Due to the concern on cloud security, digital encryption is applied before outsourcing data to the cloud for utilization. This introduces a challenge about how to efficiently perform queries over ciphertexts. Crypto-based solutions currently suffer from limited operation support, high computational complexity, weak generality, and poor verifiability. An alternative method that utilizes hardware-assisted Trusted Execution Environment (TEE), i.e., Intel SGX, has emerged to offer high computational efficiency, generality and flexibility. However, SGX-based solutions lack support on multi-user query control and suffer from security compromises caused by untrustworthy TEE function invocation, e.g., key revocation failure, incorrect query results, and sensitive information leakage. In this article, we leverage SGX and propose a secure and efficient SQL-style query framework named QShield. Notably, we propose a novel lightweight secret sharing scheme in QShield to enable multi-user query control; it effectively circumvents key revocation and avoids cumbersome remote attestation for authentication. We further embed a trust-proof mechanism into QShield to guarantee the trustworthiness of TEE function invocation; it ensures the correctness of query results and alleviates side-channel attacks. Through formal security analysis, proof-of-concept implementation and performance evaluation, we show that QShield can securely query over outsourced data with high efficiency and scalable multi-user support.
Authored by Yaxing Chen, Qinghua Zheng, Zheng Yan, Dan Liu
Remote Attestation (RA) is a security service by which a Verifier (Vrf) can verify the platform state of a remote Prover (Prv). However, in most existing RA schemes, the Prv might be vulnerable to denial of service (DoS) attacks due to the interactive challenge-response methodology while there is no authentication about the challenge. Worse, many schemes cannot effectively detect mobile malware that can be inactive during the on-demand attestation launched by the Vrf. In this paper, we propose a self-measurement RA for SGX-based platforms, which can effectively mitigate DoS attacks and defend against mobile malware. To this end, a two-way identity authentication is first enforced between the Prv and Vrf with the help of a blockchain system, in which a shared session key is also generated. Secondly, trigger conditions of measurements on the Prv’s side are time points generated by the Prv self instead of Vrf’s requests. The Vrf can retrieve multiple selfmeasurement results during one execution of the protocol to monitor the Prv’s platform over a period of time continuously, which can detect mobile malware effectively. Our scheme utilizes SGX to provide the runtime protection for sensitive information such as session key, self-measurement code, time points of self-measurements, and self-measurement results, making a higher security guarantee. In addition, the session key, time points of self-measurements, and self-measurement code can be changed or upgraded, making our scheme more flexible and scalable. The simulation implementation and results show that our scheme is feasible and practical.
Authored by Zhengwei Ren, Xueting Li, Li Deng, Yan Tong, Shiwei Xu, Jinshan Tang
With the development of cloud computing and edge computing, data sharing and collaboration have become increasing between cloud edge and end. Under the assistance of edge cloud, end users can access the data stored in the cloud by data owners. However, in an unprotected cloud-edge-end network environment, data sharing is vulnerable to security threats from malicious users, and data confidentiality cannot be guaranteed. Most of the existing data sharing approaches use the identity authentication mechanism to resist unauthorized accessed by illegal end users, but the mechanism cannot guarantee the credibility of the end user’s network environment. Therefore, this article proposes an approach for trusted sharing of data under cloud-edge-end collaboration (TSDCEE), in which we verify the trustworthiness of the data requester’s network environment based on the mechanism of attribute remote attestation. Finally, this article uses model checking Spin method to formally analyze TSDCEE, and verifies the security properties of TSDCEE.
Authored by Xuejian Li, Mingguang Wang
Organizations strive to secure their valuable data and minimise potential damages, recognising that critical operations are susceptible to attacks. This research paper seeks to elucidate the concept of proactive cyber threat hunting. The proposed framework is to help organisations check their preparedness against upcoming threats and their probable mitigation plan. While traditional threat detection methods have been implemented, they often need to address the evolving landscape of advanced cyber threats. Organisations must adopt proactive threat-hunting strategies to safeguard business operations and identify and mitigate unknown or undetected network threats. This research proposes a conceptual model based on a review of the literature. The proposed framework will help the organisation recover from the attack. As the recovery time is less, the financial loss for the company will also be reduced. Also, the attacker might need more time to gather data, so there will be less stealing of confidential information. Cybersecurity companies use proactive cyber defence strategies to reduce an attacker s time on the network. The different frameworks used are SANS, MITRE, Hunting ELK, Logstash, Digital Kill Chain, Model in Diamonds, and NIST Framework for Cybersecurity, which proposes a proactive approach. It is beneficial for the defensive security team to assess their capabilities to defend against Advanced Threats Persistent (ATP) and a wide range of attack vectors.
