Imran Erguler

Bio: Imran Erguler is an academic researcher from Scientific and Technological Research Council of Turkey. The author has contributed to research in topics: Encryption & Authentication. The author has an hindex of 7, co-authored 15 publications receiving 164 citations. Previous affiliations of Imran Erguler include Boğaziçi University & Doğuş University.

Achieving Flatness: Selecting the Honeywords from Existing User Passwords

Abstract: Recently, Juels and Rivest proposed honeywords (decoy passwords) to detect attacks against hashed password databases. For each user account, the legitimate password is stored with several honeywords in order to sense impersonation. If honeywords are selected properly, a cyber-attacker who steals a file of hashed passwords cannot be sure if it is the real password or a honeyword for any account. Moreover, entering with a honeyword to login will trigger an alarm notifying the administrator about a password file breach. At the expense of increasing the storage requirement by 20 times, the authors introduce a simple and effective solution to the detection of password file disclosure events. In this study, we scrutinize the honeyword system and present some remarks to highlight possible weak points. Also, we suggest an alternative approach that selects the honeywords from existing user passwords in the system in order to provide realistic honeywords—a perfectly flat honeyword generation method—and also to reduce storage cost of the honeyword scheme.

A potential weakness in RFID-based Internet-of-things systems

Abstract: In recent years, a large body of research has been devoted to the security and privacy of RFID that is expected to become a critical component of IoT (Internet of Things). Most of these studies have been conducted under the assumption that an RFID system consists of the following elements: RFID tags, a reader and a back-end server. However, in IoT scenario it is supposed that a high density of RFID readers will be deployed and networked to the system over the Internet. Hence, a multi-reader RFID environment circumstance, where readers may be mobile handsets like mobile phones, should be involved in the security analysis of RFID based IoT systems. In this paper, we point out that RFID authentication protocols in the IoT need new security mechanisms that consider untrustworthy RFID entities, compromised readers or insecure communication channel between the readers and the back-end servers. Thus, traditional RFID security schemes designed for closed-loop systems cannot fulfill security and privacy demands, if they are directly adapted to the IoT environment. To emphasize this discrimination, we demonstrate that a secure protocol in a closed-loop RFID system may jeopardize the security of the system in this new RFID concept. Furthermore, we address this fault by investigating the security of a recent IoT RFID authentication protocol, named as AKE-MRFID. We exploit security flaws that have gone unnoticed in the design and present three attacks: de-synchronization, replay and reader impersonation attacks. To defend against the aforementioned attacks, we amend the protocol with a stateful variant so that it holds the claimed security properties.

Scalability and Security Conflict for RFID Authentication Protocols.

Abstract: RFID technology continues to flourish as an inherent part of virtually every ubiquitous environment. However, it became clear that the public--implying the industry--seriously needs mechanisms emerging the security and privacy issues for increasing RFID applications. As the nodes of RFID systems mostly suffer from low computational power and small memory size, various attempts which propose to implement the existing security primitives and protocols, have ignored the realm of the cost limitations and failed. In this study, two recently proposed protocols--SSM and LRMAP--claiming to meet the standard privacy and security requirements are analyzed. The design of both protocols based on defining states where the server authenticates the tag in constant time in a more frequent normal state and needs a linear search in a rare abnormal states. Although both protocols claim to provide untraceability criteria in their design objectives, we outline a generic attack that both protocols failed to fulfill this claim. Moreover, we showed that the SSM protocol is vulnerable to a desynchronization attack which prevents a server from authenticating a legitimate tag. Resultantly, we conclude that defining computationally unbalanced tag states yields to a security/scalability conflict for RFID authentication protocols.

Scalability and Security Conflict for RFID Authentication Protocols

Abstract: RFID technology continues to flourish as an inherent part of virtually every ubiquitous environment. However, it became clear that the public--implying the industry--seriously needs mechanisms emerging the security and privacy issues for increasing RFID applications. As the nodes of RFID systems mostly suffer from low computational power and small memory size, various attempts which propose to implement the existing security primitives and protocols, have ignored the realm of the cost limitations and failed. In this study, two recently proposed protocols--SSM and LRMAP--claiming to meet the standard privacy and security requirements are analyzed. The design of both protocols based on defining states where the server authenticates the tag in constant time in a more frequent normal state and needs a linear search in a rare abnormal states. Although both protocols claim to provide untraceability criteria in their design objectives, we outline a generic attack that both protocols failed to fulfill this claim. Moreover, we showed that the SSM protocol is vulnerable to a desynchronization attack which prevents a server from authenticating a legitimate tag. Resultantly, we conclude that defining computationally unbalanced tag states yields to a security/scalability conflict for RFID authentication protocols.

