YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

Lin Yao,Xiangwei Kong,Guowei Wu,Qingna Fan,Chi Lin

DOI: https://doi.org/10.1007/s11767-008-0089-5

2010-01-01

Abstract:In pervasive computing environments, users can get services anytime and anywhere, but the ubiquity and mobility of the environments bring new security challenges. The user and the service provider do not know each other in advance, they should mutually authenticate each other. The service provider prefers to authenticate the user based on his identity while the user tends to stay anonymous. Privacy and security are two important but seemingly contradictory objectives. As a result, a user prefers not to expose any sensitive information to the service provider such as his physical location, ID and so on when being authenticated. In this paper, a highly flexible mutual authentication and key establishment protocol scheme based on biometric encryption and Diffie-Hellman key exchange to secure interactions between a user and a service provider is proposed. Not only can a user’s anonymous authentication be achieved, but also the public key cryptography operations can be reduced by adopting this scheme. Different access control policies for different services are enabled by using biometric encryption technique. The correctness of the proposed authentication and key establishment protocol is formally verified based on SVO logic.

YAO Lin,FAN Qing-na,KONG Xiang-wei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2010.32.030

2010-01-01

Abstract:Pervasive computing raises new challenges to the security and privacy of the Internet communication,and conventional authentication protocols cannot meet the requirements of this new pervasive environment.A novel mutual authentication and key establishment scheme to secure the interactions between mobile users and service providers is proposed.Highly integrating biometric encryption and the Diffie-Hellman key exchange,the proposed protocol achieves mutual authentication without revealing any privacy information of the user.Secure session key establishment is enabled by the proposed algorithm.Differentiated service access control is also achieved with the biometric encryption.It is shown that the protocol can resist most of the attacks,especially the denial of service attack.

Muhammad Bilal,Can Wang,Zhi Yu,Abid Bashir

DOI: https://doi.org/10.1109/icsess49938.2020.9237635

2020-01-01

Abstract:Identity management (IdM) plays a significant role in managing user identities (IDs). However, IdM is challenging to handle the rapidly rising numerous kinds of Web-based applications nowadays. The OpenID 2.0 communication protocol is an improved solution for managing a user's IDs based on the OpenID URL identity. OpenID URL identity is not very much secure in specific Web-based attacks; for instance, session hijacking and phishing attacks often occur. The earlier OpenID-based methods secure OpenID URL identity with single, double, and triple authentication schemes. But Identity Provider (IdP) side is still not secure in Web attacks: if an attacker steals the IdP-side legal user information, then existing OpenID-based security techniques are unreliable. The anticipated OpenID Reverse Authentication Authorizing and Accounting (RAAA) user authentication-based protocol secured OpenID URL identity by providing two beneficial fields Secret Alphanumeric String (SAS) and Special Innovative PIN (SIP) that utilize in testing website both sides in reverse and cost-effective way. In this experiment, IdP and Relying Party (RP), both sides are being used secretly. Therefore, experimental websites also test to check the proposed triple authentication protocol. In this paper, we have compared our RAAA user authentication protocol with already available SSO protocol methods. The tested websites and comparative results represent that the anticipated design protocol is very much secure and reliable solution. The advanced cryptographic Single-Sign-On (SSO) secure protocol reduces the higher-level session hijacking and phishing attacks risk in an OpenID-based environment. We suggest future SSO protocol methods will be needed more in terms of the authorized user's identity authentication in Web-based applications.

