Biblio

In this paper, we consider the problem of transparently authenticating a user to a local terminal (e.g., a desktop computer) as she approaches towards the terminal. Given its appealing usability, such zero-effort authentication has already been deployed in the real-world where a computer terminal or a vehicle can be unlocked by the mere proximity of an authentication token (e.g., a smartphone). However, existing systems based on a single authentication factor contains one major security weakness - unauthorized physical access to the token, e.g., during lunch-time or upon theft, allows the attacker to have unfettered access to the terminal. We introduce ZEMFA, a zero-effort multi-factor authentication system based on multiple authentication tokens and multi-modal behavioral biometrics. Specifically, ZEMFA utilizes two types of authentication tokens, a smartphone and a smartwatch (or a bracelet) and two types of gait patterns captured by these tokens, mid/lower body movements measured by the phone and wrist/arm movements captured by the watch. Since a user's walking or gait pattern is believed to be unique, only that user (no impostor) would be able to gain access to the terminal even when the impostor is given access to both of the authentication tokens. We present the design and implementation of ZEMFA. We demonstrate that ZEMFA offers a high degree of detection accuracy, based on multi-sensor and multi-device fusion. We also show that ZEMFA can resist active attacks that attempt to mimic a user's walking pattern, especially when multiple devices are used.

Two-factor authentication has been widely used due to the vulnerabilities associated with the traditional password-based authentication. One-Time Password (OTP) plays an important role in authentication protocol. However, a variety of security problems have been challenging the security of OTP, and improvements are introduced to solve it. This paper reviews several schemes to implement and modify the OTP, a comparison among the popular OTP algorithms is presented. A smart grid architecture with edge computing is shown. The authentication techniques in the smart grid are analyzed.

Nowadays one-time passwords are used in a lot of areas of information technologies including e-commerce. A few vulnerabilities in authentication protocols based on one-time passwords are widely known. In current work, we analyze authentication protocols based on one-time passwords and their vulnerabilities. Both simple and complicated protocols which are implementing cryptographic algorithms are reviewed. For example, an analysis of relatively old Lamport's hash-chain protocol is provided. At the same time, we examine HOTP and TOTP protocols which are actively used nowadays. The main result of the work are conclusions about the security of reviewed protocols based on one-time passwords.

Two-factor authentication (2FA) is widely prevalent in banking, emails and virtual private networks (VPN) connections or in accessing any secure web service. In 2FA, to get authenticated the users are expected to provide additional secret information along with the password. Typically, this secret information (tokens) is generated by a centralized trusted third party upon receiving an authentication request from users. Thus, this additional layer of security comes at the cost of inherently trusting the third party for their services. The security of such authentication systems is always under the threat of the trusted party is being compromised. In this paper, we propose a novel approach to make server authentication even more secure by building 2FA over the blockchain platform which is distributed in nature. The proposed solution does not require any trusted third party between claimant (user) and the verifier (server) for the authentication purpose. To demonstrate the idea of using blockchain technology for 2FA, we have added an extra layer of security component to the OpenSSH server a widely used application for Secure Shell (SSH) protocol.

As an extension of Internet of Things (IoT) in transportation sector, the Internet of Vehicles (IoV) can greatly facilitate vehicle management and route planning. With ever-increasing penetration of IoV, the security and privacy of driving data should be guaranteed. Moreover, since vehicles are often left unattended with minimum human interventions, the onboard sensors are vulnerable to physical attacks. Therefore, the physically secure authentication and key agreement (AKA) protocol is urgently needed for IoV to implement access control and information protection. In this paper, physical unclonable function (PUF) is introduced in the AKA protocol to ensure that the system is secure even if the user devices or sensors are compromised. Specifically, PUF, as a hardware fingerprint generator, eliminates the storage of any secret information in user devices or vehicle sensors. By combining password with PUF, the user device cannot be used by someone else to be successfully authenticated as the user. By resorting to public key cryptography, the proposed protocol can provide anonymity and desynchronization resilience. Finally, the elaborate security analysis demonstrates that the proposed protocol is free from the influence of known attacks and can achieve expected security properties, and the performance evaluation indicates the efficiency of our protocol.

