TL;DR: A user authentication protocol scheme with privacy protection for IIoT is proposed and the security of the proposed scheme is proved under a random oracle model, and other security discussions show that the proposed protocol is robust to various attacks.
Abstract: Wireless sensor networks (WSNs) play an important role in the industrial Internet of Things (IIoT) and have been widely used in many industrial fields to gather data of monitoring area. However, due to the open nature of wireless channel and resource-constrained feature of sensor nodes, how to guarantee that the sensitive sensor data can only be accessed by a valid user becomes a key challenge in IIoT environment. Some user authentication protocols for WSNs have been proposed to address this issue. However, previous works more or less have their own weaknesses, such as not providing user anonymity and other ideal functions or being vulnerable to some attacks. To provide secure communication for IIoT, a user authentication protocol scheme with privacy protection for IIoT has been proposed. The security of the proposed scheme is proved under a random oracle model, and other security discussions show that the proposed protocol is robust to various attacks. Furthermore, the comparison results with other related protocols and the simulation by NS-3 show that the proposed protocol is secure and efficient for IIoT.
TL;DR: A blockchain-based anonymous reputation system (BARS) is proposed to establish a privacy-preserving trust model for VANETs, and the results show that BARS is able to establish a trust model with transparency, conditional anonymity, efficiency, and robustness for VANETs.
Abstract: The public key infrastructure-based authentication protocol provides basic security services for the vehicular ad hoc networks (VANETs). However, trust and privacy are still open issues due to the unique characteristics of VANETs. It is crucial to prevent internal vehicles from broadcasting forged messages while simultaneously preserving the privacy of vehicles against the tracking attacks. In this paper, we propose a blockchain-based anonymous reputation system (BARS) to establish a privacy-preserving trust model for VANETs. The certificate and revocation transparency is implemented efficiently with the proofs of presence and absence based on the extended blockchain technology. The public keys are used as pseudonyms in communications without any information about real identities for conditional anonymity. In order to prevent the distribution of forged messages, a reputation evaluation algorithm is presented relying on both direct historical interactions and indirect opinions about vehicles. A set of experiments is conducted to evaluate BARS in terms of security, validity, and performance, and the results show that BARS is able to establish a trust model with transparency, conditional anonymity, efficiency, and robustness for VANETs.
TL;DR: In this article, the authors provide the first comprehensive formal model of a protocol from the AKA family: 5G AKA, and conduct a full, systematic, security evaluation of the model with respect to the 5G security goals.
Abstract: Mobile communication networks connect much of the world's population. The security of users' calls, SMSs, and mobile data depends on the guarantees provided by the Authenticated Key Exchange protocols used. For the next-generation network (5G), the 3GPP group has standardized the 5G AKA protocol for this purpose. We provide the first comprehensive formal model of a protocol from the AKA family: 5G AKA. We also extract precise requirements from the 3GPP standards defining 5G and we identify missing security goals. Using the security protocol verification tool Tamarin, we conduct a full, systematic, security evaluation of the model with respect to the 5G security goals. Our automated analysis identifies the minimal security assumptions required for each security goal and we find that some critical security goals are not met, except under additional assumptions missing from the standard. Finally, we make explicit recommendations with provably secure fixes for the attacks and weaknesses we found.
TL;DR: An architecture for patient monitoring health-care system in WMSN is proposed and an anonymity-preserving mutual authentication protocol for mobile users is designed and it is demonstrated that the proposed protocol is efficient and robust.
TL;DR: The RBAC-SC uses smart contracts and blockchain technology as versatile infrastructures to represent the trust and endorsement relationship that are essential in the RBAC and to realize a challenge-response authentication protocol that verifies a user’s ownership of roles.
Abstract: The role-based access control (RBAC) framework is a mechanism that describes the access control principle. As a common interaction, an organization provides a service to a user who owns a certain role that was issued by a different organization. Such trans-organizational RBAC is common in face-to-face communication but not in a computer network, because it is difficult to establish both the security that prohibits the malicious impersonation of roles and the flexibility that allows small organizations to participate and users to fully control their own roles. In this paper, we present an RBAC using smart contract (RBAC-SC), a platform that makes use of Ethereum’s smart contract technology to realize a trans-organizational utilization of roles. Ethereum is an open blockchain platform that is designed to be secure, adaptable, and flexible. It pioneered smart contracts, which are decentralized applications that serve as “autonomous agents” running exactly as programmed and are deployed on a blockchain. The RBAC-SC uses smart contracts and blockchain technology as versatile infrastructures to represent the trust and endorsement relationship that are essential in the RBAC and to realize a challenge-response authentication protocol that verifies a user’s ownership of roles. We describe the RBAC-SC framework, which is composed of two main parts, namely, the smart contract and the challenge-response protocol, and present a performance analysis. A prototype of the smart contract is created and deployed on Ethereum’s Testnet blockchain, and the source code is publicly available.
