Mahdieh Ebrahimi; Majid Bayat; Behnam Zahednejad
Abstract
The medical system remains among the fastest to adopt the Internet of Things. The reason for this trend is that integration Internet of Things(IoT) features into medical devices greatly improve the quality and effectiveness of service. However, there are many unsolved security problems. Due to medical ...
Read More
The medical system remains among the fastest to adopt the Internet of Things. The reason for this trend is that integration Internet of Things(IoT) features into medical devices greatly improve the quality and effectiveness of service. However, there are many unsolved security problems. Due to medical information is critical and important, authentication between users and medical servers is an essential issue. Recently, Park et al. proposed an authentication scheme using Shamir's threshold technique for IoT-based medical information system and claimed that their scheme satisfies all security requirements and is immune to various types of attacks. However, in this paper, we show that Park et al.'s scheme does not achieve user anonymity, forward security, and mutual authentication and it is not resistant to the DoS attacks and then we introduce an improved mutual authentication scheme based on Elliptic Curve Cryptography (ECC) and Shamir 's secret sharing for IoT-based medical information system.In this paper, we formally analyze the security properties of our scheme via the ProVerif. Moreover, we compare our proposed scheme with other related schemes in terms of security and performance.
Mohammad Ali Hadavi; Arash Bagherdaei; Simin Ghasemi
Volume 13, Issue 2 , July 2021, , Pages 117-129
Abstract
< p>Automatic detection of access control violations in software applications is a challenging problem. Insecure Direct Object Reference (IDOR) is among top-ranked vulnerabilities, which violates access control policies and cannot be yet detected by automated vulnerability scanners. While such ...
Read More
< p>Automatic detection of access control violations in software applications is a challenging problem. Insecure Direct Object Reference (IDOR) is among top-ranked vulnerabilities, which violates access control policies and cannot be yet detected by automated vulnerability scanners. While such tools may detect the absence of access control by static or dynamic testing, they cannot verify if it is properly functioning when it is present. When a tool detects requesting access to an object, it is not aware of access control policies to infer whether the request is permitted. This completely depends on the access control logic and there is no automatic way to fully and precisely capture it from software behavior. Taking this challenge into consideration, this article proposes a black-box method to detect IDOR vulnerabilities in web applications without knowing access control logic. To this purpose, we first, gather information from the web application by a semi-automatic crawling process. Then, we tricksily manipulate legal requests to create effective attacks on the web application. Finally, we analyze received responses to check whether the requests are vulnerable to IDOR. The detection process in the analysis phase is supported by our set theory based formal modeling of such vulnerabilities. The proposed method has been implemented as an IDOR detection tool (IDOT) and evaluated on a couple of vulnerable web applications. Evaluation results show that the method can effectively detect IDOR vulnerabilities provided that enough information is gathered in the crawling phase.
Mansoureh Labbafniya; Shahram Etemadi Borujeni; Roghaye Saeidi
Abstract
Nowadays the security of the design is so important because of the different available attacks to the system. the main aim of this paper is to improve the security of the circuit design implemented on FPGA device. Two approaches are proposed for this purpose. The first is to fill out empty space ...
Read More
Nowadays the security of the design is so important because of the different available attacks to the system. the main aim of this paper is to improve the security of the circuit design implemented on FPGA device. Two approaches are proposed for this purpose. The first is to fill out empty space using flip-flops and LUTs so that there is no available space for inserting a hardware Trojan. We name this filling structure as Gate-chain. The second approach increases the security of the implemented design by identifying the low observable/controllable points of the main design and wiring them to the unused ports or the pre-designed Gate-chains. The proposed solutions not only prevent Trojan insertion but also increase the Trojan detection capabilities. Simulation results on Xilinx devices implementing different benchmarks show that the proposed method incurs dynamic power overhead just in test mode with less than one percent of delay overhead for critical path in normal mode.
Abdllkader Esaid; Mary Agoyi; Muhannad Tahboush
Abstract
Ad hoc network is infrastructure-less support, so network nodes are vulnerable to many attacks. Security attacks in Ad-Hoc networks are increasing significantly with time. They communicated and exchanged data should be also secured and kept confidential. Therefore, hybrid cryptography is proposed to ...