A modified stream generator for the GSM encryption algorithms A5/1 and A5/2

Abstract: A5/1 and A5/2 are the GSM encryption algorithms that protect user data transmission over air. However, both of the A5/1 and A5/2 were cryptanalized by using different attack techniques such as time-memory trade off, divide and conquer and correlation attacks. In this study, we present a modified version of the A5/1 and A5/2 with offering security improvements to the vulnerabilities of the algorithms. By changing just the clocking mechanism of the shift registers used in the algorithms, it is shown that known attacks techniques become impractical.

Data quality in internet of things

Abstract: In the Internet of Things (IoT), data gathered from a global-scale deployment of smart-things, are the base for making intelligent decisions and providing services. If data are of poor quality, decisions are likely to be unsound. Data quality (DQ) is crucial to gain user engagement and acceptance of the IoT paradigm and services. This paper aims at enhancing DQ in IoT by providing an overview of its state-of-the-art. Data properties and their new lifecycle in IoT are surveyed. The concept of DQ is defined and a set of generic and domain-specific DQ dimensions, fit for use in assessing IoT's DQ, are selected. IoT-related factors endangering the DQ and their impact on various DQ dimensions and on the overall DQ are exhaustively analyzed. DQ problems manifestations are discussed and their symptoms identified. Data outliers, as a major DQ problem manifestation, their underlying knowledge and their impact in the context of IoT and its applications are studied. Techniques for enhancing DQ are presented with a special focus on data cleaning techniques which are reviewed and compared using an extended taxonomy to outline their characteristics and their fitness for use for IoT. Finally, open challenges and possible future research directions are discussed.

Water quality monitoring in a smart city: a pilot project

Abstract: A smart city is an urban development vision to integrate multiple information and communication technology (ICT), “Big Data” and Internet of Things (IoT) solutions in a secure fashion to manage a city's assets for sustainability, resilience and liveability. Meanwhile, water quality monitoring has been evolving to the latest wireless sensor network (WSN) based solutions in recent decades. This paper presents a multi-parameter water quality monitoring system of Bristol Floating Harbour which has successfully demonstrated the feasibility of collecting real-time high-frequency water quality data and displayed the real-time data online. The smart city infrastructure – Bristol Is Open was utilised to provide a plug & play platform for the monitoring system. This new system demonstrates how a future smart city can build the environment monitoring system benefited by the wireless network covering the urban area. The system can be further integrated in the urban water management system to achieve improved efficiency.

Scalable RFID security protocols supporting tag ownership transfer

Abstract: We identify privacy, security and performance requirements for radio frequency identification (RFID) protocols, as well as additional functional requirements such as tag ownership transfer. Many previously proposed protocols suffer from scalability issues because they require a linear search to identify or authenticate a tag. In support of scalability, some RFID protocols, however, only require constant time for tag identification, but, unfortunately, all previously proposed schemes of this type have serious shortcomings. We propose a novel scalable RFID authentication protocol based on the scheme presented in Song and Mitchell (2009) [1], that takes constant time to authenticate a tag. We also propose secret update protocols for tag ownership and authorisation transfer. The proposed protocols possess the identified privacy, security and performance properties and meet the requirements for secure ownership transfer identified here.

A Family of Dunces: Trivial RFID Identification and Authentication Protocols.

Abstract: Security and privacy in RFID systems is an important and active research area. A number of challenges arise due to the extremely limited computational, storage and communication abilities of a typical RFID tag. This paper describes a step-by-step construction of a family of simple protocols for inexpensive untraceable identification and authentication of RFID tags. This work is aimed primarily at RFID tags that are capable of performing a small number of inexpensive conventional (as opposed to public key) cryptographic operations. It also represents the first result geared for so-called batch mode of RFID scanning whereby the identification (and/or authentication) of tags is delayed. Proposed protocols involve minimal interaction between a tag and a reader and place very low computational burden on the tag. Notably, they also impose low computational load on back-end servers.