Authored by Mugdha Kulkarni, Dudhia Ashit, Chauhan Chetan
In a one-way secret key agreement (OW-SKA) protocol in source model, Alice and Bob have private samples of two correlated variables X and Y that are partially leaked to Eve through the variable Z, and use a single message from Alice to Bob to obtain a shared secret key. We propose an efficient secure OW-SKA when the sent message over the public channel can be tampered with by an active adversary. Our construction uses a specially designed hash function that is used for reconciliation, as well as detection of tampering. In detection of tampering the function is a Message Authentication Code (MAC) that maintains its security when the key is partially leaked. We prove the secrecy of the established key and robustness of the protocol, and discuss our results.
Authored by Somnath Panja, Shaoquan Jiang, Reihaneh Safavi-Naini
At present, the application of wireless Ad hoc network in the field of mobile security inspection is in its infancy, and the network security protection means for the power industry are still insufficient, which is highlighted by the lack of efficient security authentication means for Ad hoc network, and it is difficult to completely eliminate security risks such as illegal terminal intrusion, data counterfeiting and tampering. A decentralized security authentication scheme suitable for Ad hoc network is designed, which can solve the security trust transfer problem on the variable network topology. Under any network route, the security trust is transferred to the proxy node step by step through multiple peer authentication, and the authentication chain is eUEblished between the digital intelligence edge proxy device, the proxy node and the node to be accessed. On the one hand, it can effectively solve the counterfeit problem of A-nodes and proxy nodes; on the other hand, it can greatly reduce the problem of reduced security authentication efficiency caused by deepening network hierarchy.
Authored by Wang Kai, Fei Zhengming, Zhou Hui, Yu Jun, Shi Hongwei
The new power system puts forward higher requirements for the communication interconnection of power equipment, especially in power areas that are difficult to cover by public networks and private power networks. As an efficient means, although building power communication ad hoc network has the advantages of low cost and flexibility, it puts forward higher requirements for the security of power ad hoc networks. This paper proposes a lightweight and secure access method for power WIFI to better meet the real-time requirements of power ad hoc networks. Based on the analysis of STA and AP flexible networking switching modes of WIFI ad hoc network system, this paper focuses on the security challenges of power WIFI ad hoc network system. Meanwhile, according to the environmental characteristics of the power ad hoc network, we simplify and improve the classic WIFI secure communication in three stages: Scanning, link authentication, and association, to improve lightweight and secure access to power WIFI. The secure access example of power ad hoc network of multiple nodes proves the effectiveness of the proposed method.
Authored by Ling Yu, Hanxian Han, Jinman Luo, Feng Xue, Zhiling Ying, Jingtong Huang
The goal of this project is to use hardware components built-in manufacturing faults as mobile phone IDs. We assessed the applicability of several I/O-related cell phone components, including sensors. Through this process, the focus was on creating hardware issue samples that could then be categorised using the device s speaker and microphone. In our technique, an audio sample was created by playing a known audio file via a mobile phone s speakers and then recording the sound using the same device. The impact of important variables on sample accuracy was examined using a variety of different sample groups. After collecting the samples, the frequency responses were extracted and classified. Data were categorised using a variety of classifiers, with certain label and sample group configurations achieving an accuracy of over 94.4\%. The conclusions of this article suggest that speaker and mike production faults may be exploited for device authentication.