Digital Multifactor authentication is one of the best ways to make secure authentication. It covers many different areas of a Cyber-connected world, including online payments, communications, access right management, etc. Most of the time, Multifactor authentication is little complex as it require extra step from users. With two-factor authentication, along with the user-ID and password, user also needs to enter a special code which they normally receive by short message service or some special code which they got in advance. This paper will discuss the evolution from single authentication to Multi-Factor Authentication (MFA) starting from Single-Factor Authentication (SFA) and through Two-Factor Authentication (2FA). In addition, this paper presents five high-level categories of features of user authentication in the gadget-free world including security, privacy, and usability aspects. These are adapted and extended from earlier research on web authentication methods. In conclusion, this paper gives future research directions and open problems that stem from our observations.

Authorizing access to the public cloud has evolved over the last few years, from simple user authentication and password authentication to two-factor authentication (TOTP), with the addition of an additional field for entering a unique code. Today it is used by almost all major websites such as Facebook, Microsoft, Apple and is a frequently used solution for banking websites. On the other side, the private cloud solutions like OpenStack, CloudStack or Eucalyptus doesn't offer this security improvement. This article is presenting the advantages of this new type of authentication and synthetizes the TOTP authentication forms used by major cloud providers. Furthermore, the article is proposing to solve this challenge by presenting a practical solution for adding two-factor authentication for OpenStack cloud. For this purpose, the web authentication form has been modified and a new authentication module has been developed. The present document covers as well the entire process of adding a TOTP user, generating and sending the secret code in QR form to the user. The study concludes with OpenStack tools used for simplifying the entire process presented above.

The key concerns in VANET communication are the security and privacy of the vehicles involved, but at the same time an efficient way to provide non-repudiation in the ad-hoc network is an important requirement. Most schemes proposed are using public key infrastructure (PKI) or symmetric key encryption to achieve security in VANET; both individually lack in serving the required purpose of providing privacy preservation of the involved On-Board Units (OBUs) (while still being able to offer non-repudiation) and amount to very sizeable overheads in computation. This paper proposes a privacy-preserving authentication protocol that employs hybrid cryptography, using the best features of PKI and symmetric cryptography to form a protocol that is scalable, efficient and offers services of integrity, non-repudiation, conditional privacy, and unlinkability; while still keeping the computational overhead at a reasonable level. The performance and security analysis of this scheme is provided to support the propositions.

Internet of Things (IoT) is rapidly emerging as the manifestation of the networked society vision. But its centralized architecture will lead to a single point of failure. On the other hand, it will be difficult to handle communications in the near future considering the rapid growth of IoT devices. Along with its popularity, IoT suffers from a lot of vulnerabilities, which IoT developers are constantly working to mitigate. This paper proposes a new protocol called Mirage which can be used for secure and decentralized communication of IoT devices. This protocol is built based on security principles. Out of which Mirage mainly focuses on authentication, integrity, and non-repudiation. In this protocol, devices are authenticated via secret keys known only to the parties involved in the communication. These secret keys are not static and will be constantly changing for every communication. For ensuring integrity, an intermediary is asked to exchange the hash of the messages. As the intermediary nodes are lending their computing and networking powers, they should be rewarded. To ensure non-repudiation, instead of going for trusted third parties, blockchain technology is used. Every node in the network needs to spend a mirage token for sending a message. Mirage tokens will be provided only to those nodes, who help in exchanging the hashes as a reward. In the end, a decentralized network of IoT devices is formed where every node contribute to the security of the network.

