defined networks (SDNs) represent new centralized network architecture that facilitates the deployment of services, applications and policies from the upper layers, relatively the management and control planes to the lower layers the data plane and the end user layer. SDNs give several advantages in terms of agility and flexibility, especially for mobile operators and for internet service providers. However, the implementation of these types of networks faces several technical challenges and security issues. In this paper we will focus on SDN's security issues and we will propose the implementation of a centralized security layer named AM-SecP. The proposed layer is linked vertically to all SDN layers which ease packets inspections and detecting intrusions. The purpose of this architecture is to stop and to detect malware infections, we do this by denying services and tunneling attacks without encumbering the networks by expensive operations and high calculation cost. The implementation of the proposed framework will be also made to demonstrate his feasibility and robustness.

Continuously growing amount of research experiments using High Performance Computing (HPC) leads to the questions of research data management and in particular how to preserve a scientific experiment including all related data for long term for its future reproduction. This paper covers some challenges and possible solutions related to the preservation of scientific experiments on HPC systems and represents a concept of the preservation system for HPC computations. Storage of the experiment itself with some related data is not only enough for its future reproduction, especially in the long term. For that case preservation of the whole experiment's environment (operating system, used libraries, environment variables, input data, etc.) via containerization technology (e.g. using Docker, Singularity) is proposed. This approach allows to preserve the entire environment, but is not always possible on every HPC system because of security issues. And it also leaves a question, how to deal with commercial software that was used within the experiment. As a possible solution we propose to run a preservation process outside of the computing system on the web-server and to replace all commercial software inside the created experiment's image with open source analogues that should allow future reproduction of the experiment without any legal issues. The prototype of such a system was developed, the paper provides the scheme of the system, its main features and describes the first experimental results and further research steps.

Emergency medical services universally get regarded as the essential part of the health care delivery system [1]. A relationship exists between the emergency patient death rate and factors such as the failure to access a patient's critical data and the time it takes to arrive at hospitals. Nearly thirty million Americans do not live within an hour of trauma care, so this poor access to trauma centers links to higher pre-hospital death rates in more than half of the United States [2]. So, we need to address the problem. In a patient care-cycle, loads of medical data items are born in different healthcare settings using a disparate system of records during patient visits. The ability for medical care providers to access a patient's complete picture of emergency-relevant medical data is critical and can significantly reduce the annual mortality rate. Today, the problem exists with a continuous recording system of the patient data between healthcare providers. In this paper, we've introduced a combination of secure file transfer methods/tools and blockchain technology as a solution to record patient Emergency relevant medical data as patient walk through from one clinic/medical facility to another, creating a continuous footprint of patient as a secure and scalable data source. So, ambulance crews can access and use it to provide high quality pre-hospital care. All concerns of medical record sharing and accessing like authentication, privacy, security, scalability and audibility, confidentiality has been considered in this approach.

This article is devoted to the development of a platform for reliable storage of information on supplies based on blockchain technology. The article discusses the main approaches to the work of decentralized applications, as well as the main problems.

In Cloud Computing Environment, using only static security measures didn't mitigate the attack considerably. Hence, deployment of sophisticated methods by the attackers to understand the network topology of complex network makes the task easier. For this reason, the use of dynamic security measure as virtual machine (VM) migration increases uncertainty to locate a virtual machine in a dynamic attack surface. Although this, not all VM's migration enhances security. Indeed, the destination server to host the VM should be selected precisely in order to avoid externality and attack at the same time. In this paper, we model migration in cloud environment by using continuous Markov Chain. Then, we analyze the probability of a VM to be compromised based on the destination server parameters. Finally, we provide some numerical results to show the effectiveness of our approach in term of avoiding intrusion.

To protect sensitive information of an organization, we need to have proper access controls since several data breach incidents were happened because of broken access controls. Normally, the IT auditing process would be used to identify security weaknesses and should be able to detect any potential access control violations in advance. However, most auditing processes are done manually and not performed consistently since lots of resources are required; thus, the auditing is performed for quality assurance purposes only. This paper proposes an automated process to audit the access controls on the Windows server operating system. We define the audit checklist and use the controls defined in ISO/IEC 27002:2013 as a guideline for identifying audit objectives. In addition, an automated audit tool is developed for checking security controls against defined security policies. The results of auditing are the list of automatically generated passed and failed policies. If the auditing is done consistently and automatically, the intrusion incidents could be detected earlier and essential damages could be prevented. Eventually, it would help increase the reliability of the system.