Authored by Kundan Pramanik, Tejal Patel
This study presents a novel method of authentication in digital environment in which each element of authentication is linked to one another. Having multiple factors to authenticate and deriving co-relations among these increases the safety and security of the device. Types of behavioral and acoustic patterns which are to be considered are GPS, accelerometer, microphone \& speaker fingerprint, lip \& tongue movement sensing and pinna shape sensing. Pattern data from different sensors is compared and cross checked. Having multiple factors to authenticate and deriving co-relations among these increases the security of device. The main advantage of multi factor behavioral authentication is that the verification is done dynamically and continuously to provide real time security. All authentication activities are carried out in the background without the user being interrupted. Furthermore, because these authentication approaches do not involve the user, the user experience is enhanced along with the security of the device.
Authored by Manu Srivastava, Ishita Naik
Research in underwater communication is rapidly becoming attractive due to its various modern applications. An efficient mechanism to secure such communication is via physical layer security. In this paper, we propose a novel physical layer authentication (PLA) mechanism in underwater acoustic communication networks where we exploit the position/location of the transmitter nodes to achieve authentication. We perform transmitter position estimation from the received signals at reference nodes deployed at fixed positions in a predefined underwater region. We use time of arrival (ToA) estimation and derive the distribution of inherent uncertainty in the estimation. Next, we perform binary hypothesis testing on the estimated position to decide whether the transmitter node is legitimate or malicious. We then provide closed-form expressions of false alarm rate and missed detection rate resulted from binary hypothesis testing. We validate our proposal via simulation results, which demonstrate errors’ behavior against the link quality, malicious node location, and receiver operating characteristic (ROC) curves. We also compare our results with the performance of previously proposed fingerprint mechanisms for PLA in underwater acoustic communication networks, for which we show a clear advantage of using the position as a fingerprint in PLA.
Authored by Waqas Aman, Saif Al-Kuwari, Marwa Qaraqe
This paper reports the commercialized large area (20×30mm2), multi-functional, thin form-factor, ultrasound fingerprint technology for under display integration in mobile devices. This technology consists of a thin piezoelectric polymer ultrasonic transceiver layer deposited on highly scalable 2D pixel array fabricated using low temperature polysilicon (LTPS) thin film transistors (TFT) circuitry on glass substrate. The technology not only delivers a high quality under display fingerprint scanner for biometric authentication, but also enables multiple value-added features including heart rate monitor, ultrasound based passive stylus, force sensor, and a contact gesture sensor. The large sensing area removes the requirement for accurate finger placement and therefore provides a better user experience for fingerprint authentication. Larger sensing area is also used for multi-finger authentication for enhanced security. Furthermore, the integrated multifunctional sensing enriches the user experience in the scenarios of gaming, education, health indicator monitoring etc.
Authored by Jessica Strohmann, Gordon Thomas, Kohei Azumi, Changting Xu, Soon Yoon, Hrishikesh Panchawagh, Jae Seo, Kostadin Djordjev, Samir Gupta
The two-factor authentication (2FA) has become pervasive as the mobile devices become prevalent. Existing 2FA solutions usually require some form of user involvement, which could severely affect user experience and bring extra burdens to users. In this work, we propose a secure 2FA that utilizes the individual acoustic fingerprint of the speaker/microphone on enrolled device as the second proof. The main idea behind our system is to use both magnitude and phase fingerprints derived from the frequency response of the enrolled device by emitting acoustic beep signals alternately from both enrolled and login devices and receiving their direct arrivals for 2FA. Given the input microphone samplings, our system designs an arrival time detection scheme to accurately identify the beginning point of the beep signal from the received signal. To achieve a robust authentication, we develop a new distance mitigation scheme to eliminate the impact of transmission distances from the sound propagation model for extracting stable fingerprint in both magnitude and phase domain. Our device authentication component then calculates a weighted correlation value between the device profile and fingerprints extracted from run-time measurements to conduct the device authentication for 2FA. Our experimental results show that our proposed system is accurate and robust to both random impersonation and Man-in-the-middle (MiM) attack across different scenarios and device models.