Forced by regulations and industry demand, banks worldwide are working to open their customers' online banking accounts to third-party services via web-based APIs. By using these so-called Open Banking APIs, third-party companies, such as FinTechs, are able to read information about and initiate payments from their users' bank accounts. Such access to financial data and resources needs to meet particularly high security requirements to protect customers. One of the most promising standards in this segment is the OpenID Financial-grade API (FAPI), currently under development in an open process by the OpenID Foundation and backed by large industry partners. The FAPI is a profile of OAuth 2.0 designed for high-risk scenarios and aiming to be secure against very strong attackers. To achieve this level of security, the FAPI employs a range of mechanisms that have been developed to harden OAuth 2.0, such as Code and Token Binding (including mTLS and OAUTB), JWS Client Assertions, and Proof Key for Code Exchange. In this paper, we perform a rigorous, systematic formal analysis of the security of the FAPI, based on an existing comprehensive model of the web infrastructure - the Web Infrastructure Model (WIM) proposed by Fett, Küsters, and Schmitz. To this end, we first develop a precise model of the FAPI in the WIM, including different profiles for read-only and read-write access, different flows, different types of clients, and different combinations of security features, capturing the complex interactions in a web-based environment. We then use our model of the FAPI to precisely define central security properties. In an attempt to prove these properties, we uncover partly severe attacks, breaking authentication, authorization, and session integrity properties. We develop mitigations against these attacks and finally are able to formally prove the security of a fixed version of the FAPI. Although financial applications are high-stakes environments, this work is the first to formally analyze and, importantly, verify an Open Banking security profile. By itself, this analysis is an important contribution to the development of the FAPI since it helps to define exact security properties and attacker models, and to avoid severe security risks before the first implementations of the standard go live. Of independent interest, we also uncover weaknesses in the aforementioned security mechanisms for hardening OAuth 2.0. We illustrate that these mechanisms do not necessarily achieve the security properties they have been designed for.

Internet of Things (IoT) devices industry is rapidly growing, with an accelerated increase in the list of manufacturers offering a wide range of smart devices selected to enhance end-users' standard of living. Security remains an after-thought in these devices resulting in vulnerabilities. While there exists a cryptographic protocol designed to solve such authentication problem, the computational complexity of cryptographic protocols and scalability problems make almost all cryptography-based authentication protocols impractical for IoT. Wireless RFF (Radio Frequency Fingerprinting) comes as a physical layer-based security authentication method that improves wireless security authentication, which is especially useful for the power and computing limited devices. As a proof-of-concept, this paper proposes a universal SDR (software defined Radio)-based inexpensive implementation intended to sense emitted wireless signals from IoT devices. Our approach is validated by extracting mobile phone signal bursts under different user-dedicated modes. The proposed setup is well adapted to accurately capture signals from different telecommunication standards. To ensure a unique identification of IoT devices, this paper also provides an optimum set of features useful to generate the device identity fingerprint.

Smartwatches are expected to become the world's best-selling electronic product after smartphones. Various smart-watches have been released to the private consumer market, but the data on smartwatches is not well protected. In this paper, we show for the first time that photoplethysmography (PPG)signals influenced by hand gestures can be used to authenticate users on smartwatches. The insight is that muscle and tendon movements caused by hand gestures compress the arterial geometry with different degrees, which has a significant impact on the blood flow. Based on this insight, novel approaches are proposed to detect the starting point and ending point of the hand gesture from raw PPG signals and determine if these PPG signals are from a normal user or an attacker. Different from existing solutions, our approach leverages the PPG sensors that are available on most smartwatches and does not need to collect training data from attackers. Also, our system can be used in more general scenarios wherever users can perform hand gestures and is robust against shoulder surfing attacks. We conduct various experiments to evaluate the performance of our system and show that our system achieves an average authentication accuracy of 96.31 % and an average true rejection rate of at least 91.64% against two types of attacks.

Wearable devices, such as implantable medical devices and smart wearables, are becoming increasingly popular with applications that vary from casual activity monitoring to critical medical uses. Unsurprisingly, numerous security vulnerabilities have been found in this class of devices. Yet, research on physical measurement-based authentication and key distribution assumes that body-worn devices are benign and uncompromised. Tiek is a novel authentication and key distribution protocol which addresses this issue. We utilize two sources of randomness to perform device authentication and key distribution simultaneously but through separate means. This creates a two-tier authorization scheme that enables devices to join the network while protecting them from each other. We describe Tiek and analyze its security.

With the emergence of IoT, wearable devices are drawing attention and becoming part of our daily life. These wearable devices collect private information about their wearers. Mostly, a secure authentication process is used to verify a legitimate user that relies on the mobile terminal. Similarly, remote cloud services are used for verification and authentication of both wearable devices and wearers. Security is necessary to preserve the privacy of users. Some traditional authentication protocols are proposed which have vulnerabilities and are prone to different attacks like forgery, de-synchronization, and un-traceability issues. To address these vulnerabilities, recently, Wu et al. (2017) proposed a cloud-assisted authentication scheme which is costly in terms of computations required. Therefore this paper proposed an improved, lightweight and computationally efficient authentication scheme for wearable devices. The proposed scheme provides similar level of security as compared to Wu's (2017) scheme but requires 41.2% lesser computations.

