Dissertationen zum Thema „Attribute authentication“

This thesis' major contribution is to propose an attribute based authentication scheme (AAS). An A AS scheme is a new cryptosystem that extends the field of public key cryptography and more precisely digital signatures. An AAS scheme allows a verifier lo decide on the set ol' attributes (b)he would like the signer to possess. The verifier sends the request to a group of possible signers as a monotone boolean expression. Any member with sufficient attributes can sign.

This master’s thesis focuses on implementation of ABC (Anonymous attribute-based credential) pilot system on the Android platform. The support for attribute authentication on the Android platform is very weak in terms of the number of implementations and needs a special attention. The theoretical part of the thesis describes the cryptographic support on the Android platform, the use of the Android Native Development Kit (NDK) and the Host-Card Emulation (HCE) service. The theoretical part of the thesis also includes a description of attribute authentication schemes, including a pilot RKVAC system. The practical part describes the implementation of the RKVAC system on the Android platform along with the implementation of a custom cryptographic kernel based on the native MCL cryptographic library. The practical part of this thesis describes implementation proces of RKVAC system on Android plaform, that uses native cryptographic library MCL. The final part shows the results of time, memory and computation difficulty of developed applications.

Devido Ãs crescentes ameaÃas inerentes aos sistemas de informaÃÃo, o uso de mecanismos de autenticaÃÃo e autorizaÃÃo baseados em identificador de usuÃrio e senha nÃo à mais suficiente para garantir a seguranÃa das informaÃÃes. Este trabalho propÃe um novo modelo de autenticaÃÃo e autorizaÃÃo para controle de acesso de aplicaÃÃes distribuÃdas, baseado em resumos criptogrÃficos e certificados de atributos. Os resumos criptogrÃficos sÃo utilizados no processo de autenticaÃÃo da aplicaÃÃo, enquanto os certificados de atributos especificam privilÃgios e outras informaÃÃes de autorizaÃÃo associadas ao seu proprietÃrio. Os certificados de atributos sÃo gerenciados pela infra-estrutura de gerenciamento de privilÃgios (IGP). A arquitetura e o funcionamento do modelo bem como os processos de geraÃÃo do certificado de atributos, autenticaÃÃo e autorizaÃÃo da aplicaÃÃo sÃo descritos. O modelo proposto foi especificado em Redes de Petri Coloridas e validado por meio de simulaÃÃes.
Due to increasing threats inherent to the information systems, the use of authentication and authorization mechanisms based in login and password does not enough to assure the information security. This work proposes a new model of authentication and authorization for distributed applications, based in hash and attributes certificates. Hash is used in the application authentication process, while certificates of attributes specify privileges and other authorization information. Its use is managed by the privilege management infrastructure (PMI). In this work, we describe the architecture and the functioning of the model, as well the processes of the attributes certificates generation, authentication and authorization of the application. The proposed model was specified in Coloured Petri Nets and validated by simulation.

The main goal of this diploma thesis was to create web applications for issuer, verifier and revocation authority of revocable keyed-verification anonymous credentials system. Applications created in this thesis provide functions for all tasks, that are performed by each entity. Using these applications a global management of RKVAC system is possible. Authentication module created in verifier’s app is universaly usable for access control to any web service. Both issuer’s and revocation authority’s app are compatible with whole RKVAC system and are therefor applicable as central elements of systems.