Authored by Yanzhi Ren, Tingyuan Yang, Zhiliang Xia, Hongbo Liu, Yingying Chen, Nan Jiang, Zhaohui Yuan, Hongwei Li
Scientific and technological advancements, particularly in IoT, have greatly enhanced the quality of life in society. Nevertheless, resource constrained IoT devices are now connected to the Internet through IPv6 and 6LoWPAN networks, which are often unreliable and untrusted. Securing these devices with robust security measures poses a significant challenge. Despite implementing encryption and authentication, these devices remain vulnerable to wireless attacks from within the 6LoWPAN network and from the Internet. Researchers have developed various methods to prevent attacks on the RPL protocol within the 6LoWPAN network. However, each method can only detect a limited number of attack types, and there are still several drawbacks that require improvement. This study aims to implement several attack prevention methods, such as Lightweight Heartbeat Protocol, SVELTE, and Contiki IDS. The study will provide an overview of these methods theories and simulate them on Contiki OS using Cooja software to assess their performance. The study s results demonstrate a correlation between the simulated data and the proposed theories. Furthermore, the study identifies and evaluates the strengths and weaknesses of these methods, highlighting areas that can be improved upon.
Authored by Tran Duc, Vo Son
IoT technology establishes a platform for automating services by connecting diverse objects through the Internet backbone. However, the integration of IoT networks also introduces security challenges, rendering IoT infrastructure susceptible to cyber-attacks. Notably, Distributed Denial of Service (DDoS) attacks breach the authorization conditions and these attacks have the potential to disrupt the physical functioning of the IoT infrastructure, leading to significant financial losses and even endangering human lives. Yet, maintaining availability even when networking elements malfunction has not received much attention. This research paper introduces a novel Twin eye Architecture, which includes dual gateway connecting every IoT access network to provide reliability even with the failure or inaccessibility of connected gateway. It includes the module called DDoS Manager that is molded into the gateway to recognize the dangling of the gateway. The effectiveness of the proposed model is evaluated using dataset simulated in NS3 environment. The results highlight the outstanding performance of the proposed model, achieving high accuracy rates. These findings demonstrate the proposed network architecture continues to provide critical authentication services even upon the failure of assigned gateway.
Authored by Manjula L, G Raju
According to the idea of zero trust, this paper proposed an anonymous identity authentication scheme based on hash functions and pseudo-random number generators, which effectively increased the anonymity and confidentiality when users use the mobile networks, and ensure the security of the server. This scheme first used single-packet authentication technology to realize the application stealth. Secondly, hash functions and pseudo-random number generators were used to replace public key cryptosystems and time synchronization systems, which improved system performance. Thirdly, different methods were set to save encrypted information on the user s mobile device and the server, which realized different forms of anonymous authentication and negotiates a secure session key. Through security analysis, function and performance comparison, the results showed that the scheme had better security, flexibility and practicality, while maintained good communication efficiency.
Authored by Rui Wang, Haiwei Li, Yanru Chen, Zheng Xue, Yan Hao, Yanfei Li
In recent days, security and privacy is becoming a challenge due to the rapid development of technology. In 2021, Khan et al. proposed an authentication and key agreement framework for smart grid network and claimed that the proposed protocol provides security against all well-known attacks. However, in this paper, we present the analysis and shows that the protocol proposed by Khan et al has failed to protect the secrecy of the shared session key between the user and service provider. An adversary can derive the session key (online) by intercepting the communicated messages under the Dolev-Yao threat model. We simulated Khan et al.’s protocol for formal security verification using Tamarin Prover and found a trace for deriving the temporary key. It is used to encrypt the login request that includes the user’s secret credentials. Hence, it also fails to preserve the privacy of the user’s credentials, and therefore any adversary can impersonate the user. As a result, the protocol proposed by Khan et al. is not suitable for practical applications.
Authored by Singam Ram, Vanga Odelu
To improve the security and reliability of remote terminals under trusted cloud platform, an identity authentication model based on DAA optimization is proposed. By introducing a trusted third-party CA, the scheme issues a cross domain DAA certificate to the trusted platform that needs cross domain authentication. Then, privacy CA isolation measures are taken to improve the security of the platform, so that the authentication scheme can be used for identity authentication when ordinary users log in to the host equipped with TPM chip. Finally, the trusted computing platform environment is established, and the performance load distribution and total performance load of each entity in the DAA protocol in the unit of machine cycle can be acquired through experimental analysis. The results show that the scheme can take into account the requirements of anonymity, time cost and cross domain authentication in the trusted cloud computing platform, and it is a useful supplement and extension to the existing theories of web service security.
