Secure Session Research Articles

Hierarchical and Dynamic Elliptic Curve Cryptosystem Based Self-Certified Public Key Scheme for Medical Data Protection

As our aging population significantly grows, personal health monitoring is becoming an emerging service and can be accomplished by large-scale, low-power sensor networks, such as Zigbee networks. However, collected medical data may reveal patient privacy, and should be well protected. We propose a Hierarchical and Dynamic Elliptic Curve Cryptosystem based self-certified public key scheme (HiDE) for medical data protection. To serve a large amount of sensors, HiDE provides a hierarchical cluster-based framework consisting of a Backbone Cluster and several Area Clusters. In an Area Cluster, a Secure Access Point (SAP) collects medical data from Secure Sensors (SSs) in the sensor network, and transmits the aggregated data to a Root SAP located in the Backbone Cluster. Therefore, the Root SAP can serve a considerable number of SSs without establishing separate secure sessions with each SS individually. To provide dynamic secure sessions for mobile SSs connecting SAP, HiDE introduces the Elliptic Curve Cryptosystem based Self-certified Public key scheme (ESP) for establishing secure sessions between each pair of Cluster Head (CH) and Cluster Member (CM). In ESP, the CH can issue a public key to a CM, and computes a Shared Session Key (SSK) with that CM without knowing the CM's secrete key. This concept satisfies the Zero Knowledge Proof so CHs can dynamically build secure sessions with CMs without managing a CM's secrete keys. Our experiments in realistic implementations and Network Simulation demonstrate that ESP requires less computation and network overhead than the Rivest-Shamir-Adleman (RSA)-based public key scheme. In addition, security analysis shows keys in ESP are well protected. Thus, HiDE can protect the confidentiality of sensitive medical data with low computation overhead, and keep appropriate network performance for wireless sensor networks.

클라우드 서비스 환경의 안전한 인증과 보안세션 관리를 위한 다중세션 인증 기법

Recently, as the service scale of cloud service is expanded, an anxiety due to concerns on new vulnerabilities and security related incidents and accidents are also increasing. This paper proposes a certification scheme for multiple session management of security sessions which are generated after the user authentication. The proposed session multiplexing scheme enables the independent management of security sessions in the level of virtualization (hypervisor) within the service provider. As a result of performance analysis, providing a strong safety due to session multiplexing and mutual authentication, and the superiority of performance was proven by comparing it with the existing mutual authentication encryption algorithms.

A User Authentication Scheme Based on Elliptic Curves Cryptography for Wireless Ad Hoc Networks.

The feature of non-infrastructure support in a wireless ad hoc network (WANET) makes it suffer from various attacks. Moreover, user authentication is the first safety barrier in a network. A mutual trust is achieved by a protocol which enables communicating parties to authenticate each other at the same time and to exchange session keys. For the resource-constrained WANET, an efficient and lightweight user authentication scheme is necessary. In this paper, we propose a user authentication scheme based on the self-certified public key system and elliptic curves cryptography for a WANET. Using the proposed scheme, an efficient two-way user authentication and secure session key agreement can be achieved. Security analysis shows that our proposed scheme is resilient to common known attacks. In addition, the performance analysis shows that our proposed scheme performs similar or better compared with some existing user authentication schemes.

A Provably Secure Three-Party Password Authenticated Key Exchange Protocol without Using Server's Public-Keys and Symmetric Cryptosystems

Three-party password authenticated key exchange (3PAKE) protocols allow two clients to establish a common secure session key via the help of an authentication server, in which each client only needs to share a single password with the server. Many researchers pay attention to 3PAKE protocols since they are well suited for large-scale communication in mobile environments. Recently, Farash et al. proposed an enhanced 3PAKE protocol without using server's public-keys and symmetric cryptosystems. They claimed that their protocol is secure against various attacks. However, we found that Farash et al.'s protocol is vulnerable to partition attacks and off-line dictionary attacks. Moreover, their protocol needs 5 rounds to work, so it is inefficient in terms of communication. To overcome these shortcomings, we improve their protocol and propose a provably secure 3PAKE protocol, which is more efficient and secure than other related protocols.DOI: http://dx.doi.org/10.5755/j01.itc.44.2.8197

BYOD 환경을 고려한 모바일 웹을 위한 세션 관리 개선 방안 연구

This paper explains a web session management system for mobile web environment with BYOD(Bring Your Own Device). This system operates by enhanced secure session token. This system consists of an unique identifier, time stamp, and encryption algorithm. The Unique identifier in this system classifies each mobile device for web security based on mobile environment with BYOD. And the Time stamp in this system that determine session effectiveness for web security. Also the Cipher algorithm in this system that protects session token information for web security. This paper analysis a security of session management system running on mobile web environment using the simulation techniques. The proposed method is more suitable than the other methods under enviroment mobile web environment with BYOD.

