TL;DR: A classification framework that learns the touch behavior of a user during an enrollment phase and is able to accept or reject the current user by monitoring interaction with the touch screen is proposed.
Abstract: We investigate whether a classifier can continuously authenticate users based on the way they interact with the touchscreen of a smart phone. We propose a set of 30 behavioral touch features that can be extracted from raw touchscreen logs and demonstrate that different users populate distinct subspaces of this feature space. In a systematic experiment designed to test how this behavioral pattern exhibits consistency over time, we collected touch data from users interacting with a smart phone using basic navigation maneuvers, i.e., up-down and left-right scrolling. We propose a classification framework that learns the touch behavior of a user during an enrollment phase and is able to accept or reject the current user by monitoring interaction with the touch screen. The classifier achieves a median equal error rate of 0% for intrasession authentication, 2%-3% for intersession authentication, and below 4% when the authentication test was carried out one week after the enrollment phase. While our experimental findings disqualify this method as a standalone authentication mechanism for long-term authentication, it could be implemented as a means to extend screen-lock time or as a part of a multimodal biometric authentication system.
TL;DR: This paper expounds several security issues of IoT that exist in the three-layer system structure, and comes up with solutions to the issues above coupled with key technologies involved.
Abstract: The security issues of the Internet of Things (IoT) are directly related to the wide application of its system. Beginning with introducing the architecture and features of IoT security, this paper expounds several security issues of IoT that exist in the three-layer system structure, and comes up with solutions to the issues above coupled with key technologies involved. Among these safety measures concerned, the ones about perception layer are particularly elaborated, including key management and algorithm, security routing protocol, data fusion technology, as well as authentication and access control, etc.
TL;DR: An attempt is made to survey the recent developments in the field of digital image forgery detection and a complete bibliography is presented on blind methods for forgery Detection.
TL;DR: The proposed security scheme is therefore based on RSA, the most widely used public key cryptography algorithm, and designed to work over standard communication stacks that offer UDP/IPv6 networking for Low power Wireless Personal Area Networks (6LoWPANs).
Abstract: In this paper, we introduce the first fully implemented two-way authentication security scheme for the Internet of Things (IoT) based on existing Internet standards, specifically the Datagram Transport Layer Security (DTLS) protocol. By relying on an established standard, existing implementations, engineering techniques and security infrastructure can be reused, which enables easy security uptake. Our proposed security scheme is therefore based on RSA, the most widely used public key cryptography algorithm. It is designed to work over standard communication stacks that offer UDP/IPv6 networking for Low power Wireless Personal Area Networks (6LoWPANs). Our implementation of DTLS is presented in the context of a system architecture and the scheme's feasibility (low overheads and high interoperability) is further demonstrated through extensive evaluation on a hardware platform suitable for the Internet of Things.
TL;DR: In this paper, the authors present a system and method for authenticating a user of a client computer making a request to a server computer providing access to a network resource through an authentication platform that issues a challenge in response to the request requiring authentication of the user identity through a reply from the client computer.
Abstract: Embodiments are directed to a system and method for authenticating a user of a client computer making a request to a server computer providing access to a network resource through an authentication platform that issues a challenge in response to the request requiring authentication of the user identity through a reply from the client computer, determining one or more items of context information related to at least one of the user, the request, and the client computer, and determining a disposition of the request based on the reply and the one or more items of context information. The reply includes a user password and may be provided by an authorizing client device coupled to the client computer over a wireless communications link.
TL;DR: In this article, a checkout system is provided for carrying out a two-factor authentication process where coded products are purchased and theft activity might be pursued, where the system typically includes an identification code reader for reading product identification codes (e.g. UPC bar code symbols or EPC-encoded RFID tags) on products that are passed through the point of sale (POS).
Abstract: A checkout system is provided for carrying out a two-factor authentication process where coded products are purchased and theft activity might be pursued. The system typically includes an identification code reader for reading product identification codes (e.g. UPC bar code symbols or EPC-encoded RFID tags) on products that are passed through the point of sale (POS) and a security code detector/reader for automatically detecting/reading a security code (e.g. implemented as an EAS tag or an RFID tag) at the POS. During product checkout operations, the identification code reader reads identification codes, and the security code detector/reader detects or reads security codes applied to products. Collected identification and security data is automatically processed using identification and security data stored in a database to determine whether or not each product being purchased at the POS is in compliance or not in compliance with a two-factor authentication process supported by the checkout system.