TL;DR: Security vulnerabilities of the multi-server cloud environment of the protocols proposed by Xue et al. and Chuang et al. are shown and an informal cryptanalysis confirms that the protocol is protected against all possible security threats.
TL;DR: Wang et al. proposed a blockchain-based anonymous reputation system (BARS) to break the linkability between real identities and public keys to preserve privacy in VANETs.
Abstract: The public key infrastructure (PKI) based authentication protocol provides the basic security services for vehicular ad-hoc networks (VANETs). However, trust and privacy are still open issues due to the unique characteristics of vehicles. It is crucial for VANETs to prevent internal vehicles from broadcasting forged messages while simultaneously protecting the privacy of each vehicle against tracking attacks. In this paper, we propose a blockchain-based anonymous reputation system (BARS) to break the linkability between real identities and public keys to preserve privacy. The certificate and revocation transparency is implemented efficiently using two blockchains. We design a trust model to improve the trustworthiness of messages relying on the reputation of the sender based on both direct historical interactions and indirect opinions about the sender. Experiments are conducted to evaluate BARS in terms of security and performance and the results show that BARS is able to establish distributed trust management, while protecting the privacy of vehicles.
TL;DR: A one-to-many group authentication protocol and a group key establishment algorithm between personal digital assistance (PDA) and each of sensor nodes with energy efficiency and low computational cost and the validation of the proposed protocol can be proved.
TL;DR: A new authentication scheme for multi-server environments using Chebyshev chaotic map that provides strong authentication, and also supports biometrics & password change phase by a legitimate user at any time locally, and dynamic server addition phase.
Abstract: Multi-server environment is the most common scenario for a large number of enterprise class applications. In this environment, user registration at each server is not recommended. Using multi-server authentication architecture, user can manage authentication to various servers using single identity and password. We introduce a new authentication scheme for multi-server environments using Chebyshev chaotic map. In our scheme, we use the Chebyshev chaotic map and biometric verification along with password verification for authorization and access to various application servers. The proposed scheme is light-weight compared to other related schemes. We only use the Chebyshev chaotic map, cryptographic hash function and symmetric key encryption-decryption in the proposed scheme. Our scheme provides strong authentication, and also supports biometrics & password change phase by a legitimate user at any time locally, and dynamic server addition phase. We perform the formal security verification using the broadly-accepted Automated Validation of Internet Security Protocols and Applications (AVISPA) tool to show that the presented scheme is secure. In addition, we use the formal security analysis using the Burrows-Abadi-Needham (BAN) logic along with random oracle models and prove that our scheme is secure against different known attacks. High security and significantly low computation and communication costs make our scheme very suitable for multi-server environments as compared to other existing related schemes.
TL;DR: This paper proposes a lightweight privacy-preserving authentication protocol for the RFID system by considering the ideal PUF environment, and introduces an enhanced protocol which can support the noisy PUF environment.
Abstract: Radio frequency identification (RFID) has been considered one of the imperative requirements for implementation of Internet-of-Things applications. It helps to solve the identification issues of the things in a cost-effective manner, but RFID systems often suffer from various security and privacy issues. To solve those issues for RFID systems, many schemes have been recently proposed by using the cryptographic primitive, called physically uncloneable functions (PUFs), which can ensure a tamper-evident feature. However, to the best of our knowledge, none of them has succeeded to address the problem of privacy preservation with the resistance of DoS attacks in a practical way. For instance, existing schemes need to rely on exhaustive search operations to identify a tag, and also suffer from several security and privacy related issues. Furthermore, a tag needs to store some security credentials (e.g., secret shared keys), which may cause several issues such as loss of forward and backward secrecy and large storage costs. Therefore, in this paper, we first propose a lightweight privacy-preserving authentication protocol for the RFID system by considering the ideal PUF environment. Subsequently, we introduce an enhanced protocol which can support the noisy PUF environment. It is argued that both of our protocols can overcome the limitations of existing schemes, and further ensure more security properties. By analyzing the performance, we have shown that the proposed solutions are secure, efficient, practical, and effective for the resource-constraint RFID tag.
