Abstract: Vehicular ad hoc network (VANET) can offer various services and benefits to users and thus deserves deployment effort. Attacking and misusing such network could cause destructive consequences. It is therefore necessary to integrate security requirements into the design of VANETs and defend VANET systems against misbehavior, in order to ensure correct and smooth operations of the network. In this paper, we propose a security system for VANETs to achieve privacy desired by vehicles and traceability required by law enforcement authorities, in addition to satisfying fundamental security requirements including authentication, nonrepudiation, message integrity, and confidentiality. Moreover, we propose a privacy-preserving defense technique for network authorities to handle misbehavior in VANET access, considering the challenge that privacy provides avenue for misbehavior. The proposed system employs an identity-based cryptosystem where certificates are not needed for authentication. We show the fulfillment and feasibility of our system with respect to the security goals and efficiency.

Abstract: In this paper, we propose an efficient pseudonymous authentication scheme with strong privacy preservation (PASS), for vehicular communications. Unlike traditional pseudonymous authentication schemes, the size of the certificate revocation list (CRL) in PASS is linear with the number of revoked vehicles and unrelated to how many pseudonymous certificates are held by the revoked vehicles. PASS supports the roadside unit (RSU)-aided distributed certificate service that allows the vehicles to update certificates on road, but the service overhead is almost unrelated to the number of updated certificates. Furthermore, PASS provides strong privacy preservation to the vehicles so that the adversaries cannot trace any vehicle, even though all RSUs have been compromised. Extensive simulations demonstrate that PASS outperforms previously reported schemes in terms of the revocation cost and the certificate updating overhead.

Abstract: Existing authentication protocols to secure vehicular ad hoc networks (VANETs) raise challenges such as certificate distribution and revocation, avoidance of computation and communication bottlenecks, and reduction of the strong reliance on tamper-proof devices. This paper efficiently copes with these challenges with a decentralized group-authentication protocol in the sense that the group is maintained by each roadside unit (RSU) rather than by a centralized authority, as in most existing protocols that are employing group signatures. In our proposal, we employ each RSU to maintain and manage an on-the-fly group within its communication range. Vehicles entering the group can anonymously broadcast vehicle-to-vehicle (V2V) messages, which can be instantly verified by the vehicles in the same group (and neighboring groups). Later, if the message is found to be false, a third party can be invoked to disclose the identity of the message originator. Our protocol efficiently exploits the specific features of vehicular mobility, physical road limitations, and properly distributed RSUs. Our design leads to a robust VANET since, if some RSUs occasionally collapse, only the vehicles that are driving in those collapsed areas will be affected. Due to the numerous RSUs sharing the load to maintain the system, performance does not significantly degrade when more vehicles join the VANET; hence, the system is scalable.

Abstract: Users are increasingly dependent on mobile devices. However, current authentication methods like password entry are significantly more frustrating and difficult to perform on these devices, leading users to create and reuse shorter passwords and pins, or no authentication at all. We present implicit authentication - authenticating users based on behavior patterns. We describe our model for performing implicit authentication and assess our techniques using more than two weeks of collected data from over 50 subjects.

Abstract: Lower/physical layer characteristics have been considered as potential alternatives/complements to provide security services in wireless networks. This article provides an overview of various noncryptographic mechanisms for user authentication and device identification in wireless networks using lower/physical layer properties or information. We discuss merits and demerits of these authentication/identification schemes and the practical implementation issues. Future research on cross-layer security design concludes this article.

Abstract: An authorization and authentication system utilizing a mobile communication device. The authentication and authorization system enables a trusted server, in conjunction with a user controlled mobile communication device (which has been registered with the trusted site), to authorize a transaction carried out at a transaction management system. An identity of the user is authenticated by a verification that the user is in possession of the mobile communication device. In this way, the transaction management system is able to effectuate an authorized transaction with confidence that the authorization was from the user and not a third party. In variations, the authentication is a multi-factor authentication, i.e., the user must both possess the mobile communication device and information, e.g., a password.

Abstract: In this paper, the authors discuss security issues for cloud computing and present a layered framework for secure clouds and then focus on two of the layers, i.e., the storage layer and the data layer. In particular, the authors discuss a scheme for secure third party publications of documents in a cloud. Next, the paper will converse secure federated query processing with map Reduce and Hadoop, and discuss the use of secure co-processors for cloud computing. Finally, the authors discuss XACML implementation for Hadoop and discuss their beliefs that building trusted applications from untrusted components will be a major aspect of secure cloud computing.

