Improving authentication function in wireless mobile multicast communications

Mapoka, Trust T., Shepherd, Simon J., Anoh, Kelvin O.O., Abd-Alhameed, Raed, Dama, Yousef A.S., AlSabbagh, Haider M.

January 2015

No / In this paper a distributed authentication scheme based on independent session key per access network (HOISKA) is proposed for the decentralized multi-service group key management scheme in a wireless multicast environment. It enables a handover user Mi involved in multiple multicast service subscriptions to establish the long term credential from the trusted authentication server (As) during initial registration. The Mi then securely reuses the long term credential established to derive unique session keys per access network during handover across diverse access networks. The distributed nature HOISKA enables offloading the authentication function to the area network controllers (AKDs) such that As does not participate during handover authentication signalling. This simplifies handover by reducing handover exchange signalling constituting to less handover delays. Two scenarios for HOISKA, initial handover access (IAA) and Handover Access authentication (HAA) are presented then analyzed using the delay analytical model. The HOISKA model proves efficacy in both scenarios by inducing less transmission delays with comparable level of security compared to the widely deployed authentication scheme.

Wireless networks

User handover authentication

Security

Multicast communication

Mobility management

Group key management

Multi-Service Group Key Establishment for Secure Wireless Mobile Multicast Networks

Mapoka, Trust T., Dama, Yousef A.S., AlSabbagh, Haider M., Shepherd, Simon J., Abd-Alhameed, Raed

10 1900

Yes / Recently there is high demand in distributing multimedia services over the internet to ubiquitous and computational intelligent mobile subscribers by the service providers (SPs). In this instance, provision of those services must be restricted to authorized subscribers via integration of authentication and group key management (GKM). GKM with diverse group services subscribed dynamically by moving subscribers in wireless networks has been omitted in conventional approaches. However it is expected that significant key management overhead will arise in them due to multi-services co-existing in the same network. In this paper, we propose a scalable decentralized multi-service GKM scheme considering host mobility in wireless environment. In the scheme, authentication of mobile subscribers and key management phases are delegated from the trusted domain key distributor (DKD) to the subgroup controllers known as area key distributors (AKD). The trusted intermediate AKDs can then establish and distribute the service group keys to valid subscribers in a distributed manner using identity-based encryption without involving the domain key distributor (DKD). This alleviates unnecessary delays and possible bottlenecks at the DKD. We show by simulation that the proposed scheme has some unique scalability properties over known schemes in terms of optimized rekeying communication and storage overheads. The security performance studies have shown resilience to various attacks.

Multicast communication

Multi-service group key management

Wireless mobile multicast networks

A Security Framework for Wireless Sensor Networks

Zia, Tanveer

January 2008

Doctor of Philosophy (PhD) / Sensor networks have great potential to be employed in mission critical situations like battlefields but also in more everyday security and commercial applications such as building and traffic surveillance, habitat monitoring and smart homes etc. However, wireless sensor networks pose unique security challenges. While the deployment of sensor nodes in an unattended environment makes the networks vulnerable to a variety of potential attacks, the inherent power and memory limitations of sensor nodes makes conventional security solutions unfeasible. Though there has been some development in the field of sensor network security, the solutions presented thus far address only some of security problems faced. This research presents a security framework WSNSF (Wireless Sensor Networks Security Framework) to provide a comprehensive security solution against the known attacks in sensor networks. The proposed framework consists of four interacting components: a secure triple-key (STKS) scheme, secure routing algorithms (SRAs), a secure localization technique (SLT) and a malicious node detection mechanism. Singly, each of these components can achieve certain level of security. However, when deployed as a framework, a high degree of security is achievable. WSNSF takes into consideration the communication and computation limitations of sensor networks. While there is always a trade off between security and performance, experimental results prove that the proposed framework can achieve high degree of security with negligible overheads.

