TL;DR: This letter presents a two-factor user authentication protocol for WSN, which provides strong authentication, session key establishment, and achieves efficiency.
Abstract: Wireless sensor networks (WSN) are typically deployed in an unattended environment, where the legitimate users can login to the network and access data as and when demanded. Consequently, user authentication is a primary concern in this resource-constrained environment before accessing data from the sensor/gateway nodes. In this letter, we present a two-factor user authentication protocol for WSN, which provides strong authentication, session key establishment, and achieves efficiency.
TL;DR: An overview of the potential of free space optical technology in information security, encryption, and authentication is presented and optical authentication techniques applied to ID tags with visible and near infrared imaging are reviewed.
Abstract: This paper presents an overview of the potential of free space optical technology in information security, encryption, and authentication. Optical waveforms possess many degrees of freedom such as amplitude, phase, polarization, spectral content, and multiplexing which can be combined in different ways to make the information encoding more secure. This paper reviews optical techniques for encryption and security of two-dimensional and three-dimensional data. Interferometric methods are used to record and retrieve data by either optical or digital holography for security applications. Digital holograms are widely used in recording and processing three dimensional data, and are attractive for securing three dimensional data. Also, we review optical authentication techniques applied to ID tags with visible and near infrared imaging. A variety of images and signatures, including biometrics, random codes, and primary images can be combined in an optical ID tag for security and authentication.
TL;DR: In this article, a communication device performs communication by employing first and second communication units and includes a reception unit for receiving, through the first communication unit, a communication packet including a random number generated for every connection with another communication device, a certificate calculated with the random number, and authentication method information indicating whether or not an authentication method at the second communication unit is compatible with the public key system.
Abstract: A communication device for performing communication by employing first and second communication units, includes: a reception unit for receiving a communication packet including a random number generated for every connection with another communication device, a certificate calculated with the random number, and authentication method information indicating whether or not an authentication method at the second communication unit is compatible with the public key system, through the first communication unit; and a method determining unit for determining whether or not an originator of the communication packet accepts public key encryption based on the authentication method information included in the communication packet; wherein in a case of the method determining unit determining that the originator of the communication packet does not accept the public key system, the random number included in the communication packet is replied to the originator as the identification information of the device itself.
TL;DR: Through simulation testing, it is shown that the authentication protocol is more lightweight and efficient than SAP, especially on the more lightweight user side, which is very suited to the massive-scale cloud.
Abstract: Cloud computing is a recently developed new technology for complex systems with massive-scale services sharing among numerous users. Therefore, authentication of both users and services is a significant issue for the trust and security of the cloud computing. SSL Authentication Protocol (SAP), once applied in cloud computing, will become so complicated that users will undergo a heavily loaded point both in computation and communication. This paper, based on the identity-based hierarchical model for cloud computing (IBHMCC) and its corresponding encryption and signature schemes, presented a new identity-based authentication protocol for cloud computing and services. Through simulation testing, it is shown that the authentication protocol is more lightweight and efficient than SAP, especially on the more lightweight user side. Such merit of our model with great scalability is very suited to the massive-scale cloud.
TL;DR: An enhanced password authentication scheme which still keeps the merits of the original scheme was presented and security analysis proved that the improved scheme is more secure and practical.
TL;DR: This work proposes a VANET key management scheme based on Temporary Anonymous Certified Keys (TACKs), which efficiently prevents eavesdroppers from linking a vehicle's different keys and provides timely revocation of misbehaving participants while maintaining the same or less overhead for vehicle-to-vehicle communication as the current IEEE 1609.2 standard.
Abstract: Vehicular Ad Hoc Networks (VANETs) require a mechanism to help authenticate messages, identify valid vehicles, and remove malevolent vehicles. A Public Key Infrastructure (PKI) can provide this functionality using certificates and fixed public keys. However, fixed keys allow an eavesdropper to associate a key with a vehicle and a location, violating drivers' privacy. In this work we propose a VANET key management scheme based on Temporary Anonymous Certified Keys (TACKs). Our scheme efficiently prevents eavesdroppers from linking a vehicle's different keys and provides timely revocation of misbehaving participants while maintaining the same or less overhead for vehicle-to-vehicle communication as the current IEEE 1609.2 standard for VANET security.
TL;DR: In this article, the authors proposed a new dynamic accumulator scheme based on bilinear maps and showed how to apply it to the problem of revocation of anonymous credentials; in the resulting scheme, proving a credential's validity and updating witnesses both come at (virtually) no cost for credential owners and verifiers.
