Biblio

In this paper, we highlight a fundamental vulnerability associated with the widely adopted “Just Tap” push-based authentication in the face of a concurrency attack, and propose the method REPLICATE, a redesign to counter this vulnerability. In the concurrency attack, the attacker launches the login session at the same time the user initiates a session, and the user may be fooled, with high likelihood, into accepting the push notification which corresponds to the attacker's session, thinking it is their own. The attack stems from the fact that the login notification is not explicitly mapped to the login session running on the browser in the Just Tap approach. REPLICATE attempts to address this fundamental flaw by having the user approve the login attempt by replicating the information presented on the browser session over to the login notification, such as by moving a key in a particular direction, choosing a particular shape, etc. We report on the design and a systematic usability study of REPLICATE. Even without being aware of the vulnerability, in general, participants placed multiple variants of REPLICATE in competition to the Just Tap and fairly above PIN-based authentication.

The fifth-generation (5G) standard is the last telecommunication technology, widely considered to have the most important characteristics in the future network industry. The 5G system infrastructure contains three principle interfaces, each one follows a set of protocols defined by the 3rd Generation Partnership Project group (3GPP). For the next generation network, 3GPP specified two authentication methods systematized in two protocols namely 5G Authentication and Key Agreement (5G-AKA) and Extensible Authentication Protocol (EAP). Such protocols are provided to ensure the authentication between system entities. These two protocols are critical systems, thus their reliability and correctness must be guaranteed. In this paper, we aim to formally re-examine 5G-AKA protocol using micro Common Representation Language 2 (mCRL2) language to verify such a security protocol. The mCRL2 language and its associated toolset are formal tools used for modeling, validation, and verification of concurrent systems and protocols. In this context, the authentication protocol 5G-AKA model is built using Algebra of Communication Processes (ACP), its properties are specified using Modal mu-Calculus and the properties analysis exploits Model-Checker provided with mCRL2. Indeed, we propose a new mCRL2 model of 3GPP specification considering 5G-AKA protocol and we specify some properties that describe necessary requirements to evaluate the correctness of the protocol where the parsed properties of Deadlock Freedom, Reachability, Liveness and Safety are positively assessed.

Smart grids can be exposed to relay attacks (or wormhole attacks) resulting from weaknesses in cryptographic operations such as authentication and key derivation associated with process automation protocols. Relay attacks refer to attacks in which authentication is evaded without needing to attack the smart grid itself. By using a universal composability model that provides a strong security notion for designing cryptographic operations, we formulate the necessary relay resilience settings for strengthening authentication and key derivation and enhancing relay security in process automation protocols in this paper. We introduce R-Chain, a universally composable relay resilience framework that prevents bypass of cryptographic operations. Our framework provides an ideal chaining functionality that integrates all cryptographic operations such that all outputs from a preceding operation are used as input to the subsequent operation to support relay resilience. We apply R-Chain to provide relay resilience in a practical smart grid process automation protocol, namely WirelessHART.

Internet of Things (IoT) connects various nodes such as sensor devices. For users from foreign networks, their direct access to the data of sensor devices is restricted because of security threats. Therefore, a ticket-based authentication scheme was proposed, which can mutually authenticate a mobile device and a sensor device. This scheme with new features fills a gap in IoT authentication, but the scheme has not been verified formally. Hence, it is important to study the security and reliability of the scheme from the perspective of formal methods.In this paper, we model this scheme using Communicating Sequential Processes (CSP). Considering the possibility of key leakage caused by security threats in IoT networks, we also build models where one of the keys used in the scheme is leaked. With the model checker Process Analysis Toolkit (PAT), we verify four properties (deadlock freedom, data availability, data security, and data authenticity) and find that the scheme cannot satisfy the last two properties with key leakage. Thus, we propose two improved models. The verification results show that the first improved model can guarantee data security, and the second one can ensure both data security and data authenticity.