Ανάπτυξη μηχανισμών ΙΕΕΕ 802.15.4 σε πλατφόρμα περιορισμένων πόρων με επεξεργαστή MSP430 / Implementation of IEEE 802.15.4 mechanisms an a limited resources platform with MSP 430 microcontroller

Κατσαρός, Κωνσταντίνος

01 September 2009

Στη διπλωματική αυτή μελετήσαμε και υλοποιήσαμε μηχανισμούς ασφαλείας στο επίπεδο προσπέλασης μέσου (MAC) σε ένα ασύρματο δίκτυο αισθητήρων που βασίζονται στο πρότυπο ΙΕΕΕ 802.15.4. Συγκεκριμένα, ξεκινώντας από την υλοποίηση του επιπέδου MAC που υπάρχει στο TinyOS για την πλατφόρμα TelosB, αλλάξαμε το μηχανησμό backoff του CSMA-CA αλγορίθμου ώστε να γίνει συμβατός με το πρότυπο 802.15.4. Επίσης αναπτύξαμε της κατάλλήλες μεθόδους ώστε να ενσωματώσουμε στην υλοποίηση μηχανισμους ασφαλείας. Για το δεύτερο, αναπτύξαμε τον οδηγό (driver) για το ολοκληρωμένο CC2420 radio και κάναμε τις απαραίτητες πειραματικές μετρήσεις συγκρίνοντας το σύστημα σε τρείς λειτουργίες, δηλαδη χωρίς ασφάλεια, με ασφάλεια υλοποιημένη με λογισμικό (SW security) και με ασφάλεια χρησιμοποιώντας το ολοκληρωμενο CC2420 (HW security). Τέλος, μελετήθηκαν οι κύριοι μηχανισμοί διαχείρισης και διανομης των κλειδιών σε ένα δίκτυο και υλοποιήθηκαν δύο από αυτά τα μοντέλα. Το πρώτο βασίζεται στην πιθανολογική πρό-διανομη των κλειδιών ενώ το δεύτερο χρησιμοποιεί μηχανισμους ασυμμετρης κρυπτογραφίας, συγκεκριμένα ECC (elliptic curve cryptography) για να εγκαταστησει συμμετρικά κλειδιά στους κόμβους του δικτύου. / The thesis dealt with the implementation of the main medium access and security mechanisms in a wireless sensor network based on the IEEE 802.15.4 standard. More specifically, starting from the tinyos2.1 medium access implementation on the TelosB platform, the backoff mechanism was altered, in order to become fully 802.15.4 compliant, while the appropriate mechanisms were also developed in order to introduce the protocol's security features in the stack. For the latter, a driver for the CC2420 chip was developed and energy and performance meassurements were conducted, comparing the system under three modes of operation, namely with no security, with SW encryption/authentication and with HW encryption/authentication. Finally, the main mechanisms of key management and distribution in a deployed wireless sensor network were studied and developed. Specifically, we implemented two key management schemes. The first was a probalistic pre-distribution mechanism and the second an ECC (elliptic curve cryptography) mechanism of public cryptography in order to install symmetric keys on the motes.

Ασφάλεια

Κρυπτογράφηση

Διαχείριση κλειδιών

004.67

ΙΕΕΕ 802.15.4

Wireless sensor network

Security

Cryptography

Key management

E.C.C.