Abstract: The success of electronic authentication systems, be it e-ID card systems or Internet authentication systems such as CardSpace, highly depends on the provided level of user-privacy. Thereby, an important requirement is an efficient means for revocation of the authentication credentials. In this paper we consider the problem of revocation for certificate-based privacy-protecting authentication systems. To date, the most efficient solutions for revocation for such systems are based on cryptographic accumulators. Here, an accumulate of all currently valid certificates is published regularly and each user holds a witness enabling her to prove the validity of her (anonymous) credential while retaining anonymity. Unfortunately, the users' witnesses must be updated at least each time a credential is revoked. For the known solutions, these updates are computationally very expensive for users and/or certificate issuers which is very problematic as revocation is a frequent event as practice shows.
In this paper, we propose a new dynamic accumulator scheme based on bilinear maps and show how to apply it to the problem of revocation of anonymous credentials. In the resulting scheme, proving a credential's validity and updating witnesses both come at (virtually) no cost for credential owners and verifiers. In particular, updating a witness requires the issuer to do only one multiplication per addition or revocation of a credential and can also be delegated to untrusted entities from which a user could just retrieve the updated witness. We believe that thereby we provide the first authentication system offering privacy protection suitable for implementation with electronic tokens such as eID cards or drivers' licenses.
TL;DR: In this paper, a forward secure sequential aggregate (FssAgg) authentication scheme is proposed for secure logging without relying on online trusted third parties or secure hardware, which is based on the concept of immutability.
Abstract: The need for secure logging is well-understood by the security professionals, including both researchers and practitioners. The ability to efficiently verify all (or some) log entries is important to any application employing secure logging techniques. In this article, we begin by examining the state of the art in secure logging and identify some problems inherent to systems based on trusted third-party servers. We then propose a different approach to secure logging based upon recently developed Forward-Secure Sequential Aggregate (FssAgg) authentication techniques. Our approach offers both space-efficiency and provable security. We illustrate two concrete schemes—one private-verifiable and one public-verifiable—that offer practical secure logging without any reliance on online trusted third parties or secure hardware. We also investigate the concept of immutability in the context of forward-secure sequential aggregate authentication to provide finer grained verification. Finally we evaluate proposed schemes and report on our experience with implementing them within a secure logging system.
TL;DR: This paper describes a provenance-aware system prototype that implements provenance tracking of data writes at the application layer, which makes it extremely easy to deploy and presents empirical results that show the run-time overhead of the approach to recording provenance with confidentiality and integrity guarantees ranges from 1%-13%.
Abstract: As increasing amounts of valuable information are produced and persist digitally, the ability to determine the origin of data becomes important. In science, medicine, commerce, and government, data provenance tracking is essential for rights protection, regulatory compliance, management of intelligence and medical data, and authentication of information as it flows through workplace tasks. In this paper, we show how to provide strong integrity and confidentiality assurances for data provenance information. We describe our provenance-aware system prototype that implements provenance tracking of data writes at the application layer, which makes it extremely easy to deploy. We present empirical results that show that, for typical real-life workloads, the run-time overhead of our approach to recording provenance with confidentiality and integrity guarantees ranges from 1%-13%.
TL;DR: In this article, a method and apparatus for wireless authentication, secure automatic access to application and to systems and for providing an alarm to users upon detecting that a monitored device is not within a desired proximity using a BLUETOOTH apparatus are described.
Abstract: A method and apparatus for wireless authentication, secure automatic access to application and to systems and for providing an alarm to users upon detecting that a monitored device is not within a desired proximity using a BLUETOOTH apparatus are described.
TL;DR: In this article, a system, method and apparatus for managing access across a plurality of applications is disclosed, which includes a user store connector configured to connect to one or more user stores to retrieve attributes; an authentication connector configured to communicate with at least one authentication subsystem to authenticate a user; and a policy engine configured to evaluate access policies, if any, which are defined for protection of resources, to determine whether or not the user should be granted access to the resources.
Abstract: A system, method and apparatus for managing access across a plurality of applications is disclosed. The system may include a user store connector configured to connect to one or more user stores to retrieve attributes; an authentication connector configured to communicate with at least one authentication subsystem to authenticate a user; a policy engine configured to retrieve attributes from the user store connector corresponding to a user and use the attributes to evaluate access policies, if any, which are defined for protection of resources, to determine whether or not the user should be granted access to the resources; an admin component that is configured to enable the access policies to be defined relative to attributes and the resources; and a policy store configured to store the access policies.