Read More
Ad hoc network is infrastructure-less support, so network nodes are vulnerable to many attacks. Security attacks in Ad-Hoc networks are increasing significantly with time. They communicated and exchanged data should be also secured and kept confidential. Therefore, hybrid cryptography is proposed to avoid unauthorized access to data. Data will be transmitted in an encrypted state, through Diffie-Hellman and later decrypted by the intended party. If a third party intercepts the encrypted data, it will be difficult to decipher. Ad Hoc on Demand Distance Vector (AODV) routing protocol is employed to determine the destination. The proposed solution is a hybrid mechanism of encryption algorithms. The NS-2.3 simulator was used to evaluate the performance of the proposed security algorithm. Simulation results have shown the performance of the proposed algorithm in the ad-hoc network on several metrics outperformed many developed security algorithm. A hybrid encryption algorithm for mitigating the effects of attacks in ad hoc networks was developed based on ADOV routing protocol. The algorithm manipulated AES and Blowfish encryption algorithms to increase the speed of the algorithm as well as encryption which will lead to preventing access to a packet while transmission in Ado- hoc network
Saadi Hadjer; Yagoub Mustapha C.E.; Rachida TOUHAMI
Abstract
The Internet of Things (IoT) is a very encouraging and fast-growing area that brings together the benefits of wireless systems, sensor networks, actuators, etc.A wide range of IoT applications have been targeted and several aspects of this field have been identified to address specific issues, ...
Read More
The Internet of Things (IoT) is a very encouraging and fast-growing area that brings together the benefits of wireless systems, sensor networks, actuators, etc.A wide range of IoT applications have been targeted and several aspects of this field have been identified to address specific issues, as well as technologies and standards developed in various domains such as in radio frequency identification(RFID), sensors, and mobile telephony, to name a few. This article aims to talk specifically about the RFID technology and its accompanying communication, authentication, risk, and security concerns while applied to the IoT field. An important part of this work is indeed focused on security aspects that derive from the use of RFID in IoT, especially in IoT networks. The results of our research work highlighted an excellent integration of RFID in the field of Internet of things, particularly in healthcare systems.
Mansoureh Labbafniya; Roghaye Saeidi
Abstract
Nowadays there are different kinds of attacks on Field Programmable Gate Array (FPGA). As FPGAs are used in many different applications, its security becomes an important concern, especially in Internet of Things (IoT) applications. Hardware Trojan Horse (HTH) insertion is one of the major security threats ...
Read More
Nowadays there are different kinds of attacks on Field Programmable Gate Array (FPGA). As FPGAs are used in many different applications, its security becomes an important concern, especially in Internet of Things (IoT) applications. Hardware Trojan Horse (HTH) insertion is one of the major security threats that can be implemented in unused space of the FPGA. This unused space is unavoidable to meet the place and route requirements. In this paper, we introduce an efficient method to fill this space and thus to leave no free space for inserting HTHs. Using a shift register in combination with gate-chain is the best way of filling unused space, which incurs a no increase in power consumption of the main design. Experimental results of implementing a set of IWLS benchmarks on Xilinx Virtex devices show that the proposed prevention and detection scheme imposes a no power overhead with no degradation to performance and critical path delay of the main design
A. Mohseni-Ejiyeh; M. Ashouri-Talouki; M. Mahdavi
Abstract
Due to the explosion of smart devices, data traffic over cellular networks has seen an exponential rise in recent years. This increase in mobile data traffic has caused an immediate need for offloading traffic from operators. Device-to-Device(D2D) communication is a promising solution to boost the ...
Read More
Due to the explosion of smart devices, data traffic over cellular networks has seen an exponential rise in recent years. This increase in mobile data traffic has caused an immediate need for offloading traffic from operators. Device-to-Device(D2D) communication is a promising solution to boost the capacity of cellular networks and alleviate the heavy burden on backhaul links. However, direct wireless connections between devices in D2D communication are vulnerable to certain security threats. In this paper, we propose an incentive-aware lightweight secure data sharing scheme for D2D communication. We have considered the major security challenges of the data sharing scheme, including data confidentiality, integrity, detecting message modification, and preventing the propagation of malformed data. We have also applied an incentive mechanism to motivate users involvement in the process of data sharing. Actually, D2D communication is highly dependent on user participation in sharing content, so, we apply the concept of virtual check to motivate users(named proxy users)to help the requesting user(client) in the process of obtaining the data. Unlike the previous studies, our proposed protocol is an stateless protocol and does not depend on the users contextual information. Therefore, it can be used at anytime and from anywhere. The security analysis proves that the proposed protocol resists the security attacks and meets the security requirements. The performance evaluation shows that the proposed protocol outperforms the previous works in terms of communication and computation cost. Thus, the proposed protocol is indeed an efficient and practical solution for secure data sharing in D2D communication.
K. Baghery; B. Abdolmaleki; B. Akhbari; M. R. Aref
Abstract
Nowadays Radio Frequency Identification (RFID) systems have appeared in lots of identification and authentication applications. In some sensitive applications, providing secure and confidential communication is very important for end-users. To this aim, different RFID authentication protocols have been ...