Dizertační práce se zabývá kryptografickými schématy zvyšující ochranu soukromí uživatelů v systémech řízení přístupu a sběru dat. V současnosti jsou systémy fyzického řízení přístupu na bázi čipových karet využívány téměř dennodenně většinou z nás, například v zaměstnání, ve veřejné dopravě a v hotelech. Tyto systémy však stále neposkytují dostatečnou kryptografickou ochranu a tedy bezpečnost. Uživatelské identifikátory a klíče lze snadno odposlechnout a padělat. Funkce, které by zajišťovaly ochranu soukromí uživatele, téměř vždy chybí. Proto je zde reálné riziko možného sledovaní lidí, jejich pohybu a chovaní. Poskytovatelé služeb nebo případní útočníci, kteří odposlouchávají komunikaci, mohou vytvářet profily uživatelů, ví, co dělají, kde se pohybují a o co se zajímají. Za účelem zlepšení tohoto stavu jsme navrhli čtyři nová kryptografická schémata založená na efektivních důkazech s nulovou znalostí a kryptografii eliptických křivek. Konkrétně dizertační práce prezentuje tři nová autentizační schémata pro využití v systémech řízení přístupu a jedno nové schéma pro využití v systémech sběru dat. První schéma využívá distribuovaný autentizační přístup vyžadující spolupráci více RFID prvků v autentizačním procesu. Tato vlastnost je výhodná zvláště v případech řízení přístupu do nebezpečných prostor, kdy pro povolení přístupu uživatele je nezbytné, aby byl uživatel vybaven ochrannými pomůckami (se zabudovanými RFID prvky). Další dvě schémata jsou založena na atributovém způsobu ověření, tj. schémata umožňují anonymně prokázat vlastnictví atributů uživatele, jako je věk, občanství a pohlaví. Zatím co jedno schéma implementuje efektivní revokační a identifikační mechanismy, druhé schéma poskytuje nejrychlejší verifikaci držení uživatelských atributů ze všech současných řešení. Poslední, čtvrté schéma reprezentuje schéma krátkého skupinového podpisu pro scénář sběru dat. Schémata sběru dat se používají pro bezpečný a spolehlivý přenos dat ze vzdálených uzlů do řídící jednotky. S rostoucím významem chytrých měřičů v energetice, inteligentních zařízení v domácnostech a rozličných senzorových sítí, se potřeba bezpečných systémů sběru dat stává velmi naléhavou. Tato schémata musí podporovat nejen standardní bezpečnostní funkce, jako je důvěrnost a autentičnost přenášených dat, ale také funkce nové, jako je silná ochrana soukromí a identity uživatele či identifikace škodlivých uživatelů. Navržená schémata jsou prokazatelně bezpečná a nabízí celou řadu funkcí rozšiřující ochranu soukromí a identity uživatele, jmenovitě se pak jedná o zajištění anonymity, nesledovatelnosti a nespojitelnosti jednotlivých relací uživatele. Kromě úplné kryptografické specifikace a bezpečnostní analýzy navržených schémat, obsahuje tato práce také výsledky měření implementací jednotlivých schémat na v současnosti nejpoužívanějších zařízeních v oblasti řízení přístupu a sběru dat.

L'internet des objets (IoT) est une nouvelle technologie qui vise à connecter des milliards d'objets physiques à Internet. Ces objets peuvent être engagés dans des relations complexes, notamment la composition et la collaboration avec d'autres systèmes indépendants et hétérogènes, afin de fournir de nouvelles fonctionnalités, conduisant ainsi à ce que l'on appelle les systèmes de systèmes (SoS). Les composants de l'IoT communiquent et collaborent dans des environnements distribués et dynamiques, confrontés à plusieurs problèmes de sécurité de grande ampleur. La sécurité es tconsidérée parmi les enjeux majeurs de l'IoT et soulève des défis liés aux contraintes de capacité de calcul et stockage ainsi que le très grand nombre des objets connectés. Dans cette thèse, nous nous intéressons à l'application des outils cryptographiques ainsi que la technologie blockchain pour résoudre les problèmes de sécurité dans l'IoT, à savoir : l'authentification et la gestion de confiance. Dans un premier lieu, nous nous sommes intéressés au problème du contrôle d'accès distant des actionneurs intelligents utilisant des dispositifs IoT. Pour aborder ce problème, nous avons proposé une solution de contrôle d'accès efficace et à granularité fine, basée sur le mécanisme ABE (Attribute Based Encryption) et des chaînes de hachage. À l'aide d'outils formels d'analyse de sécurité, nous avons démontré la sécurité de notre protocole face aux attaques malveillantes. Dans un deuxième lieu, nous avons abordé le problème d'authentification dans les applications IoT basé sur le paradigme du fog computing. Nous avons proposé un nouveau protocole d'authentification mutuelle efficace qui est basé sur la technologie blockchain et la cryptographie à seuil. Dans notre solution, les objets IoT et les serveurs de fog n'ont besoin que de quelques informations à stocker pour vérifier l'authenticité de chaque objet du système. L’authentification est effectuée seulement sur la bordure du réseau sans passer par des entités externes. Ainsi, la latence et la capacité de stockage sont réduites au minimum. Enfin, dans notre troisième contribution, nous avons proposé un nouveau protocole de gestion de réputation basé sur la technologie blockchain et le fog computing, avec la prise en charge de la mobilité des objets connectés. Notre protocole permet aux objets IoT d'évaluer et de partager avec précision la réputation relative aux autres objets de manière scalable, sans se recourir à une entité de confiance. Nous avons confirmé l'efficacité de notre protocole par des analyses théoriques et des simulations approfondies. Nous avons montré que notre protocole surpasse les solutions existantes,notamment en matière de scalabilité, prise en charge de la mobilité, la communication et le calcul
The Internet of things (IoT) is a new technology that aims to connect billions of physical devices to the Internet. The components of IoT communicate and collaborate between each other in distributed and dynamic environments, which are facing several security challenges. In addition, the huge number of connected objects and the limitation of their resources make the security in IoT very difficult to achieve. In this thesis, we focus on the application of lightweight cryptographic approaches and blockchain technology to address security problems in IoT, namely : authentication and trust management. First, we were interested on some kind of IoT applications where we need to control remotely the execution of smart actuators using IoT devices. To solve this problem, we proposed an efficient and fine-grained access controlsolution, based on the Attribute Based Encryption (ABE) mechanism and oneway hash chains. Using formal security tools, we demonstrated the security of our scheme against malicious attacks. Second, we tackled the problem of authentication in IoT based fog computing environments. Existing authentication techniques do not consider latency constraints introduced in the context of fog computing architecture. In addition, some of them do not provide mutual authentication between devices and fog servers. To overcome these challenges, we proposed a novel, efficient and lightweight mutual authentication scheme based on blockchain technologyand secret sharing technique. We demonstrated the efficiency of our authentication scheme through extensive simulations. The third problem treated in this work is the trust management in IoT. Existing trust management protocols do not meet the new requirements introduced in IoT such as heterogeneity, mobility and scalability. To address these challenges, we proposed a new scalable trust management protocol based on consortium blockchain technology and fog computing paradigm, with mobility support. Our solution allows IoT devices to accurately assess and share trust recommendations about other devices in a scalable way without referring to any pre-trusted entity. We confirmed the efficiency of our proposal through theoretical analysis and extensive simulations. Finally, we showed that our protocol outperforms existing solutions especially in terms of scalability, mobility support, communication and computation