TL;DR: In this paper, a user device transmits a login request to a service provider server, receives a random number from and transmits other information to an authentication server, which transmits the random number to a second user device, who transmits it to the authentication server.
Abstract: A user device transmits a login request. A provider server receives a random number from and transmits other information to an authentication server. The provider server transmits the random number to the device. The random number is transferred to a second user device, which transmits it to the authentication server. The authentication server transmits provider authentication policy requirements and further transmits the other information to the second device. The second device transmits user validation information to the authentication server. The authentication server determines that the transmitted validation information corresponds to the service provider authentication policy requirements, compares the validation information with stored validation information for the user to authenticate the user. The second device transmits a message, including the random number and the other information, signed with a user credential to the authentication server. The authentication server transmits notice of authentication and the signed message to the provider server.
TL;DR: A temporal-credential-based mutual authentication scheme among the user, GWN and the sensor node and a lightweight key agreement scheme is proposed to embed into the protocol that is realistic and well adapted for resource-constrained wireless sensor networks.
TL;DR: It is proposed that an auxiliary server (the “honeychecker”) can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.
Abstract: We propose a simple method for improving the security of hashed passwords: the maintenance of additional “honeywords” (false passwords) associated with each user's account. An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword. The attempted use of a honeyword for login sets off an alarm. An auxiliary server (the “honeychecker”) can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.
TL;DR: A secure scheme that can achieve the security and privacy requirements, and overcome the weaknesses of SPECS is provided, and the efficiency merits of the scheme are shown through performance evaluations in terms of verification delay and transmission overhead.
Abstract: The security and privacy preservation issues are prerequisites for vehicular ad hoc networks. Recently, secure and privacy enhancing communication schemes (SPECS) was proposed and focused on intervehicle communications. SPECS provided a software-based solution to satisfy the privacy requirement and gave lower message overhead and higher successful rate than previous solutions in the message verification phase. SPECS also presented the first group communication protocol to allow vehicles to authenticate and securely communicate with others in a group of known vehicles. Unfortunately, we find out that SPECS is vulnerable to impersonation attack. SPECS has a flaw such that a malicious vehicle can force arbitrary vehicles to broadcast fake messages to other vehicles or even a malicious vehicle in the group can counterfeit another group member to send fake messages securely among themselves. In this paper, we provide a secure scheme that can achieve the security and privacy requirements, and overcome the weaknesses of SPECS. Moreover, we show the efficiency merits of our scheme through performance evaluations in terms of verification delay and transmission overhead.
TL;DR: A modified smart card based remote user password authentication scheme to overcome the weaknesses of Chen et al.'s scheme and shows that it is user friendly and more secure than other related schemes.
TL;DR: Performance analysis of the protocol in terms of computational time compared to other existing solutions is discussed, which addresses challenges in IoT and security attacks are modelled with the use cases to give an actual view of IoT networks.
Abstract: In the last few years the Internet of Things (IoT) has seen widespread application and can be found in each field. Authentication and access control are important and critical functionalities in the context of IoT to enable secure communication between devices. Mobility, dynamic network topology and weak physical security of low power devices in IoT networks are possible sources for security vulnerabilities. It is promising to make an authentication and access control attack resistant and lightweight in a resource constrained and distributed IoT environment. This paper presents the Identity Authentication and Capability based Access Control (IACAC) model with protocol evaluation and performance analysis. To protect IoT from man-in-the-middle, replay and denial of service (DoS) attacks, the concept of capability for access control is introduced. The novelty of this model is that it presents an integrated approach of authentication and access control for IoT devices. The results of other related study have also been analyzed to validate and support our findings. Finally, the proposed protocol is evaluated by using security protocol verification tool and verification results show that IACAC is secure against aforementioned attacks. This paper also discusses performance analysis of the protocol in terms of computational time compared to other existing solutions. Furthermore, this paper addresses challenges in IoT and security attacks are modelled with the use cases to give an actual view of IoT networks.