Delivery service via ridesharing is a promising service to share travel costs and improve vehicle occupancy. Existing ridesharing systems require participating vehicles to periodically report individual private information (e.g., identity and location) to a central controller, which is a potential central point of failure, resulting in possible data leakage or tampering in case of controller break down or under attack. In this paper, we propose a Blockchain secured ridesharing delivery system, where the immutability and distributed architecture of the Blockchain can effectively prevent data tampering. However, such tamper-resistance property comes at the cost of a long confirmation delay caused by the consensus process. A Hash-oriented Practical Byzantine Fault Tolerance (PBFT) based consensus algorithm is proposed to improve the Blockchain efficiency and reduce the transaction confirmation delay from 10 minutes to 15 seconds. The Hash-oriented PBFT effectively avoids the double-spending attack and Sybil attack. Security analysis and simulation results demonstrate that the proposed Blockchain secured ridesharing delivery system offers strong security guarantees and satisfies the quality of delivery service in terms of confirmation delay and transaction throughput.

In order to develop a `common session secret key' though the insecure channel, cryptographic Key Agreement Protocol plays a major role. Many researchers' cryptographic protocol uses smart card as a medium to store transaction secret values. The tampered resistance property of smart card is unable to defend the secret values from side channel attacks. It means a lost smart card is an easy target for any attacker. Though password authentication helps the protocol to give secrecy but on-line as well as off-line password guessing attack can make the protocol vulnerable. The concerned paper manifested key agreement protocol based on three party authenticated key agreement protocol to defend all password related attacks. The security analysis of our paper has proven that the accurate guess of the password of a legitimate user will not help the adversary to generate a common session key.

The safety management is an important and fundamental task in the construction and operation of pumped-storage power stations. However, because of the traditional technical framework, the relevant systems are separated from each other, leading to a lot of disadvantages in application and performance. In order to meet the requirements of smart pumped-storage power stations, an integrated safety management system (ISMS) based on ubiquitous internet of things in electricity is proposed in this paper. The ISMS is divided into five layers including data display layer, data manipulation layer, data processing layer, data transmission layer and data acquisition layer. It consists of six modules, i.e., central control module, cave access control and personnel location module, video and security monitoring module, emergency broadcasting and communication module, geological warning module, and fall protection module. All modules are integrated into a unified information platform.

Nowadays one-time passwords are used in a lot of areas of information technologies including e-commerce. A few vulnerabilities in authentication protocols based on one-time passwords are widely known. In current work, we analyze authentication protocols based on one-time passwords and their vulnerabilities. Both simple and complicated protocols which are implementing cryptographic algorithms are reviewed. For example, an analysis of relatively old Lamport's hash-chain protocol is provided. At the same time, we examine HOTP and TOTP protocols which are actively used nowadays. The main result of the work are conclusions about the security of reviewed protocols based on one-time passwords.

Two-factor authentication (2FA) is widely prevalent in banking, emails and virtual private networks (VPN) connections or in accessing any secure web service. In 2FA, to get authenticated the users are expected to provide additional secret information along with the password. Typically, this secret information (tokens) is generated by a centralized trusted third party upon receiving an authentication request from users. Thus, this additional layer of security comes at the cost of inherently trusting the third party for their services. The security of such authentication systems is always under the threat of the trusted party is being compromised. In this paper, we propose a novel approach to make server authentication even more secure by building 2FA over the blockchain platform which is distributed in nature. The proposed solution does not require any trusted third party between claimant (user) and the verifier (server) for the authentication purpose. To demonstrate the idea of using blockchain technology for 2FA, we have added an extra layer of security component to the OpenSSH server a widely used application for Secure Shell (SSH) protocol.

As an extension of Internet of Things (IoT) in transportation sector, the Internet of Vehicles (IoV) can greatly facilitate vehicle management and route planning. With ever-increasing penetration of IoV, the security and privacy of driving data should be guaranteed. Moreover, since vehicles are often left unattended with minimum human interventions, the onboard sensors are vulnerable to physical attacks. Therefore, the physically secure authentication and key agreement (AKA) protocol is urgently needed for IoV to implement access control and information protection. In this paper, physical unclonable function (PUF) is introduced in the AKA protocol to ensure that the system is secure even if the user devices or sensors are compromised. Specifically, PUF, as a hardware fingerprint generator, eliminates the storage of any secret information in user devices or vehicle sensors. By combining password with PUF, the user device cannot be used by someone else to be successfully authenticated as the user. By resorting to public key cryptography, the proposed protocol can provide anonymity and desynchronization resilience. Finally, the elaborate security analysis demonstrates that the proposed protocol is free from the influence of known attacks and can achieve expected security properties, and the performance evaluation indicates the efficiency of our protocol.