This article discusses the vulnerabilities and complexity of designing secure IoT-solutions, and then presents proven approaches to protecting devices and gateways. Specifically, security mechanisms such as device authentication (including certificate-based authentication), device authentication, and application a verification of identification are described. The authors consider a protocol of message queue telemetry transport for speech and sensor networks on the Internet, its features, application variants, and characteristic procedures. The principle of "publishersubscriber" is considered. An analysis of information elements and messages is carried out. The urgency of the theme is due to the rapid development of "publisher-subscriber" architecture, for which the protocol is most characteristic.

Bio-modalities are ideal for user authentication in Medical Cyber-Physical Systems. Various forms of bio-modalities, such as the face, iris, fingerprint, are commonly used for secure user authentication. Concurrently, various spoofing approaches have also been developed over time which can fail traditional bio-modality detection systems. Image synthesis with play-doh, gelatin, ecoflex etc. are some of the ways used in spoofing bio-identifiable property. Since the bio-modality detection sensors are small and resource constrained, heavy-weight detection mechanisms are not suitable for these sensors. Recently, Fog based architectures are proposed to support sensor management in the Medical Cyber-Physical Systems (MCPS). A thin software client running in these resource-constrained sensors can enable communication with fog nodes for better management and analysis. Therefore, we propose a fog-based security application to detect bio-modality spoofing in a Fog based MCPS. In this regard, we propose a machine learning based security algorithm run as an application at the fog node using a binarized multi-factor boosted ensemble learner algorithm coupled with feature selection. Our proposal is verified on real datasets provided by the Replay Attack, Warsaw and LiveDet 2015 Crossmatch benchmark for face, iris and fingerprint modality spoofing detection used for authentication in an MCPS. The experimental analysis shows that our approach achieves significant performance gain over the state-of-the-art approaches.

In most produced modern vehicles, Passive Keyless Entry and Start System (PKES), a newer form of an entry access system, is becoming more and more popular. The PKES system allows the consumer to enter within a certain range and have the vehicle's doors unlock automatically without pressing any buttons on the key. This technology increases the overall convenience to the consumer; however, it is vulnerable to attacks known as relay and amplified relay attacks. A relay attack consists of placing a device near the vehicle and a device near the key to relay the signal between the key and the vehicle. On the other hand, an amplified relay attack uses only a singular amplifier to increase the range of the vehicle sensors to reach the key. By exploiting these two different vulnerabilities within the PKES system, an attacker can gain unauthorized access to the vehicle, leading to damage or even stolen property. To minimize both vulnerabilities, we propose a coordinate tracing system with an additional Bluetooth communication channel. The coordinate tracing system, or PKES Forcefield, traces the authorized key's longitude and latitude in real time using two proposed algorithms, known as the Key Bearing algorithm and the Longitude and Latitude Key (LLK) algorithm. To further add security, a Bluetooth communication channel will be implemented. With an additional channel established, a second frequency can be traced within a secondary PKES Forcefield. The LLK Algorithm computes both locations of frequencies and analyzes the results to form a pattern. Furthermore, the PKES Forcefield movement-tracing allows a vehicle to understand when an attacker attempts to transmit an unauthenticated signal and blocks any signal from being amplified over a fixed range.

A noble multi-factor authentication (MFA) algorithm is developed for the security enhancement of the Cryptocurrency (CR). The main goal of MFA is to set up extra layer of safeguard while seeking access to a targets such as physical location, computing device, network or database. MFA security scheme requires more than one method for the validation from commutative family of credentials to verify the user for a transaction. MFA can reduce the risk of using single level password authentication by introducing additional factors of authentication. MFA can prevent hackers from gaining access to a particular account even if the password is compromised. The superfluous layer of security introduced by MFA offers additional security to a user. MFA is implemented by using time-based onetime password (TOTP) technique. For logging to any entity with MFA enabled, the user first needs username and password, as a second factor, the user then needs the MFA token to virtually generate a TOTP. It is found that MFA can provide a better means of secured transaction of CR.