Secure communications for critical infrastructure control systems

Dawson, Robert Edward

January 2008

In March 2000, 1 million litres of raw sewage was released into the water system of Maroochy Shire on Queensland’s sunshine coast. This environmental disaster was caused by a disgruntled ex-contractor using a radio transmitter to illicitly access the electronically controlled pumps in the control system. In 2007 CNN screened video footage of an experimental attack against a electrical generator. The attack caused the generator to shake and smoke, visually showing the damage caused by cyber attack. These attacks highlight the importance of securing the control systems which our critical infrastructures depend on. This thesis addresses securing control systems, focusing on securing the communications for supervisory control and data acquisition (SCADA) systems. We review the architectures of SCADA systems and produce a list of the system constraints that relate to securing these systems. With these constraints in mind, we survey both the existing work in information and SCADA security, observing the need to investigate further the problem of secure communications for SCADA systems. We then present risk modelling techniques, and model the risk in a simple SCADA system, using the ISM, a software tool for modelling information security risk. In modelling the risk, we verify the hypothesis that securing the communications channel is an essential part of an effective security strategy for SCADA systems. After looking at risk modelling, and establishing the value of securing communications, we move on to key management for SCADA systems. Appropriate key management techniques are a crucial part of secure communications, and form an important part of the contributions made in this work. We present a key management protocol that has been designed to run under the constraints specific to SCADA systems. A reductionist security proof is developed for a simplified version of the protocol, showing it is secure in the Bellare Rogaway model.

A Security Framework for Wireless Sensor Networks

Zia, Tanveer

January 2008

Doctor of Philosophy (PhD) / Sensor networks have great potential to be employed in mission critical situations like battlefields but also in more everyday security and commercial applications such as building and traffic surveillance, habitat monitoring and smart homes etc. However, wireless sensor networks pose unique security challenges. While the deployment of sensor nodes in an unattended environment makes the networks vulnerable to a variety of potential attacks, the inherent power and memory limitations of sensor nodes makes conventional security solutions unfeasible. Though there has been some development in the field of sensor network security, the solutions presented thus far address only some of security problems faced. This research presents a security framework WSNSF (Wireless Sensor Networks Security Framework) to provide a comprehensive security solution against the known attacks in sensor networks. The proposed framework consists of four interacting components: a secure triple-key (STKS) scheme, secure routing algorithms (SRAs), a secure localization technique (SLT) and a malicious node detection mechanism. Singly, each of these components can achieve certain level of security. However, when deployed as a framework, a high degree of security is achievable. WSNSF takes into consideration the communication and computation limitations of sensor networks. While there is always a trade off between security and performance, experimental results prove that the proposed framework can achieve high degree of security with negligible overheads.

Evaluation of Key Management Protocols and Their Implementations / Utvärdering av Key Management Protokoll och dess implementationer

Andersson, Erik, Combler, David

January 2018

When constructing a network system it is important to consider the attributes which define said system and how to best build around those attributes. In this report we’ve studied Key Management Protocols as well as 802.15.4 WPAN networks and how key managment is conducted in such networks. This was done to better understand how Key Management Protocols themselves work and if, or how, they differ when used in 802.15.4 networks. In this report we studied 4 different Key Management Protocols: IKEv2,HIPv2,PANA and 802.1X as well as their various implementations. Based on the information gathered we analyzed how an implementation would work according to IEEE 802.15.9. Firstly we found was that IKEv2 offers a lot of functionality at the cost of system complexity and required a lot of memory. It also required major modifications to work in 802.15.4 networks. Secondly we found that HIPv2 offers the ability to separate the locator and identifier tags of TCP/IP and is lightweight. It doesn’t use IP or TCP/UDP and as such required minor changes to work in 802.15.4 networks. Finally, PANA and 802.1X both offer client-to-network authentication using EAP and use a moderate to high amount of space. 802.1X required a moderate amount of changes to work in 802.15.4 networks. PANA on the other hand required few changes, though it should not be used as a general purpose Key Management Protocol in 802.15.4 networks.

Key Management Protcol

Key Management

Evaluation

Comparison

IKEv2

HIPv2

PANA

802.1X

Implementation

strongSwan

OpenHIP

openPANA

Open1X

Computer Sciences

Datavetenskap (datalogi)

A Lab System for Secret Sharing / Utveckling av laborationssystem för secret sharing

Olsson, Fredrik

January 2004

Finnegan Lab System is a graphical computer program for learning how secret sharing works. With its focus on the algorithms and the data streams, the user does not have to consider machine-specific low-level details. It is highly modularised and is not restricted to secret sharing, but can easily be extended with new functions, such as building blocks for Feistel networks or signal processing. This thesis describes what secret sharing is, the development of a new lab system designed for secret sharing and how it can be used.