Abstract: The system and method for intelligent workload management described herein may include a computing environment having a model-driven, service-oriented architecture for creating collaborative threads to manage workloads, wherein the management threads may converge information for managing identities and access credentials, enforcing policies, providing compliance assurances, managing provisioned and requested services, and managing physical and virtual infrastructure resources In one implementation, an authentication server may generate authentication tokens defining access credentials for managed entities across a plurality of authentication domains, wherein the authentication tokens may control access to resources in an information technology infrastructure For example, a management infrastructure may create service distributions for the managed entities, which may include virtual machine images hosted on physical resources Further, the authentication tokens may be embedded in the service distributions, whereby the embedded authentication tokens may control access to the resources in the information technology infrastructure

Abstract: We present a privacy preserving protocol for fingerprint-based authentication. We consider a scenario where a client equipped with a fingerprint reader is interested into learning if the acquired fingerprint belongs to the database of authorized entities managed by a server. For security, it is required that the client does not learn anything on the database and the server should not get any information about the requested biometry and the outcome of the matching process. The proposed protocol follows a multi-party computation approach and makes extensive use of homomorphic encryption as underlying cryptographic primitive. To keep the protocol complexity as low as possible, a particular representation of fingerprint images, named Fingercode, is adopted. Although the previous works on privacy-preserving biometric identification focus on selecting the best matching identity in the database, our main solution is a generic identification protocol and it allows to select and report all the enrolled identities whose distance to the user's fingercode is under a given threshold. Variants for simple authentication purposes are provided. Our protocols gain a notable bandwidth saving (about 25-39%) if compared with the best previous work (ICISC'09) and its computational complexity is still low and suitable for practical applications. Moreover, even if such protocols are presented in the context of a fingerprint-based system, they can be generalized to any biometric system that shares the same matching methodology, namely distance computation and thresholding.

Abstract: Key transfer protocols rely on a mutually trusted key generation center (KGC) to select session keys and transport session keys to all communication entities secretly. Most often, KGC encrypts session keys under another secret key shared with each entity during registration. In this paper, we propose an authenticated key transfer protocol based on secret sharing scheme that KGC can broadcast group key information to all group members at once and only authorized group members can recover the group key; but unauthorized users cannot recover the group key. The confidentiality of this transformation is information theoretically secure. We also provide authentication for transporting this group key. Goals and security threats of our proposed group key transfer protocol will be analyzed in detail.

Abstract: Apparatuses, methods, and systems pertaining to the verification of portable consumer devices for 3-D Secure Systems are disclosed. In one implementation, a verification token is coupled to a computer by a USB connection so as to use the computer's networking facilities. The verification token reads identification information from a user's portable consumer device (e.g., credit card) and sends the information to a validation entry over a communications network using the computer's networking facilities. The validation entity applies one or more validation tests to the information that it receives from the verification token. If a selected number of tests are passed, the validation entity sends a 3-D Secure datum to the verification token. The verification token may enter the 3-D Secure datum into a hidden field of a Purchase Authentication Page appearing on the computer's display.

Abstract: Recent years have seen the rapid spread of biometric technologies for automatic people recognition. However, security and privacy issues still represent the main obstacles for the deployment of biometric-based authentication systems. In this paper, we propose an approach, which we refer to as BioConvolving, that is able to guarantee security and renewability to biometric templates. Specifically, we introduce a set of noninvertible transformations, which can be applied to any biometrics whose template can be represented by a set of sequences, in order to generate multiple transformed versions of the template. Once the transformation is performed, retrieving the original data from the transformed template is computationally as hard as random guessing. As a proof of concept, the proposed approach is applied to an on-line signature recognition system, where a hidden Markov model-based matching strategy is employed. The performance of a protected on-line signature recognition system employing the proposed BioConvolving approach is evaluated, both in terms of authentication rates and renewability capacity, using the MCYT signature database. The reported extensive set of experiments shows that protected and renewable biometric templates can be properly generated and used for recognition, at the expense of a slight degradation in authentication performance.

Abstract: Purpose – The problem of protecting information and data flows has existed from the very first day of information exchange. Various approaches have been devised to protect and transfer such information securely. However, as technology and communications advance and information management systems become more and more powerful and distributed, the problem has taken on new and more complex dimensions and has become a major challenge. The widespread use of wired and wireless communication networks, internet, web applications and computing has increased the gravity of the problem. Organizations are totally dependent on reliable, secure and fault‐tolerant systems, communications, applications and information bases. Unfortunately, serious security and privacy breaches still occur every day, creating an absolute necessity to provide secure and safe information security systems through the use of firewalls, intrusion detection and prevention systems (ID/PSs), encryption, authentication and other hardware and softw...