Yinzhi Cao,Yan Shoshitaishvili,Kevin Borgolte,Christopher Kruegel,Giovanni Vigna,Yan Chen

2014-01-01

Abstract:Author(s): Cao, Yinzhi; Shoshitaishvili, Yan; Borgolte, Kevin; Kruegel, Christopher; Vigna, Giovanni; Chen, Yan | Abstract: Web-based single sign-on describes a class of protocols where a user signs into a web site with the authentication provided as a service by a third party. In exchange for the increased complexity of the authentication procedure, SSO makes it convenient for users to authenticate themselves to many different web sites (relying parties), using just a single account at an identity provider such as Facebook or Google.Single sign-on (SSO) protocols, however, are not immune to vulnerabilities. Recent research introduced several attacks against existing SSO protocols, and further work showed that these problems are prevalent: 6.5% of the investigated relying parties were vulnerable to impersonation attacks, which can lead to account compromises and privacy breaches. Prior work used formal verification methods to identify vulnerabilities in SSO protocols or leveraged invariances of SSO interaction traces to identify logic flaws. No prior work, however, systematically studied the actual root cause of impersonation attacks against the relying party.In this paper, we systematically examine existing SSO protocols and determine the root cause of the aforementioned vulnerabilities: the design of the communication channel between the relying party and the identity provider, which, depending on the protocol and implementation, suffers from being a one-way communication protocol, or from a lack of authentication. We (a) systematically study the weakness responsible for the vulnerabilities in existing protocols that allow impersonation attacks against the relying party, (b) introduce a dedicated, authenticated, bi-directional, secure channel that does not suffer from those shortcomings, (c) formally verify the authentication property of this channel using a well-known cryptographic protocol verifier (ProVerif), and (d) evaluate the practicality of a prototype implementation of our protocol.Ultimately, to support a smooth and painless transition from existing SSO protocols, we introduce a proxy setup in which our channel can be used to secure existing SSO protocols from impersonation attacks. Furthermore, to demonstrate the flexibility of our approach, we design two different SSO protocols: an OAuth-like and an OpenID-like protocol.

Yinzhi Cao,Yan Shoshitaishvili,Kevin Borgolte,Christopher Krügel,Giovanni Vigna,Yan Chen

DOI: https://doi.org/10.1007/978-3-319-11379-1_14

2014-01-01

Abstract:Web-based single sign-on describes a class of protocols where a user signs into a web site with the authentication provided as a service by a third party. In exchange for the increased complexity of the authentication procedure, SSO makes it convenient for users to authenticate themselves to many different web sites (relying parties), using just a single account at an identity provider such as Facebook or Google.

Ge Gao,Yuan Zhang,Yaqing Song,Shiyu Li

DOI: https://doi.org/10.1109/tifs.2024.3392533

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Single-sign-on (SSO) authentication employs an identity provider (IdP) to provide users with an efficient way to authenticate themselves with different service providers and has been widely applied in digital systems. However, existing SSO authentication schemes suffer from critical issues in terms of security and privacy. Regarding security, most SSO authentication schemes achieve a high convenience at the expense of security and are thereby susceptible to various attacks. Regarding privacy, most existing schemes fail to protect users' subscription pattern and access pattern against adversaries who can easily extract users' sensitive information from their authentications and launch subsequent attacks for profits. In this paper, we develop a practical SSO authentication system, dubbed PrivSSO, with the protection of users' subscription pattern and access pattern. To balance the trade-off between security and convenience, the key technique is a secure "hybrid" key-based authentication mechanism: a long-term key stored in a well-guarded hardware token serves as the "primary" authentication factor (AF) to guarantee strong security; an ephemeral key bound with portable device(s) serves as the "daily-used" AF to achieve high convenience. To protect the subscription pattern and access pattern from leakage, we propose a redactable token generation mechanism, where the users themselves specify what IdP and the service providers can learn from their authentications. We formally define and prove the security of PrivSSO. We also implement a PrivSSO prototype and conduct a comprehensive performance evaluation to demonstrate its practicality.

Di Wu,Yabo Dong,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11563952_52

2005-01-01

Abstract:The fast development of E-Commerce and information technology brings much higher requirements for enterprise informationization. Because of the differences in platforms, development languages and standards etc, enterprise application integration (EAI) has become the important form of enterprise informationization to support complex business processes. Web services have emerged as the next generation of integration technology which provides the power to support interoperability. However EAI doesn’t just present new interoperability challenges; it also presents serious privacy and security challenges. This paper presents security architecture of Web Services based EAI which uses distributed Single Sign On authentication and distributed Role-based Access Control authorization. The basic concept and prototype system of the security architecture are described in detail.