Enhancement key agreement scheme based on chaotic maps

Due to certain subtle and intimate links between the properties of traditional cryptosystems and chaotic systems, the application of chaotic systems to cryptography has received much attention from researchers in various disciplines. Key agreement schemes ensure secure communication and help two or more communicating parties establish a shared secure session key. Recently, many key agreement schemes that are based on chaotic maps have been proposed, some of which still require verification tables and remain insecure. Thus, we proposed an enhancement scheme to overcome these weaknesses – a concrete key agreement scheme that is based on the special properties of chaotic maps. This scheme provides secret and authenticated communication session keys and prevents known-key attacks.

A Virtual-Internetworking-Stack (VIS) Approach to Achieve a Flexible, Proprietary Security Model by Augmentation of the Transport Layer under the Collaborative Framework of Sine Wave Encryption Technique and Generation of Color QR Codes

Due to potentially peer works going on to address the loopholes in the existing system research works in Internet Security is never likely to saturate. The degree of one's need of security on Internet varies with one's economical, organizational and political position and the sensitivity of the information itself. This thesis envisages a Virtual Internetworking Stack (VIS), achieved by augmentation of the TCP/IP stack to befool possible cyber vigilance on one’s activities over the Internet. The model prescribes a secure session set-up randomly by exchanging colored QR codes, where the wavelength of the color determines the phase of a sinusoid used to encrypt/decrypt a message, which is understood only by a compatible and intended VIS-stack. Since, the augmentation of TCP/IP layer is done in the Kernel of the user’s Operating System, any message that this VIS-stack sends to another VIS-stack across the Internet, will be meaningless to the routers and gateways in between which participate in cyber vigilance; and an attempt to steal one’s information will be fooled by the proposed security model. We also present a vulnerability study and performance evaluation of the augmented TCP/IP stack, obtained by results of physically performed experiments.

Securing Online Bank Transactions from Phishing Attacks using MFA and Secure Session Key

Phishing is an online criminal activity using the collection of social engineering methods such as messages and emails to make the users to disclose their sensitive information such as personal details, username /password4 , etc. Since 2007 Net-Banking transactions are the target of the phishers. The strong techniques are required to avoid phishing attacks. In our paper, we proposed Multi Factor Authentication (MFA) and secure session key generation using Gaussian distribution to reduce the attacks caused by the phishers. Multi Factor Authentication technique authenticates the users using user’s signature image recognition8 and secret question answer. After successful authentication of user using Multi Factor Authentication technique, session key generated using Gaussian distribution is sent to user’s mobile phone. User proceeds with the transaction only after entering the session key received1 . By incorporating above mentioned techniques users can perform online transactions safely and securely. Keywords: Gaussian Distribution, Multi Factor Authentication, Phishing, Session Key, Social Engineering

Improvement of a chaotic maps-based three-party password-authenticated key exchange protocol without using server’s public key and smart card

Three-party password-authenticated key exchange (3PAKE) protocol allows two users to establish a secure session key over an insecure communication channel with the help of a trusted server. Recently, Farash and Attari proposed a chaotic maps-based 3PAKE protocol without using server’s public key, smart card and symmetric cryptosystems and claimed its security by providing well-organized security proof. Unfortunately, in this paper, we demonstrate that their protocol cannot resist impersonation attack and off-line password guessing attack. To overcome their security weaknesses, we propose an improved chaotic maps-based 3PAKE protocol with the same advantages. Further, we apply the pi calculus-based formal verification tool ProVerif to show that our 3PAKE protocol achieves authentication and security and show that our protocol is more efficient than Farash and Attari’s protocol in terms of computation and communication costs.

A lossy channel aware parameterisation of a novel security protocol for wireless IP-enabled sensors

IP-enabled sensors can be globally addressable by any Internet-connected entity, and therefore, their protection presents different challenges than that of traditional sensors, as they are subject to any potential attacker in the Internet. For this reason, specific security protocols must be developed to address the security requirements of IP-enabled sensors. An interesting approach to achieve this aim is the Ladon security protocol, which allows resource-deprived devices to efficiently implement end-to-end authentication, authorisation and key establishment mechanisms. However, in so limited environments such as sensor networks, not only efficient protocols must be defined, but they must also be optimally parameterised. This paper constitutes a step forward in this direction. First, a state transition model of the Ladon protocol is presented to analytically describe its behaviour. Then, this model is used to select the most effective parameterisation of the protocol in terms of message retransmissions and execution of cryptographic operations. The obtained results show that the selected parameterisation allows maximising the probability of a successful secure session establishment, while keeping the overhead introduced by the protocol low. Additionally, the performance comparison carried out shows that Ladon outperforms alternative approaches to achieve the same objective in terms of message transmission and reception operations.