Nowadays, the increasing complexity of digital applications for social and business activities has required more and more advanced mechanisms to prove the identity of subjects like those based on the Two-Factor Authentication (2FA). Such an approach improves the typical authentication paradigm but it has still some weaknesses. Specifically, it has to deal with the disadvantages of a centralized architecture causing several security threats like denial of service (DoS) and man-in-the-middle (MITM). In fact, an attacker who succeeds in violating the central authentication server could be able to impersonate an authorized user or block the whole service. This work advances the state of art of 2FA solutions by proposing a decentralized Microservices and Blockchain Based One Time Password (MBB-OTP) protocol for security-enhanced authentication able to mitigate the aforementioned threats and to fit different application scenarios. Experiments prove the goodness of our MBB-OTP protocol considering both private and public Blockchain configurations.

Risk-based authentication (RBA) extends authentication mechanisms to make them more robust against account takeover attacks, such as those using stolen passwords. RBA is recommended by NIST and NCSC to strengthen password-based authentication, and is already used by major online services. Also, users consider RBA to be more usable than two-factor authentication and just as secure. However, users currently obtain RBA’s high security and usability benefits at the cost of exposing potentially sensitive personal data (e.g., IP address or browser information). This conflicts with user privacy and requires to consider user rights regarding the processing of personal data. We outline potential privacy challenges regarding different attacker models and propose improvements to balance privacy in RBA systems. To estimate the properties of the privacy-preserving RBA enhancements in practical environments, we evaluated a subset of them with long-term data from 780 users of a real-world online service. Our results show the potential to increase privacy in RBA solutions. However, it is limited to certain parameters that should guide RBA design to protect privacy. We outline research directions that need to be considered to achieve a widespread adoption of privacy preserving RBA with high user acceptance.

The Internet of Drones (IoD) is a distributed network control system that mainly manages unmanned aerial vehicle access to controlled airspace and provides navigation between so-called nodes. Securing the transmission of real-time information from the nodes in these applications is essential. The limited drone nodes, data storage, computing and communication capabilities necessitate the need to design an effective and secure authentication scheme. Recently, research has proposed remote user authentication and the key agreement on IoD and claimed that their schemes satisfied all security issues in these networks. However, we found that their schemes may lead to losing access to the drone system due to the corruption of using a key management system and make the system completely unusable. To solve this drawback, we propose a lightweight and anonymous two-factor authentication scheme for drones. The proposed scheme is based on an asymmetric cryptographic method to provide a secure system and is more suitable than the other existing schemes by securing real-time information. Moreover, the comparison shows that the proposed scheme minimized the complexity of communication and computation costs.

The increased need for online account security and the prominence of smartphones in today’s society has led to smartphone-based two-factor authentication schemes, in which the second factor is a code received on the user’s smartphone. Evolving two-factor authentication mechanisms suggest using the proximity of the user’s devices as the second authentication factor, avoiding the inconvenience of user-device interaction. These mechanisms often use low-range communication technologies or the similarities of devices’ environments to prove devices’ proximity and user authenticity. However, such mechanisms are vulnerable to colocated adversaries. This paper proposes Vibe-an implicit two-factor authentication mechanism, which uses a vibration communication channel to prove users’ authenticity in a secure and non-intrusive manner. Vibe’s design provides security at the physical layer, reducing the attack surface to the physical surface shared between devices. As a result, it protects users’ security even in the presence of co-located adversaries-the primary drawback of the existing systems. We prototyped Vibe and assessed its performance using commodity hardware in different environments. Our results show an equal error rate of 0.0175 with an end-to-end authentication latency of approximately 3.86 seconds.

Authentication, forms an important step in any security system to allow access to resources that are to be restricted. In this paper, we propose a novel artificial intelligence-assisted risk-based two-factor authentication method. We begin with the details of existing systems in use and then compare the two systems viz: Two Factor Authentication (2FA), Risk-Based Two Factor Authentication (RB-2FA) with each other followed by our proposed AIA-RB-2FA method. The proposed method starts by recording the user features every time the user logs in and learns from the user behavior. Once sufficient data is recorded which could train the AI model, the system starts monitoring each login attempt and predicts whether the user is the owner of the account they are trying to access. If they are not, then we fallback to 2FA.

