IoMT AUTHENTICATION AND AUTHORIZATION ACCESS CONTROL BASED ON MULTIPARTY TRUST NEGOTIATION

Allouzi, Maha Ali

19 April 2022

No description available.

Computer Science

Testing Fuzzy Extractors for Face Biometrics: Generating Deep Datasets

Tambay, Alain Alimou

11 November 2020

Biometrics can provide alternative methods for security than conventional authentication methods. There has been much research done in the field of biometrics, and efforts have been made to make them more easily usable in practice. The initial application for our work is a proof of concept for a system that would expedite some low-risk travellers’ arrival into the country while preserving the user’s privacy. This thesis focuses on the subset of problems related to the generation of cryptographic keys from noisy data, biometrics in our case. This thesis was built in two parts. In the first, we implemented a key generating quantization-based fuzzy extractor scheme for facial feature biometrics based on the work by Dodis et al. and Sutcu, Li, and Memon. This scheme was modified to increased user privacy, address some implementation-based issues, and add testing-driven changes to tailor it towards its expected real-world usage. We show that our implementation does not significantly affect the scheme's performance, while providing additional protection against malicious actors that may gain access to the information stored on a server where biometric information is stored. The second part consists of the creation of a process to automate the generation of deep datasets suitable for the testing of similar schemes. The process led to the creation of a larger dataset than those available for free online for minimal work, and showed that these datasets can be further expanded with only little additional effort. This larger dataset allowed for the creation of more representative recognition challenges. We were able to show that our implementation performed similarly to other non-commercial schemes. Further refinement will be necessary if this is to be compared to commercial applications.

Biometric

Fuzzy Extractor

Privacy

Dataset

Authentication

Face Image

A Novel Authentication And Validation Mechanism For Analyzing Syslogs Forensically

Monteiro, Steena D.S.

01 December 2008

This research proposes a novel technique for authenticating and validating syslogs for forensic analysis. This technique uses a modification of the Needham Schroeder protocol, which uses nonces (numbers used only once) and public keys. Syslogs, which were developed from an event-logging perspective and not from an evidence-sustaining one, are system treasure maps that chart out and pinpoint attacks and attack attempts. Over the past few years, research on securing syslogs has yielded enhanced syslog protocols that focus on tamper prevention and detection. However, many of these protocols, though efficient from a security perspective, are inadequate when forensics comes into play. From a legal perspective, any kind of evidence found at a crime scene needs to be validated. In addition, any digital forensic evidence when presented in court needs to be admissible, authentic, believable, and reliable. Currently, a patchy log on the server side and client side cannot be considered as formal authentication of a wrongdoer. This work presents a method that ties together, authenticates, and validates all the entities involved in the crime scene--the user using the application, the system that is being used, and the application being used on the system by the user. This means that instead of merely transmitting the header and the message, which is the standard syslog protocol format, the syslog entry along with the user fingerprint, application fingerprint, and system fingerprint are transmitted to the logging server. The assignment of digital fingerprints and the addition of a challenge response mechanism to the underlying syslogging mechanism aim to validate generated syslogs forensically.

Authentication and validation

foresic validity

model

system log files

Computer Sciences

High Assurance Models for Secure Systems

Almohri, Hussain

08 May 2013

Despite the recent advances in systems and network security, attacks on large enterprise networks consistently impose serious challenges to maintaining data privacy and software service integrity. We identify two main problems that contribute to increasing the security risk in a networked environment: (i) vulnerable servers, workstations, and mobile devices that suffer from vulnerabilities, which allow the execution of various cyber attacks, and, (ii) poor security and system configurations that create loopholes used by attackers to bypass implemented security defenses. Complex attacks on large networks are only possible with the existence of vulnerable intermediate machines, routers, or mobile devices (that we refer to as network components) in the network. Vulnerabilities in highly connected servers and workstations, that compromise the heart of today's networks, are inevitable. Also, modern mobile devices with known vulnerabilities cause an increasing risk on large networks. Thus, weak security mechanisms in vulnerable  network components open the possibilities for effective network attacks On the other hand, lack of systematic methods for an effective static analysis of an overall complex network results in inconsistent and vulnerable configurations at individual network components as well as at the network level. For example, inconsistency and faults in designing firewall rules at a host may result in enabling more attack vector. Further, the dynamic nature of networks with changing network configurations, machine availability and connectivity, make the security analysis a challenging task This work presents a hybrid approach to security by providing two solutions for analyzing the overall security of large organizational networks, and a runtime  framework for protecting individual network components against misuse of system resources by cyber attackers. We  observe that to secure an overall computing environment, a static analysis of a network is not sufficient. Thus, we couple our analysis with a framework to secure individual network components including high performance machines as well as mobile devices that repeatedly enter and leave networks. We also realize the need for advancing the theoretical foundations for analyzing the security of large networks. To analyze the security of large enterprise network, we present the first scientific attempt to compute an optimized distribution of defensive resources with the objective of minimizing the chances of successful attacks. To achieve this minimization, we develop a rigorous probabilistic model that quantitatively measures the chances of a successful attack on any network component. Our model provides a solid theoretical foundation that enables efficient computation of unknown success probabilities on every stage of a network attack. We design an algorithm that uses the computed attack probabilities for optimizing security configurations of a network. Our optimization algorithm  uses state of the art sequential linear programming to approximate the solution to a complex single objective nonlinear minimization problem that formalizes various attack steps and candidate defenses at the granularity of attack stages. To protect individual network components, we develop a new approach under our novel idea of em process authentication. We argue that to provide high assurance security, enforcing authorization is necessary but not sufficient. In fact, existing authorization systems lack a strong and reliable process authentication model for preventing the execution of malicious processes (i.e., processes that intentionally contain malicious goals that violate integrity and confidentiality of legitimate processes and data). Authentication is specially critical when malicious processes may use various system vulnerabilities to install on the system and stealthily execute without the user's consent. We design and implement the Application Authentication (A2) framework that is capable of monitoring application executions and ensuring proper authentication of application processes. A2 has the advantage of strong security guarantees, efficient runtime execution, and compatibility with legacy applications. This authentication framework reduces the risk of infection by powerful malicious applications that may disrupt proper execution of legitimate applications, steal users' private data, and spread across the entire organizational network. Our process authentication model is extended and applied to the Android platform. As Android imposes its unique challenges (e.g., virtualized application execution model), our design and implementation of process authentication is extended to address these challenges. Per our results, process authentication in Android can protect the system against various critical vulnerabilities such as privilege escalation attacks and drive by downloads. To demonstrate process authentication in Android, we implement DroidBarrier. As a runtime system, DroidBarrier includes an authentication component and a lightweight permission system to protect legitimate applications and secret authentication information in the file system. Our implementation of DroidBarrier is compatible with the Android runtime (with no need for modifications) and shows efficient performance with negligible penalties in I/O operations and process creations. / Ph. D.