TL;DR: A three-factor user authentication protocol for WSN is presented to remove the weaknesses of previous protocols and is compared with other related protocols to show that the proposed protocol is robust and energy efficient for IoT applications.
Abstract: The Internet of Things (IoT) is an emerging technology and expected to provide solutions for various industrial fields. As a basic technology of the IoT, wireless sensor networks (WSNs) can be used to collect the required environment parameters for specific applications. Due to the resource limitation of sensor node and the open nature of wireless channel, security has become an enormous challenge in WSN. Authentication as a basic security service can be used to guarantee the legality of data access in WSN. Recently, Chang and Le proposed two authentication protocols for WSN for different security requirements. However, their protocol cannot provide proper mutual authentication and has other security and functionality defects. We present a three-factor user authentication protocol for WSN to remove the weaknesses of previous protocols. The security of the proposed protocol is analyzed, and the security, functionality and performance of our protocol are compared with other related protocols. The comparison results and simulation results by NS-3 show that the proposed protocol is robust and energy efficient for IoT applications.
TL;DR: This work presents a methodology to perform IoT device behavioral fingerprinting that can be employed to undertake strong device identification, and shows preliminary results for fingerprinting device categories, i.e., identifying different devices having similar functionality.
Abstract: The Internet-of-Things (IoT) has brought in new challenges in device identification --what the device is, and authentication --is the device the one it claims to be. Traditionally, the authentication problem is solved by means of a cryptographic protocol. However, the computational complexity of cryptographic protocols and/or problems related to key management, render almost all cryptography based authentication protocols impractical for IoT. The problem of device identification is, on the other hand, sadly neglected. Almost always an artificially created identity is softly associated with the device. We believe that device fingerprinting can be used to solve both these problems effectively. In this work, we present a methodology to perform IoT device behavioral fingerprinting that can be employed to undertake strong device identification. A device behavior is approximated using features extracted from the network traffic of the device. These features are used to train a machine learning model that can be used to detect similar device-types. We validate our approach using five-fold cross validation; we report an identification rate of 93-100 and a mean accuracy of 99%, across all our experiments. Furthermore, we show preliminary results for fingerprinting device categories, i.e., identifying different devices having similar functionality.
TL;DR: A new lightweight authentication scheme suitable for wearable device deployment that allows a user to mutually authenticate his/her wearable device(s) and the mobile terminal and establish a session key among these devices (worn and carried by the same user) for secure communication between the wearable device and the mobile terminal.
Abstract: Wearable devices are used in various applications to collect information including step information, sleeping cycles, workout statistics, and health-related information. Due to the nature and richness of the data collected by such devices, it is important to ensure the security of the collected data. This paper presents a new lightweight authentication scheme suitable for wearable device deployment. The scheme allows a user to mutually authenticate his/her wearable device(s) and the mobile terminal (e.g., Android and iOS device) and establish a session key among these devices (worn and carried by the same user) for secure communication between the wearable device and the mobile terminal. The security of the proposed scheme is then demonstrated through the broadly accepted real-or-random model, as well as using the popular formal security verification tool, known as the Automated validation of Internet security protocols and applications. Finally, we present a comparative summary of the proposed scheme in terms of the overheads such as computation and communication costs, security and functionality features of the proposed scheme and related schemes, and also the evaluation findings from the NS2 simulation.
TL;DR: This paper shows that the key agreement scheme of a recently proposed PUF based protocol is vulnerable for man-in-the-middle, impersonation, and replay attacks in the Yao–Dolev security model, and proposes an alternative scheme, which is able to solve these issues and can provide in addition a more efficient key agreement and subsequently a communication phase between two IoT devices connected to the same authentication server.
Abstract: Key agreement between two constrained Internet of Things (IoT) devices that have not met each other is an essential feature to provide in order to establish trust among its users. Physical Unclonable Functions (PUFs) on a device represent a low cost primitive exploiting the unique random patterns in the device and have been already applied in a multitude of applications for secure key generation and key agreement in order to avoid an attacker to take over the identity of a tampered device, whose key material has been extracted. This paper shows that the key agreement scheme of a recently proposed PUF based protocol, presented by Chatterjee et al., for Internet of Things (IoT) is vulnerable for man-in-the-middle, impersonation, and replay attacks in the Yao–Dolev security model. We propose an alternative scheme, which is able to solve these issues and can provide in addition a more efficient key agreement and subsequently a communication phase between two IoT devices connected to the same authentication server. The scheme also offers identity based authentication and repudiation, when only using elliptic curve multiplications and additions, instead of the compute intensive pairing operations.