TL;DR: In this paper, the MULTI-PURPOSE VIRTUAL CARD TRANSACTION APPARATUSES, METHODS and Systems (WIP) is proposed.
Abstract: The MULTI-PURPOSE VIRTUAL CARD TRANSACTION APPARATUSES, METHODS AND SYSTEMS (“WIP”) transform wallet in proxy card generation requests and purchase inputs via WIP components into wallet in proxy card generation notifications and wallet in proxy card-based transaction purchase notifications. In one implementation, the WIP server may receive a transaction authentication request associated with a proxy payment identifier, and then determine that the proxy payment identifier is associated with an electronic wallet. The WIP server may further obtain a payment identifier associated with the electronic wallet, and authenticate the transaction using the obtained payment identifier associated with the electronic wallet.
TL;DR: A novel cryptographic device pairing protocol that uses time-varying randomness from ECG signals to protect against attacks by active adversaries, while meeting the practical challenges of lightweight implementation and noise tolerance in ECG readings is introduced.
Abstract: We present Heart-to-Heart (H2H), a system to authenticate external medical device controllers and programmers to Implantable Medical Devices (IMDs). IMDs, which include pacemakers and cardiac defibrillators, are therapeutic medical devices partially or wholly embedded in the human body. They often have built-in radio communication to facilitate non-invasive reprogramming and data readout. Many IMDs, though, lack well designed authentication protocols, exposing patients to over-the-air attack and physical harm. H2H makes use of ECG (heartbeat data) as an authentication mechanism, ensuring access only by a medical instrument in physical contact with an IMD-bearing patient. Based on statistical analysis of real-world data, we propose and analyze new techniques for extracting time-varying randomness from ECG signals for use in H2H. We introduce a novel cryptographic device pairing protocol that uses this randomness to protect against attacks by active adversaries, while meeting the practical challenges of lightweight implementation and noise tolerance in ECG readings. Finally, we describe an end-to-end implementation in an ARM-Cortex M-3 microcontroller that demonstrates the practicality of H2H in current IMD hardware. Previous schemes have had goals much like those of H2H, but with serious limitations making them unfit for deployment---such as naively designed cryptographic pairing protocols (some of them recently broken). In addition to its novel analysis and use of ECG entropy, H2H is the first physiologically-based IMD device pairing protocol with a rigorous adversarial model and protocol analysis.
TL;DR: An improved authentication of the batch scheme based on bilinear pairing is proposed to make VANET more secure, efficient, and more suitable for practical use.
Abstract: Vehicular Ad-Hoc Network (VANET) is an application of Ad-Hoc Network, which can significantly improve the efficiency of transportation systems. The authentication of information is particularly important in the VANET system, because of its significant impact, and the transportation systems may be paralyzed as a result of receiving the wrong traffic information. Hence, a lot of schemes have been proposed to verify the information of VANET. However, most of currently known schemes verify the information on a one by one basis. In real situation, the large amount of traffic flow will generate a lot of information at the same time. If the authentication method is authenticating one by one, it is bound to lead to information delays, and the system will have difficulty to achieve real-time performance. Therefore, we shall propose an improved authentication of the batch scheme based on bilinear pairing to make VANET more secure, efficient, and more suitable for practical use.
TL;DR: A proposed Internet of Things system architecture offers a solution to the broad array of challenges researchers face in terms of general system security, network security, and application security.
Abstract: A proposed Internet of Things system architecture offers a solution to the broad array of challenges researchers face in terms of general system security, network security, and application security.
TL;DR: A verified reference implementation of TLS 1.2 is developed, including security specifications for its main components, such as authenticated stream encryption for the record layer and key establishment for the handshake, and typecheck the protocol state machine.
Abstract: TLS is possibly the most used protocol for secure communications, with an 18-year history of flaws and fixes, ranging from its protocol logic to its cryptographic design, and from the Internet standard to its diverse implementations. We develop a verified reference implementation of TLS 1.2. Our code fully supports its wire formats, ciphersuites, sessions and connections, re-handshakes and resumptions, alerts and errors, and data fragmentation, as prescribed in the RFCs; it interoperates with mainstream web browsers and servers. At the same time, our code is carefully structured to enable its modular, automated verification, from its main API down to computational assumptions on its cryptographic algorithms. Our implementation is written in F# and specified in F7. We present security specifications for its main components, such as authenticated stream encryption for the record layer and key establishment for the handshake. We describe their verification using the F7 typechecker. To this end, we equip each cryptographic primitive and construction of TLS with a new typed interface that captures its security properties, and we gradually replace concrete implementations with ideal functionalities. We finally typecheck the protocol state machine, and obtain precise security theorems for TLS, as it is implemented and deployed. We also revisit classic attacks and report a few new ones.
