Biblio

Nowadays, the increasing complexity of digital applications for social and business activities has required more and more advanced mechanisms to prove the identity of subjects like those based on the Two-Factor Authentication (2FA). Such an approach improves the typical authentication paradigm but it has still some weaknesses. Specifically, it has to deal with the disadvantages of a centralized architecture causing several security threats like denial of service (DoS) and man-in-the-middle (MITM). In fact, an attacker who succeeds in violating the central authentication server could be able to impersonate an authorized user or block the whole service. This work advances the state of art of 2FA solutions by proposing a decentralized Microservices and Blockchain Based One Time Password (MBB-OTP) protocol for security-enhanced authentication able to mitigate the aforementioned threats and to fit different application scenarios. Experiments prove the goodness of our MBB-OTP protocol considering both private and public Blockchain configurations.

This project develops a face recognition-based door locking system with two-factor authentication using OpenCV. It uses Raspberry Pi 4 as the microcontroller. Face recognition-based door locking has been around for many years, but most of them only provide face recognition without any added security features, and they are costly. The design of this project is based on human face recognition and the sending of a One-Time Password (OTP) using the Twilio service. It will recognize the person at the front door. Only people who match the faces stored in its dataset and then inputs the correct OTP will have access to unlock the door. The Twilio service and image processing algorithm Local Binary Pattern Histogram (LBPH) has been adopted for this system. Servo motor operates as a mechanism to access the door. Results show that LBPH takes a short time to recognize a face. Additionally, if an unknown face is detected, it will log this instance into a "Fail" file and an accompanying CSV sheet.

In recent years, blockchain-based cryptocurren-cies have attracted much attention. Attacks targeting cryptocurrencies and related services directly profit an attacker if successful. Related studies have reported attacks targeting configuration-vulnerable nodes in Ethereum using a method called honeypots to observe malicious user attacks. They have analyzed 380 million observed requests and showed that attacks had to that point taken at least 4193 Ether. However, long-term observations using honeypots are difficult because the cost of maintaining honeypots is high. In this study, we analyze the behavior of malicious users using our honeypot system. More precisely, we clarify the pre-investigation that a malicious user performs before attacks. We show that the cost of maintaining a honeypot can be reduced. For example, honeypots need to belong in Ethereum's P2P network but not to the mainnet. Further, if they belong to the testnet, the cost of storage space can be reduced.

A secure hash code or message authentication code is a one-way hash algorithm. It is producing a fixed-size hash function to be used to check verification, the integrity of electronic data, password storage. Numerous researchers have proposed hashing algorithms. They have a very high time complexity based on several steps, initial value, and key constants which are publically known. We are focusing here on the many exiting algorithms that are dependent on the initial value and key constant usage to increasing the security strength of the hash function which is publically known. Therefore, we are proposing autonomous initial value proposed secure hash algorithm (AIVPSHA64) in this research paper to produce sixty-four-bit secure hash code without the need of initial value and key constant, it is very useful for a smart card to verify their identity which has limited memory space. Then evaluate the performance of hash function using autonomous initial value proposed secure hash algorithm (AIVPSHA64) and will compare the result, which is found by python-3.9.0 programming language.

E-commerce, ticket booking, banking, and other web-based applications that deal with sensitive information, such as passwords, payment information, and financial information, are widespread. Some web developers may have different levels of understanding about securing an online application. The two vulnerabilities identified by the Open Web Application Security Project (OWASP) for its 2017 Top Ten List are SQL injection and Cross-site Scripting (XSS). Because of these two vulnerabilities, an attacker can take advantage of these flaws and launch harmful web-based actions. Many published articles concentrated on a binary classification for these attacks. This article developed a new approach for detecting SQL injection and XSS attacks using deep learning. SQL injection and XSS payloads datasets are combined into a single dataset. The word-embedding technique is utilized to convert the word’s text into a vector. Our model used BiLSTM to auto feature extraction, training, and testing the payloads dataset. BiLSTM classified the payloads into three classes: XSS, SQL injection attacks, and normal. The results showed great results in classifying payloads into three classes: XSS attacks, injection attacks, and non-malicious payloads. BiLSTM showed high performance reached 99.26% in terms of accuracy.