TL;DR: This Tutorial Review highlights the diversity of the molecular platforms and the analytical techniques used for this purpose, some of which are highlighted in this Tutorial Review, and how those molecular systems can be used to emulate a broad spectrum of security measures.
Abstract: The idea of using molecules in the context of information security has sparked the interest of researchers from many scientific disciplines. This is clearly manifested in the diversity of the molecular platforms and the analytical techniques used for this purpose, some of which we highlight in this Tutorial Review. Moreover, those molecular systems can be used to emulate a broad spectrum of security measures. For a long time, molecular keypad locks enjoyed a clear preference and the review starts off with a description of how these devices developed. In the last few years, however, the field has evolved into something larger. Examples include more complex authentication protocols (multi-factor authentication and one-time passwords), the recognition of erroneous procedures in data transmission (parity devices), as well as steganographic and cryptographic protection.
TL;DR: In this attack, an attacker can obtain the key shared between a back-end database server and a tag in an ultra-lightweight mutual authentication protocol in IoT environments for RFID tags.
Abstract: Recently, Tewari and Gupta proposed an ultra-lightweight mutual authentication protocol in IoT environments for RFID tags. Their protocol aims to provide secure communication with least cost in both storage and computation. Unfortunately, in this paper, we exploit the vulnerability of this protocol. In this attack, an attacker can obtain the key shared between a back-end database server and a tag. We also explore the possibility in patching the system with some modifications.
TL;DR: Three representative identity-based remote user authentication schemes are employed as case studies to reveal the challenges and subtleties in designing a practical authentication scheme for mobile devices and a “provably secure” scheme for roaming services in mobile networks is scrutinized.
Abstract: Providing secure, efficient, and privacy-preserving user authentication in mobile networks is a challenging problem due to the inherent mobility of users, variety of attack vectors, and resource-constrained nature of user devices. Recent studies show that identity-based cryptosystems can eliminate the certificate overhead and thus address the issues associated with public-key infrastructure technology—which is a rare bit of good news in today's computer security world. In this paper, we employ three representative identity-based remote user authentication schemes (i.e., Truong et al.'s scheme, Li et al.'s scheme, and Zhang et al.'s scheme) as case studies to reveal the challenges and subtleties in designing a practical authentication scheme for mobile devices. First, we demonstrate that Truong et al.'s scheme, which was presented at the IEEE AINA 2012, cannot achieve a few important security goals under our new attacking scenarios: 1) it fails to resist against known session-specific temporary information attack; 2) it cannot withstand key compromise impersonation attack; and 3) it is of poor usability. Second, we show that Li et al.'s privacy-preserving scheme, which was proposed at GLOBECOM 2012, is subject to some subtle (yet severe) efficiency problems that make it virtually impossible for any practical use. Third, we scrutinize a “provably secure” scheme for roaming services in mobile networks designed by Zhang et al. at SCN 2015 and find it prone to collusion attack and replay attack. Further, we investigate into the underlying causes for these identified failures, and figure out an improvement over Truong et al.'s scheme to overcome the revealed challenges while maintaining reasonable efficiency.
TL;DR: An enhanced version of Mohit et al.'s authentication protocol for cloud-assisted TMIS is introduced, which can ensure patient anonymity and patient unlinkability and prevent the security threats of report revelation and report forgery attacks.
TL;DR: An improved 3FA scheme is presented and it is shown that the new scheme fulfills session key secrecy and mutual authentication using the formal verification tool ProVerif and is capable of withstanding various attacks, and provides desired security features.