Systems Security

Authentication

Mathematical Programming

Optimization

Security Risk

DYNAMICKÝ BIOMETRICKÝ PODPIS JAKO EFEKTIVNÍ NÁSTROJ PRO VNITROPODNIKOVOU KOMUNIKACI / DYNAMIC BIOMETRIC SIGNATURE AS AN EFFICIENT TOOL FOR INTERNAL CORPORATE COMMUNICATION

Hortai, František

January 2019

The aim of this thesis is to provide comprehensive information on the possibilities of authentication, combination of authentication factors and the integration of this issue into corporate communication. The work focuses on this issue and specifies the possibilities for obtaining authentication information, analyses the authentication methods, identification and authorization. It examines the applicability of biometric technologies, the principle of their functionality, examples of their use, their impact, the advantages and disadvantages they bring. A natural, easy-to-use, convenient tool for effective and secure communication is authentication including the dynamic biometric signature. The issues of the dynamic biometric signature technology and its implementation are examined from a comprehensive perspective involving experiments. The research proved that the dynamic biometric signature can serve as a method for supporting secure corporate communication and reduce authentication risks in companies and for individuals.

A PRIVACY-AWARE WEARABLE FRAMEWORK

Mohzary, Muhammad A.

05 December 2018

No description available.

Computer Science

METABOLOMICS APPROACH FOR AUTHENTICATION OF PISCO AND DETECTION OF CONTAMINANTS

Menevseoglu, Ahmed

January 2019

No description available.

Food Science

Evaluating intrusion detection points in an end-to-end solution

Pankaczi, Lilla

January 2023

Evaluating all intrusion detection points in an end-to-end cyber-physical system can be challenging. This master thesis focuses on evaluating the security of the most exposed part of such systems, Radio Frequency Identification (RFID) communication. As both the RFID reader and tag can be located outside of secure premises, RFID communication can be a target of several cyber threats. Common cyber-attacks such as replay attacks, eavesdropping, or tag cloning can be associated with the lack of security of the communication channel between the reader and the tag or flaws of the implemented authentication protocols and encryption algorithms. This thesis briefly summarizes parts 4 and 3 of the ISO/IEC 14443 standard, which specify the initialization, selection, and transmission protocols in high-frequency RFID smart-card and reader communication. A formal security analysis was conducted to evaluate these protocols using a tool called Scyther. Then, an improved authentication protocol was proposed utilizing a commercially available feature, the Random Unique Identifier of the card (RID). The Scyther protocol verification results showed that implementing RID can prevent many RFID attacks such as, eavesdropping or replay attacks, and protect the cardholder's privacy.

RFID

Random UID

Mutual Authentication

Scyther

Computer Engineering

Datorteknik

Preserving Trust Across Multiple Sessions in Open Systems

Chan, Fuk-Wing Thomas

13 July 2004

Trust negotiation, a new authentication paradigm, enables strangers on the Internet to establish trust through the gradual disclosure of digital credentials and access control policies. Previous research in trust negotiation does not address issues in preserving trust across multiple sessions. This thesis discusses issues in preserving trust between parties who were previously considered strangers. It also describes the design and implementation of trust preservation in TrustBuilder, a prototype trust negotiation system. Preserving trust information can reduce the frequency and cost of renegotiation. A scenario is presented that demonstrates that a server supporting trust preservation can recoup the cost of the trust preservation facility when approximately 25% of its requests are from repeat customers. The throughput and response time improve up to approximately 33% as the percentage of repeat customers grows to 100%.

Trust negotiation

single-sign-on

authentication

authorization

security

Computer Sciences

Extensible Pre-Authentication in Kerberos

Hellewell, Phillip L.

03 July 2007

Organizations need to provide services to a wide range of people, including strangers outside their local security domain. As the number of users grows larger, it becomes increasingly tedious to maintain and provision user accounts. It remains an open problem to create a system for provisioning outsiders that is secure, flexible, efficient, scalable, and easy to manage. Kerberos is a secure, industry-standard protocol. Currently, Kerberos operates as a closed system; all users must be specified upfront and managed on an individual basis. This paper presents EPAK (Extensible Pre-Authentication in Kerberos), a framework that enables Kerberos to operate as an open system. Implemented as a Kerberos extension, EPAK enables many authentication schemes to be loosely coupled with Kerberos, without further modification to Kerberos. EPAK provides the mutual benefits of enhancing the flexibility of Kerberos and increasing the viability of alternate authentication systems as they move to the enterprise.

Kerberos

security

authentication

SAW

trust negotiation

Computer Sciences