In this paper, we propose an efficient and secure physically unclonable function based multi-factor authenticated key exchange (PUF-MAKE). In a PUF-MAKE setting, we suppose two participants; a user and a server. The user keeps multi-factor authenticators and securely holds a PUF-embedded device while the server maintains PUF outputs for authentication. We first study on how to efficiently construct a PUF-MAKE protocol. The main difficulty comes from that it should establish a common key from both multi-factor authenticators and a PUF-embedded device. Our construction is the first secure PUF-MAKE protocol that just needs three communication flows.

With the development of internet of things (IoT) and communication technology, the sensors and embedded devices collect a large amount of data and handle it. However, IoT environment cannot efficiently treat the big data and is vulnerable to various attacks because IoT is comprised of resource limited devices and provides a service through a open channel. In 2018, Sharma and Kalra proposed a lightweight multi-factor authentication protocol for cloud-IoT environment to overcome this problems. We demonstrate that Sharma and Kalra's scheme is vulnerable to identity and password guessing, replay and session key disclosure attacks. We also propose a secure multifactor authentication protocol to resolve the security problems of Sharma and Kalra's scheme, and then we analyze the security using informal analysis and compare the performance with Sharma and Kalra's scheme. The proposed scheme can be applied to real cloud-IoT environment securely.

As the number of Internet users increases, their usage also diversifies, and it is important to prevent Identity on the Internet (Digital Identity) from being violated. Unauthorized authentication is one of the methods to infringe Digital Identity. Multi-factor authentication has been proposed as a method for preventing unauthorized authentication. However, the cryptographic authenticator required for multi-factor authentication is expensive both financially and UX-wise for the user. In this paper, we design, implement and evaluate multi-factor authentication using My Number Card provided by public personal identification service and WebUSB, which is being standardized.

Federated authentication can drastically reduce the overhead of basic account maintenance while simultaneously improving overall system security. Integrating with the user's more frequently used account at their primary organization both provides a better experience to the end user and makes account compromise or changes in affiliation more likely to be noticed and acted upon. Additionally, with many organizations transitioning to multi-factor authentication for all account access, the ability to leverage external federated identity management systems provides the benefit of their efforts without the additional overhead of separately implementing a distinct multi-factor authentication process. This paper describes our experiences and the lessons we learned by enabling federated authentication with the U.S. Government PKI and In Common Federation, scaling it up to the user base of a production HPC system, and the motivations behind those choices. We have received only positive feedback from our users.

Authentication is achieved by using different techniques, like using smart-card, identity password and biometric techniques. Some of the proposed schemes use a single factor for authentication while others combine multiple ways to provide multi-factor authentication for better security. lately, a new scheme for multi-factor authentication was presented by Cao and Ge and claimed that their scheme is highly secure and can withstand against all known attacks. In this paper, it is revealed that their scheme is still vulnerable and have some loopholes in term of reflection attack. Therefore, an improved scheme is proposed to overcome the security weaknesses of Cao and Ge's scheme. The proposed scheme resists security attacks and secure. Formal testing is carried out under a broadly-accepted simulated tool ProVerif which demonstrates that the proposed scheme is well secure.

The work defines a multi-factor authentication model in case the application supports multiple authentication factors. The aim of this modeling is to find acceptable authentication methods sufficient to access specifically qualified information. The core of the proposed model is risk-based authentication. Results of simulations of some key scenarios often used in practice are also presented.

State-of-the-art security frameworks have been extensively addressing security issues for web resources, agents and services in the Semantic Web. The provision of Stream Reasoning as a new area spanning Semantic Web and Data Stream Management Systems has eventually opened up new challenges. Namely, their decentralized nature, the metadata descriptions, the number of users, agents, and services, makes securing Stream Reasoning systems difficult to handle. Thus, there is an inherent need of developing new security models which will handle security and automate security mechanism to a more autonomous system that supports complex and dynamic relationships between data, clients and service providers. We plan to validate our proposed security model on a typical application of stream data, on Wireless Sensor Networks (WSNs). In particular, WSNs for water quality monitoring will serve as a case study. The proposed model can be a guide when deploying and maintaining WSNs in different contexts. Moreover, this model will point out main segments which are most important in ensuring security in semantic stream reasoning systems, and their interrelationships. In this paper we propose a security framework to handle most important issues of security within WSN. The security model in itself should be an incentive for other researchers in creating other models to improve information security within semantic stream reasoning systems.