The Government of Indonesia has implemented an Electronic-Based Government System (SPBE) to provide fast and unlimited services by distance, space, and time. The Case Investigation Information System (SIPP) is a service for the public that requires good integration of information so that legal services are provided quickly and easily. In 2020 court websites experienced many hacker attacks based on data from internal court sources, at least there were more than 20 courts throughout Indonesia that were affected by damage to both the website, the SIPP web feature, and the court library featured. Based on the Minister of Communication and Informatics Regulation No. 4 of 2016 in article 7, every SPBE organizer must implement information security following the information security standards described by the Ministry of Communication and Information. Since this regulation is conceived to minimize the risk of the security breach on SPBE, and there is such numerous security breach in 2020 therefore this indicates poorly implemented of the regulation. Based on this finding this research aims to investigate which area is neglected. To achieve this, this research employs gap analysis using ISO/IEC 27001:2013and maturity level to reveal the neglected areas in information security. Current findings show there are SIPP users that still use weak passwords and lack of awareness of top management personnel in several information security areas such as securing sensitive documents or policies that regulate information security specifically for SIPP. These findings entails that the security management in Court is most likely at the initiative level.

The utilization of "cloud storage services (CSS)", empowering people to store their data in cloud and avoid from maintenance cost and local data storage. Various data integrity auditing (DIA) frameworks are carried out to ensure the quality of data stored in cloud. Mostly, if not all, of current plans, a client requires to utilize his private key (PK) to generate information authenticators for knowing the DIA. Subsequently, the client needs to have hardware token to store his PK and retain a secret phrase to actuate this PK. In this hardware token is misplaced or password is forgotten, the greater part of existing DIA plans would be not able to work. To overcome this challenge, this research work suggests another DIA without "private key storage (PKS)"plan. This research work utilizes biometric information as client's fuzzy private key (FPK) to evade utilizing hardware token. In the meantime, the plan might in any case viably complete the DIA. This research work uses a direct sketch with coding and mistake correction procedures to affirm client identity. Also, this research work plan another mark conspire that helps block less. Verifiability, yet in addition is viable with linear sketch Keywords– Data integrity auditing (DIA), Cloud Computing, Block less Verifiability, fuzzy biometric data, secure cloud storage (SCS), key exposure resilience (KER), Third Party Auditor (TPA), cloud audit server (CAS), cloud storage server (CSS), Provable Data Possession (PDP)

Current paradigms for client-server authentication often rely on username/password schemes. Studies show such schemes are increasingly vulnerable to heuristic and brute-force attacks. This is either due to poor practices by users such as insecure weak passwords, or insecure systems by server operators. A recurring problem in any system which retains information is insecure management policies for sensitive information, such as logins and passwords, by both hosts and users. Increased processing power on the horizon also threatens the security of many popular hashing algorithms. Furthermore, increasing reliance on applications that exchange sensitive information has resulted in increased urgency. This is demonstrated by a large number of mobile applications being deemed insecure by Open Web Application Security Project (OWASP) standards. This paper proposes a secure alternative technique of authentication that retains the current ecosystem, while minimizes attack vectors without inflating responsibilities on users or server operators. Our proposed authentication scheme uses layered encryption techniques alongside a two-part verification process. In addition, it provides dynamic protection for preventing against common cyber-attacks such as replay and man-in-the-middle attacks. Results show that our proposed authentication mechanism outperform other schemes in terms of deployability and resilience to cyber-attacks, without inflating transaction's speed.

Security and usability are two essential aspects of a system, but they usually move in opposite directions. Sometimes, to achieve security, usability has to be compromised, and vice versa. Password-based authentication systems require both security and usability. However, to increase password security, absurd rules are introduced, which often drive users to compromise the usability of their passwords. Users tend to forget complex passwords and use techniques such as writing them down, reusing them, and storing them in vulnerable ways. Enhancing the strength while maintaining the usability of a password has become one of the biggest challenges for users and security experts. In this paper, we define the pronounceability of a password as a means to measure how easy it is to memorize - an aspect we associate with usability. We examine a dataset of more than 7 million passwords to determine whether the usergenerated passwords are secure. Moreover, we convert the usergenerated passwords into phonemes and measure the pronounceability of the phoneme-based representations. We then establish a relationship between the two and suggest how password creation strategies can be adapted to better align with both security and usability.