Informationsteknik

Cryptography

Graph-Based Application Framework

Java

Key Management

Secret Sharing

Informationsteknik

Computer and Information Sciences

Data- och informationsvetenskap

Securing Safebook : Secure Data Access Control and Key Management for Safebook

Ali, Waqas Liaqat

January 2013

Online social networks have become a fast and efficient way of sharing information and experiences. Over the past few years the trend of using social networks has drastically increased with an enormous amount of users’ private contents injected into the providers’ data centers. This has raised concerns about how the users’ contents are protected and how the privacy of users is preserved by the service providers. Moreover, current social networks have been subject to much criticism over their privacy settings and access control mechanism. The providers own the users’ contents and these contents are subject to potential misuse. Many socially engineered attacks have exposed user contents due to the lack of sufficient privacy and access control. These security and privacy threats are addressed by Project Safebook, a distributed peer-to-peer online social networking solution leveraging real life trust. By design Safebook decentralizes data storage and thus the control over user content is no longer in the service provider’s hands. Moreover, Safebook uses an anonymous routing technique to ensure communication privacy between different users. This thesis project addresses privacy aware data management for Safebook users and a data access control solution to preserve users’ data privacy and visibility utilizing a peer to peer paradigm. The solution focuses on three sub-problems: (1) preserving the user’s ownership of user data, (2) providing an access control scheme which supports fine grained access rights, and (3) secure key management. In our proposed system, the user profile is defined over a collection of small data artifacts. An artifact is the smallest logical entity of a profile. An artifact could be a user’s status tweak, text comment, photo album metadata, or multimedia contents. These artifacts are then logically arranged to form a hierarchical tree, call the User Profile Hierarchy. The root of the profile hierarchy is the only entry point exposed by Safebook from where the complete user profile can be traversed. The visibility of portions of the user profile can be defined by exposing a subset of profile hierarchy. This requires limiting access to child artifacts, by encrypting the connectivity information with specific access keys. Each artifact is associated with a dynamic access chain, which is an encrypted string and contains the information regarding the child nodes. A dynamic access chain is generated using a stream cipher, where each child’s unique identifier is encrypted with its specific access key and concatenated to form the dynamic access chain. The decryption process will reveal only those child artifacts whose access keys are shared. The access keys are managed in a hierarchical manner over the profile hierarchy. Child artifacts inherit the parent’s access key or their access key can be overridden with a new key. In this way, fine grained access rights can be achieved over a user’s artifacts. Remote users can detect changes in a specific branch of a profile hierarchy and fetch new artifacts through our proposed profile hierarchy update service. On top of the proposed access control scheme, any social networking abstraction (such as groups, circles, badges, etc.) can be easily implemented. / Online sociala nätverk har blivit ett snabbt och effektivt sätt att dela information och erfarenheter. Under de senaste åren har trenden med att använda sociala nätverk har ökat drastiskt med en enorm mängd av användarnas privata innehåll injiceras in i leverantörernas datacenter. Detta har väckt farhågor om hur användarnas innehåll skyddas och hur användarnas integritet bevaras av tjänsteleverantörerna. Dessutom har nuvarande sociala nätverk varit föremål för mycket kritik över sina sekretessinställningar och åtkomstkontroll. Leverantörerna äger användarnas innehåll och dessa innehåll är föremål för potentiellt missbruk. Många socialt konstruerade attacker har utsatt användarnas innehåll på grund av bristen på tillräcklig integritet och åtkomstkontroll. Dessa säkerhets-och privatliv hot hanteras av Project Safebook, en distribuerad peer-to-peer sociala nätverk online-lösning utnyttja verkliga livet förtroende. Genom design Safebook decentralizes datalagring och därmed kontrollen över användarens innehåll är inte längre i tjänsteleverantörens händer. Dessutom använder Safebook en anonym routing teknik för att säkerställa kommunikationen sekretess mellan olika användare. Detta examensarbete behandlar sekretess medvetna datahantering för Safebook användare och åtkomstkontroll lösning för att bevara användarnas integritet och synlighet använder en peer to peer paradigm. Lösningen fokuserar på tre delproblem: (1) bevara användarens ägande av användardata, (2) att tillhandahålla ett system för åtkomstkontroll som stöder finkorniga åtkomsträttigheter, samt (3) säkra nyckelhantering. I vårt föreslagna systemet, användaren profilen som definieras över en samling av små data-artefakter. En artefakt är det minsta logisk enhet i en profil. En artefakt kan vara en användares status tweak, text kommentar, fotoalbum metadata, eller multimedieinnehåll. Dessa artefakter då är logiskt ordnade att bilda ett hierarkiskt träd, ring Användarprofil Hierarki. Roten till profilen hierarkin är den enda inkörsporten exponeras genom Safebook varifrån hela användarprofil kan passeras. Synligheten av delar av användarprofilen kan definieras genom att exponera en delmängd av profilen hierarki. Detta kräver att begränsa tillgången till barn artefakter, genom att kryptera uppkopplingen informationen med särskilda snabbtangenter. Varje artefakt är associerad med en dynamisk tillgång kedja, som är en krypterad sträng och innehåller information om de underordnade noder. En dynamisk tillgång kedjan genereras med hjälp av en ström chiffer, där varje barns unika identifierare är krypterad med dess specifika tillgången knapp och sammanfogas för att bilda den dynamiska tillgång kedjan. Dekrypteringsprocessen avslöjar endast de barn artefakter vars tillgång nycklar delas. De snabbtangenter hanteras på ett hierarkiskt sätt över profilen hierarkin. Barn artefakter ärva föräldrarnas tillgång nyckel eller deras åtkomstnyckeln kan åsidosättas med en ny nyckel. På detta sätt kan finkorniga åtkomsträttigheter uppnås över en användares artefakter. Fjärranvändare kan upptäcka förändringar i en viss gren av en profil hierarki och hämta nya artefakter genom vår föreslagna profil hierarki uppdateringstjänst. Ovanpå den föreslagna åtkomstkontroll system kan alla sociala nätverk abstraktion (t.ex. grupper, cirklar, märken, osv.) lätt genomföras.

