171 |
Single sign-on v J2EE webových aplikacích založené na protokolu SPNEGO/Kerberos / Single Sign-On in J2EE Web Applications Based on SPNEGO/Kerberos
Nečas, Tomáš, Unknown Date
The dissertation deals with requirements, analysis, description and integration of a Single Sign-On solution based on the SPNEGO/Kerberos protocol. The thesis provides an overview of the basic principles and concepts of Single Sign-On and deals with the Kerberos authentication mechanism in more detail. After introducing the fundamentals of the Kerberos protocol, its terminology and common implementations, attention is focused on the services and settings of the Microsoft Kerberos implementation in the Windows 2000/2003 environment. An authentication solution demonstration is performed on the J2EE platform using the authentication filter and plug-in. The thesis also includes a brief overview of integrating the Single Sign-On solution into different architectures of corporate information systems and describes the implementation process of this solution. In conclusion, the usability of the Kerberos Single Sign-On solution in today's business sector is analysed.
|
172 |
Design and Evaluation of Accelerometer Based User Authentication Methods
Haitham, Seror, January 2017
Smartphones are extremely popular and in high demand nowadays. They are easy to handle and very intuitive compared with old phones for end users. Approximately two billion people use Smartphones all over the world, so it is clear that these phones are very popular. One of the major issues of these smart phones is theft. What happens if someone steals your phone? Why should we try to secure our phones? The reason is that, even if the phone is stolen, the thief should not be able to open and use it through unlocking easily. People are generally careless while typing their password/pin code or drawing a pattern while others are watching. Maybe someone can see it just by standing next to or behind the person who is typing the pin or drawing the pattern. This scenario of getting the information is called shoulder surfing. Another scenario is to use a hidden camera, so-called Record monitoring. Shoulder surfing can be used by an attacker/observer to get passwords or PINs. Shoulder surfing is very easy to perform by just looking over the shoulder when a user is typing the PIN or drawing the unlock pattern. Record monitoring needs more preparation, but is not much more complicated to perform. Sometimes it also happens that the phone gets stolen and by seeing fingerprints or smudge patterns on the phone, the attacker can unlock it. These above two are general security threats for smart phone users. This thesis introduces some different approaches to overcome the above mentioned security threats in Smartphones. The basic aim is to make it more difficult to perform shoulder surfing or record monitoring, and these will not be easy to perform by the observer after switching to the new techniques introduced in the thesis. In this thesis, the usability of each method developed will be described and also future use of these approaches. There are a number of techniques by which a user can protect the phone from observation attacks.
Some of these will be considered, and a user interface evaluation will be performed in the later phase of development. I will also consider some important aspects while developing the methods, such as user friendliness, good UI concepts, etc. I will also evaluate the actual security added by the methods, and the overall user impression. Two separate user studies have been performed, the first one with students from the Computer Science department, and then one with students from other departments. The results indicate that students from Computer Science are more attracted to the new security solution than students from other departments.
|
173 |
Lightweight & Efficient Authentication for Continuous Static and Dynamic Patient Monitoring in Wireless Body Sensor Networks
Radwan Mohsen, Nada Ashraf, 11 December 2019
The emergence of the Internet of Things (IoT) brought about the widespread use of Body Sensor Networks (BSN) that continuously monitor patients using a collection of tiny-powered and lightweight bio-sensors offering convenience to both physicians and patients in the modern health care environment. Unfortunately, the deployment of bio-sensors in public hacker-prone settings means that they are vulnerable to various security threats exposing the security and privacy of patient information. This thesis presents an authentication scheme for each of two applications of medical sensor networks. The first is an ECC based authentication scheme suitable for a hospital-like setting whereby the patient is hooked up to sensors connected to a medical device such as an ECG monitor while the doctor needs real-time access to continuous sensor readings. The second protocol is a Chebyshev chaotic map-based authentication scheme suitable for deployment on wearable sensors allowing readings from the lightweight sensors connected to patients to be sent and stored on a trusted server while the patient is on the move. We formally and informally proved the security of both schemes. We also simulated both of them on AVISPA to prove their resistance to active and passive attacks. Moreover, we analyzed their performance to show their competitiveness against similar schemes and their suitability for deployment in each of the intended scenarios.
|
174 |
PGP und authentisierte Kommunikation mit Nutzern des URZ / PGP and Authenticated Communication with Users of the URZ
Mueller, Thomas, 21 June 1995
The talk presents the operating principles of PGP and the methods it uses. The aim is to establish a suitable technology in the university computing centre (Universitaetsrechenzentrum, URZ) for securing mail operations.