This project develops a face recognition-based door locking system with two-factor authentication using OpenCV. It uses Raspberry Pi 4 as the microcontroller. Face recognition-based door locking has been around for many years, but most of them only provide face recognition without any added security features, and they are costly. The design of this project is based on human face recognition and the sending of a One-Time Password (OTP) using the Twilio service. It will recognize the person at the front door. Only people who match the faces stored in its dataset and then inputs the correct OTP will have access to unlock the door. The Twilio service and image processing algorithm Local Binary Pattern Histogram (LBPH) has been adopted for this system. Servo motor operates as a mechanism to access the door. Results show that LBPH takes a short time to recognize a face. Additionally, if an unknown face is detected, it will log this instance into a "Fail" file and an accompanying CSV sheet.

Rapid development of wireless technologies has driven the evolution of smart grid application. In smart grid, authentication plays an important role for secure communication between smart meter and service provider. Hence, the design of secure authenticated key agreement schemes has received significant attention from researchers. In these schemes, a trusted third party directly participates in key agreement process. Although, this third party is assumed as trusted, however we cannot reject the possibility that being a third party, it can also be malicious. In the existing works, either the established session key is revealed to the agents of a trusted third party, or a trusted third party agent can impersonate the smart meter and establish a valid session key with the service provider, which is likely to cause security vulnerabilities. Therefore, there is a need to design a secure authentication scheme so that only the deserving entities involved in the communication can establish and know the session key. This paper proposes a new secure authenticated key agreement scheme for smart grid considering the fact that the third party can also be malicious. The security of the proposed scheme has been thoroughly evaluated using an adversary model. Correctness of the scheme has been analyzed using the broadly accepted Burrows-Abadi-Needham (BAN) Logic. In addition, the formal security verification of the proposed scheme has been performed using the widely accepted Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation tool. Results of this simulation confirm that the proposed scheme is safe. Detailed security analysis shows the robustness of the scheme against various known attacks. Moreover, the comparative performance study of the proposed scheme with other relevant schemes is presented to demonstrate its practicality.

The majority of systems rely on user authentication on passwords, but passwords have so many weaknesses and widespread use that easily raise significant security concerns, regardless of their encrypted form. Users hold the same password for different accounts, administrators never check password files for flaws that might lead to a successful cracking, and the lack of a tight security policy regarding regular password replacement are a few problems that need to be addressed. The proposed research work aims at enhancing this security mechanism, prevent penetrations, password theft, and attempted break-ins towards securing computing systems. The selected solution approach is two-folded; it implements a two-factor authentication scheme to prevent unauthorized access, accompanied by Honeyword principles to detect corrupted or stolen tokens. Both can be integrated into any platform or web application with the use of QR codes and a mobile phone.

This research presented a digital watermarking scheme using multi-level authentication for protecting QR code images in order to provide security and authenticity. This research focuses on the improved digital watermarking scheme for QR code security that can protect the confidentiality of the information stored in QR code images from the public. Information modification, malicious attack, and copyright violation may occur due to weak security and disclosure pattern of QR code. Digital watermarking can be a solution to reduce QR code imitation and increase QR code security and authenticity. The objectives of this research are to provide QR code image authentication and security, tamper localization, and recovery scheme on QR code images. This research proposed digital watermarking for QR code images based on multi-level authentication with Least Significant Bit (LSB) and SHA-256 hash function. The embedding and extracting watermark utilized region of Interest (ROI) and Region of Non-Interest (RONI) in the spatial domain for improving the depth and width of QR code application in the anti-counterfeiting field. The experiments tested the reversibility and robustness of the proposed scheme after a tempered watermarked QR code image. The experimental results show that the proposed scheme provides multi-level security, withstands tampered attacks and it provided high imperceptibility of QR code image.

Pairings on elliptic curves which are carried out by the Miller loop and final exponentiation are used for innovative protocols such as ID-based encryption and group signature authentication. As the recent progress of attacks for finite fields in which pairings are defined, the importance of the use of the curves with prime embedding degrees \$k\$ has been increased. In this manuscript, the authors provide a method for providing efficient final exponentiation algorithms for a specific cyclotomic family of curves with arbitrary prime \$k\$ of \$k\textbackslashtextbackslashequiv 1(\textbackslashtextbackslashtextmod\textbackslashtextbackslash 6)\$. Applying the proposed method for several curves such as \$k=7\$, 13, and 19, it is found that the proposed method gives rise to the same algorithms as the previous state-of-the-art ones by the lattice-based method.