The enormous growth of the Internet and the World Wide Web has provided the opportunity for an enterprise to extend its boundaries in the global business environment. While commercial functions can be shared among a variety of strategic allies - including business partners and customers, extranets appear to be the cost-effective solution to providing global connectivity for different user groups. Because extranets allow third-party users into corporate networks, they need to be extremely secure and external access needs to be highly controllable. Access control and authorisation mechanisms must be in place to regulate user access to information/resources in a manner that is consistent with the current set of policies and practices both at intra-organisational and cross-organisational levels. In the business-to-customer (B2C) e-commerce setting, a service provider faces a wide spectrum of new customers, who may not have pre-existing relationships established. Thus the authorisation problem is particularly complex. In this thesis, a new authorisation scheme is proposed to facilitate the service provider to establish trust with potential customers, grant access privileges to legitimate users and enforce access control in a diversified commercial environment. Four modules with a number of innovative components and mechanisms suitable for distributed authorisation on extranets are developed: * One-shot Authorisation Module - One-shot authorisation token is designed as a flexible and secure credential for access control enforcement in client/server systems; * Token-Based Trust Establishment Module - Trust token is proposed for server-centric trust establishment in virtual enterprise environment. * User-Centric Anonymous Authorisation Module - One-task authorisation key and anonymous attribute certificate are developed for anonymous authorisation in a multi-organisational setting; * Agent-Based Privilege Negotiation Module - Privilege negotiation agents are proposed to provide dynamic authorisation services with secure client agent environment for hosting these agents on user's platform