Stephen S. Yau,Yisheng Yao

2006-01-01

Abstract:A major advantage of the emerging service-oriented computing technology is its ability to enable rapid formation of large-scale distributed systems by composing massively available services to achieve the system goals, regardless of the programming languages and platforms used to develop and run these services. For these systems which often involve interactions among multiple organizations over various networks, how to manage and enforce security policies is the prime concern in assuring that only authorized users or systems have the access to massively available services. However, with the increasing scalability and flexibility required by the dynamic service-oriented computing environments, manage and enforce security policies in such systems is a very challenging task. Existing research efforts have not sufficiently addressed this challenging task for enabling systematic security policy management and enforcement in service-oriented systems. In this dissertation research, a framework based on formal foundations is developed for dynamically, yet systematically, managing and enforcing security policies in service-oriented systems. This framework includes a security policy meta-model and a runtime security policy execution model for security decision making and enforcement. The security policy meta-model will be used to provide unambiguous security policy specifications and to facilitate sound and complete security policy reasoning, such as consistency checking, redundancy analysis, security policy specification composition, and automated security service synthesis from declarative security policy specifications. Analysis of expressiveness of this security policy meta-model is also provided in this dissertation. The runtime security policy execution model is developed for enforcing the security policies with provable correctness. This framework will also include tools for generating and deploying security services to compute and enforce security decisions based on security policies, credentials and situational information. With this framework, various parties of large-scale service-oriented systems can easily manage and enforce security policies to meet their security requirements under various situations. Examples are provided to show the effectiveness of the framework.

Aslan Askarov,Andrew Myers

DOI: https://doi.org/10.2168/LMCS-7%283%3A17%292011

2011-09-23

Abstract:Language-based information flow methods offer a principled way to enforce strong security properties, but enforcing noninterference is too inflexible for realistic applications. Security-typed languages have therefore introduced declassification mechanisms for relaxing confidentiality policies, and endorsement mechanisms for relaxing integrity policies. However, a continuing challenge has been to define what security is guaranteed when such mechanisms are used. This paper presents a new semantic framework for expressing security policies for declassification and endorsement in a language-based setting. The key insight is that security can be characterized in terms of the influence that declassification and endorsement allow to the attacker. The new framework introduces two notions of security to describe the influence of the attacker. Attacker control defines what the attacker is able to learn from observable effects of this code; attacker impact captures the attacker's influence on trusted locations. This approach yields novel security conditions for checked endorsements and robust integrity. The framework is flexible enough to recover and to improve on the previously introduced notions of robustness and qualified robustness. Further, the new security conditions can be soundly enforced by a security type system. The applicability and enforcement of the new policies is illustrated through various examples, including data sanitization and authentication.

Programming Languages,Cryptography and Security

Zheng Yang,Chao Yin,Chenglu Jin,Jianting Ning,Jianying Zhou

DOI: https://doi.org/10.1145/3457339.3457984

2021-01-01

Abstract:Delegated authentication is a very popular and effective paradigm to deal with entity authentication problems for resource-constrained clients in cyber-physical systems; namely, the authentication between two clients is proxied by a trusted authentication server. However, an attacker may compromise the authentication server to impersonate the clients for sabotaging the cyber-physical systems. To detect the identity fraud attacks caused by an authentication server compromise, we propose two mutual authentication protocols by using a pseudo-random function family and a one-time signature (OTS) scheme. Our idea is to leverage the continuously evolving OTS signing and verifying keys at the signer and the verifier sides respectively for identity fraud detection because an identity fraud attack would violate the victim's honest OTS key update procedure. The proposed protocols are proven secure under a new mutual authentication security model that formulates the identity fraud detection.