TL;DR: In this article, an end user computer is assigned a multicast content distribution group by a network service intelligence platform, and the credentials include an authorization key as well as identifications of the user and the requested content.
Abstract: An end user computer is assigned a multicast content distribution group by a network service intelligence platform. The network service intelligence platform authenticates a token sent by the user and signed by a third party content controller, and provides the user with credentials for joining the group. The credentials include an authorization key as well as identifications of the user and the requested content. The credentials are encrypted and authenticated by the third party content controller. The user includes the encrypted and authenticated credentials in a join request sent to a network resource, such as an edge router. After verifying the credentials, the network resource adds the end user computer to the multicast group.
TL;DR: In this article, a method for establishing a link key between correspondents in a public key cryptographic scheme, one of the correspondents being an authenticating device and the other being an authenticated device, is presented.
Abstract: A method for establishing a link key between correspondents in a public key cryptographic scheme, one of the correspondents being an authenticating device and the other being an authenticated device. The method also provides a means for mutual authentication of the devices. The authenticating device may be a personalized device, such as a mobile phone, and the authenticated device may be a headset. The method for establishing the link key includes the step of introducing the first correspondent and the second correspondent within a predetermined distance, establishing a key agreement and implementing a challenge-response routine for authentication. Advantageously, man-in-the-middle attacks are minimized.
TL;DR: In this paper, the authors evaluate existing frame navigation policies and advocate a stricter policy, which is deployed in the open-source browsers, and propose improvements in the postMessage API to provide confidentiality.
Abstract: Many Web sites embed third-party content in frames, relying on the browser's security policy to protect against malicious content. However, frames provide insufficient isolation in browsers that let framed content navigate other frames. We evaluate existing frame navigation policies and advocate a stricter policy, which we deploy in the open-source browsers. In addition to preventing undesirable interactions, the browser's strict isolation policy also affects communication between cooperating frames. We therefore analyze two techniques for interframe communication between isolated frames. The first method, fragment identifier messaging, initially provides confidentiality without authentication, which we repair using concepts from a well-known network protocol. The second method, postMessage, initially provides authentication, but we discover an attack that breaches confidentiality. We propose improvements in the postMessage API to provide confidentiality; our proposal has been standardized and adopted in browser implementations.
TL;DR: In this paper, the authors combine device credential verification with user credential verification to provide a more robust authentication mechanism that is convenient to the user and effective across enterprise boundaries, where the level of privilege granted by the target account network resource can vary depending on the number and type of factors verified by the account authority service.
Abstract: An authentication system combines device credential verification with user credential verification to provide a more robust authentication mechanism that is convenient to the user and effective across enterprise boundaries. In one implementation, user credential verification and device credential verification are combined to provide a convenient two-factor authentication. In this manner, an account authority service or other authentication provider verifies both factors and provides a security token in accordance with the security policy of the account network resource the user is intending to access. The level of privilege granted by the target account network resource can vary depending on the number and type of factors verified by the account authority service.
TL;DR: In this article, a client device comprises a first secure element holding a payment application with instructions for causing the client device to initiate a financial transaction, and a second secure element that generates a secure payment information message, which comprises the payment instrument and is encrypted in accordance with the security key.
Abstract: A client device comprises a first secure element and a second secure element. The first secure element comprises a first computer-readable medium having a payment application comprising instructions for causing the client device to initiate a financial transaction. The second secure element comprises a second computer-readable medium having a security key, a payment instrument, stored authentication data and instructions for generating a secure payment information message responsive to the payment application. The secure payment information message comprises the payment instrument and is encrypted in accordance with the security key.
TL;DR: In this article, once a third-party website has registered, a multi-factor authentication service can enable the third-party website to utilize the service (e.g., switch the service on, or send an authorization key to the third-party website).
Abstract: End users of a multi-factor authentication service can utilize an account management service, and third-party websites can register to utilize the multi-factor authentication service. Registering a third-party website can comprise the multi-factor authentication service receiving a valid digital identity certificate for the third-party website, and receiving an agreement to terms of use of the multi-factor authentication service for the third-party website. Once received, the multi-factor authentication service can enable the third-party website to utilize the service (e.g., switch the service on, or send an authorization key to the third-party website). Further, registering a user to the multi-factor authentication service can comprise determining availability of service, and providing a location-specific access code. Additionally, registering the user can comprise registering the user's mobile device, for example, to provide multi-factor authentication. Also, an Internet-based user account management user interface can be provided that allows a user to view transactions on their account, and an ability to shut off a designated mobile device's ability to authenticate.