Abstract Despite decades of research into developing abstract security advice and improving interfaces, users still struggle to make passwords. Users frequently create passwords that are predictable for attackers [1, 9] or make other decisions (e.g., reusing the same password across accounts) that harm their security [2, 8]. In this thesis,1 I use data-driven methods to better understand how users choose passwords and how attackers guess passwords. I then combine these insights into a better password-strength meter that provides real-time, data-driven feedback about the user's password. I first quantify the impact on password security and usability of showing users different password-strength meters that score passwords using basic heuristics. I find in a 2,931- participant online study that meters that score passwords stringently and present their strength estimates visually lead users to create stronger passwords without significantly impacting password memorability [6]. Second, to better understand how attackers guess passwords, I perform comprehensive experiments on password-cracking approaches. I find that simply running these approaches in their default configuration is insufficient, but considering multiple well-configured approaches in parallel can serve as a proxy for guessing by an expert in password forensics [9]. The third and fourth sections of this thesis delve further into how users choose passwords. Through a series of analyses, I pinpoint ways in which users structure semantically significant content in their passwords [7]. I also examine the relationship between users' perceptions of password security and passwords' actual security, finding that while users often correctly judge the security impact of individual password characteristics, wide variance in their understanding of attackers may lead users to judge predictable passwords as sufficiently strong [5]. Finally, I integrate these insights into an open-source2 password-strength meter that gives users data-driven feedback about their specific password. This meter uses neural networks [3] and numerous carefully combined heuristics to score passwords and generate data-driven text feedback about a given password. I evaluate this meter through a ten-participant laboratory study and 4,509-participant online study [4]. Under the more common password-composition policy we tested, we find that the data-driven meter with detailed feedback leads users to create more secure, and no less memorable, passwords than a meter with only a bar as a strength indicator. In sum, the objective of this thesis is to demonstrate how integrating data-driven insights about how users create and how attackers guess passwords into a tool that presents real-time feedback can help users make better passwords.

Despite their ubiquity, many password meters provide inaccurate strength estimates. Furthermore, they do not explain to users what is wrong with their password or how to improve it. We describe the development and evaluation of a data-driven password meter that provides accurate strength measurement and actionable, detailed feedback to users. This meter combines neural networks and numerous carefully combined heuristics to score passwords and generate data-driven text feedback about the user's password. We describe the meter's iterative development and final design. We detail the security and usability impact of the meter's design dimensions, examined through a 4,509-participant online study. Under the more common password-composition policy we tested, we found that the data-driven meter with detailed feedback led users to create more secure, and no less memorable, passwords than a meter with only a bar as a strength indicator.

Despite considerable research on passwords, empirical studies of password strength have been limited by lack of access to plaintext passwords, small data sets, and password sets specifically collected for a research study or from low-value accounts. Properties of passwords used for high-value accounts thus remain poorly understood. We fill this gap by studying the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy. Key aspects of our contributions rest on our (indirect) access to plaintext passwords. We describe our data collection methodology, particularly the many precautions we took to minimize risks to users. We then analyze how guessable the collected passwords would be during an offline attack by subjecting them to a state-of-the-art password cracking algorithm. We discover significant correlations between a number of demographic and behavioral factors and password strength. For example, we find that users associated with the computer science school make passwords more than 1.5 times as strong as those of users associated with the business school. while users associated with computer science make strong ones. In addition, we find that stronger passwords are correlated with a higher rate of errors entering them. We also compare the guessability and other characteristics of the passwords we analyzed to sets previously collected in controlled experiments or leaked from low-value accounts. We find more consistent similarities between the university passwords and passwords collected for research studies under similar composition policies than we do between the university passwords and subsets of passwords leaked from low-value accounts that happen to comply with the same policies.