Ces dernières années, nous assistons à une immense révolution numérique de l’internet où de nombreuses applications, innovantes telles que l’internet des objets, les voitures autonomes, etc., ont émergé. Par conséquent, l’adoption des technologies d’externalisations des données, telles que le cloud ou le fog computing, afin de gérer cette expansion technologique semble inévitable. Cependant, l’utilisation du cloud ou du fog computing en tant que plateforme d’externalisation pour le stockage ou le partage des données crée plusieurs défis scientifiques. En effet, externaliser ses données signifie que l’utilisateur perd le contrôle sur ces derniers. D’où la sécurité des données devienne une préoccupation majeure qui doit être proprement traitée. C’est dans ce contexte que s’inscrivent les travaux de cette thèse dans laquelle nous avons déterminé dans un premier temps les principaux problèmes de sécurité liés à l’adoption du cloud et du fog computing. Puis, nous avons adressé trois problématiques de sécurité majeure, qui sont : 1 - Le contrôle d’accès aux données dans une architecture de type Cloud storage, où nous avons proposé une nouvelle solution de contrôle d’accès basée sur le chiffrement à base d’attributs. Notre solution assure un contrôle d’accès souple et à grains fins. De plus, elle permet d’effectuer une révocation immédiate des utilisateurs et des attributs sans aucune mise à jour des clés de chiffrement fournies aux utilisateurs. 2 - Le problème de l’authentification mutuelle entre les utilisateurs et les serveurs Fog dans une architecture Fog computing, où nous avons proposé un nouveau schéma d’authentification efficace, qui assure l’authentification mutuelle et qui est robuste contre les comportements malicieux des serveurs Fog. 3 - Le problème de traçabilité et de la protection de la vie privée dans le cadre des applications de partage d’informations publiques, où nous avons proposé une nouvelle solution pour le partage d’informations publiques assurant le service de traçabilité tout en préservant les informations privées des utilisateurs. Avec notre solution, les serveurs d’externalisations authentifient les utilisateurs sans pouvoir obtenir des informations sur leur vie privée. En cas de comportements malicieux, notre solution permet de tracer les utilisateurs malveillants grâce à une autorité
These last years, we are witnessing a real digital revolution of Internet where many innovative applications such as Internet of Things, autonomous cars, etc., have emerged. Consequently, adopting externalization technologies such as cloud and fog computing to handle this technological expansion seems to be an inevitable outcome. However, using the cloud or fog computing as a data repository opens many challenges in prospect. This thesis addresses security issues in cloud and fog computing which is a major challenge that need to be appropriately overcomed. Indeed, adopting these technologies means that the users lose control over their own data, which exposes it to several security threats. Therefore, we first investigated the main security issues facing the adoption of cloud and fog computing technologies. As one of the main challenges pointed in our investigation, access control is indeed a cornerstone of data security. An efficient access control mechanism must provide enforced and flexible access policies that ensure data protection, even from the service provider. Hence, we proposed a novel secure and efficient attribute based access control scheme for cloud data-storage applications. Our solution ensures flexible and fine-grained access control and prevents security degradations. Moreover, it performs immediate users and attributes revocation without any key regeneration. Authentication service in fog computing architecture is another issue that we have addressed in this thesis. Some traditional authentication schemes endure latency issues while others do not satisfy fog computing requirements such as mutual authentication between end-devices and fog servers. Thus, we have proposed a new, secure and efficient authentication scheme that ensures mutual authentication at the edge of the network and remedies to fog servers' misbehaviors.Finally, we tackled accountability and privacy-preserving challenges in information-sharing applications for which several proposals in the literature have treated privacy issues, but few of them have considered accountability service. Therefore, we have proposed a novel accountable privacy preserving solution for public information sharing in data externalization platforms. Externalization servers in our scheme authenticate any user in the system without violating its privacy. In case of misbehavior, our solution allows to trace malicious users thanks to an authority

This thesis deals with the topic of attribute based credentials with revocable anonymous credentials. The main focus of this work is the implementation of this scheme through a web application. The web application serves primarily as a visualization, which shows the functionality of this scheme through animations, and also as a practical demonstrator. Data and cryptographic calculations for individual system protocols are provided by the given cryptographic C application that communicates with the created application. The web application is also able to communicate with the connected smart card reader and the MultOS smart card and thus create the transmission of APDU commands and responses between the smart card and provided C application.

Dissertação de mestrado integrado em Telecommunications and Informatics Engineering
With sophisticate ways to forge authentication systems such as ticketing, there is a growing interest in a way to reduce fraud in these systems. To do so, attribute certificate’s technology will be used, more specifically, in a scheme where will be employed QR code to support its transport, to share and to present the attribute certificate for better identification so that a user has a harder task when trying to forge its identity. The proposed solution will make authentication systems more secure; validations will be available in both online and offline schemes; and since people these days are using and abusing smartphones, and companies need to reduce financial losses due to fraud, our system could easily be delivered with no extra cost for final users.
Com sofisticadas formas de forjar sistemas de autenticação como a bilhética, existe um enorme interesse para a redução de fraude nestes sistemas. Para isso, a tecnologia de certificados de atributo será usada, e mais especificamente numa forma onde serão empregues códigos QR para suportar o transporte, a partilha e a visualização do AC numa melhor identificação para que o individuo tenha uma tarefa complicada se pretender forjar a sua identidade. A solução proposta fará com que os sistemas de autenticação se tornem mais seguros; validações estão disponíveis nos modos online e offline; e, assumindo que nestes dias as pessoas usam e abusam dos smartphones, para a redução de custos nas empresas devido à fraude, este sistema pode ser empregue sem custo extra para o utilizador final.