Authored by Yi Liang, Youyong Chen, Xiaoqi Dong, Changchao Dong, Qingyuan Cai
Face verification is by far the most popular biometrics technology used for authentication since it is noninvasive and does not require the assistance of the user. In contrast, fingerprint and iris identification technologies require the help of a user during the identification process. Now the technology behind facial recognition has been around for years but recently as its grown more sophisticated is applications have expanded greatly. These days a third-party service provider is often hired to perform facial recognition. The sensitivity of face data raises important privacy concerns about outsourcing servers. In order to protect the privacy of users, this paper discusses privacy-preserving face recognition frameworks applied to different networks. In this survey, we focused primarily on the accuracy of face recognition, computation time, and algorithmic approaches to face recognition on edge and cloud-based networks.
Authored by Rajashree Nambiar, M. Jaiganesh, M.V. Rao
Providing security to the IoT system is very essential to protect them from various attacks. Such security features include credential management to avoid hard-coding of credentials in web applications, key management for secure inter-device communication and assignment of trust score to the devices based on various parameters. This work contains the design and implementation details of an open source simulation environment with credential management, key management and trust score calculation features. In credential management, credentials are sent to the target device which is then stored in a JSON file. Web application in the device makes use of these credentials for authentication. In key management, X.509 certificate and private key file are generated. They are used for secure message communication using a session key that is secretly exchanged between the devices. For trust score calculation, parameters are collected from the device. Feedback parameters given by other devices are also sent to the centralised server. The dynamic weighted average model is applied to the trust values derived from these parameters to get the trust score of the device. In addition to the design, the source code of our simulation environment is also made publicly available so that researchers can alter and extend its capabilities.
Authored by Srivatsan V, Vinod Pathari
To improve the security and reliability of remote terminals under trusted cloud platform, an identity authentication model based on DAA optimization is proposed. By introducing a trusted third-party CA, the scheme issues a cross domain DAA certificate to the trusted platform that needs cross domain authentication. Then, privacy CA isolation measures are taken to improve the security of the platform, so that the authentication scheme can be used for identity authentication when ordinary users log in to the host equipped with TPM chip. Finally, the trusted computing platform environment is established, and the performance load distribution and total performance load of each entity in the DAA protocol in the unit of machine cycle can be acquired through experimental analysis. The results show that the scheme can take into account the requirements of anonymity, time cost and cross domain authentication in the trusted cloud computing platform, and it is a useful supplement and extension to the existing theories of web service security.
Authored by Yi Liang, Youyong Chen, Xiaoqi Dong, Changchao Dong, Qingyuan Cai
The objective of this paper is to introduce a scheme of comprehensive-factor authentication in edge computing, focusing on a case study of time attendance in smart environments. This authentication scheme deploys all possible factors to maximize security while maintaining usability at a specific smart context. The factors used include three classic elements: something you know, something you have, and something you are, plus an additional location factor. The usability issue involves the ability to reduce time used and to minimize the human actions required throughout the authentication process. The results show that all factors should be authenticated at once in background, and a user can successfully complete the authentication process by performing one or two actions simultaneously. Since user role in a smart environment can be more complicated than roles in other smart offices, role classification at an early stage is highly recommended. The case study reveals that the same setting can require varying levels of security and usability for each user.
Authored by Chalee Vorakulpipat, Ekkachan Rattanalerdnusorn, Sasakorn Pichetjamroen
Cyber-physical Systems can be defined as a complex networked control system, which normally develop by combining several physical components with the cyber space. Cyber Physical System are already a part of our daily life. As its already being a part of everyone life, CPS also have great potential security threats and can be vulnerable to various cyber-attacks without showing any sign directly to component failure. To protect user security and privacy is a fundamental concern of any kind of system; either it’s a simple web application or supplicated professional system. Digital Multifactor authentication is one of the best ways to make secure authentication. It covers many different areas of a Cyberconnected world, including online payments, communications, access right management, etc. Most of the time, Multifactor authentication is little complex as it requires extra step from users. This paper will discuss the evolution from single authentication to Multi-Factor Authentication (MFA) starting from Single-Factor Authentication (SFA) and through Two-Factor Authentication (2FA). This paper seeks to analyze and evaluate the most prominent authentication techniques based on accuracy, cost, and feasibility of implementation. We also suggest several authentication schemes which incorporate with Multifactor authentication for CPS.