TL;DR: In this paper, the authors present a human interpretable representation of the application identity to the user, obtaining user approval to generate a response message available to a verification server, and generating a dynamic security value using a cryptographic algorithm that is cryptographically linked to the application identities.
Abstract: Methods, apparatus, and systems for securing application interactions are disclosed. Application interactions may be secured by, at a user authentication device, capturing a signal emitted by an access device encoded with an authentication initiating message including an application identifier, decoding the signal and obtaining the authentication initiating message, retrieving the application identifier, presenting a human interpretable representation of the application identity to the user, obtaining user approval to generate a response message available to a verification server, generating a dynamic security value using a cryptographic algorithm that is cryptographically linked to the application identity, and generating a response message including the generated dynamic security value; making the response message available to a verification server; and, at the verification server, receiving the response message, verifying the response message including verifying the validity of the dynamic security value, and communicating the result of the verification of the response message to the application.
TL;DR: In this paper, a wireless charging method and apparatus for wireless charging authentication through a non-contact wireless local communication antenna is described. But the authors do not specify a wireless power receiver and a charging controller.
Abstract: A wireless charging method and apparatus are provided. A non-contact wireless local communication unit performs non-contact wireless local communication for wireless charging authentication through a non-contact wireless local communication antenna. A wireless power receiver receives supply power from a wireless power transmitter by using a resonator resonating on a resonance frequency equal to that of the wireless power transmitter after the wireless charging authentication. A charging controller performs wireless charging by using the supply power received by the wireless power receiver. One or more switches switch between a connection between the non-contact wireless local communication antenna and the non-contact wireless local communication unit, and a connection between the wireless power receiver and the charging controller.
TL;DR: In this paper, a controller device for a software defined network (SDN) includes one or more network interfaces configured to communicate with network devices of the SDN, and a processor configured to receive credentials from a client device in accordance with a public key infrastructure (PKI)-based authentication protocol.
Abstract: In one example, a controller device for a software defined network (SDN) includes one or more network interfaces configured to communicate with network devices of the SDN, and one or more processors configured to receive credentials from a client device in accordance with a public key infrastructure (PKI)-based authentication protocol, determine one or more policies that are applicable to the client device based on the received credentials, and program network devices of the SDN to enforce the determined policies on a per-packet-flow basis for packet flows including the client device.
TL;DR: A simple and efficient user authentication approach based on a fixed mouse-operation task that achieves false-acceptance rate of 8.74%, and a false-rejection rate of 7.69% with a corresponding authentication time of 11.8 seconds is presented.
Abstract: Behavior-based user authentication with pointing devices, such as mice or touchpads, has been gaining attention. As an emerging behavioral biometric, mouse dynamics aims to address the authentication problem by verifying computer users on the basis of their mouse operating styles. This paper presents a simple and efficient user authentication approach based on a fixed mouse-operation task. For each sample of the mouse-operation task, both traditional holistic features and newly defined procedural features are extracted for accurate and fine-grained characterization of a user's unique mouse behavior. Distance-measurement and eigenspace-transformation techniques are applied to obtain feature components for efficiently representing the original mouse feature space. Then a one-class learning algorithm is employed in the distance-based feature eigenspace for the authentication task. The approach is evaluated on a dataset of 5550 mouse-operation samples from 37 subjects. Extensive experimental results are included to demonstrate the efficacy of the proposed approach, which achieves a false-acceptance rate of 8.74%, and a false-rejection rate of 7.69% with a corresponding authentication time of 11.8 seconds. Two additional experiments are provided to compare the current approach with other approaches in the literature. Our dataset is publicly available to facilitate future research.
TL;DR: Spatial information, a physical property associated with each node, hard to falsify, and not reliant on cryptography, is proposed as the basis for detecting spoofing attacks; determining the number of attackers when multiple adversaries masquerading as the same node identity; and localizing multiple adversaries.