碩士
國立交通大學
電機工程學系
104
As the rapid development of cloud computing technologies, health records are stored in a cloud system for information sharing and ease access. The electronic health record system running on a cloud needs to preserve the confidentiality and integrity of the health records. Nevertheless, in the current design, a patient can only share his/her health records with a doctor in a single hospital. Therefore, the doctor who needs to refer to the patient's health records in other hospitals may fail to access the records crossing hospitals, and similar examinations need to be reconducted. In this thesis, we propose an Auth, Auz and Access control scheme using Attribute-based encryption (called A4) to secure the confidentiality of the electronic health records transmitted over the Internet. A4 leverages ciphertext-policy attribute-based proxy re-encryption (CP-ABPRE) algorithm to encrypt and decrypt the health records stored in the cloud. A4 is composed of seven phases including "Init", "Reg", "Appoint", "EHRReqI", "EHRReqII", "Condult" and "Diagnosis" phases. The seven phases is to fulfill the health record requests in different scenarios. A4 allows a doctor to access the medical data crossing the hospitals when the doctor has to refer to a patient's health records in a different hospital for better diagnosis. $A^4$ also provides the functionality that allows a doctor to consult with other doctors specializing in different ontologies. By using BAN logic, we demonstrate the $A^4$ is secure enough to fulfill the fundamental security requirements, such as parties authentication and message freshness, etc. We also prove that $A_4$ can resist common attacks, including Replay Attack, Man-in-the-middle Attack, Eavesdropping Attack and DDOS Attack.

In service-oriented architecture, services can communicate and share data among themselves. This thesis presents a solution that allows detecting several types of data leakages made by authorized insiders to unauthorized services. My solution provides role-based and attribute-based access control for data so that each service can access only those data subsets for which the service is authorized, considering a context and service’s attributes such as security level of the web browser and trust level of service. My approach provides data protection in transit and at rest for both centralized and peer-to-peer service architectures. The methodology ensures confidentiality and integrity of data, including data stored in untrusted cloud. In addition to protecting data against malicious or curious cloud or database administrators, the capability of running a search through encrypted data, using SQL queries, and building analytics over encrypted data is supported. My solution is implemented in the “WAXEDPRUNE” (Web-based Access to Encrypted Data Processing in Untrusted Environments) project, funded by Northrop Grumman Cybersecurity Research Consortium. WAXEDPRUNE methodology is illustrated in this thesis for two use cases, including a Hospital Information System with secure storage and exchange of Electronic Health Records and a Vehicle-to-Everything communication system with secure exchange of vehicle’s and drivers’ data, as well as data on road events and road hazards.

To help with investigating data leakage incidents in service-oriented architecture, integrity of provenance data needs to be guaranteed. For that purpose, I integrate WAXEDPRUNE with IBM Hyperledger Fabric blockchain network, so that every data access, transfer or update is recorded in a public blockchain ledger, is non-repudiatable and can be verified at any time in the future. The work on this project, called “Blockhub,” is in progress.

碩士
中國科技大學
資訊工程系資訊科技應用碩士在職專班
107
The equipment of Internet of Things (IoT) has been widely used in daily life, such as automobiles, factory equipment, sweeping robots, smart audio, smart lighting and other household appliances. IoT uses embedded sensors and APIs through WIFI, 3G/4G, LORA, NB-IoT and other technologies to exchange information on the Internet. The IoT can combine with other key technologies such as big data management tools, AI machine learning, cloud computing, and RFID. IoT applications include all kinds of areas, such as home personal applications, industrial production automation applications, military equipment, transportation construction, smart water meters, intelligent transportation systems, hazardous industries (e.g., oil or mining), home monitoring systems and product quality supervision system, etc. Taking the IoT architecture of a smart family as an example, the main behavior of IoT system is the home product control and automation. The system includes many devices such as security door lock, monitor, air conditioning system, lighting control, and smart audio. These devices can transmit all kinds of detected information to the cloud service platform through Wi-Fi and 3G/4G. It allows users to view the real-time situation at home and control various home appliances in the home by computer, tablet and mobile phone. If a special situation occurs in the home, the warning message is transmitted to the users smart device through SMS, E-mail, and voice. In the IoT environment, many application services are accessed and controlled remotely. In this study, we designed a new remote user login authentication method based on geometric attributes to achieve fast computation with low computational complexity. In addition, we also combine the users biometric technology to enhance the security level. Our proposed authentication method satisfies the following security features: the user is anonymous, can resist forgery attacks, resist repeated attacks, provide fast detection errors, resist offline password guessing attacks, and resist server overload attacks. Finally, the user can easily