Read More
Nowadays Radio Frequency Identification (RFID) systems have appeared in lots of identification and authentication applications. In some sensitive applications, providing secure and confidential communication is very important for end-users. To this aim, different RFID authentication protocols have been proposed, which have tried to provide security and privacy of RFID users. In this paper, we analyze the privacy of two recently proposed RFID authentication protocols in 2012 and 2013. We present several traceability attacks including traceability, backward traceability and forward traceability against the first protocol. We also show that, the second protocol not only suffers from Denial-of-Service (DoS) attack, but also it is vulnerable to traceability and backward traceability attacks. We present our privacy analysis based on a well-known formal RFID privacy model which has been proposed by Ouafi and Phan in 2008. Then, in order to overcome the weaknesses, we apply some modifications on these protocols and propose two modified versions.
M. A. Akhaee; F. Marvasti
Abstract
This paper investigates digital data hiding schemes. The concept of information hiding will be explained at first, and its traits, requirements, and applications will be described subsequently. In order to design a digital data hiding system, one should first become familiar with the concepts and criteria ...
Read More
This paper investigates digital data hiding schemes. The concept of information hiding will be explained at first, and its traits, requirements, and applications will be described subsequently. In order to design a digital data hiding system, one should first become familiar with the concepts and criteria of information hiding. Having knowledge about the host signal, which may be audio, image, or video and the final receiver, which is Human Auditory System (HAS) or Human Visual System (HVS), is also beneficial. For the speech/audio case, HAS will be briefly reviewed to find out how to make the most of its weaknesses for embedding as much data as possible. The same discussion also holds for the image watermarking. Although several audio and image data hiding schemes have been proposed so far, they can be divided into a few categories. Hence, conventional schemes along with their recently published extensions are introduced. Besides, a general comparison is made among these methods leading researchers/designers to choose the appropriate schemes based on their applications. Regarding the old scenario of the prisoner-warden and the evil intention of the warden to eavesdrop and/or destroy the data that Alice sends to Bob, there are both intentional and unintentional attacks to digital information hiding systems, which have the same effect based on our definition. These attacks can also be considered for testing the performance or benchmarking, of the watermarking algorithm. They are also known as steganalysis methods which will be discussed at the end of the paper.
S. Mohammadi; A. Hakimi
Abstract
The intriguing characteristics of chaotic maps have prompted researchers to use these sequences in watermarking systems to good effect. In this paper we aim to use a tent map to encrypt the binary logo to achieve a like-noise signal. This approach makes extraction of the watermark signal by potential ...
Read More
The intriguing characteristics of chaotic maps have prompted researchers to use these sequences in watermarking systems to good effect. In this paper we aim to use a tent map to encrypt the binary logo to achieve a like-noise signal. This approach makes extraction of the watermark signal by potential attacker very hard. Embedding locations are selected based on certain principles. Experimental results demonstrate that our proposed watermarking method is highly superior to other techniques reported in literature and readily achieves the desired robustness and security level.
F. Salim; J. Reid; E. Dawson
Abstract
This article presents a survey of authorization models and considers their 'fitness-for-purpose' in facilitating information sharing. Network-supported information sharing is an important technical capability that underpins collaboration in support of dynamic and unpredictable activities such as emergency ...
Read More
This article presents a survey of authorization models and considers their 'fitness-for-purpose' in facilitating information sharing. Network-supported information sharing is an important technical capability that underpins collaboration in support of dynamic and unpredictable activities such as emergency response, national security, infrastructure protection, supply chain integration and emerging business models based on the concept of a 'virtual organization'. The article argues that present authorization models are inflexible and poorly scalable in such dynamic environments due to their assumption that the future needs of the system can be predicted, which in turn justifies the use of persistent authorization policies. The article outlines the motivation and requirement for a new flexible authorization model that addresses the needs of information sharing. It proposes that a flexible and scalable authorization model must allow an explicit specification of the objectives of the system and access decisions must be made based on a late trade-off analysis between these explicit objectives. A research agenda for the proposed Objective-Based Access Control concept is presented.
R. Ramezanian
Abstract
Many security protocols have the aim of authenticating one agent acting as initiator to another agent acting as responder and vice versa. Sometimes, the authentication fails because of executing several parallel sessions of a protocol, and because an agent may play both the initiator and responder role ...
Read More
Many security protocols have the aim of authenticating one agent acting as initiator to another agent acting as responder and vice versa. Sometimes, the authentication fails because of executing several parallel sessions of a protocol, and because an agent may play both the initiator and responder role in parallel sessions. We take advantage of the notion of transition systems to specify authentication for parallel multiple session's execution. To model the authentication, two main notions called 1. agent's scope and 2. agent's recognizability are introduced, which consider the difference of ability of agents due to their different roles in the protocol and different access to keys and secrets. To formalize above notions, a process algebra provided by some primitives for manipulating cryptographic messages is used. We formalize some security protocols and examine our definition of authentication for them. We just discuss the symmetric key case.