In this paper is devoted a creation cryptographic protocol for the division of mutual authentication and session key. For secure protocols, suitable cryptographic algorithms were monitored.

CAPTCHA (Completely Automated Public Turing Test to tell Computers and Humans Apart) is a widely used challenge-measures to distinguish humans and computer automated programs apart. Several existing CAPTCHAs are reliable for normal users, whereas visually impaired users face a lot of problems with the CAPTCHA authentication process. CAPTCHAs such as Google reCAPTCHA alternatively provides audio CAPTCHA, but many users find it difficult to decipher due to noise, language barrier, and accent of the audio of the CAPTCHA. Existing CAPTCHA systems lack user satisfaction on smartphones thus limiting its use. Our proposed system potentially solves the problem faced by visually impaired users during the process of CAPTCHA authentication. Also, our system makes the authentication process generic across users as well as platforms.

Mobile healthcare (mHealth) application and technologies have promised their cost-effectiveness to enhance healthcare quality, particularly in rural areas. However, the increased security incidents and leakage of patient data raise the concerns to address security risks and privacy issues of mhealth applications urgently. While recent mobile health applications that rely on password-based authentication cannot withstand password guessing and cracking attacks, several countermeasures such as One-Time Password (OTP), grid-based password, and biometric authentication have recently been implemented to protect mobile health applications. These countermeasures, however, can be thwarted by brute force attacks, man-in-the-middle attacks and persistent malware attacks. This paper proposed grid-based honey encryption by hybridising honey encryption with grid-based authentication. Compared to recent honey encryption limited in the hardening password attacks process, the proposed grid-based honey encryption can be further employed against shoulder surfing, smudge and replay attacks. Instead of rejecting access as a recent security defence mechanism in mobile healthcare applications, the proposed Grid-based Honey Encryption creates an indistinct counterfeit patient's record closely resembling the real patients' records in light of each off-base speculation legitimate password.

Nowadays, with the continuous increase in oil prices and the worldwide shift towards clean energy, all-electric vehicles are booming. Thence, these vehicles need widespread charging systems operating securely and reliably. Consequently, these charging systems need the most robust cybersecurity measures and strong authentication mechanisms to protect its user. This paper presents a new security scheme leveraging human biometrics in terms of iris recognition to defend against multiple types of cyber-attacks such as fraudulent identities, man-in-the-middle attacks, or unauthorized access to electric vehicle charging stations. Fundamentally, the proposed scheme implements a security mechanism based on the inherently unique characteristics of human eye biometric. The objective of the proposed scheme is to enhance the security of electric vehicle charging stations by using a low-cost and efficient authentication using k-Nearest Neighbours (KNN), which is a lightweight encryption algorithm.We tested our system on high-quality images obtained from the standard IITD iris database to search over the encrypted database and authenticate a legitimate user. The results showed that our proposed technique had minimal communication and computation overhead, which is quite suitable for the resource-limited charging station devices. Furthermore, we proved that our scheme outperforms other existing techniques.

This paper considers methods of fingerprint protection in biometric authentication systems. Including methods of protecting fingerprint templates using zero digital watermarks and cryptography techniques. The paper considers a secure authentication model using cryptography and digital watermarks.

Reversible data hiding (RDH) is an emerging area in the field of information security. The RDH schemes are widely explored in the field of cloud computing for data authentication and in medical image transmission for clinical data transmission along with medical images. The RDH schemes allow the data hider to embed sensitive information in digital content in such a way that later it can be extracted while recovering the original image. In this research, we explored the use of the RDH through the encryption scheme in a biometric authentication system. The internet of things (IoT) enabled biometric authentication systems are very common nowadays. In general, in biometric authentication, computationally complex tasks such as feature extraction and feature matching will be performed in a cloud server. The user-side devices will capture biometric data such as the face, fingerprint, or iris and it will be directly communicated to the cloud server for further processing. Since the confidentiality of biometric data needs to be maintained during the transmission, the original biometric data will be encrypted using any one of the data encryption techniques. In this manuscript, we propose the use of RDH through encryption approach to transmit two different biometric data as a single file without compromising confidentiality. The proposed scheme will ensure the integrity of the biometric data during transmission. For data hiding purposes, we have used a block-wise RDH through encryption scheme. The experimental study of the proposed scheme is carried out by embedding fingerprint data in the face images. The validation of the proposed scheme is carried out by extracting the fingerprint details from the face images during image decryption. The scheme ensures the exact recovery of face image images and fingerprint data at the receiver site.