|
175 |
Secure and lightweight authentication schemes for Internet of Things (IoT)
Alshahrani, Mohammed M., 04 December 2019
IoT platforms face huge challenges in deploying robust authentication mechanisms due to the fact that edge devices and resource-constrained devices may not have enough compute and storage capabilities to deploy and run existing mechanisms, which involve in general complex computations. Moreover, establishing end-to-end device authentication in the Internet of Things (IoT) networks is challenging because of the heterogeneous nature of IoT devices. One of the well-known challenges confronting the IoT infrastructure is related to authentication. Many IoT devices rely on weak authentication schemes, which has led in the last few years to several successful and widely publicized hacking incidents. According to the ISO/IEC 27002 standard, authentication is the process of determining whether something is, in fact, what it is declared to be. Authentication is considered the main gate to protect IoT networks from various security threats; determining who the entity is (authentication) is of high importance to establish a secure session between IoT devices. This dissertation identifies gaps in the literature and presents new authentication schemes and security mechanisms to improve IoT security and privacy against common attacks such as replay and impersonation. This research enhances IoT security and privacy by introducing a new lightweight mutual authentication and key exchange protocol for IoT based on dynamic identity and cumulative chained-hash. Nodes can anonymously and mutually authenticate and establish a session with the controller node using dynamic identities and temporary symmetric keys in an unlinkable and untraceable manner. Moreover, the enforcement of security policies between nodes is guaranteed by setting up virtual domain segregation and restricting node capabilities of sending and receiving data to or from other nodes. The Cumulative chained-hash technique is introduced as a way to ensure the identity of the sender (through challenge-response). 
Additionally, we introduce a new anonymous device-to-device mutual authentication and key exchange protocol based on the ZigBee technique. The proposed protocol relies on symmetric encryption and counter and enables IoT devices to authenticate in the network and agree on a shared secret session key when communicating with each other via a trusted intermediary (home controller). To achieve forward secrecy, the session keys are changed frequently after every communication session. The proposed scheme achieves secure, anonymous authentication with the unlinkability and untraceability of IoT device transactions.
The security of the protocols is evaluated and simulated using three different methods: informal analysis, formal analysis using the Burrows–Abadi–Needham logic (BAN), and model-checking using the automated validation of Internet security protocols and applications (AVISPA) toolkit. The overhead and efficiency of the proposed schemes are analyzed and compared with other related schemes. The results showed that our protocols are in general more efficient. / Graduate
|
176 |
What are the Problems with Implementing Blockchain Technology for Decentralized IoT Authentication : A Systematic Literature Review
Kortzon, Daniel, January 2020
The implementation of internet of things is plagued by problems such as security and scalability. It is a very heterogeneous environment and overcoming these hurdles is therefore not an easy feat. A concept of using the decentralized and secure nature of the blockchain technology to combat these problems has been identified. However, the stark contrast of blockchain technology being resource hungry and internet of things devices being resource deprived is, among other things, a new hurdle that is introduced. This systematic literature study aimed to identify problems that arose when trying to merge these technologies while focusing on the authentication aspect. Smart contracts play a huge role in making most of the identified solutions at least feasible to implement on a larger scale. While most systems have solved the authentication problem, the major problems of the blockchain adaptation for internet of things remain unsolved. Three solutions were identified that really try to combat these problems by changing the blockchain technology at its core, while the rest feel like they are trying to do the best with what is available and fall short in some major way.
|
177 |
Memory-based Hardware-intrinsic Security Mechanisms for Device Authentication in Embedded Systems
Soubhagya Sutar (9187907), 30 July 2020
The Internet-of-Things (IoT) is one of the fastest-growing technologies in computing, revolutionizing several application domains such as wearable computing, home automation, industrial manufacturing, etc. This rapid proliferation, however, has given rise to a plethora of new security and privacy concerns. For example, IoT devices frequently access sensitive and confidential information (e.g., physiological signals), which has made them attractive targets for various security attacks. Moreover, with the hardware components in these systems sourced from manufacturers across the globe, instances of counterfeiting and piracy have increased steadily. Security mechanisms such as device authentication and key exchange are attractive options for alleviating these challenges.