TL;DR: In this article, a multi-step authentication process is presented for dynamic authentication of a user requesting access to a system via a mobile device, where the account holder tailors a set of customized security challenges and responses.
Abstract: Providing dynamic authentication of a user requesting access to a system via a mobile device is disclosed. An account holder tailors a set of customized security challenges and responses. When a request for account authentication is received from a mobile device, the system conducts a multi-step user authentication process that includes dynamically selecting and prompting the user with the custom security challenges.
TL;DR: A secure version of the Modbus SCADA protocol that incorporates integrity, authentication, non-repudiation and anti-replay mechanisms is described and experimental results indicate that the augmented protocol provides good security functionality without significant overhead.
Abstract: The interconnectivity of modern and legacy supervisory control and data acquisition (SCADA) systems with corporate networks and the Internet has significantly increased the threats to critical infrastructure assets. Meanwhile, traditional IT security solutions such as firewalls, intrusion detection systems and antivirus software are relatively ineffective against attacks that specifically target vulnerabilities in SCADA protocols. This paper describes a secure version of the Modbus SCADA protocol that incorporates integrity, authentication, non-repudiation and anti-replay mechanisms. Experimental results using a power plant testbed indicate that the augmented protocol provides good security functionality without significant overhead.
TL;DR: Sprov, a provenance-aware system prototype that implements provenance tracking of data writes at the application layer, is described, which makes Sprov extremely easy to deploy and empirical results show that, for real-life workloads, the runtime overhead of Sprov for recording provenance with confidentiality and integrity guarantees ranges from 1% to 13%.
Abstract: As increasing amounts of valuable information are produced and persist digitally, the ability to determine the origin of data becomes important. In science, medicine, commerce, and government, data provenance tracking is essential for rights protection, regulatory compliance, management of intelligence and medical data, and authentication of information as it flows through workplace tasks. While significant research has been conducted in this area, the associated security and privacy issues have not been explored, leaving provenance information vulnerable to illicit alteration as it passes through untrusted environments. In this article, we show how to provide strong integrity and confidentiality assurances for data provenance information at the kernel, file system, or application layer. We describe Sprov, our provenance-aware system prototype that implements provenance tracking of data writes at the application layer, which makes Sprov extremely easy to deploy. We present empirical results that show that, for real-life workloads, the runtime overhead of Sprov for recording provenance with confidentiality and integrity guarantees ranges from 1% to 13%, when all file modifications are recorded, and from 12% to 16%, when all file read and modifications are tracked.
TL;DR: Different evaluations on technical aspects, usability, security and memorability show that EyePassShapes can significantly increase security while being easy to use and fast at the same time.
Abstract: Authentication systems for public terminals and thus public spaces have to be fast, easy and secure. Security is of utmost importance since the public setting allows manifold attacks from simple shoulder surfing to advanced manipulations of the terminals. In this work, we present EyePassShapes, an eye tracking authentication method that has been designed to meet these requirements. Instead of using standard eye tracking input methods that require precise and expensive eye trackers, EyePassShapes uses eye gestures. This input method works well with data about the relative eye movement, which is much easier to detect than the precise position of the user's gaze and works with cheaper hardware. Different evaluations on technical aspects, usability, security and memorability show that EyePassShapes can significantly increase security while being easy to use and fast at the same time.
TL;DR: It is found that a KDA system can be effective for mobile devices in terms of authentication accuracy and use of artificial rhythms leads to even better authentication performance.
TL;DR: In this paper, the authentication methods employ a combination of security features and communication channels, such as a unique knowledge of the person being authenticated, a unique thing that the person has, unique personal features and attributes of the person, the ability of a person to respond, and to do so in a fashion that a machine cannot, and so forth.
Abstract: Systems and methods for authenticating electronic transactions are provided. The authentication methods employ a combination of security features and communication channels. These security features can be based, for example, on unique knowledge of the person being authenticated, a unique thing that the person has, unique personal features and attributes of the person, the ability of the person to respond, and to do so in a fashion that a machine cannot, and so forth. Methods for enrolling the person prior to authentication are also provided, as well as systems for enrollment and authentication.
TL;DR: In this paper, an out-of-band authentication data is provided in response to a message sent to a user's mobile phone, where the message is generated by entering the phone number into a form that is provided when the user engages in an electronic payment transaction using a desktop computer.