Abstract: An identity authentication method is provided. The method comprises obtaining records information of a valid user, where the records information indicates behaviors having been executed by the valid user; mapping, based on an orthogonal behavior model having multiple mutually orthogonal dimensions, records information to the multiple dimensions, wherein behaviors indicated by records information mapped to different dimensions do not overlap therebetween and have no logical cause and effect relationship; sampling records information mapped to different dimensions, respectively, so as to generate an authentication questionnaire including a plurality of authentication questions; computing, responsive to answers of a client to the authentication questionnaire, a total confidence P for the client being a valid user; outputting a positive authentication result, responsive to the total confidence probability P falling into a confidence interval; and outputting a negative authentication result, responsive to the total confidence probability P failing to fall into a confidence interval. The present invention further provides a corresponding identity authentication apparatus.

Abstract: A computer-implemented method for protecting data stored on removable storage devices may include (1) identifying an attempt by a computing device to access encrypted data stored on a removable storage device and then, prior to allowing access to the encrypted data, (2) authenticating a user of the computing device by (a) obtaining security credentials from the user that include a time-synchronized authentication code generated by an external authentication device and (b) verifying the validity of the security credentials. Upon authenticating the user, the method may include allowing access to the encrypted data stored on the removable storage device. Various additional methods, systems, and computer-readable media are also disclosed.

Abstract: By using a symmetric key to encrypt mobile device data before transmitting the data to a backup location in a backup operation, access to the data, at the backup location, may be restricted. To facilitate later decryption of the backed up mobile device data, the mobile device may also transmit the symmetric key to the off-device location. However, to limit use of the symmetric key, the mobile device may encrypt the symmetric key using authentication data, before transmitting the encrypted symmetric key to the backup location.

Abstract: The introduction of tabletop interfaces has given rise to the need for the development of secure and usable authentication techniques that are appropriate for the co-located collaborative settings for which they have been designed. Most commonly, user authentication is based on something you know, but this is a particular problem for tabletop interfaces, as they are particularly vulnerable to shoulder surfing given their remit to foster co-located collaboration. In other words, tabletop users would typically authenticate in full view of a number of observers. In this paper, we introduce and evaluate a number of novel tabletop authentication schemes that exploit the features of multi-touch interaction in order to inhibit shoulder surfing. In our pilot work with users, and in our formal user-evaluation, one authentication scheme - Pressure-Grid - stood out, significantly enhancing shoulder surfing resistance when participants used it to enter both PINs and graphical passwords.

Abstract: By exploiting a smart card, this paper presents a robust and efficient password-authenticated key agreement scheme. This paper strengthens the security of the scheme by addressing untraceability property such that any third party over the communication channel cannot tell whether or not he has seen the same (unknown) smart card twice through the authentication sessions. The proposed remedy also prevents a kind of denial of service attack found in the original scheme. High performance and other good functionalities are preserved.

Abstract: Recently the problem of providing effective and appropriate healthcare to elderly and disable people is an important field in relative to the aging of population problems. The objective of information and communication technologies (ICT) is to focus on the new technologies the medical environments, so that it can provide management to accelerate and improve the clinical process. Our contribution is to introduce an approach based on Internet of things (IoT) in medical environments to achieve a global connectivity with the patient, sensors and everything around it. The main goal of this globality feature is to provide a context awareness to make the patient's life easier and the clinical process more effective. To achieve this approach, firstly has been developed an architecture which has been designed to offer great potential and flexibility of communications, monitoring and control. This architecture includes several advanced communication technologies; among them are 6LoWPAN and RFID/NFC, which are the basis ofthe IoT. Moreover the research deal with the problems related to the mobility and security that happens when IoT is applied in medical environments. The mobility issue requires developing a protocol over 6LoWPAN network to be carried out in sensor networks with high specification related with low power consumption and capacity. While in the RFID/NFC technologies need to support secure communications, our proposal is to introduce a set of security techniques and cryptographic SIM card to authenticate, encrypt and sign the communications with medical devices. The preliminary results showed a reduction of time in the handover process with the protocol for mobility defined, by omitting the stages of addressing and simplifying the MIPv6 protocol. In addition to increase the security in the communications carried out by NFC devices enhanced with the inclusion of cryptographic SIM card.