In this dissertation, we address the challenge of enabling low-cost and low-overhead device authentication and key exchange in off-the-shelf embedded systems. The first part of the dissertation focuses on a hardware-intrinsic mechanism and proposes the design of two Physically Unclonable Functions (PUFs), which leverage the memory (DRAM, SRAM) in the system, thus requiring minimal (or no) additional hardware for operation. Two lightweight authentication and error-correction techniques, which ensure robust operation under wide environmental and temporal variations, are also presented. Experimental results obtained from prototype implementations demonstrate the effectiveness of the design. The second part of the dissertation focuses on the application of these techniques in real-world systems through a new end-to-end authentication and key-exchange protocol in the context of an Implantable Medical Device (IMD) ecosystem. Prototype implementations exhibit an energy-efficient design that guards against security and privacy attacks, thereby making it suitable for resource-constrained devices such as IMDs.
|
178 |
Design and Implementation of a Blockchain-based Global Authentication System Using Biometrics and Subscriber Identification Module
Khalili, Navid, 06 June 2022
The digital world tolerates a high volume of information and interactions. Considering the usage of electronic services by authorities, User Authentication (UA) is crucial. Numerous authentication methods are proposed in the literature; yet, identifying users based on their actual identities with the capability of global usage and respecting privacy is under research. By adopting Blockchain technology in the software industry, the record management systems have satisfied properties such as transparency, accountability, anonymity, and attack resiliency. Moreover, Smartphones are powerful devices capable of hosting a Subscriber Identification Module (SIM) Card that secures the execution of processes involving use of sensitive information. A combination of these technologies is the foundation of a strong UA in cyberspace. In this thesis, we propose the design and prototype of Blockchain-based Global Authentication System (BBGAS) that offers a secure, privacy-preserving, and transparent authentication system based on users' biometrics via Smartphones appropriate for service provider applications.
|
179 |
Automatic Detection and Prevention of Fake Key Attacks in Signal
Yadav, Tarun Kumar, 19 December 2019
The Signal protocol provides end-to-end encryption for billions of users in popular instant messaging applications like WhatsApp, Facebook Messenger, and Google Allo. The protocol relies on an app-specific central server to distribute public keys and relay encrypted messages between the users. Signal prevents passive attacks. However, it is vulnerable to some active attacks due to its reliance on a trusted key server. A malicious key server can distribute fake keys to users to perform man-in-the-middle or impersonation attacks. Signal applications support an authentication ceremony to detect these active attacks. However, this places an undue burden on the users to manually verify each other's public key. Recent studies reveal that the authentication ceremony is time-consuming and confusing, and almost nobody adopts it. Our goal is to explore various approaches for automatically detecting or preventing fake key attacks. We modified a local copy of the Signal server to demonstrate that active attacks are feasible. We then designed three defenses that automatically detect or prevent the attacks. We completed a threat analysis of the defenses and implemented some proof-of-concept prototypes for two of them. We analyze their strengths and weaknesses and outline avenues for future work.
|
180 |
The Use of One-Time Password and RADIUS Authentication in a GSS-API Architecture
Yang, Xi, January 2006
The Generic Security Service Application Program Interface (GSS-API) is an architecture that facilitates applications using distributed security services in a mechanism-independent fashion. GSS-API is supported by various underlying mechanisms and technologies such as Kerberos version 5 and public-key technologies. However, no one-time password based GSS-API mechanism existed. This thesis focuses on an investigation using one-time passwords together with RADIUS authentication as a protection facility for a GSS-API mechanism. This thesis presents a security architecture using one-time passwords to establish a GSS-API security context between two communicating peers. The proposed one-time password based GSS-API mechanism could be used to enhance the security of user authentication. Moreover, the mechanism can greatly facilitate the transition of static-password based systems to stronger authentication.
IETF GSS-API is an application programming interface (API) that provides distributed security services for authentication and data confidentiality independently of the underlying security architecture. Applications written against this API can therefore be moved or ported without being substantially rewritten. GSS-API is supported by several underlying security architectures such as Kerberos 5, Windows NTLM and PKI. The API also has so-called bindings for "C" and Java. At present, however, there is no solution based on one-time passwords. This master's thesis aims to investigate the possibility of using one-time passwords together with RADIUS to implement a new GSS-API mechanism. The thesis presents a proposal for how RADIUS and one-time passwords can be used to secure the communication between two GSS-API entities. The proposed mechanism can also be used to improve the security of user authentication and to enable a transition from static passwords to strong authentication.
|