Abstract: Systems, apparatuses, and methods for increasing the security of electronic payment transactions, such as eCommerce transactions conducted over the Internet. A transaction approval or authorization mechanism uses an out of band process to provide authentication or identification data that has previously been registered by a user and associated with the user's payment device or account. The out of band authentication data may be provided in response to a message sent to a user's mobile phone, where the message is generated in response to entering the user's phone number into a form that is provided when the user engages in an electronic payment transaction using a desktop computer. The data may include a digital signature and associated digital certificate that is used to authenticate the user.
TL;DR: A mobile electronic security device may include a biometric sensor to measure a physical characteristic of a user, an interface component to operatively couple the electronic security device with another device, and a control circuit that are assembled as a single portable unit.
Abstract: A mobile electronic security device may include a biometric sensor to measure a physical characteristic of a user, an interface component to operatively couple the electronic security device with another device, and a control circuit that are assembled as a single portable unit. Other components, such as a battery, a display, and a memory may be included in the security device. The security device authenticates the identity of a user using output data from the biometric sensor and, in some embodiments, using data from an environmental sensor. Once validated, an encrypted authentication certificate may be output to another device. The security device provides a trusted platform that enables a user to verify his or her identity, show proof of presence of the user, control access to data, etc., and may operate in a standalone manner and/or in conjunction with another device.
TL;DR: Theoretical analysis and simulation results demonstrate the validity and practicality of the BAT scheme, which can effectively eliminate the performance bottleneck when verifying a mass of signatures within a rigorously required interval, even under adverse scenarios with bogus messages.
Abstract: In this paper, we propose a robust and efficient signature scheme for vehicle-to-infrastructure communications, called binary authentication tree (BAT). The BAT scheme can effectively eliminate the performance bottleneck when verifying a mass of signatures within a rigorously required interval, even under adverse scenarios with bogus messages. Given any n received messages with k ≥ 1 bogus ones, the computation cost to verify all these messages only requires approximately (k + 1) · log(n/k) + 4k - 2 time-consuming pairing operations. The BAT scheme can also be gracefully transplanted to other similar batch signature schemes. In addition, it offers the other conventional security for vehicular networks, such as identity privacy and traceability. Theoretical analysis and simulation results demonstrate the validity and practicality of the BAT scheme.
TL;DR: A protocol is introduced, built upon signature aggregation, for checking the authenticity, completeness and freshness of query answers, which offers the important property of allowing new data to be disseminated immediately, while ensuring that outdated values beyond a pre-set age can be detected.
Abstract: Query answers from servers operated by third parties need to be verified, as the third parties may not be trusted or their servers may be compromised. Most of the existing authentication methods construct validity proofs based on the Merkle hash tree (MHT). The MHT, however, imposes severe concurrency constraints that slow down data updates. We introduce a protocol, built upon signature aggregation, for checking the authenticity, completeness and freshness of query answers. The protocol offers the important property of allowing new data to be disseminated immediately, while ensuring that outdated values beyond a pre-set age can be detected. We also propose an efficient verification technique for ad-hoc equijoins, for which no practical solution existed. In addition, for servers that need to process heavy query workloads, we introduce a mechanism that significantly reduces the proof construction time by caching just a small number of strategically chosen aggregate signatures. The efficiency and efficacy of our proposed mechanisms are confirmed through extensive experiments.
TL;DR: A new authenticated key exchange protocol NAKE is proposed, which can solve the existing problems in the original proposal and is provably secure in the CK security model, thus it inherits the corresponding security attributes in the CK security model.
TL;DR: In this article, an authentication counterpart of Wyner's study of the wiretap channel is developed, where message authentication over noisy channels is studied while impersonation and substitution attacks are investigated for both single and multiple-message scenarios.
Abstract: An authentication counterpart of Wyner's study of the wiretap channel is developed in this work. More specifically, message authentication over noisy channels is studied while impersonation and substitution attacks are investigated for both single- and multiple-message scenarios. For each scenario, information-theoretic lower and upper bounds on the opponent's success, or cheating, probability are derived. Remarkably, in both scenarios, the lower and upper bounds are shown to match, and hence, the fundamental limits on message authentication over noisy channels are fully characterized. The opponent's success probability is further shown to be smaller than that derived in the classical noiseless channel model. These results rely on a novel authentication scheme in which shared key information is used to provide simultaneous protection against both types of attacks. Finally, message authentication for the case in which the source and receiver possess only correlated sequences is studied.
TL;DR: This paper proposes a new authentication and encryption method that conforms to the EPC Class 1 Generation 2 standards to ensure RFID security between tags and readers and proves its feasibility for use in several applications.