User Privacy

Access Control

Distributed Social Networks

Key Management

Användarnas Privatliv

Atkomstkontroll

Distribuerade Sociala Nätverk

Nyckelhantering

Communication Systems

Kommunikationssystem

Symmetric Key Management for Mobile Financial Applications : A Key Hierarchy Approach

Azam, Junaid

January 2013

In recent times the usage of smart phones has significantly increased. Businesses are transforming to make more out of smart phones. As a consequence, there is an increasing demand to have more and more mobile applications. Among other areas, mobile applications are also being used to make financial transactions. Applications used for financial transactions need to be more reliable and have end-to-end security. To implement security we heavily depend on cryptography and the heart of cryptography is the keys which are used in cryptographic processes (encryption/decryption). Therefore, it is essential not only to protect, but also to properly manage these keys, so that a robust and secure system can be achieved. This research work provides a complete implementation of symmetric key management for mobile phone applications with a focus on financial data using a key hierarchy approach. We have developed a key management system which allows smart phones to download the cryptographic key hierarchy. This key hierarchy is used to encrypt and decrypt financial data, such as PIN and other transaction information. Using this application (key management system), we can achieve an end-to-end security between client (mobile phones) and payment server (banking server). This research work presents implementation of key management system for Android OS only.

Symmetric Key Management

Key Hierarchy

Key Security

Financial Transaction

Mobile Phone

Mobile Application Security

mCommerce.

Computer and Information Sciences

Data- och informationsvetenskap