Abstract: Wireless spoofing attacks are easy to launch and can significantly impact the performance of networks. Although the identity of a node can be verified through cryptographic authentication, conventional security approaches are not always desirable because of their overhead requirements. In this paper, we propose to use spatial information, a physical property associated with each node, hard to falsify, and not reliant on cryptography, as the basis for 1) detecting spoofing attacks; 2) determining the number of attackers when multiple adversaries masquerading as the same node identity; and 3) localizing multiple adversaries. We propose to use the spatial correlation of received signal strength (RSS) inherited from wireless nodes to detect the spoofing attacks. We then formulate the problem of determining the number of attackers as a multiclass detection problem. Cluster-based mechanisms are developed to determine the number of attackers. When the training data are available, we explore using the Support Vector Machines (SVM) method to further improve the accuracy of determining the number of attackers. In addition, we developed an integrated detection and localization system that can localize the positions of multiple attackers. We evaluated our techniques through two testbeds using both an 802.11 (WiFi) network and an 802.15.4 (ZigBee) network in two real office buildings. Our experimental results show that our proposed methods can achieve over 90 percent Hit Rate and Precision when determining the number of attackers. Our localization results using a representative set of algorithms provide strong evidence of high accuracy of localizing multiple adversaries.
TL;DR: This paper proposes a new efficient and secure biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem (ECC) without verification table to minimize the complexity of hash operation among all users and fit multi-server communication environments.
Abstract: Conventional single-server authentication schemes suffer a significant shortcoming. If a remote user wishes to use numerous network services, he/she must register his/her identity and password at these servers. It is extremely tedious for users to register numerous servers. In order to resolve this problem, various multi-server authentication schemes recently have been proposed. However, these schemes are insecure against some cryptographic attacks or inefficiently designed because of high computation costs. Moreover, these schemes do not provide strong key agreement function which can provide perfect forward secrecy. Based on these motivations, this paper proposes a new efficient and secure biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem (ECC) without verification table to minimize the complexity of hash operation among all users and fit multi-server communication environments. By adopting the biometrics technique, the proposed scheme can provide more strong user authentication function. By adopting the ECC technique, the proposed scheme can provide strong key agreement function with the property of perfect forward secrecy to reduce the computation loads for smart cards. As a result, compared with related multi-server authentication schemes, the proposed scheme has strong security and enhanced computational efficiency. Thus, the proposed scheme is extremely suitable for use in distributed multi-server network environments such as the Internet and in limited computations and communication resource environments to access remote information systems since it provides security, reliability, and efficiency.
TL;DR: In this article, a dynamic object tag for a product and systems and methods relating thereto is disclosed, which comprises a hardware security module, including an electronic storage module, and a communication module for communicating with an interrogation device.
Abstract: A dynamic object tag for a product and systems and methods relating thereto is disclosed. The dynamic object tag comprises a hardware security module, including an electronic storage module, and a communication module for communicating with an interrogation device. The hardware security module is adapted to establish a secure communication channel with the interrogation device, to exchange dynamic authentication parameters with the interrogation device, and to communicate product information stored on the electronic storage module to the interrogation device over the secure communication channel.
TL;DR: In this paper, a real identity authentication device and process is used for encryption/decryption of files in cloud-based hosting services. But this process is not integrated with file exchange processes and API's related to the hosting services, and it is not supported for enabling third parties to request encrypted files and for notifying a file owner of such requests.
Abstract: Systems, devices and process for secure storage, retrieval and management of files using cloud-based hosting services are supported with a real identity authentication device and process. Biometric authentication is required for encryption/decryption of files. The real identity authentication processes are integrated with file exchange processes and API's related to the hosting services. Systems for enabling third parties to request encrypted files, and for notifying a file owner of such requests, are supported.
TL;DR: It is found that subjects have little difficulty recalling chosen “pass-thoughts” and have different preferences for tasks based on the perceived difficulty and enjoyability of the tasks, which can inform the design of authentication systems that guide users in choosing tasks that are both usable and secure.