Abstract: Wireless sensor networks (WSNs) are considered due to the ubiquitous nature, ease of deployment, and wide range of possible applications. WSNs can be deployed in unattended environments, where a registered user can login to the network and access data collected by the linked sensors. Authenticating users in resource constrained environments is one of the major security concerns. Since sensor nodes have limited resources and computation power, it is desirable that the authentication protocol is simple and efficient. In 2009, M. L. Das proposed a two-factor authentication for WSNs, where a user has to prove possession of both, a password and a smart card. Since his scheme utilizes only cryptographic one-way hash function and exclusive-OR operation, it is well-suited for resource constrained environments. However, Khan and Algahathbar pointed out that Das's scheme has some flaws and is vulnerable to various attacks and proposed an alternative solution. In this paper, we show that both, Das's and Khan-Algahathbar's schemes have flaws and remain vulnerable to various attacks including stolen smart card attacks. To overcome the security weaknesses of both schemes, we propose an improved two-factor user authentication that is resilient to stolen smart card attacks as well as other common types of attacks. We provide security evaluation of the proposed protocols showing its robustness to various attacks and analyzed the scheme's performance to determine its efficiency. Compared to the previous schemes, it is proven more robust and provides better security.

Abstract: This document defines Secure/Multipurpose Internet Mail Extensions (S/MIME) version 3.2. S/MIME provides a consistent way to send and receive secure MIME data. Digital signatures provide authentication, message integrity, and non-repudiation with proof of origin. Encryption provides data confidentiality. Compression can be used to reduce data size. This document obsoletes RFC 3851. [STANDARDS-TRACK]

Abstract: A gateway server interoperates with client and remote server systems to provide stateless security management for a distributed Web application. A Web client application on the client system initiates a WebSocket connection directed to a remote Web service by performing an authentication challenge directed to a user of the Web-browser client where a secure token is not present in a local store instance corresponding to the client application. The authentication challenge obtains the user credentials and then exchanges the user credentials with the gateway server for a secure token. The secure token is then sent in a protocol specific connect message to the gateway server. The gateway server, in response to receipt of the connect message, initiates a WebSocket connection directed to the remote Web service by inspecting the connect message to recover the secure token, evaluating the secure token to obtain user credentials, injecting the secure token with the user credentials, and sending the connect message to the remote Web service.

Abstract: A multiple key, multiple tiered network security system, method and apparatus provides at least three levels of security. The first level of security includes physical (MAC) address authentication of a user device being attached to the network, such as a user device being attached to a port of a network access device. The second level includes authentication of the user of the user device, such as user authentication in accordance with the IEEE 802.1x standard. The third level includes dynamic assignment of a user policy to the port based on the identity of the user, wherein the user policy is used to selectively control access to the port. The user policy may identify or include an access control list (ACL) or MAC address filter. Also, the user policy is not dynamically assigned if insufficient system resources are available to do so. Failure to pass a lower security level results in a denial of access to subsequent levels of authentication.

Abstract: Concerns on widespread use of biometric authentication systems are primarily centered around template security, revocability, and privacy. The use of cryptographic primitives to bolster the authentication process can alleviate some of these concerns as shown by biometric cryptosystems. In this paper, we propose a provably secure and blind biometric authentication protocol, which addresses the concerns of user's privacy, template protection, and trust issues. The protocol is blind in the sense that it reveals only the identity, and no additional information about the user or the biometric to the authenticating server or vice-versa. As the protocol is based on asymmetric encryption of the biometric data, it captures the advantages of biometric authentication as well as the security of public key cryptography. The authentication protocol can run over public networks and provide nonrepudiable identity verification. The encryption also provides template protection, the ability to revoke enrolled templates, and alleviates the concerns on privacy in widespread use of biometrics. The proposed approach makes no restrictive assumptions on the biometric data and is hence applicable to multiple biometrics. Such a protocol has significant advantages over existing biometric cryptosystems, which use a biometric to secure a secret key, which in turn is used for authentication. We analyze the security of the protocol under various attack scenarios. Experimental results on four biometric datasets (face, iris, hand geometry, and fingerprint) show that carrying out the authentication in the encrypted domain does not affect the accuracy, while the encryption key acts as an additional layer of security.

Abstract: RFID, Radio Frequency Identification is an inexpensive technology, can be implemented for several applications such as security, asset tracking, people tracking, inventory detection, access control applications. The main objective of this paper is to design and implement a digital security system which can deploy in secured zone where only authentic person can be entered. We implemented a security system containing door locking system using passive type of RFID which can activate, authenticate, and validate the user and unlock the door in real time for secure access. The advantage of using passive RFID is that it functions without a battery and passive tags are lighter and are less expensive than the active tags. A centralized system manages the controlling, transaction and operation task. The door locking system functions in real time as the door open quickly when user put their tag in contact of reader. The system also creates a log containing check-in and check-out of each user along with basic information of user. General Terms Ubiquitous computing, Security

Abstract: Method and apparatus for integrating distributed shared services system which integrates web based applications with each other and with other centralized application to provide a single sign-on approach for authentication and authorization services for distributed web sites requiring no access time back to the authentication/authorization server is provided.