Fast and Secure Session Mobility in IMS-based Vertical Handover Scenario

In this paper, the make-before-break handover method is basically considered in order to reduce the SIP (session initiation protocol) session restoration delay due to the interface switching during WiFi-to-3G vertical handover under IMS (IP multimedia subsystem). Actually, the session restoration delay in WiFi-to-3G handover scenario can be dramatically reduced by performing IMS registration and session re-setup beforehand via WiFi link before actual vertical handover. However, the proper SA (security association) setup scheme between MH (mobile host) and P-CSCF (proxy call session control function) should be developed for the successful pre-authenticated registration since the IP address bound to 3G interface has to be used instead of the IP address bound to WiFi interface as the source IP address of the packets that the MH generates. In this paper, we have enhanced SIP header in order to solve this kind of IP address-mismatch problem. That is, a SA setup scheme is proposed for pre-authenticated registration in WiFi-to-3G handover scenario. We also define IMS handover delay as the sum of authenticated registration delay and session re-setup delay occurring under IMS-based vertical handover. We finally show that this delay reduced by the proposed scheme is acceptable enough to provide delay-sensitive real-time services. Moreover, the modification is deployed only at MH and P-CSCF, which is independent of other party’s network as well as the CSCFs in MH’s HN (home network).

Security Analysis and Improvements of Authentication and Access Control in the Internet of Things

Internet of Things is a ubiquitous concept where physical objects are connected over the internet and are provided with unique identifiers to enable their self-identification to other devices and the ability to continuously generate data and transmit it over a network. Hence, the security of the network, data and sensor devices is a paramount concern in the IoT network as it grows very fast in terms of exchanged data and interconnected sensor nodes. This paper analyses the authentication and access control method using in the Internet of Things presented by Jing et al (Authentication and Access Control in the Internet of Things. In Proceedings of the 2012 32nd International Conference on Distributed Computing Systems Workshops, Macau, China, 18–21 June 2012, pp. 588–592). According to our analysis, Jing et al.'s protocol is costly in the message exchange and the security assessment is not strong enough for such a protocol. Therefore, we propose improvements to the protocol to fill the discovered weakness gaps. The protocol enhancements facilitate many services to the users such as user anonymity, mutual authentication, and secure session key establishment. Finally, the performance and security analysis show that the improved protocol possesses many advantages against popular attacks, and achieves better efficiency at low communication cost.

Provably secure authenticated Diffie-Hellman key exchange for resource-limited smart card

Authenticated Diffie-Hellman key agreement is quite popular for establishing secure session keys. As resource-limited mobile devices are becoming more popular and security threats are increasing, it is desirable to reduce computational load for these resource-limited devices while still preserving its strong security and convenience for users. In this paper, we propose a new smart-card-based user authenticated key agreement scheme which allows users to memorize passwords, reduces users’ device computational load while still preserves its strong security. The proposed scheme effectively improves the computational load of modular exponentiations by 50%, and the security is formally proved.

An efficient client–client password-based authentication scheme with provable security

Recently, Tso proposed a three-party password-based authenticated key exchange (3PAKE) protocol. This protocol allows two clients to authenticate each other and establish a secure session key through a server over an insecure channel. The main security goals of such protocols are authentication and privacy. However, we show that Tso's protocol achieves neither authentication goal nor privacy goal. In this paper, we indicate that the privacy and authentication goals of Tso's protocol will be broken by off-line password guessing attack and impersonation attack, respectively. To overcome the weaknesses, we propose an improved 3PAKE protocol to achieve more security and performance than related protocols. The security of the proposed improved protocol is proved in random oracle model.