Abstract: The deployment of telecare medical information system (TMIS) over public networks gives rise to the threat of exposing sensitive medical information to illegal entities. Although a number of three-factor authentication (3FA) schemes have been developed to address this challenge, most of them are found to be flawed. Understanding security and privacy failures of authentication protocols is a prerequisite to both fixing existing protocols and designing future ones. In this paper, we investigate the 3FA protocol of Lu et al. for TMIS (J Med Syst 39:32, 2015) and reveal that it cannot achieve the claimed security and privacy goals. (1) It fails to provide anonymity and untraceability, and is susceptible to the following attacks targeting user privacy: identity revelation attack, identity guessing attack and tracking attack. (2) It is susceptible to offline password guessing attack, user impersonation attack, and server impersonation attack. Then we present an improved 3FA scheme and show that the new scheme fulfills session key secrecy and mutual authentication using the formal verification tool ProVerif. Moreover, detailed heuristic security analysis is also presented to demonstrate that our new scheme is capable of withstanding various attacks, and provides desired security features. Additionally, performance analysis shows that our proposed protocol is a practical solution for TMIS.
TL;DR: This article proved that Kumari and Om’s protocol has some design flaws and is susceptible to various security attacks including user and sensor node impersonation attacks, and a robust authentication protocol using smartcard is constructed to solve the security issues found in Kumari and Om’s protocol.
Abstract: In current times, multimedia application includes integrated sensors, mobile networks and Internet-of-Things (IoT) services. In IoT services, if more devices are connected without much constraints, the problem of security, trust and privacy remain a challenge. For multimedia communications through Wireless Sensor Network (WSN), sensor nodes transmit confidential data to the gateway nodes via public channels. In such an environment, the security remains a serious issue from past many years. Only few works are available to support secure multimedia communications performed in IoT-enabled WSNs. Among the few works, Kumari and Om recently proposed an authentication protocol for multimedia communications in IoT-enabled WSNs, which is applicable in coal mine for safety monitoring. The authors claimed in their work that their contributory protocol strongly withstands several security threats such as user impersonation attack, sensor node impersonation attack, sensor node anonymity issue and other technical design issues. However, this article proved that Kumari and Om’s protocol has some design flaws and is susceptible to various security attacks including user and sensor node impersonation attacks. As a remedy, a robust authentication protocol using smartcard is constructed to solve the security issues found in Kumari and Om’s protocol. The proof of correctness of mutual authentication is performed using the BAN logic model. In addition, our further security investigation claimed strong protection against known security attacks. Our protocol is analyzed comprehensively and compared against the similar protocols and the results showed that it is more efficient and robust than earlier protocols.
TL;DR: This work presents a methodology to perform device behavioral fingerprinting that can be employed to undertake device type identification, and shows preliminary results for fingerprinting device categories, i.e., identifying different device types having similar functionality.
Abstract: The Internet-of-Things (IoT) has brought in new challenges in device identification --what the device is, and authentication --is the device the one it claims to be. Traditionally, the authentication problem is solved by means of a cryptographic protocol. However, the computational complexity of cryptographic protocols and/or scalability problems related to key management, render almost all cryptography based authentication protocols impractical for IoT. The problem of device identification is, on the other hand, sadly neglected. We believe that device fingerprinting can be used to solve both these problems effectively. In this work, we present a methodology to perform device behavioral fingerprinting that can be employed to undertake device type identification. A device behavior is approximated using features extracted from the network traffic of the device. These features are used to train a machine learning model that can be used to detect similar device types. We validate our approach using five-fold cross validation; we report an identification rate of 86-99% and a mean accuracy of 99%, across all our experiments. Our approach is successful even when a device uses encrypted communication. Furthermore, we show preliminary results for fingerprinting device categories, i.e., identifying different device types having similar functionality.
TL;DR: This study shows that Nikooghadam et al.'s proposed authentication and key agreement protocol is susceptible to insider, replay, and password-guessing attacks, and proposes a more secure authentication system that can withstand discrete attacks.
TL;DR: A blockchain-based cross-domain authentication model called BlockCAM is proposed, which has the characteristics of decentralization, anonymity and tamper-resistance, and has the advantage over the existing public key infrastructure cross-domain authentication schemes in efficiency.
Abstract: In a distributed network environment, companies and institutions have their own sharing resource. To prevent unauthorized users from accessing these shared resources, cross-domain authentication is necessary. For ensuring the safety and efficiency to access resources in different domain, we propose a blockchain-based cross-domain authentication model called BlockCAM and designed the cross-domain authentication protocol. BlockCAM employs consortium blockchain technology to construct a decentralized network with the root Certificate Authorities as the verification nodes. The hash values of the authorized certificates are stored in each block and the verification process only needs to compare whether the hash calculated by the certificate provided by the user is consistent with the hash stored in the blockchain. The authentication process omits the key encryption and decryption overhead. BlockCAM has the characteristics of decentralization, anonymity and tamper-resistance. Analyses show that BlockCAM has the advantage over the existing public key infrastructure (PKI) cross-domain authentication schemes in efficiency.