Muhammad Rizwan Asghar,Mihaela Ion,Giovanni Russello,Bruno Crispo

DOI: https://doi.org/10.48550/arXiv.1306.4828

2013-06-20

Abstract:The enforcement of security policies in outsourced environments is still an open challenge for policy-based systems. On the one hand, taking the appropriate security decision requires access to the policies. However, if such access is allowed in an untrusted environment then confidential information might be leaked by the policies. Current solutions are based on cryptographic operations that embed security policies with the security mechanism. Therefore, the enforcement of such policies is performed by allowing the authorised parties to access the appropriate keys. We believe that such solutions are far too rigid because they strictly intertwine authorisation policies with the enforcing mechanism. In this paper, we want to address the issue of enforcing security policies in an untrusted environment while protecting the policy confidentiality. Our solution ESPOON is aiming at providing a clear separation between security policies and the enforcement mechanism. However, the enforcement mechanism should learn as less as possible about both the policies and the requester attributes.

Cryptography and Security

Vanesa Daza,Matteo Signorini

DOI: https://doi.org/10.1007/978-3-319-09885-2_19

2014-08-22

Abstract:Market analysis predicts that in a few years, companies, universities, government agencies as well as common people in they daily life will increasingly adopt mobile computing systems thus increasingly enjoying the benefits of online, Internet-based services. However, such scenario will also expose user data privacy to severe attacks. This situation has led to the development of authentication approaches aimed at preventing unauthorized access to user data. Many different authentication approaches have been proposed over the last years, starting from basic password to more complex biometric solutions but all of them have proven to suffer from the same weaknesses. This issue drove us to design a solution based upon hardware intrinsic security features and aimed at guaranteeing a high level of data privacy while providing a user friendly authentication process. Our solution shows advanced features of data privacy policies definition making it a good candidate for the construction of future data privacy policies.

Manika Garg,Anita Goel

DOI: https://doi.org/10.1007/s10207-024-00931-y

2024-10-30

International Journal of Information Security

Abstract:The security of online assessments is a major concern due to widespread cheating. One common form of cheating is impersonation, where students invite unauthorized persons to take assessments on their behalf. Several techniques exist to handle impersonation. Some researchers recommend use of integrity policy, but communicating the policy effectively to the students is a challenge. Others propose authentication methods like, password and fingerprint; they offer initial authentication but are vulnerable thereafter. Face recognition offers post-login authentication but necessitates additional hardware. Keystroke Dynamics (KD) has been used to provide post-login authentication without any additional hardware, but its use is limited to subjective assessment.

computer science, information systems, theory & methods, software engineering

Marius Schlegel

DOI: https://doi.org/10.48550/arXiv.2105.01970

2021-05-05

Abstract:While there have been approaches for integrating security policies into operating systems (OSs) for more than two decades, applications often use objects of higher abstraction requiring individual security policies with application-specific semantics. Due to insufficient OS support, current approaches for enforcing application-level policies typically lead to large and complex trusted computing bases rendering tamperproofness and correctness difficult to achieve. To mitigate this problem, we propose the application-level policy enforcement architecture AppSPEAR and a C++ framework for its implementation. The configurable framework enables developers to balance enforcement rigor and costs imposed by different implementation alternatives and thus to easily tailor an AppSPEAR implementation to individual application requirements. We especially argue that hardware-based trusted execution environments offer an optimal balance between effectiveness and efficiency of policy protection and enforcement. This claim is substantiated by a practical evaluation based on an electronic medical record system.