Authored by Mangal Sain, Oloviddin Normurodov, Chen Hong, Kueh Hui
Two-factor authentication (2FA) is commonly used in Internet of Things (IoT) authentication to provide multi-layer protection. Tokens, often known as One-Time Passwords (OTP), are used to offer additional information. While this technique provides flexible verification and an additional layer of security, it still has a number of security issues. This is because it relies on third-party services to produce tokens or OTPs, which leads to serious information leakage issues. Additionally, relying on a third party to provide authentication tokens significantly increases the risk of exposure and attacks, as tokens can be stolen via Man-In-The-Middle (MITM) attacks. In trying to rectify this issue, in this paper, we propose and develop a blockchain-based two-factor authentication method for web-based access to sensor data. The proposed method provides a lightweight and usercentric authentication that makes use of Ethereum blockchain and smart contracts technologies. Then we provided performance and security analysis of our system. Based on the evaluation results, our method has proven to be effective and has the ability to facilitate reliable authentication.
Authored by Mwrwan Abubakar, Zakwan Jaroucheh, Ahmed Dubai, Xiaodong Liu
Two-factor authentication (2FA) offers very important security enhancement to traditional username-password authentication, while in many cases incurring undesirable user burdens (e.g., entering a one-time verification code sent to a phone via SMS). Some zero-effort authentication techniques (e.g., Sound-Proof) have been proposed to relieve such burdens without degrading security, but are vulnerable to prediction attacks and co-existence attacks. This paper proposes ABLE, a zeroeffort 2FA approach based on co-location detection leveraging environmental Bluetooth Low Energy (BLE) signal characteristics. In this approach, a laptop on which the user tries to authenticate to a web server, and the user’s smartphone placed nearby which is trusted by the server, both collect and send a record of environmental BLE signal characteristics to the server. The server decides whether the two devices are colocated by evaluating the similarity of the two records, and makes the authentication decision. ABLE is constructed based on the fact that only two devices in close proximity share similar environmental signal characteristics, which distinguishes a legitimate user device from potential adversaries. Due to its location-sensitive nature, combining favorable features brought with the BLE protocol, ABLE is gifted with good resistance to attacks that threaten existing zero-effort authentication schemes. ABLE is not only immune to remote attackers, but also achieves an accuracy over 90\% even against co-present attackers.
Authored by Yaxi He, Wei Wang, Yajun Teng, Qiongxiao Wang, Mingyue Wang, Jingqiang Lin
The development of IoT has penetrated various sectors. The development of IoT devices continues to increase and is predicted to reach 75 billion by 2025. However, the development of IoT devices is not followed by security developments. Therefore, IoT devices can become gateways for cyber attacks, including brute force and sniffing attacks. Authentication mechanisms can be used to ward off attacks. However, the implementation of authentication mechanisms on IoT devices is challenging. IoT devices are dominated by constraint devices that have limited computing. Thus, conventional authentication mechanisms are not suitable for use. Two-factor authentication using RFID and fingerprint can be a solution in providing an authentication mechanism. Previous studies have proposed a twofactor authentication mechanism using RFID and fingerprint. However, previous research did not pay attention to message exchange security issues and did not provide mutual authentication. This research proposes a secure mutual authentication protocol using two-factor RFID and fingerprint using MQTT protocol. Two processes support the authentication process: the registration process and authentication. The proposed protocol is tested based on biometric security by measuring the false acceptance rate (FAR) and false rejection rate (FRR) on the fingerprint, measuring brute force attacks, and measuring sniffing attacks. The test results obtained the most optimal FAR and FRR at the 80\% threshold. Then the equal error rate (ERR) on FAR and FRR is around 59.5\%. Then, testing brute force and sniffing attacks found that the proposed protocol is resistant to both attacks.
Authored by Rizka Pahlevi, Vera Suryani, Hilal Nuha, Rahmat Yasirandi