TL;DR: A new radio-frequency identification authentication protocol based on elliptic curve cryptography (ECC) to eliminate vulnerabilities in RFID systems, which is implemented in real RFID system using Omnikey smartcard reader and NXP Java smartcards.
Abstract: Progression of the internet technologies has led to the emergence of internet of things (IoT). One of the familiar deployments of IoT is through radio-frequency identification (RFID) technology. In recent times, RFID based systems are one of the most widely spread applications for tagging and keep tracking purposes in IoT deployment. This is due to their powerful features compared to their counterparts of similar techniques such as barcodes. In contrast, radio-frequency identification systems suffer from various attacks and security threats. The wireless channel used for communication is responsible for the majority of these vulnerabilities. In this paper, we propose a new radio-frequency identification authentication protocol based on elliptic curve cryptography (ECC) to eliminate these vulnerabilities. In addition, we use elliptic curve Diffie–Hellman (ECDH) key agreement protocol to generate a temporary shared key used to encrypt the later transmitted messages. Our protocol achieves a set of security properties like mutual authentication, anonymity, confidentiality, forward security, location privacy, resistance of man-in-the-middle attack, resistance of replay attack and resistance of impersonation attack. We implement our proposed protocol in real RFID system using Omnikey smartcard reader (Omnikey 5421) and NXP Java smartcards (J3A040). Implementation results show that our proposed protocol outperforms other similar protocols in terms of time complexity and requires less number of operations.
TL;DR: This paper proposes two privacy-preserving authentication and key agreement protocols (PPAKA-HAMC and PPAKA-IBS) to guarantee secure and anonymous D2D group communications.
Abstract: Device-to-Device (D2D) communications play a key role in the next generation mobile communication networks and wireless systems (5G) and the Internet of Things ecosystem. D2D group communications are significant for group based services. In spite of its benefits, new application scenarios and new system architecture expose the D2D group communications to unique security threats. Although there are numerous studies on security and privacy in two-user D2D communications, a lack of solutions on secure and privacy-preserving D2D group communications would restrict their wide usage. In this paper, we propose two privacy-preserving authentication and key agreement protocols (PPAKA-HAMC and PPAKA-IBS) to guarantee secure and anonymous D2D group communications. In our protocols, a group of D2D users mutually authenticate with each other without leaking their identity information while negotiating a common D2D group session key for secure communications in a D2D session. Formal security analysis and comprehensive performance evaluation show security and effectivity of our protocols.
TL;DR: An authentication model used in the IoD communication is discussed, and a rigorous comparative study of the existing schemes is done based on functionality features, security attacks, and also communication and computation costs.
Abstract: The Internet of Drones (IoD) provides the coordinated access to controlled airspace for the Unmanned Aerial Vehicles (called drones). The on-going cheaper costs of sensors and processors, and also wireless connectivity make it feasible to use the drones for several applications ranging from military to civilian. Since most of the applications using the drones involved in the IoD are real-time based applications, the users (external parties) usually have their interest in getting the real-time services from the deployed drones belonging to a particular fly zone. To address this important issue in the IoD, there is a great need of an efficient and secure user authentication approach in which an authorized user (for example, a driver of an ambulance) in the IoD environment can be given access to the data directly from an accessed drone. In this article, we first discuss an authentication model used in the IoD communication. We then discuss some security challenges and requirements for the IoD environment. A taxonomy of various security protocols in the IoD environment is also discussed. We then emphasize the study of some recently proposed user authentication schemes for the IoD communication. A detailed comparative study is done based on functionality features, security attacks, and also communication and computation costs. Through the rigorous comparative study of the existing schemes, we identify the strengths and weaknesses of the user authentication schemes for the IoD communication. Finally, we identify some of the challenges for the IoD that need to be addressed in the coming future.
TL;DR: This paper proposes an anonymous authentication protocol based on a cooperative authentication method that does not require mode synchronization between cooperative and non-cooperative authentication, and designs a two-layer pseudo-identity generation method and construct a key update tree for efficient revocation.