Cryptography and Security

Faisal Fiaz,Syed Muhammad Sajjad,Zafar Iqbal,Muhammad Yousaf,Zia Muhammad

DOI: https://doi.org/10.3390/fi16050176

2024-05-19

Future Internet

Abstract:The Metaverse brings together components of parallel processing computing platforms, the digital development of physical systems, cutting-edge machine learning, and virtual identity to uncover a fully digitalized environment with equal properties to the real world. It possesses more rigorous requirements for connection, including safe access and data privacy, which are necessary with the advent of Metaverse technology. Traditional, centralized, and network-centered solutions fail to provide a resilient identity management solution. There are multifaceted security and privacy issues that hinder the secure adoption of this game-changing technology in contemporary cyberspace. Moreover, there is a need to dedicate efforts towards a secure-by-design Metaverse that protects the confidentiality, integrity, and privacy of the personally identifiable information (PII) of users. In this research paper, we propose a logical substitute for established centralized identity management systems in compliance with the complexity of the Metaverse. This research proposes a sustainable Self-Sovereign Identity (SSI), a fully decentralized identity management system to mitigate PII leaks and corresponding cyber threats on all multiverse platforms. The principle of the proposed framework ensures that the users are the only custodians and proprietors of their own identities. In addition, this article provides a comprehensive approach to the implementation of the SSI principles to increase interoperability and trustworthiness in the Metaverse. Finally, the proposed framework is validated using mathematical modeling and proved to be stringent and resilient against modern-day cyber attacks targeting Metaverse platforms.

Fagen Li,Jiaojiao Hong,Anyembe Andrew Omala

DOI: https://doi.org/10.1007/s11276-016-1317-9

IF: 2.701

2016-01-01

Wireless Networks

Abstract:Pervasive computing environments allow users to get services anytime and anywhere. Security has become a great challenge in pervasive computing environments because of its heterogeneity, openness, mobility and dynamicity. In this paper, we propose two heterogeneous deniable authentication protocols for pervasive computing environments using bilinear pairings. The first protocol allows a sender in a public key infrastructure (PKI) environment to send a message to a receiver in an identity-based cryptography (IBC) environment. The second protocol allows a sender in the IBC environment to send a message to a receiver in the PKI environment. Our protocols admits formal security proof in the random oracle model under the bilinear Diffie–Hellman assumption. In addition, our protocols support batch verification that can speed up the verification of authenticators. The characteristic makes our protocols useful in pervasive computing environments.

Jesus Diaz,David Arroyo,Francisco B. Rodriguez

DOI: https://doi.org/10.48550/arXiv.1201.1134

2012-09-06

Abstract:In this work we present and formally analyze CHAT-SRP (CHAos based Tickets-Secure Registration Protocol), a protocol to provide interactive and collaborative platforms with a cryptographically robust solution to classical security issues. Namely, we focus on the secrecy and authenticity properties while keeping a high usability. In this sense, users are forced to blindly trust the system administrators and developers. Moreover, as far as we know, the use of formal methodologies for the verification of security properties of communication protocols isn't yet a common practice. We propose here a methodology to fill this gap, i.e., to analyse both the security of the proposed protocol and the pertinence of the underlying premises. In this concern, we propose the definition and formal evaluation of a protocol for the distribution of digital identities. Once distributed, these identities can be used to verify integrity and source of information. We base our security analysis on tools for automatic verification of security protocols widely accepted by the scientific community, and on the principles they are based upon. In addition, it is assumed perfect cryptographic primitives in order to focus the analysis on the exchange of protocol messages. The main property of our protocol is the incorporation of tickets, created using digests of chaos based nonces (numbers used only once) and users' personal data. Combined with a multichannel authentication scheme with some previous knowledge, these tickets provide security during the whole protocol by univocally linking each registering user with a single request. [..]

Cryptography and Security

Hao Zeng,Dianfu Ma,Yongwang Zhao,Zhuqing Li

DOI: https://doi.org/10.1109/ISCC.2013.6754982

2013-01-01

Abstract:With the rapid development of the Internet, web service technology has been extensively used in distributed applications and is highly likely to replace other various technologies for the distributed application development. However, concerning most hard issues of the web services authentication, no proper solutions have been discovered and available for use now. Due to its dynamic and cross-domain characteristics, web services authentication is confronted with new challenges and difficulties. Each service or autonomous domain may have their separate authentication technologies and identity token types. Meanwhile, the same services may adopt different authentication technologies in terms of different application scenarios. Therefore, the difficult question arises as how to design an integrated and flexible architecture to enhance trust in web services. According to our findings, presented in this paper is a policy-based architecture for web services authentication termed PBA4WSA. Compared with the other architectures, the PBA4WSA can better satisfy the characteristics of web services.