Abstract: With the embedding of EEG (electro-encephalography) sensors in wireless headsets and other consumer electronics, authenticating users based on their brainwave signals has become a realistic possibility. We undertake an experimental study of the usability and performance of user authentication using consumer-grade EEG sensor technology. By choosing custom tasks and custom acceptance thresholds for each subject, we can achieve 99% authentication accuracy using single-channel EEG signals, which is on par with previous research employing multi-channel EEG signals using clinical-grade devices. In addition to the usability improvement offered by the single-channel dry-contact EEG sensor, we also study the usability of different classes of mental tasks. We find that subjects have little difficulty recalling chosen “pass-thoughts” (e.g., their previously selected song to sing in their mind). They also have different preferences for tasks based on the perceived difficulty and enjoyability of the tasks. These results can inform the design of authentication systems that guide users in choosing tasks that are both usable and secure.
TL;DR: This paper proposes a secure and efficient AKA protocol, called SE-AKA, which can fit in with all of the group authentication scenarios in the LTE networks and cannot only provide strong security including privacy-preservation and KFS/KBS, but also provide a group authentication mechanism which can effectively authenticate group devices.
TL;DR: Comparisons show that the proposed new authentication protocol for wireless sensor networks using elliptic curves cryptography is more suitable for WSNs.
Abstract: User authentication in wireless sensor networks (WSNs) is a critical security issue due to their unattended and hostile deployment in the field. Since sensor nodes are equipped with limited computing power, storage, and communication modules, authenticating remote users in such resource-constrained environments is a paramount security concern. To overcome the weaknesses of Yeh et al.’s protocol, we proposed a new authentication protocol for wireless sensor networks using elliptic curves cryptography. The comparisons show that our protocol is more suitable for WSNs.
TL;DR: This paper proposes an efficient cooperative authentication scheme for VANETs that maximally eliminates redundant authentication efforts on the same message by different vehicles, and uses an evidence-token approach to controlling the authentication workload, without the direct involvement of a trusted authority.
Abstract: Recently, vehicular ad hoc networks (VANETs) have emerged as a promising approach to increasing road safety and efficiency, as well as improving the driving experience. This can be accomplished in a variety of applications that involve communication between vehicles, such as warning other vehicles about emergency braking; however, if we do not take security and privacy issues into consideration, the attractive features of VANETs will inevitably result in higher risks for abuse, even before the wide deployment of such networks. While message authentication is a common tool for ensuring information reliability, namely, data integrity and authenticity, it faces a challenge in VANETs. When the number of messages that are received by a vehicle becomes large, traditional exhaustive (or per-message) authentication may generate unaffordable computational overhead on the vehicle and therefore bring unacceptable delay to time-critical applications, such as accident warning. In this paper, we propose an efficient cooperative authentication scheme for VANETs. To reduce the authentication overhead on individual vehicles and shorten the authentication delay, this scheme maximally eliminates redundant authentication efforts on the same message by different vehicles. To further resist various attacks, including free-riding attacks that are launched by selfish vehicles, and encourage cooperation, the scheme uses an evidence-token approach to controlling the authentication workload, without the direct involvement of a trusted authority (TA). When a vehicle passes a roadside unit (RSU), the vehicle obtains an evidence token from the TA via the RSU. This token reflects the contribution that the vehicle has made to cooperative authentication in the past, which enables the vehicle to proportionally benefit from other vehicles' authentication efforts in the future and thus reduce its own workload. Through extensive simulation, we evaluate the proposed cooperative authentication scheme in terms of workload savings and the ability to resist free-riding attacks.
TL;DR: In this paper, a client application can select a token and split it into multiple parts, one piece can be embedded in a URL and a second piece stored in a file, and the file can also contain browser executable instructions that when executed combine the two pieces to re-create the token and send the re-created token to a server to authenticate the user.
Abstract: Some systems allow a user to access content using both a native client application and a web interface. In these systems, the client application authorized to access a user account can assist with automatically logging a user into the web interface through the use of authentication tokens. In response to an authentication request, the client application can select a token and split it into multiple parts. One piece can be embedded in a URL and a second piece can be stored in a file. The file can also contain browser executable instructions that when executed combine the two pieces to re-create the token and send the re-created token to a server to authenticate the user. The client application can forward the URL to the browser, which can direct the browser to the file. The browser can execute the instructions thereby authenticating the user.