Abstract: Vehicular ad-hoc networks (VANETs) have been researched with regard to enhancing drivers' safety and comfort. In VANETs, all vehicles share their status and road conditions with neighboring nodes by periodically generating safety messages. To provide reliable VANET services, message authentication is an important feature. In particular, anonymous message authentication has attracted considerable interest, because periodic broadcast messages from a vehicle can be used to track its location. Unfortunately, previously proposed anonymous message authentication protocols had serious practical shortcomings, including high communication, authentication, and revocation costs, as well as reliability issues. Thus, in this paper, we propose an anonymous authentication protocol based on a cooperative authentication method. The proposed method does not require mode synchronization between cooperative and non-cooperative authentication. In addition, we design a two-layer pseudo-identity generation method and construct a key update tree for efficient revocation. Simulations show that our protocol does not result in packet losses caused by authentication overheads, even when the vehicle density is 200/km².
TL;DR: A privacy preserving biometrics-based authentication solution by which users can authenticate to different service providers from mobile phones without involving identity providers in the transactions by using a machine learning-based classification technique.
Abstract: We introduce a privacy preserving biometrics-based authentication solution by which users can authenticate to different service providers from mobile phones without involving identity providers in the transactions. Authentication is performed via zero-knowledge proof of knowledge, based on a cryptographic identity token that encodes the biometric identifier of the user and a secret provided by the user, making it three-factor authentication. Our approach for generating a unique, repeatable, and revocable biometric identifier from the user’s biometric image is based on a machine learning-based classification technique, which involves the features extracted from the user’s biometric image. We have implemented a prototype of the proposed authentication solution and evaluated our solution with respect to its performance, security, and privacy. The evaluation has been performed on a public data set of face images.
TL;DR: This work is the first to introduce and formalize the notion of password-based threshold token-based authentication which distributes the role of an identity provider among n servers, and introduces PASTA, a general framework that can be instantiated using any threshold token generation scheme.
Abstract: Token-based authentication is commonly used to enable a single-sign-on experience on the web, in mobile applications and on enterprise networks using a wide range of open standards and network authentication protocols: clients sign on to an identity provider using their username/password to obtain a cryptographic token generated with a master secret key, and store the token for future accesses to various services and applications. The authentication server(s) are single points of failure that, if breached, enable attackers to forge arbitrary tokens or mount offline dictionary attacks to recover client credentials. Our work is the first to introduce and formalize the notion of password-based threshold token-based authentication which distributes the role of an identity provider among n servers. Any t servers can collectively verify passwords and generate tokens, while no t-1 servers can forge a valid token or mount offline dictionary attacks. We then introduce PASTA, a general framework that can be instantiated using any threshold token generation scheme, wherein clients can "sign-on" using a two-round (optimal) protocol that meets our strong notions of unforgeability and password-safety. We instantiate and implement our framework in C++ using two threshold message authentication codes (MAC) and two threshold digital signatures with different trade-offs. Our experiments show that the overhead of protecting secrets and credentials against breaches in PASTA, i.e. compared to a naive single server solution, is extremely low (1-5%) in the most likely setting where client and servers communicate over the internet. The overhead is higher in case of MAC-based tokens over a LAN (though still only a few milliseconds) due to public-key operations in PASTA. We show, however, that this cost is inherent by proving a symmetric-key only solution impossible.
TL;DR: This work proposes a novel and lightweight RFID authentication scheme with cloud for e-healthcare applications that not only resists the common attacks, but also keeps mutual authentication, information integrity, forward untraceability and backward untraceability.
Abstract: As an important part of Internet of Things, Radio Frequency Identification (RFID) system employs low-cost RFID tag to communicate with everything containing animate and inanimate objects. This technology is widely used in the e-healthcare applications. However, the malicious communication environment makes people more and more worried. In order to overcome the hazards in the network, RFID authentication schemes for e-healthcare have been proposed by researchers. But since the computation ability of the tag is relatively weak, it is necessary to put forward a lightweight and secure scheme for medical systems. Moreover, cloud is widely accepted by people and used in many kinds of systems. So we propose a novel and lightweight RFID authentication scheme with cloud for e-healthcare applications. We use an enhanced formal security model to prove the security of our scheme. In this model the channel between the server and the reader is considered to be insecure and informal analysis is used to prove the security of the proposed scheme. Through the formal and informal analysis, our scheme not only resists the common attacks, but also keeps mutual authentication, information integrity, forward untraceability and backward untraceability. Moreover, both the tag and the reader can reach the anonymity. Our scheme is only hash-based and suitable to realize various security requirements. Compared to recent schemes of the same sort, it is more applicable in e-healthcare.