Biometric methods are the most effective and accurate authentication methods. However, a significant drawback of such methods is the storage of authentication information in clear text. The article is devoted to solving this problem by means of symmetric encryption method and the method of dividing the memory space. The method of symmetric encryption ensures confidentiality during storage and transmission of biometric characteristics, the method of dividing the memory space provides an increase of information security level during processing of biometric characteristics.

The widespread use of smartphones has made the gadget a prime source of evidence for crime investigators. The cloud-based applications on mobile devices store a rich set of evidence in the cloud servers. The physical acquisition of Android devices reveals only minimal data of cloud-based apps. However, the artifacts collected from mobile devices can be used for data acquisition from cloud servers. This paper focuses on the forensic acquisition and analysis of cloud data of Google apps on Android devices. The proposed methodology uses the tokens extracted from the Android devices to get authenticated to the Google server bypassing the two-factor authentication scheme and access the cloud data for further analysis. Based on the investigation, we have also developed a tool to acquire, preserve and analyze cloud data in a forensically sound manner.

This project is an extension of ongoing research on Fully Homomorphic Encryption - Arithmetic Circuit Homomorphic Encryption. This paper focus on the implementation of pairing algorithm Supersingular Isogeny Diffie Hellman Key Exchange into Arithmetic Circuit Homomorphic Encryption as well as comparison and analyse with Elliptic Curve Diffie Hellman. Next, the paper will discuss on the latencies incurred due to pairing sessions between machines, key generations, key sizes, CPU usage and overall latency for the two respective key exchange methods to be compared against each other.

Cryptographic algorithms are playing an important role in the information security field. Strong and unbreakable algorithms provide high security and good throughput. The strength of any encryption algorithm is basically based on the degree of difficulty to obtain the encryption key by such cyber-attacks as brute. It is supposed that the bigger the key size, the more difficult it is to compute the key. But increasing the key size will increase both the computational complexity and the processing time of algorithms. In this paper, we proposed a reliable, effective, and more secure symmetric stream cipher algorithm for encryption and decryption called Symmetric Cipher based on Key Hashing Algorithm (SCKHA). The idea of this algorithm is based on hashing and splitting the encryption symmetric key. Hashing the key will hide the encrypted key to prevent any intruder from forging the hash code, and, thus, it satisfies the purpose of security, authentication, and integrity for a message on the network. In addition, the algorithm is secure against a brute-force attack by increasing the resources it takes for testing each possible key. Splitting the hashed value of the encryption key will divide the hashed key into two key chunks. The encryption process performed using such one chunk based on some calculations on the plaintext. This algorithm has three advantages that are represented in computational simplicity, security and efficiency. Our algorithm is characterized by its ability to search on the encrypted data where the plaintext character is represented by two ciphertext characters (symbols).

Return address authentication mechanisms protect return addresses by calculating and checking their message authentication codes (MACs) at runtime. However, these works only provide empirical analysis on their security, and it is still unclear whether the attacker can bypass these defenses by launching reuse attacks.In this paper, we present a solution to quantitatively analysis the security of return address authentication mechanisms against reuse attacks. Our solution utilizes some libc functions that could leakage data from memory. First, we perform reaching definition analysis to identify the source of parameters of these functions. Then we infer how many MACs could be observed at runtime by modifying these parameters. Afterward, we select the gadgets that could be exploited by reusing these observed MACs. Finally, we stitch desired gadget to craft attacks. We evaluated our solution on 5 real-word applications and successfully crafted reuse attacks on 3 of them. We find that the larger an application is, the more libc functions and gadgets can be found and reused, and furthermore, the more likely the attack is successfully crafted.