Security Interaction of Web Services in Heterogeneous Platforms

Currently, there are a large number of heterogeneous platforms. The standards of Web Services in different platforms are different and complex. Therefore, security interaction of Web services based on heterogeneous platform has become increasingly prominent. In order to realize security interaction of heterogeneous platforms, a security interactive model of Web Service based on WebSphere and .NET is proposed in this paper. The model adopts an approach based on predicate logic to integrate the security policies of heterogeneous platforms and uses the integrated policy to sign the SOAP message. The experimental results show that the model can ensure the safety of SOAP message transmission and realize the security session between these two heterogeneous platforms. DOI : http://dx.doi.org/10.11591/telkomnika.v12i4.4734

An efficient and provably secure three-party password-based authenticated key exchange protocol based on Chebyshev chaotic maps

Three-party password-based authenticated key exchange (3PAKE) protocols allow two clients to establish a secure session key through a server over an insecure channel. Recently, the 3PAKE protocols have been developed based on Chebyshev chaotic maps, in which the clients utilize smart cards to login into the server and employ server’s public key to ensure the identity of the server or symmetric cryptosystems to encrypt the messages. However, this paper describes an efficient chaos-based 3PAKE protocol without smart cards, which requires neither server’s public key nor symmetric cryptosystems. The security of the proposed 3PAKE protocol is proved in the random oracle model using the chaos-based decisional Diffie–Hellman assumption. In comparison with the existing chaos-based 3PAKE protocols, our protocol individually provides better performance in terms of communication, computation, and security aspects, and is supported by the formal proof in the random oracle model.

Enhancing secure access to sensor data with user privacy support

With the development of solutions like 6LoWPAN, the implementation of IP technology in sensor devices is already a reality. Therefore, sensors can be natively integrated in the Internet, becoming globally addressable by any other Internet-connected party. Despite the huge potential of this approach, it also gives place to new threats, being one of the most critical ones the effective protection of the information gathered by sensors from unauthorised remote access attempts. A suitable solution to address this issue is the Ladon security protocol, which provides resource-deprived devices with end-to-end authentication, authorisation and key establishment mechanisms. Once the critical security issue has been solved, additional concerns arise. Specially remarkable is the protection of user privacy in order to prevent potential eavesdroppers from tracking users’ access trends and obtaining behavioural patterns. In this regard, authentication and authorisation processes deserve an special consideration, since they imply conveying user identity-related information to the targeted services. In this paper, we present a privacy-enhanced Ladon protocol by integrating the original protocol with the PrivaKERB user privacy framework for Kerberos. Due to the severe resource limitations that characterise the targeted environments, a performance evaluation of the proposed solution is carried out in order to prove that it meets the performance requirements of the considered environments in terms of energy cost and additional delay for each secure session establishment. The obtained results show that privacy-enhanced Ladon is a secure and efficient solution to implement privacy-supporting authentication and authorisation processes in resource-deprived environments.

A New Kind of Security Communication Mechanism with Security Sessions

For the smart card, the existing security system does not establish a secure communication with the terminal application, which makes the possibility of being attacked by intercepted, modified or forged orders. In this paper, the definition of security session is given. Through a combination of the original concept of security state and security attributes, security session can set up secure communication channel between the smart card and the applications on terminals, which form a new smart card security communication mechanism.

On the security of SSL/TLS-enabled applications

SSL/TLS (Secure Socket Layer/Transport Layer Security)-enabled web applications aim to provide public key certificate based authentication, secure session key establishment, and symmetric key based traffic confidentiality. A large number of electronic commerce applications, such as stock trading, banking, shopping, and gaming rely on the security strength of the SSL/TLS protocol. In recent times, a potential threat, known as main-in-the-middle (MITM) attack, has been exploited by attackers of SSL/TLS-enabled web applications, particularly when naive users want to connect to an SSL/TLS-enabled web server. In this paper, we discuss about the MITM threat to SSL/TLS-enabled web applications. We review the existing space of solutions to counter the MITM attack on SSL/TLS-enabled applications, and then, we provide an effective solution which can resist the MITM attack on SSL/TLS-enabled applications. The proposed solution uses a soft-token based approach for user authentication on top of the SSL/TLS’s security features. We show that the proposed solution is secure, efficient and user friendly in comparison to other similar approaches.

An undetectable on-line password guessing attack on Nam et al.'s three-party key exchange protocol

Three-party key exchange protocol is one of the most essential cryptographic technique in the secure communication areas. In this protocol, two clients, each shares a human-memorable password, working with a trusted server, can agree a secure session key. Recently, Lu and Cao proposed a new simple three-party key exchange S-3PAKE protocol and claimed that it is not only very simple and efficient, but also can survive against various known attacks. However, Nam et al. pointed out that S-3PAKE is vulnerable to both off-line password guessing attack and undetectable on-line password guessing attack. Based on their finding, Nam et al. proposed an improved method to resolve this weakness. They further claimed that so far no off-line password guessing attack has been successful against their proposed protocol. In this paper, we demonstrate that Nam et al.'s improved protocol, unfortunately, is still vulnerable to an undetectable on-line password guessing attack. We therefore propose a simple and powerful method to address this issue. Which results in an improved three-party key exchange protocol that can protect against an undetectable on-line password guessing attack.