
Showing papers on "Message authentication code published in 2019"


Journal ArticleDOI
TL;DR: In this paper, a deep neural network-based framework was proposed for real-time authentication of wireless nodes, using the effects of inherent process variation on RF properties of the wireless transmitters (Tx), detected through in-situ machine learning at the receiver (Rx) end.
Abstract: Traditional authentication in radio-frequency (RF) systems enables secure data communication within a network through techniques such as digital signatures and hash-based message authentication codes (HMAC), which suffer from key-recovery attacks. State-of-the-art Internet of Things networks such as Nest also use open authentication (OAuth 2.0) protocols that are vulnerable to cross-site request forgery (CSRF), which shows that these techniques may not prevent an adversary from copying or modeling the secret IDs or encryption keys using invasive, side-channel, learning or software attacks. Physical unclonable functions (PUFs), on the other hand, can exploit manufacturing process variations to uniquely identify silicon chips, which makes a PUF-based system extremely robust and secure at low cost, as it is practically impossible to replicate the same silicon characteristics across dies. Taking inspiration from human communication, which utilizes inherent variations in voice signatures to identify a certain speaker, we present RF-PUF: a deep neural network-based framework that allows real-time authentication of wireless nodes, using the effects of inherent process variation on RF properties of the wireless transmitters (Tx), detected through in-situ machine learning at the receiver (Rx) end. The proposed method utilizes the already-existing asymmetric RF communication framework and does not require any additional circuitry for PUF generation or feature extraction. The burden of device identification is completely shifted to the gateway Rx, similar to the operation of a human listener's brain.
Simulation results involving the process variations in a standard 65-nm technology node, and features such as local oscillator offset and I/Q imbalance detected with a neural network having 50 neurons in the hidden layer, indicate that the framework can distinguish up to 4800 Tx(s) with an accuracy of 99.9% (≈99% for 10000 Tx(s)) under varying channel conditions, and without the need for traditional preambles. The proposed scheme can be used as a stand-alone security feature, or as part of traditional multifactor authentication.

187 citations


Journal ArticleDOI
TL;DR: This paper develops an authentication and key exchange protocol by combining the ideas of Identity-Based Encryption, PUFs and a keyed hash function, to show that this combination can do away with the requirement to store the secret challenge-response pair explicitly at the verifier end.
Abstract: Physically Unclonable Functions (PUFs) promise to be a critical hardware primitive for providing unique identities to billions of connected devices in the Internet of Things (IoT). In traditional authentication protocols a user presents a set of credentials with an accompanying proof such as a password or digital certificate. However, IoT needs more evolved methods, as these classical techniques suffer from the pressing problems of password dependency and an inability to bind access requests to the "things" from which they originate. Additionally, the protocols need to be lightweight and heterogeneous. Although PUFs seem promising for developing such a mechanism, they put forward an open problem: how to develop it without needing to store the secret challenge-response pair (CRP) explicitly at the verifier end. In this paper, we develop an authentication and key exchange protocol by combining the ideas of Identity-Based Encryption (IBE), PUFs and a keyed hash function, to show that this combination can do away with this requirement. The security of the protocol is proved formally under Session Key Security and the Universal Composability framework. A prototype of the protocol has been implemented to realize a secure video surveillance camera using a combination of an Intel Edison board and a Digilent Nexys-4 FPGA board carrying an Artix-7 FPGA, together serving as the IoT node. We show that, although the stand-alone video camera can be subjected to a man-in-the-middle attack via IP spoofing using standard network penetration tools, the camera augmented with the proposed protocol resists such attacks and fits aptly into an IoT infrastructure, making the protocol deployable for industry.

179 citations


Journal ArticleDOI
Jie Cui, Lu Wei, Jing Zhang, Yan Xu, Hong Zhong
TL;DR: A novel edge-computing concept is introduced into the message-authentication process of VANETs that can efficiently authenticate messages from nearby vehicles and broadcast the authentication results to the vehicles within its communication range, thereby reducing redundant authentication and enhancing the efficiency of the entire system.
Abstract: With the progress in wireless communication technology and the increasing number of vehicles, vehicular ad hoc networks (VANETs) have become essential for improving road conditions and enhancing the driving experience. The core of VANETs is the communication between different vehicles, and the security of that communication is based on message authentication. Several schemes have been designed to enhance the efficiency of message authentication. However, these schemes have the disadvantage of redundant authentication, i.e., repeated authentication of the same message, and fail to pick out invalid messages from a batch of messages. To solve these problems, this paper introduces a novel edge-computing concept into the message-authentication process of VANETs. In our scheme, the roadside unit can efficiently authenticate messages from nearby vehicles and broadcast the authentication results to the vehicles within its communication range, thereby reducing redundant authentication and enhancing the efficiency of the entire system. The security analysis results show that the proposed scheme satisfies the security requirements of VANETs. The performance analysis results show that the proposed scheme not only works well in an ideal environment where the attacker is absent but is also capable of quickly identifying valid and invalid messages even when the VANET is under attack.

148 citations


Journal ArticleDOI
Hong Zhong, Shunshun Han, Jie Cui, Jing Zhang, Yan Xu
TL;DR: This work proposes a privacy-preserving authentication scheme with full aggregation in VANETs, using a certificateless aggregate signature to achieve secure vehicle-to-infrastructure (V2I) communications, and uses pseudonyms to realize conditional privacy preservation.

108 citations


Journal ArticleDOI
TL;DR: It is considered that not every Internet of Things device or network design is able to afford the overhead and drop in performance, or even support such protocols, so the Value-to-HMAC method was designed to maximize performance while ensuring the messages are only readable by the intended node.
Abstract: With the proliferation of smart devices capable of communicating over a network using different protocols, more and more successful attacks are recorded against them each year, underlining the necessity of developing and implementing mechanisms to protect against such attacks. This paper reviews some existing solutions used to secure a communication channel, such as Transport Layer Security or symmetric encryption, and provides a novel approach to achieving confidentiality and integrity of messages. The method, called Value-to-Keyed-Hash Message Authentication Code (Value-to-HMAC) mapping, sends keyed-hash tags (which the paper calls signatures) in place of encrypted messages, by implementing a Keyed-Hash Message Authentication Code generation algorithm. Although robust solutions exist that can be used to secure the communication between devices, this paper considers that not every Internet of Things (IoT) device or network design is able to afford the overhead and drop in performance, or even support such protocols. Therefore, the Value-to-HMAC method was designed to maximize performance while ensuring the messages are only readable by the intended node. The experimental procedure demonstrates how the method achieves better performance than a symmetric-key encryption algorithm, while ensuring the confidentiality and integrity of information through the use of one mechanism.

95 citations
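The mapping idea in the abstract can be made concrete in a few lines: the sender emits an HMAC of the value instead of the value itself, and the receiver recovers the value by recomputing the HMAC over every candidate in a small, pre-agreed value space. The Python below is an added example and not the paper's implementation; the counter binding, the "counter:value" message encoding and the 8-bit value space are this example's own assumptions.

```python
import hashlib
import hmac
from typing import Iterable, List, Optional, Tuple

# Constructed example key; in practice each node pair would hold its own pre-shared key.
KEY = bytes(range(32))


class ValueToHmacSender:
    """Transmits a value from a small, agreed value space as (counter, HMAC tag) instead of ciphertext."""

    def __init__(self, key: bytes, digest=hashlib.sha256) -> None:
        self._key = key
        self._digest = digest
        self._counter = 0

    def send(self, value: int) -> Tuple[int, bytes]:
        # The counter is bound into the MAC so that equal values yield different tags
        # (no equality leakage across messages) and so the receiver can reject replays.
        ctr = self._counter
        self._counter += 1
        tag = hmac.new(self._key, f"{ctr}:{value}".encode(), self._digest).digest()
        return ctr, tag


class ValueToHmacReceiver:
    """Recovers the value by recomputing the HMAC over every candidate in the value space."""

    def __init__(self, key: bytes, value_space: Iterable[int], digest=hashlib.sha256) -> None:
        self._key = key
        self._values = list(value_space)
        self._digest = digest
        self._last_ctr = -1

    def receive(self, ctr: int, tag: bytes) -> Optional[int]:
        if ctr <= self._last_ctr:
            return None  # replayed or out-of-order counter
        for candidate in self._values:
            expected = hmac.new(self._key, f"{ctr}:{candidate}".encode(), self._digest).digest()
            if hmac.compare_digest(expected, tag):
                self._last_ctr = ctr
                return candidate
        return None  # unknown value, wrong key, or tampered tag


def roundtrip_demo() -> List[Optional[int]]:
    """Sends a few readings and returns what the receiver recovered (None marks a rejection)."""
    tx = ValueToHmacSender(KEY)
    rx = ValueToHmacReceiver(KEY, range(0, 256))  # hypothetical 8-bit sensor reading space
    results = []
    ctr, tag = tx.send(42)
    results.append(rx.receive(ctr, tag))  # genuine message: 42
    results.append(rx.receive(ctr, tag))  # replay of the same counter: rejected
    ctr, tag = tx.send(42)
    results.append(rx.receive(ctr, tag))  # same value again, but the tag differs from the first one
    ctr, tag = tx.send(7)
    results.append(rx.receive(ctr, bytes([tag[0] ^ 0x01]) + tag[1:]))  # one flipped bit: rejected
    results.append(rx.receive(ctr, tag))  # the genuine frame still gets through afterwards
    return results


if __name__ == "__main__":
    print(roundtrip_demo())
```

The receiver pays one HMAC per candidate per message, so this only suits value spaces of at most a few thousand entries; that cost, not the tag size, is the real limit of the approach. Binding a counter is what stops identical readings from producing identical tags (which would otherwise leak equality to an eavesdropper) and lets the receiver drop replays. As with any symmetric construction, confidentiality rests entirely on key secrecy and there is no non-repudiation: every holder of the key can both read and forge.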


Journal ArticleDOI
TL;DR: In this article, a modified one-class support vector machine (SVM) is proposed for CAN traffic anomaly detection; it uses an improved algorithm, known as the modified bat algorithm, to find the most accurate structure during offline training.
Abstract: The Controller Area Network (CAN) bus of electric vehicles serves as a legacy protocol for in-vehicle network communication. Simplicity, robustness, and suitability for real-time systems are the salient features of the CAN bus. Unfortunately, the CAN bus protocol is vulnerable to various cyberattacks due to the lack of a message authentication mechanism in the protocol itself, paving the way for attackers to penetrate the network. This paper proposes a new effective anomaly detection model for CAN traffic based on a modified one-class support vector machine. The proposed model makes use of an improved algorithm, known as the modified bat algorithm, to find the most accurate structure during offline training. To evaluate the effectiveness of the proposed method, CAN traffic is logged from an unmodified licensed electric vehicle in normal operation, without any attacks, to generate a dataset of each message ID and its occurrence frequency. In addition, to measure the performance of the proposed method against two other well-known CAN bus anomaly detection algorithms, Isolation Forest and the classical one-class support vector machine, we provide a Receiver Operating Characteristic (ROC) curve for each method to quantify the correctly classified windows in test sets containing attacks. Experimental results indicate that the proposed method achieves the highest True Positive Rate (TPR) and lowest False Positive Rate (FPR) for anomaly detection compared to the other two algorithms. Moreover, to show that the proposed method can be applied to other datasets, we use two recent popular public datasets in the area of CAN bus traffic anomaly detection. Benchmarking with more CAN bus traffic datasets shows that the proposed method is independent of the meaning of each message ID and data field, which makes the model adaptable to different CAN datasets.

81 citations
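The abstract describes building, from attack-free traffic, a per-message-ID occurrence-frequency dataset and then classifying windows of test traffic. The Python below is an added example (not the paper's code) that implements that pipeline with a deliberately simple detector in place of the modified one-class SVM: a per-ID frequency baseline with a z-score threshold, plus an immediate alarm for any arbitration ID never seen in training. The candump-style log format and the eight-second traffic trace are constructed for the example.

```python
import re
import statistics
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# candump-style log line, e.g. "(0.010) can0 0C1#0102030405060708" (constructed format)
LINE_RE = re.compile(r"^\((?P<ts>\d+\.\d+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$")


def parse_frame(line: str) -> Optional[Tuple[int, str]]:
    """Returns (timestamp in ms, arbitration ID) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return round(float(m.group("ts")) * 1000), m.group("id").upper()


def windows(frames: List[Tuple[int, str]], width_ms: int) -> List[Counter]:
    """Slices the frame stream into fixed-width time windows; each window is a per-ID occurrence count."""
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for ts_ms, can_id in frames:
        buckets[ts_ms // width_ms][can_id] += 1
    return [buckets[k] for k in sorted(buckets)]


class FrequencyBaseline:
    """Per-ID occurrence-frequency model learned from attack-free windows (a simple stand-in for
    the paper's one-class SVM; it needs only the standard library)."""

    def __init__(self) -> None:
        self.mean: Dict[str, float] = {}
        self.sd: Dict[str, float] = {}

    def fit(self, train: List[Counter]) -> "FrequencyBaseline":
        for can_id in set().union(*train):
            xs = [w.get(can_id, 0) for w in train]
            mu = statistics.fmean(xs)
            self.mean[can_id] = mu
            # Floor the spread: periodic CAN IDs are so regular that the sample stdev is often exactly 0.
            self.sd[can_id] = max(statistics.pstdev(xs), 0.05 * mu, 1.0)
        return self

    def score(self, window: Counter) -> float:
        """Largest absolute z-score across IDs; an ID never seen in training scores infinity."""
        worst = 0.0
        for can_id in set(window) | set(self.mean):
            if can_id not in self.mean:
                return float("inf")
            # A missing ID (count 0) scores just as badly as a flooded one: suppression is an attack too.
            z = abs(window.get(can_id, 0) - self.mean[can_id]) / self.sd[can_id]
            worst = max(worst, z)
        return worst

    def is_anomalous(self, window: Counter, k: float = 3.0) -> bool:
        return self.score(window) > k


def build_sample_log() -> List[str]:
    """Constructed 8-second trace: three periodic IDs; second 5 adds a 0C1 flood, second 6 an unknown ID."""
    lines: List[str] = []

    def emit(ms: int, can_id: str, data: str) -> None:
        lines.append(f"({ms // 1000}.{ms % 1000:03d}) can0 {can_id}#{data}")

    for ms in range(0, 8000):
        if ms % 10 == 0:
            emit(ms, "0C1", "0000000000000000")  # 100 Hz
        if ms % 20 == 0:
            emit(ms, "1A0", "FFFF")  # 50 Hz
        if ms % 100 == 0:
            emit(ms, "3E0", "01")  # 10 Hz
    for ms in range(5000, 6000, 5):
        emit(ms, "0C1", "DEADBEEF00000000")  # injected flood of a legitimate ID
    for ms in range(6000, 7000, 50):
        emit(ms, "7FF", "41")  # frames with an ID the vehicle never uses
    return lines


def detect(lines: List[str], train_seconds: int = 5, width_ms: int = 1000) -> List[bool]:
    """Trains on the first train_seconds windows and returns an anomaly verdict for every window."""
    frames = [f for f in map(parse_frame, lines) if f is not None]
    wins = windows(frames, width_ms)
    model = FrequencyBaseline().fit(wins[:train_seconds])
    return [model.is_anomalous(w) for w in wins]


if __name__ == "__main__":
    print(detect(build_sample_log()))
```

The verdict list flags only the flood window and the unknown-ID window. The frequency-only view is what makes the model indifferent to payload semantics, as the abstract claims for the SVM approach, but it is blind to attacks that keep the message cadence intact and only alter data bytes; those need a payload-aware model.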


Journal ArticleDOI
Jie Cui, Xiaoyu Zhang, Hong Zhong, Zuobin Ying, Lu Liu
TL;DR: This work proposes a reputation system-based lightweight message authentication framework and protocol for 5G-enabled vehicular networks that is based on the elliptic curve cryptosystem and supports batch authentication, and shows better performance in terms of time consumption when compared with related schemes.
Abstract: Traditional public key infrastructure-based authentication schemes provide vehicular networks with identity authentication and conditional privacy protection, which are not sufficient for assessing the credibility of messages. Additionally, although the new generation of cellular networks (5G) can dramatically improve the transmission efficiency of the messages, many existing authentication schemes are based on complex bilinear pairing operations, and the calculation time is too long to be suitable for delay-sensitive 5G-enabled vehicular networks. To address these issues, we propose a reputation system-based lightweight message authentication framework and protocol for 5G-enabled vehicular networks. The trusted authority (TA) is in charge of reputation management. A vehicle with a reputation score below the given threshold cannot obtain a credit reference from the TA for participating in the communication; therefore, the number of untrusted messages in vehicular networks is reduced from the source. Security analysis shows that our scheme is secure against an adaptively chosen-message attack, and also satisfies a series of requirements of vehicular networks. The scheme is based on the elliptic curve cryptosystem and supports batch authentication; therefore, it shows better performance in terms of time consumption when compared with related schemes.

77 citations


Journal ArticleDOI
TL;DR: A new certificateless aggregate signcryption scheme (CLASC) is proposed using a fog computing framework that supports mobility, low latency, and location awareness, and is proved to provide unforgeability and confidentiality under the random oracle model.
Abstract: In recent years, with the development of intelligent vehicles and wireless sensor network technology, research on road safety has attracted much attention in vehicular ad hoc networks (VANETs). By sensing events on the road, vehicles can broadcast information to inform others of traffic jams or accidents. However, the mobile vehicle network has a large transmission delay, which makes real-time content transmission impossible. In this paper, a new certificateless aggregate signcryption scheme (CLASC) is proposed using a fog computing framework that supports mobility, low latency, and location awareness. It is combined with online/offline encryption (OOE) technology, which removes many time-consuming operations and improves the security of vehicle users and the efficiency of message authentication. In addition, the scheme has the characteristics of mutual authentication, anonymity, untraceability, and non-deniability. Based on the difficulty of the discrete logarithm problem (DLP) and the computational Diffie–Hellman (CDH) problem, the scheme is further proved to provide unforgeability and confidentiality in the random oracle model. The simulation results show that, compared with existing schemes, this scheme can not only meet the security requirements of the system but also achieve higher efficiency in computation and communication.

76 citations


Journal ArticleDOI
TL;DR: This paper proposes a novel privacy-preserving patient health information sharing scheme, which allows HSPs to access and search PHI files in a secure yet efficient manner and makes use of the searchable encryption technique with keyword range search and multikeyword search.
Abstract: The integration of wearable wireless devices and cloud computing in e-health systems has significantly improved their effectiveness and availability. Patients can upload their personal health information (PHI) files to the cloud, from where health service providers (HSPs) can obtain appropriate information to determine the health state. This system not only reduces the costs associated with healthcare but also provides timely diagnosis to save lives. However, a number of privacy concerns arise while sharing sensitive information. In this paper, we propose a novel privacy-preserving patient health information sharing scheme, which allows HSPs to access and search PHI files in a secure yet efficient manner. We make use of the searchable encryption technique with keyword range search and multikeyword search. The proposed privacy-preserving equality test protocol allows different types of numeric comparison searches on encrypted data. We also use a variant of the Bloom filter and a message authentication code to classify PHI files, filter false data, and check the integrity of search results. The simulations on real-world and synthetic data show the feasibility and efficiency of the system, and security analysis proves the privacy-preservation properties.

75 citations


Journal ArticleDOI
Jie Cui, Di Wu, Jing Zhang, Yan Xu, Hong Zhong
TL;DR: In this scheme, the self-healing key distribution method is combined with a certificateless signature in a semi-trusted authority environment, such that receivers do not need to query the CRLs, thereby saving storage space and communication resources.
Abstract: With the development of intelligent transportation systems, vehicular ad hoc networks (VANETs) are widely used in safe driving and other applications. However, existing signature schemes, such as pseudonym- and group-based schemes, have certain problems, such as the need for certificate distribution and certificate revocation lists (CRLs). With such schemes, the vehicle needs to store a valid certificate generated by the management center. Simultaneously, the receiver needs to check the CRLs prior to message authentication. CRLs require large amounts of storage space and computational and communication resources. In addition, many such schemes are built on a fully trusted authority and do not meet real-world needs. Thus, we propose an efficient authentication scheme based on a semi-trusted authority in VANETs. In this scheme, we combine the self-healing key distribution method with a certificateless signature in a semi-trusted authority environment, such that receivers do not need to query the CRLs. Therefore, the vehicles do not have to store the CRLs, thereby saving storage space and communication resources. This also reduces the computational costs and improves the efficiency of message authentication. Since the proposed scheme is built on a semi-trusted authority, it is a more realistic approach.

71 citations


Journal ArticleDOI
TL;DR: This paper presents a new cryptographic solution to ADS-B security by first carefully exploiting some cryptographic primitives, and then adapting them to the air traffic-monitoring scenario, and shows that it simultaneously achieves the confidentiality and authenticity of ADS- B messages.
Abstract: As the heart of next-generation air transportation systems, automatic dependent surveillance-broadcast (ADS-B) is becoming a substitute for radar, because it can enhance flight safety by requiring aircraft to regularly broadcast their precise geographic positions. Despite its promise, the lack of security mechanisms, e.g., no data encryption and no message authentication, is a significant barrier to realistic deployment of this new technology. While many methods have been proposed for ADS-B security, they address either privacy or integrity but not both, and also need to change the current ADS-B standards. In this paper, we present a new cryptographic solution to ADS-B security by first carefully exploiting some cryptographic primitives and then adapting them to the air traffic monitoring scenario. In contrast to previous approaches, our proposed solution is not only highly compatible with existing ADS-B protocols, but also lightweight enough for congested data links and resource-constrained avionics. Furthermore, it can tolerate the packet loss and reordering that frequently occur in ADS-B wireless broadcast networks, making the proposed solution easy to deploy and practical. Security analysis shows that our proposal simultaneously achieves the confidentiality and authenticity of ADS-B messages. In addition, performance evaluation demonstrates the communication and computation efficiency of the proposal using flight data from OpenSky, a sensor network covering Central Europe that gathers ADS-B flight data. Finally, deployment in a real airport environment also proves the effectiveness of our solution.

Journal ArticleDOI
TL;DR: The proposed protocol, which provides security against man-in-the-middle, replay and impersonation attacks as well as patient anonymity, the known-key security property, data confidentiality, data non-repudiation, message authentication, session key security and patient unlinkability, is compared with existing related protocols in the same cloud-based TMIS.

Journal ArticleDOI
TL;DR: A biometric-based, efficient medical image watermarking scheme for E-healthcare applications is proposed, which provides authentication, confidentiality, and reliability.
Abstract: Information hiding is particularly used in security applications to protect a secret message from an unauthorised person. Due to the tremendous development of the Internet and its usage, the issue of protection over the Internet is increasing. Under such conditions, transferring information from the transmitter to the receiver requires more security. Accordingly, in my previous research, an efficient medical image watermarking technique for E-healthcare applications using a combination of compression and cryptography algorithms was proposed. That system only gives confidentiality and reliability. To overcome the problem, the authors propose a biometric-based, efficient medical image watermarking scheme for E-healthcare applications, which produces a system offering authentication, confidentiality, and reliability. The proposed system utilises the fingerprint biometric for authentication, a cryptographic process for confidentiality, and reversible watermarking for integrity. Basically, the proposed system consists of two stages, namely (i) the watermark embedding process and (ii) the watermark extraction process. The experiments were carried out on different medical images with electronic health records, and the effectiveness of the proposed algorithm is analysed with the help of peak signal-to-noise ratio and normalised correlation.

Journal ArticleDOI
TL;DR: A full solution to mitigate GOOSE replay and masquerade attacks is developed based on the proposed framework in IEC 62351 standard and results are included to show the viability of the solution.
Abstract: There is growing awareness of cybersecurity threats in power systems. Deployment of more intelligent electronic devices (IEDs) and communication lines increases the probability of such attacks. The IEC 61850 standard facilitates communication between different IEDs and eases interoperable operation with set data and message structures. An unwanted consequence of this standardized communication over Ethernet is increased vulnerability to cyber threats. Replay and masquerade attacks are of particular concern due to their imminent impact on operation. While detecting replay attacks is easier, since the original messages are used for the attack, masquerade attack messages may be difficult to distinguish from original ones. Furthermore, inadequate mitigation approaches may be tricked by the attackers, so that the system starts treating the attacker as the authentic sender and discards original messages from authentic sources. It is vital to develop an approach that incorporates message authentication: when attackers modify message contents to bypass security systems, the tampering can be detected and the messages discarded. This paper analyses replay and masquerade attacks on IEC 61850 GOOSE messages and develops a solution that mitigates both. To detect modified messages, two distinct authentication mechanisms are utilized: RSA, since it is the algorithm stipulated in IEC 62351-6, and the Elliptic Curve Digital Signature Algorithm (ECDSA), due to its widespread use in smart grid cybersecurity solutions. A full solution to mitigate GOOSE replay and masquerade attacks is developed based on the framework proposed in the IEC 62351 standard. The full implementation is tested in the lab and results are included to show the viability of the solution.

Journal ArticleDOI
TL;DR: This study considers Huang and Li's PAEKS scheme and proves that it is not secure against inside keyword guessing attacks, and proposes a modified scheme to fix the problem without any additional communication or computation costs.
Abstract: In 2017, the notion of public key authenticated encryption with keyword search (PAEKS) and its security model was defined by Huang and Li. Their main motivation was providing security against inside keyword guessing attacks (KGA). They also proposed a concrete PAEKS scheme secure in their proposed model. In this study, the authors first show that their security model has an important drawback and therefore, cannot handle multi-user settings. As such settings are a necessity in the public-key environment, it is vital to improving the model to capture multiple users. This is what they do in the first part of this study. Then, they consider Huang and Li's PAEKS scheme and prove that it is not secure against inside (and even outside) KGA. Finally, they propose a modified scheme to fix the problem without any additional communication or computation costs. They further prove that the new scheme is secure in the improved model.

Journal ArticleDOI
TL;DR: This short communication article proposes implementation of the Message Authentication Code (MAC) algorithms, such as Hash-based Message authentication code (HMAC) and Advanced Encryption Standard-Galois Message Authentication code (AES-GMAC), for GOOSE message integrity.
Abstract: There is growing awareness of cybersecurity threats in power systems. The IEC 61850 standard facilitates communication between different Intelligent Electronic Devices (IEDs) and eases interoperable operation with set data and message structures. An unwanted consequence of this standardized communication over Ethernet is increased vulnerability to cyber threats. The IEC 62351-6 standard stipulates the use of digital signatures for ensuring integrity in IEC 61850 message exchanges. However, digital signatures result in higher computation times, which makes them very difficult to use for Generic Object Oriented Substation Events (GOOSE) messages. This short communication proposes implementing Message Authentication Code (MAC) algorithms, namely Hash-based Message Authentication Code (HMAC) and Advanced Encryption Standard Galois Message Authentication Code (AES-GMAC), for GOOSE message integrity. Lab tests are run to observe their timing performance and feasibility for GOOSE.
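The two GOOSE papers above (the replay/masquerade analysis and this MAC-based proposal) come down to the same subscriber-side check: verify an authentication tag over the whole frame, and only then enforce freshness on the stNum/sqNum counters. The Python below is an added illustration and not code from either paper; the fixed-width frame layout, the 128-bit truncated HMAC-SHA256 tag, the 1-byte data length prefix and the counter rules are this example's own choices (real GOOSE PDUs are ASN.1-encoded and IEC 62351-6 defines its own tag formats).

```python
import hashlib
import hmac
import struct
from typing import Tuple

TAG_LEN = 16  # 128-bit truncated HMAC-SHA256; this example's choice, not IEC 62351-6's tag encoding
HEADER = struct.Struct(">HIIQ")  # appID, stNum, sqNum, timestamp (ms): a stand-in for the ASN.1 GOOSE PDU


def authenticate(key: bytes, payload: bytes) -> bytes:
    """Keyed tag over the whole frame; the subscriber recomputes it before trusting any field."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]


class Publisher:
    """GOOSE-like publisher: a state change bumps stNum and resets sqNum; a retransmission bumps sqNum."""

    def __init__(self, app_id: int, key: bytes) -> None:
        self.app_id = app_id
        self.key = key
        self.st_num = 0
        self.sq_num = 0
        self.data = b""

    def _frame(self, t_ms: int) -> Tuple[bytes, bytes]:
        if len(self.data) > 255:
            raise ValueError("data too long for the 1-byte length prefix used here")
        payload = HEADER.pack(self.app_id, self.st_num, self.sq_num, t_ms) + bytes([len(self.data)]) + self.data
        return payload, authenticate(self.key, payload)

    def state_change(self, data: bytes, t_ms: int) -> Tuple[bytes, bytes]:
        self.st_num += 1
        self.sq_num = 0
        self.data = data
        return self._frame(t_ms)

    def retransmit(self, t_ms: int) -> Tuple[bytes, bytes]:
        self.sq_num += 1
        return self._frame(t_ms)


class Subscriber:
    """Accepts a frame only if the tag verifies under the shared key and (stNum, sqNum) strictly advances."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last = (0, 0)  # the publisher's first frame carries stNum 1, so (1, 0) already advances past this

    def accept(self, payload: bytes, tag: bytes) -> Tuple[bool, str]:
        # Verify before parsing: an attacker without the key (masquerade) or a modified frame fails here.
        if not hmac.compare_digest(authenticate(self.key, payload), tag):
            return False, "bad tag"
        if len(payload) < HEADER.size + 1 or payload[HEADER.size] != len(payload) - HEADER.size - 1:
            return False, "malformed"
        _app_id, st_num, sq_num, _t_ms = HEADER.unpack_from(payload)
        # A captured frame replayed later carries a (stNum, sqNum) the subscriber has already passed.
        if (st_num, sq_num) <= self.last:
            return False, "replay"
        self.last = (st_num, sq_num)
        return True, "ok"


if __name__ == "__main__":
    shared_key = b"\x11" * 32  # constructed pre-shared key for the publisher/subscriber group
    pub, sub = Publisher(0x1000, shared_key), Subscriber(shared_key)
    frame, tag = pub.state_change(b"\x01", t_ms=1000)
    print(sub.accept(frame, tag), sub.accept(frame, tag))  # (True, 'ok') then (False, 'replay')
```

Two things the example makes visible that the abstracts only imply: a MAC is an order of magnitude cheaper than an RSA or ECDSA signature, but because the key is shared, any subscriber holding it can forge frames and the publisher gains no non-repudiation, which is the trade-off against the signature-based approach of the previous paper; and the counter check is what defeats replay, since a replayed frame carries a perfectly valid tag. Not handled here: stNum wrap-around and a timestamp-skew window, both of which a deployable subscriber needs.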

Journal ArticleDOI
TL;DR: An ECC-based mutual authentication protocol for smart grid communication using a biometric approach is proposed; it requires much less communication and computation cost than other existing protocols in the SG environment and is convenient for practical application in SG communication.

Journal ArticleDOI
01 Apr 2019
TL;DR: The proposed framework employs attribute-based signature (ABS) to achieve message authentication and integrity and protect vehicle privacy, which greatly mitigates the overhead caused by pseudonym/private key change or update in the existing solutions for VANETs.
Abstract: In this paper, we introduce an attribute-based framework to achieve secure communications in vehicular ad hoc networks (VANETs), which enjoys several advantageous features. The proposed framework employs attribute-based signature (ABS) to achieve message authentication and integrity and protect vehicle privacy, which greatly mitigates the overhead caused by pseudonym/private key change or update in the existing solutions for VANETs based on symmetric key, asymmetric key, and identity-based cryptography and group signature. In addition, we extend a standard ABS scheme with traceability and revocation mechanisms and seamlessly integrate them into the proposed framework to support vehicle traceability and revocation by a trusted authority, and thus, the resulting scheme for vehicular communications does not suffer from the anonymity misuse issue, which has been a challenge for anonymous credential-based vehicular protocols. Finally, we implement the proposed ABS scheme using a rapid prototyping tool called Charm to evaluate its performance.

Proceedings Article
16 Aug 2019
TL;DR: EverParse, a framework for generating parsers and serializers from tag-length-value binary message format descriptions, is presented and its generality is illustrated by implementing the Bitcoin block and transaction formats, and the ASN.1 DER payload of PKCS#1 RSA signatures.
Abstract: We present EverParse, a framework for generating parsers and serializers from tag-length-value binary message format descriptions. The resulting code is verified to be safe (no overflow, no use after free), correct (parsing is the inverse of serialization) and non-malleable (each message has a unique binary representation). These guarantees underpin the security of cryptographic message authentication, and they enable testing to focus on interoperability and performance issues. EverParse consists of two parts: LowParse, a library of parser combinators and their formal properties written in F*; and QuackyDucky, a compiler from a domain-specific language of RFC message formats down to low-level F* code that calls LowParse. While LowParse is fully verified, we do not formalize the semantics of the input language and keep QuackyDucky outside our trusted computing base. Instead, it also outputs a formal message specification, and F* automatically verifies our implementation against this specification. EverParse yields efficient zero-copy implementations, usable both in F* and in C. We evaluate it in practice by fully implementing the message formats of the Transport Layer Security standard and its extensions (TLS 1.0–1.3, 293 datatypes) and by integrating them into miTLS, an F* implementation of TLS. We illustrate its generality by implementing the Bitcoin block and transaction formats, and the ASN.1 DER payload of PKCS#1 RSA signatures. We integrate them into C applications and measure their runtime performance, showing significant improvements over prior handwritten libraries. EverParse is open-source and publicly available on GitHub. Antoine Delignat-Lavaud presented the paper at USENIX Security 2019.
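The non-malleability property EverParse verifies (each message has exactly one byte representation) is what lets a MAC or signature over the serialized bytes stand for a MAC over the message: if two byte strings parsed to the same message, a verifier could be handed a variant the signer never produced. The Python below is an added example, not EverParse or LowParse code. It is a minimal DER-style tag-length-value parser and serializer that rejects non-minimal length encodings, indefinite lengths, truncation and trailing data, together with a canonicality check that fails for any input the serializer could not have produced. The one-byte tag and four-byte length cap are simplifications for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


class ParseError(ValueError):
    """Raised for any input that is not the unique canonical encoding of some message."""


@dataclass(frozen=True)
class Tlv:
    tag: int  # one byte in this simplified format
    value: bytes


def encode_length(n: int) -> bytes:
    # DER-style definite length: short form below 0x80, otherwise 0x80|k followed by the
    # k-byte big-endian value with k minimal.
    if n < 0x80:
        return bytes([n])
    k = (n.bit_length() + 7) // 8
    return bytes([0x80 | k]) + n.to_bytes(k, "big")


def decode_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Returns (length, position after the length field), refusing every non-canonical form."""
    if pos >= len(buf):
        raise ParseError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    k = first & 0x7F
    if k == 0 or k > 4:
        raise ParseError("indefinite or oversized length")
    if pos + k > len(buf):
        raise ParseError("truncated length")
    n = int.from_bytes(buf[pos:pos + k], "big")
    # Non-malleability: a length that fits the short form, or that has a leading zero byte, has a
    # shorter encoding, so accepting it would give one message two distinct byte representations.
    if n < 0x80 or buf[pos] == 0:
        raise ParseError("non-minimal length encoding")
    return n, pos + k


def serialize(items: List[Tlv]) -> bytes:
    out = bytearray()
    for item in items:
        if not 0 <= item.tag <= 0xFF:
            raise ValueError("tag must fit in one byte")
        out += bytes([item.tag]) + encode_length(len(item.value)) + item.value
    return bytes(out)


def parse(buf: bytes) -> List[Tlv]:
    items: List[Tlv] = []
    pos = 0
    while pos < len(buf):
        tag = buf[pos]
        n, pos = decode_length(buf, pos + 1)
        if pos + n > len(buf):
            raise ParseError("truncated value")
        items.append(Tlv(tag, bytes(buf[pos:pos + n])))
        pos += n
    return items  # the loop only ends with every byte consumed, so trailing data cannot slip through


def is_rejected(buf: bytes) -> bool:
    try:
        parse(buf)
    except ParseError:
        return True
    return False


def is_canonical(buf: bytes) -> bool:
    """True when buf parses and re-serializing gives back exactly buf: the property a MAC over the bytes needs."""
    return not is_rejected(buf) and serialize(parse(buf)) == buf
```

The minimal-length rule is the same one DER imposes on top of BER, and it is precisely the rule a lenient ASN.1 parser breaks when it accepts `81 05` as the length 5; in the PKCS#1 context the abstract mentions, such leniency is what allowed malleable signature encodings to pass verification in the past. The check to keep in mind when reviewing any hand-written parser is the pair `parse(serialize(m)) == m` and `serialize(parse(b)) == b`; the second is the non-malleability half.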

Journal ArticleDOI
TL;DR: A lightweight and efficient key distribution scheme for secure D2D communication is proposed by leveraging an acceleration sensor equipped in two wireless devices, and an efficient near-field authentication is developed with a speaker and a microphone.
Abstract: Device-to-Device (D2D) communication is a promising method for the emerging Internet of Things. Secure information exchange plays a key role in the application of D2D communication. Considering that wireless devices are powered by batteries, in this paper a lightweight secure D2D system is designed using multiple sensors on mobile devices. Specifically, by leveraging the acceleration sensor present in two wireless devices, a lightweight and efficient key distribution scheme for secure D2D communication is proposed. Based on the distributed secret key, an efficient near-field authentication is developed with a speaker and a microphone to determine whether the two devices are physically close; and a highly efficient secure information exchange scheme, which includes message encryption/decryption and message authentication, is presented over the audio channel and the RF channel. Extensive experiments are provided to demonstrate that our system can achieve a secure information exchange between two wireless devices with low energy consumption and computing resource usage.

Journal ArticleDOI
TL;DR: In this article, the authors proposed a new algorithm for message authentication in a UWAN setting, which relies on trusted nodes that independently help a sink node in the authentication process, and the sink fuses beliefs evaluated by the trusted nodes to reach an authentication decision.
Abstract: With the growing use of underwater acoustic communications (UWAC) for both industrial and military operations, there is a need to ensure communication security. A particular challenge is represented by underwater acoustic networks (UWANs), which are often left unattended over long periods of time. Currently, due to physical and performance limitations, UWAC packets rarely include encryption, leaving the UWAN exposed to external attacks that fake legitimate messages. In this paper, we propose a new algorithm for message authentication in a UWAN setting. We begin by observing that, due to the strong spatial dependency of the underwater acoustic channel, an attacker can attempt to mimic the channel associated with the legitimate transmitter only for a small set of receivers, typically just a single one. Taking this into account, our scheme relies on trusted nodes that independently help a sink node in the authentication process. For each incoming packet, the sink fuses beliefs evaluated by the trusted nodes to reach an authentication decision. These beliefs are based on the estimated statistics of the channel parameters, which are chosen to be the most sensitive to transmitter-receiver displacement. Our simulation results show accurate identification of an attacker's packets. We also report results from a sea experiment demonstrating the effectiveness of our approach.

Proceedings ArticleDOI
01 Jun 2019
TL;DR: Noise Explorer is presented, an online engine for designing, reasoning about, formally verifying and implementing arbitrary Noise Handshake Patterns; it can parse formal verification results to generate detailed-but-pedagogical reports regarding the exact security goals of each message of a Noise Handshake Pattern.
Abstract: The Noise Protocol Framework, introduced recently, allows for the design and construction of secure channel protocols by describing them through a simple, restricted language from which complex key derivation and local state transitions are automatically inferred. Noise "Handshake Patterns" can support mutual authentication, forward secrecy, zero round-trip encryption, identity hiding and other advanced features. Since the framework's release, Noise-based protocols have been adopted by WhatsApp, WireGuard and other high-profile applications. We present Noise Explorer, an online engine for designing, reasoning about, formally verifying and implementing arbitrary Noise Handshake Patterns. Based on our formal treatment of the Noise Protocol Framework, Noise Explorer can validate any Noise Handshake Pattern and then translate it into a model ready for automated verification and also into a production-ready software implementation written in Go or in Rust. We use Noise Explorer to analyze more than 57 handshake patterns. We confirm the stated security goals for 12 fundamental patterns and provide precise properties for the rest. We also analyze unsafe handshake patterns and document weaknesses that occur when validity rules are not followed. All of this work is consolidated into a usable online tool that presents a compendium of results and can parse formal verification results to generate detailed-but-pedagogical reports regarding the exact security goals of each message of a Noise Handshake Pattern with respect to each party, under an active attacker and including malicious principals. Noise Explorer evolves alongside the standard Noise Protocol Framework, having already contributed new security goal verification results and stronger definitions for pattern validation and security parameters.

Journal ArticleDOI
TL;DR: This paper presents a cryptographic and parallel chaotic hash function based on the cross coupled map lattices for multimedia communication security, and demonstrates that the proposed hash algorithm has statistical properties with $\bar{B} = 64.0022$ and P = 50.0017%, collision resistance with d = 85.3944, average computation speed of 132.0 Mbps, and better statistical performance compared with existing chaotic hash functions.
Abstract: Cryptographic hash functions can map data of arbitrary size to data of fixed size (hash values), which can be used in a wide range of multimedia applications for communication security, such as integrity protection, message authentication and digital signature. In this paper, we present a cryptographic and parallel chaotic hash function based on the cross coupled map lattices for multimedia communication security. More specifically, we first utilize the piecewise linear chaotic map with secret keys to generate initial parameter sequence for the cross coupled map lattices and an initial hash value. Then, we extend the original message into a message matrix to enhance the correlation of message characters. Next, we process each of the message blocks in the matrix in parallel as the space domain input of the cross coupled map lattices and the initial parameters as the time domain input to generate intermediate hash values. After all message blocks are processed in parallel, the final h-bit hash value is obtained by logical operations with the initial and intermediate hash values. Finally, we evaluate the performance of the proposed hash function in terms of uniform distribution of hash values, sensitivity of the hash value to subtle changes of the original message, secret keys, and images, confusion and diffusion properties, collision tests, efficiency of computation speed. The cryptanalytic results demonstrate that the proposed hash algorithm has statistical properties with $\bar {B} = 64.0022$ and P = 50.0017%, collision resistance with d = 85.3944, average computation speed of 132.0 Mbps, and better statistical performance compared with existing chaotic hash functions, which are suitable for multimedia communication security.

Journal ArticleDOI
TL;DR: Security and performance analysis results show that the proposed message authentication scheme can satisfy the security and lightweight requirements of practical implementations and deployments of the smart grid.
Abstract: Smart grid has emerged as the next-generation electricity grid with power flow optimization and high power quality. Smart grid technologies have attracted the attention of industry and academia in the last few years. However, the tradeoff between security and efficiency remains a challenge in the practical deployment of the smart grid. Most recently, Li et al. proposed a lightweight message authentication scheme with user anonymity and claimed that their scheme is provably secure. But we found that their scheme fails to achieve mutual authentication and mitigate some typical attacks (e.g., impersonation attack, denial of service attack) in the smart grid environment. To address these drawbacks, we present a new message authentication scheme with reasonable efficiency. Security and performance analysis results show that the proposed scheme can satisfy the security and lightweight requirements of practical implementations and deployments of the smart grid.

Journal ArticleDOI
TL;DR: A novel intrusion detection system (IDS), called BTMonitor (Bit-time-based CAN Bus Monitor), which utilizes the small but measurable discrepancy of bit time in CAN frames to fingerprint their sender Electronic Control Units (ECUs).
Abstract: With the rapid growth of connectivity and autonomy for today’s automobiles, their security vulnerabilities are becoming one of the most urgent concerns in the automotive industry. The lack of message authentication in Controller Area Network (CAN), which is the most popular in-vehicle communication protocol, makes it susceptible to cyber attack. It has been demonstrated that the remote attackers can take over the maneuver of vehicles after getting access to CAN, which poses serious safety threats to the public. To mitigate this issue, we propose a novel intrusion detection system (IDS), called BTMonitor (Bit-time-based CAN Bus Monitor). It utilizes the small but measurable discrepancy of bit time in CAN frames to fingerprint their sender Electronic Control Units (ECUs). To reduce the requirement for high sampling rate, we calculate the bit time of recessive bits and dominant bits, respectively, and extract their statistical features as fingerprint. The generated fingerprint is then used to detect intrusion and pinpoint the attacker. BTMonitor can detect new types of masquerade attack that the state-of-the-art clock-skew-based IDS is unable to identify. We implement a prototype system for BTMonitor using Xilinx Spartan 6 FPGA for data collection. We evaluate our method on both a CAN bus prototype and a real vehicle. The results show that BTMonitor can correctly identify the sender with an average probability of 99.76% on the real vehicle.
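
The fingerprinting step the abstract describes (per-polarity bit-time statistics, then nearest-profile matching of each frame against the ECU that legitimately owns its CAN ID) can be shown end to end on constructed data. The following is an added example, not BTMonitor's code: the ECU timing profiles, the CAN ID ownership table, the 500 kbit/s nominal bit time and the decision threshold are all assumptions, and the FPGA sampling the paper uses is replaced by simulated Gaussian bit times.

```python
"""Sender identification from CAN bit-time statistics, in the spirit of BTMonitor.

Added example, not BTMonitor's code or data. Bit-time samples are constructed:
a 500 kbit/s bus has a nominal 2000 ns bit; each simulated ECU deviates by a
few ns, differently for dominant and recessive bits, as the paper exploits.
"""
import random
import statistics
from dataclasses import dataclass

# Constructed ECU profiles: (dominant mean ns, recessive mean ns, jitter ns).
ECU_PROFILES = {
    "ECU_A": (2003.1, 1997.4, 1.5),
    "ECU_B": (1996.8, 2002.9, 1.5),
    "ECU_C": (2001.0, 2000.6, 1.5),
}
# Constructed mapping of CAN IDs to their legitimate transmitters.
ID_OWNER = {0x0C0: "ECU_A", 0x1A5: "ECU_B", 0x2F0: "ECU_C"}
# A frame farther than this (in standard errors) from every profile is "unknown".
UNKNOWN_THRESHOLD = 6.0


@dataclass
class Fingerprint:
    dom_mean: float
    dom_std: float
    rec_mean: float
    rec_std: float


def sample_frame(profile, seed, n_bits=64):
    """Constructed per-bit timings (ns) of one frame: half dominant, half recessive bits."""
    rng = random.Random(seed)
    dom_mu, rec_mu, jitter = profile
    dom = [rng.gauss(dom_mu, jitter) for _ in range(n_bits // 2)]
    rec = [rng.gauss(rec_mu, jitter) for _ in range(n_bits // 2)]
    return dom, rec


def ecu_frame(ecu, seed):
    """Frame sent by a known (constructed) ECU."""
    return sample_frame(ECU_PROFILES[ecu], seed)


def fingerprint(dom, rec):
    """Statistical features: mean and std of bit time, separately per bit polarity."""
    return Fingerprint(statistics.fmean(dom), statistics.pstdev(dom),
                       statistics.fmean(rec), statistics.pstdev(rec))


def train(frames_per_ecu=50, seed=1):
    """Learn one reference fingerprint per ECU from frames with a known sender."""
    profiles = {}
    for idx, ecu in enumerate(ECU_PROFILES):
        doms, recs = [], []
        for f in range(frames_per_ecu):
            d, r = ecu_frame(ecu, seed * 100000 + idx * 1000 + f)
            doms += d
            recs += r
        profiles[ecu] = fingerprint(doms, recs)
    return profiles


def distance(fp, ref, n_samples):
    """Distance between a frame's means and a reference, in units of the standard
    error of a mean over n_samples bits (about 1.4 for a genuine frame)."""
    se_dom = ref.dom_std / n_samples ** 0.5
    se_rec = ref.rec_std / n_samples ** 0.5
    return (((fp.dom_mean - ref.dom_mean) / se_dom) ** 2 +
            ((fp.rec_mean - ref.rec_mean) / se_rec) ** 2) ** 0.5


def identify_sender(profiles, dom, rec):
    """Nearest reference fingerprint, or 'unknown' if no profile is close enough."""
    fp = fingerprint(dom, rec)
    n = min(len(dom), len(rec))
    best = min(profiles, key=lambda ecu: distance(fp, profiles[ecu], n))
    if distance(fp, profiles[best], n) > UNKNOWN_THRESHOLD:
        return "unknown"
    return best


def check_frame(profiles, can_id, dom, rec):
    """Return ('ok' | 'masquerade' | 'unknown', inferred sender) for a frame carrying can_id."""
    sender = identify_sender(profiles, dom, rec)
    if sender == "unknown":
        return "unknown", sender
    return ("ok" if sender == ID_OWNER[can_id] else "masquerade"), sender
```

A masquerade attack is caught when the physical fingerprint of a frame disagrees with the ECU that owns its ID; the `unknown` branch covers a transmitter that was never profiled (an added device on the bus), which a pure nearest-neighbour classifier would otherwise silently assign to the closest known ECU.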

Journal ArticleDOI
01 Sep 2019
TL;DR: This paper proposes a cross-layer approach towards exploiting the CCM for OSCoAP using the MAC-layer security suite in IoT devices equipped with 802.15.4 radio chips, and shows that the implementation of CCM is memory efficient, saves up to 10 times more energy, improves battery life by 30% and is 37% faster than the state-of-the-art software implementation.
Abstract: CoAP is an application layer protocol designed for resource-constrained devices in Internet-of-Things (IoT). Object Security of CoAP (OSCoAP) is an IETF draft for addressing security issues with CoAP messages that can arise with the use of intermediate proxies. These proxies are employed for better performance, scalability and offloading expensive operations. OSCoAP adopts the counter with cipher block chaining message authentication code (CCM) mode of authenticated encryption with associated data (AEAD) that simultaneously ensures confidentiality, integrity, and authentication of the messages. The current implementation of CCM for OSCoAP is carried out in software. In this paper, we propose a cross-layer approach towards exploiting the CCM for OSCoAP using the MAC-layer security suite in IoT devices. The motivation is based on the fact that most of these devices are equipped with 802.15.4 radio chips. The IEEE 802.15.4 standard mandates the availability of some security features for MAC-layer encryption in these radio chips including the CCM. We propose an algorithm that takes advantage of these on-board features by efficiently implementing the CCM operations for OSCoAP. The results show that our implementation of CCM is memory efficient, saves up to 10 times more energy, improves battery life by 30% and is 37% faster than the state-of-the-art software implementation of CCM for OSCoAP.
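
What CCM buys OSCoAP is visible in a few lines: the payload is encrypted, while the CoAP header that proxies must still read travels in the clear but is bound to the ciphertext as associated data, so a proxy that edits either one is detected. The block below is an added software example using the pyca `cryptography` package, not the paper's radio-chip implementation; the 13-byte nonce and 8-byte tag (the COSE AES-CCM-16-64-128 parameters), the nonce layout, the CoAP header bytes and the sender ID are all assumptions made for the illustration.

```python
"""AEAD protection of a CoAP message with AES-CCM, in the OSCoAP/OSCORE style.

Added example (software, pyca `cryptography`), not the cross-layer 802.15.4
implementation from the paper. Assumed parameters: 128-bit key, 13-byte nonce,
8-byte tag (the COSE AES-CCM-16-64-128 profile). The CoAP header bytes, sender
ID and sequence-number layout are constructed.
"""
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

TAG_LEN = 8      # bytes; the "64" in AES-CCM-16-64-128
NONCE_LEN = 13   # bytes; leaves CCM a 2-byte length field, i.e. payloads up to 65535 bytes


def make_nonce(sender_id, seq):
    """Nonce = 5-byte left-padded sender ID || 8-byte big-endian sequence number.
    Constructed layout; what matters is that (key, nonce) never repeats, so each
    sender keeps a strictly increasing counter under its own ID."""
    if len(sender_id) > 5:
        raise ValueError("sender ID too long for this nonce layout")
    nonce = sender_id.rjust(5, b"\x00") + seq.to_bytes(8, "big")
    assert len(nonce) == NONCE_LEN
    return nonce


def protect(key, sender_id, seq, coap_header, payload):
    """Encrypt the payload; the header stays cleartext for proxies but is bound as AAD."""
    nonce = make_nonce(sender_id, seq)
    ciphertext = AESCCM(key, tag_length=TAG_LEN).encrypt(nonce, payload, coap_header)
    return nonce, ciphertext


def unprotect(key, nonce, coap_header, ciphertext):
    """Return the plaintext, or None if the CCM tag does not verify."""
    try:
        return AESCCM(key, tag_length=TAG_LEN).decrypt(nonce, ciphertext, coap_header)
    except InvalidTag:
        return None


def demo():
    key = bytes(range(16))                    # constructed; derive per-context keys in practice
    header = bytes([0x44, 0x02, 0x12, 0x34])  # constructed CoAP: ver 1, CON, TKL 4, 0.02 POST, MID 0x1234
    payload = b"temp=21.5"
    nonce, ct = protect(key, b"\x01", 42, header, payload)

    ok = unprotect(key, nonce, header, ct)
    # 1) an on-path proxy flips one ciphertext bit
    bad_ct = bytes([ct[0] ^ 0x80]) + ct[1:]
    # 2) the proxy rewrites the code field of the cleartext header (POST -> 0.01 GET)
    bad_hdr = header[:1] + b"\x01" + header[2:]
    return (ok,
            unprotect(key, nonce, header, bad_ct),
            unprotect(key, nonce, bad_hdr, ct),
            len(ct) - len(payload))           # per-message overhead: the 8-byte tag
```

Both tampering cases return `None`, and the only overhead on the wire is the 8-byte tag, which is why a hardware CCM engine that the radio already contains is an attractive offload target for this workload.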

Proceedings ArticleDOI
01 Sep 2019
TL;DR: This work proposes an extension of the P4 Portable Switch Architecture for cryptographic hashes and discusses the prototype implementations, which show that cryptographic hashing can be integrated efficiently and cannot identify a single hash function delivering satisfying performance on all investigated platforms.
Abstract: P4 introduces a standardized, universal way for data plane programming. Secure and resilient communication typically involves the processing of payload data and specialized cryptographic hash functions. We observe that current P4 targets lack the support for both. Therefore, applications and protocols, which require message authentication codes or hashing structures that are resilient against attacks such as denial-of-service, cannot be implemented. To enable authentication and resilience, we make the case for extending P4 targets with cryptographic hash functions. We propose an extension of the P4 Portable Switch Architecture for cryptographic hashes and discuss our prototype implementations for three different P4 target platforms: CPU, NPU, and FPGA. To assess the practical applicability, we conduct a performance evaluation and analyze the resource consumption. Our prototype implementations show that cryptographic hashing can be integrated efficiently. We cannot identify a single hash function delivering satisfying performance on all investigated platforms. Therefore, we recommend a set of hash functions to optimize target-specific performance.

Posted Content
TL;DR: This work presents authenticated call stack (ACS), an approach that uses chained message authentication codes (MACs) and shows that PACStack achieves security comparable to hardware-assisted shadow stacks without requiring dedicated hardware.
Abstract: A popular run-time attack technique is to compromise the control-flow integrity of a program by modifying function return addresses on the stack. So far, shadow stacks have proven to be essential for comprehensively preventing return address manipulation. Shadow stacks record return addresses in integrity-protected memory secured with hardware-assistance or software access control. Software shadow stacks incur high overheads or trade off security for efficiency. Hardware-assisted shadow stacks are efficient and secure, but require the deployment of special-purpose hardware. We present authenticated call stack (ACS), an approach that uses chained message authentication codes (MACs). Our prototype, PACStack, uses the ARM general purpose hardware mechanism for pointer authentication (PA) to implement ACS. Via a rigorous security analysis, we show that PACStack achieves security comparable to hardware-assisted shadow stacks without requiring dedicated hardware. We demonstrate that PACStack's performance overhead is small (~3%).
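
The chaining the abstract refers to is the whole point: each token is a MAC over the current return address and the previous token, so a frame is only accepted if the entire call history that led to it is intact. The following is an added model of that idea, not PACStack's code: PACStack drives the chain with ARM pointer authentication instructions and a reserved register, whereas this model substitutes HMAC-SHA256 for the PA MAC and a Python attribute for the register; the key and the addresses are constructed.

```python
"""Model of an authenticated call stack (ACS) built from chained MACs.

Added example: a software model of the idea in the abstract, not PACStack
itself. PACStack computes the chain with ARM pointer authentication (PAC)
instructions and keeps the current token in a reserved register; here
HMAC-SHA256 stands in for the PA MAC and the token lives in an attribute
the 'attacker' code below never writes.
"""
import hashlib
import hmac


class AuthFailure(Exception):
    pass


class AuthenticatedCallStack:
    def __init__(self, key):
        self._key = key
        # Frames as [ret_addr, saved_prev_token]: models attacker-writable stack memory.
        self.memory = []
        # Current token auth_i: models a register the attacker cannot write.
        self.auth = bytes(32)

    def _mac(self, ret_addr, prev_auth):
        # auth_i = MAC_k(ret_i || auth_{i-1}): each token commits to the whole call history.
        msg = ret_addr.to_bytes(8, "little") + prev_auth
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def call(self, ret_addr):
        """Prologue: spill the return address and previous token, then advance the chain."""
        self.memory.append([ret_addr, self.auth])
        self.auth = self._mac(ret_addr, self.auth)

    def ret(self):
        """Epilogue: recompute the token from what is on the stack and compare."""
        ret_addr, prev_auth = self.memory.pop()
        if not hmac.compare_digest(self._mac(ret_addr, prev_auth), self.auth):
            raise AuthFailure("return address 0x%x failed authentication" % ret_addr)
        self.auth = prev_auth          # restore auth_{i-1} for the caller
        return ret_addr


KEY = b"\x42" * 32   # constructed; real keys are per-process and managed by the kernel


def benign_run(key=KEY):
    """Three nested calls and three returns: addresses come back in LIFO order."""
    acs = AuthenticatedCallStack(key)
    for addr in (0x401000, 0x402000, 0x403000):
        acs.call(addr)
    return [acs.ret() for _ in range(3)]


def overwrite_attack(key=KEY):
    """Stack-smash style: rewrite the topmost return address. Caught on return."""
    acs = AuthenticatedCallStack(key)
    acs.call(0x401000)
    acs.call(0x402000)
    acs.memory[-1][0] = 0xDEADBEEF
    try:
        acs.ret()
    except AuthFailure:
        return True
    return False


def reuse_attack(key=KEY):
    """Reuse of a frame that was valid earlier: the attacker records (ret_1, auth_0)
    from memory at depth 1 and writes it over the frame at depth 2. An unchained
    per-address MAC would accept this once-valid pair; the chain ties the check
    to auth_2, which depends on ret_2."""
    acs = AuthenticatedCallStack(key)
    acs.call(0x401000)
    recorded = list(acs.memory[-1])
    acs.call(0x402000)
    acs.memory[-1] = recorded
    try:
        acs.ret()
    except AuthFailure:
        return True
    return False
```

The model demonstrates only the chaining property; it does not reproduce the short PAC width of real pointer authentication, nor the token masking the paper uses to cope with the resulting collision risk, and an attacker who can write the register holding the current token (excluded here by construction) would defeat it.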

Journal ArticleDOI
TL;DR: This article proposes for the first time, to the best of the authors' knowledge, a novel intrusion detection and prevention scheme (IDPS) for NC-enabled mobile small cells based on a null space-based homomorphic message authentication code (MAC) scheme that allows detection of pollution attacks and takes proper risk mitigation actions when an intrusive incident is detected.
Abstract: Network coding (NC)-enabled mobile small cells are observed as a promising technology for fifth-generation (5G) networks that can cover the urban landscape by being set up on-demand at any place and at any time on any device. Nevertheless, despite the significant benefits that this technology brings to the 5G of mobile networks, major security issues arise due to the fact that NC-enabled mobile small cells are susceptible to pollution attacks; a severe security threat exploiting the inherent vulnerabilities of NC. Therefore, intrusion detection and prevention mechanisms to detect and mitigate pollution attacks are of utmost importance so that NC-enabled mobile small cells can reach their full potential. Thus, in this article, we propose for the first time, to the best of our knowledge, a novel intrusion detection and prevention scheme (IDPS) for NC-enabled mobile small cells. The proposed scheme is based on a null space-based homomorphic message authentication code (MAC) scheme that allows detection of pollution attacks and takes proper risk mitigation actions when an intrusive incident is detected. The proposed scheme has been implemented in Kodo and its performance has been evaluated in terms of computational overhead.
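
The property that makes a null-space MAC "homomorphic" is easy to see once written down: if the verifier holds a secret key vector k that is orthogonal to every source packet, then any linear combination of those packets, recoded any number of times by intermediate nodes, is still orthogonal to k, while a polluted packet is not. The block below is an added illustration of that principle over a prime field, not the IDPS or the Kodo integration from the paper; the field size, packet dimensions and coding coefficients are constructed.

```python
"""Null-space check for pollution detection in random linear network coding.

Added example illustrating the principle the abstract names, not the IDPS or
the Kodo integration from the paper. Packets are vectors over GF(p); the
verifier holds a secret key k orthogonal to every source packet. The check
k . c == 0 is linear, so every honest coded packet passes (it stays in the
span of the sources however often it is recoded), and a polluted packet
fails unless the adversary happens to stay orthogonal to k (probability ~1/p).
"""
import random

P = 2**31 - 1          # constructed prime field size


def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % P


def rref_mod_p(rows):
    """Reduced row echelon form over GF(P); returns (nonzero rows, pivot columns)."""
    A = [r[:] for r in rows]
    m, n = len(A), len(A[0])
    pivots, r = [], 0
    for c in range(n):
        if r == m:
            break
        piv = next((i for i in range(r, m) if A[i][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], P - 2, P)
        A[r] = [x * inv % P for x in A[r]]
        for i in range(m):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(x - f * y) % P for x, y in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
    return A[:r], pivots


def null_space_key(sources, rng):
    """Random vector k with k . s == 0 for every source packet s (a 'null key')."""
    A, pivots = rref_mod_p(sources)
    n = len(sources[0])
    free = [c for c in range(n) if c not in pivots]
    k = [0] * n
    for c in free:                       # free coordinates are chosen at random ...
        k[c] = rng.randrange(1, P)
    for row, pc in zip(A, pivots):       # ... pivot coordinates are then forced
        k[pc] = -sum(row[c] * k[c] for c in free) % P
    return k


def encode(packets, coeffs):
    """Linear combination sum coeff_i * packet_i, as a coding node computes it."""
    n = len(packets[0])
    return [sum(a * p[j] for a, p in zip(coeffs, packets)) % P for j in range(n)]


def verify(key, packet):
    return dot(key, packet) == 0


def demo(seed=0):
    rng = random.Random(seed)
    m, n = 3, 8                                  # 3 source packets of 8 symbols (constructed)
    sources = [[rng.randrange(P) for _ in range(n)] for _ in range(m)]
    key = null_space_key(sources, rng)
    honest = encode(sources, [rng.randrange(P) for _ in range(m)])
    recoded = encode([honest, sources[1]], [5, 7])   # intermediate node re-mixes: still honest
    polluted = honest[:]
    polluted[2] = (polluted[2] + 1) % P              # one symbol corrupted in transit
    return verify(key, honest), verify(key, recoded), verify(key, polluted)
```

The check costs one inner product per packet, which is what makes it attractive for the per-hop detection the abstract describes. Its security rests on k staying secret: an adversary who learns a node's key can craft pollution orthogonal to it, so practical schemes give nodes independent keys and restrict how many keys any one node sees.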

Journal ArticleDOI
23 Aug 2019-Sensors
TL;DR: The proposed CMA solution mitigates the authentication vulnerabilities of IoT and defends against several types of attacks, and achieves multi-property robustness and preserves the collision-resistance, the pseudo-randomness, the message authentication code, and the one-wayness.
Abstract: Internet of Things (IoT) is the most emerging technology in which all the objects in the real world can use the Internet to communicate with each other as parts of a single unified system. This eventually leads to the development of many smart applications such as smart cities, smart homes, smart healthcare, smart transportation, etc. Due to the fact that the IoT devices have limited resources, the cybersecurity approaches that relied on complex and long processing cryptography are not a good fit for these constrained devices. Moreover, the current IoT systems experience critical security vulnerabilities that include identifying which devices were affected, what data or services were accessed or compromised, and which users were impacted. The cybersecurity challenge in IoT systems is to find a solution for handling the identity of the user, things/objects and devices in a secure manner. This paper proposes an effective multifactor authentication (CMA) solution based on robust combiners of the hash functions implemented in the IoT devices. The proposed CMA solution mitigates the authentication vulnerabilities of IoT and defends against several types of attacks. Also, it achieves multi-property robustness and preserves the collision-resistance, the pseudo-randomness, the message authentication code, and the one-wayness. It also ensures the integrity, authenticity and availability of sensed data for the legitimate IoT devices. The simulation results show that CMA outperforms the TOTP in terms of the authentication failure rate. Moreover, the evaluation of CMA shows an acceptable QoS measurement in terms of computation time overhead, throughput, and packet loss ratio.